1 PRIVILEGES(5)         Standards, Environments, and Macros        PRIVILEGES(5)
   2 
   3 
   4 
   5 NAME
   6        privileges - process privilege model
   7 
   8 DESCRIPTION
   9        Solaris software implements a set of privileges that provide fine-
  10        grained control over the actions of processes. The possession of a
  11        certain privilege allows a process to perform a specific set of
  12        restricted operations.
  13 
  14 
  15        The change to a primarily privilege-based security model in the Solaris
  16        operating system gives developers an opportunity to restrict processes
  17        to those privileged operations actually needed instead of all (super-
  18        user) or no privileges (non-zero UIDs). Additionally, a set of
  19        previously unrestricted operations now requires a privilege; these
  20        privileges are dubbed the "basic" privileges and are by default given
  21        to all processes.
  22 
  23 
  24        Taken together, all defined privileges with the exception of the
  25        "basic" privileges compose the set of privileges that are traditionally
  26        associated with the root user. The "basic" privileges are "privileges"
  27        unprivileged processes were accustomed to having.
  28 
  29 
  30        The defined privileges are:
  31 
  32        PRIV_CONTRACT_EVENT
  33 
  34            Allow a process to request reliable delivery of events to an event
  35            endpoint.
  36 
  37            Allow a process to include events in the critical event set term of
  38            a template which could be generated in volume by the user.
  39 
  40 
  41        PRIV_CONTRACT_IDENTITY
  42 
  43            Allows a process to set the service FMRI value of a process
  44            contract template.
  45 
  46 
  47        PRIV_CONTRACT_OBSERVER
  48 
  49            Allow a process to observe contract events generated by contracts
  50            created and owned by users other than the process's effective user
  51            ID.
  52 
  53            Allow a process to open contract event endpoints belonging to
  54            contracts created and owned by users other than the process's
  55            effective user ID.
  56 
  57 
  58        PRIV_CPC_CPU
  59 
  60            Allow a process to access per-CPU hardware performance counters.
  61 
  62 
  63        PRIV_DTRACE_KERNEL
  64 
  65            Allow DTrace kernel-level tracing.
  66 
  67 
  68        PRIV_DTRACE_PROC
  69 
  70            Allow DTrace process-level tracing. Allow process-level tracing
  71            probes to be placed and enabled in processes to which the user has
  72            permissions.
  73 
  74 
  75        PRIV_DTRACE_USER
  76 
  77            Allow DTrace user-level tracing. Allow use of the syscall and
  78            profile DTrace providers to examine processes to which the user has
  79            permissions.
  80 
  81 
  82        PRIV_FILE_CHOWN
  83 
  84            Allow a process to change a file's owner user ID. Allow a process
  85            to change a file's group ID to one other than the process's
  86            effective group ID or one of the process's supplemental group IDs.
  87 
  88 
  89        PRIV_FILE_CHOWN_SELF
  90 
  91            Allow a process to give away its files. A process with this
  92            privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.
  93 
  94 
  95        PRIV_FILE_DAC_EXECUTE
  96 
  97            Allow a process to execute an executable file whose permission bits
  98            or ACL would otherwise disallow the process execute permission.
  99 
 100 
 101        PRIV_FILE_DAC_READ
 102 
 103            Allow a process to read a file or directory whose permission bits
 104            or ACL would otherwise disallow the process read permission.
 105 
 106 
 107        PRIV_FILE_DAC_SEARCH
 108 
 109            Allow a process to search a directory whose permission bits or ACL
 110            would not otherwise allow the process search permission.
 111 
 112 
 113        PRIV_FILE_DAC_WRITE
 114 
 115            Allow a process to write a file or directory whose permission bits
 116            or ACL do not allow the process write permission. All privileges
 117            are required to write files owned by UID 0 in the absence of an
 118            effective UID of 0.
 119 
 120 
 121        PRIV_FILE_DOWNGRADE_SL
 122 
 123            Allow a process to set the sensitivity label of a file or directory
 124            to a sensitivity label that does not dominate the existing
 125            sensitivity label.
 126 
 127            This privilege is interpreted only if the system is configured with
 128            Trusted Extensions.
 129 
 130 
 131        PRIV_FILE_FLAG_SET
 132 
 133            Allows a process to set immutable, nounlink or appendonly file
 134            attributes.
 135 
 136 
 137        PRIV_FILE_LINK_ANY
 138 
 139            Allow a process to create hardlinks to files owned by a UID
 140            different from the process's effective UID.
 141 
 142 
 143        PRIV_FILE_OWNER
 144 
 145            Allow a process that is not the owner of a file to modify that
 146            file's access and modification times. Allow a process that is not
 147            the owner of a directory to modify that directory's access and
 148            modification times. Allow a process that is not the owner of a file
 149            or directory to remove or rename a file or directory whose parent
 150            directory has the "save text image after execution" (sticky) bit
 151            set. Allow a process that is not the owner of a file to mount a
 152            namefs upon that file. Allow a process that is not the owner of a
 153            file or directory to modify that file's or directory's permission
 154            bits or ACL.
 155 
 156 
 157        PRIV_FILE_READ
 158 
 159            Allow a process to open objects in the filesystem for reading. This
 160            privilege is not necessary to read from an already open file which
 161            was opened before dropping the PRIV_FILE_READ privilege.
 162 
 163 
 164        PRIV_FILE_SETID
 165 
 166            Allow a process to change the ownership of a file or write to a
 167            file without the set-user-ID and set-group-ID bits being cleared.
 168            Allow a process to set the set-group-ID bit on a file or directory
 169            whose group is not the process's effective group or one of the
 170            process's supplemental groups. Allow a process to set the set-user-
 171            ID bit on a file with different ownership in the presence of
 172            PRIV_FILE_OWNER. Additional restrictions apply when creating or
 173            modifying a setuid 0 file.
 174 
 175 
 176        PRIV_FILE_UPGRADE_SL
 177 
 178            Allow a process to set the sensitivity label of a file or directory
 179            to a sensitivity label that dominates the existing sensitivity
 180            label.
 181 
 182            This privilege is interpreted only if the system is configured with
 183            Trusted Extensions.
 184 
 185 
 186        PRIV_FILE_WRITE
 187 
 188            Allow a process to open objects in the filesytem for writing, or
 189            otherwise modify them. This privilege is not necessary to write to
 190            an already open file which was opened before dropping the
 191            PRIV_FILE_WRITE privilege.
 192 
 193 
 194        PRIV_GRAPHICS_ACCESS
 195 
 196            Allow a process to make privileged ioctls to graphics devices.
 197            Typically only an xserver process needs to have this privilege. A
 198            process with this privilege is also allowed to perform privileged
 199            graphics device mappings.
 200 
 201 
 202        PRIV_GRAPHICS_MAP
 203 
 204            Allow a process to perform privileged mappings through a graphics
 205            device.
 206 
 207 
 208        PRIV_IPC_DAC_READ
 209 
 210            Allow a process to read a System V IPC Message Queue, Semaphore
 211            Set, or Shared Memory Segment whose permission bits would not
 212            otherwise allow the process read permission.
 213 
 214 
 215        PRIV_IPC_DAC_WRITE
 216 
 217            Allow a process to write a System V IPC Message Queue, Semaphore
 218            Set, or Shared Memory Segment whose permission bits would not
 219            otherwise allow the process write permission.
 220 
 221 
 222        PRIV_IPC_OWNER
 223 
 224            Allow a process that is not the owner of a System V IPC Message
 225            Queue, Semaphore Set, or Shared Memory Segment to remove, change
 226            ownership of, or change permission bits of the Message Queue,
 227            Semaphore Set, or Shared Memory Segment.
 228 
 229 
 230        PRIV_NET_ACCESS
 231 
 232            Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint.
 233            This privilege is not necessary to communicate using an existing
 234            endpoint already opened before dropping the PRIV_NET_ACCESS
 235            privilege.
 236 
 237 
 238        PRIV_NET_BINDMLP
 239 
 240            Allow a process to bind to a port that is configured as a multi-
 241            level port (MLP) for the process's zone. This privilege applies to
 242            both shared address and zone-specific address MLPs. See
 243            tnzonecfg(4) from the Trusted Extensions manual pages for
 244            information on configuring MLP ports.
 245 
 246            This privilege is interpreted only if the system is configured with
 247            Trusted Extensions.
 248 
 249 
 250        PRIV_NET_ICMPACCESS
 251 
 252            Allow a process to send and receive ICMP packets.
 253 
 254 
 255        PRIV_NET_MAC_AWARE
 256 
 257            Allow a process to set the NET_MAC_AWARE process flag by using
 258            setpflags(2). This privilege also allows a process to set the
 259            SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The
 260            NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both
 261            allow a local process to communicate with an unlabeled peer if the
 262            local process's label dominates the peer's default label, or if the
 263            local process runs in the global zone.
 264 
 265            This privilege is interpreted only if the system is configured with
 266            Trusted Extensions.
 267 
 268 
 269        PRIV_NET_MAC_IMPLICIT
 270 
 271            Allow a process to set SO_MAC_IMPLICIT option by using
 272            setsockopt(3SOCKET).  This allows a privileged process to transmit
 273            implicitly-labeled packets to a peer.
 274 
 275            This privilege is interpreted only if the system is configured with
 276            Trusted Extensions.
 277 
 278 
 279        PRIV_NET_OBSERVABILITY
 280 
 281            Allow a process to open a device for just receiving network
 282            traffic, sending traffic is disallowed.
 283 
 284 
 285        PRIV_NET_PRIVADDR
 286 
 287            Allow a process to bind to a privileged port number. The privilege
 288            port numbers are 1-1023 (the traditional UNIX privileged ports) as
 289            well as those ports marked as "udp/tcp_extra_priv_ports" with the
 290            exception of the ports reserved for use by NFS and SMB.
 291 
 292 
 293        PRIV_NET_RAWACCESS
 294 
 295            Allow a process to have direct access to the network layer.
 296 
 297 
 298        PRIV_PROC_AUDIT
 299 
 300            Allow a process to generate audit records. Allow a process to get
 301            its own audit pre-selection information.
 302 
 303 
 304        PRIV_PROC_CHROOT
 305 
 306            Allow a process to change its root directory.
 307 
 308 
 309        PRIV_PROC_CLOCK_HIGHRES
 310 
 311            Allow a process to use high resolution timers.
 312 
 313 
 314        PRIV_PROC_EXEC
 315 
 316            Allow a process to call exec(2).
 317 
 318 
 319        PRIV_PROC_FORK
 320 
 321            Allow a process to call fork(2), fork1(2), or vfork(2).
 322 
 323 
 324        PRIV_PROC_INFO
 325 
 326            Allow a process to examine the status of processes other than those
 327            to which it can send signals. Processes that cannot be examined
 328            cannot be seen in /proc and appear not to exist.
 329 
 330 
 331        PRIV_PROC_LOCK_MEMORY
 332 
 333            Allow a process to lock pages in physical memory.
 334 
 335 
 336        PRIV_PROC_MEMINFO
 337 
 338            Allow a process to access physical memory information.
 339 
 340 
 341        PRIV_PROC_OWNER
 342 
 343            Allow a process to send signals to other processes and inspect and
 344            modify the process state in other processes, regardless of
 345            ownership. When modifying another process, additional restrictions
 346            apply: the effective privilege set of the attaching process must be
 347            a superset of the target process's effective, permitted, and
 348            inheritable sets; the limit set must be a superset of the target's
 349            limit set; if the target process has any UID set to 0 all privilege
 350            must be asserted unless the effective UID is 0. Allow a process to
 351            bind arbitrary processes to CPUs.
 352 
 353 
 354        PRIV_PROC_PRIOUP
 355 
 356            Allow a process to elevate its priority above its current level.
 357 
 358 
 359        PRIV_PROC_PRIOCNTL
 360 
 361            Allows all that PRIV_PROC_PRIOUP allows.  Allow a process to change
 362            its scheduling class to any scheduling class, including the RT
 363            class.
 364 
 365 
 366        PRIV_PROC_SECFLAGS
 367 
 368            Allow a process to manipulate the secflags of processes (subject
 369            to, additionally, the ability to signal that process).
 370 
 371 
 372        PRIV_PROC_SESSION
 373 
 374            Allow a process to send signals or trace processes outside its
 375            session.
 376 
 377 
 378        PRIV_PROC_SETID
 379 
 380            Allow a process to set its UIDs at will, assuming UID 0 requires
 381            all privileges to be asserted.
 382 
 383 
 384        PRIV_PROC_TASKID
 385 
 386            Allow a process to assign a new task ID to the calling process.
 387 
 388 
 389        PRIV_PROC_ZONE
 390 
 391            Allow a process to trace or send signals to processes in other
 392            zones. See zones(5).
 393 
 394 
 395        PRIV_SYS_ACCT
 396 
 397            Allow a process to enable and disable and manage accounting through
 398            acct(2).
 399 
 400 
 401        PRIV_SYS_ADMIN
 402 
 403            Allow a process to perform system administration tasks such as
 404            setting node and domain name and specifying coreadm(1M) and
 405            nscd(1M) settings
 406 
 407 
 408        PRIV_SYS_AUDIT
 409 
 410            Allow a process to start the (kernel) audit daemon. Allow a process
 411            to view and set audit state (audit user ID, audit terminal ID,
 412            audit sessions ID, audit pre-selection mask). Allow a process to
 413            turn off and on auditing. Allow a process to configure the audit
 414            parameters (cache and queue sizes, event to class mappings, and
 415            policy options).
 416 
 417 
 418        PRIV_SYS_CONFIG
 419 
 420            Allow a process to perform various system configuration tasks.
 421            Allow filesystem-specific administrative procedures, such as
 422            filesystem configuration ioctls, quota calls, creation and deletion
 423            of snapshots, and manipulating the PCFS bootsector.
 424 
 425 
 426        PRIV_SYS_DEVICES
 427 
 428            Allow a process to create device special files. Allow a process to
 429            successfully call a kernel module that calls the kernel
 430            drv_priv(9F) function to check for allowed access. Allow a process
 431            to open the real console device directly.  Allow a process to open
 432            devices that have been exclusively opened.
 433 
 434 
 435        PRIV_SYS_DL_CONFIG
 436 
 437            Allow a process to configure a system's datalink interfaces.
 438 
 439 
 440        PRIV_SYS_IP_CONFIG
 441 
 442            Allow a process to configure a system's IP interfaces and routes.
 443            Allow a process to configure network parameters for TCP/IP using
 444            ndd. Allow a process access to otherwise restricted TCP/IP
 445            information using ndd. Allow a process to configure IPsec. Allow a
 446            process to pop anchored STREAMs modules with matching zoneid.
 447 
 448 
 449        PRIV_SYS_IPC_CONFIG
 450 
 451            Allow a process to increase the size of a System V IPC Message
 452            Queue buffer.
 453 
 454 
 455        PRIV_SYS_IPTUN_CONFIG
 456 
 457            Allow a process to configure IP tunnel links.
 458 
 459 
 460        PRIV_SYS_LINKDIR
 461 
 462            Allow a process to unlink and link directories.
 463 
 464 
 465        PRIV_SYS_MOUNT
 466 
 467            Allow a process to mount and unmount filesystems that would
 468            otherwise be restricted (that is, most filesystems except namefs).
 469            Allow a process to add and remove swap devices.
 470 
 471 
 472        PRIV_SYS_NET_CONFIG
 473 
 474            Allow a process to do all that PRIV_SYS_IP_CONFIG,
 475            PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
 476            following: use the rpcmod STREAMS module and insert/remove STREAMS
 477            modules on locations other than the top of the module stack.
 478 
 479 
 480        PRIV_SYS_NFS
 481 
 482            Allow a process to provide NFS service: start NFS kernel threads,
 483            perform NFS locking operations, bind to NFS reserved ports: ports
 484            2049 (nfs) and port 4045 (lockd).
 485 
 486 
 487        PRIV_SYS_PPP_CONFIG
 488 
 489            Allow a process to create, configure, and destroy PPP instances
 490            with pppd(1M) pppd(1M) and control PPPoE plumbing with
 491            sppptun(1M)sppptun(1M).  This privilege is granted by default to
 492            exclusive IP stack instance zones.
 493 
 494 
 495        PRIV_SYS_RES_BIND
 496 
 497            Allows a process to bind processes to processor sets.
 498 
 499 
 500        PRIV_SYS_RES_CONFIG
 501 
 502            Allows all that PRIV_SYS_RES_BIND allows.  Allow a process to
 503            create and delete processor sets, assign CPUs to processor sets and
 504            override the PSET_NOESCAPE property. Allow a process to change the
 505            operational status of CPUs in the system using p_online(2). Allow a
 506            process to configure filesystem quotas. Allow a process to
 507            configure resource pools and bind processes to pools.
 508 
 509 
 510        PRIV_SYS_RESOURCE
 511 
 512            Allow a process to exceed the resource limits imposed on it by
 513            setrlimit(2) and setrctl(2).
 514 
 515 
 516        PRIV_SYS_SMB
 517 
 518            Allow a process to provide NetBIOS or SMB services: start SMB
 519            kernel threads or bind to NetBIOS or SMB reserved ports: ports 137,
 520            138, 139 (NetBIOS) and 445 (SMB).
 521 
 522 
 523        PRIV_SYS_SUSER_COMPAT
 524 
 525            Allow a process to successfully call a third party loadable module
 526            that calls the kernel suser() function to check for allowed access.
 527            This privilege exists only for third party loadable module
 528            compatibility and is not used by Solaris proper.
 529 
 530 
 531        PRIV_SYS_TIME
 532 
 533            Allow a process to manipulate system time using any of the
 534            appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).
 535 
 536 
 537        PRIV_SYS_TRANS_LABEL
 538 
 539            Allow a process to translate labels that are not dominated by the
 540            process's sensitivity label to and from an external string form.
 541 
 542            This privilege is interpreted only if the system is configured with
 543            Trusted Extensions.
 544 
 545 
 546        PRIV_VIRT_MANAGE
 547 
 548            Allows a process to manage virtualized environments such as xVM(5).
 549 
 550 
 551        PRIV_WIN_COLORMAP
 552 
 553            Allow a process to override colormap restrictions.
 554 
 555            Allow a process to install or remove colormaps.
 556 
 557            Allow a process to retrieve colormap cell entries allocated by
 558            other processes.
 559 
 560            This privilege is interpreted only if the system is configured with
 561            Trusted Extensions.
 562 
 563 
 564        PRIV_WIN_CONFIG
 565 
 566            Allow a process to configure or destroy resources that are
 567            permanently retained by the X server.
 568 
 569            Allow a process to use SetScreenSaver to set the screen saver
 570            timeout value
 571 
 572            Allow a process to use ChangeHosts to modify the display access
 573            control list.
 574 
 575            Allow a process to use GrabServer.
 576 
 577            Allow a process to use the SetCloseDownMode request that can retain
 578            window, pixmap, colormap, property, cursor, font, or graphic
 579            context resources.
 580 
 581            This privilege is interpreted only if the system is configured with
 582            Trusted Extensions.
 583 
 584 
 585        PRIV_WIN_DAC_READ
 586 
 587            Allow a process to read from a window resource that it does not own
 588            (has a different user ID).
 589 
 590            This privilege is interpreted only if the system is configured with
 591            Trusted Extensions.
 592 
 593 
 594        PRIV_WIN_DAC_WRITE
 595 
 596            Allow a process to write to or create a window resource that it
 597            does not own (has a different user ID). A newly created window
 598            property is created with the window's user ID.
 599 
 600            This privilege is interpreted only if the system is configured with
 601            Trusted Extensions.
 602 
 603 
 604        PRIV_WIN_DEVICES
 605 
 606            Allow a process to perform operations on window input devices.
 607 
 608            Allow a process to get and set keyboard and pointer controls.
 609 
 610            Allow a process to modify pointer button and key mappings.
 611 
 612            This privilege is interpreted only if the system is configured with
 613            Trusted Extensions.
 614 
 615 
 616        PRIV_WIN_DGA
 617 
 618            Allow a process to use the direct graphics access (DGA) X protocol
 619            extensions.  Direct process access to the frame buffer is still
 620            required. Thus the process must have MAC and DAC privileges that
 621            allow access to the frame buffer, or the frame buffer must be
 622            allocated to the process.
 623 
 624            This privilege is interpreted only if the system is configured with
 625            Trusted Extensions.
 626 
 627 
 628        PRIV_WIN_DOWNGRADE_SL
 629 
 630            Allow a process to set the sensitivity label of a window resource
 631            to a sensitivity label that does not dominate the existing
 632            sensitivity label.
 633 
 634            This privilege is interpreted only if the system is configured with
 635            Trusted Extensions.
 636 
 637 
 638        PRIV_WIN_FONTPATH
 639 
 640            Allow a process to set a font path.
 641 
 642            This privilege is interpreted only if the system is configured with
 643            Trusted Extensions.
 644 
 645 
 646        PRIV_WIN_MAC_READ
 647 
 648            Allow a process to read from a window resource whose sensitivity
 649            label is not equal to the process sensitivity label.
 650 
 651            This privilege is interpreted only if the system is configured with
 652            Trusted Extensions.
 653 
 654 
 655        PRIV_WIN_MAC_WRITE
 656 
 657            Allow a process to create a window resource whose sensitivity label
 658            is not equal to the process sensitivity label. A newly created
 659            window property is created with the window's sensitivity label.
 660 
 661            This privilege is interpreted only if the system is configured with
 662            Trusted Extensions.
 663 
 664 
 665        PRIV_WIN_SELECTION
 666 
 667            Allow a process to request inter-window data moves without the
 668            intervention of the selection confirmer.
 669 
 670            This privilege is interpreted only if the system is configured with
 671            Trusted Extensions.
 672 
 673 
 674        PRIV_WIN_UPGRADE_SL
 675 
 676            Allow a process to set the sensitivity label of a window resource
 677            to a sensitivity label that dominates the existing sensitivity
 678            label.
 679 
 680            This privilege is interpreted only if the system is configured with
 681            Trusted Extensions.
 682 
 683 
 684        PRIV_XVM_CONTROL
 685 
 686            Allows a process access to the xVM(5) control devices for managing
 687            guest domains and the hypervisor. This privilege is used only if
 688            booted into xVM on x86 platforms.
 689 
 690 
 691 
 692        Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
 693        PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ,
 694        PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered
 695        "basic" privileges. These are privileges that used to be always
 696        available to unprivileged processes. By default, processes still have
 697        the basic privileges.
 698 
 699 
 700        The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
 701        the Limit set (see below) of a process in order for set-uid root execs
 702        to be successful, that is, get an effective UID of 0 and additional
 703        privileges.
 704 
 705 
 706        The privilege implementation in Solaris extends the process credential
 707        with four privilege sets:
 708 
 709        I, the inheritable set
 710                                  The privileges inherited on exec.
 711 
 712 
 713        P, the permitted set
 714                                  The maximum set of privileges for the
 715                                  process.
 716 
 717 
 718        E, the effective set
 719                                  The privileges currently in effect.
 720 
 721 
 722        L, the limit set
 723                                  The upper bound of the privileges a process
 724                                  and its offspring can obtain.  Changes to L
 725                                  take effect on the next exec.
 726 
 727 
 728 
 729        The sets I, P and E are typically identical to the basic set of
 730        privileges for unprivileged processes. The limit set is typically the
 731        full set of privileges.
 732 
 733 
 734        Each process has a Privilege Awareness State (PAS) that can take the
 735        value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
 736        mechanism that allows a choice between full compatibility with the old
 737        superuser model and completely ignoring the effective UID.
 738 
 739 
 740        To facilitate the discussion, we introduce the notion of "observed
 741        effective set" (oE) and "observed permitted set" (oP) and the
 742        implementation sets iE and iP.
 743 
 744 
 745        A process becomes privilege-aware either by manipulating the effective,
 746        permitted, or limit privilege sets through setppriv(2) or by using
 747        setpflags(2). In all cases, oE and oP are invariant in the process of
 748        becoming privilege-aware. In the process of becoming privilege-aware,
 749        the following assignments take place:
 750 
 751          iE = oE
 752          iP = oP
 753 
 754 
 755 
 756        When a process is privilege-aware, oE and oP are invariant under UID
 757        changes.  When a process is not privilege-aware, oE and oP are observed
 758        as follows:
 759 
 760          oE = euid == 0 ? L : iE
 761          oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
 762 
 763 
 764 
 765        When a non-privilege-aware process has an effective UID of 0, it can
 766        exercise the privileges contained in its limit set, the upper bound of
 767        its privileges.  If a non-privilege-aware process has any of the UIDs
 768        0, it appears to be capable of potentially exercising all privileges in
 769        L.
 770 
 771 
 772        It is possible for a process to return to the non-privilege aware state
 773        using setpflags(). The kernel always attempts this on exec(2). This
 774        operation is permitted only if the following conditions are met:
 775 
 776            o      If any of the UIDs is equal to 0, P must be equal to L.
 777 
 778            o      If the effective UID is equal to 0, E must be equal to L.
 779 
 780 
 781        When a process gives up privilege awareness, the following assignments
 782        take place:
 783 
 784          if (euid == 0) iE = L & I
 785          if (any uid == 0) iP = L & I
 786 
 787 
 788 
 789        The privileges obtained when not having a UID of 0 are the inheritable
 790        set of the process restricted by the limit set.
 791 
 792 
 793        Only privileges in the process's (observed) effective privilege set
 794        allow the process to perform restricted operations. A process can use
 795        any of the privilege manipulation functions to add or remove privileges
 796        from the privilege sets. Privileges can be removed always. Only
 797        privileges found in the permitted set can be added to the effective and
 798        inheritable set. The limit set cannot grow. The inheritable set can be
 799        larger than the permitted set.
 800 
 801 
 802        When a process performs an exec(2), the kernel first tries to
 803        relinquish privilege awareness before making the following privilege
 804        set modifications:
 805 
 806          E' = P' = I' = L & I
 807          L is unchanged
 808 
 809 
 810 
 811        If a process has not manipulated its privileges, the privilege sets
 812        effectively remain the same, as E, P and I are already identical.
 813 
 814 
 815        The limit set is enforced at exec time.
 816 
 817 
 818        To run a non-privilege-aware application in a backward-compatible
 819        manner, a privilege-aware application should start the non-privilege-
 820        aware application with I=basic.
 821 
 822 
 823        For most privileges, absence of the privilege simply results in a
 824        failure. In some instances, the absence of a privilege can cause system
 825        calls to behave differently. In other instances, the removal of a
 826        privilege can force a set-uid application to seriously malfunction.
 827        Privileges of this type are considered "unsafe". When a process is
 828        lacking any of the unsafe privileges from its limit set, the system
 829        does not honor the set-uid bit of set-uid root applications.  The
 830        following unsafe privileges have been identified: proc_setid,
 831        sys_resource and proc_audit.
 832 
 833    Privilege Escalation
 834        In certain circumstances, a single privilege could lead to a process
 835        gaining one or more additional privileges that were not explicitly
 836        granted to that process. To prevent such an escalation of privileges,
 837        the security policy requires explicit permission for those additional
 838        privileges.
 839 
 840 
 841        Common examples of escalation are those mechanisms that allow
 842        modification of system resources through "raw'' interfaces; for
 843        example, changing kernel data structures through /dev/kmem or changing
 844        files through /dev/dsk/*.  Escalation also occurs when a process
 845        controls processes with more privileges than the controlling process. A
 846        special case of this is manipulating or creating objects owned by UID 0
 847        or trying to obtain UID 0 using setuid(2). The special treatment of UID
 848        0 is needed because the UID 0 owns all system configuration files and
 849        ordinary file protection mechanisms allow processes with UID 0 to
 850        modify the system configuration. With appropriate file modifications, a
 851        given process running with an effective UID of 0 can gain all
 852        privileges.
 853 
 854 
 855        In situations where a process might obtain UID 0, the security policy
 856        requires additional privileges, up to the full set of privileges. Such
 857        restrictions could be relaxed or removed at such time as additional
 858        mechanisms for protection of system files became available. There are
 859        no such mechanisms in the current Solaris release.
 860 
 861 
 862        The use of UID 0 processes should be limited as much as possible. They
 863        should be replaced with programs running under a different UID but with
 864        exactly the privileges they need.
 865 
 866 
 867        Daemons that never need to exec subprocesses should remove the
 868        PRIV_PROC_EXEC privilege from their permitted and limit sets.
 869 
 870    Assigned Privileges and Safeguards
 871        When privileges are assigned to a user, the system administrator could
 872        give that user more powers than intended. The administrator should
 873        consider whether safeguards are needed. For example, if the
 874        PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
 875        should consider setting the project.max-locked-memory resource control
 876        as well, to prevent that user from locking all memory.
 877 
 878    Privilege Debugging
 879        When a system call fails with a permission error, it is not always
 880        immediately obvious what caused the problem. To debug such a problem,
 881        you can use a tool called privilege debugging. When privilege debugging
 882        is enabled for a process, the kernel reports missing privileges on the
 883        controlling terminal of the process. (Enable debugging for a process
 884        with the -D option of ppriv(1).) Additionally, the administrator can
 885        enable system-wide privilege debugging by setting the system(4)
 886        variable priv_debug using:
 887 
 888          set priv_debug = 1
 889 
 890 
 891 
 892        On a running system, you can use mdb(1) to change this variable.
 893 
 894    Privilege Administration
 895        The Solaris Management Console (see smc(1M)) is the preferred method of
 896        modifying privileges for a command. Use usermod(1M) or smrole(1M) to
 897        assign privileges to or modify privileges for, respectively, a user or
 898        a role. Use ppriv(1) to enumerate the privileges supported on a system
 899        and truss(1) to determine which privileges a program requires.
 900 
 901 SEE ALSO
 902        mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
 903        pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2),
 904        access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2),
 905        chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2),
 906        fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2),
 907        kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2),
 908        ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
 909        processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
 910        resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2),
 911        seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2),
 912        setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2),
 913        setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
 914        statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2),
 915        umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET),
 916        door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C),
 917        priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C),
 918        socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C),
 919        exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
 920        drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
 921        priv_policy_choice(9F), priv_policy_only(9F)
 922 
 923 
 924        System Administration Guide: Security Services
 925 
 926 
 927 
 928                                  June 6, 2016                    PRIVILEGES(5)