Code review comments from jeffpc
7029 want per-process exploit mitigation features (secflags)
7030 want basic address space layout randomization (aslr)
7031 noexec_user_stack should be a secflag
7032 want a means to forbid mappings around NULL.
--- old/usr/src/man/man5/privileges.5.man.txt
+++ new/usr/src/man/man5/privileges.5.man.txt
1 1 PRIVILEGES(5) Standards, Environments, and Macros PRIVILEGES(5)
2 2
3 3
4 4
5 5 NAME
6 6 privileges - process privilege model
7 7
8 8 DESCRIPTION
9 9 Solaris software implements a set of privileges that provide fine-
10 10 grained control over the actions of processes. The possession of a
11 11 certain privilege allows a process to perform a specific set of
12 12 restricted operations.
13 13
14 14
15 15 The change to a primarily privilege-based security model in the Solaris
16 16 operating system gives developers an opportunity to restrict processes
17 17 to those privileged operations actually needed instead of all (super-
18 18 user) or no privileges (non-zero UIDs). Additionally, a set of
19 19 previously unrestricted operations now requires a privilege; these
20 20 privileges are dubbed the "basic" privileges and are by default given
21 21 to all processes.
22 22
23 23
24 24 Taken together, all defined privileges with the exception of the
25 25 "basic" privileges compose the set of privileges that are traditionally
26 26 associated with the root user. The "basic" privileges are "privileges"
27 27 unprivileged processes were accustomed to having.
28 28
29 29
30 30 The defined privileges are:
31 31
32 32 PRIV_CONTRACT_EVENT
33 33
34 34 Allow a process to request reliable delivery of events to an event
35 35 endpoint.
36 36
37 37 Allow a process to include events in the critical event set term of
38 38 a template which could be generated in volume by the user.
39 39
40 40
41 41 PRIV_CONTRACT_IDENTITY
42 42
43 43 Allows a process to set the service FMRI value of a process
44 44 contract template.
45 45
46 46
47 47 PRIV_CONTRACT_OBSERVER
48 48
49 49 Allow a process to observe contract events generated by contracts
50 50 created and owned by users other than the process's effective user
51 51 ID.
52 52
53 53 Allow a process to open contract event endpoints belonging to
54 54 contracts created and owned by users other than the process's
55 55 effective user ID.
56 56
57 57
58 58 PRIV_CPC_CPU
59 59
60 60 Allow a process to access per-CPU hardware performance counters.
61 61
62 62
63 63 PRIV_DTRACE_KERNEL
64 64
65 65 Allow DTrace kernel-level tracing.
66 66
67 67
68 68 PRIV_DTRACE_PROC
69 69
70 70 Allow DTrace process-level tracing. Allow process-level tracing
71 71 probes to be placed and enabled in processes to which the user has
72 72 permissions.
73 73
74 74
75 75 PRIV_DTRACE_USER
76 76
77 77 Allow DTrace user-level tracing. Allow use of the syscall and
78 78 profile DTrace providers to examine processes to which the user has
79 79 permissions.
80 80
81 81
82 82 PRIV_FILE_CHOWN
83 83
84 84 Allow a process to change a file's owner user ID. Allow a process
85 85 to change a file's group ID to one other than the process's
86 86 effective group ID or one of the process's supplemental group IDs.
87 87
88 88
89 89 PRIV_FILE_CHOWN_SELF
90 90
91 91 Allow a process to give away its files. A process with this
92 92 privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.
93 93
94 94
95 95 PRIV_FILE_DAC_EXECUTE
96 96
97 97 Allow a process to execute an executable file whose permission bits
98 98 or ACL would otherwise disallow the process execute permission.
99 99
100 100
101 101 PRIV_FILE_DAC_READ
102 102
103 103 Allow a process to read a file or directory whose permission bits
104 104 or ACL would otherwise disallow the process read permission.
105 105
106 106
107 107 PRIV_FILE_DAC_SEARCH
108 108
109 109 Allow a process to search a directory whose permission bits or ACL
110 110 would not otherwise allow the process search permission.
111 111
112 112
113 113 PRIV_FILE_DAC_WRITE
114 114
115 115 Allow a process to write a file or directory whose permission bits
116 116 or ACL do not allow the process write permission. All privileges
117 117 are required to write files owned by UID 0 in the absence of an
118 118 effective UID of 0.
119 119
120 120
121 121 PRIV_FILE_DOWNGRADE_SL
122 122
123 123 Allow a process to set the sensitivity label of a file or directory
124 124 to a sensitivity label that does not dominate the existing
125 125 sensitivity label.
126 126
127 127 This privilege is interpreted only if the system is configured with
128 128 Trusted Extensions.
129 129
130 130
131 131 PRIV_FILE_FLAG_SET
132 132
133 133 Allows a process to set immutable, nounlink or appendonly file
134 134 attributes.
135 135
136 136
137 137 PRIV_FILE_LINK_ANY
138 138
139 139 Allow a process to create hardlinks to files owned by a UID
140 140 different from the process's effective UID.
141 141
142 142
143 143 PRIV_FILE_OWNER
144 144
145 145 Allow a process that is not the owner of a file to modify that
146 146 file's access and modification times. Allow a process that is not
147 147 the owner of a directory to modify that directory's access and
148 148 modification times. Allow a process that is not the owner of a file
149 149 or directory to remove or rename a file or directory whose parent
150 150 directory has the "save text image after execution" (sticky) bit
151 151 set. Allow a process that is not the owner of a file to mount a
152 152 namefs upon that file. Allow a process that is not the owner of a
153 153 file or directory to modify that file's or directory's permission
154 154 bits or ACL.
155 155
156 156
157 157 PRIV_FILE_READ
158 158
159 159 Allow a process to open objects in the filesystem for reading. This
160 160 privilege is not necessary to read from an already open file which
161 161 was opened before dropping the PRIV_FILE_READ privilege.
162 162
163 163
164 164 PRIV_FILE_SETID
165 165
166 166 Allow a process to change the ownership of a file or write to a
167 167 file without the set-user-ID and set-group-ID bits being cleared.
168 168 Allow a process to set the set-group-ID bit on a file or directory
169 169 whose group is not the process's effective group or one of the
170 170 process's supplemental groups. Allow a process to set the set-user-
171 171 ID bit on a file with different ownership in the presence of
172 172 PRIV_FILE_OWNER. Additional restrictions apply when creating or
173 173 modifying a setuid 0 file.
174 174
175 175
176 176 PRIV_FILE_UPGRADE_SL
177 177
178 178 Allow a process to set the sensitivity label of a file or directory
179 179 to a sensitivity label that dominates the existing sensitivity
180 180 label.
181 181
182 182 This privilege is interpreted only if the system is configured with
183 183 Trusted Extensions.
184 184
185 185
186 186 PRIV_FILE_WRITE
187 187
188 188 Allow a process to open objects in the filesytem for writing, or
189 189 otherwise modify them. This privilege is not necessary to write to
190 190 an already open file which was opened before dropping the
191 191 PRIV_FILE_WRITE privilege.
192 192
193 193
194 194 PRIV_GRAPHICS_ACCESS
195 195
196 196 Allow a process to make privileged ioctls to graphics devices.
197 197 Typically only an xserver process needs to have this privilege. A
198 198 process with this privilege is also allowed to perform privileged
199 199 graphics device mappings.
200 200
201 201
202 202 PRIV_GRAPHICS_MAP
203 203
204 204 Allow a process to perform privileged mappings through a graphics
205 205 device.
206 206
207 207
208 208 PRIV_IPC_DAC_READ
209 209
210 210 Allow a process to read a System V IPC Message Queue, Semaphore
211 211 Set, or Shared Memory Segment whose permission bits would not
212 212 otherwise allow the process read permission.
213 213
214 214
215 215 PRIV_IPC_DAC_WRITE
216 216
217 217 Allow a process to write a System V IPC Message Queue, Semaphore
218 218 Set, or Shared Memory Segment whose permission bits would not
219 219 otherwise allow the process write permission.
220 220
221 221
222 222 PRIV_IPC_OWNER
223 223
224 224 Allow a process that is not the owner of a System V IPC Message
225 225 Queue, Semaphore Set, or Shared Memory Segment to remove, change
226 226 ownership of, or change permission bits of the Message Queue,
227 227 Semaphore Set, or Shared Memory Segment.
228 228
229 229
230 230 PRIV_NET_ACCESS
231 231
232 232 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint.
233 233 This privilege is not necessary to communicate using an existing
234 234 endpoint already opened before dropping the PRIV_NET_ACCESS
235 235 privilege.
236 236
237 237
238 238 PRIV_NET_BINDMLP
239 239
240 240 Allow a process to bind to a port that is configured as a multi-
241 241 level port (MLP) for the process's zone. This privilege applies to
242 242 both shared address and zone-specific address MLPs. See
243 243 tnzonecfg(4) from the Trusted Extensions manual pages for
244 244 information on configuring MLP ports.
245 245
246 246 This privilege is interpreted only if the system is configured with
247 247 Trusted Extensions.
248 248
249 249
250 250 PRIV_NET_ICMPACCESS
251 251
252 252 Allow a process to send and receive ICMP packets.
253 253
254 254
255 255 PRIV_NET_MAC_AWARE
256 256
257 257 Allow a process to set the NET_MAC_AWARE process flag by using
258 258 setpflags(2). This privilege also allows a process to set the
259 259 SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The
260 260 NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both
261 261 allow a local process to communicate with an unlabeled peer if the
262 262 local process's label dominates the peer's default label, or if the
263 263 local process runs in the global zone.
264 264
265 265 This privilege is interpreted only if the system is configured with
266 266 Trusted Extensions.
267 267
268 268
269 269 PRIV_NET_MAC_IMPLICIT
270 270
271 271 Allow a proces to set SO_MAC_IMPLICIT option by using
272 272 setsockopt(3SOCKET). This allows a privileged process to transmit
273 273 implicitly-labeled packets to a peer.
274 274
275 275 This privilege is interpreted only if the system is configured with
276 276 Trusted Extensions.
277 277
278 278
279 279 PRIV_NET_OBSERVABILITY
280 280
281 281 Allow a process to open a device for just receiving network
282 282 traffic, sending traffic is disallowed.
283 283
284 284
285 285 PRIV_NET_PRIVADDR
286 286
287 287 Allow a process to bind to a privileged port number. The privilege
288 288 port numbers are 1-1023 (the traditional UNIX privileged ports) as
289 289 well as those ports marked as "udp/tcp_extra_priv_ports" with the
290 290 exception of the ports reserved for use by NFS and SMB.
291 291
292 292
293 293 PRIV_NET_RAWACCESS
294 294
295 295 Allow a process to have direct access to the network layer.
296 296
297 297
298 298 PRIV_PROC_AUDIT
299 299
300 300 Allow a process to generate audit records. Allow a process to get
301 301 its own audit pre-selection information.
302 302
303 303
304 304 PRIV_PROC_CHROOT
305 305
306 306 Allow a process to change its root directory.
307 307
308 308
309 309 PRIV_PROC_CLOCK_HIGHRES
310 310
311 311 Allow a process to use high resolution timers.
312 312
313 313
314 314 PRIV_PROC_EXEC
315 315
316 316 Allow a process to call exec(2).
317 317
318 318
319 319 PRIV_PROC_FORK
320 320
321 321 Allow a process to call fork(2), fork1(2), or vfork(2).
322 322
323 323
324 324 PRIV_PROC_INFO
325 325
326 326 Allow a process to examine the status of processes other than those
327 327 to which it can send signals. Processes that cannot be examined
328 328 cannot be seen in /proc and appear not to exist.
329 329
330 330
331 331 PRIV_PROC_LOCK_MEMORY
332 332
333 333 Allow a process to lock pages in physical memory.
334 334
335 335
336 336 PRIV_PROC_MEMINFO
337 337
338 338 Allow a process to access physical memory information.
339 339
340 340
341 341 PRIV_PROC_OWNER
342 342
343 343 Allow a process to send signals to other processes and inspect and
344 344 modify the process state in other processes, regardless of
345 345 ownership. When modifying another process, additional restrictions
346 346 apply: the effective privilege set of the attaching process must be
347 347 a superset of the target process's effective, permitted, and
348 348 inheritable sets; the limit set must be a superset of the target's
349 349 limit set; if the target process has any UID set to 0 all privilege
350 350 must be asserted unless the effective UID is 0. Allow a process to
351 351 bind arbitrary processes to CPUs.
352 352
353 353
354 354 PRIV_PROC_PRIOUP
355 355
356 356 Allow a process to elevate its priority above its current level.
357 357
358 358
359 359 PRIV_PROC_PRIOCNTL
360 360
361 361 Allows all that PRIV_PROC_PRIOUP allows. Allow a process to change
362 362 its scheduling class to any scheduling class, including the RT
363 363 class.
364 364
365 365
366 + PRIV_PROC_SECFLAGS
367 +
368 + Allow a process to manipulate the secflags of processes (subject
369 + to, additionally, the ability to signal that process).
370 +
371 +
366 372 PRIV_PROC_SESSION
367 373
368 374 Allow a process to send signals or trace processes outside its
369 375 session.
370 376
371 377
372 378 PRIV_PROC_SETID
373 379
374 380 Allow a process to set its UIDs at will, assuming UID 0 requires
375 381 all privileges to be asserted.
376 382
377 383
378 384 PRIV_PROC_TASKID
379 385
380 386 Allow a process to assign a new task ID to the calling process.
381 387
382 388
383 389 PRIV_PROC_ZONE
384 390
385 391 Allow a process to trace or send signals to processes in other
386 392 zones. See zones(5).
387 393
388 394
389 395 PRIV_SYS_ACCT
390 396
391 397 Allow a process to enable and disable and manage accounting through
392 398 acct(2).
393 399
394 400
395 401 PRIV_SYS_ADMIN
396 402
397 403 Allow a process to perform system administration tasks such as
398 404 setting node and domain name and specifying coreadm(1M) and
399 405 nscd(1M) settings
400 406
401 407
402 408 PRIV_SYS_AUDIT
403 409
404 410 Allow a process to start the (kernel) audit daemon. Allow a process
405 411 to view and set audit state (audit user ID, audit terminal ID,
406 412 audit sessions ID, audit pre-selection mask). Allow a process to
407 413 turn off and on auditing. Allow a process to configure the audit
408 414 parameters (cache and queue sizes, event to class mappings, and
409 415 policy options).
410 416
411 417
412 418 PRIV_SYS_CONFIG
413 419
414 420 Allow a process to perform various system configuration tasks.
415 421 Allow filesystem-specific administrative procedures, such as
416 422 filesystem configuration ioctls, quota calls, creation and deletion
417 423 of snapshots, and manipulating the PCFS bootsector.
418 424
419 425
420 426 PRIV_SYS_DEVICES
421 427
422 428 Allow a process to create device special files. Allow a process to
423 429 successfully call a kernel module that calls the kernel
424 430 drv_priv(9F) function to check for allowed access. Allow a process
425 431 to open the real console device directly. Allow a process to open
426 432 devices that have been exclusively opened.
427 433
428 434
429 435 PRIV_SYS_DL_CONFIG
430 436
431 437 Allow a process to configure a system's datalink interfaces.
432 438
433 439
434 440 PRIV_SYS_IP_CONFIG
435 441
436 442 Allow a process to configure a system's IP interfaces and routes.
437 443 Allow a process to configure network parameters for TCP/IP using
438 444 ndd. Allow a process access to otherwise restricted TCP/IP
439 445 information using ndd. Allow a process to configure IPsec. Allow a
440 446 process to pop anchored STREAMs modules with matching zoneid.
441 447
442 448
443 449 PRIV_SYS_IPC_CONFIG
444 450
445 451 Allow a process to increase the size of a System V IPC Message
446 452 Queue buffer.
447 453
448 454
449 455 PRIV_SYS_IPTUN_CONFIG
450 456
451 457 Allow a process to configure IP tunnel links.
452 458
453 459
454 460 PRIV_SYS_LINKDIR
455 461
456 462 Allow a process to unlink and link directories.
457 463
458 464
459 465 PRIV_SYS_MOUNT
460 466
461 467 Allow a process to mount and unmount filesystems that would
462 468 otherwise be restricted (that is, most filesystems except namefs).
463 469 Allow a process to add and remove swap devices.
464 470
465 471
466 472 PRIV_SYS_NET_CONFIG
467 473
468 474 Allow a process to do all that PRIV_SYS_IP_CONFIG,
469 475 PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
470 476 following: use the rpcmod STREAMS module and insert/remove STREAMS
471 477 modules on locations other than the top of the module stack.
472 478
473 479
474 480 PRIV_SYS_NFS
475 481
476 482 Allow a process to provide NFS service: start NFS kernel threads,
477 483 perform NFS locking operations, bind to NFS reserved ports: ports
478 484 2049 (nfs) and port 4045 (lockd).
479 485
480 486
481 487 PRIV_SYS_PPP_CONFIG
482 488
483 489 Allow a process to create, configure, and destroy PPP instances
484 490 with pppd(1M) pppd(1M) and control PPPoE plumbing with
485 491 sppptun(1M)sppptun(1M). This privilege is granted by default to
486 492 exclusive IP stack instance zones.
487 493
488 494
489 495 PRIV_SYS_RES_BIND
490 496
491 497 Allows a process to bind processes to processor sets.
492 498
493 499
494 500 PRIV_SYS_RES_CONFIG
495 501
496 502 Allows all that PRIV_SYS_RES_BIND allows. Allow a process to
497 503 create and delete processor sets, assign CPUs to processor sets and
498 504 override the PSET_NOESCAPE property. Allow a process to change the
499 505 operational status of CPUs in the system using p_online(2). Allow a
500 506 process to configure filesystem quotas. Allow a process to
501 507 configure resource pools and bind processes to pools.
502 508
503 509
504 510 PRIV_SYS_RESOURCE
505 511
506 512 Allow a process to exceed the resource limits imposed on it by
507 513 setrlimit(2) and setrctl(2).
508 514
509 515
510 516 PRIV_SYS_SMB
511 517
512 518 Allow a process to provide NetBIOS or SMB services: start SMB
513 519 kernel threads or bind to NetBIOS or SMB reserved ports: ports 137,
514 520 138, 139 (NetBIOS) and 445 (SMB).
515 521
516 522
517 523 PRIV_SYS_SUSER_COMPAT
518 524
519 525 Allow a process to successfully call a third party loadable module
520 526 that calls the kernel suser() function to check for allowed access.
521 527 This privilege exists only for third party loadable module
522 528 compatibility and is not used by Solaris proper.
523 529
524 530
525 531 PRIV_SYS_TIME
526 532
527 533 Allow a process to manipulate system time using any of the
528 534 appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).
529 535
530 536
531 537 PRIV_SYS_TRANS_LABEL
532 538
533 539 Allow a process to translate labels that are not dominated by the
534 540 process's sensitivity label to and from an external string form.
535 541
536 542 This privilege is interpreted only if the system is configured with
537 543 Trusted Extensions.
538 544
539 545
540 546 PRIV_VIRT_MANAGE
541 547
542 548 Allows a process to manage virtualized environments such as xVM(5).
543 549
544 550
545 551 PRIV_WIN_COLORMAP
546 552
547 553 Allow a process to override colormap restrictions.
548 554
549 555 Allow a process to install or remove colormaps.
550 556
551 557 Allow a process to retrieve colormap cell entries allocated by
552 558 other processes.
553 559
554 560 This privilege is interpreted only if the system is configured with
555 561 Trusted Extensions.
556 562
557 563
558 564 PRIV_WIN_CONFIG
559 565
560 566 Allow a process to configure or destroy resources that are
561 567 permanently retained by the X server.
562 568
563 569 Allow a process to use SetScreenSaver to set the screen saver
564 570 timeout value
565 571
566 572 Allow a process to use ChangeHosts to modify the display access
567 573 control list.
568 574
569 575 Allow a process to use GrabServer.
570 576
571 577 Allow a process to use the SetCloseDownMode request that can retain
572 578 window, pixmap, colormap, property, cursor, font, or graphic
573 579 context resources.
574 580
575 581 This privilege is interpreted only if the system is configured with
576 582 Trusted Extensions.
577 583
578 584
579 585 PRIV_WIN_DAC_READ
580 586
581 587 Allow a process to read from a window resource that it does not own
582 588 (has a different user ID).
583 589
584 590 This privilege is interpreted only if the system is configured with
585 591 Trusted Extensions.
586 592
587 593
588 594 PRIV_WIN_DAC_WRITE
589 595
590 596 Allow a process to write to or create a window resource that it
591 597 does not own (has a different user ID). A newly created window
592 598 property is created with the window's user ID.
593 599
594 600 This privilege is interpreted only if the system is configured with
595 601 Trusted Extensions.
596 602
597 603
598 604 PRIV_WIN_DEVICES
599 605
600 606 Allow a process to perform operations on window input devices.
601 607
602 608 Allow a process to get and set keyboard and pointer controls.
603 609
604 610 Allow a process to modify pointer button and key mappings.
605 611
606 612 This privilege is interpreted only if the system is configured with
607 613 Trusted Extensions.
608 614
609 615
610 616 PRIV_WIN_DGA
611 617
612 618 Allow a process to use the direct graphics access (DGA) X protocol
613 619 extensions. Direct process access to the frame buffer is still
614 620 required. Thus the process must have MAC and DAC privileges that
615 621 allow access to the frame buffer, or the frame buffer must be
616 622 allocated to the process.
617 623
618 624 This privilege is interpreted only if the system is configured with
619 625 Trusted Extensions.
620 626
621 627
622 628 PRIV_WIN_DOWNGRADE_SL
623 629
624 630 Allow a process to set the sensitivity label of a window resource
625 631 to a sensitivity label that does not dominate the existing
626 632 sensitivity label.
627 633
628 634 This privilege is interpreted only if the system is configured with
629 635 Trusted Extensions.
630 636
631 637
632 638 PRIV_WIN_FONTPATH
633 639
634 640 Allow a process to set a font path.
635 641
636 642 This privilege is interpreted only if the system is configured with
637 643 Trusted Extensions.
638 644
639 645
640 646 PRIV_WIN_MAC_READ
641 647
642 648 Allow a process to read from a window resource whose sensitivity
643 649 label is not equal to the process sensitivity label.
644 650
645 651 This privilege is interpreted only if the system is configured with
646 652 Trusted Extensions.
647 653
648 654
649 655 PRIV_WIN_MAC_WRITE
650 656
651 657 Allow a process to create a window resource whose sensitivity label
652 658 is not equal to the process sensitivity label. A newly created
653 659 window property is created with the window's sensitivity label.
654 660
655 661 This privilege is interpreted only if the system is configured with
656 662 Trusted Extensions.
657 663
658 664
659 665 PRIV_WIN_SELECTION
660 666
661 667 Allow a process to request inter-window data moves without the
662 668 intervention of the selection confirmer.
663 669
664 670 This privilege is interpreted only if the system is configured with
665 671 Trusted Extensions.
666 672
667 673
668 674 PRIV_WIN_UPGRADE_SL
669 675
670 676 Allow a process to set the sensitivity label of a window resource
671 677 to a sensitivity label that dominates the existing sensitivity
672 678 label.
673 679
674 680 This privilege is interpreted only if the system is configured with
675 681 Trusted Extensions.
676 682
677 683
678 684 PRIV_XVM_CONTROL
679 685
680 686 Allows a process access to the xVM(5) control devices for managing
681 687 guest domains and the hypervisor. This privilege is used only if
682 688 booted into xVM on x86 platforms.
683 689
684 690
685 691
686 692 Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
687 693 PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ,
688 694 PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered
689 695 "basic" privileges. These are privileges that used to be always
690 696 available to unprivileged processes. By default, processes still have
691 697 the basic privileges.
692 698
693 699
694 700 The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
695 701 the Limit set (see below) of a process in order for set-uid root execs
696 702 to be successful, that is, get an effective UID of 0 and additional
697 703 privileges.
698 704
699 705
700 706 The privilege implementation in Solaris extends the process credential
701 707 with four privilege sets:
702 708
703 709 I, the inheritable set
704 710 The privileges inherited on exec.
705 711
706 712
707 713 P, the permitted set
708 714 The maximum set of privileges for the
709 715 process.
710 716
711 717
712 718 E, the effective set
713 719 The privileges currently in effect.
714 720
715 721
716 722 L, the limit set
717 723 The upper bound of the privileges a process
718 724 and its offspring can obtain. Changes to L
719 725 take effect on the next exec.
720 726
721 727
722 728
723 729 The sets I, P and E are typically identical to the basic set of
724 730 privileges for unprivileged processes. The limit set is typically the
725 731 full set of privileges.
726 732
727 733
728 734 Each process has a Privilege Awareness State (PAS) that can take the
729 735 value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
730 736 mechanism that allows a choice between full compatibility with the old
731 737 superuser model and completely ignoring the effective UID.
732 738
733 739
734 740 To facilitate the discussion, we introduce the notion of "observed
735 741 effective set" (oE) and "observed permitted set" (oP) and the
736 742 implementation sets iE and iP.
737 743
738 744
739 745 A process becomes privilege-aware either by manipulating the effective,
740 746 permitted, or limit privilege sets through setppriv(2) or by using
741 747 setpflags(2). In all cases, oE and oP are invariant in the process of
742 748 becoming privilege-aware. In the process of becoming privilege-aware,
743 749 the following assignments take place:
744 750
745 751 iE = oE
746 752 iP = oP
747 753
748 754
749 755
750 756 When a process is privilege-aware, oE and oP are invariant under UID
751 757 changes. When a process is not privilege-aware, oE and oP are observed
752 758 as follows:
753 759
754 760 oE = euid == 0 ? L : iE
755 761 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
756 762
757 763
758 764
759 765 When a non-privilege-aware process has an effective UID of 0, it can
760 766 exercise the privileges contained in its limit set, the upper bound of
761 767 its privileges. If a non-privilege-aware process has any of the UIDs
762 768 0, it appears to be capable of potentially exercising all privileges in
763 769 L.
764 770
765 771
766 772 It is possible for a process to return to the non-privilege aware state
767 773 using setpflags(). The kernel always attempts this on exec(2). This
768 774 operation is permitted only if the following conditions are met:
769 775
770 776 o If any of the UIDs is equal to 0, P must be equal to L.
771 777
772 778 o If the effective UID is equal to 0, E must be equal to L.
773 779
774 780
775 781 When a process gives up privilege awareness, the following assignments
776 782 take place:
777 783
778 784 if (euid == 0) iE = L & I
779 785 if (any uid == 0) iP = L & I
780 786
781 787
782 788
783 789 The privileges obtained when not having a UID of 0 are the inheritable
784 790 set of the process restricted by the limit set.
785 791
786 792
787 793 Only privileges in the process's (observed) effective privilege set
788 794 allow the process to perform restricted operations. A process can use
789 795 any of the privilege manipulation functions to add or remove privileges
790 796 from the privilege sets. Privileges can be removed always. Only
791 797 privileges found in the permitted set can be added to the effective and
792 798 inheritable set. The limit set cannot grow. The inheritable set can be
793 799 larger than the permitted set.
794 800
795 801
796 802 When a process performs an exec(2), the kernel first tries to
797 803 relinquish privilege awareness before making the following privilege
798 804 set modifications:
799 805
800 806 E' = P' = I' = L & I
801 807 L is unchanged
802 808
803 809
804 810
805 811 If a process has not manipulated its privileges, the privilege sets
806 812 effectively remain the same, as E, P and I are already identical.
807 813
808 814
809 815 The limit set is enforced at exec time.
810 816
811 817
812 818 To run a non-privilege-aware application in a backward-compatible
813 819 manner, a privilege-aware application should start the non-privilege-
814 820 aware application with I=basic.
815 821
816 822
817 823 For most privileges, absence of the privilege simply results in a
818 824 failure. In some instances, the absense of a privilege can cause system
819 825 calls to behave differently. In other instances, the removal of a
820 826 privilege can force a set-uid application to seriously malfunction.
821 827 Privileges of this type are considered "unsafe". When a process is
822 828 lacking any of the unsafe privileges from its limit set, the system
823 829 does not honor the set-uid bit of set-uid root applications. The
824 830 following unsafe privileges have been identified: proc_setid,
825 831 sys_resource and proc_audit.
826 832
827 833 Privilege Escalation
828 834 In certain circumstances, a single privilege could lead to a process
829 835 gaining one or more additional privileges that were not explicitly
830 836 granted to that process. To prevent such an escalation of privileges,
831 837 the security policy requires explicit permission for those additional
832 838 privileges.
833 839
834 840
835 841 Common examples of escalation are those mechanisms that allow
836 842 modification of system resources through "raw'' interfaces; for
837 843 example, changing kernel data structures through /dev/kmem or changing
838 844 files through /dev/dsk/*. Escalation also occurs when a process
839 845 controls processes with more privileges than the controlling process. A
840 846 special case of this is manipulating or creating objects owned by UID 0
841 847 or trying to obtain UID 0 using setuid(2). The special treatment of UID
842 848 0 is needed because the UID 0 owns all system configuration files and
843 849 ordinary file protection mechanisms allow processes with UID 0 to
844 850 modify the system configuration. With appropriate file modifications, a
845 851 given process running with an effective UID of 0 can gain all
846 852 privileges.
847 853
848 854
849 855 In situations where a process might obtain UID 0, the security policy
850 856 requires additional privileges, up to the full set of privileges. Such
851 857 restrictions could be relaxed or removed at such time as additional
852 858 mechanisms for protection of system files became available. There are
853 859 no such mechanisms in the current Solaris release.
854 860
855 861
856 862 The use of UID 0 processes should be limited as much as possible. They
857 863 should be replaced with programs running under a different UID but with
858 864 exactly the privileges they need.
859 865
860 866
861 867 Daemons that never need to exec subprocesses should remove the
862 868 PRIV_PROC_EXEC privilege from their permitted and limit sets.
863 869
864 870 Assigned Privileges and Safeguards
865 871 When privileges are assigned to a user, the system administrator could
866 872 give that user more powers than intended. The administrator should
867 873 consider whether safeguards are needed. For example, if the
868 874 PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
869 875 should consider setting the project.max-locked-memory resource control
870 876 as well, to prevent that user from locking all memory.
871 877
872 878 Privilege Debugging
873 879 When a system call fails with a permission error, it is not always
874 880 immediately obvious what caused the problem. To debug such a problem,
875 881 you can use a tool called privilege debugging. When privilege debugging
876 882 is enabled for a process, the kernel reports missing privileges on the
877 883 controlling terminal of the process. (Enable debugging for a process
878 884 with the -D option of ppriv(1).) Additionally, the administrator can
879 885 enable system-wide privilege debugging by setting the system(4)
880 886 variable priv_debug using:
881 887
882 888 set priv_debug = 1
883 889
884 890
885 891
886 892 On a running system, you can use mdb(1) to change this variable.
887 893
888 894 Privilege Administration
889 895 The Solaris Management Console (see smc(1M)) is the preferred method of
890 896 modifying privileges for a command. Use usermod(1M) or smrole(1M) to
891 897 assign privileges to or modify privileges for, respectively, a user or
892 898 a role. Use ppriv(1) to enumerate the privileges supported on a system
893 899 and truss(1) to determine which privileges a program requires.
894 900
895 901 SEE ALSO
896 902 mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
897 903 pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2),
898 904 access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2),
899 905 chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2),
900 906 fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2),
901 907 kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2),
902 908 ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
903 909 processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
904 910 resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2),
905 911 seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2),
906 912 setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2),
907 913 setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
908 914 statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2),
909 915 umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET),
910 916 door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C),
911 917 priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C),
912 918 socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C),
913 919 exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
914 920 drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
915 921 priv_policy_choice(9F), priv_policy_only(9F)
916 922
917 923
918 924 System Administration Guide: Security Services
919 925
920 926
921 927
922 - October 30, 2015 PRIVILEGES(5)
928 + June 6, 2016 PRIVILEGES(5)
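Review bot: the new PRIV_PROC_SECFLAGS entry at new lines 366-369 buries its condition in an awkward parenthetical ("subject to, additionally, the ability to signal that process"), unlike the neighbouring entries such as PRIV_PROC_SESSION and PRIV_PROC_ZONE, which state the condition in a direct clause; suggest "Allow a process to manipulate the secflags of another process, provided it is also able to send that process a signal." Two related spots were left untouched by this diff: the list of "basic" privileges at new lines 692-697 and the SEE ALSO section. If proc_secflags is meant to be part of the basic set, it needs to be added to that list (which is also where the default-on behaviour is explained), and a cross-reference to the page that documents the individual secflags would help readers who arrive at this entry with no other pointer to what a secflag is.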