uts: Allow for address space randomisation.
Randomise the base addresses of shared objects, non-fixed mappings, the
stack and the heap. Introduce a service, svc:/system/process-security,
and a tool psecflags(1) to control and observe it
--- old/usr/src/man/man5/privileges.5.man.txt
+++ new/usr/src/man/man5/privileges.5.man.txt
1 1 PRIVILEGES(5) Standards, Environments, and Macros PRIVILEGES(5)
2 2
3 3
4 4
5 5 NAME
6 6 privileges - process privilege model
7 7
8 8 DESCRIPTION
9 9 Solaris software implements a set of privileges that provide fine-
10 10 grained control over the actions of processes. The possession of a
11 11 certain privilege allows a process to perform a specific set of
12 12 restricted operations.
13 13
14 14
15 15 The change to a primarily privilege-based security model in the Solaris
16 16 operating system gives developers an opportunity to restrict processes
17 17 to those privileged operations actually needed instead of all (super-
18 18 user) or no privileges (non-zero UIDs). Additionally, a set of
19 19 previously unrestricted operations now requires a privilege; these
20 20 privileges are dubbed the "basic" privileges and are by default given
21 21 to all processes.
22 22
23 23
24 24 Taken together, all defined privileges with the exception of the
25 25 "basic" privileges compose the set of privileges that are traditionally
26 26 associated with the root user. The "basic" privileges are "privileges"
27 27 unprivileged processes were accustomed to having.
28 28
29 29
30 30 The defined privileges are:
31 31
32 32 PRIV_CONTRACT_EVENT
33 33 Allow a process to request reliable delivery of events to an event
34 34 endpoint.
35 35
36 36 Allow a process to include events in the critical event set term of
37 37 a template which could be generated in volume by the user.
38 38
39 39
40 40 PRIV_CONTRACT_IDENTITY
41 41 Allows a process to set the service FMRI value of a process
42 42 contract template.
43 43
44 44
45 45 PRIV_CONTRACT_OBSERVER
46 46 Allow a process to observe contract events generated by contracts
47 47 created and owned by users other than the process's effective user
48 48 ID.
49 49
50 50 Allow a process to open contract event endpoints belonging to
51 51 contracts created and owned by users other than the process's
52 52 effective user ID.
53 53
54 54
55 55 PRIV_CPC_CPU
56 56 Allow a process to access per-CPU hardware performance counters.
57 57
58 58
59 59 PRIV_DTRACE_KERNEL
60 60 Allow DTrace kernel-level tracing.
61 61
62 62
63 63 PRIV_DTRACE_PROC
64 64 Allow DTrace process-level tracing. Allow process-level tracing
65 65 probes to be placed and enabled in processes to which the user has
66 66 permissions.
67 67
68 68
69 69 PRIV_DTRACE_USER
70 70 Allow DTrace user-level tracing. Allow use of the syscall and
71 71 profile DTrace providers to examine processes to which the user has
72 72 permissions.
73 73
74 74
75 75 PRIV_FILE_CHOWN
76 76 Allow a process to change a file's owner user ID. Allow a process
77 77 to change a file's group ID to one other than the process's
78 78 effective group ID or one of the process's supplemental group IDs.
79 79
80 80
81 81 PRIV_FILE_CHOWN_SELF
82 82 Allow a process to give away its files. A process with this
83 83 privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.
84 84
85 85
86 86 PRIV_FILE_DAC_EXECUTE
87 87 Allow a process to execute an executable file whose permission bits
88 88 or ACL would otherwise disallow the process execute permission.
89 89
90 90
91 91 PRIV_FILE_DAC_READ
92 92 Allow a process to read a file or directory whose permission bits
93 93 or ACL would otherwise disallow the process read permission.
94 94
95 95
96 96 PRIV_FILE_DAC_SEARCH
97 97 Allow a process to search a directory whose permission bits or ACL
98 98 would not otherwise allow the process search permission.
99 99
100 100
101 101 PRIV_FILE_DAC_WRITE
102 102 Allow a process to write a file or directory whose permission bits
103 103 or ACL do not allow the process write permission. All privileges
104 104 are required to write files owned by UID 0 in the absence of an
105 105 effective UID of 0.
106 106
107 107
108 108 PRIV_FILE_DOWNGRADE_SL
109 109 Allow a process to set the sensitivity label of a file or directory
110 110 to a sensitivity label that does not dominate the existing
111 111 sensitivity label.
112 112
113 113 This privilege is interpreted only if the system is configured with
114 114 Trusted Extensions.
115 115
116 116
117 117 PRIV_FILE_FLAG_SET
118 118 Allows a process to set immutable, nounlink or appendonly file
119 119 attributes.
120 120
121 121
122 122 PRIV_FILE_LINK_ANY
123 123 Allow a process to create hardlinks to files owned by a UID
124 124 different from the process's effective UID.
125 125
126 126
127 127 PRIV_FILE_OWNER
128 128 Allow a process that is not the owner of a file to modify that
129 129 file's access and modification times. Allow a process that is not
130 130 the owner of a directory to modify that directory's access and
131 131 modification times. Allow a process that is not the owner of a file
132 132 or directory to remove or rename a file or directory whose parent
133 133 directory has the "save text image after execution" (sticky) bit
134 134 set. Allow a process that is not the owner of a file to mount a
135 135 namefs upon that file. Allow a process that is not the owner of a
136 136 file or directory to modify that file's or directory's permission
137 137 bits or ACL.
138 138
139 139
140 140 PRIV_FILE_READ
141 141 Allow a process to read objects in the filesystem.
142 142
143 143
144 144 PRIV_FILE_SETID
145 145 Allow a process to change the ownership of a file or write to a
146 146 file without the set-user-ID and set-group-ID bits being cleared. Allow
147 147 a process to set the set-group-ID bit on a file or directory whose
148 148 group is not the process's effective group or one of the process's
149 149 supplemental groups. Allow a process to set the set-user-ID bit on a
150 150 file with different ownership in the presence of PRIV_FILE_OWNER.
151 151 Additional restrictions apply when creating or modifying a setuid 0
152 152 file.
153 153
154 154
155 155 PRIV_FILE_UPGRADE_SL
156 156 Allow a process to set the sensitivity label of a file or directory
157 157 to a sensitivity label that dominates the existing sensitivity
158 158 label.
159 159
160 160 This privilege is interpreted only if the system is configured with
161 161 Trusted Extensions.
162 162
163 163
164 164 PRIV_FILE_WRITE
165 165 Allow a process to modify objects in the filesytem.
166 166
167 167
168 168 PRIV_GRAPHICS_ACCESS
169 169 Allow a process to make privileged ioctls to graphics devices.
170 170 Typically only an xserver process needs to have this privilege. A
171 171 process with this privilege is also allowed to perform privileged
172 172 graphics device mappings.
173 173
174 174
175 175 PRIV_GRAPHICS_MAP
176 176 Allow a process to perform privileged mappings through a graphics
177 177 device.
178 178
179 179
180 180 PRIV_IPC_DAC_READ
181 181 Allow a process to read a System V IPC Message Queue, Semaphore
182 182 Set, or Shared Memory Segment whose permission bits would not
183 183 otherwise allow the process read permission.
184 184
185 185
186 186 PRIV_IPC_DAC_WRITE
187 187 Allow a process to write a System V IPC Message Queue, Semaphore
188 188 Set, or Shared Memory Segment whose permission bits would not
189 189 otherwise allow the process write permission.
190 190
191 191
192 192 PRIV_IPC_OWNER
193 193 Allow a process that is not the owner of a System V IPC Message
194 194 Queue, Semaphore Set, or Shared Memory Segment to remove, change
195 195 ownership of, or change permission bits of the Message Queue,
196 196 Semaphore Set, or Shared Memory Segment.
197 197
198 198
199 199 PRIV_NET_ACCESS
200 200 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint.
201 201
202 202
203 203 PRIV_NET_BINDMLP
204 204 Allow a process to bind to a port that is configured as a multi-
205 205 level port (MLP) for the process's zone. This privilege applies to
206 206 both shared address and zone-specific address MLPs. See tnzonecfg(4)
207 207 from the Trusted Extensions manual pages for information on
208 208 configuring MLP ports.
209 209
210 210 This privilege is interpreted only if the system is configured with
211 211 Trusted Extensions.
212 212
213 213
214 214 PRIV_NET_ICMPACCESS
215 215 Allow a process to send and receive ICMP packets.
216 216
217 217
218 218 PRIV_NET_MAC_AWARE
219 219 Allow a process to set the NET_MAC_AWARE process flag by using
220 220 setpflags(2). This privilege also allows a process to set the
221 221 SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The
222 222 NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both
223 223 allow a local process to communicate with an unlabeled peer if the
224 224 local process's label dominates the peer's default label, or if the
225 225 local process runs in the global zone.
226 226
227 227 This privilege is interpreted only if the system is configured with
228 228 Trusted Extensions.
229 229
230 230
231 231 PRIV_NET_MAC_IMPLICIT
232 232 Allow a proces to set SO_MAC_IMPLICIT option by using
233 233 setsockopt(3SOCKET). This allows a privileged process to transmit
234 234 implicitly-labeled packets to a peer.
235 235
236 236 This privilege is interpreted only if the system is configured with
237 237 Trusted Extensions.
238 238
239 239
240 240 PRIV_NET_OBSERVABILITY
241 241 Allow a process to open a device for just receiving network
242 242 traffic, sending traffic is disallowed.
243 243
244 244
245 245 PRIV_NET_PRIVADDR
246 246 Allow a process to bind to a privileged port number. The privilege
247 247 port numbers are 1-1023 (the traditional UNIX privileged ports) as
248 248 well as those ports marked as "udp/tcp_extra_priv_ports" with the
249 249 exception of the ports reserved for use by NFS and SMB.
250 250
251 251
252 252 PRIV_NET_RAWACCESS
253 253 Allow a process to have direct access to the network layer.
254 254
255 255
256 256 PRIV_PROC_AUDIT
257 257 Allow a process to generate audit records. Allow a process to get
258 258 its own audit pre-selection information.
259 259
260 260
261 261 PRIV_PROC_CHROOT
262 262 Allow a process to change its root directory.
263 263
264 264
265 265 PRIV_PROC_CLOCK_HIGHRES
266 266 Allow a process to use high resolution timers.
267 267
268 268
269 269 PRIV_PROC_EXEC
270 270 Allow a process to call exec(2).
271 271
272 272
273 273 PRIV_PROC_FORK
274 274 Allow a process to call fork(2), fork1(2), or vfork(2).
275 275
276 276
277 277 PRIV_PROC_INFO
278 278 Allow a process to examine the status of processes other than those
279 279 to which it can send signals. Processes that cannot be examined
280 280 cannot be seen in /proc and appear not to exist.
281 281
282 282
283 283 PRIV_PROC_LOCK_MEMORY
284 284 Allow a process to lock pages in physical memory.
285 285
286 286
287 287 PRIV_PROC_OWNER
288 288 Allow a process to send signals to other processes and inspect and
289 289 modify the process state in other processes, regardless of
290 290 ownership. When modifying another process, additional restrictions
291 291 apply: the effective privilege set of the attaching process must be
292 292 a superset of the target process's effective, permitted, and
293 293 inheritable sets; the limit set must be a superset of the target's
294 294 limit set; if the target process has any UID set to 0 all privilege
295 295 must be asserted unless the effective UID is 0. Allow a process to
296 296 bind arbitrary processes to CPUs.
297 297
298 298
299 299 PRIV_PROC_PRIOUP
300 300 Allow a process to elevate its priority above its current level.
301 301
302 302
303 303 PRIV_PROC_PRIOCNTL
304 304 Allows all that PRIV_PROC_PRIOUP allows. Allow a process to change
305 305 its scheduling class to any scheduling class, including the RT
306 306 class.
307 307
308 308
309 + PRIV_PROC_SECFLAGS
310 + Allow a process to manipulate the secflags of processes (subject
311 + to, additionally, the ability to signal that process)
312 +
313 +
309 314 PRIV_PROC_SESSION
310 315 Allow a process to send signals or trace processes outside its
311 316 session.
312 317
313 318
314 319 PRIV_PROC_SETID
315 320 Allow a process to set its UIDs at will, assuming UID 0 requires
316 321 all privileges to be asserted.
317 322
318 323
319 324 PRIV_PROC_TASKID
320 325 Allow a process to assign a new task ID to the calling process.
321 326
322 327
323 328 PRIV_PROC_ZONE
324 329 Allow a process to trace or send signals to processes in other
325 330 zones. See zones(5).
326 331
327 332
328 333 PRIV_SYS_ACCT
329 334 Allow a process to enable and disable and manage accounting through
330 335 acct(2).
331 336
332 337
333 338 PRIV_SYS_ADMIN
334 339 Allow a process to perform system administration tasks such as
335 340 setting node and domain name and specifying coreadm(1M) and
336 341 nscd(1M) settings
337 342
338 343
339 344 PRIV_SYS_AUDIT
340 345 Allow a process to start the (kernel) audit daemon. Allow a process
341 346 to view and set audit state (audit user ID, audit terminal ID,
342 347 audit sessions ID, audit pre-selection mask). Allow a process to
343 348 turn off and on auditing. Allow a process to configure the audit
344 349 parameters (cache and queue sizes, event to class mappings, and
345 350 policy options).
346 351
347 352
348 353 PRIV_SYS_CONFIG
349 354 Allow a process to perform various system configuration tasks.
350 355 Allow filesystem-specific administrative procedures, such as
351 356 filesystem configuration ioctls, quota calls, creation and deletion
352 357 of snapshots, and manipulating the PCFS bootsector.
353 358
354 359
355 360 PRIV_SYS_DEVICES
356 361 Allow a process to create device special files. Allow a process to
357 362 successfully call a kernel module that calls the kernel
358 363 drv_priv(9F) function to check for allowed access. Allow a process
359 364 to open the real console device directly. Allow a process to open
360 365 devices that have been exclusively opened.
361 366
362 367
363 368 PRIV_SYS_DL_CONFIG
364 369 Allow a process to configure a system's datalink interfaces.
365 370
366 371
367 372 PRIV_SYS_IP_CONFIG
368 373 Allow a process to configure a system's IP interfaces and routes.
369 374 Allow a process to configure network parameters for TCP/IP using
370 375 ndd. Allow a process access to otherwise restricted TCP/IP
371 376 information using ndd. Allow a process to configure IPsec. Allow a
372 377 process to pop anchored STREAMs modules with matching zoneid.
373 378
374 379
375 380 PRIV_SYS_IPC_CONFIG
376 381 Allow a process to increase the size of a System V IPC Message
377 382 Queue buffer.
378 383
379 384
380 385 PRIV_SYS_IPTUN_CONFIG
381 386 Allow a process to configure IP tunnel links.
382 387
383 388
384 389 PRIV_SYS_LINKDIR
385 390 Allow a process to unlink and link directories.
386 391
387 392
388 393 PRIV_SYS_MOUNT
389 394 Allow a process to mount and unmount filesystems that would
390 395 otherwise be restricted (that is, most filesystems except namefs).
391 396 Allow a process to add and remove swap devices.
392 397
393 398
394 399 PRIV_SYS_NET_CONFIG
395 400 Allow a process to do all that PRIV_SYS_IP_CONFIG,
396 401 PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
397 402 following: use the rpcmod STREAMS module and insert/remove STREAMS
398 403 modules on locations other than the top of the module stack.
399 404
400 405
401 406 PRIV_SYS_NFS
402 407 Allow a process to provide NFS service: start NFS kernel threads,
403 408 perform NFS locking operations, bind to NFS reserved ports: ports
404 409 2049 (nfs) and port 4045 (lockd).
405 410
406 411
407 412 PRIV_SYS_PPP_CONFIG
408 413 Allow a process to create, configure, and destroy PPP instances
409 414 with pppd(1M) pppd(1M) and control PPPoE plumbing with
410 415 sppptun(1M)sppptun(1M). This privilege is granted by default to
411 416 exclusive IP stack instance zones.
412 417
413 418
414 419 PRIV_SYS_RES_BIND
415 420 Allows a process to bind processes to processor sets.
416 421
417 422
418 423 PRIV_SYS_RES_CONFIG
419 424 Allows all that PRIV_SYS_RES_BIND allows. Allow a process to
420 425 create and delete processor sets, assign CPUs to processor sets and
421 426 override the PSET_NOESCAPE property. Allow a process to change the
422 427 operational status of CPUs in the system using p_online(2). Allow a
423 428 process to configure filesystem quotas. Allow a process to
424 429 configure resource pools and bind processes to pools.
425 430
426 431
427 432 PRIV_SYS_RESOURCE
428 433 Allow a process to exceed the resource limits imposed on it by
429 434 setrlimit(2) and setrctl(2).
430 435
431 436
432 437 PRIV_SYS_SMB
433 438 Allow a process to provide NetBIOS or SMB services: start SMB
434 439 kernel threads or bind to NetBIOS or SMB reserved ports: ports 137,
435 440 138, 139 (NetBIOS) and 445 (SMB).
436 441
437 442
438 443 PRIV_SYS_SUSER_COMPAT
439 444 Allow a process to successfully call a third party loadable module
440 445 that calls the kernel suser() function to check for allowed access.
441 446 This privilege exists only for third party loadable module
442 447 compatibility and is not used by Solaris proper.
443 448
444 449
445 450 PRIV_SYS_TIME
446 451 Allow a process to manipulate system time using any of the
447 452 appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).
448 453
449 454
450 455 PRIV_SYS_TRANS_LABEL
451 456 Allow a process to translate labels that are not dominated by the
452 457 process's sensitivity label to and from an external string form.
453 458
454 459 This privilege is interpreted only if the system is configured with
455 460 Trusted Extensions.
456 461
457 462
458 463 PRIV_VIRT_MANAGE
459 464 Allows a process to manage virtualized environments such as xVM(5).
460 465
461 466
462 467 PRIV_WIN_COLORMAP
463 468 Allow a process to override colormap restrictions.
464 469
465 470 Allow a process to install or remove colormaps.
466 471
467 472 Allow a process to retrieve colormap cell entries allocated by
468 473 other processes.
469 474
470 475 This privilege is interpreted only if the system is configured with
471 476 Trusted Extensions.
472 477
473 478
474 479 PRIV_WIN_CONFIG
475 480 Allow a process to configure or destroy resources that are
476 481 permanently retained by the X server.
477 482
478 483 Allow a process to use SetScreenSaver to set the screen saver
479 484 timeout value
480 485
481 486 Allow a process to use ChangeHosts to modify the display access
482 487 control list.
483 488
484 489 Allow a process to use GrabServer.
485 490
486 491 Allow a process to use the SetCloseDownMode request that can retain
487 492 window, pixmap, colormap, property, cursor, font, or graphic
488 493 context resources.
489 494
490 495 This privilege is interpreted only if the system is configured with
491 496 Trusted Extensions.
492 497
493 498
494 499 PRIV_WIN_DAC_READ
495 500 Allow a process to read from a window resource that it does not own
496 501 (has a different user ID).
497 502
498 503 This privilege is interpreted only if the system is configured with
499 504 Trusted Extensions.
500 505
501 506
502 507 PRIV_WIN_DAC_WRITE
503 508 Allow a process to write to or create a window resource that it
504 509 does not own (has a different user ID). A newly created window
505 510 property is created with the window's user ID.
506 511
507 512 This privilege is interpreted only if the system is configured with
508 513 Trusted Extensions.
509 514
510 515
511 516 PRIV_WIN_DEVICES
512 517 Allow a process to perform operations on window input devices.
513 518
514 519 Allow a process to get and set keyboard and pointer controls.
515 520
516 521 Allow a process to modify pointer button and key mappings.
517 522
518 523 This privilege is interpreted only if the system is configured with
519 524 Trusted Extensions.
520 525
521 526
522 527 PRIV_WIN_DGA
523 528 Allow a process to use the direct graphics access (DGA) X protocol
524 529 extensions. Direct process access to the frame buffer is still
525 530 required. Thus the process must have MAC and DAC privileges that
526 531 allow access to the frame buffer, or the frame buffer must be
527 532 allocated to the process.
528 533
529 534 This privilege is interpreted only if the system is configured with
530 535 Trusted Extensions.
531 536
532 537
533 538 PRIV_WIN_DOWNGRADE_SL
534 539 Allow a process to set the sensitivity label of a window resource
535 540 to a sensitivity label that does not dominate the existing
536 541 sensitivity label.
537 542
538 543 This privilege is interpreted only if the system is configured with
539 544 Trusted Extensions.
540 545
541 546
542 547 PRIV_WIN_FONTPATH
543 548 Allow a process to set a font path.
544 549
545 550 This privilege is interpreted only if the system is configured with
546 551 Trusted Extensions.
547 552
548 553
549 554 PRIV_WIN_MAC_READ
550 555 Allow a process to read from a window resource whose sensitivity
551 556 label is not equal to the process sensitivity label.
552 557
553 558 This privilege is interpreted only if the system is configured with
554 559 Trusted Extensions.
555 560
556 561
557 562 PRIV_WIN_MAC_WRITE
558 563 Allow a process to create a window resource whose sensitivity label
559 564 is not equal to the process sensitivity label. A newly created
560 565 window property is created with the window's sensitivity label.
561 566
562 567 This privilege is interpreted only if the system is configured with
563 568 Trusted Extensions.
564 569
565 570
566 571 PRIV_WIN_SELECTION
567 572 Allow a process to request inter-window data moves without the
568 573 intervention of the selection confirmer.
569 574
570 575 This privilege is interpreted only if the system is configured with
571 576 Trusted Extensions.
572 577
573 578
574 579 PRIV_WIN_UPGRADE_SL
575 580 Allow a process to set the sensitivity label of a window resource
576 581 to a sensitivity label that dominates the existing sensitivity
577 582 label.
578 583
579 584 This privilege is interpreted only if the system is configured with
580 585 Trusted Extensions.
581 586
582 587
583 588 PRIV_XVM_CONTROL
584 589 Allows a process access to the xVM(5) control devices for managing
585 590 guest domains and the hypervisor. This privilege is used only if
586 591 booted into xVM on x86 platforms.
587 592
588 593
589 594
590 595 Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
591 596 PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK and PRIV_PROC_EXEC
592 597 are considered "basic" privileges. These are privileges that used to be
593 598 always available to unprivileged processes. By default, processes still
594 599 have the basic privileges.
595 600
596 601
597 602 The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
598 603 the Limit set (see below) of a process in order for set-uid root execs
599 604 to be successful, that is, get an effective UID of 0 and additional
600 605 privileges.
601 606
602 607
603 608 The privilege implementation in Solaris extends the process credential
604 609 with four privilege sets:
605 610
606 611 I, the inheritable set
607 612 The privileges inherited on exec.
608 613
609 614
610 615 P, the permitted set
611 616 The maximum set of privileges for the
612 617 process.
613 618
614 619
615 620 E, the effective set
616 621 The privileges currently in effect.
617 622
618 623
619 624 L, the limit set
620 625 The upper bound of the privileges a process
621 626 and its offspring can obtain. Changes to L
622 627 take effect on the next exec.
623 628
624 629
625 630
626 631 The sets I, P and E are typically identical to the basic set of
627 632 privileges for unprivileged processes. The limit set is typically the
628 633 full set of privileges.
629 634
630 635
631 636 Each process has a Privilege Awareness State (PAS) that can take the
632 637 value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
633 638 mechanism that allows a choice between full compatibility with the old
634 639 superuser model and completely ignoring the effective UID.
635 640
636 641
637 642 To facilitate the discussion, we introduce the notion of "observed
638 643 effective set" (oE) and "observed permitted set" (oP) and the
639 644 implementation sets iE and iP.
640 645
641 646
642 647 A process becomes privilege-aware either by manipulating the effective,
643 648 permitted, or limit privilege sets through setppriv(2) or by using
644 649 setpflags(2). In all cases, oE and oP are invariant in the process of
645 650 becoming privilege-aware. In the process of becoming privilege-aware, the
646 651 following assignments take place:
647 652
648 653 iE = oE
649 654 iP = oP
650 655
651 656
652 657
653 658 When a process is privilege-aware, oE and oP are invariant under UID
654 659 changes. When a process is not privilege-aware, oE and oP are observed
655 660 as follows:
656 661
657 662 oE = euid == 0 ? L : iE
658 663 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
659 664
660 665
661 666
662 667 When a non-privilege-aware process has an effective UID of 0, it can
663 668 exercise the privileges contained in its limit set, the upper bound of
664 669 its privileges. If a non-privilege-aware process has any of the UIDs 0,
665 670 it appears to be capable of potentially exercising all privileges in L.
666 671
667 672
668 673 It is possible for a process to return to the non-privilege aware state
669 674 using setpflags(). The kernel always attempts this on exec(2). This
670 675 operation is permitted only if the following conditions are met:
671 676
672 677 o If any of the UIDs is equal to 0, P must be equal to L.
673 678
674 679 o If the effective UID is equal to 0, E must be equal to L.
675 680
676 681
677 682 When a process gives up privilege awareness, the following assignments
678 683 take place:
679 684
680 685 if (euid == 0) iE = L & I
681 686 if (any uid == 0) iP = L & I
682 687
683 688
684 689
685 690 The privileges obtained when not having a UID of 0 are the inheritable
686 691 set of the process restricted by the limit set.
687 692
688 693
689 694 Only privileges in the process's (observed) effective privilege set
690 695 allow the process to perform restricted operations. A process can use
691 696 any of the privilege manipulation functions to add or remove privileges
692 697 from the privilege sets. Privileges can be removed always. Only
693 698 privileges found in the permitted set can be added to the effective and
694 699 inheritable set. The limit set cannot grow. The inheritable set can be
695 700 larger than the permitted set.
696 701
697 702
698 703 When a process performs an exec(2), the kernel first tries to
699 704 relinquish privilege awareness before making the following privilege
700 705 set modifications:
701 706
702 707 E' = P' = I' = L & I
703 708 L is unchanged
704 709
705 710
706 711
707 712 If a process has not manipulated its privileges, the privilege sets
708 713 effectively remain the same, as E, P and I are already identical.
709 714
710 715
711 716 The limit set is enforced at exec time.
712 717
713 718
714 719 To run a non-privilege-aware application in a backward-compatible manner,
715 720 a privilege-aware application should start the non-privilege-aware
716 721 application with I=basic.
717 722
718 723
719 724 For most privileges, absence of the privilege simply results in a
720 725 failure. In some instances, the absense of a privilege can cause system
721 726 calls to behave differently. In other instances, the removal of a
722 727 privilege can force a set-uid application to seriously malfunction.
723 728 Privileges of this type are considered "unsafe". When a process is
724 729 lacking any of the unsafe privileges from its limit set, the system
725 730 does not honor the set-uid bit of set-uid root applications. The
726 731 following unsafe privileges have been identified: proc_setid,
727 732 sys_resource and proc_audit.
728 733
729 734 Privilege Escalation
730 735 In certain circumstances, a single privilege could lead to a process
731 736 gaining one or more additional privileges that were not explicitly
732 737 granted to that process. To prevent such an escalation of privileges,
733 738 the security policy requires explicit permission for those additional
734 739 privileges.
735 740
736 741
737 742 Common examples of escalation are those mechanisms that allow
738 743 modification of system resources through "raw'' interfaces; for
739 744 example, changing kernel data structures through /dev/kmem or changing
740 745 files through /dev/dsk/*. Escalation also occurs when a process
741 746 controls processes with more privileges than the controlling process. A
742 747 special case of this is manipulating or creating objects owned by UID 0
743 748 or trying to obtain UID 0 using setuid(2). The special treatment of UID
744 749 0 is needed because the UID 0 owns all system configuration files and
745 750 ordinary file protection mechanisms allow processes with UID 0 to
746 751 modify the system configuration. With appropriate file modifications, a
747 752 given process running with an effective UID of 0 can gain all
748 753 privileges.
749 754
750 755
751 756 In situations where a process might obtain UID 0, the security policy
752 757 requires additional privileges, up to the full set of privileges. Such
753 758 restrictions could be relaxed or removed at such time as additional
754 759 mechanisms for protection of system files became available. There are
755 760 no such mechanisms in the current Solaris release.
756 761
757 762
758 763 The use of UID 0 processes should be limited as much as possible. They
759 764 should be replaced with programs running under a different UID but with
760 765 exactly the privileges they need.
761 766
762 767
763 768 Daemons that never need to exec subprocesses should remove the
764 769 PRIV_PROC_EXEC privilege from their permitted and limit sets.
765 770
766 771 Assigned Privileges and Safeguards
767 772 When privileges are assigned to a user, the system administrator could
768 773 give that user more powers than intended. The administrator should
769 774 consider whether safeguards are needed. For example, if the
770 775 PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
771 776 should consider setting the project.max-locked-memory resource control as
772 777 well, to prevent that user from locking all memory.
773 778
774 779 Privilege Debugging
775 780 When a system call fails with a permission error, it is not always
776 781 immediately obvious what caused the problem. To debug such a problem,
777 782 you can use a tool called privilege debugging. When privilege debugging
778 783 is enabled for a process, the kernel reports missing privileges on the
779 784 controlling terminal of the process. (Enable debugging for a process
780 785 with the -D option of ppriv(1).) Additionally, the administrator can
781 786 enable system-wide privilege debugging by setting the system(4) variable
782 787 priv_debug using:
783 788
784 789 set priv_debug = 1
785 790
786 791
787 792
788 793 On a running system, you can use mdb(1) to change this variable.
789 794
790 795 Privilege Administration
791 796 The Solaris Management Console (see smc(1M)) is the preferred method of
792 797 modifying privileges for a command. Use usermod(1M) or smrole(1M) to
793 798 assign privileges to or modify privileges for, respectively, a user or
794 799 a role. Use ppriv(1) to enumerate the privileges supported on a system
795 800 and truss(1) to determine which privileges a program requires.
796 801
797 802 SEE ALSO
798 803 mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
799 804 pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2),
800 805 access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2),
801 806 chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2),
802 807 fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2),
803 808 kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2),
804 809 ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
805 810 processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
806 811 resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2),
807 812 seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2),
808 813 setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2),
809 814 setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
810 815 statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2),
811 816 umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET),
812 817 door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C),
813 818 priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C),
814 819 socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C),
815 820 exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
816 821 drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
817 822 priv_policy_choice(9F), priv_policy_only(9F)
818 823
819 824
820 825 System Administration Guide: Security Services
821 826
822 827
823 828
824 829 February 3, 2015 PRIVILEGES(5)
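Review bot: the new PRIV_PROC_SECFLAGS entry (new lines 309-311) is the only privilege description in this file whose text ends without a full stop, and its parenthetical "(subject to, additionally, the ability to signal that process)" reads awkwardly; suggest "Allow a process to manipulate the secflags of processes that it could otherwise signal." so the wording matches the PRIV_PROC_OWNER and PRIV_PROC_SESSION entries, which also express their scope in terms of signalling. The entry also never names the tool this change introduces: the description at the top of the webrev says psecflags(1) controls and observes these flags, yet neither the entry nor the SEE ALSO list (new lines 803-822, which already carries ppriv(1)) mentions psecflags(1), so a reader of privileges(5) gets no pointer to where secflags themselves are documented. Adding psecflags(1) to SEE ALSO and a short "See psecflags(1)." at the end of the entry would close that gap.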