uts: add a concept of a 'default' set of privileges, separate from 'basic'
--- old/usr/src/man/man5/privileges.5.man.txt
+++ new/usr/src/man/man5/privileges.5.man.txt
1 1 PRIVILEGES(5) Standards, Environments, and Macros PRIVILEGES(5)
2 2
3 3
4 4
5 5 NAME
6 6 privileges - process privilege model
7 7
8 8 DESCRIPTION
9 9 Solaris software implements a set of privileges that provide fine-
10 10 grained control over the actions of processes. The possession of a
11 11 certain privilege allows a process to perform a specific set of
12 12 restricted operations.
13 13
14 14
15 15 The change to a primarily privilege-based security model in the Solaris
16 16 operating system gives developers an opportunity to restrict processes
17 17 to those privileged operations actually needed instead of all (super-
18 18 user) or no privileges (non-zero UIDs). Additionally, a set of
19 19 previously unrestricted operations now requires a privilege; these
20 - privileges are dubbed the "basic" privileges and are by default given
21 - to all processes.
20 + privileges are dubbed the "basic" privileges.
21 +
22 +
23 + The "basic" privileges, and certain privileges representing concepts
24 + not traditionally present are, by default, given to all processes.
25 + These are the "default" set of privileges.
22 26
23 27
24 28 Taken together, all defined privileges with the exception of the
25 - "basic" privileges compose the set of privileges that are traditionally
26 - associated with the root user. The "basic" privileges are "privileges"
27 - unprivileged processes were accustomed to having.
29 + "default" privileges compose the set of privileges that are
30 + traditionally associated with the root user. The "basic" privileges are
31 + "privileges" unprivileged processes were accustomed to having, and the
32 + "default" privileges are the "basic" privileges plus additions that
33 + while unprivileged processes aren't accustomed to, they should now
34 + have.
28 35
29 36
30 37 The defined privileges are:
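Review bot: the added paragraphs introduce a "default" privilege set but never say which privileges it contains beyond the "basic" ones, and the rest of the page is left describing only "basic": the paragraph that enumerates the basic privileges later in this file still ends with "By default, processes still have the basic privileges", the sentence "The sets I, P and E are typically identical to the basic set of privileges for unprivileged processes" is unchanged, and the advice to start a non-privilege-aware application "with I=basic" is unchanged. Either enumerate the default set next to the basic set and update those three passages to refer to it, or a reader cannot tell what a freshly created process actually holds. The new sentence "The "basic" privileges, and certain privileges representing concepts not traditionally present are, by default, given to all processes." also needs a comma before "are", and "plus additions that while unprivileged processes aren't accustomed to, they should now have" would read more cleanly as "plus additions that unprivileged processes are not accustomed to but should now have". Since the whole file is shown, the existing typos "filesytem", "proces" and "absense" and the doubled cross references "pppd(1M) pppd(1M)" and "sppptun(1M)sppptun(1M)" could be cleaned up in the same change.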
31 38
32 39 PRIV_CONTRACT_EVENT
33 40
34 41 Allow a process to request reliable delivery of events to an event
35 42 endpoint.
36 43
37 44 Allow a process to include events in the critical event set term of
38 45 a template which could be generated in volume by the user.
39 46
40 47
41 48 PRIV_CONTRACT_IDENTITY
42 49
43 50 Allows a process to set the service FMRI value of a process
44 51 contract template.
45 52
46 53
47 54 PRIV_CONTRACT_OBSERVER
48 55
49 56 Allow a process to observe contract events generated by contracts
50 57 created and owned by users other than the process's effective user
51 58 ID.
52 59
53 60 Allow a process to open contract event endpoints belonging to
54 61 contracts created and owned by users other than the process's
55 62 effective user ID.
56 63
57 64
58 65 PRIV_CPC_CPU
59 66
60 67 Allow a process to access per-CPU hardware performance counters.
61 68
62 69
63 70 PRIV_DTRACE_KERNEL
64 71
65 72 Allow DTrace kernel-level tracing.
66 73
67 74
68 75 PRIV_DTRACE_PROC
69 76
70 77 Allow DTrace process-level tracing. Allow process-level tracing
71 78 probes to be placed and enabled in processes to which the user has
72 79 permissions.
73 80
74 81
75 82 PRIV_DTRACE_USER
76 83
77 84 Allow DTrace user-level tracing. Allow use of the syscall and
78 85 profile DTrace providers to examine processes to which the user has
79 86 permissions.
80 87
81 88
82 89 PRIV_FILE_CHOWN
83 90
84 91 Allow a process to change a file's owner user ID. Allow a process
85 92 to change a file's group ID to one other than the process's
86 93 effective group ID or one of the process's supplemental group IDs.
87 94
88 95
89 96 PRIV_FILE_CHOWN_SELF
90 97
91 98 Allow a process to give away its files. A process with this
92 99 privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.
93 100
94 101
95 102 PRIV_FILE_DAC_EXECUTE
96 103
97 104 Allow a process to execute an executable file whose permission bits
98 105 or ACL would otherwise disallow the process execute permission.
99 106
100 107
101 108 PRIV_FILE_DAC_READ
102 109
103 110 Allow a process to read a file or directory whose permission bits
104 111 or ACL would otherwise disallow the process read permission.
105 112
106 113
107 114 PRIV_FILE_DAC_SEARCH
108 115
109 116 Allow a process to search a directory whose permission bits or ACL
110 117 would not otherwise allow the process search permission.
111 118
112 119
113 120 PRIV_FILE_DAC_WRITE
114 121
115 122 Allow a process to write a file or directory whose permission bits
116 123 or ACL do not allow the process write permission. All privileges
117 124 are required to write files owned by UID 0 in the absence of an
118 125 effective UID of 0.
119 126
120 127
121 128 PRIV_FILE_DOWNGRADE_SL
122 129
123 130 Allow a process to set the sensitivity label of a file or directory
124 131 to a sensitivity label that does not dominate the existing
125 132 sensitivity label.
126 133
127 134 This privilege is interpreted only if the system is configured with
128 135 Trusted Extensions.
129 136
130 137
131 138 PRIV_FILE_FLAG_SET
132 139
133 140 Allows a process to set immutable, nounlink or appendonly file
134 141 attributes.
135 142
136 143
137 144 PRIV_FILE_LINK_ANY
138 145
139 146 Allow a process to create hardlinks to files owned by a UID
140 147 different from the process's effective UID.
141 148
142 149
143 150 PRIV_FILE_OWNER
144 151
145 152 Allow a process that is not the owner of a file to modify that
146 153 file's access and modification times. Allow a process that is not
147 154 the owner of a directory to modify that directory's access and
148 155 modification times. Allow a process that is not the owner of a file
149 156 or directory to remove or rename a file or directory whose parent
150 157 directory has the "save text image after execution" (sticky) bit
151 158 set. Allow a process that is not the owner of a file to mount a
152 159 namefs upon that file. Allow a process that is not the owner of a
153 160 file or directory to modify that file's or directory's permission
154 161 bits or ACL.
155 162
156 163
157 164 PRIV_FILE_READ
158 165
159 166 Allow a process to open objects in the filesystem for reading. This
160 167 privilege is not necessary to read from an already open file which
161 168 was opened before dropping the PRIV_FILE_READ privilege.
162 169
163 170
164 171 PRIV_FILE_SETID
165 172
166 173 Allow a process to change the ownership of a file or write to a
167 174 file without the set-user-ID and set-group-ID bits being cleared.
168 175 Allow a process to set the set-group-ID bit on a file or directory
169 176 whose group is not the process's effective group or one of the
170 177 process's supplemental groups. Allow a process to set the set-user-
171 178 ID bit on a file with different ownership in the presence of
172 179 PRIV_FILE_OWNER. Additional restrictions apply when creating or
173 180 modifying a setuid 0 file.
174 181
175 182
176 183 PRIV_FILE_UPGRADE_SL
177 184
178 185 Allow a process to set the sensitivity label of a file or directory
179 186 to a sensitivity label that dominates the existing sensitivity
180 187 label.
181 188
182 189 This privilege is interpreted only if the system is configured with
183 190 Trusted Extensions.
184 191
185 192
186 193 PRIV_FILE_WRITE
187 194
188 195 Allow a process to open objects in the filesytem for writing, or
189 196 otherwise modify them. This privilege is not necessary to write to
190 197 an already open file which was opened before dropping the
191 198 PRIV_FILE_WRITE privilege.
192 199
193 200
194 201 PRIV_GRAPHICS_ACCESS
195 202
196 203 Allow a process to make privileged ioctls to graphics devices.
197 204 Typically only an xserver process needs to have this privilege. A
198 205 process with this privilege is also allowed to perform privileged
199 206 graphics device mappings.
200 207
201 208
202 209 PRIV_GRAPHICS_MAP
203 210
204 211 Allow a process to perform privileged mappings through a graphics
205 212 device.
206 213
207 214
208 215 PRIV_IPC_DAC_READ
209 216
210 217 Allow a process to read a System V IPC Message Queue, Semaphore
211 218 Set, or Shared Memory Segment whose permission bits would not
212 219 otherwise allow the process read permission.
213 220
214 221
215 222 PRIV_IPC_DAC_WRITE
216 223
217 224 Allow a process to write a System V IPC Message Queue, Semaphore
218 225 Set, or Shared Memory Segment whose permission bits would not
219 226 otherwise allow the process write permission.
220 227
221 228
222 229 PRIV_IPC_OWNER
223 230
224 231 Allow a process that is not the owner of a System V IPC Message
225 232 Queue, Semaphore Set, or Shared Memory Segment to remove, change
226 233 ownership of, or change permission bits of the Message Queue,
227 234 Semaphore Set, or Shared Memory Segment.
228 235
229 236
230 237 PRIV_NET_ACCESS
231 238
232 239 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint.
233 240 This privilege is not necessary to communicate using an existing
234 241 endpoint already opened before dropping the PRIV_NET_ACCESS
235 242 privilege.
236 243
237 244
238 245 PRIV_NET_BINDMLP
239 246
240 247 Allow a process to bind to a port that is configured as a multi-
241 248 level port (MLP) for the process's zone. This privilege applies to
242 249 both shared address and zone-specific address MLPs. See
243 250 tnzonecfg(4) from the Trusted Extensions manual pages for
244 251 information on configuring MLP ports.
245 252
246 253 This privilege is interpreted only if the system is configured with
247 254 Trusted Extensions.
248 255
249 256
250 257 PRIV_NET_ICMPACCESS
251 258
252 259 Allow a process to send and receive ICMP packets.
253 260
254 261
255 262 PRIV_NET_MAC_AWARE
256 263
257 264 Allow a process to set the NET_MAC_AWARE process flag by using
258 265 setpflags(2). This privilege also allows a process to set the
259 266 SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The
260 267 NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both
261 268 allow a local process to communicate with an unlabeled peer if the
262 269 local process's label dominates the peer's default label, or if the
263 270 local process runs in the global zone.
264 271
265 272 This privilege is interpreted only if the system is configured with
266 273 Trusted Extensions.
267 274
268 275
269 276 PRIV_NET_MAC_IMPLICIT
270 277
271 278 Allow a proces to set SO_MAC_IMPLICIT option by using
272 279 setsockopt(3SOCKET). This allows a privileged process to transmit
273 280 implicitly-labeled packets to a peer.
274 281
275 282 This privilege is interpreted only if the system is configured with
276 283 Trusted Extensions.
277 284
278 285
279 286 PRIV_NET_OBSERVABILITY
280 287
281 288 Allow a process to open a device for just receiving network
282 289 traffic, sending traffic is disallowed.
283 290
284 291
285 292 PRIV_NET_PRIVADDR
286 293
287 294 Allow a process to bind to a privileged port number. The privilege
288 295 port numbers are 1-1023 (the traditional UNIX privileged ports) as
289 296 well as those ports marked as "udp/tcp_extra_priv_ports" with the
290 297 exception of the ports reserved for use by NFS and SMB.
291 298
292 299
293 300 PRIV_NET_RAWACCESS
294 301
295 302 Allow a process to have direct access to the network layer.
296 303
297 304
298 305 PRIV_PROC_AUDIT
299 306
300 307 Allow a process to generate audit records. Allow a process to get
301 308 its own audit pre-selection information.
302 309
303 310
304 311 PRIV_PROC_CHROOT
305 312
306 313 Allow a process to change its root directory.
307 314
308 315
309 316 PRIV_PROC_CLOCK_HIGHRES
310 317
311 318 Allow a process to use high resolution timers.
312 319
313 320
314 321 PRIV_PROC_EXEC
315 322
316 323 Allow a process to call exec(2).
317 324
318 325
319 326 PRIV_PROC_FORK
320 327
321 328 Allow a process to call fork(2), fork1(2), or vfork(2).
322 329
323 330
324 331 PRIV_PROC_INFO
325 332
326 333 Allow a process to examine the status of processes other than those
327 334 to which it can send signals. Processes that cannot be examined
328 335 cannot be seen in /proc and appear not to exist.
329 336
330 337
331 338 PRIV_PROC_LOCK_MEMORY
332 339
333 340 Allow a process to lock pages in physical memory.
334 341
335 342
336 343 PRIV_PROC_MEMINFO
337 344
338 345 Allow a process to access physical memory information.
339 346
340 347
341 348 PRIV_PROC_OWNER
342 349
343 350 Allow a process to send signals to other processes and inspect and
344 351 modify the process state in other processes, regardless of
345 352 ownership. When modifying another process, additional restrictions
346 353 apply: the effective privilege set of the attaching process must be
347 354 a superset of the target process's effective, permitted, and
348 355 inheritable sets; the limit set must be a superset of the target's
349 356 limit set; if the target process has any UID set to 0 all privilege
350 357 must be asserted unless the effective UID is 0. Allow a process to
351 358 bind arbitrary processes to CPUs.
352 359
353 360
354 361 PRIV_PROC_PRIOUP
355 362
356 363 Allow a process to elevate its priority above its current level.
357 364
358 365
359 366 PRIV_PROC_PRIOCNTL
360 367
361 368 Allows all that PRIV_PROC_PRIOUP allows. Allow a process to change
362 369 its scheduling class to any scheduling class, including the RT
363 370 class.
364 371
365 372
366 373 PRIV_PROC_SESSION
367 374
368 375 Allow a process to send signals or trace processes outside its
369 376 session.
370 377
371 378
372 379 PRIV_PROC_SETID
373 380
374 381 Allow a process to set its UIDs at will, assuming UID 0 requires
375 382 all privileges to be asserted.
376 383
377 384
378 385 PRIV_PROC_TASKID
379 386
380 387 Allow a process to assign a new task ID to the calling process.
381 388
382 389
383 390 PRIV_PROC_ZONE
384 391
385 392 Allow a process to trace or send signals to processes in other
386 393 zones. See zones(5).
387 394
388 395
389 396 PRIV_SYS_ACCT
390 397
391 398 Allow a process to enable and disable and manage accounting through
392 399 acct(2).
393 400
394 401
395 402 PRIV_SYS_ADMIN
396 403
397 404 Allow a process to perform system administration tasks such as
398 405 setting node and domain name and specifying coreadm(1M) and
399 406 nscd(1M) settings
400 407
401 408
402 409 PRIV_SYS_AUDIT
403 410
404 411 Allow a process to start the (kernel) audit daemon. Allow a process
405 412 to view and set audit state (audit user ID, audit terminal ID,
406 413 audit sessions ID, audit pre-selection mask). Allow a process to
407 414 turn off and on auditing. Allow a process to configure the audit
408 415 parameters (cache and queue sizes, event to class mappings, and
409 416 policy options).
410 417
411 418
412 419 PRIV_SYS_CONFIG
413 420
414 421 Allow a process to perform various system configuration tasks.
415 422 Allow filesystem-specific administrative procedures, such as
416 423 filesystem configuration ioctls, quota calls, creation and deletion
417 424 of snapshots, and manipulating the PCFS bootsector.
418 425
419 426
420 427 PRIV_SYS_DEVICES
421 428
422 429 Allow a process to create device special files. Allow a process to
423 430 successfully call a kernel module that calls the kernel
424 431 drv_priv(9F) function to check for allowed access. Allow a process
425 432 to open the real console device directly. Allow a process to open
426 433 devices that have been exclusively opened.
427 434
428 435
429 436 PRIV_SYS_DL_CONFIG
430 437
431 438 Allow a process to configure a system's datalink interfaces.
432 439
433 440
434 441 PRIV_SYS_IP_CONFIG
435 442
436 443 Allow a process to configure a system's IP interfaces and routes.
437 444 Allow a process to configure network parameters for TCP/IP using
438 445 ndd. Allow a process access to otherwise restricted TCP/IP
439 446 information using ndd. Allow a process to configure IPsec. Allow a
440 447 process to pop anchored STREAMs modules with matching zoneid.
441 448
442 449
443 450 PRIV_SYS_IPC_CONFIG
444 451
445 452 Allow a process to increase the size of a System V IPC Message
446 453 Queue buffer.
447 454
448 455
449 456 PRIV_SYS_IPTUN_CONFIG
450 457
451 458 Allow a process to configure IP tunnel links.
452 459
453 460
454 461 PRIV_SYS_LINKDIR
455 462
456 463 Allow a process to unlink and link directories.
457 464
458 465
459 466 PRIV_SYS_MOUNT
460 467
461 468 Allow a process to mount and unmount filesystems that would
462 469 otherwise be restricted (that is, most filesystems except namefs).
463 470 Allow a process to add and remove swap devices.
464 471
465 472
466 473 PRIV_SYS_NET_CONFIG
467 474
468 475 Allow a process to do all that PRIV_SYS_IP_CONFIG,
469 476 PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
470 477 following: use the rpcmod STREAMS module and insert/remove STREAMS
471 478 modules on locations other than the top of the module stack.
472 479
473 480
474 481 PRIV_SYS_NFS
475 482
476 483 Allow a process to provide NFS service: start NFS kernel threads,
477 484 perform NFS locking operations, bind to NFS reserved ports: ports
478 485 2049 (nfs) and port 4045 (lockd).
479 486
480 487
481 488 PRIV_SYS_PPP_CONFIG
482 489
483 490 Allow a process to create, configure, and destroy PPP instances
484 491 with pppd(1M) pppd(1M) and control PPPoE plumbing with
485 492 sppptun(1M)sppptun(1M). This privilege is granted by default to
486 493 exclusive IP stack instance zones.
487 494
488 495
489 496 PRIV_SYS_RES_BIND
490 497
491 498 Allows a process to bind processes to processor sets.
492 499
493 500
494 501 PRIV_SYS_RES_CONFIG
495 502
496 503 Allows all that PRIV_SYS_RES_BIND allows. Allow a process to
497 504 create and delete processor sets, assign CPUs to processor sets and
498 505 override the PSET_NOESCAPE property. Allow a process to change the
499 506 operational status of CPUs in the system using p_online(2). Allow a
500 507 process to configure filesystem quotas. Allow a process to
501 508 configure resource pools and bind processes to pools.
502 509
503 510
504 511 PRIV_SYS_RESOURCE
505 512
506 513 Allow a process to exceed the resource limits imposed on it by
507 514 setrlimit(2) and setrctl(2).
508 515
509 516
510 517 PRIV_SYS_SMB
511 518
512 519 Allow a process to provide NetBIOS or SMB services: start SMB
513 520 kernel threads or bind to NetBIOS or SMB reserved ports: ports 137,
514 521 138, 139 (NetBIOS) and 445 (SMB).
515 522
516 523
517 524 PRIV_SYS_SUSER_COMPAT
518 525
519 526 Allow a process to successfully call a third party loadable module
520 527 that calls the kernel suser() function to check for allowed access.
521 528 This privilege exists only for third party loadable module
522 529 compatibility and is not used by Solaris proper.
523 530
524 531
525 532 PRIV_SYS_TIME
526 533
527 534 Allow a process to manipulate system time using any of the
528 535 appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).
529 536
530 537
531 538 PRIV_SYS_TRANS_LABEL
532 539
533 540 Allow a process to translate labels that are not dominated by the
534 541 process's sensitivity label to and from an external string form.
535 542
536 543 This privilege is interpreted only if the system is configured with
537 544 Trusted Extensions.
538 545
539 546
540 547 PRIV_VIRT_MANAGE
541 548
542 549 Allows a process to manage virtualized environments such as xVM(5).
543 550
544 551
545 552 PRIV_WIN_COLORMAP
546 553
547 554 Allow a process to override colormap restrictions.
548 555
549 556 Allow a process to install or remove colormaps.
550 557
551 558 Allow a process to retrieve colormap cell entries allocated by
552 559 other processes.
553 560
554 561 This privilege is interpreted only if the system is configured with
555 562 Trusted Extensions.
556 563
557 564
558 565 PRIV_WIN_CONFIG
559 566
560 567 Allow a process to configure or destroy resources that are
561 568 permanently retained by the X server.
562 569
563 570 Allow a process to use SetScreenSaver to set the screen saver
564 571 timeout value
565 572
566 573 Allow a process to use ChangeHosts to modify the display access
567 574 control list.
568 575
569 576 Allow a process to use GrabServer.
570 577
571 578 Allow a process to use the SetCloseDownMode request that can retain
572 579 window, pixmap, colormap, property, cursor, font, or graphic
573 580 context resources.
574 581
575 582 This privilege is interpreted only if the system is configured with
576 583 Trusted Extensions.
577 584
578 585
579 586 PRIV_WIN_DAC_READ
580 587
581 588 Allow a process to read from a window resource that it does not own
582 589 (has a different user ID).
583 590
584 591 This privilege is interpreted only if the system is configured with
585 592 Trusted Extensions.
586 593
587 594
588 595 PRIV_WIN_DAC_WRITE
589 596
590 597 Allow a process to write to or create a window resource that it
591 598 does not own (has a different user ID). A newly created window
592 599 property is created with the window's user ID.
593 600
594 601 This privilege is interpreted only if the system is configured with
595 602 Trusted Extensions.
596 603
597 604
598 605 PRIV_WIN_DEVICES
599 606
600 607 Allow a process to perform operations on window input devices.
601 608
602 609 Allow a process to get and set keyboard and pointer controls.
603 610
604 611 Allow a process to modify pointer button and key mappings.
605 612
606 613 This privilege is interpreted only if the system is configured with
607 614 Trusted Extensions.
608 615
609 616
610 617 PRIV_WIN_DGA
611 618
612 619 Allow a process to use the direct graphics access (DGA) X protocol
613 620 extensions. Direct process access to the frame buffer is still
614 621 required. Thus the process must have MAC and DAC privileges that
615 622 allow access to the frame buffer, or the frame buffer must be
616 623 allocated to the process.
617 624
618 625 This privilege is interpreted only if the system is configured with
619 626 Trusted Extensions.
620 627
621 628
622 629 PRIV_WIN_DOWNGRADE_SL
623 630
624 631 Allow a process to set the sensitivity label of a window resource
625 632 to a sensitivity label that does not dominate the existing
626 633 sensitivity label.
627 634
628 635 This privilege is interpreted only if the system is configured with
629 636 Trusted Extensions.
630 637
631 638
632 639 PRIV_WIN_FONTPATH
633 640
634 641 Allow a process to set a font path.
635 642
636 643 This privilege is interpreted only if the system is configured with
637 644 Trusted Extensions.
638 645
639 646
640 647 PRIV_WIN_MAC_READ
641 648
642 649 Allow a process to read from a window resource whose sensitivity
643 650 label is not equal to the process sensitivity label.
644 651
645 652 This privilege is interpreted only if the system is configured with
646 653 Trusted Extensions.
647 654
648 655
649 656 PRIV_WIN_MAC_WRITE
650 657
651 658 Allow a process to create a window resource whose sensitivity label
652 659 is not equal to the process sensitivity label. A newly created
653 660 window property is created with the window's sensitivity label.
654 661
655 662 This privilege is interpreted only if the system is configured with
656 663 Trusted Extensions.
657 664
658 665
659 666 PRIV_WIN_SELECTION
660 667
661 668 Allow a process to request inter-window data moves without the
662 669 intervention of the selection confirmer.
663 670
664 671 This privilege is interpreted only if the system is configured with
665 672 Trusted Extensions.
666 673
667 674
668 675 PRIV_WIN_UPGRADE_SL
669 676
670 677 Allow a process to set the sensitivity label of a window resource
671 678 to a sensitivity label that dominates the existing sensitivity
672 679 label.
673 680
674 681 This privilege is interpreted only if the system is configured with
675 682 Trusted Extensions.
676 683
677 684
678 685 PRIV_XVM_CONTROL
679 686
680 687 Allows a process access to the xVM(5) control devices for managing
681 688 guest domains and the hypervisor. This privilege is used only if
682 689 booted into xVM on x86 platforms.
683 690
684 691
685 692
686 693 Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
687 694 PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ,
688 695 PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered
689 696 "basic" privileges. These are privileges that used to be always
690 697 available to unprivileged processes. By default, processes still have
691 698 the basic privileges.
692 699
693 700
694 701 The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
695 702 the Limit set (see below) of a process in order for set-uid root execs
696 703 to be successful, that is, get an effective UID of 0 and additional
697 704 privileges.
698 705
699 706
700 707 The privilege implementation in Solaris extends the process credential
701 708 with four privilege sets:
702 709
703 710 I, the inheritable set
704 711 The privileges inherited on exec.
705 712
706 713
707 714 P, the permitted set
708 715 The maximum set of privileges for the
709 716 process.
710 717
711 718
712 719 E, the effective set
713 720 The privileges currently in effect.
714 721
715 722
716 723 L, the limit set
717 724 The upper bound of the privileges a process
718 725 and its offspring can obtain. Changes to L
719 726 take effect on the next exec.
720 727
721 728
722 729
723 730 The sets I, P and E are typically identical to the basic set of
724 731 privileges for unprivileged processes. The limit set is typically the
725 732 full set of privileges.
726 733
727 734
728 735 Each process has a Privilege Awareness State (PAS) that can take the
729 736 value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
730 737 mechanism that allows a choice between full compatibility with the old
731 738 superuser model and completely ignoring the effective UID.
732 739
733 740
734 741 To facilitate the discussion, we introduce the notion of "observed
735 742 effective set" (oE) and "observed permitted set" (oP) and the
736 743 implementation sets iE and iP.
737 744
738 745
739 746 A process becomes privilege-aware either by manipulating the effective,
740 747 permitted, or limit privilege sets through setppriv(2) or by using
741 748 setpflags(2). In all cases, oE and oP are invariant in the process of
742 749 becoming privilege-aware. In the process of becoming privilege-aware,
743 750 the following assignments take place:
744 751
745 752 iE = oE
746 753 iP = oP
747 754
748 755
749 756
750 757 When a process is privilege-aware, oE and oP are invariant under UID
751 758 changes. When a process is not privilege-aware, oE and oP are observed
752 759 as follows:
753 760
754 761 oE = euid == 0 ? L : iE
755 762 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
756 763
757 764
758 765
759 766 When a non-privilege-aware process has an effective UID of 0, it can
760 767 exercise the privileges contained in its limit set, the upper bound of
761 768 its privileges. If a non-privilege-aware process has any of the UIDs
762 769 0, it appears to be capable of potentially exercising all privileges in
763 770 L.
764 771
765 772
766 773 It is possible for a process to return to the non-privilege aware state
767 774 using setpflags(). The kernel always attempts this on exec(2). This
768 775 operation is permitted only if the following conditions are met:
769 776
770 777 o If any of the UIDs is equal to 0, P must be equal to L.
771 778
772 779 o If the effective UID is equal to 0, E must be equal to L.
773 780
774 781
775 782 When a process gives up privilege awareness, the following assignments
776 783 take place:
777 784
778 785 if (euid == 0) iE = L & I
779 786 if (any uid == 0) iP = L & I
780 787
781 788
782 789
783 790 The privileges obtained when not having a UID of 0 are the inheritable
784 791 set of the process restricted by the limit set.
785 792
786 793
787 794 Only privileges in the process's (observed) effective privilege set
788 795 allow the process to perform restricted operations. A process can use
789 796 any of the privilege manipulation functions to add or remove privileges
790 797 from the privilege sets. Privileges can be removed always. Only
791 798 privileges found in the permitted set can be added to the effective and
792 799 inheritable set. The limit set cannot grow. The inheritable set can be
793 800 larger than the permitted set.
794 801
795 802
796 803 When a process performs an exec(2), the kernel first tries to
797 804 relinquish privilege awareness before making the following privilege
798 805 set modifications:
799 806
800 807 E' = P' = I' = L & I
801 808 L is unchanged
802 809
803 810
804 811
805 812 If a process has not manipulated its privileges, the privilege sets
806 813 effectively remain the same, as E, P and I are already identical.
807 814
808 815
809 816 The limit set is enforced at exec time.
810 817
811 818
812 819 To run a non-privilege-aware application in a backward-compatible
813 820 manner, a privilege-aware application should start the non-privilege-
814 821 aware application with I=basic.
815 822
816 823
817 824 For most privileges, absence of the privilege simply results in a
818 825 failure. In some instances, the absense of a privilege can cause system
819 826 calls to behave differently. In other instances, the removal of a
820 827 privilege can force a set-uid application to seriously malfunction.
821 828 Privileges of this type are considered "unsafe". When a process is
822 829 lacking any of the unsafe privileges from its limit set, the system
823 830 does not honor the set-uid bit of set-uid root applications. The
824 831 following unsafe privileges have been identified: proc_setid,
825 832 sys_resource and proc_audit.
826 833
827 834 Privilege Escalation
828 835 In certain circumstances, a single privilege could lead to a process
829 836 gaining one or more additional privileges that were not explicitly
830 837 granted to that process. To prevent such an escalation of privileges,
831 838 the security policy requires explicit permission for those additional
832 839 privileges.
833 840
834 841
835 842 Common examples of escalation are those mechanisms that allow
836 843 modification of system resources through "raw'' interfaces; for
837 844 example, changing kernel data structures through /dev/kmem or changing
838 845 files through /dev/dsk/*. Escalation also occurs when a process
839 846 controls processes with more privileges than the controlling process. A
840 847 special case of this is manipulating or creating objects owned by UID 0
841 848 or trying to obtain UID 0 using setuid(2). The special treatment of UID
842 849 0 is needed because the UID 0 owns all system configuration files and
843 850 ordinary file protection mechanisms allow processes with UID 0 to
844 851 modify the system configuration. With appropriate file modifications, a
845 852 given process running with an effective UID of 0 can gain all
846 853 privileges.
847 854
848 855
849 856 In situations where a process might obtain UID 0, the security policy
850 857 requires additional privileges, up to the full set of privileges. Such
851 858 restrictions could be relaxed or removed at such time as additional
852 859 mechanisms for protection of system files became available. There are
853 860 no such mechanisms in the current Solaris release.
854 861
855 862
856 863 The use of UID 0 processes should be limited as much as possible. They
857 864 should be replaced with programs running under a different UID but with
858 865 exactly the privileges they need.
859 866
860 867
861 868 Daemons that never need to exec subprocesses should remove the
862 869 PRIV_PROC_EXEC privilege from their permitted and limit sets.
863 870
864 871 Assigned Privileges and Safeguards
865 872 When privileges are assigned to a user, the system administrator could
866 873 give that user more powers than intended. The administrator should
867 874 consider whether safeguards are needed. For example, if the
868 875 PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
869 876 should consider setting the project.max-locked-memory resource control
870 877 as well, to prevent that user from locking all memory.
871 878
872 879 Privilege Debugging
873 880 When a system call fails with a permission error, it is not always
874 881 immediately obvious what caused the problem. To debug such a problem,
875 882 you can use a tool called privilege debugging. When privilege debugging
876 883 is enabled for a process, the kernel reports missing privileges on the
877 884 controlling terminal of the process. (Enable debugging for a process
878 885 with the -D option of ppriv(1).) Additionally, the administrator can
879 886 enable system-wide privilege debugging by setting the system(4)
880 887 variable priv_debug using:
881 888
882 889 set priv_debug = 1
883 890
884 891
885 892
886 893 On a running system, you can use mdb(1) to change this variable.
887 894
888 895 Privilege Administration
889 896 The Solaris Management Console (see smc(1M)) is the preferred method of
890 897 modifying privileges for a command. Use usermod(1M) or smrole(1M) to
891 898 assign privileges to or modify privileges for, respectively, a user or
892 899 a role. Use ppriv(1) to enumerate the privileges supported on a system
893 900 and truss(1) to determine which privileges a program requires.
894 901
895 902 SEE ALSO
896 903 mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
897 904 pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2),
898 905 access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2),
899 906 chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2),
900 907 fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2),
901 908 kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2),
902 909 ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
903 910 processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
904 911 resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2),
905 912 seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2),
906 913 setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2),
907 914 setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
908 915 statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2),
909 916 umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET),
910 917 door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C),
911 918 priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C),
912 919 socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C),
913 920 exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
914 921 drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
915 922 priv_policy_choice(9F), priv_policy_only(9F)
916 923
917 924
918 925 System Administration Guide: Security Services
919 926
920 927
921 928
922 929 October 30, 2015 PRIVILEGES(5)