1 '\" te
   2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
   3 .\" Copyright 2013, Joyent, Inc. All Rights Reserved.
   4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
   5 .\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
   6 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
   7 .TH PRIVILEGES 5 "Feb 3, 2015"
   8 .SH NAME
   9 privileges \- process privilege model
  10 .SH DESCRIPTION
  11 .LP
  12 Solaris software implements a set of privileges that provide fine-grained
  13 control over the actions of processes. The possession of a certain privilege
  14 allows a process to perform a specific set of restricted operations.
  15 .sp
  16 .LP
  17 The change to a primarily privilege-based security model in the Solaris
  18 operating system gives developers an opportunity to restrict processes to those
  19 privileged operations actually needed instead of all (super-user) or no
  20 privileges (non-zero UIDs). Additionally, a set of previously unrestricted
  21 operations now requires a privilege; these privileges are dubbed the "basic"
  22 privileges and are by default given to all processes.
  23 .sp
  24 .LP
  25 Taken together, all defined privileges with the exception of the "basic"
  26 privileges compose the set of privileges that are traditionally associated with
  27 the root user. The "basic" privileges are "privileges" unprivileged processes
  28 were accustomed to having.
  29 .sp
  30 .LP
  31 The defined privileges are:
  32 .sp
  33 .ne 2
  34 .na
  35 \fB\fBPRIV_CONTRACT_EVENT\fR\fR
  36 .ad
  37 .sp .6
  38 .RS 4n
  39 Allow a process to request reliable delivery of events to an event endpoint.
  40 .sp
  41 Allow a process to include events in the critical event set term of a template
  42 which could be generated in volume by the user.
  43 .RE
  44 
  45 .sp
  46 .ne 2
  47 .na
  48 \fB\fBPRIV_CONTRACT_IDENTITY\fR\fR
  49 .ad
  50 .sp .6
  51 .RS 4n
  52 Allows a process to set the service FMRI value of a process contract template.
  53 .RE
  54 
  55 .sp
  56 .ne 2
  57 .na
  58 \fB\fBPRIV_CONTRACT_OBSERVER\fR\fR
  59 .ad
  60 .sp .6
  61 .RS 4n
  62 Allow a process to observe contract events generated by contracts created and
  63 owned by users other than the process's effective user ID.
  64 .sp
  65 Allow a process to open contract event endpoints belonging to contracts created
  66 and owned by users other than the process's effective user ID.
  67 .RE
  68 
  69 .sp
  70 .ne 2
  71 .na
  72 \fB\fBPRIV_CPC_CPU\fR\fR
  73 .ad
  74 .sp .6
  75 .RS 4n
  76 Allow a process to access per-CPU hardware performance counters.
  77 .RE
  78 
  79 .sp
  80 .ne 2
  81 .na
  82 \fB\fBPRIV_DTRACE_KERNEL\fR\fR
  83 .ad
  84 .sp .6
  85 .RS 4n
  86 Allow DTrace kernel-level tracing.
  87 .RE
  88 
  89 .sp
  90 .ne 2
  91 .na
  92 \fB\fBPRIV_DTRACE_PROC\fR\fR
  93 .ad
  94 .sp .6
  95 .RS 4n
  96 Allow DTrace process-level tracing. Allow process-level tracing probes to be
  97 placed and enabled in processes to which the user has permissions.
  98 .RE
  99 
 100 .sp
 101 .ne 2
 102 .na
 103 \fB\fBPRIV_DTRACE_USER\fR\fR
 104 .ad
 105 .sp .6
 106 .RS 4n
 107 Allow DTrace user-level tracing. Allow use of the syscall and profile DTrace
 108 providers to examine processes to which the user has permissions.
 109 .RE
 110 
 111 .sp
 112 .ne 2
 113 .na
 114 \fB\fBPRIV_FILE_CHOWN\fR\fR
 115 .ad
 116 .sp .6
 117 .RS 4n
 118 Allow a process to change a file's owner user ID. Allow a process to change a
 119 file's group ID to one other than the process's effective group ID or one of
 120 the process's supplemental group IDs.
 121 .RE
 122 
 123 .sp
 124 .ne 2
 125 .na
 126 \fB\fBPRIV_FILE_CHOWN_SELF\fR\fR
 127 .ad
 128 .sp .6
 129 .RS 4n
 130 Allow a process to give away its files. A process with this privilege runs as
 131 if {\fB_POSIX_CHOWN_RESTRICTED\fR} is not in effect.
 132 .RE
 133 
 134 .sp
 135 .ne 2
 136 .na
 137 \fB\fBPRIV_FILE_DAC_EXECUTE\fR\fR
 138 .ad
 139 .sp .6
 140 .RS 4n
 141 Allow a process to execute an executable file whose permission bits or ACL
 142 would otherwise disallow the process execute permission.
 143 .RE
 144 
 145 .sp
 146 .ne 2
 147 .na
 148 \fB\fBPRIV_FILE_DAC_READ\fR\fR
 149 .ad
 150 .sp .6
 151 .RS 4n
 152 Allow a process to read a file or directory whose permission bits or ACL would
 153 otherwise disallow the process read permission.
 154 .RE
 155 
 156 .sp
 157 .ne 2
 158 .na
 159 \fB\fBPRIV_FILE_DAC_SEARCH\fR\fR
 160 .ad
 161 .sp .6
 162 .RS 4n
 163 Allow a process to search a directory whose permission bits or ACL would not
 164 otherwise allow the process search permission.
 165 .RE
 166 
 167 .sp
 168 .ne 2
 169 .na
 170 \fB\fBPRIV_FILE_DAC_WRITE\fR\fR
 171 .ad
 172 .sp .6
 173 .RS 4n
 174 Allow a process to write a file or directory whose permission bits or ACL do
 175 not allow the process write permission. All privileges are required to write
 176 files owned by UID 0 in the absence of an effective UID of 0.
 177 .RE
 178 
 179 .sp
 180 .ne 2
 181 .na
 182 \fB\fBPRIV_FILE_DOWNGRADE_SL\fR\fR
 183 .ad
 184 .sp .6
 185 .RS 4n
 186 Allow a process to set the sensitivity label of a file or directory to a
 187 sensitivity label that does not dominate the existing sensitivity label.
 188 .sp
 189 This privilege is interpreted only if the system is configured with Trusted
 190 Extensions.
 191 .RE
 192 
 193 .sp
 194 .ne 2
 195 .na
 196 \fB\fBPRIV_FILE_FLAG_SET\fR\fR
 197 .ad
 198 .sp .6
 199 .RS 4n
 200 Allows a process to set immutable, nounlink or appendonly file attributes.
 201 .RE
 202 
 203 .sp
 204 .ne 2
 205 .na
 206 \fB\fBPRIV_FILE_LINK_ANY\fR\fR
 207 .ad
 208 .sp .6
 209 .RS 4n
 210 Allow a process to create hardlinks to files owned by a UID different from the
 211 process's effective UID.
 212 .RE
 213 
 214 .sp
 215 .ne 2
 216 .na
 217 \fB\fBPRIV_FILE_OWNER\fR\fR
 218 .ad
 219 .sp .6
 220 .RS 4n
 221 Allow a process that is not the owner of a file to modify that file's access
 222 and modification times. Allow a process that is not the owner of a directory to
 223 modify that directory's access and modification times. Allow a process that is
 224 not the owner of a file or directory to remove or rename a file or directory
 225 whose parent directory has the "save text image after execution" (sticky) bit
 226 set. Allow a process that is not the owner of a file to mount a \fBnamefs\fR
 227 upon that file. Allow a process that is not the owner of a file or directory to
 228 modify that file's or directory's permission bits or ACL.
 229 .RE
 230 
 231 .sp
 232 .ne 2
 233 .na
 234 \fB\fBPRIV_FILE_READ\fR\fR
 235 .ad
 236 .sp .6
 237 .RS 4n
 238 Allow a process to read objects in the filesystem.
 239 .RE
 240 
 241 .sp
 242 .ne 2
 243 .na
 244 \fB\fBPRIV_FILE_SETID\fR\fR
 245 .ad
 246 .sp .6
 247 .RS 4n
 248 Allow a process to change the ownership of a file or write to a file without
 249 the set-user-ID and set-group-ID bits being cleared. Allow a process to set the
 250 set-group-ID bit on a file or directory whose group is not the process's
 251 effective group or one of the process's supplemental groups. Allow a process to
 252 set the set-user-ID bit on a file with different ownership in the presence of
 253 \fBPRIV_FILE_OWNER\fR. Additional restrictions apply when creating or modifying
 254 a setuid 0 file.
 255 .RE
 256 
 257 .sp
 258 .ne 2
 259 .na
 260 \fB\fBPRIV_FILE_UPGRADE_SL\fR\fR
 261 .ad
 262 .sp .6
 263 .RS 4n
 264 Allow a process to set the sensitivity label of a file or directory to a
 265 sensitivity label that dominates the existing sensitivity label.
 266 .sp
 267 This privilege is interpreted only if the system is configured with Trusted
 268 Extensions.
 269 .RE
 270 
 271 .sp
 272 .ne 2
 273 .na
 274 \fB\fBPRIV_FILE_WRITE\fR\fR
 275 .ad
 276 .sp .6
 277 .RS 4n
Allow a process to modify objects in the filesystem.
 279 .RE
 280 
 281 .sp
 282 .ne 2
 283 .na
 284 \fB\fBPRIV_GRAPHICS_ACCESS\fR\fR
 285 .ad
 286 .sp .6
 287 .RS 4n
 288 Allow a process to make privileged ioctls to graphics devices. Typically only
 289 an xserver process needs to have this privilege. A process with this privilege
 290 is also allowed to perform privileged graphics device mappings.
 291 .RE
 292 
 293 .sp
 294 .ne 2
 295 .na
 296 \fB\fBPRIV_GRAPHICS_MAP\fR\fR
 297 .ad
 298 .sp .6
 299 .RS 4n
 300 Allow a process to perform privileged mappings through a graphics device.
 301 .RE
 302 
 303 .sp
 304 .ne 2
 305 .na
 306 \fB\fBPRIV_IPC_DAC_READ\fR\fR
 307 .ad
 308 .sp .6
 309 .RS 4n
 310 Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared
 311 Memory Segment whose permission bits would not otherwise allow the process read
 312 permission.
 313 .RE
 314 
 315 .sp
 316 .ne 2
 317 .na
 318 \fB\fBPRIV_IPC_DAC_WRITE\fR\fR
 319 .ad
 320 .sp .6
 321 .RS 4n
 322 Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared
 323 Memory Segment whose permission bits would not otherwise allow the process
 324 write permission.
 325 .RE
 326 
 327 .sp
 328 .ne 2
 329 .na
 330 \fB\fBPRIV_IPC_OWNER\fR\fR
 331 .ad
 332 .sp .6
 333 .RS 4n
 334 Allow a process that is not the owner of a System V IPC Message Queue,
 335 Semaphore Set, or Shared Memory Segment to remove, change ownership of, or
 336 change permission bits of the Message Queue, Semaphore Set, or Shared Memory
 337 Segment.
 338 .RE
 339 
 340 .sp
 341 .ne 2
 342 .na
 343 \fB\fBPRIV_NET_ACCESS\fR\fR
 344 .ad
 345 .sp .6
 346 .RS 4n
 347 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint.
 348 .RE
 349 
 350 .sp
 351 .ne 2
 352 .na
 353 \fB\fBPRIV_NET_BINDMLP\fR\fR
 354 .ad
 355 .sp .6
 356 .RS 4n
 357 Allow a process to bind to a port that is configured as a multi-level port
 358 (MLP) for the process's zone. This privilege applies to both shared address and
 359 zone-specific address MLPs. See \fBtnzonecfg\fR(\fB4\fR) from the Trusted
 360 Extensions manual pages for information on configuring MLP ports.
 361 .sp
 362 This privilege is interpreted only if the system is configured with Trusted
 363 Extensions.
 364 .RE
 365 
 366 .sp
 367 .ne 2
 368 .na
 369 \fB\fBPRIV_NET_ICMPACCESS\fR\fR
 370 .ad
 371 .sp .6
 372 .RS 4n
 373 Allow a process to send and receive ICMP packets.
 374 .RE
 375 
 376 .sp
 377 .ne 2
 378 .na
 379 \fB\fBPRIV_NET_MAC_AWARE\fR\fR
 380 .ad
 381 .sp .6
 382 .RS 4n
 383 Allow a process to set the \fBNET_MAC_AWARE\fR process flag by using
 384 \fBsetpflags\fR(2). This privilege also allows a process to set the
 385 \fBSO_MAC_EXEMPT\fR socket option by using \fBsetsockopt\fR(3SOCKET). The
 386 \fBNET_MAC_AWARE\fR process flag and the \fBSO_MAC_EXEMPT\fR socket option both
 387 allow a local process to communicate with an unlabeled peer if the local
 388 process's label dominates the peer's default label, or if the local process
 389 runs in the global zone.
 390 .sp
 391 This privilege is interpreted only if the system is configured with Trusted
 392 Extensions.
 393 .RE
 394 
 395 .sp
 396 .ne 2
 397 .na
 398 \fB\fBPRIV_NET_MAC_IMPLICIT\fR\fR
 399 .ad
 400 .sp .6
 401 .RS 4n
Allow a process to set the \fBSO_MAC_IMPLICIT\fR socket option by using
\fBsetsockopt\fR(3SOCKET). This allows a privileged process to transmit
implicitly-labeled packets to a peer.
 405 .sp
 406 This privilege is interpreted only if the system is configured with
 407 Trusted Extensions.
 408 .RE
 409 
 410 .sp
 411 .ne 2
 412 .na
 413 \fB\fBPRIV_NET_OBSERVABILITY\fR\fR
 414 .ad
 415 .sp .6
 416 .RS 4n
Allow a process to open a device for receiving network traffic only; sending
traffic is disallowed.
 419 .RE
 420 
 421 .sp
 422 .ne 2
 423 .na
 424 \fB\fBPRIV_NET_PRIVADDR\fR\fR
 425 .ad
 426 .sp .6
 427 .RS 4n
Allow a process to bind to a privileged port number. The privileged port
numbers are 1-1023 (the traditional UNIX privileged ports) as well as those
ports marked as "\fBudp/tcp_extra_priv_ports\fR", with the exception of the
ports reserved for use by NFS and SMB (see \fBPRIV_SYS_NFS\fR and
\fBPRIV_SYS_SMB\fR below).
 432 .RE
 433 
 434 .sp
 435 .ne 2
 436 .na
 437 \fB\fBPRIV_NET_RAWACCESS\fR\fR
 438 .ad
 439 .sp .6
 440 .RS 4n
 441 Allow a process to have direct access to the network layer.
 442 .RE
 443 
 444 .sp
 445 .ne 2
 446 .na
 447 \fB\fBPRIV_PROC_AUDIT\fR\fR
 448 .ad
 449 .sp .6
 450 .RS 4n
 451 Allow a process to generate audit records. Allow a process to get its own audit
 452 pre-selection information.
 453 .RE
 454 
 455 .sp
 456 .ne 2
 457 .na
 458 \fB\fBPRIV_PROC_CHROOT\fR\fR
 459 .ad
 460 .sp .6
 461 .RS 4n
 462 Allow a process to change its root directory.
 463 .RE
 464 
 465 .sp
 466 .ne 2
 467 .na
 468 \fB\fBPRIV_PROC_CLOCK_HIGHRES\fR\fR
 469 .ad
 470 .sp .6
 471 .RS 4n
 472 Allow a process to use high resolution timers.
 473 .RE
 474 
 475 .sp
 476 .ne 2
 477 .na
 478 \fB\fBPRIV_PROC_EXEC\fR\fR
 479 .ad
 480 .sp .6
 481 .RS 4n
 482 Allow a process to call \fBexec\fR(2).
 483 .RE
 484 
 485 .sp
 486 .ne 2
 487 .na
 488 \fB\fBPRIV_PROC_FORK\fR\fR
 489 .ad
 490 .sp .6
 491 .RS 4n
 492 Allow a process to call \fBfork\fR(2), \fBfork1\fR(2), or \fBvfork\fR(2).
 493 .RE
 494 
 495 .sp
 496 .ne 2
 497 .na
 498 \fB\fBPRIV_PROC_INFO\fR\fR
 499 .ad
 500 .sp .6
 501 .RS 4n
 502 Allow a process to examine the status of processes other than those to which it
 503 can send signals. Processes that cannot be examined cannot be seen in
 504 \fB/proc\fR and appear not to exist.
 505 .RE
 506 
 507 .sp
 508 .ne 2
 509 .na
 510 \fB\fBPRIV_PROC_LOCK_MEMORY\fR\fR
 511 .ad
 512 .sp .6
 513 .RS 4n
 514 Allow a process to lock pages in physical memory.
 515 .RE
 516 
 517 .sp
 518 .ne 2
 519 .na
 520 \fB\fBPRIV_PROC_OWNER\fR\fR
 521 .ad
 522 .sp .6
 523 .RS 4n
 524 Allow a process to send signals to other processes and inspect and modify the
 525 process state in other processes, regardless of ownership. When modifying
 526 another process, additional restrictions apply: the effective privilege set of
 527 the attaching process must be a superset of the target process's effective,
 528 permitted, and inheritable sets; the limit set must be a superset of the
 529 target's limit set; if the target process has any UID set to 0 all privilege
 530 must be asserted unless the effective UID is 0. Allow a process to bind
 531 arbitrary processes to CPUs.
 532 .RE
 533 
 534 .sp
 535 .ne 2
 536 .na
 537 \fB\fBPRIV_PROC_PRIOUP\fR\fR
 538 .ad
 539 .sp .6
 540 .RS 4n
 541 Allow a process to elevate its priority above its current level.
 542 .RE
 543 
 544 .sp
 545 .ne 2
 546 .na
 547 \fB\fBPRIV_PROC_PRIOCNTL\fR\fR
 548 .ad
 549 .sp .6
 550 .RS 4n
Allow all that \fBPRIV_PROC_PRIOUP\fR allows. Allow a process to change its
scheduling class to any scheduling class, including the RT class.
 554 .RE
 555 
 556 .sp
 557 .ne 2
 558 .na
\fB\fBPRIV_PROC_SECFLAGS\fR\fR
 560 .ad
 561 .sp .6
 562 .RS 4n
Allow a process to manipulate the secflags of processes, subject additionally
to the process's ability to send signals to the target process.
 565 .RE
 566 
 567 .sp
 568 .ne 2
 569 .na
 570 \fB\fBPRIV_PROC_SESSION\fR\fR
 571 .ad
 572 .sp .6
 573 .RS 4n
 574 Allow a process to send signals or trace processes outside its session.
 575 .RE
 576 
 577 .sp
 578 .ne 2
 579 .na
 580 \fB\fBPRIV_PROC_SETID\fR\fR
 581 .ad
 582 .sp .6
 583 .RS 4n
Allow a process to set its UIDs at will. Assuming UID 0 additionally requires
that all privileges be asserted.
 586 .RE
 587 
 588 .sp
 589 .ne 2
 590 .na
 591 \fB\fBPRIV_PROC_TASKID\fR\fR
 592 .ad
 593 .sp .6
 594 .RS 4n
 595 Allow a process to assign a new task ID to the calling process.
 596 .RE
 597 
 598 .sp
 599 .ne 2
 600 .na
 601 \fB\fBPRIV_PROC_ZONE\fR\fR
 602 .ad
 603 .sp .6
 604 .RS 4n
 605 Allow a process to trace or send signals to processes in other zones. See
 606 \fBzones\fR(5).
 607 .RE
 608 
 609 .sp
 610 .ne 2
 611 .na
 612 \fB\fBPRIV_SYS_ACCT\fR\fR
 613 .ad
 614 .sp .6
 615 .RS 4n
 616 Allow a process to enable and disable and manage accounting through
 617 \fBacct\fR(2).
 618 .RE
 619 
 620 .sp
 621 .ne 2
 622 .na
 623 \fB\fBPRIV_SYS_ADMIN\fR\fR
 624 .ad
 625 .sp .6
 626 .RS 4n
Allow a process to perform system administration tasks such as setting the node
and domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings.
 629 .RE
 630 
 631 .sp
 632 .ne 2
 633 .na
 634 \fB\fBPRIV_SYS_AUDIT\fR\fR
 635 .ad
 636 .sp .6
 637 .RS 4n
 638 Allow a process to start the (kernel) audit daemon. Allow a process to view and
 639 set audit state (audit user ID, audit terminal ID, audit sessions ID, audit
 640 pre-selection mask). Allow a process to turn off and on auditing. Allow a
 641 process to configure the audit parameters (cache and queue sizes, event to
 642 class mappings, and policy options).
 643 .RE
 644 
 645 .sp
 646 .ne 2
 647 .na
 648 \fB\fBPRIV_SYS_CONFIG\fR\fR
 649 .ad
 650 .sp .6
 651 .RS 4n
 652 Allow a process to perform various system configuration tasks. Allow
 653 filesystem-specific administrative procedures, such as filesystem configuration
 654 ioctls, quota calls, creation and deletion of snapshots, and manipulating the
 655 PCFS bootsector.
 656 .RE
 657 
 658 .sp
 659 .ne 2
 660 .na
 661 \fB\fBPRIV_SYS_DEVICES\fR\fR
 662 .ad
 663 .sp .6
 664 .RS 4n
 665 Allow a process to create device special files. Allow a process to successfully
 666 call a kernel module that calls the kernel \fBdrv_priv\fR(9F) function to check
 667 for allowed access. Allow a process to open the real console device directly.
 668 Allow a process to open devices that have been exclusively opened.
 669 .RE
 670 
 671 .sp
 672 .ne 2
 673 .na
 674 \fB\fBPRIV_SYS_DL_CONFIG\fR\fR
 675 .ad
 676 .sp .6
 677 .RS 4n
 678 Allow a process to configure a system's datalink interfaces.
 679 .RE
 680 
 681 .sp
 682 .ne 2
 683 .na
 684 \fB\fBPRIV_SYS_IP_CONFIG\fR\fR
 685 .ad
 686 .sp .6
 687 .RS 4n
 688 Allow a process to configure a system's IP interfaces and routes. Allow a
 689 process to configure network parameters for \fBTCP/IP\fR using \fBndd\fR. Allow
 690 a process access to otherwise restricted \fBTCP/IP\fR information using
 691 \fBndd\fR. Allow a process to configure \fBIPsec\fR. Allow a process to pop
 692 anchored \fBSTREAM\fRs modules with matching \fBzoneid\fR.
 693 .RE
 694 
 695 .sp
 696 .ne 2
 697 .na
 698 \fB\fBPRIV_SYS_IPC_CONFIG\fR\fR
 699 .ad
 700 .sp .6
 701 .RS 4n
 702 Allow a process to increase the size of a System V IPC Message Queue buffer.
 703 .RE
 704 
 705 .sp
 706 .ne 2
 707 .na
 708 \fB\fBPRIV_SYS_IPTUN_CONFIG\fR\fR
 709 .ad
 710 .sp .6
 711 .RS 4n
 712 Allow a process to configure IP tunnel links.
 713 .RE
 714 
 715 .sp
 716 .ne 2
 717 .na
 718 \fB\fBPRIV_SYS_LINKDIR\fR\fR
 719 .ad
 720 .sp .6
 721 .RS 4n
 722 Allow a process to unlink and link directories.
 723 .RE
 724 
 725 .sp
 726 .ne 2
 727 .na
 728 \fB\fBPRIV_SYS_MOUNT\fR\fR
 729 .ad
 730 .sp .6
 731 .RS 4n
 732 Allow a process to mount and unmount filesystems that would otherwise be
 733 restricted (that is, most filesystems except \fBnamefs\fR). Allow a process to
 734 add and remove swap devices.
 735 .RE
 736 
 737 .sp
 738 .ne 2
 739 .na
 740 \fB\fBPRIV_SYS_NET_CONFIG\fR\fR
 741 .ad
 742 .sp .6
 743 .RS 4n
 744 Allow a process to do all that \fBPRIV_SYS_IP_CONFIG\fR,
 745 \fBPRIV_SYS_DL_CONFIG\fR, and \fBPRIV_SYS_PPP_CONFIG\fR allow, plus the
 746 following: use the \fBrpcmod\fR STREAMS module and insert/remove STREAMS
 747 modules on locations other than the top of the module stack.
 748 .RE
 749 
 750 .sp
 751 .ne 2
 752 .na
 753 \fB\fBPRIV_SYS_NFS\fR\fR
 754 .ad
 755 .sp .6
 756 .RS 4n
 757 Allow a process to provide NFS service: start NFS kernel threads, perform NFS
 758 locking operations, bind to NFS reserved ports: ports 2049 (\fBnfs\fR) and port
 759 4045 (\fBlockd\fR).
 760 .RE
 761 
 762 .sp
 763 .ne 2
 764 .na
 765 \fB\fBPRIV_SYS_PPP_CONFIG\fR\fR
 766 .ad
 767 .sp .6
 768 .RS 4n
Allow a process to create, configure, and destroy PPP instances with
\fBpppd\fR(1M) and control PPPoE plumbing with \fBsppptun\fR(1M). This
privilege is granted by default to exclusive IP stack instance zones.
 772 .RE
 773 
 774 .sp
 775 .ne 2
 776 .na
 777 \fB\fBPRIV_SYS_RES_BIND\fR\fR
 778 .ad
 779 .sp .6
 780 .RS 4n
 781 Allows a process to bind processes to processor sets.
 782 .RE
 783 
 784 .sp
 785 .ne 2
 786 .na
 787 \fB\fBPRIV_SYS_RES_CONFIG\fR\fR
 788 .ad
 789 .sp .6
 790 .RS 4n
Allow all that \fBPRIV_SYS_RES_BIND\fR allows. Allow a process to create and
delete processor sets, assign CPUs to processor
 793 sets and override the \fBPSET_NOESCAPE\fR property. Allow a process to change
 794 the operational status of CPUs in the system using \fBp_online\fR(2). Allow a
 795 process to configure filesystem quotas. Allow a process to configure resource
 796 pools and bind processes to pools.
 797 .RE
 798 
 799 .sp
 800 .ne 2
 801 .na
 802 \fB\fBPRIV_SYS_RESOURCE\fR\fR
 803 .ad
 804 .sp .6
 805 .RS 4n
 806 Allow a process to exceed the resource limits imposed on it by
 807 \fBsetrlimit\fR(2) and \fBsetrctl\fR(2).
 808 .RE
 809 
 810 .sp
 811 .ne 2
 812 .na
 813 \fB\fBPRIV_SYS_SMB\fR\fR
 814 .ad
 815 .sp .6
 816 .RS 4n
 817 Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
 818 bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
 819 (SMB).
 820 .RE
 821 
 822 .sp
 823 .ne 2
 824 .na
 825 \fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR
 826 .ad
 827 .sp .6
 828 .RS 4n
 829 Allow a process to successfully call a third party loadable module that calls
 830 the kernel \fBsuser()\fR function to check for allowed access. This privilege
 831 exists only for third party loadable module compatibility and is not used by
 832 Solaris proper.
 833 .RE
 834 
 835 .sp
 836 .ne 2
 837 .na
 838 \fB\fBPRIV_SYS_TIME\fR\fR
 839 .ad
 840 .sp .6
 841 .RS 4n
 842 Allow a process to manipulate system time using any of the appropriate system
 843 calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2).
 844 .RE
 845 
 846 .sp
 847 .ne 2
 848 .na
 849 \fB\fBPRIV_SYS_TRANS_LABEL\fR\fR
 850 .ad
 851 .sp .6
 852 .RS 4n
 853 Allow a process to translate labels that are not dominated by the process's
 854 sensitivity label to and from an external string form.
 855 .sp
 856 This privilege is interpreted only if the system is configured with Trusted
 857 Extensions.
 858 .RE
 859 
 860 .sp
 861 .ne 2
 862 .na
 863 \fB\fBPRIV_VIRT_MANAGE\fR\fR
 864 .ad
 865 .sp .6
 866 .RS 4n
 867 Allows a process to manage virtualized environments such as \fBxVM\fR(5).
 868 .RE
 869 
 870 .sp
 871 .ne 2
 872 .na
 873 \fB\fBPRIV_WIN_COLORMAP\fR\fR
 874 .ad
 875 .sp .6
 876 .RS 4n
 877 Allow a process to override colormap restrictions.
 878 .sp
 879 Allow a process to install or remove colormaps.
 880 .sp
 881 Allow a process to retrieve colormap cell entries allocated by other processes.
 882 .sp
 883 This privilege is interpreted only if the system is configured with Trusted
 884 Extensions.
 885 .RE
 886 
 887 .sp
 888 .ne 2
 889 .na
 890 \fB\fBPRIV_WIN_CONFIG\fR\fR
 891 .ad
 892 .sp .6
 893 .RS 4n
 894 Allow a process to configure or destroy resources that are permanently retained
 895 by the X server.
 896 .sp
 897 Allow a process to use SetScreenSaver to set the screen saver timeout value
 898 .sp
 899 Allow a process to use ChangeHosts to modify the display access control list.
 900 .sp
 901 Allow a process to use GrabServer.
 902 .sp
 903 Allow a process to use the SetCloseDownMode request that can retain window,
 904 pixmap, colormap, property, cursor, font, or graphic context resources.
 905 .sp
 906 This privilege is interpreted only if the system is configured with Trusted
 907 Extensions.
 908 .RE
 909 
 910 .sp
 911 .ne 2
 912 .na
 913 \fB\fBPRIV_WIN_DAC_READ\fR\fR
 914 .ad
 915 .sp .6
 916 .RS 4n
 917 Allow a process to read from a window resource that it does not own (has a
 918 different user ID).
 919 .sp
 920 This privilege is interpreted only if the system is configured with Trusted
 921 Extensions.
 922 .RE
 923 
 924 .sp
 925 .ne 2
 926 .na
 927 \fB\fBPRIV_WIN_DAC_WRITE\fR\fR
 928 .ad
 929 .sp .6
 930 .RS 4n
 931 Allow a process to write to or create a window resource that it does not own
 932 (has a different user ID). A newly created window property is created with the
 933 window's user ID.
 934 .sp
 935 This privilege is interpreted only if the system is configured with Trusted
 936 Extensions.
 937 .RE
 938 
 939 .sp
 940 .ne 2
 941 .na
 942 \fB\fBPRIV_WIN_DEVICES\fR\fR
 943 .ad
 944 .sp .6
 945 .RS 4n
 946 Allow a process to perform operations on window input devices.
 947 .sp
 948 Allow a process to get and set keyboard and pointer controls.
 949 .sp
 950 Allow a process to modify pointer button and key mappings.
 951 .sp
 952 This privilege is interpreted only if the system is configured with Trusted
 953 Extensions.
 954 .RE
 955 
 956 .sp
 957 .ne 2
 958 .na
 959 \fB\fBPRIV_WIN_DGA\fR\fR
 960 .ad
 961 .sp .6
 962 .RS 4n
 963 Allow a process to use the direct graphics access (DGA) X protocol extensions.
 964 Direct process access to the frame buffer is still required. Thus the process
 965 must have MAC and DAC privileges that allow access to the frame buffer, or the
 966 frame buffer must be allocated to the process.
 967 .sp
 968 This privilege is interpreted only if the system is configured with Trusted
 969 Extensions.
 970 .RE
 971 
 972 .sp
 973 .ne 2
 974 .na
 975 \fB\fBPRIV_WIN_DOWNGRADE_SL\fR\fR
 976 .ad
 977 .sp .6
 978 .RS 4n
 979 Allow a process to set the sensitivity label of a window resource to a
 980 sensitivity label that does not dominate the existing sensitivity label.
 981 .sp
 982 This privilege is interpreted only if the system is configured with Trusted
 983 Extensions.
 984 .RE
 985 
 986 .sp
 987 .ne 2
 988 .na
 989 \fB\fBPRIV_WIN_FONTPATH\fR\fR
 990 .ad
 991 .sp .6
 992 .RS 4n
 993 Allow a process to set a font path.
 994 .sp
 995 This privilege is interpreted only if the system is configured with Trusted
 996 Extensions.
 997 .RE
 998 
 999 .sp
1000 .ne 2
1001 .na
1002 \fB\fBPRIV_WIN_MAC_READ\fR\fR
1003 .ad
1004 .sp .6
1005 .RS 4n
1006 Allow a process to read from a window resource whose sensitivity label is not
1007 equal to the process sensitivity label.
1008 .sp
1009 This privilege is interpreted only if the system is configured with Trusted
1010 Extensions.
1011 .RE
1012 
1013 .sp
1014 .ne 2
1015 .na
1016 \fB\fBPRIV_WIN_MAC_WRITE\fR\fR
1017 .ad
1018 .sp .6
1019 .RS 4n
1020 Allow a process to create a window resource whose sensitivity label is not
1021 equal to the process sensitivity label. A newly created window property is
1022 created with the window's sensitivity label.
1023 .sp
1024 This privilege is interpreted only if the system is configured with Trusted
1025 Extensions.
1026 .RE
1027 
1028 .sp
1029 .ne 2
1030 .na
1031 \fB\fBPRIV_WIN_SELECTION\fR\fR
1032 .ad
1033 .sp .6
1034 .RS 4n
1035 Allow a process to request inter-window data moves without the intervention of
1036 the selection confirmer.
1037 .sp
1038 This privilege is interpreted only if the system is configured with Trusted
1039 Extensions.
1040 .RE
1041 
1042 .sp
1043 .ne 2
1044 .na
1045 \fB\fBPRIV_WIN_UPGRADE_SL\fR\fR
1046 .ad
1047 .sp .6
1048 .RS 4n
1049 Allow a process to set the sensitivity label of a window resource to a
1050 sensitivity label that dominates the existing sensitivity label.
1051 .sp
1052 This privilege is interpreted only if the system is configured with Trusted
1053 Extensions.
1054 .RE
1055 
1056 .sp
1057 .ne 2
1058 .na
1059 \fB\fBPRIV_XVM_CONTROL\fR\fR
1060 .ad
1061 .sp .6
1062 .RS 4n
1063 Allows a process access to the \fBxVM\fR(5) control devices for managing guest
1064 domains and the hypervisor. This privilege is used only if booted into xVM on
1065 x86 platforms.
1066 .RE
1067 
1068 .sp
1069 .LP
Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR,
\fBPRIV_FILE_READ\fR, \fBPRIV_FILE_WRITE\fR, \fBPRIV_NET_ACCESS\fR,
\fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR and
\fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges
that used to be always available to unprivileged processes. By default,
processes still have the basic privileges.
1075 .sp
1076 .LP
1077 The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
1078 in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
1079 to be successful, that is, get an effective UID of 0 and additional privileges.
1080 .sp
1081 .LP
1082 The privilege implementation in Solaris extends the process credential with
1083 four privilege sets:
1084 .sp
1085 .ne 2
1086 .na
1087 \fBI, the inheritable set\fR
1088 .ad
1089 .RS 26n
1090 The privileges inherited on \fBexec\fR.
1091 .RE
1092 
1093 .sp
1094 .ne 2
1095 .na
1096 \fBP, the permitted set\fR
1097 .ad
1098 .RS 26n
1099 The maximum set of privileges for the process.
1100 .RE
1101 
1102 .sp
1103 .ne 2
1104 .na
1105 \fBE, the effective set\fR
1106 .ad
1107 .RS 26n
1108 The privileges currently in effect.
1109 .RE
1110 
1111 .sp
1112 .ne 2
1113 .na
1114 \fBL, the limit set\fR
1115 .ad
1116 .RS 26n
1117 The upper bound of the privileges a process and its offspring can obtain.
1118 Changes to L take effect on the next \fBexec\fR.
1119 .RE
1120 
1121 .sp
1122 .LP
1123 The sets I, P and E are typically identical to the basic set of privileges for
1124 unprivileged processes. The limit set is typically the full set of privileges.
1125 .sp
1126 .LP
1127 Each process has a Privilege Awareness State (PAS) that can take the value PA
1128 (privilege-aware) and NPA (not-PA). PAS is a transitional mechanism that allows
1129 a choice between full compatibility with the old superuser model and completely
1130 ignoring the effective UID.
1131 .sp
1132 .LP
1133 To facilitate the discussion, we introduce the notion of "observed effective
1134 set" (oE) and "observed permitted set" (oP) and the implementation sets iE and
1135 iP.
1136 .sp
1137 .LP
1138 A process becomes privilege-aware either by manipulating the effective,
1139 permitted, or limit privilege sets through \fBsetppriv\fR(2) or by using
1140 \fBsetpflags\fR(2). In all cases, oE and oP are invariant in the process of
1141 becoming privilege-aware. In the process of becoming privilege-aware, the
1142 following assignments take place:
1143 .sp
1144 .in +2
1145 .nf
1146 iE = oE
1147 iP = oP
1148 .fi
1149 .in -2
1150 
1151 .sp
1152 .LP
1153 When a process is privilege-aware, oE and oP are invariant under UID changes.
1154 When a process is not privilege-aware, oE and oP are observed as follows:
1155 .sp
1156 .in +2
1157 .nf
1158 oE = euid == 0 ? L : iE
1159 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
1160 .fi
1161 .in -2
1162 
1163 .sp
1164 .LP
1165 When a non-privilege-aware process has an effective UID of 0, it can exercise
1166 the privileges contained in its limit set, the upper bound of its privileges.
If a non-privilege-aware process has any of its UIDs equal to 0, it appears to
be capable of potentially exercising all privileges in L.
1169 .sp
1170 .LP
1171 It is possible for a process to return to the non-privilege aware state using
1172 \fBsetpflags()\fR. The kernel always attempts this on \fBexec\fR(2). This
1173 operation is permitted only if the following conditions are met:
1174 .RS +4
1175 .TP
1176 .ie t \(bu
1177 .el o
1178 If any of the UIDs is equal to 0, P must be equal to L.
1179 .RE
1180 .RS +4
1181 .TP
1182 .ie t \(bu
1183 .el o
1184 If the effective UID is equal to 0, E must be equal to L.
1185 .RE
1186 .sp
1187 .LP
1188 When a process gives up privilege awareness, the following assignments take
1189 place:
1190 .sp
1191 .in +2
1192 .nf
1193 if (euid == 0) iE = L & I
1194 if (any uid == 0) iP = L & I
1195 .fi
1196 .in -2
1197 
1198 .sp
1199 .LP
1200 The privileges obtained when not having a UID of \fB0\fR are the inheritable
1201 set of the process restricted by the limit set.
1202 .sp
1203 .LP
1204 Only privileges in the process's (observed) effective privilege set allow the
1205 process to perform restricted operations. A process can use any of the
1206 privilege manipulation functions to add or remove privileges from the privilege
1207 sets. Privileges can be removed always. Only privileges found in the permitted
1208 set can be added to the effective and inheritable set. The limit set cannot
1209 grow. The inheritable set can be larger than the permitted set.
1210 .sp
1211 .LP
1212 When a process performs an \fBexec\fR(2), the kernel first tries to relinquish
1213 privilege awareness before making the following privilege set modifications:
1214 .sp
1215 .in +2
1216 .nf
1217 E' = P' = I' = L & I
1218 L is unchanged
1219 .fi
1220 .in -2
1221 
1222 .sp
1223 .LP
1224 If a process has not manipulated its privileges, the privilege sets effectively
1225 remain the same, as E, P and I are already identical.
1226 .sp
1227 .LP
1228 The limit set is enforced at \fBexec\fR time.
1229 .sp
1230 .LP
1231 To run a non-privilege-aware application in a backward-compatible manner, a
1232 privilege-aware application should start the non-privilege-aware application
1233 with I=basic.
1234 .sp
1235 .LP
1236 For most privileges, absence of the privilege simply results in a failure. In
1237 some instances, the absense of a privilege can cause system calls to behave
1238 differently. In other instances, the removal of a privilege can force a set-uid
1239 application to seriously malfunction. Privileges of this type are considered
1240 "unsafe". When a process is lacking any of the unsafe privileges from its limit
1241 set, the system does not honor the set-uid bit of set-uid root applications.
1242 The following unsafe privileges have been identified: \fBproc_setid\fR,
1243 \fBsys_resource\fR and \fBproc_audit\fR.
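.sp
.LP
The rules above, worked through as an added example: a constructed C model of
the PAS transitions, the NPA observation rules for oE and oP, the assignments
made on \fBexec\fR(2), and the "unsafe" privilege check for set-uid root. This
is not the kernel's code and is not part of this manual page. The
six-privilege universe, the bit values, PRIV_BASIC, struct proc and the
scenario functions are assumptions made only for illustration; the real
interfaces are \fBsetppriv\fR(2), \fBsetpflags\fR(2) and \fBgetppriv\fR(2).

```c
#include <stdbool.h>
/*
 * Constructed model of the privilege-set rules described on this page. The
 * six-privilege universe, the bit values, PRIV_BASIC and struct proc are
 * illustration-only assumptions, not the kernel's representation.
 */
typedef unsigned privset_t;
enum {
	PRIV_PROC_EXEC = 1u << 0, PRIV_PROC_FORK = 1u << 1, PRIV_PROC_SETID = 1u << 2,
	PRIV_SYS_RESOURCE = 1u << 3, PRIV_PROC_AUDIT = 1u << 4, PRIV_SYS_MOUNT = 1u << 5
};
#define PRIV_ALL    ((privset_t)0x3fu)
#define PRIV_BASIC  (PRIV_PROC_EXEC | PRIV_PROC_FORK)   /* constructed subset */
#define PRIV_UNSAFE (PRIV_PROC_SETID | PRIV_SYS_RESOURCE | PRIV_PROC_AUDIT)

struct proc {
	unsigned ruid, euid, suid;
	privset_t iE, iP, I, L;   /* implementation sets iE, iP; and I, L */
	bool pa;                  /* Privilege Awareness State: PA or NPA */
};

static bool any_uid_zero(const struct proc *p)
{ return p->ruid == 0 || p->euid == 0 || p->suid == 0; }

/* oE and oP as observed by the rest of the system (the NPA rules above). */
privset_t observed_E(const struct proc *p)
{ return (!p->pa && p->euid == 0) ? p->L : p->iE; }
privset_t observed_P(const struct proc *p)
{ return (!p->pa && any_uid_zero(p)) ? p->L : p->iP; }

/* Becoming PA assigns iE = oE, iP = oP, so nothing observable changes. */
void become_pa(struct proc *p)
{
	privset_t oE = observed_E(p), oP = observed_P(p);
	p->iE = oE; p->iP = oP;
	p->pa = true;
}

/* Returning to NPA is refused unless a UID-0 process still holds all of L. */
bool relinquish_pa(struct proc *p)
{
	if (!p->pa)
		return true;
	if (any_uid_zero(p) && observed_P(p) != p->L)
		return false;
	if (p->euid == 0 && observed_E(p) != p->L)
		return false;
	if (p->euid == 0)
		p->iE = p->L & p->I;
	if (any_uid_zero(p))
		p->iP = p->L & p->I;
	p->pa = false;
	return true;
}

/* exec(2): the kernel tries to drop awareness, then E' = P' = I' = L & I. */
void do_exec(struct proc *p)
{
	(void)relinquish_pa(p);
	p->iE = p->iP = p->I = p->L & p->I;
}

/* Set-uid root is honored only while L holds every "unsafe" privilege. */
bool honors_setuid_root(privset_t L)
{ return (L & PRIV_UNSAFE) == PRIV_UNSAFE; }

/* NPA process with saved UID 0: oP is all of L, but oE is only iE. */
bool scenario_npa_saved_uid_zero(void)
{
	struct proc p = { 1000, 1000, 0, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL, false };
	return observed_E(&p) == PRIV_BASIC && observed_P(&p) == PRIV_ALL;
}

/* Root becomes PA and then leaves UID 0: oE stays invariant (PRIV_ALL). */
privset_t scenario_pa_root_setuid(void)
{
	struct proc p = { 0, 0, 0, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL, false };
	become_pa(&p);                      /* iE = oE = L */
	p.ruid = p.euid = p.suid = 1000;    /* setuid(2) away from 0 */
	return observed_E(&p);
}

/* PA root that removed one privilege from E may not return to NPA. */
bool scenario_relinquish_refused(void)
{
	struct proc p = { 0, 0, 0, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL, false };
	become_pa(&p);
	p.iE &= ~PRIV_SYS_MOUNT;            /* setppriv(PRIV_OFF, PRIV_EFFECTIVE, ...) */
	return relinquish_pa(&p);           /* false: euid == 0 but E != L */
}

/* A daemon removes PRIV_PROC_EXEC from P and L, then execs: E' = L & I. */
privset_t scenario_daemon_exec(void)
{
	struct proc p = { 1000, 1000, 1000, PRIV_ALL, PRIV_ALL, PRIV_BASIC, PRIV_ALL, true };
	p.iE &= ~PRIV_PROC_EXEC; p.iP &= ~PRIV_PROC_EXEC; p.L &= ~PRIV_PROC_EXEC;
	do_exec(&p);
	return observed_E(&p);              /* PRIV_PROC_FORK only */
}
```

.sp
.LP
The scenario functions trace the cases the text describes: a saved UID of 0 is
enough for oP to show all of L while oE shows only iE; a root process that has
become privilege-aware keeps its effective set across \fBsetuid\fR(2); a UID-0
process that removed a privilege from E is refused the return to NPA; and a
daemon that removed \fBPRIV_PROC_EXEC\fR from P and L hands only L & I to the
program it execs.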
.SS "Privilege Escalation"
.LP
In certain circumstances, a single privilege could lead to a process gaining
one or more additional privileges that were not explicitly granted to that
process. To prevent such an escalation of privileges, the security policy
requires explicit permission for those additional privileges.
.sp
.LP
Common examples of escalation are those mechanisms that allow modification of
system resources through "raw" interfaces; for example, changing kernel data
structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
Escalation also occurs when a process controls processes with more privileges
than the controlling process. A special case of this is manipulating or
creating objects owned by UID 0 or trying to obtain UID 0 using
\fBsetuid\fR(2). The special treatment of UID 0 is needed because UID 0
owns all system configuration files and ordinary file protection mechanisms
allow processes with UID 0 to modify the system configuration. With appropriate
file modifications, a given process running with an effective UID of 0 can gain
all privileges.
.sp
.LP
In situations where a process might obtain UID 0, the security policy requires
additional privileges, up to the full set of privileges. Such restrictions
could be relaxed or removed at such time as additional mechanisms for
protection of system files become available. There are no such mechanisms in
the current Solaris release.
.sp
.LP
The use of UID 0 processes should be limited as much as possible. They should
be replaced with programs running under a different UID but with exactly the
privileges they need.
.sp
.LP
Daemons that never need to \fBexec\fR subprocesses should remove the
\fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
.SS "Assigned Privileges and Safeguards"
.LP
When privileges are assigned to a user, the system administrator could give
that user more powers than intended. The administrator should consider whether
safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
privilege is given to a user, the administrator should consider setting the
\fBproject.max-locked-memory\fR resource control as well, to prevent that user
from locking all memory.
.SS "Privilege Debugging"
.LP
When a system call fails with a permission error, it is not always immediately
obvious what caused the problem. To debug such a problem, you can use a tool
called \fBprivilege debugging\fR. When privilege debugging is enabled for a
process, the kernel reports missing privileges on the controlling terminal of
the process. (Enable debugging for a process with the \fB-D\fR option of
\fBppriv\fR(1).) Additionally, the administrator can enable system-wide
privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR
using:
.sp
.in +2
.nf
set priv_debug = 1
.fi
.in -2

.sp
.LP
On a running system, you can use \fBmdb\fR(1) to change this variable.
.SS "Privilege Administration"
.LP
The Solaris Management Console (see \fBsmc\fR(1M)) is the preferred method of
modifying privileges for a command. Use \fBusermod\fR(1M) or \fBsmrole\fR(1M)
to assign privileges to or modify privileges for, respectively, a user or a
role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
\fBtruss\fR(1) to determine which privileges a program requires.
.SH SEE ALSO
.LP
\fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
\fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
\fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
\fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
\fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
\fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2),
\fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2),
\fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2),
\fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2),
\fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2),
\fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2),
\fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2),
\fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2),
\fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2),
\fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2),
\fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2),
\fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2),
\fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2),
\fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2),
\fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C),
\fBpriv_addset\fR(3C), \fBpriv_set\fR(3C), \fBpriv_getbyname\fR(3C),
\fBpriv_getbynum\fR(3C), \fBpriv_set_to_str\fR(3C), \fBpriv_str_to_set\fR(3C),
\fBsocket\fR(3SOCKET), \fBt_bind\fR(3NSL), \fBtimer_create\fR(3C),
\fBucred_get\fR(3C), \fBexec_attr\fR(4), \fBproc\fR(4), \fBsystem\fR(4),
\fBuser_attr\fR(4), \fBxVM\fR(5), \fBddi_cred\fR(9F), \fBdrv_priv\fR(9F),
\fBpriv_getbyname\fR(9F), \fBpriv_policy\fR(9F), \fBpriv_policy_choice\fR(9F),
\fBpriv_policy_only\fR(9F)
.sp
.LP
\fISystem Administration Guide: Security Services\fR