1 '\" te
2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
3 .\" Copyright 2015, Joyent, Inc. All Rights Reserved.
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
6 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH PRIVILEGES 5 "Oct 30, 2015"
8 .SH NAME
9 privileges \- process privilege model
10 .SH DESCRIPTION
11 .LP
12 Solaris software implements a set of privileges that provide fine-grained
13 control over the actions of processes. The possession of a certain privilege
14 allows a process to perform a specific set of restricted operations.
15 .sp
16 .LP
17 The change to a primarily privilege-based security model in the Solaris
18 operating system gives developers an opportunity to restrict processes to those
19 privileged operations actually needed instead of all (super-user) or no
20 privileges (non-zero UIDs). Additionally, a set of previously unrestricted
21 operations now requires a privilege; these privileges are dubbed the "basic"
22 privileges and are by default given to all processes.
23 .sp
24 .LP
25 Taken together, all defined privileges with the exception of the "basic"
26 privileges compose the set of privileges that are traditionally associated with
27 the root user. The "basic" privileges are "privileges" unprivileged processes
28 were accustomed to having.
29 .sp
30 .LP
31 The defined privileges are:
32 .sp
33 .ne 2
34 .na
35 \fB\fBPRIV_CONTRACT_EVENT\fR\fR
36 .ad
37 .sp .6
38 .RS 4n
39 Allow a process to request reliable delivery of events to an event endpoint.
40 .sp
41 Allow a process to include events in the critical event set term of a template
42 which could be generated in volume by the user.
43 .RE
44
45 .sp
46 .ne 2
47 .na
48 \fB\fBPRIV_CONTRACT_IDENTITY\fR\fR
49 .ad
50 .sp .6
51 .RS 4n
52 Allows a process to set the service FMRI value of a process contract template.
53 .RE
54
55 .sp
56 .ne 2
57 .na
58 \fB\fBPRIV_CONTRACT_OBSERVER\fR\fR
59 .ad
60 .sp .6
61 .RS 4n
62 Allow a process to observe contract events generated by contracts created and
63 owned by users other than the process's effective user ID.
64 .sp
65 Allow a process to open contract event endpoints belonging to contracts created
66 and owned by users other than the process's effective user ID.
67 .RE
68
69 .sp
70 .ne 2
71 .na
72 \fB\fBPRIV_CPC_CPU\fR\fR
73 .ad
74 .sp .6
75 .RS 4n
76 Allow a process to access per-CPU hardware performance counters.
77 .RE
78
79 .sp
80 .ne 2
81 .na
82 \fB\fBPRIV_DTRACE_KERNEL\fR\fR
83 .ad
84 .sp .6
85 .RS 4n
86 Allow DTrace kernel-level tracing.
87 .RE
88
89 .sp
90 .ne 2
91 .na
92 \fB\fBPRIV_DTRACE_PROC\fR\fR
93 .ad
94 .sp .6
95 .RS 4n
96 Allow DTrace process-level tracing. Allow process-level tracing probes to be
97 placed and enabled in processes to which the user has permissions.
98 .RE
99
100 .sp
101 .ne 2
102 .na
103 \fB\fBPRIV_DTRACE_USER\fR\fR
104 .ad
105 .sp .6
106 .RS 4n
107 Allow DTrace user-level tracing. Allow use of the syscall and profile DTrace
108 providers to examine processes to which the user has permissions.
109 .RE
110
111 .sp
112 .ne 2
113 .na
114 \fB\fBPRIV_FILE_CHOWN\fR\fR
115 .ad
116 .sp .6
117 .RS 4n
118 Allow a process to change a file's owner user ID. Allow a process to change a
119 file's group ID to one other than the process's effective group ID or one of
120 the process's supplemental group IDs.
121 .RE
122
123 .sp
124 .ne 2
125 .na
126 \fB\fBPRIV_FILE_CHOWN_SELF\fR\fR
127 .ad
128 .sp .6
129 .RS 4n
130 Allow a process to give away its files. A process with this privilege runs as
131 if {\fB_POSIX_CHOWN_RESTRICTED\fR} is not in effect.
132 .RE
133
134 .sp
135 .ne 2
136 .na
137 \fB\fBPRIV_FILE_DAC_EXECUTE\fR\fR
138 .ad
139 .sp .6
140 .RS 4n
141 Allow a process to execute an executable file whose permission bits or ACL
142 would otherwise disallow the process execute permission.
143 .RE
144
145 .sp
146 .ne 2
147 .na
148 \fB\fBPRIV_FILE_DAC_READ\fR\fR
149 .ad
150 .sp .6
151 .RS 4n
152 Allow a process to read a file or directory whose permission bits or ACL would
153 otherwise disallow the process read permission.
154 .RE
155
156 .sp
157 .ne 2
158 .na
159 \fB\fBPRIV_FILE_DAC_SEARCH\fR\fR
160 .ad
161 .sp .6
162 .RS 4n
163 Allow a process to search a directory whose permission bits or ACL would not
164 otherwise allow the process search permission.
165 .RE
166
167 .sp
168 .ne 2
169 .na
170 \fB\fBPRIV_FILE_DAC_WRITE\fR\fR
171 .ad
172 .sp .6
173 .RS 4n
174 Allow a process to write a file or directory whose permission bits or ACL do
175 not allow the process write permission. All privileges are required to write
176 files owned by UID 0 in the absence of an effective UID of 0.
177 .RE
178
179 .sp
180 .ne 2
181 .na
182 \fB\fBPRIV_FILE_DOWNGRADE_SL\fR\fR
183 .ad
184 .sp .6
185 .RS 4n
186 Allow a process to set the sensitivity label of a file or directory to a
187 sensitivity label that does not dominate the existing sensitivity label.
188 .sp
189 This privilege is interpreted only if the system is configured with Trusted
190 Extensions.
191 .RE
192
193 .sp
194 .ne 2
195 .na
196 \fB\fBPRIV_FILE_FLAG_SET\fR\fR
197 .ad
198 .sp .6
199 .RS 4n
200 Allows a process to set immutable, nounlink or appendonly file attributes.
201 .RE
202
203 .sp
204 .ne 2
205 .na
206 \fB\fBPRIV_FILE_LINK_ANY\fR\fR
207 .ad
208 .sp .6
209 .RS 4n
210 Allow a process to create hardlinks to files owned by a UID different from the
211 process's effective UID.
212 .RE
213
214 .sp
215 .ne 2
216 .na
217 \fB\fBPRIV_FILE_OWNER\fR\fR
218 .ad
219 .sp .6
220 .RS 4n
221 Allow a process that is not the owner of a file to modify that file's access
222 and modification times. Allow a process that is not the owner of a directory to
223 modify that directory's access and modification times. Allow a process that is
224 not the owner of a file or directory to remove or rename a file or directory
225 whose parent directory has the "save text image after execution" (sticky) bit
226 set. Allow a process that is not the owner of a file to mount a \fBnamefs\fR
227 upon that file. Allow a process that is not the owner of a file or directory to
228 modify that file's or directory's permission bits or ACL.
229 .RE
230
231 .sp
232 .ne 2
233 .na
234 \fB\fBPRIV_FILE_READ\fR\fR
235 .ad
236 .sp .6
237 .RS 4n
238 Allow a process to open objects in the filesystem for reading. This
239 privilege is not necessary to read from an already open file which was opened
240 before dropping the \fBPRIV_FILE_READ\fR privilege.
241 .RE
242
243 .sp
244 .ne 2
245 .na
246 \fB\fBPRIV_FILE_SETID\fR\fR
247 .ad
248 .sp .6
249 .RS 4n
250 Allow a process to change the ownership of a file or write to a file without
251 the set-user-ID and set-group-ID bits being cleared. Allow a process to set the
252 set-group-ID bit on a file or directory whose group is not the process's
253 effective group or one of the process's supplemental groups. Allow a process to
254 set the set-user-ID bit on a file with different ownership in the presence of
255 \fBPRIV_FILE_OWNER\fR. Additional restrictions apply when creating or modifying
256 a setuid 0 file.
257 .RE
258
259 .sp
260 .ne 2
261 .na
262 \fB\fBPRIV_FILE_UPGRADE_SL\fR\fR
263 .ad
264 .sp .6
265 .RS 4n
266 Allow a process to set the sensitivity label of a file or directory to a
267 sensitivity label that dominates the existing sensitivity label.
268 .sp
269 This privilege is interpreted only if the system is configured with Trusted
270 Extensions.
271 .RE
272
273 .sp
274 .ne 2
275 .na
276 \fB\fBPRIV_FILE_WRITE\fR\fR
277 .ad
278 .sp .6
279 .RS 4n
280 Allow a process to open objects in the filesytem for writing, or otherwise
281 modify them. This privilege is not necessary to write to an already open file
282 which was opened before dropping the \fBPRIV_FILE_WRITE\fR privilege.
283 .RE
284
285 .sp
286 .ne 2
287 .na
288 \fB\fBPRIV_GRAPHICS_ACCESS\fR\fR
289 .ad
290 .sp .6
291 .RS 4n
292 Allow a process to make privileged ioctls to graphics devices. Typically only
293 an xserver process needs to have this privilege. A process with this privilege
294 is also allowed to perform privileged graphics device mappings.
295 .RE
296
297 .sp
298 .ne 2
299 .na
300 \fB\fBPRIV_GRAPHICS_MAP\fR\fR
301 .ad
302 .sp .6
303 .RS 4n
304 Allow a process to perform privileged mappings through a graphics device.
305 .RE
306
307 .sp
308 .ne 2
309 .na
310 \fB\fBPRIV_IPC_DAC_READ\fR\fR
311 .ad
312 .sp .6
313 .RS 4n
314 Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared
315 Memory Segment whose permission bits would not otherwise allow the process read
316 permission.
317 .RE
318
319 .sp
320 .ne 2
321 .na
322 \fB\fBPRIV_IPC_DAC_WRITE\fR\fR
323 .ad
324 .sp .6
325 .RS 4n
326 Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared
327 Memory Segment whose permission bits would not otherwise allow the process
328 write permission.
329 .RE
330
331 .sp
332 .ne 2
333 .na
334 \fB\fBPRIV_IPC_OWNER\fR\fR
335 .ad
336 .sp .6
337 .RS 4n
338 Allow a process that is not the owner of a System V IPC Message Queue,
339 Semaphore Set, or Shared Memory Segment to remove, change ownership of, or
340 change permission bits of the Message Queue, Semaphore Set, or Shared Memory
341 Segment.
342 .RE
343
344 .sp
345 .ne 2
346 .na
347 \fB\fBPRIV_NET_ACCESS\fR\fR
348 .ad
349 .sp .6
350 .RS 4n
351 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint. This
352 privilege is not necessary to communicate using an existing endpoint already
353 opened before dropping the \fBPRIV_NET_ACCESS\fR privilege.
354 .RE
355
356 .sp
357 .ne 2
358 .na
359 \fB\fBPRIV_NET_BINDMLP\fR\fR
360 .ad
361 .sp .6
362 .RS 4n
363 Allow a process to bind to a port that is configured as a multi-level port
364 (MLP) for the process's zone. This privilege applies to both shared address and
365 zone-specific address MLPs. See \fBtnzonecfg\fR(\fB4\fR) from the Trusted
366 Extensions manual pages for information on configuring MLP ports.
367 .sp
368 This privilege is interpreted only if the system is configured with Trusted
369 Extensions.
370 .RE
371
372 .sp
373 .ne 2
374 .na
375 \fB\fBPRIV_NET_ICMPACCESS\fR\fR
376 .ad
377 .sp .6
378 .RS 4n
379 Allow a process to send and receive ICMP packets.
380 .RE
381
382 .sp
383 .ne 2
384 .na
385 \fB\fBPRIV_NET_MAC_AWARE\fR\fR
386 .ad
387 .sp .6
388 .RS 4n
389 Allow a process to set the \fBNET_MAC_AWARE\fR process flag by using
390 \fBsetpflags\fR(2). This privilege also allows a process to set the
391 \fBSO_MAC_EXEMPT\fR socket option by using \fBsetsockopt\fR(3SOCKET). The
392 \fBNET_MAC_AWARE\fR process flag and the \fBSO_MAC_EXEMPT\fR socket option both
393 allow a local process to communicate with an unlabeled peer if the local
394 process's label dominates the peer's default label, or if the local process
395 runs in the global zone.
396 .sp
397 This privilege is interpreted only if the system is configured with Trusted
398 Extensions.
399 .RE
400
401 .sp
402 .ne 2
403 .na
404 \fB\fBPRIV_NET_MAC_IMPLICIT\fR\fR
405 .ad
406 .sp .6
407 .RS 4n
408 Allow a proces to set \fBSO_MAC_IMPLICIT\fR option by using
409 \fBsetsockopt\fR(3SOCKET). This allows a privileged process to transmit
410 implicitly-labeled packets to a peer.
411 .sp
412 This privilege is interpreted only if the system is configured with
413 Trusted Extensions.
414 .RE
415
416 .sp
417 .ne 2
418 .na
419 \fB\fBPRIV_NET_OBSERVABILITY\fR\fR
420 .ad
421 .sp .6
422 .RS 4n
423 Allow a process to open a device for just receiving network traffic, sending
424 traffic is disallowed.
425 .RE
426
427 .sp
428 .ne 2
429 .na
430 \fB\fBPRIV_NET_PRIVADDR\fR\fR
431 .ad
432 .sp .6
433 .RS 4n
434 Allow a process to bind to a privileged port number. The privilege port numbers
435 are 1-1023 (the traditional UNIX privileged ports) as well as those ports
436 marked as "\fBudp/tcp_extra_priv_ports\fR" with the exception of the ports
437 reserved for use by NFS and SMB.
438 .RE
439
440 .sp
441 .ne 2
442 .na
443 \fB\fBPRIV_NET_RAWACCESS\fR\fR
444 .ad
445 .sp .6
446 .RS 4n
447 Allow a process to have direct access to the network layer.
448 .RE
449
450 .sp
451 .ne 2
452 .na
453 \fB\fBPRIV_PROC_AUDIT\fR\fR
454 .ad
455 .sp .6
456 .RS 4n
457 Allow a process to generate audit records. Allow a process to get its own audit
458 pre-selection information.
459 .RE
460
461 .sp
462 .ne 2
463 .na
464 \fB\fBPRIV_PROC_CHROOT\fR\fR
465 .ad
466 .sp .6
467 .RS 4n
468 Allow a process to change its root directory.
469 .RE
470
471 .sp
472 .ne 2
473 .na
474 \fB\fBPRIV_PROC_CLOCK_HIGHRES\fR\fR
475 .ad
476 .sp .6
477 .RS 4n
478 Allow a process to use high resolution timers.
479 .RE
480
481 .sp
482 .ne 2
483 .na
484 \fB\fBPRIV_PROC_EXEC\fR\fR
485 .ad
486 .sp .6
487 .RS 4n
488 Allow a process to call \fBexec\fR(2).
489 .RE
490
491 .sp
492 .ne 2
493 .na
494 \fB\fBPRIV_PROC_FORK\fR\fR
495 .ad
496 .sp .6
497 .RS 4n
498 Allow a process to call \fBfork\fR(2), \fBfork1\fR(2), or \fBvfork\fR(2).
499 .RE
500
501 .sp
502 .ne 2
503 .na
504 \fB\fBPRIV_PROC_INFO\fR\fR
505 .ad
506 .sp .6
507 .RS 4n
508 Allow a process to examine the status of processes other than those to which it
509 can send signals. Processes that cannot be examined cannot be seen in
510 \fB/proc\fR and appear not to exist.
511 .RE
512
513 .sp
514 .ne 2
515 .na
516 \fB\fBPRIV_PROC_LOCK_MEMORY\fR\fR
517 .ad
518 .sp .6
519 .RS 4n
520 Allow a process to lock pages in physical memory.
521 .RE
522
523 .sp
524 .ne 2
525 .na
526 \fB\fBPRIV_PROC_MEMINFO\fR\fR
527 .ad
528 .sp .6
529 .RS 4n
530 Allow a process to access physical memory information.
531 .RE
532
533 .sp
534 .ne 2
535 .na
536 \fB\fBPRIV_PROC_OWNER\fR\fR
537 .ad
538 .sp .6
539 .RS 4n
540 Allow a process to send signals to other processes and inspect and modify the
541 process state in other processes, regardless of ownership. When modifying
542 another process, additional restrictions apply: the effective privilege set of
543 the attaching process must be a superset of the target process's effective,
544 permitted, and inheritable sets; the limit set must be a superset of the
545 target's limit set; if the target process has any UID set to 0 all privilege
546 must be asserted unless the effective UID is 0. Allow a process to bind
547 arbitrary processes to CPUs.
548 .RE
549
550 .sp
551 .ne 2
552 .na
553 \fB\fBPRIV_PROC_PRIOUP\fR\fR
554 .ad
555 .sp .6
556 .RS 4n
557 Allow a process to elevate its priority above its current level.
558 .RE
559
560 .sp
561 .ne 2
562 .na
563 \fB\fBPRIV_PROC_PRIOCNTL\fR\fR
564 .ad
565 .sp .6
566 .RS 4n
567 Allows all that PRIV_PROC_PRIOUP allows.
568 Allow a process to change its scheduling class to any scheduling class,
569 including the RT class.
570 .RE
571
572 .sp
573 .ne 2
574 .na
575 \fB\fBPRIV_PROC_SESSION\fR\fR
576 .ad
577 .sp .6
578 .RS 4n
579 Allow a process to send signals or trace processes outside its session.
580 .RE
581
582 .sp
583 .ne 2
584 .na
585 \fB\fBPRIV_PROC_SETID\fR\fR
586 .ad
587 .sp .6
588 .RS 4n
589 Allow a process to set its UIDs at will, assuming UID 0 requires all privileges
590 to be asserted.
591 .RE
592
593 .sp
594 .ne 2
595 .na
596 \fB\fBPRIV_PROC_TASKID\fR\fR
597 .ad
598 .sp .6
599 .RS 4n
600 Allow a process to assign a new task ID to the calling process.
601 .RE
602
603 .sp
604 .ne 2
605 .na
606 \fB\fBPRIV_PROC_ZONE\fR\fR
607 .ad
608 .sp .6
609 .RS 4n
610 Allow a process to trace or send signals to processes in other zones. See
611 \fBzones\fR(5).
612 .RE
613
614 .sp
615 .ne 2
616 .na
617 \fB\fBPRIV_SYS_ACCT\fR\fR
618 .ad
619 .sp .6
620 .RS 4n
621 Allow a process to enable and disable and manage accounting through
622 \fBacct\fR(2).
623 .RE
624
625 .sp
626 .ne 2
627 .na
628 \fB\fBPRIV_SYS_ADMIN\fR\fR
629 .ad
630 .sp .6
631 .RS 4n
632 Allow a process to perform system administration tasks such as setting node and
633 domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings
634 .RE
635
636 .sp
637 .ne 2
638 .na
639 \fB\fBPRIV_SYS_AUDIT\fR\fR
640 .ad
641 .sp .6
642 .RS 4n
643 Allow a process to start the (kernel) audit daemon. Allow a process to view and
644 set audit state (audit user ID, audit terminal ID, audit sessions ID, audit
645 pre-selection mask). Allow a process to turn off and on auditing. Allow a
646 process to configure the audit parameters (cache and queue sizes, event to
647 class mappings, and policy options).
648 .RE
649
650 .sp
651 .ne 2
652 .na
653 \fB\fBPRIV_SYS_CONFIG\fR\fR
654 .ad
655 .sp .6
656 .RS 4n
657 Allow a process to perform various system configuration tasks. Allow
658 filesystem-specific administrative procedures, such as filesystem configuration
659 ioctls, quota calls, creation and deletion of snapshots, and manipulating the
660 PCFS bootsector.
661 .RE
662
663 .sp
664 .ne 2
665 .na
666 \fB\fBPRIV_SYS_DEVICES\fR\fR
667 .ad
668 .sp .6
669 .RS 4n
670 Allow a process to create device special files. Allow a process to successfully
671 call a kernel module that calls the kernel \fBdrv_priv\fR(9F) function to check
672 for allowed access. Allow a process to open the real console device directly.
673 Allow a process to open devices that have been exclusively opened.
674 .RE
675
676 .sp
677 .ne 2
678 .na
679 \fB\fBPRIV_SYS_DL_CONFIG\fR\fR
680 .ad
681 .sp .6
682 .RS 4n
683 Allow a process to configure a system's datalink interfaces.
684 .RE
685
686 .sp
687 .ne 2
688 .na
689 \fB\fBPRIV_SYS_IP_CONFIG\fR\fR
690 .ad
691 .sp .6
692 .RS 4n
693 Allow a process to configure a system's IP interfaces and routes. Allow a
694 process to configure network parameters for \fBTCP/IP\fR using \fBndd\fR. Allow
695 a process access to otherwise restricted \fBTCP/IP\fR information using
696 \fBndd\fR. Allow a process to configure \fBIPsec\fR. Allow a process to pop
697 anchored \fBSTREAM\fRs modules with matching \fBzoneid\fR.
698 .RE
699
700 .sp
701 .ne 2
702 .na
703 \fB\fBPRIV_SYS_IPC_CONFIG\fR\fR
704 .ad
705 .sp .6
706 .RS 4n
707 Allow a process to increase the size of a System V IPC Message Queue buffer.
708 .RE
709
710 .sp
711 .ne 2
712 .na
713 \fB\fBPRIV_SYS_IPTUN_CONFIG\fR\fR
714 .ad
715 .sp .6
716 .RS 4n
717 Allow a process to configure IP tunnel links.
718 .RE
719
720 .sp
721 .ne 2
722 .na
723 \fB\fBPRIV_SYS_LINKDIR\fR\fR
724 .ad
725 .sp .6
726 .RS 4n
727 Allow a process to unlink and link directories.
728 .RE
729
730 .sp
731 .ne 2
732 .na
733 \fB\fBPRIV_SYS_MOUNT\fR\fR
734 .ad
735 .sp .6
736 .RS 4n
737 Allow a process to mount and unmount filesystems that would otherwise be
738 restricted (that is, most filesystems except \fBnamefs\fR). Allow a process to
739 add and remove swap devices.
740 .RE
741
742 .sp
743 .ne 2
744 .na
745 \fB\fBPRIV_SYS_NET_CONFIG\fR\fR
746 .ad
747 .sp .6
748 .RS 4n
749 Allow a process to do all that \fBPRIV_SYS_IP_CONFIG\fR,
750 \fBPRIV_SYS_DL_CONFIG\fR, and \fBPRIV_SYS_PPP_CONFIG\fR allow, plus the
751 following: use the \fBrpcmod\fR STREAMS module and insert/remove STREAMS
752 modules on locations other than the top of the module stack.
753 .RE
754
755 .sp
756 .ne 2
757 .na
758 \fB\fBPRIV_SYS_NFS\fR\fR
759 .ad
760 .sp .6
761 .RS 4n
762 Allow a process to provide NFS service: start NFS kernel threads, perform NFS
763 locking operations, bind to NFS reserved ports: ports 2049 (\fBnfs\fR) and port
764 4045 (\fBlockd\fR).
765 .RE
766
767 .sp
768 .ne 2
769 .na
770 \fB\fBPRIV_SYS_PPP_CONFIG\fR\fR
771 .ad
772 .sp .6
773 .RS 4n
774 Allow a process to create, configure, and destroy PPP instances with pppd(1M)
775 \fBpppd\fR(1M) and control PPPoE plumbing with \fBsppptun\fR(1M)sppptun(1M).
776 This privilege is granted by default to exclusive IP stack instance zones.
777 .RE
778
779 .sp
780 .ne 2
781 .na
782 \fB\fBPRIV_SYS_RES_BIND\fR\fR
783 .ad
784 .sp .6
785 .RS 4n
786 Allows a process to bind processes to processor sets.
787 .RE
788
789 .sp
790 .ne 2
791 .na
792 \fB\fBPRIV_SYS_RES_CONFIG\fR\fR
793 .ad
794 .sp .6
795 .RS 4n
796 Allows all that PRIV_SYS_RES_BIND allows.
797 Allow a process to create and delete processor sets, assign CPUs to processor
798 sets and override the \fBPSET_NOESCAPE\fR property. Allow a process to change
799 the operational status of CPUs in the system using \fBp_online\fR(2). Allow a
800 process to configure filesystem quotas. Allow a process to configure resource
801 pools and bind processes to pools.
802 .RE
803
804 .sp
805 .ne 2
806 .na
807 \fB\fBPRIV_SYS_RESOURCE\fR\fR
808 .ad
809 .sp .6
810 .RS 4n
811 Allow a process to exceed the resource limits imposed on it by
812 \fBsetrlimit\fR(2) and \fBsetrctl\fR(2).
813 .RE
814
815 .sp
816 .ne 2
817 .na
818 \fB\fBPRIV_SYS_SMB\fR\fR
819 .ad
820 .sp .6
821 .RS 4n
822 Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
823 bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
824 (SMB).
825 .RE
826
827 .sp
828 .ne 2
829 .na
830 \fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR
831 .ad
832 .sp .6
833 .RS 4n
834 Allow a process to successfully call a third party loadable module that calls
835 the kernel \fBsuser()\fR function to check for allowed access. This privilege
836 exists only for third party loadable module compatibility and is not used by
837 Solaris proper.
838 .RE
839
840 .sp
841 .ne 2
842 .na
843 \fB\fBPRIV_SYS_TIME\fR\fR
844 .ad
845 .sp .6
846 .RS 4n
847 Allow a process to manipulate system time using any of the appropriate system
848 calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2).
849 .RE
850
851 .sp
852 .ne 2
853 .na
854 \fB\fBPRIV_SYS_TRANS_LABEL\fR\fR
855 .ad
856 .sp .6
857 .RS 4n
858 Allow a process to translate labels that are not dominated by the process's
859 sensitivity label to and from an external string form.
860 .sp
861 This privilege is interpreted only if the system is configured with Trusted
862 Extensions.
863 .RE
864
865 .sp
866 .ne 2
867 .na
868 \fB\fBPRIV_VIRT_MANAGE\fR\fR
869 .ad
870 .sp .6
871 .RS 4n
872 Allows a process to manage virtualized environments such as \fBxVM\fR(5).
873 .RE
874
875 .sp
876 .ne 2
877 .na
878 \fB\fBPRIV_WIN_COLORMAP\fR\fR
879 .ad
880 .sp .6
881 .RS 4n
882 Allow a process to override colormap restrictions.
883 .sp
884 Allow a process to install or remove colormaps.
885 .sp
886 Allow a process to retrieve colormap cell entries allocated by other processes.
887 .sp
888 This privilege is interpreted only if the system is configured with Trusted
889 Extensions.
890 .RE
891
892 .sp
893 .ne 2
894 .na
895 \fB\fBPRIV_WIN_CONFIG\fR\fR
896 .ad
897 .sp .6
898 .RS 4n
899 Allow a process to configure or destroy resources that are permanently retained
900 by the X server.
901 .sp
902 Allow a process to use SetScreenSaver to set the screen saver timeout value
903 .sp
904 Allow a process to use ChangeHosts to modify the display access control list.
905 .sp
906 Allow a process to use GrabServer.
907 .sp
908 Allow a process to use the SetCloseDownMode request that can retain window,
909 pixmap, colormap, property, cursor, font, or graphic context resources.
910 .sp
911 This privilege is interpreted only if the system is configured with Trusted
912 Extensions.
913 .RE
914
915 .sp
916 .ne 2
917 .na
918 \fB\fBPRIV_WIN_DAC_READ\fR\fR
919 .ad
920 .sp .6
921 .RS 4n
922 Allow a process to read from a window resource that it does not own (has a
923 different user ID).
924 .sp
925 This privilege is interpreted only if the system is configured with Trusted
926 Extensions.
927 .RE
928
929 .sp
930 .ne 2
931 .na
932 \fB\fBPRIV_WIN_DAC_WRITE\fR\fR
933 .ad
934 .sp .6
935 .RS 4n
936 Allow a process to write to or create a window resource that it does not own
937 (has a different user ID). A newly created window property is created with the
938 window's user ID.
939 .sp
940 This privilege is interpreted only if the system is configured with Trusted
941 Extensions.
942 .RE
943
944 .sp
945 .ne 2
946 .na
947 \fB\fBPRIV_WIN_DEVICES\fR\fR
948 .ad
949 .sp .6
950 .RS 4n
951 Allow a process to perform operations on window input devices.
952 .sp
953 Allow a process to get and set keyboard and pointer controls.
954 .sp
955 Allow a process to modify pointer button and key mappings.
956 .sp
957 This privilege is interpreted only if the system is configured with Trusted
958 Extensions.
959 .RE
960
961 .sp
962 .ne 2
963 .na
964 \fB\fBPRIV_WIN_DGA\fR\fR
965 .ad
966 .sp .6
967 .RS 4n
968 Allow a process to use the direct graphics access (DGA) X protocol extensions.
969 Direct process access to the frame buffer is still required. Thus the process
970 must have MAC and DAC privileges that allow access to the frame buffer, or the
971 frame buffer must be allocated to the process.
972 .sp
973 This privilege is interpreted only if the system is configured with Trusted
974 Extensions.
975 .RE
976
977 .sp
978 .ne 2
979 .na
980 \fB\fBPRIV_WIN_DOWNGRADE_SL\fR\fR
981 .ad
982 .sp .6
983 .RS 4n
984 Allow a process to set the sensitivity label of a window resource to a
985 sensitivity label that does not dominate the existing sensitivity label.
986 .sp
987 This privilege is interpreted only if the system is configured with Trusted
988 Extensions.
989 .RE
990
991 .sp
992 .ne 2
993 .na
994 \fB\fBPRIV_WIN_FONTPATH\fR\fR
995 .ad
996 .sp .6
997 .RS 4n
998 Allow a process to set a font path.
999 .sp
1000 This privilege is interpreted only if the system is configured with Trusted
1001 Extensions.
1002 .RE
1003
1004 .sp
1005 .ne 2
1006 .na
1007 \fB\fBPRIV_WIN_MAC_READ\fR\fR
1008 .ad
1009 .sp .6
1010 .RS 4n
1011 Allow a process to read from a window resource whose sensitivity label is not
1012 equal to the process sensitivity label.
1013 .sp
1014 This privilege is interpreted only if the system is configured with Trusted
1015 Extensions.
1016 .RE
1017
1018 .sp
1019 .ne 2
1020 .na
1021 \fB\fBPRIV_WIN_MAC_WRITE\fR\fR
1022 .ad
1023 .sp .6
1024 .RS 4n
1025 Allow a process to create a window resource whose sensitivity label is not
1026 equal to the process sensitivity label. A newly created window property is
1027 created with the window's sensitivity label.
1028 .sp
1029 This privilege is interpreted only if the system is configured with Trusted
1030 Extensions.
1031 .RE
1032
1033 .sp
1034 .ne 2
1035 .na
1036 \fB\fBPRIV_WIN_SELECTION\fR\fR
1037 .ad
1038 .sp .6
1039 .RS 4n
1040 Allow a process to request inter-window data moves without the intervention of
1041 the selection confirmer.
1042 .sp
1043 This privilege is interpreted only if the system is configured with Trusted
1044 Extensions.
1045 .RE
1046
1047 .sp
1048 .ne 2
1049 .na
1050 \fB\fBPRIV_WIN_UPGRADE_SL\fR\fR
1051 .ad
1052 .sp .6
1053 .RS 4n
1054 Allow a process to set the sensitivity label of a window resource to a
1055 sensitivity label that dominates the existing sensitivity label.
1056 .sp
1057 This privilege is interpreted only if the system is configured with Trusted
1058 Extensions.
1059 .RE
1060
1061 .sp
1062 .ne 2
1063 .na
1064 \fB\fBPRIV_XVM_CONTROL\fR\fR
1065 .ad
1066 .sp .6
1067 .RS 4n
1068 Allows a process access to the \fBxVM\fR(5) control devices for managing guest
1069 domains and the hypervisor. This privilege is used only if booted into xVM on
1070 x86 platforms.
1071 .RE
1072
1073 .sp
1074 .LP
1075 Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR,
1076 \fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR,
1077 \fBPRIV_FILE_READ\fR, \fBPRIV_FILE_WRITE\fR, \fBPRIV_NET_ACCESS\fR and
1078 \fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges
1079 that used to be always available to unprivileged processes. By default,
1080 processes still have the basic privileges.
1081 .sp
1082 .LP
1083 The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
1084 in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
1085 to be successful, that is, get an effective UID of 0 and additional privileges.
1086 .sp
1087 .LP
1088 The privilege implementation in Solaris extends the process credential with
1089 four privilege sets:
1090 .sp
1091 .ne 2
1092 .na
1093 \fBI, the inheritable set\fR
1094 .ad
1095 .RS 26n
1096 The privileges inherited on \fBexec\fR.
1097 .RE
1098
1099 .sp
1100 .ne 2
1101 .na
1102 \fBP, the permitted set\fR
1103 .ad
1104 .RS 26n
1105 The maximum set of privileges for the process.
1106 .RE
1107
1108 .sp
1109 .ne 2
1110 .na
1111 \fBE, the effective set\fR
1112 .ad
1113 .RS 26n
1114 The privileges currently in effect.
1115 .RE
1116
1117 .sp
1118 .ne 2
1119 .na
1120 \fBL, the limit set\fR
1121 .ad
1122 .RS 26n
1123 The upper bound of the privileges a process and its offspring can obtain.
1124 Changes to L take effect on the next \fBexec\fR.
1125 .RE
1126
1127 .sp
1128 .LP
1129 The sets I, P and E are typically identical to the basic set of privileges for
1130 unprivileged processes. The limit set is typically the full set of privileges.
1131 .sp
1132 .LP
1133 Each process has a Privilege Awareness State (PAS) that can take the value PA
1134 (privilege-aware) and NPA (not-PA). PAS is a transitional mechanism that allows
1135 a choice between full compatibility with the old superuser model and completely
1136 ignoring the effective UID.
1137 .sp
1138 .LP
1139 To facilitate the discussion, we introduce the notion of "observed effective
1140 set" (oE) and "observed permitted set" (oP) and the implementation sets iE and
1141 iP.
1142 .sp
1143 .LP
1144 A process becomes privilege-aware either by manipulating the effective,
1145 permitted, or limit privilege sets through \fBsetppriv\fR(2) or by using
1146 \fBsetpflags\fR(2). In all cases, oE and oP are invariant in the process of
1147 becoming privilege-aware. In the process of becoming privilege-aware, the
1148 following assignments take place:
1149 .sp
1150 .in +2
1151 .nf
1152 iE = oE
1153 iP = oP
1154 .fi
1155 .in -2
1156
1157 .sp
1158 .LP
1159 When a process is privilege-aware, oE and oP are invariant under UID changes.
1160 When a process is not privilege-aware, oE and oP are observed as follows:
1161 .sp
1162 .in +2
1163 .nf
1164 oE = euid == 0 ? L : iE
1165 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
1166 .fi
1167 .in -2
1168
1169 .sp
1170 .LP
1171 When a non-privilege-aware process has an effective UID of 0, it can exercise
1172 the privileges contained in its limit set, the upper bound of its privileges.
1173 If a non-privilege-aware process has any of the UIDs 0, it appears to be
1174 capable of potentially exercising all privileges in L.
1175 .sp
1176 .LP
1177 It is possible for a process to return to the non-privilege aware state using
1178 \fBsetpflags()\fR. The kernel always attempts this on \fBexec\fR(2). This
1179 operation is permitted only if the following conditions are met:
1180 .RS +4
1181 .TP
1182 .ie t \(bu
1183 .el o
1184 If any of the UIDs is equal to 0, P must be equal to L.
1185 .RE
1186 .RS +4
1187 .TP
1188 .ie t \(bu
1189 .el o
1190 If the effective UID is equal to 0, E must be equal to L.
1191 .RE
1192 .sp
1193 .LP
1194 When a process gives up privilege awareness, the following assignments take
1195 place:
1196 .sp
1197 .in +2
1198 .nf
1199 if (euid == 0) iE = L & I
1200 if (any uid == 0) iP = L & I
1201 .fi
1202 .in -2
1203
1204 .sp
1205 .LP
1206 The privileges obtained when not having a UID of \fB0\fR are the inheritable
1207 set of the process restricted by the limit set.
1208 .sp
1209 .LP
1210 Only privileges in the process's (observed) effective privilege set allow the
1211 process to perform restricted operations. A process can use any of the
1212 privilege manipulation functions to add or remove privileges from the privilege
1213 sets. Privileges can be removed always. Only privileges found in the permitted
1214 set can be added to the effective and inheritable set. The limit set cannot
1215 grow. The inheritable set can be larger than the permitted set.
1216 .sp
1217 .LP
1218 When a process performs an \fBexec\fR(2), the kernel first tries to relinquish
1219 privilege awareness before making the following privilege set modifications:
1220 .sp
1221 .in +2
1222 .nf
1223 E' = P' = I' = L & I
1224 L is unchanged
1225 .fi
1226 .in -2
1227
1228 .sp
1229 .LP
1230 If a process has not manipulated its privileges, the privilege sets effectively
1231 remain the same, as E, P and I are already identical.
1232 .sp
1233 .LP
1234 The limit set is enforced at \fBexec\fR time.
1235 .sp
1236 .LP
1237 To run a non-privilege-aware application in a backward-compatible manner, a
1238 privilege-aware application should start the non-privilege-aware application
1239 with I=basic.
1240 .sp
1241 .LP
1242 For most privileges, absence of the privilege simply results in a failure. In
1243 some instances, the absense of a privilege can cause system calls to behave
1244 differently. In other instances, the removal of a privilege can force a set-uid
1245 application to seriously malfunction. Privileges of this type are considered
1246 "unsafe". When a process is lacking any of the unsafe privileges from its limit
1247 set, the system does not honor the set-uid bit of set-uid root applications.
1248 The following unsafe privileges have been identified: \fBproc_setid\fR,
1249 \fBsys_resource\fR and \fBproc_audit\fR.
1250 .SS "Privilege Escalation"
1251 .LP
1252 In certain circumstances, a single privilege could lead to a process gaining
1253 one or more additional privileges that were not explicitly granted to that
1254 process. To prevent such an escalation of privileges, the security policy
1255 requires explicit permission for those additional privileges.
1256 .sp
1257 .LP
1258 Common examples of escalation are those mechanisms that allow modification of
1259 system resources through "raw'' interfaces; for example, changing kernel data
1260 structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
1261 Escalation also occurs when a process controls processes with more privileges
1262 than the controlling process. A special case of this is manipulating or
1263 creating objects owned by UID 0 or trying to obtain UID 0 using
1264 \fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0
1265 owns all system configuration files and ordinary file protection mechanisms
1266 allow processes with UID 0 to modify the system configuration. With appropriate
1267 file modifications, a given process running with an effective UID of 0 can gain
1268 all privileges.
1269 .sp
1270 .LP
1271 In situations where a process might obtain UID 0, the security policy requires
1272 additional privileges, up to the full set of privileges. Such restrictions
1273 could be relaxed or removed at such time as additional mechanisms for
1274 protection of system files became available. There are no such mechanisms in
1275 the current Solaris release.
1276 .sp
1277 .LP
1278 The use of UID 0 processes should be limited as much as possible. They should
1279 be replaced with programs running under a different UID but with exactly the
1280 privileges they need.
1281 .sp
1282 .LP
1283 Daemons that never need to \fBexec\fR subprocesses should remove the
1284 \fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
1285 .SS "Assigned Privileges and Safeguards"
1286 .LP
1287 When privileges are assigned to a user, the system administrator could give
1288 that user more powers than intended. The administrator should consider whether
1289 safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
1290 privilege is given to a user, the administrator should consider setting the
1291 \fBproject.max-locked-memory\fR resource control as well, to prevent that user
1292 from locking all memory.
1293 .SS "Privilege Debugging"
1294 .LP
1295 When a system call fails with a permission error, it is not always immediately
1296 obvious what caused the problem. To debug such a problem, you can use a tool
1297 called \fBprivilege debugging\fR. When privilege debugging is enabled for a
1298 process, the kernel reports missing privileges on the controlling terminal of
1299 the process. (Enable debugging for a process with the \fB-D\fR option of
1300 \fBppriv\fR(1).) Additionally, the administrator can enable system-wide
1301 privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR
1302 using:
1303 .sp
1304 .in +2
1305 .nf
1306 set priv_debug = 1
1307 .fi
1308 .in -2
1309
1310 .sp
1311 .LP
1312 On a running system, you can use \fBmdb\fR(1) to change this variable.
1313 .SS "Privilege Administration"
1314 .LP
1315 The Solaris Management Console (see \fBsmc\fR(1M)) is the preferred method of
1316 modifying privileges for a command. Use \fBusermod\fR(1M) or \fBsmrole\fR(1M)
1317 to assign privileges to or modify privileges for, respectively, a user or a
1318 role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
1319 \fBtruss\fR(1) to determine which privileges a program requires.
1320 .SH SEE ALSO
1321 .LP
1322 \fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
1323 \fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
1324 \fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
1325 \fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
1326 \fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
1327 \fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2),
1328 \fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2),
1329 \fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2),
1330 \fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2),
1331 \fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2),
1332 \fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2),
1333 \fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2),
1334 \fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2),
1335 \fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2),
1336 \fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2),
1337 \fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2),
1338 \fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2),
1339 \fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2),
1340 \fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2),
1341 \fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C),
1342 \fBpriv_addset\fR(3C), \fBpriv_set\fR(3C), \fBpriv_getbyname\fR(3C),
1343 \fBpriv_getbynum\fR(3C), \fBpriv_set_to_str\fR(3C), \fBpriv_str_to_set\fR(3C),
1344 \fBsocket\fR(3SOCKET), \fBt_bind\fR(3NSL), \fBtimer_create\fR(3C),
1345 \fBucred_get\fR(3C), \fBexec_attr\fR(4), \fBproc\fR(4), \fBsystem\fR(4),
1346 \fBuser_attr\fR(4), \fBxVM\fR(5), \fBddi_cred\fR(9F), \fBdrv_priv\fR(9F),
1347 \fBpriv_getbyname\fR(9F), \fBpriv_policy\fR(9F), \fBpriv_policy_choice\fR(9F),
1348 \fBpriv_policy_only\fR(9F)
1349 .sp
1350 .LP
1351 \fISystem Administration Guide: Security Services\fR