uts: add a concept of a 'default' set of privileges, separate from 'basic'
--- old/usr/src/man/man5/privileges.5
+++ new/usr/src/man/man5/privileges.5
1 1 '\" te
2 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 3 .\" Copyright 2015, Joyent, Inc. All Rights Reserved.
4 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
6 6 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 7 .TH PRIVILEGES 5 "Oct 30, 2015"
8 8 .SH NAME
9 9 privileges \- process privilege model
10 10 .SH DESCRIPTION
11 11 .LP
11 lines elided
12 12 Solaris software implements a set of privileges that provide fine-grained
13 13 control over the actions of processes. The possession of a certain privilege
14 14 allows a process to perform a specific set of restricted operations.
15 15 .sp
16 16 .LP
17 17 The change to a primarily privilege-based security model in the Solaris
18 18 operating system gives developers an opportunity to restrict processes to those
19 19 privileged operations actually needed instead of all (super-user) or no
20 20 privileges (non-zero UIDs). Additionally, a set of previously unrestricted
21 21 operations now requires a privilege; these privileges are dubbed the "basic"
22 -privileges and are by default given to all processes.
22 +privileges.
23 23 .sp
24 24 .LP
25 -Taken together, all defined privileges with the exception of the "basic"
25 +The "basic" privileges, and certain privileges representing concepts not
26 +traditionally present are, by default, given to all processes. These are the
27 +"default" set of privileges.
28 +.sp
29 +.LP
30 +Taken together, all defined privileges with the exception of the "default"
26 31 privileges compose the set of privileges that are traditionally associated with
27 32 the root user. The "basic" privileges are "privileges" unprivileged processes
28 -were accustomed to having.
33 +were accustomed to having, and the "default" privileges are the "basic"
34 +privileges plus additions that while unprivileged processes aren't accustomed to,
35 +they should now have.
29 36 .sp
30 37 .LP
31 38 The defined privileges are:
32 39 .sp
33 40 .ne 2
34 41 .na
35 42 \fB\fBPRIV_CONTRACT_EVENT\fR\fR
36 43 .ad
37 44 .sp .6
38 45 .RS 4n
39 46 Allow a process to request reliable delivery of events to an event endpoint.
40 47 .sp
41 48 Allow a process to include events in the critical event set term of a template
42 49 which could be generated in volume by the user.
43 50 .RE
44 51
45 52 .sp
46 53 .ne 2
47 54 .na
48 55 \fB\fBPRIV_CONTRACT_IDENTITY\fR\fR
49 56 .ad
50 57 .sp .6
51 58 .RS 4n
52 59 Allows a process to set the service FMRI value of a process contract template.
53 60 .RE
54 61
55 62 .sp
56 63 .ne 2
57 64 .na
58 65 \fB\fBPRIV_CONTRACT_OBSERVER\fR\fR
59 66 .ad
60 67 .sp .6
61 68 .RS 4n
62 69 Allow a process to observe contract events generated by contracts created and
63 70 owned by users other than the process's effective user ID.
64 71 .sp
65 72 Allow a process to open contract event endpoints belonging to contracts created
66 73 and owned by users other than the process's effective user ID.
67 74 .RE
68 75
69 76 .sp
70 77 .ne 2
71 78 .na
72 79 \fB\fBPRIV_CPC_CPU\fR\fR
73 80 .ad
74 81 .sp .6
75 82 .RS 4n
76 83 Allow a process to access per-CPU hardware performance counters.
77 84 .RE
78 85
79 86 .sp
80 87 .ne 2
81 88 .na
82 89 \fB\fBPRIV_DTRACE_KERNEL\fR\fR
83 90 .ad
84 91 .sp .6
85 92 .RS 4n
86 93 Allow DTrace kernel-level tracing.
87 94 .RE
88 95
89 96 .sp
90 97 .ne 2
91 98 .na
92 99 \fB\fBPRIV_DTRACE_PROC\fR\fR
93 100 .ad
94 101 .sp .6
95 102 .RS 4n
96 103 Allow DTrace process-level tracing. Allow process-level tracing probes to be
97 104 placed and enabled in processes to which the user has permissions.
98 105 .RE
99 106
100 107 .sp
101 108 .ne 2
102 109 .na
103 110 \fB\fBPRIV_DTRACE_USER\fR\fR
104 111 .ad
105 112 .sp .6
106 113 .RS 4n
107 114 Allow DTrace user-level tracing. Allow use of the syscall and profile DTrace
108 115 providers to examine processes to which the user has permissions.
109 116 .RE
110 117
111 118 .sp
112 119 .ne 2
113 120 .na
114 121 \fB\fBPRIV_FILE_CHOWN\fR\fR
115 122 .ad
116 123 .sp .6
117 124 .RS 4n
118 125 Allow a process to change a file's owner user ID. Allow a process to change a
119 126 file's group ID to one other than the process's effective group ID or one of
120 127 the process's supplemental group IDs.
121 128 .RE
122 129
123 130 .sp
124 131 .ne 2
125 132 .na
126 133 \fB\fBPRIV_FILE_CHOWN_SELF\fR\fR
127 134 .ad
128 135 .sp .6
129 136 .RS 4n
130 137 Allow a process to give away its files. A process with this privilege runs as
131 138 if {\fB_POSIX_CHOWN_RESTRICTED\fR} is not in effect.
132 139 .RE
133 140
134 141 .sp
135 142 .ne 2
136 143 .na
137 144 \fB\fBPRIV_FILE_DAC_EXECUTE\fR\fR
138 145 .ad
139 146 .sp .6
140 147 .RS 4n
141 148 Allow a process to execute an executable file whose permission bits or ACL
142 149 would otherwise disallow the process execute permission.
143 150 .RE
144 151
145 152 .sp
146 153 .ne 2
147 154 .na
148 155 \fB\fBPRIV_FILE_DAC_READ\fR\fR
149 156 .ad
150 157 .sp .6
151 158 .RS 4n
152 159 Allow a process to read a file or directory whose permission bits or ACL would
153 160 otherwise disallow the process read permission.
154 161 .RE
155 162
156 163 .sp
157 164 .ne 2
158 165 .na
159 166 \fB\fBPRIV_FILE_DAC_SEARCH\fR\fR
160 167 .ad
161 168 .sp .6
162 169 .RS 4n
163 170 Allow a process to search a directory whose permission bits or ACL would not
164 171 otherwise allow the process search permission.
165 172 .RE
166 173
167 174 .sp
168 175 .ne 2
169 176 .na
170 177 \fB\fBPRIV_FILE_DAC_WRITE\fR\fR
171 178 .ad
172 179 .sp .6
173 180 .RS 4n
174 181 Allow a process to write a file or directory whose permission bits or ACL do
175 182 not allow the process write permission. All privileges are required to write
176 183 files owned by UID 0 in the absence of an effective UID of 0.
177 184 .RE
178 185
179 186 .sp
180 187 .ne 2
181 188 .na
182 189 \fB\fBPRIV_FILE_DOWNGRADE_SL\fR\fR
183 190 .ad
184 191 .sp .6
185 192 .RS 4n
186 193 Allow a process to set the sensitivity label of a file or directory to a
187 194 sensitivity label that does not dominate the existing sensitivity label.
188 195 .sp
189 196 This privilege is interpreted only if the system is configured with Trusted
190 197 Extensions.
191 198 .RE
192 199
193 200 .sp
194 201 .ne 2
195 202 .na
196 203 \fB\fBPRIV_FILE_FLAG_SET\fR\fR
197 204 .ad
198 205 .sp .6
199 206 .RS 4n
200 207 Allows a process to set immutable, nounlink or appendonly file attributes.
201 208 .RE
202 209
203 210 .sp
204 211 .ne 2
205 212 .na
206 213 \fB\fBPRIV_FILE_LINK_ANY\fR\fR
207 214 .ad
208 215 .sp .6
209 216 .RS 4n
210 217 Allow a process to create hardlinks to files owned by a UID different from the
211 218 process's effective UID.
212 219 .RE
213 220
214 221 .sp
215 222 .ne 2
216 223 .na
217 224 \fB\fBPRIV_FILE_OWNER\fR\fR
218 225 .ad
219 226 .sp .6
220 227 .RS 4n
221 228 Allow a process that is not the owner of a file to modify that file's access
222 229 and modification times. Allow a process that is not the owner of a directory to
223 230 modify that directory's access and modification times. Allow a process that is
224 231 not the owner of a file or directory to remove or rename a file or directory
225 232 whose parent directory has the "save text image after execution" (sticky) bit
226 233 set. Allow a process that is not the owner of a file to mount a \fBnamefs\fR
227 234 upon that file. Allow a process that is not the owner of a file or directory to
228 235 modify that file's or directory's permission bits or ACL.
229 236 .RE
230 237
231 238 .sp
232 239 .ne 2
233 240 .na
234 241 \fB\fBPRIV_FILE_READ\fR\fR
235 242 .ad
236 243 .sp .6
237 244 .RS 4n
238 245 Allow a process to open objects in the filesystem for reading. This
239 246 privilege is not necessary to read from an already open file which was opened
240 247 before dropping the \fBPRIV_FILE_READ\fR privilege.
241 248 .RE
242 249
243 250 .sp
244 251 .ne 2
245 252 .na
246 253 \fB\fBPRIV_FILE_SETID\fR\fR
247 254 .ad
248 255 .sp .6
249 256 .RS 4n
250 257 Allow a process to change the ownership of a file or write to a file without
251 258 the set-user-ID and set-group-ID bits being cleared. Allow a process to set the
252 259 set-group-ID bit on a file or directory whose group is not the process's
253 260 effective group or one of the process's supplemental groups. Allow a process to
254 261 set the set-user-ID bit on a file with different ownership in the presence of
255 262 \fBPRIV_FILE_OWNER\fR. Additional restrictions apply when creating or modifying
256 263 a setuid 0 file.
257 264 .RE
258 265
259 266 .sp
260 267 .ne 2
261 268 .na
262 269 \fB\fBPRIV_FILE_UPGRADE_SL\fR\fR
263 270 .ad
264 271 .sp .6
265 272 .RS 4n
266 273 Allow a process to set the sensitivity label of a file or directory to a
267 274 sensitivity label that dominates the existing sensitivity label.
268 275 .sp
269 276 This privilege is interpreted only if the system is configured with Trusted
270 277 Extensions.
271 278 .RE
272 279
273 280 .sp
274 281 .ne 2
275 282 .na
276 283 \fB\fBPRIV_FILE_WRITE\fR\fR
277 284 .ad
278 285 .sp .6
279 286 .RS 4n
280 287 Allow a process to open objects in the filesytem for writing, or otherwise
281 288 modify them. This privilege is not necessary to write to an already open file
282 289 which was opened before dropping the \fBPRIV_FILE_WRITE\fR privilege.
283 290 .RE
284 291
285 292 .sp
286 293 .ne 2
287 294 .na
288 295 \fB\fBPRIV_GRAPHICS_ACCESS\fR\fR
289 296 .ad
290 297 .sp .6
291 298 .RS 4n
292 299 Allow a process to make privileged ioctls to graphics devices. Typically only
293 300 an xserver process needs to have this privilege. A process with this privilege
294 301 is also allowed to perform privileged graphics device mappings.
295 302 .RE
296 303
297 304 .sp
298 305 .ne 2
299 306 .na
300 307 \fB\fBPRIV_GRAPHICS_MAP\fR\fR
301 308 .ad
302 309 .sp .6
303 310 .RS 4n
304 311 Allow a process to perform privileged mappings through a graphics device.
305 312 .RE
306 313
307 314 .sp
308 315 .ne 2
309 316 .na
310 317 \fB\fBPRIV_IPC_DAC_READ\fR\fR
311 318 .ad
312 319 .sp .6
313 320 .RS 4n
314 321 Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared
315 322 Memory Segment whose permission bits would not otherwise allow the process read
316 323 permission.
317 324 .RE
318 325
319 326 .sp
320 327 .ne 2
321 328 .na
322 329 \fB\fBPRIV_IPC_DAC_WRITE\fR\fR
323 330 .ad
324 331 .sp .6
325 332 .RS 4n
326 333 Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared
327 334 Memory Segment whose permission bits would not otherwise allow the process
328 335 write permission.
329 336 .RE
330 337
331 338 .sp
332 339 .ne 2
333 340 .na
334 341 \fB\fBPRIV_IPC_OWNER\fR\fR
335 342 .ad
336 343 .sp .6
337 344 .RS 4n
338 345 Allow a process that is not the owner of a System V IPC Message Queue,
339 346 Semaphore Set, or Shared Memory Segment to remove, change ownership of, or
340 347 change permission bits of the Message Queue, Semaphore Set, or Shared Memory
341 348 Segment.
342 349 .RE
343 350
344 351 .sp
345 352 .ne 2
346 353 .na
347 354 \fB\fBPRIV_NET_ACCESS\fR\fR
348 355 .ad
349 356 .sp .6
350 357 .RS 4n
351 358 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint. This
352 359 privilege is not necessary to communicate using an existing endpoint already
353 360 opened before dropping the \fBPRIV_NET_ACCESS\fR privilege.
354 361 .RE
355 362
356 363 .sp
357 364 .ne 2
358 365 .na
359 366 \fB\fBPRIV_NET_BINDMLP\fR\fR
360 367 .ad
361 368 .sp .6
362 369 .RS 4n
363 370 Allow a process to bind to a port that is configured as a multi-level port
364 371 (MLP) for the process's zone. This privilege applies to both shared address and
365 372 zone-specific address MLPs. See \fBtnzonecfg\fR(\fB4\fR) from the Trusted
366 373 Extensions manual pages for information on configuring MLP ports.
367 374 .sp
368 375 This privilege is interpreted only if the system is configured with Trusted
369 376 Extensions.
370 377 .RE
371 378
372 379 .sp
373 380 .ne 2
374 381 .na
375 382 \fB\fBPRIV_NET_ICMPACCESS\fR\fR
376 383 .ad
377 384 .sp .6
378 385 .RS 4n
379 386 Allow a process to send and receive ICMP packets.
380 387 .RE
381 388
382 389 .sp
383 390 .ne 2
384 391 .na
385 392 \fB\fBPRIV_NET_MAC_AWARE\fR\fR
386 393 .ad
387 394 .sp .6
388 395 .RS 4n
389 396 Allow a process to set the \fBNET_MAC_AWARE\fR process flag by using
390 397 \fBsetpflags\fR(2). This privilege also allows a process to set the
391 398 \fBSO_MAC_EXEMPT\fR socket option by using \fBsetsockopt\fR(3SOCKET). The
392 399 \fBNET_MAC_AWARE\fR process flag and the \fBSO_MAC_EXEMPT\fR socket option both
393 400 allow a local process to communicate with an unlabeled peer if the local
394 401 process's label dominates the peer's default label, or if the local process
395 402 runs in the global zone.
396 403 .sp
397 404 This privilege is interpreted only if the system is configured with Trusted
398 405 Extensions.
399 406 .RE
400 407
401 408 .sp
402 409 .ne 2
403 410 .na
404 411 \fB\fBPRIV_NET_MAC_IMPLICIT\fR\fR
405 412 .ad
406 413 .sp .6
407 414 .RS 4n
408 415 Allow a proces to set \fBSO_MAC_IMPLICIT\fR option by using
409 416 \fBsetsockopt\fR(3SOCKET). This allows a privileged process to transmit
410 417 implicitly-labeled packets to a peer.
411 418 .sp
412 419 This privilege is interpreted only if the system is configured with
413 420 Trusted Extensions.
414 421 .RE
415 422
416 423 .sp
417 424 .ne 2
418 425 .na
419 426 \fB\fBPRIV_NET_OBSERVABILITY\fR\fR
420 427 .ad
421 428 .sp .6
422 429 .RS 4n
423 430 Allow a process to open a device for just receiving network traffic, sending
424 431 traffic is disallowed.
425 432 .RE
426 433
427 434 .sp
428 435 .ne 2
429 436 .na
430 437 \fB\fBPRIV_NET_PRIVADDR\fR\fR
431 438 .ad
432 439 .sp .6
433 440 .RS 4n
434 441 Allow a process to bind to a privileged port number. The privilege port numbers
435 442 are 1-1023 (the traditional UNIX privileged ports) as well as those ports
436 443 marked as "\fBudp/tcp_extra_priv_ports\fR" with the exception of the ports
437 444 reserved for use by NFS and SMB.
438 445 .RE
439 446
440 447 .sp
441 448 .ne 2
442 449 .na
443 450 \fB\fBPRIV_NET_RAWACCESS\fR\fR
444 451 .ad
445 452 .sp .6
446 453 .RS 4n
447 454 Allow a process to have direct access to the network layer.
448 455 .RE
449 456
450 457 .sp
451 458 .ne 2
452 459 .na
453 460 \fB\fBPRIV_PROC_AUDIT\fR\fR
454 461 .ad
455 462 .sp .6
456 463 .RS 4n
457 464 Allow a process to generate audit records. Allow a process to get its own audit
458 465 pre-selection information.
459 466 .RE
460 467
461 468 .sp
462 469 .ne 2
463 470 .na
464 471 \fB\fBPRIV_PROC_CHROOT\fR\fR
465 472 .ad
466 473 .sp .6
467 474 .RS 4n
468 475 Allow a process to change its root directory.
469 476 .RE
470 477
471 478 .sp
472 479 .ne 2
473 480 .na
474 481 \fB\fBPRIV_PROC_CLOCK_HIGHRES\fR\fR
475 482 .ad
476 483 .sp .6
477 484 .RS 4n
478 485 Allow a process to use high resolution timers.
479 486 .RE
480 487
481 488 .sp
482 489 .ne 2
483 490 .na
484 491 \fB\fBPRIV_PROC_EXEC\fR\fR
485 492 .ad
486 493 .sp .6
487 494 .RS 4n
488 495 Allow a process to call \fBexec\fR(2).
489 496 .RE
490 497
491 498 .sp
492 499 .ne 2
493 500 .na
494 501 \fB\fBPRIV_PROC_FORK\fR\fR
495 502 .ad
496 503 .sp .6
497 504 .RS 4n
498 505 Allow a process to call \fBfork\fR(2), \fBfork1\fR(2), or \fBvfork\fR(2).
499 506 .RE
500 507
501 508 .sp
502 509 .ne 2
503 510 .na
504 511 \fB\fBPRIV_PROC_INFO\fR\fR
505 512 .ad
506 513 .sp .6
507 514 .RS 4n
508 515 Allow a process to examine the status of processes other than those to which it
509 516 can send signals. Processes that cannot be examined cannot be seen in
510 517 \fB/proc\fR and appear not to exist.
511 518 .RE
512 519
513 520 .sp
514 521 .ne 2
515 522 .na
516 523 \fB\fBPRIV_PROC_LOCK_MEMORY\fR\fR
517 524 .ad
518 525 .sp .6
519 526 .RS 4n
520 527 Allow a process to lock pages in physical memory.
521 528 .RE
522 529
523 530 .sp
524 531 .ne 2
525 532 .na
526 533 \fB\fBPRIV_PROC_MEMINFO\fR\fR
527 534 .ad
528 535 .sp .6
529 536 .RS 4n
530 537 Allow a process to access physical memory information.
531 538 .RE
532 539
533 540 .sp
534 541 .ne 2
535 542 .na
536 543 \fB\fBPRIV_PROC_OWNER\fR\fR
537 544 .ad
538 545 .sp .6
539 546 .RS 4n
540 547 Allow a process to send signals to other processes and inspect and modify the
541 548 process state in other processes, regardless of ownership. When modifying
542 549 another process, additional restrictions apply: the effective privilege set of
543 550 the attaching process must be a superset of the target process's effective,
544 551 permitted, and inheritable sets; the limit set must be a superset of the
545 552 target's limit set; if the target process has any UID set to 0 all privilege
546 553 must be asserted unless the effective UID is 0. Allow a process to bind
547 554 arbitrary processes to CPUs.
548 555 .RE
549 556
550 557 .sp
551 558 .ne 2
552 559 .na
553 560 \fB\fBPRIV_PROC_PRIOUP\fR\fR
554 561 .ad
555 562 .sp .6
556 563 .RS 4n
557 564 Allow a process to elevate its priority above its current level.
558 565 .RE
559 566
560 567 .sp
561 568 .ne 2
562 569 .na
563 570 \fB\fBPRIV_PROC_PRIOCNTL\fR\fR
564 571 .ad
565 572 .sp .6
566 573 .RS 4n
567 574 Allows all that PRIV_PROC_PRIOUP allows.
568 575 Allow a process to change its scheduling class to any scheduling class,
569 576 including the RT class.
570 577 .RE
571 578
572 579 .sp
573 580 .ne 2
574 581 .na
575 582 \fB\fBPRIV_PROC_SESSION\fR\fR
576 583 .ad
577 584 .sp .6
578 585 .RS 4n
579 586 Allow a process to send signals or trace processes outside its session.
580 587 .RE
581 588
582 589 .sp
583 590 .ne 2
584 591 .na
585 592 \fB\fBPRIV_PROC_SETID\fR\fR
586 593 .ad
587 594 .sp .6
588 595 .RS 4n
589 596 Allow a process to set its UIDs at will, assuming UID 0 requires all privileges
590 597 to be asserted.
591 598 .RE
592 599
593 600 .sp
594 601 .ne 2
595 602 .na
596 603 \fB\fBPRIV_PROC_TASKID\fR\fR
597 604 .ad
598 605 .sp .6
599 606 .RS 4n
600 607 Allow a process to assign a new task ID to the calling process.
601 608 .RE
602 609
603 610 .sp
604 611 .ne 2
605 612 .na
606 613 \fB\fBPRIV_PROC_ZONE\fR\fR
607 614 .ad
608 615 .sp .6
609 616 .RS 4n
610 617 Allow a process to trace or send signals to processes in other zones. See
611 618 \fBzones\fR(5).
612 619 .RE
613 620
614 621 .sp
615 622 .ne 2
616 623 .na
617 624 \fB\fBPRIV_SYS_ACCT\fR\fR
618 625 .ad
619 626 .sp .6
620 627 .RS 4n
621 628 Allow a process to enable and disable and manage accounting through
622 629 \fBacct\fR(2).
623 630 .RE
624 631
625 632 .sp
626 633 .ne 2
627 634 .na
628 635 \fB\fBPRIV_SYS_ADMIN\fR\fR
629 636 .ad
630 637 .sp .6
631 638 .RS 4n
632 639 Allow a process to perform system administration tasks such as setting node and
633 640 domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings
634 641 .RE
635 642
636 643 .sp
637 644 .ne 2
638 645 .na
639 646 \fB\fBPRIV_SYS_AUDIT\fR\fR
640 647 .ad
641 648 .sp .6
642 649 .RS 4n
643 650 Allow a process to start the (kernel) audit daemon. Allow a process to view and
644 651 set audit state (audit user ID, audit terminal ID, audit sessions ID, audit
645 652 pre-selection mask). Allow a process to turn off and on auditing. Allow a
646 653 process to configure the audit parameters (cache and queue sizes, event to
647 654 class mappings, and policy options).
648 655 .RE
649 656
650 657 .sp
651 658 .ne 2
652 659 .na
653 660 \fB\fBPRIV_SYS_CONFIG\fR\fR
654 661 .ad
655 662 .sp .6
656 663 .RS 4n
657 664 Allow a process to perform various system configuration tasks. Allow
658 665 filesystem-specific administrative procedures, such as filesystem configuration
659 666 ioctls, quota calls, creation and deletion of snapshots, and manipulating the
660 667 PCFS bootsector.
661 668 .RE
662 669
663 670 .sp
664 671 .ne 2
665 672 .na
666 673 \fB\fBPRIV_SYS_DEVICES\fR\fR
667 674 .ad
668 675 .sp .6
669 676 .RS 4n
670 677 Allow a process to create device special files. Allow a process to successfully
671 678 call a kernel module that calls the kernel \fBdrv_priv\fR(9F) function to check
672 679 for allowed access. Allow a process to open the real console device directly.
673 680 Allow a process to open devices that have been exclusively opened.
674 681 .RE
675 682
676 683 .sp
677 684 .ne 2
678 685 .na
679 686 \fB\fBPRIV_SYS_DL_CONFIG\fR\fR
680 687 .ad
681 688 .sp .6
682 689 .RS 4n
683 690 Allow a process to configure a system's datalink interfaces.
684 691 .RE
685 692
686 693 .sp
687 694 .ne 2
688 695 .na
689 696 \fB\fBPRIV_SYS_IP_CONFIG\fR\fR
690 697 .ad
691 698 .sp .6
692 699 .RS 4n
693 700 Allow a process to configure a system's IP interfaces and routes. Allow a
694 701 process to configure network parameters for \fBTCP/IP\fR using \fBndd\fR. Allow
695 702 a process access to otherwise restricted \fBTCP/IP\fR information using
696 703 \fBndd\fR. Allow a process to configure \fBIPsec\fR. Allow a process to pop
697 704 anchored \fBSTREAM\fRs modules with matching \fBzoneid\fR.
698 705 .RE
699 706
700 707 .sp
701 708 .ne 2
702 709 .na
703 710 \fB\fBPRIV_SYS_IPC_CONFIG\fR\fR
704 711 .ad
705 712 .sp .6
706 713 .RS 4n
707 714 Allow a process to increase the size of a System V IPC Message Queue buffer.
708 715 .RE
709 716
710 717 .sp
711 718 .ne 2
712 719 .na
713 720 \fB\fBPRIV_SYS_IPTUN_CONFIG\fR\fR
714 721 .ad
715 722 .sp .6
716 723 .RS 4n
717 724 Allow a process to configure IP tunnel links.
718 725 .RE
719 726
720 727 .sp
721 728 .ne 2
722 729 .na
723 730 \fB\fBPRIV_SYS_LINKDIR\fR\fR
724 731 .ad
725 732 .sp .6
726 733 .RS 4n
727 734 Allow a process to unlink and link directories.
728 735 .RE
729 736
730 737 .sp
731 738 .ne 2
732 739 .na
733 740 \fB\fBPRIV_SYS_MOUNT\fR\fR
734 741 .ad
735 742 .sp .6
736 743 .RS 4n
737 744 Allow a process to mount and unmount filesystems that would otherwise be
738 745 restricted (that is, most filesystems except \fBnamefs\fR). Allow a process to
739 746 add and remove swap devices.
740 747 .RE
741 748
742 749 .sp
743 750 .ne 2
744 751 .na
745 752 \fB\fBPRIV_SYS_NET_CONFIG\fR\fR
746 753 .ad
747 754 .sp .6
748 755 .RS 4n
749 756 Allow a process to do all that \fBPRIV_SYS_IP_CONFIG\fR,
750 757 \fBPRIV_SYS_DL_CONFIG\fR, and \fBPRIV_SYS_PPP_CONFIG\fR allow, plus the
751 758 following: use the \fBrpcmod\fR STREAMS module and insert/remove STREAMS
752 759 modules on locations other than the top of the module stack.
753 760 .RE
754 761
755 762 .sp
756 763 .ne 2
757 764 .na
758 765 \fB\fBPRIV_SYS_NFS\fR\fR
759 766 .ad
760 767 .sp .6
761 768 .RS 4n
762 769 Allow a process to provide NFS service: start NFS kernel threads, perform NFS
763 770 locking operations, bind to NFS reserved ports: ports 2049 (\fBnfs\fR) and port
764 771 4045 (\fBlockd\fR).
765 772 .RE
766 773
767 774 .sp
768 775 .ne 2
769 776 .na
770 777 \fB\fBPRIV_SYS_PPP_CONFIG\fR\fR
771 778 .ad
772 779 .sp .6
773 780 .RS 4n
774 781 Allow a process to create, configure, and destroy PPP instances with pppd(1M)
775 782 \fBpppd\fR(1M) and control PPPoE plumbing with \fBsppptun\fR(1M)sppptun(1M).
776 783 This privilege is granted by default to exclusive IP stack instance zones.
777 784 .RE
778 785
779 786 .sp
780 787 .ne 2
781 788 .na
782 789 \fB\fBPRIV_SYS_RES_BIND\fR\fR
783 790 .ad
784 791 .sp .6
785 792 .RS 4n
786 793 Allows a process to bind processes to processor sets.
787 794 .RE
788 795
789 796 .sp
790 797 .ne 2
791 798 .na
792 799 \fB\fBPRIV_SYS_RES_CONFIG\fR\fR
793 800 .ad
794 801 .sp .6
795 802 .RS 4n
796 803 Allows all that PRIV_SYS_RES_BIND allows.
797 804 Allow a process to create and delete processor sets, assign CPUs to processor
798 805 sets and override the \fBPSET_NOESCAPE\fR property. Allow a process to change
799 806 the operational status of CPUs in the system using \fBp_online\fR(2). Allow a
800 807 process to configure filesystem quotas. Allow a process to configure resource
801 808 pools and bind processes to pools.
802 809 .RE
803 810
804 811 .sp
805 812 .ne 2
806 813 .na
807 814 \fB\fBPRIV_SYS_RESOURCE\fR\fR
808 815 .ad
809 816 .sp .6
810 817 .RS 4n
811 818 Allow a process to exceed the resource limits imposed on it by
812 819 \fBsetrlimit\fR(2) and \fBsetrctl\fR(2).
813 820 .RE
814 821
815 822 .sp
816 823 .ne 2
817 824 .na
818 825 \fB\fBPRIV_SYS_SMB\fR\fR
819 826 .ad
820 827 .sp .6
821 828 .RS 4n
822 829 Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
823 830 bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
824 831 (SMB).
825 832 .RE
826 833
827 834 .sp
828 835 .ne 2
829 836 .na
830 837 \fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR
831 838 .ad
832 839 .sp .6
833 840 .RS 4n
834 841 Allow a process to successfully call a third party loadable module that calls
835 842 the kernel \fBsuser()\fR function to check for allowed access. This privilege
836 843 exists only for third party loadable module compatibility and is not used by
837 844 Solaris proper.
838 845 .RE
839 846
840 847 .sp
841 848 .ne 2
842 849 .na
843 850 \fB\fBPRIV_SYS_TIME\fR\fR
844 851 .ad
845 852 .sp .6
846 853 .RS 4n
847 854 Allow a process to manipulate system time using any of the appropriate system
848 855 calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2).
849 856 .RE
850 857
851 858 .sp
852 859 .ne 2
853 860 .na
854 861 \fB\fBPRIV_SYS_TRANS_LABEL\fR\fR
855 862 .ad
856 863 .sp .6
857 864 .RS 4n
858 865 Allow a process to translate labels that are not dominated by the process's
859 866 sensitivity label to and from an external string form.
860 867 .sp
861 868 This privilege is interpreted only if the system is configured with Trusted
862 869 Extensions.
863 870 .RE
864 871
865 872 .sp
866 873 .ne 2
867 874 .na
868 875 \fB\fBPRIV_VIRT_MANAGE\fR\fR
869 876 .ad
870 877 .sp .6
871 878 .RS 4n
872 879 Allows a process to manage virtualized environments such as \fBxVM\fR(5).
873 880 .RE
874 881
875 882 .sp
876 883 .ne 2
877 884 .na
878 885 \fB\fBPRIV_WIN_COLORMAP\fR\fR
879 886 .ad
880 887 .sp .6
881 888 .RS 4n
882 889 Allow a process to override colormap restrictions.
883 890 .sp
884 891 Allow a process to install or remove colormaps.
885 892 .sp
886 893 Allow a process to retrieve colormap cell entries allocated by other processes.
887 894 .sp
888 895 This privilege is interpreted only if the system is configured with Trusted
889 896 Extensions.
890 897 .RE
891 898
892 899 .sp
893 900 .ne 2
894 901 .na
895 902 \fB\fBPRIV_WIN_CONFIG\fR\fR
896 903 .ad
897 904 .sp .6
898 905 .RS 4n
899 906 Allow a process to configure or destroy resources that are permanently retained
900 907 by the X server.
901 908 .sp
902 909 Allow a process to use SetScreenSaver to set the screen saver timeout value
903 910 .sp
904 911 Allow a process to use ChangeHosts to modify the display access control list.
905 912 .sp
906 913 Allow a process to use GrabServer.
907 914 .sp
908 915 Allow a process to use the SetCloseDownMode request that can retain window,
909 916 pixmap, colormap, property, cursor, font, or graphic context resources.
910 917 .sp
911 918 This privilege is interpreted only if the system is configured with Trusted
912 919 Extensions.
913 920 .RE
914 921
915 922 .sp
916 923 .ne 2
917 924 .na
918 925 \fB\fBPRIV_WIN_DAC_READ\fR\fR
919 926 .ad
920 927 .sp .6
921 928 .RS 4n
922 929 Allow a process to read from a window resource that it does not own (has a
923 930 different user ID).
924 931 .sp
925 932 This privilege is interpreted only if the system is configured with Trusted
926 933 Extensions.
927 934 .RE
928 935
929 936 .sp
930 937 .ne 2
931 938 .na
932 939 \fB\fBPRIV_WIN_DAC_WRITE\fR\fR
933 940 .ad
934 941 .sp .6
935 942 .RS 4n
936 943 Allow a process to write to or create a window resource that it does not own
937 944 (has a different user ID). A newly created window property is created with the
938 945 window's user ID.
939 946 .sp
940 947 This privilege is interpreted only if the system is configured with Trusted
941 948 Extensions.
942 949 .RE
943 950
944 951 .sp
945 952 .ne 2
946 953 .na
947 954 \fB\fBPRIV_WIN_DEVICES\fR\fR
948 955 .ad
949 956 .sp .6
950 957 .RS 4n
951 958 Allow a process to perform operations on window input devices.
952 959 .sp
953 960 Allow a process to get and set keyboard and pointer controls.
954 961 .sp
955 962 Allow a process to modify pointer button and key mappings.
956 963 .sp
957 964 This privilege is interpreted only if the system is configured with Trusted
958 965 Extensions.
959 966 .RE
960 967
961 968 .sp
962 969 .ne 2
963 970 .na
964 971 \fB\fBPRIV_WIN_DGA\fR\fR
965 972 .ad
966 973 .sp .6
967 974 .RS 4n
968 975 Allow a process to use the direct graphics access (DGA) X protocol extensions.
969 976 Direct process access to the frame buffer is still required. Thus the process
970 977 must have MAC and DAC privileges that allow access to the frame buffer, or the
971 978 frame buffer must be allocated to the process.
972 979 .sp
973 980 This privilege is interpreted only if the system is configured with Trusted
974 981 Extensions.
975 982 .RE
976 983
977 984 .sp
978 985 .ne 2
979 986 .na
980 987 \fB\fBPRIV_WIN_DOWNGRADE_SL\fR\fR
981 988 .ad
982 989 .sp .6
983 990 .RS 4n
984 991 Allow a process to set the sensitivity label of a window resource to a
985 992 sensitivity label that does not dominate the existing sensitivity label.
986 993 .sp
987 994 This privilege is interpreted only if the system is configured with Trusted
988 995 Extensions.
989 996 .RE
990 997
991 998 .sp
992 999 .ne 2
993 1000 .na
994 1001 \fB\fBPRIV_WIN_FONTPATH\fR\fR
995 1002 .ad
996 1003 .sp .6
997 1004 .RS 4n
998 1005 Allow a process to set a font path.
999 1006 .sp
1000 1007 This privilege is interpreted only if the system is configured with Trusted
1001 1008 Extensions.
1002 1009 .RE
1003 1010
1004 1011 .sp
1005 1012 .ne 2
1006 1013 .na
1007 1014 \fB\fBPRIV_WIN_MAC_READ\fR\fR
1008 1015 .ad
1009 1016 .sp .6
1010 1017 .RS 4n
1011 1018 Allow a process to read from a window resource whose sensitivity label is not
1012 1019 equal to the process sensitivity label.
1013 1020 .sp
1014 1021 This privilege is interpreted only if the system is configured with Trusted
1015 1022 Extensions.
1016 1023 .RE
1017 1024
1018 1025 .sp
1019 1026 .ne 2
1020 1027 .na
1021 1028 \fB\fBPRIV_WIN_MAC_WRITE\fR\fR
1022 1029 .ad
1023 1030 .sp .6
1024 1031 .RS 4n
1025 1032 Allow a process to create a window resource whose sensitivity label is not
1026 1033 equal to the process sensitivity label. A newly created window property is
1027 1034 created with the window's sensitivity label.
1028 1035 .sp
1029 1036 This privilege is interpreted only if the system is configured with Trusted
1030 1037 Extensions.
1031 1038 .RE
1032 1039
1033 1040 .sp
1034 1041 .ne 2
1035 1042 .na
1036 1043 \fB\fBPRIV_WIN_SELECTION\fR\fR
1037 1044 .ad
1038 1045 .sp .6
1039 1046 .RS 4n
1040 1047 Allow a process to request inter-window data moves without the intervention of
1041 1048 the selection confirmer.
1042 1049 .sp
1043 1050 This privilege is interpreted only if the system is configured with Trusted
1044 1051 Extensions.
1045 1052 .RE
1046 1053
1047 1054 .sp
1048 1055 .ne 2
1049 1056 .na
1050 1057 \fB\fBPRIV_WIN_UPGRADE_SL\fR\fR
1051 1058 .ad
1052 1059 .sp .6
1053 1060 .RS 4n
1054 1061 Allow a process to set the sensitivity label of a window resource to a
1055 1062 sensitivity label that dominates the existing sensitivity label.
1056 1063 .sp
1057 1064 This privilege is interpreted only if the system is configured with Trusted
1058 1065 Extensions.
1059 1066 .RE
1060 1067
1061 1068 .sp
1062 1069 .ne 2
1063 1070 .na
1064 1071 \fB\fBPRIV_XVM_CONTROL\fR\fR
1065 1072 .ad
1066 1073 .sp .6
1067 1074 .RS 4n
1068 1075 Allows a process access to the \fBxVM\fR(5) control devices for managing guest
1069 1076 domains and the hypervisor. This privilege is used only if booted into xVM on
1070 1077 x86 platforms.
1071 1078 .RE
1072 1079
1073 1080 .sp
1074 1081 .LP
1075 1082 Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR,
1076 1083 \fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR,
1077 1084 \fBPRIV_FILE_READ\fR, \fBPRIV_FILE_WRITE\fR, \fBPRIV_NET_ACCESS\fR and
1078 1085 \fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges
1079 1086 that used to be always available to unprivileged processes. By default,
1080 1087 processes still have the basic privileges.
1081 1088 .sp
1082 1089 .LP
1083 1090 The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
1084 1091 in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
1085 1092 to be successful, that is, get an effective UID of 0 and additional privileges.
1086 1093 .sp
1087 1094 .LP
1088 1095 The privilege implementation in Solaris extends the process credential with
1089 1096 four privilege sets:
1090 1097 .sp
1091 1098 .ne 2
1092 1099 .na
1093 1100 \fBI, the inheritable set\fR
1094 1101 .ad
1095 1102 .RS 26n
1096 1103 The privileges inherited on \fBexec\fR.
1097 1104 .RE
1098 1105
1099 1106 .sp
1100 1107 .ne 2
1101 1108 .na
1102 1109 \fBP, the permitted set\fR
1103 1110 .ad
1104 1111 .RS 26n
1105 1112 The maximum set of privileges for the process.
1106 1113 .RE
1107 1114
1108 1115 .sp
1109 1116 .ne 2
1110 1117 .na
1111 1118 \fBE, the effective set\fR
1112 1119 .ad
1113 1120 .RS 26n
1114 1121 The privileges currently in effect.
1115 1122 .RE
1116 1123
1117 1124 .sp
1118 1125 .ne 2
1119 1126 .na
1120 1127 \fBL, the limit set\fR
1121 1128 .ad
1122 1129 .RS 26n
1123 1130 The upper bound of the privileges a process and its offspring can obtain.
1124 1131 Changes to L take effect on the next \fBexec\fR.
1125 1132 .RE
1126 1133
1127 1134 .sp
1128 1135 .LP
1129 1136 The sets I, P and E are typically identical to the basic set of privileges for
1130 1137 unprivileged processes. The limit set is typically the full set of privileges.
1131 1138 .sp
1132 1139 .LP
1133 1140 Each process has a Privilege Awareness State (PAS) that can take the value PA
1134 1141 (privilege-aware) and NPA (not-PA). PAS is a transitional mechanism that allows
1135 1142 a choice between full compatibility with the old superuser model and completely
1136 1143 ignoring the effective UID.
1137 1144 .sp
1138 1145 .LP
1139 1146 To facilitate the discussion, we introduce the notion of "observed effective
1140 1147 set" (oE) and "observed permitted set" (oP) and the implementation sets iE and
1141 1148 iP.
1142 1149 .sp
1143 1150 .LP
1144 1151 A process becomes privilege-aware either by manipulating the effective,
1145 1152 permitted, or limit privilege sets through \fBsetppriv\fR(2) or by using
1146 1153 \fBsetpflags\fR(2). In all cases, oE and oP are invariant in the process of
1147 1154 becoming privilege-aware. In the process of becoming privilege-aware, the
1148 1155 following assignments take place:
1149 1156 .sp
1150 1157 .in +2
1151 1158 .nf
1152 1159 iE = oE
1153 1160 iP = oP
1154 1161 .fi
1155 1162 .in -2
1156 1163
1157 1164 .sp
1158 1165 .LP
1159 1166 When a process is privilege-aware, oE and oP are invariant under UID changes.
1160 1167 When a process is not privilege-aware, oE and oP are observed as follows:
1161 1168 .sp
1162 1169 .in +2
1163 1170 .nf
1164 1171 oE = euid == 0 ? L : iE
1165 1172 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
1166 1173 .fi
1167 1174 .in -2
1168 1175
1169 1176 .sp
1170 1177 .LP
1171 1178 When a non-privilege-aware process has an effective UID of 0, it can exercise
1172 1179 the privileges contained in its limit set, the upper bound of its privileges.
1173 1180 If a non-privilege-aware process has any of the UIDs 0, it appears to be
1174 1181 capable of potentially exercising all privileges in L.
1175 1182 .sp
1176 1183 .LP
1177 1184 It is possible for a process to return to the non-privilege aware state using
1178 1185 \fBsetpflags()\fR. The kernel always attempts this on \fBexec\fR(2). This
1179 1186 operation is permitted only if the following conditions are met:
1180 1187 .RS +4
1181 1188 .TP
1182 1189 .ie t \(bu
1183 1190 .el o
1184 1191 If any of the UIDs is equal to 0, P must be equal to L.
1185 1192 .RE
1186 1193 .RS +4
1187 1194 .TP
1188 1195 .ie t \(bu
1189 1196 .el o
1190 1197 If the effective UID is equal to 0, E must be equal to L.
1191 1198 .RE
1192 1199 .sp
1193 1200 .LP
1194 1201 When a process gives up privilege awareness, the following assignments take
1195 1202 place:
1196 1203 .sp
1197 1204 .in +2
1198 1205 .nf
1199 1206 if (euid == 0) iE = L & I
1200 1207 if (any uid == 0) iP = L & I
1201 1208 .fi
1202 1209 .in -2
1203 1210
1204 1211 .sp
1205 1212 .LP
1206 1213 The privileges obtained when not having a UID of \fB0\fR are the inheritable
1207 1214 set of the process restricted by the limit set.
1208 1215 .sp
1209 1216 .LP
1210 1217 Only privileges in the process's (observed) effective privilege set allow the
1211 1218 process to perform restricted operations. A process can use any of the
1212 1219 privilege manipulation functions to add or remove privileges from the privilege
1213 1220 sets. Privileges can be removed always. Only privileges found in the permitted
1214 1221 set can be added to the effective and inheritable set. The limit set cannot
1215 1222 grow. The inheritable set can be larger than the permitted set.
1216 1223 .sp
1217 1224 .LP
1218 1225 When a process performs an \fBexec\fR(2), the kernel first tries to relinquish
1219 1226 privilege awareness before making the following privilege set modifications:
1220 1227 .sp
1221 1228 .in +2
1222 1229 .nf
1223 1230 E' = P' = I' = L & I
1224 1231 L is unchanged
1225 1232 .fi
1226 1233 .in -2
1227 1234
1228 1235 .sp
1229 1236 .LP
1230 1237 If a process has not manipulated its privileges, the privilege sets effectively
1231 1238 remain the same, as E, P and I are already identical.
1232 1239 .sp
1233 1240 .LP
1234 1241 The limit set is enforced at \fBexec\fR time.
1235 1242 .sp
1236 1243 .LP
1237 1244 To run a non-privilege-aware application in a backward-compatible manner, a
1238 1245 privilege-aware application should start the non-privilege-aware application
1239 1246 with I=basic.
1240 1247 .sp
1241 1248 .LP
1242 1249 For most privileges, absence of the privilege simply results in a failure. In
1243 1250 some instances, the absense of a privilege can cause system calls to behave
1244 1251 differently. In other instances, the removal of a privilege can force a set-uid
1245 1252 application to seriously malfunction. Privileges of this type are considered
1246 1253 "unsafe". When a process is lacking any of the unsafe privileges from its limit
1247 1254 set, the system does not honor the set-uid bit of set-uid root applications.
1248 1255 The following unsafe privileges have been identified: \fBproc_setid\fR,
1249 1256 \fBsys_resource\fR and \fBproc_audit\fR.
1250 1257 .SS "Privilege Escalation"
1251 1258 .LP
1252 1259 In certain circumstances, a single privilege could lead to a process gaining
1253 1260 one or more additional privileges that were not explicitly granted to that
1254 1261 process. To prevent such an escalation of privileges, the security policy
1255 1262 requires explicit permission for those additional privileges.
1256 1263 .sp
1257 1264 .LP
1258 1265 Common examples of escalation are those mechanisms that allow modification of
1259 1266 system resources through "raw'' interfaces; for example, changing kernel data
1260 1267 structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
1261 1268 Escalation also occurs when a process controls processes with more privileges
1262 1269 than the controlling process. A special case of this is manipulating or
1263 1270 creating objects owned by UID 0 or trying to obtain UID 0 using
1264 1271 \fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0
1265 1272 owns all system configuration files and ordinary file protection mechanisms
1266 1273 allow processes with UID 0 to modify the system configuration. With appropriate
1267 1274 file modifications, a given process running with an effective UID of 0 can gain
1268 1275 all privileges.
1269 1276 .sp
1270 1277 .LP
1271 1278 In situations where a process might obtain UID 0, the security policy requires
1272 1279 additional privileges, up to the full set of privileges. Such restrictions
1273 1280 could be relaxed or removed at such time as additional mechanisms for
1274 1281 protection of system files became available. There are no such mechanisms in
1275 1282 the current Solaris release.
1276 1283 .sp
1277 1284 .LP
1278 1285 The use of UID 0 processes should be limited as much as possible. They should
1279 1286 be replaced with programs running under a different UID but with exactly the
1280 1287 privileges they need.
1281 1288 .sp
1282 1289 .LP
1283 1290 Daemons that never need to \fBexec\fR subprocesses should remove the
1284 1291 \fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
1285 1292 .SS "Assigned Privileges and Safeguards"
1286 1293 .LP
1287 1294 When privileges are assigned to a user, the system administrator could give
1288 1295 that user more powers than intended. The administrator should consider whether
1289 1296 safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
1290 1297 privilege is given to a user, the administrator should consider setting the
1291 1298 \fBproject.max-locked-memory\fR resource control as well, to prevent that user
1292 1299 from locking all memory.
1293 1300 .SS "Privilege Debugging"
1294 1301 .LP
1295 1302 When a system call fails with a permission error, it is not always immediately
1296 1303 obvious what caused the problem. To debug such a problem, you can use a tool
1297 1304 called \fBprivilege debugging\fR. When privilege debugging is enabled for a
1298 1305 process, the kernel reports missing privileges on the controlling terminal of
1299 1306 the process. (Enable debugging for a process with the \fB-D\fR option of
1300 1307 \fBppriv\fR(1).) Additionally, the administrator can enable system-wide
1301 1308 privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR
1302 1309 using:
1303 1310 .sp
1304 1311 .in +2
1305 1312 .nf
1306 1313 set priv_debug = 1
1307 1314 .fi
1308 1315 .in -2
1309 1316
1310 1317 .sp
1311 1318 .LP
1312 1319 On a running system, you can use \fBmdb\fR(1) to change this variable.
1313 1320 .SS "Privilege Administration"
1314 1321 .LP
1315 1322 The Solaris Management Console (see \fBsmc\fR(1M)) is the preferred method of
1316 1323 modifying privileges for a command. Use \fBusermod\fR(1M) or \fBsmrole\fR(1M)
1317 1324 to assign privileges to or modify privileges for, respectively, a user or a
1318 1325 role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
1319 1326 \fBtruss\fR(1) to determine which privileges a program requires.
1320 1327 .SH SEE ALSO
1321 1328 .LP
1322 1329 \fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
1323 1330 \fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
1324 1331 \fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
1325 1332 \fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
1326 1333 \fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
1327 1334 \fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2),
1328 1335 \fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2),
1329 1336 \fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2),
1330 1337 \fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2),
1331 1338 \fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2),
1332 1339 \fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2),
1333 1340 \fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2),
1334 1341 \fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2),
1335 1342 \fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2),
1336 1343 \fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2),
1337 1344 \fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2),
1338 1345 \fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2),
1339 1346 \fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2),
1340 1347 \fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2),
1341 1348 \fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C),
1342 1349 \fBpriv_addset\fR(3C), \fBpriv_set\fR(3C), \fBpriv_getbyname\fR(3C),
1343 1350 \fBpriv_getbynum\fR(3C), \fBpriv_set_to_str\fR(3C), \fBpriv_str_to_set\fR(3C),
1344 1351 \fBsocket\fR(3SOCKET), \fBt_bind\fR(3NSL), \fBtimer_create\fR(3C),
1345 1352 \fBucred_get\fR(3C), \fBexec_attr\fR(4), \fBproc\fR(4), \fBsystem\fR(4),
1346 1353 \fBuser_attr\fR(4), \fBxVM\fR(5), \fBddi_cred\fR(9F), \fBdrv_priv\fR(9F),
1347 1354 \fBpriv_getbyname\fR(9F), \fBpriv_policy\fR(9F), \fBpriv_policy_choice\fR(9F),
1348 1355 \fBpriv_policy_only\fR(9F)
1349 1356 .sp
1350 1357 .LP
1351 1358 \fISystem Administration Guide: Security Services\fR
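Review bot: the sentence "In some instances, the absense of a privilege can cause system calls to behave differently." in the unsafe-privileges paragraph misspells "absence"; and "raw''" in the Privilege Escalation paragraph ("through "raw'' interfaces") pairs a straight opening quote with a two-apostrophe close, which renders as literal apostrophes in nroff output, so suggest "raw" to match the quoting of "basic" and "unsafe" used elsewhere in this page. Both lines are unchanged context in this change, so they could be cleaned up here while the file is being touched or left for a follow-up.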