1 '\" te
2 .\" This file and its contents are supplied under the terms of the
3 .\" Common Development and Distribution License ("CDDL"), version 1.0.
4 .\" You may only use this file in accordance with the terms of version
5 .\" 1.0 of the CDDL.
6 .\"
7 .\" A full copy of the text of the CDDL should have accompanied this
8 .\" source. A copy of the CDDL is also available via the Internet at
9 .\" http://www.illumos.org/license/CDDL.
10 .\"
11 .\" Copyright 2015, Richard Lowe.
12 .\"
13 .TH "PSECFLAGS" "1" "May 3, 2014"
14 .SH "NAME"
15 \fBpsecflags\fR - inspect or modify process security flags
16 .SH "SYNOPSIS"
17 .LP
18 .nf
19 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR
20 [\fIarg\fR]...
21 .fi
22 .LP
23 .nf
24 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR]
25 \fIid\fR ...
26 .fi
27 .LP
28 .nf
29 \fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR }
30 .fi
31 .LP
32 .nf
33 \fB/usr/bin/psecflags\fR \fI-l\fR
34 .fi
35
36 .SH "DESCRIPTION"
37 The first invocation of the \fBpsecflags\fR command runs the specified
38 \fIcommand\fR with the security-flags modified as described by the \fI-s\fR
39 argument.
40 .P
41 The second invocation modifies the security-flags of the processes described
42 by \fIidtype\fR and \fIid\fR according as described by the \fI-s\fR argument.
43 .P
44 The third invocation describes the security-flags of the specified processes
45 or core files. The effective set is signified by '\fBE\fR', the inheritable
204 "none" and "current" are supported, to indicate that all flags, no flags, or
205 the current set of flags (respectively) are to be included.
206 .P
207 By default, the inheritable flags are changed. You may optionally specify the
208 set to change using their single-letter identifiers and an equals sign.
209 .P
210 For a list of valid security-flags, see \fBpsecflags -l\fR.
211 .RE
212
213 .SH "EXAMPLES"
214 .LP
215 \fBExample 1\fR Display the security-flags of the current shell.
216 .sp
217 .in +2
218 .nf
219 example$ \fBpsecflags $$\fR
220 100718: -sh
221 E: aslr
222 I: aslr
223 L: none
224 U: aslr, forbidnullmap, noexecstack
225 .fi
226 .in -2
227 .sp
228
229 .LP
230 \fBExample 2\fR Run a user command with ASLR enabled in addition to any
231 inherited security flags.
232 .sp
233 .in +2
234 .nf
235 example$ \fBpsecflags -s current,aslr -e /bin/sh\fR
236 $ psecflags $$
237 100724: -sh
238 E: none
239 I: aslr
240 L: none
241 U: aslr, forbidnullmap, noexecstack
242 .fi
243 .in -2
244 .sp
245
246 .LP
247 \fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes.
248 .sp
249 .in +2
250 .nf
251 example# \fBpsecflags -s current,-aslr -i uid bob\fR
252 .fi
253 .in -2
254
255 .LP
256 \fBExample 4\fR Add the aslr flag to the lower set, so that all future
257 child processes must have this flag set.
258 .sp
259 .in +2
260 .nf
261 example# \fBpsecflags -s L=current,aslr $$\fR
|
1 '\" te
2 .\" This file and its contents are supplied under the terms of the
3 .\" Common Development and Distribution License ("CDDL"), version 1.0.
4 .\" You may only use this file in accordance with the terms of version
5 .\" 1.0 of the CDDL.
6 .\"
7 .\" A full copy of the text of the CDDL should have accompanied this
8 .\" source. A copy of the CDDL is also available via the Internet at
9 .\" http://www.illumos.org/license/CDDL.
10 .\"
11 .\" Copyright 2015, Richard Lowe.
12 .\"
13 .TH "PSECFLAGS" "1" "June 6, 2016"
14 .SH "NAME"
15 \fBpsecflags\fR - inspect or modify process security flags
16 .SH "SYNOPSIS"
17 .LP
18 .nf
19 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR \fI-e\fR \fIcommand\fR \
20 [\fIarg\fR]...
21 .fi
22 .LP
23 .nf
24 \fB/usr/bin/psecflags\fR \fI-s\fR \fIspec\fR [\fI-i\fR \fIidtype\fR] \
25 \fIid\fR ...
26 .fi
27 .LP
28 .nf
29 \fB/usr/bin/psecflags\fR [\fI-F\fR] { \fIpid\fR | \fIcore\fR }
30 .fi
31 .LP
32 .nf
33 \fB/usr/bin/psecflags\fR \fI-l\fR
34 .fi
35
36 .SH "DESCRIPTION"
37 The first invocation of the \fBpsecflags\fR command runs the specified
38 \fIcommand\fR with the security-flags modified as described by the \fI-s\fR
39 argument.
40 .P
41 The second invocation modifies the security-flags of the processes described
42 by \fIidtype\fR and \fIid\fR according as described by the \fI-s\fR argument.
43 .P
44 The third invocation describes the security-flags of the specified processes
45 or core files. The effective set is signified by '\fBE\fR', the inheritable
204 "none" and "current" are supported, to indicate that all flags, no flags, or
205 the current set of flags (respectively) are to be included.
206 .P
207 By default, the inheritable flags are changed. You may optionally specify the
208 set to change using their single-letter identifiers and an equals sign.
209 .P
210 For a list of valid security-flags, see \fBpsecflags -l\fR.
211 .RE
212
213 .SH "EXAMPLES"
214 .LP
215 \fBExample 1\fR Display the security-flags of the current shell.
216 .sp
217 .in +2
218 .nf
219 example$ \fBpsecflags $$\fR
220 100718: -sh
221 E: aslr
222 I: aslr
223 L: none
224 U: aslr,forbidnullmap,noexecstack
225 .fi
226 .in -2
227 .sp
228
229 .LP
230 \fBExample 2\fR Run a user command with ASLR enabled in addition to any
231 inherited security flags.
232 .sp
233 .in +2
234 .nf
235 example$ \fBpsecflags -s current,aslr -e /bin/sh\fR
236 $ psecflags $$
237 100724: -sh
238 E: none
239 I: aslr
240 L: none
241 U: aslr,forbidnullmap,noexecstack
242 .fi
243 .in -2
244 .sp
245
246 .LP
247 \fBExample 3\fR Remove aslr from the inheritable flags of all Bob's processes.
248 .sp
249 .in +2
250 .nf
251 example# \fBpsecflags -s current,-aslr -i uid bob\fR
252 .fi
253 .in -2
254
255 .LP
256 \fBExample 4\fR Add the aslr flag to the lower set, so that all future
257 child processes must have this flag set.
258 .sp
259 .in +2
260 .nf
261 example# \fBpsecflags -s L=current,aslr $$\fR
|