1 PRIVILEGES(5) Standards, Environments, and Macros PRIVILEGES(5) 2 3 4 5 NAME 6 privileges - process privilege model 7 8 DESCRIPTION 9 Solaris software implements a set of privileges that provide fine- 10 grained control over the actions of processes. The possession of a 11 certain privilege allows a process to perform a specific set of 12 restricted operations. 13 14 15 The change to a primarily privilege-based security model in the Solaris 16 operating system gives developers an opportunity to restrict processes 17 to those privileged operations actually needed instead of all (super- 18 user) or no privileges (non-zero UIDs). Additionally, a set of 19 previously unrestricted operations now requires a privilege; these 20 privileges are dubbed the "basic" privileges and are by default given 21 to all processes. 22 23 24 Taken together, all defined privileges with the exception of the 25 "basic" privileges compose the set of privileges that are traditionally 26 associated with the root user. The "basic" privileges are "privileges" 27 unprivileged processes were accustomed to having. 28 29 30 The defined privileges are: 31 32 PRIV_CONTRACT_EVENT 33 34 Allow a process to request reliable delivery of events to an event 35 endpoint. 36 37 Allow a process to include events in the critical event set term of 38 a template which could be generated in volume by the user. 39 40 41 PRIV_CONTRACT_IDENTITY 42 43 Allows a process to set the service FMRI value of a process 44 contract template. 45 46 47 PRIV_CONTRACT_OBSERVER 48 49 Allow a process to observe contract events generated by contracts 50 created and owned by users other than the process's effective user 51 ID. 52 53 Allow a process to open contract event endpoints belonging to 54 contracts created and owned by users other than the process's 55 effective user ID. 56 57 58 PRIV_CPC_CPU 59 60 Allow a process to access per-CPU hardware performance counters. 61 62 63 PRIV_DTRACE_KERNEL 64 65 Allow DTrace kernel-level tracing. 66 67 68 PRIV_DTRACE_PROC 69 70 Allow DTrace process-level tracing. Allow process-level tracing 71 probes to be placed and enabled in processes to which the user has 72 permissions. 73 74 75 PRIV_DTRACE_USER 76 77 Allow DTrace user-level tracing. Allow use of the syscall and 78 profile DTrace providers to examine processes to which the user has 79 permissions. 80 81 82 PRIV_FILE_CHOWN 83 84 Allow a process to change a file's owner user ID. Allow a process 85 to change a file's group ID to one other than the process's 86 effective group ID or one of the process's supplemental group IDs. 87 88 89 PRIV_FILE_CHOWN_SELF 90 91 Allow a process to give away its files. A process with this 92 privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect. 93 94 95 PRIV_FILE_DAC_EXECUTE 96 97 Allow a process to execute an executable file whose permission bits 98 or ACL would otherwise disallow the process execute permission. 99 100 101 PRIV_FILE_DAC_READ 102 103 Allow a process to read a file or directory whose permission bits 104 or ACL would otherwise disallow the process read permission. 105 106 107 PRIV_FILE_DAC_SEARCH 108 109 Allow a process to search a directory whose permission bits or ACL 110 would not otherwise allow the process search permission. 111 112 113 PRIV_FILE_DAC_WRITE 114 115 Allow a process to write a file or directory whose permission bits 116 or ACL do not allow the process write permission. All privileges 117 are required to write files owned by UID 0 in the absence of an 118 effective UID of 0. 119 120 121 PRIV_FILE_DOWNGRADE_SL 122 123 Allow a process to set the sensitivity label of a file or directory 124 to a sensitivity label that does not dominate the existing 125 sensitivity label. 126 127 This privilege is interpreted only if the system is configured with 128 Trusted Extensions. 129 130 131 PRIV_FILE_FLAG_SET 132 133 Allows a process to set immutable, nounlink or appendonly file 134 attributes. 135 136 137 PRIV_FILE_LINK_ANY 138 139 Allow a process to create hardlinks to files owned by a UID 140 different from the process's effective UID. 141 142 143 PRIV_FILE_OWNER 144 145 Allow a process that is not the owner of a file to modify that 146 file's access and modification times. Allow a process that is not 147 the owner of a directory to modify that directory's access and 148 modification times. Allow a process that is not the owner of a file 149 or directory to remove or rename a file or directory whose parent 150 directory has the "save text image after execution" (sticky) bit 151 set. Allow a process that is not the owner of a file to mount a 152 namefs upon that file. Allow a process that is not the owner of a 153 file or directory to modify that file's or directory's permission 154 bits or ACL. 155 156 157 PRIV_FILE_READ 158 159 Allow a process to open objects in the filesystem for reading. This 160 privilege is not necessary to read from an already open file which 161 was opened before dropping the PRIV_FILE_READ privilege. 162 163 164 PRIV_FILE_SETID 165 166 Allow a process to change the ownership of a file or write to a 167 file without the set-user-ID and set-group-ID bits being cleared. 168 Allow a process to set the set-group-ID bit on a file or directory 169 whose group is not the process's effective group or one of the 170 process's supplemental groups. Allow a process to set the set-user- 171 ID bit on a file with different ownership in the presence of 172 PRIV_FILE_OWNER. Additional restrictions apply when creating or 173 modifying a setuid 0 file. 174 175 176 PRIV_FILE_UPGRADE_SL 177 178 Allow a process to set the sensitivity label of a file or directory 179 to a sensitivity label that dominates the existing sensitivity 180 label. 181 182 This privilege is interpreted only if the system is configured with 183 Trusted Extensions. 184 185 186 PRIV_FILE_WRITE 187 188 Allow a process to open objects in the filesytem for writing, or 189 otherwise modify them. This privilege is not necessary to write to 190 an already open file which was opened before dropping the 191 PRIV_FILE_WRITE privilege. 192 193 194 PRIV_GRAPHICS_ACCESS 195 196 Allow a process to make privileged ioctls to graphics devices. 197 Typically only an xserver process needs to have this privilege. A 198 process with this privilege is also allowed to perform privileged 199 graphics device mappings. 200 201 202 PRIV_GRAPHICS_MAP 203 204 Allow a process to perform privileged mappings through a graphics 205 device. 206 207 208 PRIV_IPC_DAC_READ 209 210 Allow a process to read a System V IPC Message Queue, Semaphore 211 Set, or Shared Memory Segment whose permission bits would not 212 otherwise allow the process read permission. 213 214 215 PRIV_IPC_DAC_WRITE 216 217 Allow a process to write a System V IPC Message Queue, Semaphore 218 Set, or Shared Memory Segment whose permission bits would not 219 otherwise allow the process write permission. 220 221 222 PRIV_IPC_OWNER 223 224 Allow a process that is not the owner of a System V IPC Message 225 Queue, Semaphore Set, or Shared Memory Segment to remove, change 226 ownership of, or change permission bits of the Message Queue, 227 Semaphore Set, or Shared Memory Segment. 228 229 230 PRIV_NET_ACCESS 231 232 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint. 233 This privilege is not necessary to communicate using an existing 234 endpoint already opened before dropping the PRIV_NET_ACCESS 235 privilege. 236 237 238 PRIV_NET_BINDMLP 239 240 Allow a process to bind to a port that is configured as a multi- 241 level port (MLP) for the process's zone. This privilege applies to 242 both shared address and zone-specific address MLPs. See 243 tnzonecfg(4) from the Trusted Extensions manual pages for 244 information on configuring MLP ports. 245 246 This privilege is interpreted only if the system is configured with 247 Trusted Extensions. 248 249 250 PRIV_NET_ICMPACCESS 251 252 Allow a process to send and receive ICMP packets. 253 254 255 PRIV_NET_MAC_AWARE 256 257 Allow a process to set the NET_MAC_AWARE process flag by using 258 setpflags(2). This privilege also allows a process to set the 259 SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The 260 NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both 261 allow a local process to communicate with an unlabeled peer if the 262 local process's label dominates the peer's default label, or if the 263 local process runs in the global zone. 264 265 This privilege is interpreted only if the system is configured with 266 Trusted Extensions. 267 268 269 PRIV_NET_MAC_IMPLICIT 270 271 Allow a proces to set SO_MAC_IMPLICIT option by using 272 setsockopt(3SOCKET). This allows a privileged process to transmit 273 implicitly-labeled packets to a peer. 274 275 This privilege is interpreted only if the system is configured with 276 Trusted Extensions. 277 278 279 PRIV_NET_OBSERVABILITY 280 281 Allow a process to open a device for just receiving network 282 traffic, sending traffic is disallowed. 283 284 285 PRIV_NET_PRIVADDR 286 287 Allow a process to bind to a privileged port number. The privilege 288 port numbers are 1-1023 (the traditional UNIX privileged ports) as 289 well as those ports marked as "udp/tcp_extra_priv_ports" with the 290 exception of the ports reserved for use by NFS and SMB. 291 292 293 PRIV_NET_RAWACCESS 294 295 Allow a process to have direct access to the network layer. 296 297 298 PRIV_PROC_AUDIT 299 300 Allow a process to generate audit records. Allow a process to get 301 its own audit pre-selection information. 302 303 304 PRIV_PROC_CHROOT 305 306 Allow a process to change its root directory. 307 308 309 PRIV_PROC_CLOCK_HIGHRES 310 311 Allow a process to use high resolution timers. 312 313 314 PRIV_PROC_EXEC 315 316 Allow a process to call exec(2). 317 318 319 PRIV_PROC_FORK 320 321 Allow a process to call fork(2), fork1(2), or vfork(2). 322 323 324 PRIV_PROC_INFO 325 326 Allow a process to examine the status of processes other than those 327 to which it can send signals. Processes that cannot be examined 328 cannot be seen in /proc and appear not to exist. 329 330 331 PRIV_PROC_LOCK_MEMORY 332 333 Allow a process to lock pages in physical memory. 334 335 336 PRIV_PROC_MEMINFO 337 338 Allow a process to access physical memory information. 339 340 341 PRIV_PROC_OWNER 342 343 Allow a process to send signals to other processes and inspect and 344 modify the process state in other processes, regardless of 345 ownership. When modifying another process, additional restrictions 346 apply: the effective privilege set of the attaching process must be 347 a superset of the target process's effective, permitted, and 348 inheritable sets; the limit set must be a superset of the target's 349 limit set; if the target process has any UID set to 0 all privilege 350 must be asserted unless the effective UID is 0. Allow a process to 351 bind arbitrary processes to CPUs. 352 353 354 PRIV_PROC_PRIOUP 355 356 Allow a process to elevate its priority above its current level. 357 358 359 PRIV_PROC_PRIOCNTL 360 361 Allows all that PRIV_PROC_PRIOUP allows. Allow a process to change 362 its scheduling class to any scheduling class, including the RT 363 class. 364 365 366 PRIV_PROC_SECFLAGS 367 368 Allow a process to manipulate the secflags of processes (subject 369 to, additionally, the ability to signal that process). 370 371 372 PRIV_PROC_SESSION 373 374 Allow a process to send signals or trace processes outside its 375 session. 376 377 378 PRIV_PROC_SETID 379 380 Allow a process to set its UIDs at will, assuming UID 0 requires 381 all privileges to be asserted. 382 383 384 PRIV_PROC_TASKID 385 386 Allow a process to assign a new task ID to the calling process. 387 388 389 PRIV_PROC_ZONE 390 391 Allow a process to trace or send signals to processes in other 392 zones. See zones(5). 393 394 395 PRIV_SYS_ACCT 396 397 Allow a process to enable and disable and manage accounting through 398 acct(2). 399 400 401 PRIV_SYS_ADMIN 402 403 Allow a process to perform system administration tasks such as 404 setting node and domain name and specifying coreadm(1M) and 405 nscd(1M) settings 406 407 408 PRIV_SYS_AUDIT 409 410 Allow a process to start the (kernel) audit daemon. Allow a process 411 to view and set audit state (audit user ID, audit terminal ID, 412 audit sessions ID, audit pre-selection mask). Allow a process to 413 turn off and on auditing. Allow a process to configure the audit 414 parameters (cache and queue sizes, event to class mappings, and 415 policy options). 416 417 418 PRIV_SYS_CONFIG 419 420 Allow a process to perform various system configuration tasks. 421 Allow filesystem-specific administrative procedures, such as 422 filesystem configuration ioctls, quota calls, creation and deletion 423 of snapshots, and manipulating the PCFS bootsector. 424 425 426 PRIV_SYS_DEVICES 427 428 Allow a process to create device special files. Allow a process to 429 successfully call a kernel module that calls the kernel 430 drv_priv(9F) function to check for allowed access. Allow a process 431 to open the real console device directly. Allow a process to open 432 devices that have been exclusively opened. 433 434 435 PRIV_SYS_DL_CONFIG 436 437 Allow a process to configure a system's datalink interfaces. 438 439 440 PRIV_SYS_IP_CONFIG 441 442 Allow a process to configure a system's IP interfaces and routes. 443 Allow a process to configure network parameters for TCP/IP using 444 ndd. Allow a process access to otherwise restricted TCP/IP 445 information using ndd. Allow a process to configure IPsec. Allow a 446 process to pop anchored STREAMs modules with matching zoneid. 447 448 449 PRIV_SYS_IPC_CONFIG 450 451 Allow a process to increase the size of a System V IPC Message 452 Queue buffer. 453 454 455 PRIV_SYS_IPTUN_CONFIG 456 457 Allow a process to configure IP tunnel links. 458 459 460 PRIV_SYS_LINKDIR 461 462 Allow a process to unlink and link directories. 463 464 465 PRIV_SYS_MOUNT 466 467 Allow a process to mount and unmount filesystems that would 468 otherwise be restricted (that is, most filesystems except namefs). 469 Allow a process to add and remove swap devices. 470 471 472 PRIV_SYS_NET_CONFIG 473 474 Allow a process to do all that PRIV_SYS_IP_CONFIG, 475 PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the 476 following: use the rpcmod STREAMS module and insert/remove STREAMS 477 modules on locations other than the top of the module stack. 478 479 480 PRIV_SYS_NFS 481 482 Allow a process to provide NFS service: start NFS kernel threads, 483 perform NFS locking operations, bind to NFS reserved ports: ports 484 2049 (nfs) and port 4045 (lockd). 485 486 487 PRIV_SYS_PPP_CONFIG 488 489 Allow a process to create, configure, and destroy PPP instances 490 with pppd(1M) pppd(1M) and control PPPoE plumbing with 491 sppptun(1M)sppptun(1M). This privilege is granted by default to 492 exclusive IP stack instance zones. 493 494 495 PRIV_SYS_RES_BIND 496 497 Allows a process to bind processes to processor sets. 498 499 500 PRIV_SYS_RES_CONFIG 501 502 Allows all that PRIV_SYS_RES_BIND allows. Allow a process to 503 create and delete processor sets, assign CPUs to processor sets and 504 override the PSET_NOESCAPE property. Allow a process to change the 505 operational status of CPUs in the system using p_online(2). Allow a 506 process to configure filesystem quotas. Allow a process to 507 configure resource pools and bind processes to pools. 508 509 510 PRIV_SYS_RESOURCE 511 512 Allow a process to exceed the resource limits imposed on it by 513 setrlimit(2) and setrctl(2). 514 515 516 PRIV_SYS_SMB 517 518 Allow a process to provide NetBIOS or SMB services: start SMB 519 kernel threads or bind to NetBIOS or SMB reserved ports: ports 137, 520 138, 139 (NetBIOS) and 445 (SMB). 521 522 523 PRIV_SYS_SUSER_COMPAT 524 525 Allow a process to successfully call a third party loadable module 526 that calls the kernel suser() function to check for allowed access. 527 This privilege exists only for third party loadable module 528 compatibility and is not used by Solaris proper. 529 530 531 PRIV_SYS_TIME 532 533 Allow a process to manipulate system time using any of the 534 appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2). 535 536 537 PRIV_SYS_TRANS_LABEL 538 539 Allow a process to translate labels that are not dominated by the 540 process's sensitivity label to and from an external string form. 541 542 This privilege is interpreted only if the system is configured with 543 Trusted Extensions. 544 545 546 PRIV_VIRT_MANAGE 547 548 Allows a process to manage virtualized environments such as xVM(5). 549 550 551 PRIV_WIN_COLORMAP 552 553 Allow a process to override colormap restrictions. 554 555 Allow a process to install or remove colormaps. 556 557 Allow a process to retrieve colormap cell entries allocated by 558 other processes. 559 560 This privilege is interpreted only if the system is configured with 561 Trusted Extensions. 562 563 564 PRIV_WIN_CONFIG 565 566 Allow a process to configure or destroy resources that are 567 permanently retained by the X server. 568 569 Allow a process to use SetScreenSaver to set the screen saver 570 timeout value 571 572 Allow a process to use ChangeHosts to modify the display access 573 control list. 574 575 Allow a process to use GrabServer. 576 577 Allow a process to use the SetCloseDownMode request that can retain 578 window, pixmap, colormap, property, cursor, font, or graphic 579 context resources. 580 581 This privilege is interpreted only if the system is configured with 582 Trusted Extensions. 583 584 585 PRIV_WIN_DAC_READ 586 587 Allow a process to read from a window resource that it does not own 588 (has a different user ID). 589 590 This privilege is interpreted only if the system is configured with 591 Trusted Extensions. 592 593 594 PRIV_WIN_DAC_WRITE 595 596 Allow a process to write to or create a window resource that it 597 does not own (has a different user ID). A newly created window 598 property is created with the window's user ID. 599 600 This privilege is interpreted only if the system is configured with 601 Trusted Extensions. 602 603 604 PRIV_WIN_DEVICES 605 606 Allow a process to perform operations on window input devices. 607 608 Allow a process to get and set keyboard and pointer controls. 609 610 Allow a process to modify pointer button and key mappings. 611 612 This privilege is interpreted only if the system is configured with 613 Trusted Extensions. 614 615 616 PRIV_WIN_DGA 617 618 Allow a process to use the direct graphics access (DGA) X protocol 619 extensions. Direct process access to the frame buffer is still 620 required. Thus the process must have MAC and DAC privileges that 621 allow access to the frame buffer, or the frame buffer must be 622 allocated to the process. 623 624 This privilege is interpreted only if the system is configured with 625 Trusted Extensions. 626 627 628 PRIV_WIN_DOWNGRADE_SL 629 630 Allow a process to set the sensitivity label of a window resource 631 to a sensitivity label that does not dominate the existing 632 sensitivity label. 633 634 This privilege is interpreted only if the system is configured with 635 Trusted Extensions. 636 637 638 PRIV_WIN_FONTPATH 639 640 Allow a process to set a font path. 641 642 This privilege is interpreted only if the system is configured with 643 Trusted Extensions. 644 645 646 PRIV_WIN_MAC_READ 647 648 Allow a process to read from a window resource whose sensitivity 649 label is not equal to the process sensitivity label. 650 651 This privilege is interpreted only if the system is configured with 652 Trusted Extensions. 653 654 655 PRIV_WIN_MAC_WRITE 656 657 Allow a process to create a window resource whose sensitivity label 658 is not equal to the process sensitivity label. A newly created 659 window property is created with the window's sensitivity label. 660 661 This privilege is interpreted only if the system is configured with 662 Trusted Extensions. 663 664 665 PRIV_WIN_SELECTION 666 667 Allow a process to request inter-window data moves without the 668 intervention of the selection confirmer. 669 670 This privilege is interpreted only if the system is configured with 671 Trusted Extensions. 672 673 674 PRIV_WIN_UPGRADE_SL 675 676 Allow a process to set the sensitivity label of a window resource 677 to a sensitivity label that dominates the existing sensitivity 678 label. 679 680 This privilege is interpreted only if the system is configured with 681 Trusted Extensions. 682 683 684 PRIV_XVM_CONTROL 685 686 Allows a process access to the xVM(5) control devices for managing 687 guest domains and the hypervisor. This privilege is used only if 688 booted into xVM on x86 platforms. 689 690 691 692 Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY, 693 PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK, PRIV_FILE_READ, 694 PRIV_FILE_WRITE, PRIV_NET_ACCESS and PRIV_PROC_EXEC are considered 695 "basic" privileges. These are privileges that used to be always 696 available to unprivileged processes. By default, processes still have 697 the basic privileges. 698 699 700 The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in 701 the Limit set (see below) of a process in order for set-uid root execs 702 to be successful, that is, get an effective UID of 0 and additional 703 privileges. 704 705 706 The privilege implementation in Solaris extends the process credential 707 with four privilege sets: 708 709 I, the inheritable set 710 The privileges inherited on exec. 711 712 713 P, the permitted set 714 The maximum set of privileges for the 715 process. 716 717 718 E, the effective set 719 The privileges currently in effect. 720 721 722 L, the limit set 723 The upper bound of the privileges a process 724 and its offspring can obtain. Changes to L 725 take effect on the next exec. 726 727 728 729 The sets I, P and E are typically identical to the basic set of 730 privileges for unprivileged processes. The limit set is typically the 731 full set of privileges. 732 733 734 Each process has a Privilege Awareness State (PAS) that can take the 735 value PA (privilege-aware) and NPA (not-PA). PAS is a transitional 736 mechanism that allows a choice between full compatibility with the old 737 superuser model and completely ignoring the effective UID. 738 739 740 To facilitate the discussion, we introduce the notion of "observed 741 effective set" (oE) and "observed permitted set" (oP) and the 742 implementation sets iE and iP. 743 744 745 A process becomes privilege-aware either by manipulating the effective, 746 permitted, or limit privilege sets through setppriv(2) or by using 747 setpflags(2). In all cases, oE and oP are invariant in the process of 748 becoming privilege-aware. In the process of becoming privilege-aware, 749 the following assignments take place: 750 751 iE = oE 752 iP = oP 753 754 755 756 When a process is privilege-aware, oE and oP are invariant under UID 757 changes. When a process is not privilege-aware, oE and oP are observed 758 as follows: 759 760 oE = euid == 0 ? L : iE 761 oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP 762 763 764 765 When a non-privilege-aware process has an effective UID of 0, it can 766 exercise the privileges contained in its limit set, the upper bound of 767 its privileges. If a non-privilege-aware process has any of the UIDs 768 0, it appears to be capable of potentially exercising all privileges in 769 L. 770 771 772 It is possible for a process to return to the non-privilege aware state 773 using setpflags(). The kernel always attempts this on exec(2). This 774 operation is permitted only if the following conditions are met: 775 776 o If any of the UIDs is equal to 0, P must be equal to L. 777 778 o If the effective UID is equal to 0, E must be equal to L. 779 780 781 When a process gives up privilege awareness, the following assignments 782 take place: 783 784 if (euid == 0) iE = L & I 785 if (any uid == 0) iP = L & I 786 787 788 789 The privileges obtained when not having a UID of 0 are the inheritable 790 set of the process restricted by the limit set. 791 792 793 Only privileges in the process's (observed) effective privilege set 794 allow the process to perform restricted operations. A process can use 795 any of the privilege manipulation functions to add or remove privileges 796 from the privilege sets. Privileges can be removed always. Only 797 privileges found in the permitted set can be added to the effective and 798 inheritable set. The limit set cannot grow. The inheritable set can be 799 larger than the permitted set. 800 801 802 When a process performs an exec(2), the kernel first tries to 803 relinquish privilege awareness before making the following privilege 804 set modifications: 805 806 E' = P' = I' = L & I 807 L is unchanged 808 809 810 811 If a process has not manipulated its privileges, the privilege sets 812 effectively remain the same, as E, P and I are already identical. 813 814 815 The limit set is enforced at exec time. 816 817 818 To run a non-privilege-aware application in a backward-compatible 819 manner, a privilege-aware application should start the non-privilege- 820 aware application with I=basic. 821 822 823 For most privileges, absence of the privilege simply results in a 824 failure. In some instances, the absense of a privilege can cause system 825 calls to behave differently. In other instances, the removal of a 826 privilege can force a set-uid application to seriously malfunction. 827 Privileges of this type are considered "unsafe". When a process is 828 lacking any of the unsafe privileges from its limit set, the system 829 does not honor the set-uid bit of set-uid root applications. The 830 following unsafe privileges have been identified: proc_setid, 831 sys_resource and proc_audit. 832 833 Privilege Escalation 834 In certain circumstances, a single privilege could lead to a process 835 gaining one or more additional privileges that were not explicitly 836 granted to that process. To prevent such an escalation of privileges, 837 the security policy requires explicit permission for those additional 838 privileges. 839 840 841 Common examples of escalation are those mechanisms that allow 842 modification of system resources through "raw'' interfaces; for 843 example, changing kernel data structures through /dev/kmem or changing 844 files through /dev/dsk/*. Escalation also occurs when a process 845 controls processes with more privileges than the controlling process. A 846 special case of this is manipulating or creating objects owned by UID 0 847 or trying to obtain UID 0 using setuid(2). The special treatment of UID 848 0 is needed because the UID 0 owns all system configuration files and 849 ordinary file protection mechanisms allow processes with UID 0 to 850 modify the system configuration. With appropriate file modifications, a 851 given process running with an effective UID of 0 can gain all 852 privileges. 853 854 855 In situations where a process might obtain UID 0, the security policy 856 requires additional privileges, up to the full set of privileges. Such 857 restrictions could be relaxed or removed at such time as additional 858 mechanisms for protection of system files became available. There are 859 no such mechanisms in the current Solaris release. 860 861 862 The use of UID 0 processes should be limited as much as possible. They 863 should be replaced with programs running under a different UID but with 864 exactly the privileges they need. 865 866 867 Daemons that never need to exec subprocesses should remove the 868 PRIV_PROC_EXEC privilege from their permitted and limit sets. 869 870 Assigned Privileges and Safeguards 871 When privileges are assigned to a user, the system administrator could 872 give that user more powers than intended. The administrator should 873 consider whether safeguards are needed. For example, if the 874 PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator 875 should consider setting the project.max-locked-memory resource control 876 as well, to prevent that user from locking all memory. 877 878 Privilege Debugging 879 When a system call fails with a permission error, it is not always 880 immediately obvious what caused the problem. To debug such a problem, 881 you can use a tool called privilege debugging. When privilege debugging 882 is enabled for a process, the kernel reports missing privileges on the 883 controlling terminal of the process. (Enable debugging for a process 884 with the -D option of ppriv(1).) Additionally, the administrator can 885 enable system-wide privilege debugging by setting the system(4) 886 variable priv_debug using: 887 888 set priv_debug = 1 889 890 891 892 On a running system, you can use mdb(1) to change this variable. 893 894 Privilege Administration 895 The Solaris Management Console (see smc(1M)) is the preferred method of 896 modifying privileges for a command. Use usermod(1M) or smrole(1M) to 897 assign privileges to or modify privileges for, respectively, a user or 898 a role. Use ppriv(1) to enumerate the privileges supported on a system 899 and truss(1) to determine which privileges a program requires. 900 901 SEE ALSO 902 mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M), 903 pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2), 904 access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2), 905 chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2), 906 fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2), 907 kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2), 908 ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2), 909 processor_bind(2), pset_bind(2), pset_create(2), readlink(2), 910 resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2), 911 seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2), 912 setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2), 913 setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2), 914 statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2), 915 umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET), 916 door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C), 917 priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C), 918 socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C), 919 exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F), 920 drv_priv(9F), priv_getbyname(9F), priv_policy(9F), 921 priv_policy_choice(9F), priv_policy_only(9F) 922 923 924 System Administration Guide: Security Services 925 926 927 928 October 30, 2015 PRIVILEGES(5)