privileges(5)         Standards, Environments, and Macros        privileges(5)

NAME
       privileges - process privilege model

DESCRIPTION
       Solaris software implements a set of privileges that provide
       fine-grained control over the actions of processes. The possession
       of a certain privilege allows a process to perform a specific set of
       restricted operations.

       The change to a primarily privilege-based security model in the
       Solaris operating system gives developers an opportunity to restrict
       processes to those privileged operations actually needed instead of
       all (superuser) or no privileges (non-zero UIDs). Additionally, a
       set of previously unrestricted operations now requires a privilege;
       these privileges are dubbed the "basic" privileges and are by
       default given to all processes.

       Taken together, all defined privileges with the exception of the
       "basic" privileges compose the set of privileges that are
       traditionally associated with the root user. The "basic" privileges
       are "privileges" unprivileged processes were accustomed to having.

       The defined privileges are:

       PRIV_CONTRACT_EVENT

           Allow a process to request reliable delivery of events to an
           event endpoint.

           Allow a process to include events in the critical event set term
           of a template which could be generated in volume by the user.

       PRIV_CONTRACT_IDENTITY

           Allow a process to set the service FMRI value of a process
           contract template.

       PRIV_CONTRACT_OBSERVER

           Allow a process to observe contract events generated by
           contracts created and owned by users other than the process's
           effective user ID.

           Allow a process to open contract event endpoints belonging to
           contracts created and owned by users other than the process's
           effective user ID.

       PRIV_CPC_CPU

           Allow a process to access per-CPU hardware performance counters.

       PRIV_DTRACE_KERNEL

           Allow DTrace kernel-level tracing.

       PRIV_DTRACE_PROC

           Allow DTrace process-level tracing. Allow process-level tracing
           probes to be placed and enabled in processes to which the user
           has permissions.

       PRIV_DTRACE_USER

           Allow DTrace user-level tracing. Allow use of the syscall and
           profile DTrace providers to examine processes to which the user
           has permissions.

       PRIV_FILE_CHOWN

           Allow a process to change a file's owner user ID. Allow a
           process to change a file's group ID to one other than the
           process's effective group ID or one of the process's
           supplemental group IDs.

       PRIV_FILE_CHOWN_SELF

           Allow a process to give away its files. A process with this
           privilege runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.

       PRIV_FILE_DAC_EXECUTE

           Allow a process to execute an executable file whose permission
           bits or ACL would otherwise disallow the process execute
           permission.

       PRIV_FILE_DAC_READ

           Allow a process to read a file or directory whose permission
           bits or ACL would otherwise disallow the process read
           permission.

       PRIV_FILE_DAC_SEARCH

           Allow a process to search a directory whose permission bits or
           ACL would not otherwise allow the process search permission.

       PRIV_FILE_DAC_WRITE

           Allow a process to write a file or directory whose permission
           bits or ACL do not allow the process write permission. All
           privileges are required to write files owned by UID 0 in the
           absence of an effective UID of 0.

       PRIV_FILE_DOWNGRADE_SL

           Allow a process to set the sensitivity label of a file or
           directory to a sensitivity label that does not dominate the
           existing sensitivity label.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_FILE_LINK_ANY

           Allow a process to create hardlinks to files owned by a UID
           different from the process's effective UID.

       PRIV_FILE_OWNER

           Allow a process that is not the owner of a file to modify that
           file's access and modification times. Allow a process that is
           not the owner of a directory to modify that directory's access
           and modification times. Allow a process that is not the owner
           of a file or directory to remove or rename a file or directory
           whose parent directory has the "save text image after
           execution" (sticky) bit set. Allow a process that is not the
           owner of a file to mount a namefs upon that file. Allow a
           process that is not the owner of a file or directory to modify
           that file's or directory's permission bits or ACL.

       PRIV_FILE_SETID

           Allow a process to change the ownership of a file or write to a
           file without the set-user-ID and set-group-ID bits being
           cleared. Allow a process to set the set-group-ID bit on a file
           or directory whose group is not the process's effective group
           or one of the process's supplemental groups. Allow a process to
           set the set-user-ID bit on a file with different ownership in
           the presence of PRIV_FILE_OWNER. Additional restrictions apply
           when creating or modifying a setuid 0 file.

       PRIV_FILE_UPGRADE_SL

           Allow a process to set the sensitivity label of a file or
           directory to a sensitivity label that dominates the existing
           sensitivity label.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_FILE_FLAG_SET

           Allow a process to set immutable, nounlink or appendonly file
           attributes.

       PRIV_GRAPHICS_ACCESS

           Allow a process to make privileged ioctls to graphics devices.
           Typically only an xserver process needs to have this privilege.
           A process with this privilege is also allowed to perform
           privileged graphics device mappings.

       PRIV_GRAPHICS_MAP

           Allow a process to perform privileged mappings through a
           graphics device.

       PRIV_IPC_DAC_READ

           Allow a process to read a System V IPC Message Queue, Semaphore
           Set, or Shared Memory Segment whose permission bits would not
           otherwise allow the process read permission.

       PRIV_IPC_DAC_WRITE

           Allow a process to write a System V IPC Message Queue, Semaphore
           Set, or Shared Memory Segment whose permission bits would not
           otherwise allow the process write permission.

       PRIV_IPC_OWNER

           Allow a process that is not the owner of a System V IPC Message
           Queue, Semaphore Set, or Shared Memory Segment to remove, change
           ownership of, or change permission bits of the Message Queue,
           Semaphore Set, or Shared Memory Segment.

       PRIV_NET_BINDMLP

           Allow a process to bind to a port that is configured as a
           multi-level port (MLP) for the process's zone. This privilege
           applies to both shared address and zone-specific address MLPs.
           See tnzonecfg(4) from the Trusted Extensions manual pages for
           information on configuring MLP ports.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_NET_ICMPACCESS

           Allow a process to send and receive ICMP packets.

       PRIV_NET_MAC_AWARE

           Allow a process to set the NET_MAC_AWARE process flag by using
           setpflags(2). This privilege also allows a process to set the
           SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The
           NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option
           both allow a local process to communicate with an unlabeled
           peer if the local process's label dominates the peer's default
           label, or if the local process runs in the global zone.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_NET_OBSERVABILITY

           Allow a process to open a device for receiving network traffic
           only; sending traffic is disallowed.

       PRIV_NET_PRIVADDR

           Allow a process to bind to a privileged port number. The
           privileged port numbers are 1-1023 (the traditional UNIX
           privileged ports) as well as those ports marked as
           "udp/tcp_extra_priv_ports", with the exception of the ports
           reserved for use by NFS and SMB.

       PRIV_NET_RAWACCESS

           Allow a process to have direct access to the network layer.

       PRIV_PROC_AUDIT

           Allow a process to generate audit records. Allow a process to
           get its own audit pre-selection information.

       PRIV_PROC_CHROOT

           Allow a process to change its root directory.

       PRIV_PROC_CLOCK_HIGHRES

           Allow a process to use high resolution timers.

       PRIV_PROC_EXEC

           Allow a process to call exec(2).

       PRIV_PROC_FORK

           Allow a process to call fork(2), fork1(2), or vfork(2).

       PRIV_PROC_INFO

           Allow a process to examine the status of processes other than
           those to which it can send signals. Processes that cannot be
           examined cannot be seen in /proc and appear not to exist.

       PRIV_PROC_LOCK_MEMORY

           Allow a process to lock pages in physical memory.

       PRIV_PROC_OWNER

           Allow a process to send signals to other processes and inspect
           and modify the process state in other processes, regardless of
           ownership. When modifying another process, additional
           restrictions apply: the effective privilege set of the
           attaching process must be a superset of the target process's
           effective, permitted, and inheritable sets; the limit set must
           be a superset of the target's limit set; if the target process
           has any UID set to 0, all privileges must be asserted unless
           the effective UID is 0. Allow a process to bind arbitrary
           processes to CPUs.

       PRIV_PROC_PRIOCNTL

           Allow a process to elevate its priority above its current
           level. Allow a process to change its scheduling class to any
           scheduling class, including the RT class.

       PRIV_PROC_SESSION

           Allow a process to send signals or trace processes outside its
           session.

       PRIV_PROC_SETID

           Allow a process to set its UIDs at will; assuming UID 0 (that
           is, taking it on) requires all privileges to be asserted.

       PRIV_PROC_TASKID

           Allow a process to assign a new task ID to the calling process.

       PRIV_PROC_ZONE

           Allow a process to trace or send signals to processes in other
           zones. See zones(5).

       PRIV_SYS_ACCT

           Allow a process to enable, disable and manage accounting
           through acct(2).

       PRIV_SYS_ADMIN

           Allow a process to perform system administration tasks such as
           setting the node and domain name and specifying coreadm(1M) and
           nscd(1M) settings.

       PRIV_SYS_AUDIT

           Allow a process to start the (kernel) audit daemon. Allow a
           process to view and set audit state (audit user ID, audit
           terminal ID, audit session ID, audit pre-selection mask). Allow
           a process to turn auditing off and on. Allow a process to
           configure the audit parameters (cache and queue sizes, event to
           class mappings, and policy options).

       PRIV_SYS_CONFIG

           Allow a process to perform various system configuration tasks.
           Allow filesystem-specific administrative procedures, such as
           filesystem configuration ioctls, quota calls, creation and
           deletion of snapshots, and manipulating the PCFS bootsector.

       PRIV_SYS_DEVICES

           Allow a process to create device special files. Allow a process
           to successfully call a kernel module that calls the kernel
           drv_priv(9F) function to check for allowed access. Allow a
           process to open the real console device directly. Allow a
           process to open devices that have been exclusively opened.

       PRIV_SYS_DL_CONFIG

           Allow a process to configure a system's datalink interfaces.

       PRIV_SYS_IP_CONFIG

           Allow a process to configure a system's IP interfaces and
           routes. Allow a process to configure network parameters for
           TCP/IP using ndd. Allow a process access to otherwise restricted
           TCP/IP information using ndd. Allow a process to configure
           IPsec. Allow a process to pop anchored STREAMS modules with
           matching zoneid.

       PRIV_SYS_IPC_CONFIG

           Allow a process to increase the size of a System V IPC Message
           Queue buffer.

       PRIV_SYS_LINKDIR

           Allow a process to unlink and link directories.

       PRIV_SYS_MOUNT

           Allow a process to mount and unmount filesystems that would
           otherwise be restricted (that is, most filesystems except
           namefs). Allow a process to add and remove swap devices.

       PRIV_SYS_NET_CONFIG

           Allow a process to do all that PRIV_SYS_IP_CONFIG,
           PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
           following: use the rpcmod STREAMS module and insert/remove
           STREAMS modules at locations other than the top of the module
           stack.

       PRIV_SYS_NFS

           Allow a process to provide NFS service: start NFS kernel
           threads, perform NFS locking operations, and bind to the NFS
           reserved ports: port 2049 (nfs) and port 4045 (lockd).

       PRIV_SYS_PPP_CONFIG

           Allow a process to create, configure, and destroy PPP instances
           with pppd(1M) and control PPPoE plumbing with sppptun(1M). This
           privilege is granted by default to exclusive IP stack instance
           zones.

       PRIV_SYS_RES_CONFIG

           Allow a process to create and delete processor sets, assign
           CPUs to processor sets and override the PSET_NOESCAPE property.
           Allow a process to change the operational status of CPUs in the
           system using p_online(2). Allow a process to configure
           filesystem quotas. Allow a process to configure resource pools
           and bind processes to pools.

       PRIV_SYS_RESOURCE

           Allow a process to exceed the resource limits imposed on it by
           setrlimit(2) and setrctl(2).

       PRIV_SYS_SMB

           Allow a process to provide NetBIOS or SMB services: start SMB
           kernel threads or bind to the NetBIOS or SMB reserved ports:
           ports 137, 138, 139 (NetBIOS) and 445 (SMB).

       PRIV_SYS_SUSER_COMPAT

           Allow a process to successfully call a third party loadable
           module that calls the kernel suser() function to check for
           allowed access. This privilege exists only for third party
           loadable module compatibility and is not used by Solaris
           proper.

       PRIV_SYS_TIME

           Allow a process to manipulate system time using any of the
           appropriate system calls: stime(2), adjtime(2), and
           ntp_adjtime(2).

       PRIV_SYS_TRANS_LABEL

           Allow a process to translate labels that are not dominated by
           the process's sensitivity label to and from an external string
           form.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_VIRT_MANAGE

           Allow a process to manage virtualized environments such as
           xVM(5).

       PRIV_WIN_COLORMAP

           Allow a process to override colormap restrictions.

           Allow a process to install or remove colormaps.

           Allow a process to retrieve colormap cell entries allocated by
           other processes.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_CONFIG

           Allow a process to configure or destroy resources that are
           permanently retained by the X server.

           Allow a process to use SetScreenSaver to set the screen saver
           timeout value.

           Allow a process to use ChangeHosts to modify the display access
           control list.

           Allow a process to use GrabServer.

           Allow a process to use the SetCloseDownMode request that can
           retain window, pixmap, colormap, property, cursor, font, or
           graphic context resources.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_DAC_READ

           Allow a process to read from a window resource that it does not
           own (has a different user ID).

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_DAC_WRITE

           Allow a process to write to or create a window resource that it
           does not own (has a different user ID). A newly created window
           property is created with the window's user ID.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_DEVICES

           Allow a process to perform operations on window input devices.

           Allow a process to get and set keyboard and pointer controls.

           Allow a process to modify pointer button and key mappings.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_DGA

           Allow a process to use the direct graphics access (DGA) X
           protocol extensions. Direct process access to the frame buffer
           is still required. Thus the process must have MAC and DAC
           privileges that allow access to the frame buffer, or the frame
           buffer must be allocated to the process.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_DOWNGRADE_SL

           Allow a process to set the sensitivity label of a window
           resource to a sensitivity label that does not dominate the
           existing sensitivity label.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_FONTPATH

           Allow a process to set a font path.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_MAC_READ

           Allow a process to read from a window resource whose
           sensitivity label is not equal to the process sensitivity
           label.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_MAC_WRITE

           Allow a process to create a window resource whose sensitivity
           label is not equal to the process sensitivity label. A newly
           created window property is created with the window's
           sensitivity label.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_SELECTION

           Allow a process to request inter-window data moves without the
           intervention of the selection confirmer.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_WIN_UPGRADE_SL

           Allow a process to set the sensitivity label of a window
           resource to a sensitivity label that dominates the existing
           sensitivity label.

           This privilege is interpreted only if the system is configured
           with Trusted Extensions.

       PRIV_XVM_CONTROL

           Allow a process access to the xVM(5) control devices for
           managing guest domains and the hypervisor. This privilege is
           used only if booted into xVM on x86 platforms.

       Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
       PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK and PRIV_PROC_EXEC
       are considered "basic" privileges. These are privileges that used to
       be always available to unprivileged processes. By default, processes
       still have the basic privileges.

       The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
       the Limit set (see below) of a process in order for set-uid root
       execs to be successful, that is, to get an effective UID of 0 and
       additional privileges.

       The privilege implementation in Solaris extends the process
       credential with four privilege sets:

       I, the inheritable set    The privileges inherited on exec.

       P, the permitted set      The maximum set of privileges for the
                                 process.

       E, the effective set      The privileges currently in effect.

       L, the limit set          The upper bound of the privileges a process
                                 and its offspring can obtain. Changes to L
                                 take effect on the next exec.

       The sets I, P and E are typically identical to the basic set of
       privileges for unprivileged processes. The limit set is typically the
       full set of privileges.

       Each process has a Privilege Awareness State (PAS) that can take the
       value PA (privilege-aware) or NPA (not privilege-aware). PAS is a
       transitional mechanism that allows a choice between full
       compatibility with the old superuser model and completely ignoring
       the effective UID.

       To facilitate the discussion, we introduce the notion of the
       "observed effective set" (oE) and "observed permitted set" (oP) and
       the implementation sets iE and iP.

       A process becomes privilege-aware either by manipulating the
       effective, permitted, or limit privilege sets through setppriv(2) or
       by using setpflags(2). In all cases, oE and oP are invariant in the
       process of becoming privilege-aware. In the process of becoming
       privilege-aware, the following assignments take place:

         iE = oE
         iP = oP

       When a process is privilege-aware, oE and oP are invariant under UID
       changes. When a process is not privilege-aware, oE and oP are
       observed as follows:

         oE = euid == 0 ? L : iE
         oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP

       When a non-privilege-aware process has an effective UID of 0, it can
       exercise the privileges contained in its limit set, the upper bound
       of its privileges. If a non-privilege-aware process has any of its
       UIDs set to 0, it appears to be capable of potentially exercising all
       privileges in L.

       It is possible for a process to return to the non-privilege-aware
       state using setpflags(). The kernel always attempts this on exec(2).
       This operation is permitted only if the following conditions are
       met:

           o      If any of the UIDs is equal to 0, P must be equal to L.

           o      If the effective UID is equal to 0, E must be equal to L.

       When a process gives up privilege awareness, the following
       assignments take place:

         if (euid == 0) iE = L & I
         if (any uid == 0) iP = L & I

       The privileges obtained when not having a UID of 0 are the
       inheritable set of the process restricted by the limit set.

       Only privileges in the process's (observed) effective privilege set
       allow the process to perform restricted operations. A process can
       use any of the privilege manipulation functions to add or remove
       privileges from the privilege sets. Privileges can always be
       removed. Only privileges found in the permitted set can be added to
       the effective and inheritable set. The limit set cannot grow. The
       inheritable set can be larger than the permitted set.

       When a process performs an exec(2), the kernel first tries to
       relinquish privilege awareness before making the following privilege
       set modifications:

         E' = P' = I' = L & I
         L is unchanged

       If a process has not manipulated its privileges, the privilege sets
       effectively remain the same, as E, P and I are already identical.

       The limit set is enforced at exec time.

       To run a non-privilege-aware application in a backward-compatible
       manner, a privilege-aware application should start the
       non-privilege-aware application with I=basic.

       For most privileges, absence of the privilege simply results in a
       failure. In some instances, the absence of a privilege can cause
       system calls to behave differently. In other instances, the removal
       of a privilege can force a set-uid application to seriously
       malfunction. Privileges of this type are considered "unsafe". When a
       process is lacking any of the unsafe privileges from its limit set,
       the system does not honor the set-uid bit of set-uid root
       applications. The following unsafe privileges have been identified:
       proc_setid, sys_resource and proc_audit.

   Privilege Escalation
       In certain circumstances, a single privilege could lead to a process
       gaining one or more additional privileges that were not explicitly
       granted to that process. To prevent such an escalation of
       privileges, the security policy requires explicit permission for
       those additional privileges.

       Common examples of escalation are those mechanisms that allow
       modification of system resources through "raw" interfaces; for
       example, changing kernel data structures through /dev/kmem or
       changing files through /dev/dsk/*. Escalation also occurs when a
       process controls processes with more privileges than the controlling
       process. A special case of this is manipulating or creating objects
       owned by UID 0 or trying to obtain UID 0 using setuid(2). The special
       treatment of UID 0 is needed because UID 0 owns all system
       configuration files and ordinary file protection mechanisms allow
       processes with UID 0 to modify the system configuration. With
       appropriate file modifications, a given process running with an
       effective UID of 0 can gain all privileges.

       In situations where a process might obtain UID 0, the security
       policy requires additional privileges, up to the full set of
       privileges. Such restrictions could be relaxed or removed at such
       time as additional mechanisms for protection of system files become
       available. There are no such mechanisms in the current Solaris
       release.

       The use of UID 0 processes should be limited as much as possible.
       They should be replaced with programs running under a different UID
       but with exactly the privileges they need.

       Daemons that never need to exec subprocesses should remove the
       PRIV_PROC_EXEC privilege from their permitted and limit sets.
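       The set rules above (the observed sets oE and oP, becoming and giving
       up privilege awareness, the exec transition E' = P' = I' = L & I, and
       the advice that a daemon drop PRIV_PROC_EXEC from P and L) can be
       exercised in a small model. The C program below is an added example
       written for this page; it is not Solaris source and calls neither
       setppriv(2) nor the priv_*(3C) routines. The privilege names are a
       constructed subset with arbitrary bit values, the cred structure is
       a simplification, and the rule that E shrinks along with P is an
       assumption of the model rather than a statement of this page.

```c
/* Model of the privilege-set rules in privileges(5): sets I, P, E, L, the
 * Privilege Awareness State, and the transitions on set manipulation, on
 * giving up awareness and on exec(2). Added example, not Solaris code; the
 * privilege names are a constructed subset with arbitrary bit values. */
#include <stdbool.h>
#include <stdint.h>

typedef uint64_t privset_t;
enum {   /* constructed subset of the privileges listed on this page */
    PRIV_FILE_LINK_ANY = 1u << 0, PRIV_PROC_INFO = 1u << 1, PRIV_PROC_SESSION = 1u << 2,
    PRIV_PROC_FORK = 1u << 3, PRIV_PROC_EXEC = 1u << 4, PRIV_NET_PRIVADDR = 1u << 5,
    PRIV_SYS_MOUNT = 1u << 6
};
#define PRIV_ALL   ((privset_t)(1u << 7) - 1)
#define PRIV_BASIC (PRIV_FILE_LINK_ANY | PRIV_PROC_INFO | PRIV_PROC_SESSION | \
                    PRIV_PROC_FORK | PRIV_PROC_EXEC)

struct cred {
    uint32_t ruid, euid, suid;
    privset_t iE, iP, I, L;   /* implementation sets iE and iP, plus I and L */
    bool pa;                  /* privilege-aware (PA) or not (NPA) */
};
static bool any_uid_zero(const struct cred *c) {
    return c->ruid == 0 || c->euid == 0 || c->suid == 0;
}
/* Observed sets: for an NPA process oE = euid == 0 ? L : iE and
 * oP = (any uid == 0) ? L : iP; for a PA process they are iE and iP. */
privset_t observed_E(const struct cred *c) {
    return (!c->pa && c->euid == 0) ? c->L : c->iE;
}
privset_t observed_P(const struct cred *c) {
    return (!c->pa && any_uid_zero(c)) ? c->L : c->iP;
}
/* Becoming PA keeps oE and oP invariant: iE = oE, iP = oP. */
void become_pa(struct cred *c) {
    privset_t oE = observed_E(c), oP = observed_P(c);
    c->iE = oE; c->iP = oP; c->pa = true;
}
/* Giving up PA needs P == L if any UID is 0 and E == L if euid == 0; the
 * implementation sets then collapse to L & I. */
bool relinquish_pa(struct cred *c) {
    if (!c->pa) return true;
    if (any_uid_zero(c) && c->iP != c->L) return false;
    if (c->euid == 0 && c->iE != c->L) return false;
    if (c->euid == 0) c->iE = c->L & c->I;
    if (any_uid_zero(c)) c->iP = c->L & c->I;
    c->pa = false;
    return true;
}
/* Adding: only privileges in (observed) P may enter E or I; P and L never
 * grow. Manipulating E makes the process PA; manipulating I does not. */
bool priv_add(struct cred *c, char set, privset_t s) {
    if (s & ~observed_P(c)) return false;
    if (set == 'E') { become_pa(c); c->iE |= s; return true; }
    if (set == 'I') { c->I |= s; return true; }
    return false;
}
/* Removing is always permitted. Shrinking P also shrinks E so that E stays
 * a subset of P (an assumption of this model, not stated on the page). */
void priv_remove(struct cred *c, char set, privset_t s) {
    if (set != 'I') become_pa(c);
    switch (set) {
    case 'E': c->iE &= ~s; break;
    case 'P': c->iP &= ~s; c->iE &= ~s; break;
    case 'I': c->I &= ~s; break;
    case 'L': c->L &= ~s; break;      /* enforced at the next exec */
    }
}
/* exec(2): the kernel first tries to drop PA, then E' = P' = I' = L & I. */
void do_exec(struct cred *c) {
    (void)relinquish_pa(c);
    c->iE = c->iP = c->I = c->L & c->I;
}

/* Scenario 1: a set-uid root program (ruid 1000, euid/suid 0), basic sets. */
privset_t setuid_root_observed_E(void) {
    struct cred c = { 1000, 0, 0, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL, false };
    return observed_E(&c);          /* all of L, because euid == 0 and NPA */
}
privset_t setuid_root_iE_after_roundtrip(void) {
    struct cred c = { 1000, 0, 0, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL, false };
    become_pa(&c);                  /* iE = iP = L */
    relinquish_pa(&c);              /* iE = iP = L & I = basic */
    return c.iE;
}
bool root_relinquish_after_shrinking_P(void) {
    struct cred c = { 0, 0, 0, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL, false };
    priv_remove(&c, 'P', PRIV_SYS_MOUNT);   /* P != L while a UID is 0 */
    return relinquish_pa(&c);               /* refused */
}
/* Scenario 2: a non-root daemon that never execs drops PRIV_PROC_EXEC from
 * P and L, as advised above; it cannot regain it, even across an exec. */
privset_t daemon_E_after_exec(void) {
    privset_t ipe = PRIV_BASIC | PRIV_NET_PRIVADDR;
    struct cred c = { 1000, 1000, 1000, ipe, ipe, ipe, PRIV_ALL, false };
    priv_remove(&c, 'P', PRIV_PROC_EXEC);
    priv_remove(&c, 'L', PRIV_PROC_EXEC);
    if (priv_add(&c, 'E', PRIV_PROC_EXEC)) return 0;   /* must fail */
    do_exec(&c);                    /* E' = L & I lacks it too */
    return c.iE;
}
```

       The two scenarios show the asymmetry this page describes: a
       non-privilege-aware set-uid root process observes all of L, but once
       it has touched its sets and given awareness up again its
       implementation sets are only L & I; a daemon that removes
       PRIV_PROC_EXEC from P and L can never add it back, and exec cannot
       restore it because I & L no longer contains it.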

   Assigned Privileges and Safeguards
       When privileges are assigned to a user, the system administrator
       could give that user more powers than intended. The administrator
       should consider whether safeguards are needed. For example, if the
       PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
       should consider setting the project.max-locked-memory resource
       control as well, to prevent that user from locking all memory.

   Privilege Debugging
       When a system call fails with a permission error, it is not always
       immediately obvious what caused the problem. To debug such a
       problem, you can use a tool called privilege debugging. When
       privilege debugging is enabled for a process, the kernel reports
       missing privileges on the controlling terminal of the process.
       (Enable debugging for a process with the -D option of ppriv(1).)
       Additionally, the administrator can enable system-wide privilege
       debugging by setting the system(4) variable priv_debug using:

         set priv_debug = 1

       On a running system, you can use mdb(1) to change this variable.

   Privilege Administration
       The Solaris Management Console (see smc(1M)) is the preferred method
       of modifying privileges for a command. Use usermod(1M) or smrole(1M)
       to assign privileges to or modify privileges for, respectively, a
       user or a role. Use ppriv(1) to enumerate the privileges supported
       on a system and truss(1) to determine which privileges a program
       requires.

SEE ALSO
       mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
       pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M),
       Intro(2), access(2), acct(2), acl(2), adjtime(2), audit(2),
       auditon(2), chmod(2), chown(2), chroot(2), creat(2), exec(2),
       fcntl(2), fork(2), fpathconf(2), getacct(2), getpflags(2),
       getppriv(2), getsid(2), kill(2), link(2), memcntl(2), mknod(2),
       mount(2), msgctl(2), nice(2), ntp_adjtime(2), open(2), p_online(2),
       priocntl(2), priocntlset(2), processor_bind(2), pset_bind(2),
       pset_create(2), readlink(2), resolvepath(2), rmdir(2), semctl(2),
       setauid(2), setegid(2), seteuid(2), setgid(2), setgroups(2),
       setpflags(2), setppriv(2), setrctl(2), setregid(2), setreuid(2),
       setrlimit(2), settaskid(2), setuid(2), shmctl(2), shmget(2),
       shmop(2), sigsend(2), stat(2), statvfs(2), stime(2), swapctl(2),
       sysinfo(2), uadmin(2), ulimit(2), umount(2), unlink(2), utime(2),
       utimes(2), bind(3SOCKET), door_ucred(3C), priv_addset(3C),
       priv_set(3C), priv_getbyname(3C), priv_getbynum(3C),
       priv_set_to_str(3C), priv_str_to_set(3C), socket(3SOCKET),
       t_bind(3NSL), timer_create(3C), ucred_get(3C), exec_attr(4),
       proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
       drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
       priv_policy_choice(9F), priv_policy_only(9F)

       System Administration Guide: Security Services

SunOS 5.11                        29 May 2009                    privileges(5)