1 '\" te 2 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. 3 .\" Copyright 2015, Joyent, Inc. All Rights Reserved. 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. 5 .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with 6 .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] 7 .TH PRIVILEGES 5 "Jun 6, 2016" 8 .SH NAME 9 privileges \- process privilege model 10 .SH DESCRIPTION 11 .LP 12 Solaris software implements a set of privileges that provide fine-grained 13 control over the actions of processes. The possession of a certain privilege 14 allows a process to perform a specific set of restricted operations. 15 .sp 16 .LP 17 The change to a primarily privilege-based security model in the Solaris 18 operating system gives developers an opportunity to restrict processes to those 19 privileged operations actually needed instead of all (super-user) or no 20 privileges (non-zero UIDs). Additionally, a set of previously unrestricted 21 operations now requires a privilege; these privileges are dubbed the "basic" 22 privileges and are by default given to all processes. 23 .sp 24 .LP 25 Taken together, all defined privileges with the exception of the "basic" 26 privileges compose the set of privileges that are traditionally associated with 27 the root user. The "basic" privileges are "privileges" unprivileged processes 28 were accustomed to having. 29 .sp 30 .LP 31 The defined privileges are: 32 .sp 33 .ne 2 34 .na 35 \fB\fBPRIV_CONTRACT_EVENT\fR\fR 36 .ad 37 .sp .6 38 .RS 4n 39 Allow a process to request reliable delivery of events to an event endpoint. 40 .sp 41 Allow a process to include events in the critical event set term of a template 42 which could be generated in volume by the user. 43 .RE 44 45 .sp 46 .ne 2 47 .na 48 \fB\fBPRIV_CONTRACT_IDENTITY\fR\fR 49 .ad 50 .sp .6 51 .RS 4n 52 Allows a process to set the service FMRI value of a process contract template. 53 .RE 54 55 .sp 56 .ne 2 57 .na 58 \fB\fBPRIV_CONTRACT_OBSERVER\fR\fR 59 .ad 60 .sp .6 61 .RS 4n 62 Allow a process to observe contract events generated by contracts created and 63 owned by users other than the process's effective user ID. 64 .sp 65 Allow a process to open contract event endpoints belonging to contracts created 66 and owned by users other than the process's effective user ID. 67 .RE 68 69 .sp 70 .ne 2 71 .na 72 \fB\fBPRIV_CPC_CPU\fR\fR 73 .ad 74 .sp .6 75 .RS 4n 76 Allow a process to access per-CPU hardware performance counters. 77 .RE 78 79 .sp 80 .ne 2 81 .na 82 \fB\fBPRIV_DTRACE_KERNEL\fR\fR 83 .ad 84 .sp .6 85 .RS 4n 86 Allow DTrace kernel-level tracing. 87 .RE 88 89 .sp 90 .ne 2 91 .na 92 \fB\fBPRIV_DTRACE_PROC\fR\fR 93 .ad 94 .sp .6 95 .RS 4n 96 Allow DTrace process-level tracing. Allow process-level tracing probes to be 97 placed and enabled in processes to which the user has permissions. 98 .RE 99 100 .sp 101 .ne 2 102 .na 103 \fB\fBPRIV_DTRACE_USER\fR\fR 104 .ad 105 .sp .6 106 .RS 4n 107 Allow DTrace user-level tracing. Allow use of the syscall and profile DTrace 108 providers to examine processes to which the user has permissions. 109 .RE 110 111 .sp 112 .ne 2 113 .na 114 \fB\fBPRIV_FILE_CHOWN\fR\fR 115 .ad 116 .sp .6 117 .RS 4n 118 Allow a process to change a file's owner user ID. Allow a process to change a 119 file's group ID to one other than the process's effective group ID or one of 120 the process's supplemental group IDs. 121 .RE 122 123 .sp 124 .ne 2 125 .na 126 \fB\fBPRIV_FILE_CHOWN_SELF\fR\fR 127 .ad 128 .sp .6 129 .RS 4n 130 Allow a process to give away its files. A process with this privilege runs as 131 if {\fB_POSIX_CHOWN_RESTRICTED\fR} is not in effect. 132 .RE 133 134 .sp 135 .ne 2 136 .na 137 \fB\fBPRIV_FILE_DAC_EXECUTE\fR\fR 138 .ad 139 .sp .6 140 .RS 4n 141 Allow a process to execute an executable file whose permission bits or ACL 142 would otherwise disallow the process execute permission. 143 .RE 144 145 .sp 146 .ne 2 147 .na 148 \fB\fBPRIV_FILE_DAC_READ\fR\fR 149 .ad 150 .sp .6 151 .RS 4n 152 Allow a process to read a file or directory whose permission bits or ACL would 153 otherwise disallow the process read permission. 154 .RE 155 156 .sp 157 .ne 2 158 .na 159 \fB\fBPRIV_FILE_DAC_SEARCH\fR\fR 160 .ad 161 .sp .6 162 .RS 4n 163 Allow a process to search a directory whose permission bits or ACL would not 164 otherwise allow the process search permission. 165 .RE 166 167 .sp 168 .ne 2 169 .na 170 \fB\fBPRIV_FILE_DAC_WRITE\fR\fR 171 .ad 172 .sp .6 173 .RS 4n 174 Allow a process to write a file or directory whose permission bits or ACL do 175 not allow the process write permission. All privileges are required to write 176 files owned by UID 0 in the absence of an effective UID of 0. 177 .RE 178 179 .sp 180 .ne 2 181 .na 182 \fB\fBPRIV_FILE_DOWNGRADE_SL\fR\fR 183 .ad 184 .sp .6 185 .RS 4n 186 Allow a process to set the sensitivity label of a file or directory to a 187 sensitivity label that does not dominate the existing sensitivity label. 188 .sp 189 This privilege is interpreted only if the system is configured with Trusted 190 Extensions. 191 .RE 192 193 .sp 194 .ne 2 195 .na 196 \fB\fBPRIV_FILE_FLAG_SET\fR\fR 197 .ad 198 .sp .6 199 .RS 4n 200 Allows a process to set immutable, nounlink or appendonly file attributes. 201 .RE 202 203 .sp 204 .ne 2 205 .na 206 \fB\fBPRIV_FILE_LINK_ANY\fR\fR 207 .ad 208 .sp .6 209 .RS 4n 210 Allow a process to create hardlinks to files owned by a UID different from the 211 process's effective UID. 212 .RE 213 214 .sp 215 .ne 2 216 .na 217 \fB\fBPRIV_FILE_OWNER\fR\fR 218 .ad 219 .sp .6 220 .RS 4n 221 Allow a process that is not the owner of a file to modify that file's access 222 and modification times. Allow a process that is not the owner of a directory to 223 modify that directory's access and modification times. Allow a process that is 224 not the owner of a file or directory to remove or rename a file or directory 225 whose parent directory has the "save text image after execution" (sticky) bit 226 set. Allow a process that is not the owner of a file to mount a \fBnamefs\fR 227 upon that file. Allow a process that is not the owner of a file or directory to 228 modify that file's or directory's permission bits or ACL. 229 .RE 230 231 .sp 232 .ne 2 233 .na 234 \fB\fBPRIV_FILE_READ\fR\fR 235 .ad 236 .sp .6 237 .RS 4n 238 Allow a process to open objects in the filesystem for reading. This 239 privilege is not necessary to read from an already open file which was opened 240 before dropping the \fBPRIV_FILE_READ\fR privilege. 241 .RE 242 243 .sp 244 .ne 2 245 .na 246 \fB\fBPRIV_FILE_SETID\fR\fR 247 .ad 248 .sp .6 249 .RS 4n 250 Allow a process to change the ownership of a file or write to a file without 251 the set-user-ID and set-group-ID bits being cleared. Allow a process to set the 252 set-group-ID bit on a file or directory whose group is not the process's 253 effective group or one of the process's supplemental groups. Allow a process to 254 set the set-user-ID bit on a file with different ownership in the presence of 255 \fBPRIV_FILE_OWNER\fR. Additional restrictions apply when creating or modifying 256 a setuid 0 file. 257 .RE 258 259 .sp 260 .ne 2 261 .na 262 \fB\fBPRIV_FILE_UPGRADE_SL\fR\fR 263 .ad 264 .sp .6 265 .RS 4n 266 Allow a process to set the sensitivity label of a file or directory to a 267 sensitivity label that dominates the existing sensitivity label. 268 .sp 269 This privilege is interpreted only if the system is configured with Trusted 270 Extensions. 271 .RE 272 273 .sp 274 .ne 2 275 .na 276 \fB\fBPRIV_FILE_WRITE\fR\fR 277 .ad 278 .sp .6 279 .RS 4n 280 Allow a process to open objects in the filesytem for writing, or otherwise 281 modify them. This privilege is not necessary to write to an already open file 282 which was opened before dropping the \fBPRIV_FILE_WRITE\fR privilege. 283 .RE 284 285 .sp 286 .ne 2 287 .na 288 \fB\fBPRIV_GRAPHICS_ACCESS\fR\fR 289 .ad 290 .sp .6 291 .RS 4n 292 Allow a process to make privileged ioctls to graphics devices. Typically only 293 an xserver process needs to have this privilege. A process with this privilege 294 is also allowed to perform privileged graphics device mappings. 295 .RE 296 297 .sp 298 .ne 2 299 .na 300 \fB\fBPRIV_GRAPHICS_MAP\fR\fR 301 .ad 302 .sp .6 303 .RS 4n 304 Allow a process to perform privileged mappings through a graphics device. 305 .RE 306 307 .sp 308 .ne 2 309 .na 310 \fB\fBPRIV_IPC_DAC_READ\fR\fR 311 .ad 312 .sp .6 313 .RS 4n 314 Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared 315 Memory Segment whose permission bits would not otherwise allow the process read 316 permission. 317 .RE 318 319 .sp 320 .ne 2 321 .na 322 \fB\fBPRIV_IPC_DAC_WRITE\fR\fR 323 .ad 324 .sp .6 325 .RS 4n 326 Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared 327 Memory Segment whose permission bits would not otherwise allow the process 328 write permission. 329 .RE 330 331 .sp 332 .ne 2 333 .na 334 \fB\fBPRIV_IPC_OWNER\fR\fR 335 .ad 336 .sp .6 337 .RS 4n 338 Allow a process that is not the owner of a System V IPC Message Queue, 339 Semaphore Set, or Shared Memory Segment to remove, change ownership of, or 340 change permission bits of the Message Queue, Semaphore Set, or Shared Memory 341 Segment. 342 .RE 343 344 .sp 345 .ne 2 346 .na 347 \fB\fBPRIV_NET_ACCESS\fR\fR 348 .ad 349 .sp .6 350 .RS 4n 351 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint. This 352 privilege is not necessary to communicate using an existing endpoint already 353 opened before dropping the \fBPRIV_NET_ACCESS\fR privilege. 354 .RE 355 356 .sp 357 .ne 2 358 .na 359 \fB\fBPRIV_NET_BINDMLP\fR\fR 360 .ad 361 .sp .6 362 .RS 4n 363 Allow a process to bind to a port that is configured as a multi-level port 364 (MLP) for the process's zone. This privilege applies to both shared address and 365 zone-specific address MLPs. See \fBtnzonecfg\fR(\fB4\fR) from the Trusted 366 Extensions manual pages for information on configuring MLP ports. 367 .sp 368 This privilege is interpreted only if the system is configured with Trusted 369 Extensions. 370 .RE 371 372 .sp 373 .ne 2 374 .na 375 \fB\fBPRIV_NET_ICMPACCESS\fR\fR 376 .ad 377 .sp .6 378 .RS 4n 379 Allow a process to send and receive ICMP packets. 380 .RE 381 382 .sp 383 .ne 2 384 .na 385 \fB\fBPRIV_NET_MAC_AWARE\fR\fR 386 .ad 387 .sp .6 388 .RS 4n 389 Allow a process to set the \fBNET_MAC_AWARE\fR process flag by using 390 \fBsetpflags\fR(2). This privilege also allows a process to set the 391 \fBSO_MAC_EXEMPT\fR socket option by using \fBsetsockopt\fR(3SOCKET). The 392 \fBNET_MAC_AWARE\fR process flag and the \fBSO_MAC_EXEMPT\fR socket option both 393 allow a local process to communicate with an unlabeled peer if the local 394 process's label dominates the peer's default label, or if the local process 395 runs in the global zone. 396 .sp 397 This privilege is interpreted only if the system is configured with Trusted 398 Extensions. 399 .RE 400 401 .sp 402 .ne 2 403 .na 404 \fB\fBPRIV_NET_MAC_IMPLICIT\fR\fR 405 .ad 406 .sp .6 407 .RS 4n 408 Allow a process to set \fBSO_MAC_IMPLICIT\fR option by using 409 \fBsetsockopt\fR(3SOCKET). This allows a privileged process to transmit 410 implicitly-labeled packets to a peer. 411 .sp 412 This privilege is interpreted only if the system is configured with 413 Trusted Extensions. 414 .RE 415 416 .sp 417 .ne 2 418 .na 419 \fB\fBPRIV_NET_OBSERVABILITY\fR\fR 420 .ad 421 .sp .6 422 .RS 4n 423 Allow a process to open a device for just receiving network traffic, sending 424 traffic is disallowed. 425 .RE 426 427 .sp 428 .ne 2 429 .na 430 \fB\fBPRIV_NET_PRIVADDR\fR\fR 431 .ad 432 .sp .6 433 .RS 4n 434 Allow a process to bind to a privileged port number. The privilege port numbers 435 are 1-1023 (the traditional UNIX privileged ports) as well as those ports 436 marked as "\fBudp/tcp_extra_priv_ports\fR" with the exception of the ports 437 reserved for use by NFS and SMB. 438 .RE 439 440 .sp 441 .ne 2 442 .na 443 \fB\fBPRIV_NET_RAWACCESS\fR\fR 444 .ad 445 .sp .6 446 .RS 4n 447 Allow a process to have direct access to the network layer. 448 .RE 449 450 .sp 451 .ne 2 452 .na 453 \fB\fBPRIV_PROC_AUDIT\fR\fR 454 .ad 455 .sp .6 456 .RS 4n 457 Allow a process to generate audit records. Allow a process to get its own audit 458 pre-selection information. 459 .RE 460 461 .sp 462 .ne 2 463 .na 464 \fB\fBPRIV_PROC_CHROOT\fR\fR 465 .ad 466 .sp .6 467 .RS 4n 468 Allow a process to change its root directory. 469 .RE 470 471 .sp 472 .ne 2 473 .na 474 \fB\fBPRIV_PROC_CLOCK_HIGHRES\fR\fR 475 .ad 476 .sp .6 477 .RS 4n 478 Allow a process to use high resolution timers. 479 .RE 480 481 .sp 482 .ne 2 483 .na 484 \fB\fBPRIV_PROC_EXEC\fR\fR 485 .ad 486 .sp .6 487 .RS 4n 488 Allow a process to call \fBexec\fR(2). 489 .RE 490 491 .sp 492 .ne 2 493 .na 494 \fB\fBPRIV_PROC_FORK\fR\fR 495 .ad 496 .sp .6 497 .RS 4n 498 Allow a process to call \fBfork\fR(2), \fBfork1\fR(2), or \fBvfork\fR(2). 499 .RE 500 501 .sp 502 .ne 2 503 .na 504 \fB\fBPRIV_PROC_INFO\fR\fR 505 .ad 506 .sp .6 507 .RS 4n 508 Allow a process to examine the status of processes other than those to which it 509 can send signals. Processes that cannot be examined cannot be seen in 510 \fB/proc\fR and appear not to exist. 511 .RE 512 513 .sp 514 .ne 2 515 .na 516 \fB\fBPRIV_PROC_LOCK_MEMORY\fR\fR 517 .ad 518 .sp .6 519 .RS 4n 520 Allow a process to lock pages in physical memory. 521 .RE 522 523 .sp 524 .ne 2 525 .na 526 \fB\fBPRIV_PROC_MEMINFO\fR\fR 527 .ad 528 .sp .6 529 .RS 4n 530 Allow a process to access physical memory information. 531 .RE 532 533 .sp 534 .ne 2 535 .na 536 \fB\fBPRIV_PROC_OWNER\fR\fR 537 .ad 538 .sp .6 539 .RS 4n 540 Allow a process to send signals to other processes and inspect and modify the 541 process state in other processes, regardless of ownership. When modifying 542 another process, additional restrictions apply: the effective privilege set of 543 the attaching process must be a superset of the target process's effective, 544 permitted, and inheritable sets; the limit set must be a superset of the 545 target's limit set; if the target process has any UID set to 0 all privilege 546 must be asserted unless the effective UID is 0. Allow a process to bind 547 arbitrary processes to CPUs. 548 .RE 549 550 .sp 551 .ne 2 552 .na 553 \fB\fBPRIV_PROC_PRIOUP\fR\fR 554 .ad 555 .sp .6 556 .RS 4n 557 Allow a process to elevate its priority above its current level. 558 .RE 559 560 .sp 561 .ne 2 562 .na 563 \fB\fBPRIV_PROC_PRIOCNTL\fR\fR 564 .ad 565 .sp .6 566 .RS 4n 567 Allows all that PRIV_PROC_PRIOUP allows. 568 Allow a process to change its scheduling class to any scheduling class, 569 including the RT class. 570 .RE 571 572 .sp 573 .ne 2 574 .na 575 \fB\PRIV_PROC_SECFLAGS\fR 576 .ad 577 .sp .6 578 .RS 4n 579 Allow a process to manipulate the secflags of processes (subject to, 580 additionally, the ability to signal that process). 581 .RE 582 583 .sp 584 .ne 2 585 .na 586 \fB\fBPRIV_PROC_SESSION\fR\fR 587 .ad 588 .sp .6 589 .RS 4n 590 Allow a process to send signals or trace processes outside its session. 591 .RE 592 593 .sp 594 .ne 2 595 .na 596 \fB\fBPRIV_PROC_SETID\fR\fR 597 .ad 598 .sp .6 599 .RS 4n 600 Allow a process to set its UIDs at will, assuming UID 0 requires all privileges 601 to be asserted. 602 .RE 603 604 .sp 605 .ne 2 606 .na 607 \fB\fBPRIV_PROC_TASKID\fR\fR 608 .ad 609 .sp .6 610 .RS 4n 611 Allow a process to assign a new task ID to the calling process. 612 .RE 613 614 .sp 615 .ne 2 616 .na 617 \fB\fBPRIV_PROC_ZONE\fR\fR 618 .ad 619 .sp .6 620 .RS 4n 621 Allow a process to trace or send signals to processes in other zones. See 622 \fBzones\fR(5). 623 .RE 624 625 .sp 626 .ne 2 627 .na 628 \fB\fBPRIV_SYS_ACCT\fR\fR 629 .ad 630 .sp .6 631 .RS 4n 632 Allow a process to enable and disable and manage accounting through 633 \fBacct\fR(2). 634 .RE 635 636 .sp 637 .ne 2 638 .na 639 \fB\fBPRIV_SYS_ADMIN\fR\fR 640 .ad 641 .sp .6 642 .RS 4n 643 Allow a process to perform system administration tasks such as setting node and 644 domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings 645 .RE 646 647 .sp 648 .ne 2 649 .na 650 \fB\fBPRIV_SYS_AUDIT\fR\fR 651 .ad 652 .sp .6 653 .RS 4n 654 Allow a process to start the (kernel) audit daemon. Allow a process to view and 655 set audit state (audit user ID, audit terminal ID, audit sessions ID, audit 656 pre-selection mask). Allow a process to turn off and on auditing. Allow a 657 process to configure the audit parameters (cache and queue sizes, event to 658 class mappings, and policy options). 659 .RE 660 661 .sp 662 .ne 2 663 .na 664 \fB\fBPRIV_SYS_CONFIG\fR\fR 665 .ad 666 .sp .6 667 .RS 4n 668 Allow a process to perform various system configuration tasks. Allow 669 filesystem-specific administrative procedures, such as filesystem configuration 670 ioctls, quota calls, creation and deletion of snapshots, and manipulating the 671 PCFS bootsector. 672 .RE 673 674 .sp 675 .ne 2 676 .na 677 \fB\fBPRIV_SYS_DEVICES\fR\fR 678 .ad 679 .sp .6 680 .RS 4n 681 Allow a process to create device special files. Allow a process to successfully 682 call a kernel module that calls the kernel \fBdrv_priv\fR(9F) function to check 683 for allowed access. Allow a process to open the real console device directly. 684 Allow a process to open devices that have been exclusively opened. 685 .RE 686 687 .sp 688 .ne 2 689 .na 690 \fB\fBPRIV_SYS_DL_CONFIG\fR\fR 691 .ad 692 .sp .6 693 .RS 4n 694 Allow a process to configure a system's datalink interfaces. 695 .RE 696 697 .sp 698 .ne 2 699 .na 700 \fB\fBPRIV_SYS_IP_CONFIG\fR\fR 701 .ad 702 .sp .6 703 .RS 4n 704 Allow a process to configure a system's IP interfaces and routes. Allow a 705 process to configure network parameters for \fBTCP/IP\fR using \fBndd\fR. Allow 706 a process access to otherwise restricted \fBTCP/IP\fR information using 707 \fBndd\fR. Allow a process to configure \fBIPsec\fR. Allow a process to pop 708 anchored \fBSTREAM\fRs modules with matching \fBzoneid\fR. 709 .RE 710 711 .sp 712 .ne 2 713 .na 714 \fB\fBPRIV_SYS_IPC_CONFIG\fR\fR 715 .ad 716 .sp .6 717 .RS 4n 718 Allow a process to increase the size of a System V IPC Message Queue buffer. 719 .RE 720 721 .sp 722 .ne 2 723 .na 724 \fB\fBPRIV_SYS_IPTUN_CONFIG\fR\fR 725 .ad 726 .sp .6 727 .RS 4n 728 Allow a process to configure IP tunnel links. 729 .RE 730 731 .sp 732 .ne 2 733 .na 734 \fB\fBPRIV_SYS_LINKDIR\fR\fR 735 .ad 736 .sp .6 737 .RS 4n 738 Allow a process to unlink and link directories. 739 .RE 740 741 .sp 742 .ne 2 743 .na 744 \fB\fBPRIV_SYS_MOUNT\fR\fR 745 .ad 746 .sp .6 747 .RS 4n 748 Allow a process to mount and unmount filesystems that would otherwise be 749 restricted (that is, most filesystems except \fBnamefs\fR). Allow a process to 750 add and remove swap devices. 751 .RE 752 753 .sp 754 .ne 2 755 .na 756 \fB\fBPRIV_SYS_NET_CONFIG\fR\fR 757 .ad 758 .sp .6 759 .RS 4n 760 Allow a process to do all that \fBPRIV_SYS_IP_CONFIG\fR, 761 \fBPRIV_SYS_DL_CONFIG\fR, and \fBPRIV_SYS_PPP_CONFIG\fR allow, plus the 762 following: use the \fBrpcmod\fR STREAMS module and insert/remove STREAMS 763 modules on locations other than the top of the module stack. 764 .RE 765 766 .sp 767 .ne 2 768 .na 769 \fB\fBPRIV_SYS_NFS\fR\fR 770 .ad 771 .sp .6 772 .RS 4n 773 Allow a process to provide NFS service: start NFS kernel threads, perform NFS 774 locking operations, bind to NFS reserved ports: ports 2049 (\fBnfs\fR) and port 775 4045 (\fBlockd\fR). 776 .RE 777 778 .sp 779 .ne 2 780 .na 781 \fB\fBPRIV_SYS_PPP_CONFIG\fR\fR 782 .ad 783 .sp .6 784 .RS 4n 785 Allow a process to create, configure, and destroy PPP instances with pppd(1M) 786 \fBpppd\fR(1M) and control PPPoE plumbing with \fBsppptun\fR(1M)sppptun(1M). 787 This privilege is granted by default to exclusive IP stack instance zones. 788 .RE 789 790 .sp 791 .ne 2 792 .na 793 \fB\fBPRIV_SYS_RES_BIND\fR\fR 794 .ad 795 .sp .6 796 .RS 4n 797 Allows a process to bind processes to processor sets. 798 .RE 799 800 .sp 801 .ne 2 802 .na 803 \fB\fBPRIV_SYS_RES_CONFIG\fR\fR 804 .ad 805 .sp .6 806 .RS 4n 807 Allows all that PRIV_SYS_RES_BIND allows. 808 Allow a process to create and delete processor sets, assign CPUs to processor 809 sets and override the \fBPSET_NOESCAPE\fR property. Allow a process to change 810 the operational status of CPUs in the system using \fBp_online\fR(2). Allow a 811 process to configure filesystem quotas. Allow a process to configure resource 812 pools and bind processes to pools. 813 .RE 814 815 .sp 816 .ne 2 817 .na 818 \fB\fBPRIV_SYS_RESOURCE\fR\fR 819 .ad 820 .sp .6 821 .RS 4n 822 Allow a process to exceed the resource limits imposed on it by 823 \fBsetrlimit\fR(2) and \fBsetrctl\fR(2). 824 .RE 825 826 .sp 827 .ne 2 828 .na 829 \fB\fBPRIV_SYS_SMB\fR\fR 830 .ad 831 .sp .6 832 .RS 4n 833 Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or 834 bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445 835 (SMB). 836 .RE 837 838 .sp 839 .ne 2 840 .na 841 \fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR 842 .ad 843 .sp .6 844 .RS 4n 845 Allow a process to successfully call a third party loadable module that calls 846 the kernel \fBsuser()\fR function to check for allowed access. This privilege 847 exists only for third party loadable module compatibility and is not used by 848 Solaris proper. 849 .RE 850 851 .sp 852 .ne 2 853 .na 854 \fB\fBPRIV_SYS_TIME\fR\fR 855 .ad 856 .sp .6 857 .RS 4n 858 Allow a process to manipulate system time using any of the appropriate system 859 calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2). 860 .RE 861 862 .sp 863 .ne 2 864 .na 865 \fB\fBPRIV_SYS_TRANS_LABEL\fR\fR 866 .ad 867 .sp .6 868 .RS 4n 869 Allow a process to translate labels that are not dominated by the process's 870 sensitivity label to and from an external string form. 871 .sp 872 This privilege is interpreted only if the system is configured with Trusted 873 Extensions. 874 .RE 875 876 .sp 877 .ne 2 878 .na 879 \fB\fBPRIV_VIRT_MANAGE\fR\fR 880 .ad 881 .sp .6 882 .RS 4n 883 Allows a process to manage virtualized environments such as \fBxVM\fR(5). 884 .RE 885 886 .sp 887 .ne 2 888 .na 889 \fB\fBPRIV_WIN_COLORMAP\fR\fR 890 .ad 891 .sp .6 892 .RS 4n 893 Allow a process to override colormap restrictions. 894 .sp 895 Allow a process to install or remove colormaps. 896 .sp 897 Allow a process to retrieve colormap cell entries allocated by other processes. 898 .sp 899 This privilege is interpreted only if the system is configured with Trusted 900 Extensions. 901 .RE 902 903 .sp 904 .ne 2 905 .na 906 \fB\fBPRIV_WIN_CONFIG\fR\fR 907 .ad 908 .sp .6 909 .RS 4n 910 Allow a process to configure or destroy resources that are permanently retained 911 by the X server. 912 .sp 913 Allow a process to use SetScreenSaver to set the screen saver timeout value 914 .sp 915 Allow a process to use ChangeHosts to modify the display access control list. 916 .sp 917 Allow a process to use GrabServer. 918 .sp 919 Allow a process to use the SetCloseDownMode request that can retain window, 920 pixmap, colormap, property, cursor, font, or graphic context resources. 921 .sp 922 This privilege is interpreted only if the system is configured with Trusted 923 Extensions. 924 .RE 925 926 .sp 927 .ne 2 928 .na 929 \fB\fBPRIV_WIN_DAC_READ\fR\fR 930 .ad 931 .sp .6 932 .RS 4n 933 Allow a process to read from a window resource that it does not own (has a 934 different user ID). 935 .sp 936 This privilege is interpreted only if the system is configured with Trusted 937 Extensions. 938 .RE 939 940 .sp 941 .ne 2 942 .na 943 \fB\fBPRIV_WIN_DAC_WRITE\fR\fR 944 .ad 945 .sp .6 946 .RS 4n 947 Allow a process to write to or create a window resource that it does not own 948 (has a different user ID). A newly created window property is created with the 949 window's user ID. 950 .sp 951 This privilege is interpreted only if the system is configured with Trusted 952 Extensions. 953 .RE 954 955 .sp 956 .ne 2 957 .na 958 \fB\fBPRIV_WIN_DEVICES\fR\fR 959 .ad 960 .sp .6 961 .RS 4n 962 Allow a process to perform operations on window input devices. 963 .sp 964 Allow a process to get and set keyboard and pointer controls. 965 .sp 966 Allow a process to modify pointer button and key mappings. 967 .sp 968 This privilege is interpreted only if the system is configured with Trusted 969 Extensions. 970 .RE 971 972 .sp 973 .ne 2 974 .na 975 \fB\fBPRIV_WIN_DGA\fR\fR 976 .ad 977 .sp .6 978 .RS 4n 979 Allow a process to use the direct graphics access (DGA) X protocol extensions. 980 Direct process access to the frame buffer is still required. Thus the process 981 must have MAC and DAC privileges that allow access to the frame buffer, or the 982 frame buffer must be allocated to the process. 983 .sp 984 This privilege is interpreted only if the system is configured with Trusted 985 Extensions. 986 .RE 987 988 .sp 989 .ne 2 990 .na 991 \fB\fBPRIV_WIN_DOWNGRADE_SL\fR\fR 992 .ad 993 .sp .6 994 .RS 4n 995 Allow a process to set the sensitivity label of a window resource to a 996 sensitivity label that does not dominate the existing sensitivity label. 997 .sp 998 This privilege is interpreted only if the system is configured with Trusted 999 Extensions. 1000 .RE 1001 1002 .sp 1003 .ne 2 1004 .na 1005 \fB\fBPRIV_WIN_FONTPATH\fR\fR 1006 .ad 1007 .sp .6 1008 .RS 4n 1009 Allow a process to set a font path. 1010 .sp 1011 This privilege is interpreted only if the system is configured with Trusted 1012 Extensions. 1013 .RE 1014 1015 .sp 1016 .ne 2 1017 .na 1018 \fB\fBPRIV_WIN_MAC_READ\fR\fR 1019 .ad 1020 .sp .6 1021 .RS 4n 1022 Allow a process to read from a window resource whose sensitivity label is not 1023 equal to the process sensitivity label. 1024 .sp 1025 This privilege is interpreted only if the system is configured with Trusted 1026 Extensions. 1027 .RE 1028 1029 .sp 1030 .ne 2 1031 .na 1032 \fB\fBPRIV_WIN_MAC_WRITE\fR\fR 1033 .ad 1034 .sp .6 1035 .RS 4n 1036 Allow a process to create a window resource whose sensitivity label is not 1037 equal to the process sensitivity label. A newly created window property is 1038 created with the window's sensitivity label. 1039 .sp 1040 This privilege is interpreted only if the system is configured with Trusted 1041 Extensions. 1042 .RE 1043 1044 .sp 1045 .ne 2 1046 .na 1047 \fB\fBPRIV_WIN_SELECTION\fR\fR 1048 .ad 1049 .sp .6 1050 .RS 4n 1051 Allow a process to request inter-window data moves without the intervention of 1052 the selection confirmer. 1053 .sp 1054 This privilege is interpreted only if the system is configured with Trusted 1055 Extensions. 1056 .RE 1057 1058 .sp 1059 .ne 2 1060 .na 1061 \fB\fBPRIV_WIN_UPGRADE_SL\fR\fR 1062 .ad 1063 .sp .6 1064 .RS 4n 1065 Allow a process to set the sensitivity label of a window resource to a 1066 sensitivity label that dominates the existing sensitivity label. 1067 .sp 1068 This privilege is interpreted only if the system is configured with Trusted 1069 Extensions. 1070 .RE 1071 1072 .sp 1073 .ne 2 1074 .na 1075 \fB\fBPRIV_XVM_CONTROL\fR\fR 1076 .ad 1077 .sp .6 1078 .RS 4n 1079 Allows a process access to the \fBxVM\fR(5) control devices for managing guest 1080 domains and the hypervisor. This privilege is used only if booted into xVM on 1081 x86 platforms. 1082 .RE 1083 1084 .sp 1085 .LP 1086 Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR, 1087 \fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR, 1088 \fBPRIV_FILE_READ\fR, \fBPRIV_FILE_WRITE\fR, \fBPRIV_NET_ACCESS\fR and 1089 \fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges 1090 that used to be always available to unprivileged processes. By default, 1091 processes still have the basic privileges. 1092 .sp 1093 .LP 1094 The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present 1095 in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs 1096 to be successful, that is, get an effective UID of 0 and additional privileges. 1097 .sp 1098 .LP 1099 The privilege implementation in Solaris extends the process credential with 1100 four privilege sets: 1101 .sp 1102 .ne 2 1103 .na 1104 \fBI, the inheritable set\fR 1105 .ad 1106 .RS 26n 1107 The privileges inherited on \fBexec\fR. 1108 .RE 1109 1110 .sp 1111 .ne 2 1112 .na 1113 \fBP, the permitted set\fR 1114 .ad 1115 .RS 26n 1116 The maximum set of privileges for the process. 1117 .RE 1118 1119 .sp 1120 .ne 2 1121 .na 1122 \fBE, the effective set\fR 1123 .ad 1124 .RS 26n 1125 The privileges currently in effect. 1126 .RE 1127 1128 .sp 1129 .ne 2 1130 .na 1131 \fBL, the limit set\fR 1132 .ad 1133 .RS 26n 1134 The upper bound of the privileges a process and its offspring can obtain. 1135 Changes to L take effect on the next \fBexec\fR. 1136 .RE 1137 1138 .sp 1139 .LP 1140 The sets I, P and E are typically identical to the basic set of privileges for 1141 unprivileged processes. The limit set is typically the full set of privileges. 1142 .sp 1143 .LP 1144 Each process has a Privilege Awareness State (PAS) that can take the value PA 1145 (privilege-aware) and NPA (not-PA). PAS is a transitional mechanism that allows 1146 a choice between full compatibility with the old superuser model and completely 1147 ignoring the effective UID. 1148 .sp 1149 .LP 1150 To facilitate the discussion, we introduce the notion of "observed effective 1151 set" (oE) and "observed permitted set" (oP) and the implementation sets iE and 1152 iP. 1153 .sp 1154 .LP 1155 A process becomes privilege-aware either by manipulating the effective, 1156 permitted, or limit privilege sets through \fBsetppriv\fR(2) or by using 1157 \fBsetpflags\fR(2). In all cases, oE and oP are invariant in the process of 1158 becoming privilege-aware. In the process of becoming privilege-aware, the 1159 following assignments take place: 1160 .sp 1161 .in +2 1162 .nf 1163 iE = oE 1164 iP = oP 1165 .fi 1166 .in -2 1167 1168 .sp 1169 .LP 1170 When a process is privilege-aware, oE and oP are invariant under UID changes. 1171 When a process is not privilege-aware, oE and oP are observed as follows: 1172 .sp 1173 .in +2 1174 .nf 1175 oE = euid == 0 ? L : iE 1176 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP 1177 .fi 1178 .in -2 1179 1180 .sp 1181 .LP 1182 When a non-privilege-aware process has an effective UID of 0, it can exercise 1183 the privileges contained in its limit set, the upper bound of its privileges. 1184 If a non-privilege-aware process has any of the UIDs 0, it appears to be 1185 capable of potentially exercising all privileges in L. 1186 .sp 1187 .LP 1188 It is possible for a process to return to the non-privilege aware state using 1189 \fBsetpflags()\fR. The kernel always attempts this on \fBexec\fR(2). This 1190 operation is permitted only if the following conditions are met: 1191 .RS +4 1192 .TP 1193 .ie t \(bu 1194 .el o 1195 If any of the UIDs is equal to 0, P must be equal to L. 1196 .RE 1197 .RS +4 1198 .TP 1199 .ie t \(bu 1200 .el o 1201 If the effective UID is equal to 0, E must be equal to L. 1202 .RE 1203 .sp 1204 .LP 1205 When a process gives up privilege awareness, the following assignments take 1206 place: 1207 .sp 1208 .in +2 1209 .nf 1210 if (euid == 0) iE = L & I 1211 if (any uid == 0) iP = L & I 1212 .fi 1213 .in -2 1214 1215 .sp 1216 .LP 1217 The privileges obtained when not having a UID of \fB0\fR are the inheritable 1218 set of the process restricted by the limit set. 1219 .sp 1220 .LP 1221 Only privileges in the process's (observed) effective privilege set allow the 1222 process to perform restricted operations. A process can use any of the 1223 privilege manipulation functions to add or remove privileges from the privilege 1224 sets. Privileges can be removed always. Only privileges found in the permitted 1225 set can be added to the effective and inheritable set. The limit set cannot 1226 grow. The inheritable set can be larger than the permitted set. 1227 .sp 1228 .LP 1229 When a process performs an \fBexec\fR(2), the kernel first tries to relinquish 1230 privilege awareness before making the following privilege set modifications: 1231 .sp 1232 .in +2 1233 .nf 1234 E' = P' = I' = L & I 1235 L is unchanged 1236 .fi 1237 .in -2 1238 1239 .sp 1240 .LP 1241 If a process has not manipulated its privileges, the privilege sets effectively 1242 remain the same, as E, P and I are already identical. 1243 .sp 1244 .LP 1245 The limit set is enforced at \fBexec\fR time. 1246 .sp 1247 .LP 1248 To run a non-privilege-aware application in a backward-compatible manner, a 1249 privilege-aware application should start the non-privilege-aware application 1250 with I=basic. 1251 .sp 1252 .LP 1253 For most privileges, absence of the privilege simply results in a failure. In 1254 some instances, the absence of a privilege can cause system calls to behave 1255 differently. In other instances, the removal of a privilege can force a set-uid 1256 application to seriously malfunction. Privileges of this type are considered 1257 "unsafe". When a process is lacking any of the unsafe privileges from its limit 1258 set, the system does not honor the set-uid bit of set-uid root applications. 1259 The following unsafe privileges have been identified: \fBproc_setid\fR, 1260 \fBsys_resource\fR and \fBproc_audit\fR. 1261 .SS "Privilege Escalation" 1262 .LP 1263 In certain circumstances, a single privilege could lead to a process gaining 1264 one or more additional privileges that were not explicitly granted to that 1265 process. To prevent such an escalation of privileges, the security policy 1266 requires explicit permission for those additional privileges. 1267 .sp 1268 .LP 1269 Common examples of escalation are those mechanisms that allow modification of 1270 system resources through "raw'' interfaces; for example, changing kernel data 1271 structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR. 1272 Escalation also occurs when a process controls processes with more privileges 1273 than the controlling process. A special case of this is manipulating or 1274 creating objects owned by UID 0 or trying to obtain UID 0 using 1275 \fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0 1276 owns all system configuration files and ordinary file protection mechanisms 1277 allow processes with UID 0 to modify the system configuration. With appropriate 1278 file modifications, a given process running with an effective UID of 0 can gain 1279 all privileges. 1280 .sp 1281 .LP 1282 In situations where a process might obtain UID 0, the security policy requires 1283 additional privileges, up to the full set of privileges. Such restrictions 1284 could be relaxed or removed at such time as additional mechanisms for 1285 protection of system files became available. There are no such mechanisms in 1286 the current Solaris release. 1287 .sp 1288 .LP 1289 The use of UID 0 processes should be limited as much as possible. They should 1290 be replaced with programs running under a different UID but with exactly the 1291 privileges they need. 1292 .sp 1293 .LP 1294 Daemons that never need to \fBexec\fR subprocesses should remove the 1295 \fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets. 1296 .SS "Assigned Privileges and Safeguards" 1297 .LP 1298 When privileges are assigned to a user, the system administrator could give 1299 that user more powers than intended. The administrator should consider whether 1300 safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR 1301 privilege is given to a user, the administrator should consider setting the 1302 \fBproject.max-locked-memory\fR resource control as well, to prevent that user 1303 from locking all memory. 1304 .SS "Privilege Debugging" 1305 .LP 1306 When a system call fails with a permission error, it is not always immediately 1307 obvious what caused the problem. To debug such a problem, you can use a tool 1308 called \fBprivilege debugging\fR. When privilege debugging is enabled for a 1309 process, the kernel reports missing privileges on the controlling terminal of 1310 the process. (Enable debugging for a process with the \fB-D\fR option of 1311 \fBppriv\fR(1).) Additionally, the administrator can enable system-wide 1312 privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR 1313 using: 1314 .sp 1315 .in +2 1316 .nf 1317 set priv_debug = 1 1318 .fi 1319 .in -2 1320 1321 .sp 1322 .LP 1323 On a running system, you can use \fBmdb\fR(1) to change this variable. 1324 .SS "Privilege Administration" 1325 .LP 1326 The Solaris Management Console (see \fBsmc\fR(1M)) is the preferred method of 1327 modifying privileges for a command. Use \fBusermod\fR(1M) or \fBsmrole\fR(1M) 1328 to assign privileges to or modify privileges for, respectively, a user or a 1329 role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and 1330 \fBtruss\fR(1) to determine which privileges a program requires. 1331 .SH SEE ALSO 1332 .LP 1333 \fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M), 1334 \fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M), 1335 \fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2), 1336 \fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2), 1337 \fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2), 1338 \fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2), 1339 \fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2), 1340 \fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2), 1341 \fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2), 1342 \fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2), 1343 \fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2), 1344 \fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2), 1345 \fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2), 1346 \fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2), 1347 \fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2), 1348 \fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2), 1349 \fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2), 1350 \fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2), 1351 \fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2), 1352 \fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C), 1353 \fBpriv_addset\fR(3C), \fBpriv_set\fR(3C), \fBpriv_getbyname\fR(3C), 1354 \fBpriv_getbynum\fR(3C), \fBpriv_set_to_str\fR(3C), \fBpriv_str_to_set\fR(3C), 1355 \fBsocket\fR(3SOCKET), \fBt_bind\fR(3NSL), \fBtimer_create\fR(3C), 1356 \fBucred_get\fR(3C), \fBexec_attr\fR(4), \fBproc\fR(4), \fBsystem\fR(4), 1357 \fBuser_attr\fR(4), \fBxVM\fR(5), \fBddi_cred\fR(9F), \fBdrv_priv\fR(9F), 1358 \fBpriv_getbyname\fR(9F), \fBpriv_policy\fR(9F), \fBpriv_policy_choice\fR(9F), 1359 \fBpriv_policy_only\fR(9F) 1360 .sp 1361 .LP 1362 \fISystem Administration Guide: Security Services\fR