privileges(5)          Standards, Environments, and Macros          privileges(5)

NAME
     privileges - process privilege model

DESCRIPTION
     Solaris software implements a set of privileges that provide fine-grained
     control over the actions of processes. The possession of a certain
     privilege allows a process to perform a specific set of restricted
     operations.

     The change to a primarily privilege-based security model in the Solaris
     operating system gives developers an opportunity to restrict processes to
     those privileged operations actually needed instead of all (super-user)
     or no privileges (non-zero UIDs). Additionally, a set of previously
     unrestricted operations now requires a privilege; these privileges are
     dubbed the "basic" privileges and are by default given to all processes.

     Taken together, all defined privileges with the exception of the "basic"
     privileges compose the set of privileges that are traditionally
     associated with the root user. The "basic" privileges are "privileges"
     unprivileged processes were accustomed to having.

     The defined privileges are:

     PRIV_CONTRACT_EVENT
         Allow a process to request reliable delivery of events to an event
         endpoint.

         Allow a process to include events in the critical event set term of a
         template which could be generated in volume by the user.

     PRIV_CONTRACT_IDENTITY
         Allow a process to set the service FMRI value of a process contract
         template.

     PRIV_CONTRACT_OBSERVER
         Allow a process to observe contract events generated by contracts
         created and owned by users other than the process's effective user
         ID.

         Allow a process to open contract event endpoints belonging to
         contracts created and owned by users other than the process's
         effective user ID.

     PRIV_CPC_CPU
         Allow a process to access per-CPU hardware performance counters.

     PRIV_DTRACE_KERNEL
         Allow DTrace kernel-level tracing.

     PRIV_DTRACE_PROC
         Allow DTrace process-level tracing. Allow process-level tracing
         probes to be placed and enabled in processes to which the user has
         permissions.

     PRIV_DTRACE_USER
         Allow DTrace user-level tracing. Allow use of the syscall and profile
         DTrace providers to examine processes to which the user has
         permissions.

     PRIV_FILE_CHOWN
         Allow a process to change a file's owner user ID. Allow a process to
         change a file's group ID to one other than the process's effective
         group ID or one of the process's supplemental group IDs.

     PRIV_FILE_CHOWN_SELF
         Allow a process to give away its files. A process with this privilege
         runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.

     PRIV_FILE_DAC_EXECUTE
         Allow a process to execute an executable file whose permission bits
         or ACL would otherwise disallow the process execute permission.

     PRIV_FILE_DAC_READ
         Allow a process to read a file or directory whose permission bits or
         ACL would otherwise disallow the process read permission.

     PRIV_FILE_DAC_SEARCH
         Allow a process to search a directory whose permission bits or ACL
         would not otherwise allow the process search permission.

     PRIV_FILE_DAC_WRITE
         Allow a process to write a file or directory whose permission bits or
         ACL do not allow the process write permission. All privileges are
         required to write files owned by UID 0 in the absence of an effective
         UID of 0.

     PRIV_FILE_DOWNGRADE_SL
         Allow a process to set the sensitivity label of a file or directory
         to a sensitivity label that does not dominate the existing
         sensitivity label.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_FILE_LINK_ANY
         Allow a process to create hardlinks to files owned by a UID different
         from the process's effective UID.

     PRIV_FILE_OWNER
         Allow a process that is not the owner of a file to modify that file's
         access and modification times. Allow a process that is not the owner
         of a directory to modify that directory's access and modification
         times. Allow a process that is not the owner of a file or directory
         to remove or rename a file or directory whose parent directory has
         the "save text image after execution" (sticky) bit set. Allow a
         process that is not the owner of a file to mount a namefs upon that
         file. Allow a process that is not the owner of a file or directory to
         modify that file's or directory's permission bits or ACL.

     PRIV_FILE_SETID
         Allow a process to change the ownership of a file or write to a file
         without the set-user-ID and set-group-ID bits being cleared. Allow a
         process to set the set-group-ID bit on a file or directory whose
         group is not the process's effective group or one of the process's
         supplemental groups. Allow a process to set the set-user-ID bit on a
         file with different ownership in the presence of PRIV_FILE_OWNER.
         Additional restrictions apply when creating or modifying a setuid 0
         file.

     PRIV_FILE_UPGRADE_SL
         Allow a process to set the sensitivity label of a file or directory
         to a sensitivity label that dominates the existing sensitivity label.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_FILE_FLAG_SET
         Allow a process to set immutable, nounlink or appendonly file
         attributes.

     PRIV_GRAPHICS_ACCESS
         Allow a process to make privileged ioctls to graphics devices.
         Typically only an xserver process needs to have this privilege. A
         process with this privilege is also allowed to perform privileged
         graphics device mappings.

     PRIV_GRAPHICS_MAP
         Allow a process to perform privileged mappings through a graphics
         device.

     PRIV_IPC_DAC_READ
         Allow a process to read a System V IPC Message Queue, Semaphore Set,
         or Shared Memory Segment whose permission bits would not otherwise
         allow the process read permission.

     PRIV_IPC_DAC_WRITE
         Allow a process to write a System V IPC Message Queue, Semaphore Set,
         or Shared Memory Segment whose permission bits would not otherwise
         allow the process write permission.

     PRIV_IPC_OWNER
         Allow a process that is not the owner of a System V IPC Message
         Queue, Semaphore Set, or Shared Memory Segment to remove, change
         ownership of, or change permission bits of the Message Queue,
         Semaphore Set, or Shared Memory Segment.

     PRIV_NET_BINDMLP
         Allow a process to bind to a port that is configured as a multi-level
         port (MLP) for the process's zone. This privilege applies to both
         shared address and zone-specific address MLPs. See tnzonecfg(4) from
         the Trusted Extensions manual pages for information on configuring
         MLP ports.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_NET_ICMPACCESS
         Allow a process to send and receive ICMP packets.

     PRIV_NET_MAC_AWARE
         Allow a process to set the NET_MAC_AWARE process flag by using
         setpflags(2). This privilege also allows a process to set the
         SO_MAC_EXEMPT socket option by using setsockopt(3SOCKET). The
         NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both
         allow a local process to communicate with an unlabeled peer if the
         local process's label dominates the peer's default label, or if the
         local process runs in the global zone.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_NET_OBSERVABILITY
         Allow a process to open a device for receiving network traffic only;
         sending traffic is disallowed.

     PRIV_NET_PRIVADDR
         Allow a process to bind to a privileged port number. The privileged
         port numbers are 1-1023 (the traditional UNIX privileged ports) as
         well as those ports marked as "udp/tcp_extra_priv_ports", with the
         exception of the ports reserved for use by NFS and SMB.

     PRIV_NET_RAWACCESS
         Allow a process to have direct access to the network layer.

     PRIV_PROC_AUDIT
         Allow a process to generate audit records. Allow a process to get its
         own audit pre-selection information.

     PRIV_PROC_CHROOT
         Allow a process to change its root directory.

     PRIV_PROC_CLOCK_HIGHRES
         Allow a process to use high resolution timers.

     PRIV_PROC_EXEC
         Allow a process to call exec(2).

     PRIV_PROC_FORK
         Allow a process to call fork(2), fork1(2), or vfork(2).

     PRIV_PROC_INFO
         Allow a process to examine the status of processes other than those
         to which it can send signals. Processes that cannot be examined
         cannot be seen in /proc and appear not to exist.

     PRIV_PROC_LOCK_MEMORY
         Allow a process to lock pages in physical memory.

     PRIV_PROC_OWNER
         Allow a process to send signals to other processes and inspect and
         modify the process state in other processes, regardless of
         ownership. When modifying another process, additional restrictions
         apply: the effective privilege set of the attaching process must be
         a superset of the target process's effective, permitted, and
         inheritable sets; the limit set must be a superset of the target's
         limit set; if the target process has any UID set to 0, all
         privileges must be asserted unless the effective UID is 0. Allow a
         process to bind arbitrary processes to CPUs.

     PRIV_PROC_PRIOCNTL
         Allow a process to elevate its priority above its current level.
         Allow a process to change its scheduling class to any scheduling
         class, including the RT class.

     PRIV_PROC_SESSION
         Allow a process to send signals or trace processes outside its
         session.

     PRIV_PROC_SETID
         Allow a process to set its UIDs at will; assuming UID 0 requires all
         privileges to be asserted.

     PRIV_PROC_TASKID
         Allow a process to assign a new task ID to the calling process.

     PRIV_PROC_ZONE
         Allow a process to trace or send signals to processes in other
         zones. See zones(5).

     PRIV_SYS_ACCT
         Allow a process to enable, disable and manage accounting through
         acct(2).

     PRIV_SYS_ADMIN
         Allow a process to perform system administration tasks such as
         setting node and domain name and specifying coreadm(1M) and nscd(1M)
         settings.

     PRIV_SYS_AUDIT
         Allow a process to start the (kernel) audit daemon. Allow a process
         to view and set audit state (audit user ID, audit terminal ID, audit
         session ID, audit pre-selection mask). Allow a process to turn
         auditing off and on. Allow a process to configure the audit
         parameters (cache and queue sizes, event to class mappings, and
         policy options).

     PRIV_SYS_CONFIG
         Allow a process to perform various system configuration tasks. Allow
         filesystem-specific administrative procedures, such as filesystem
         configuration ioctls, quota calls, creation and deletion of
         snapshots, and manipulating the PCFS bootsector.

     PRIV_SYS_DEVICES
         Allow a process to create device special files. Allow a process to
         successfully call a kernel module that calls the kernel drv_priv(9F)
         function to check for allowed access. Allow a process to open the
         real console device directly. Allow a process to open devices that
         have been exclusively opened.

     PRIV_SYS_DL_CONFIG
         Allow a process to configure a system's datalink interfaces.

     PRIV_SYS_IP_CONFIG
         Allow a process to configure a system's IP interfaces and routes.
         Allow a process to configure network parameters for TCP/IP using
         ndd. Allow a process access to otherwise restricted TCP/IP
         information using ndd. Allow a process to configure IPsec. Allow a
         process to pop anchored STREAMS modules with matching zoneid.

     PRIV_SYS_IPC_CONFIG
         Allow a process to increase the size of a System V IPC Message Queue
         buffer.

     PRIV_SYS_LINKDIR
         Allow a process to unlink and link directories.

     PRIV_SYS_MOUNT
         Allow a process to mount and unmount filesystems that would
         otherwise be restricted (that is, most filesystems except namefs).
         Allow a process to add and remove swap devices.

     PRIV_SYS_NET_CONFIG
         Allow a process to do all that PRIV_SYS_IP_CONFIG,
         PRIV_SYS_DL_CONFIG, and PRIV_SYS_PPP_CONFIG allow, plus the
         following: use the rpcmod STREAMS module and insert/remove STREAMS
         modules on locations other than the top of the module stack.

     PRIV_SYS_NFS
         Allow a process to provide NFS service: start NFS kernel threads,
         perform NFS locking operations, bind to NFS reserved ports: port 2049
         (nfs) and port 4045 (lockd).

     PRIV_SYS_PPP_CONFIG
         Allow a process to create, configure, and destroy PPP instances with
         pppd(1M) and control PPPoE plumbing with sppptun(1M). This privilege
         is granted by default to exclusive IP stack instance zones.

     PRIV_SYS_RES_CONFIG
         Allow a process to create and delete processor sets, assign CPUs to
         processor sets and override the PSET_NOESCAPE property. Allow a
         process to change the operational status of CPUs in the system using
         p_online(2). Allow a process to configure filesystem quotas. Allow a
         process to configure resource pools and bind processes to pools.

     PRIV_SYS_RESOURCE
         Allow a process to exceed the resource limits imposed on it by
         setrlimit(2) and setrctl(2).

     PRIV_SYS_SMB
         Allow a process to provide NetBIOS or SMB services: start SMB kernel
         threads or bind to NetBIOS or SMB reserved ports: ports 137, 138,
         139 (NetBIOS) and 445 (SMB).

     PRIV_SYS_SUSER_COMPAT
         Allow a process to successfully call a third party loadable module
         that calls the kernel suser() function to check for allowed access.
         This privilege exists only for third party loadable module
         compatibility and is not used by Solaris proper.

     PRIV_SYS_TIME
         Allow a process to manipulate system time using any of the
         appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).

     PRIV_SYS_TRANS_LABEL
         Allow a process to translate labels that are not dominated by the
         process's sensitivity label to and from an external string form.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_VIRT_MANAGE
         Allow a process to manage virtualized environments such as xVM(5).

     PRIV_WIN_COLORMAP
         Allow a process to override colormap restrictions.

         Allow a process to install or remove colormaps.

         Allow a process to retrieve colormap cell entries allocated by other
         processes.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_CONFIG
         Allow a process to configure or destroy resources that are
         permanently retained by the X server.

         Allow a process to use SetScreenSaver to set the screen saver timeout
         value.

         Allow a process to use ChangeHosts to modify the display access
         control list.

         Allow a process to use GrabServer.

         Allow a process to use the SetCloseDownMode request that can retain
         window, pixmap, colormap, property, cursor, font, or graphic context
         resources.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_DAC_READ
         Allow a process to read from a window resource that it does not own
         (has a different user ID).

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_DAC_WRITE
         Allow a process to write to or create a window resource that it does
         not own (has a different user ID). A newly created window property
         is created with the window's user ID.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_DEVICES
         Allow a process to perform operations on window input devices.

         Allow a process to get and set keyboard and pointer controls.

         Allow a process to modify pointer button and key mappings.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_DGA
         Allow a process to use the direct graphics access (DGA) X protocol
         extensions. Direct process access to the frame buffer is still
         required. Thus the process must have MAC and DAC privileges that
         allow access to the frame buffer, or the frame buffer must be
         allocated to the process.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_DOWNGRADE_SL
         Allow a process to set the sensitivity label of a window resource to
         a sensitivity label that does not dominate the existing sensitivity
         label.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_FONTPATH
         Allow a process to set a font path.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_MAC_READ
         Allow a process to read from a window resource whose sensitivity
         label is not equal to the process sensitivity label.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_MAC_WRITE
         Allow a process to create a window resource whose sensitivity label
         is not equal to the process sensitivity label. A newly created
         window property is created with the window's sensitivity label.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_SELECTION
         Allow a process to request inter-window data moves without the
         intervention of the selection confirmer.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_WIN_UPGRADE_SL
         Allow a process to set the sensitivity label of a window resource to
         a sensitivity label that dominates the existing sensitivity label.

         This privilege is interpreted only if the system is configured with
         Trusted Extensions.

     PRIV_XVM_CONTROL
         Allow a process access to the xVM(5) control devices for managing
         guest domains and the hypervisor. This privilege is used only if
         booted into xVM on x86 platforms.

     Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
     PRIV_PROC_INFO, PRIV_PROC_SESSION, PRIV_PROC_FORK and PRIV_PROC_EXEC are
     considered "basic" privileges. These are privileges that used to be
     always available to unprivileged processes. By default, processes still
     have the basic privileges.

     The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in the
     Limit set (see below) of a process in order for set-uid root execs to be
     successful, that is, to get an effective UID of 0 and additional
     privileges.

     The privilege implementation in Solaris extends the process credential
     with four privilege sets:

     I, the inheritable set   The privileges inherited on exec.

     P, the permitted set     The maximum set of privileges for the process.

     E, the effective set     The privileges currently in effect.

     L, the limit set         The upper bound of the privileges a process and
                              its offspring can obtain. Changes to L take
                              effect on the next exec.

     The sets I, P and E are typically identical to the basic set of
     privileges for unprivileged processes. The limit set is typically the
     full set of privileges.

     Each process has a Privilege Awareness State (PAS) that can take the
     value PA (privilege-aware) or NPA (not-PA). PAS is a transitional
     mechanism that allows a choice between full compatibility with the old
     superuser model and completely ignoring the effective UID.

     To facilitate the discussion, we introduce the notion of "observed
     effective set" (oE) and "observed permitted set" (oP) and the
     implementation sets iE and iP.

     A process becomes privilege-aware either by manipulating the effective,
     permitted, or limit privilege sets through setppriv(2) or by using
     setpflags(2). In all cases, oE and oP are invariant in the process of
     becoming privilege-aware. In the process of becoming privilege-aware,
     the following assignments take place:

         iE = oE
         iP = oP

     When a process is privilege-aware, oE and oP are invariant under UID
     changes. When a process is not privilege-aware, oE and oP are observed
     as follows:

         oE = euid == 0 ? L : iE
         oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP

     When a non-privilege-aware process has an effective UID of 0, it can
     exercise the privileges contained in its limit set, the upper bound of
     its privileges. If a non-privilege-aware process has any of its UIDs set
     to 0, it appears to be capable of potentially exercising all privileges
     in L.

     It is possible for a process to return to the non-privilege-aware state
     using setpflags(). The kernel always attempts this on exec(2). This
     operation is permitted only if the following conditions are met:

         o  If any of the UIDs is equal to 0, P must be equal to L.

         o  If the effective UID is equal to 0, E must be equal to L.

     When a process gives up privilege awareness, the following assignments
     take place:

         if (euid == 0) iE = L & I
         if (any uid == 0) iP = L & I

     The privileges obtained when not having a UID of 0 are the inheritable
     set of the process restricted by the limit set.

     Only privileges in the process's (observed) effective privilege set
     allow the process to perform restricted operations. A process can use
     any of the privilege manipulation functions to add or remove privileges
     from the privilege sets. Privileges can always be removed. Only
     privileges found in the permitted set can be added to the effective and
     inheritable set. The limit set cannot grow. The inheritable set can be
     larger than the permitted set.

     When a process performs an exec(2), the kernel first tries to relinquish
     privilege awareness before making the following privilege set
     modifications:

         E' = P' = I' = L & I
         L is unchanged

     If a process has not manipulated its privileges, the privilege sets
     effectively remain the same, as E, P and I are already identical.

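     The rules in the preceding paragraphs (the observed sets oE and oP, the
     iE = oE / iP = oP assignment on becoming privilege-aware, the two
     conditions for giving up awareness, the "removal always, addition only
     from P, L never grows" manipulation rules, and the exec-time
     E' = P' = I' = L & I transition) fit together into a small state machine.
     The following is an added worked example that is not code from this
     manual page or from the Solaris kernel. It assumes 64-bit masks in place
     of priv_set_t, constructed bit values for the privileges it names, and
     two modelling choices the page does not spell out: P is treated like L
     and never grows, and clearing a bit in P also clears it in E. The set-uid
     root handling follows the "unsafe privileges" rule from later in this
     page (proc_setid, sys_resource and proc_audit must all be in L).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Privilege sets as 64-bit masks (assumption of this model, not priv_set_t).
 * Bit positions are constructed for the example. */
typedef uint64_t privset_t;
#define PRIV_PROC_EXEC     ((privset_t)1 << 0)
#define PRIV_PROC_FORK     ((privset_t)1 << 1)
#define PRIV_PROC_INFO     ((privset_t)1 << 2)
#define PRIV_PROC_SESSION  ((privset_t)1 << 3)
#define PRIV_FILE_LINK_ANY ((privset_t)1 << 4)
#define PRIV_PROC_SETID    ((privset_t)1 << 5)
#define PRIV_PROC_AUDIT    ((privset_t)1 << 6)
#define PRIV_SYS_RESOURCE  ((privset_t)1 << 7)
#define PRIV_FILE_DAC_READ ((privset_t)1 << 8)
#define PRIV_ALL    (~(privset_t)0)
#define PRIV_BASIC  (PRIV_PROC_EXEC | PRIV_PROC_FORK | PRIV_PROC_INFO | \
                     PRIV_PROC_SESSION | PRIV_FILE_LINK_ANY)
#define PRIV_UNSAFE (PRIV_PROC_SETID | PRIV_SYS_RESOURCE | PRIV_PROC_AUDIT)

struct proc {
    uint32_t ruid, euid, suid;
    bool pa;                    /* privilege-aware (PA) or not (NPA) */
    privset_t iE, iP, I, L;     /* implementation sets iE/iP; I and L as-is */
};
enum which { SET_E, SET_P, SET_I, SET_L };

static bool any_uid0(const struct proc *p) {
    return p->ruid == 0 || p->euid == 0 || p->suid == 0;
}

/* oE / oP: for an NPA process with euid 0 (any UID 0 for oP), L stands in. */
privset_t observed_E(const struct proc *p) {
    return (!p->pa && p->euid == 0) ? p->L : p->iE;
}
privset_t observed_P(const struct proc *p) {
    return (!p->pa && any_uid0(p)) ? p->L : p->iP;
}

/* Becoming PA: iE = oE, iP = oP, so nothing observable changes. */
void become_aware(struct proc *p) {
    privset_t oE = observed_E(p), oP = observed_P(p);
    p->iE = oE;
    p->iP = oP;
    p->pa = true;
}

/* Back to NPA (setpflags, also attempted by the kernel on exec): needs
 * P == L when any UID is 0 and E == L when euid is 0. */
bool relinquish_awareness(struct proc *p) {
    if (!p->pa) return true;
    if (any_uid0(p) && p->iP != p->L) return false;
    if (p->euid == 0 && p->iE != p->L) return false;
    if (p->euid == 0) p->iE = p->L & p->I;
    if (any_uid0(p)) p->iP = p->L & p->I;
    p->pa = false;
    return true;
}

/* setppriv(2)-style change.  Removal always succeeds; E and I may only gain
 * what P holds; P and L never grow; touching E, P or L makes the process PA.
 * Clearing a bit in P also clears it in E (modelling assumption). */
bool priv_change(struct proc *p, enum which w, bool on, privset_t mask) {
    privset_t *s;
    if (w != SET_I) become_aware(p);
    s = (w == SET_E) ? &p->iE : (w == SET_P) ? &p->iP
      : (w == SET_I) ? &p->I  : &p->L;
    if (!on) {
        *s &= ~mask;
        if (w == SET_P) p->iE &= ~mask;
        return true;
    }
    if (w == SET_P || w == SET_L) return false;
    if (mask & ~p->iP) return false;
    *s |= mask;
    return true;
}

/* A set-uid root image is honoured only if every unsafe privilege is in L. */
bool setuid_root_honoured(const struct proc *p) {
    return (p->L & PRIV_UNSAFE) == PRIV_UNSAFE;
}

/* exec(2): try to drop awareness, then E' = P' = I' = L & I, L unchanged.
 * For an honoured set-uid root image, euid and suid become 0. */
void do_exec(struct proc *p, bool setuid_root_image) {
    (void)relinquish_awareness(p);
    if (setuid_root_image && setuid_root_honoured(p)) p->euid = p->suid = 0;
    p->I &= p->L;
    p->iE = p->iP = p->I;
}

int main(void) {
    /* Constructed daemon: non-zero UID, basic sets, full limit set.  It never
     * execs, so it drops PRIV_PROC_EXEC from P and L as privileges(5) advises. */
    struct proc d = { 100, 100, 100, false, PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL };
    priv_change(&d, SET_P, false, PRIV_PROC_EXEC);
    priv_change(&d, SET_L, false, PRIV_PROC_EXEC);
    printf("proc_exec in oE: %d; re-adding it to E succeeds: %d\n",
           !!(observed_E(&d) & PRIV_PROC_EXEC),
           priv_change(&d, SET_E, true, PRIV_PROC_EXEC));   /* 0; 0 */
    return 0;
}
```

     Two points the model makes visible that are easy to miss in the prose:
     an NPA process with euid 0 observes L, not iE, so a root process that
     drops a privilege from E becomes PA and can no longer return to NPA
     until E equals L again; and because I may exceed P, a privilege removed
     from P but left in I comes back in P' = L & I on the next exec, which is
     why a daemon that wants a privilege gone for good removes it from L as
     well.
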
     The limit set is enforced at exec time.

     To run a non-privilege-aware application in a backward-compatible
     manner, a privilege-aware application should start the
     non-privilege-aware application with I=basic.

     For most privileges, absence of the privilege simply results in a
     failure. In some instances, the absence of a privilege can cause system
     calls to behave differently. In other instances, the removal of a
     privilege can force a set-uid application to seriously malfunction.
     Privileges of this type are considered "unsafe". When a process is
     lacking any of the unsafe privileges from its limit set, the system does
     not honor the set-uid bit of set-uid root applications. The following
     unsafe privileges have been identified: proc_setid, sys_resource and
     proc_audit.

  Privilege Escalation
     In certain circumstances, a single privilege could lead to a process
     gaining one or more additional privileges that were not explicitly
     granted to that process. To prevent such an escalation of privileges,
     the security policy requires explicit permission for those additional
     privileges.

     Common examples of escalation are those mechanisms that allow
     modification of system resources through "raw" interfaces; for example,
     changing kernel data structures through /dev/kmem or changing files
     through /dev/dsk/*. Escalation also occurs when a process controls
     processes with more privileges than the controlling process. A special
     case of this is manipulating or creating objects owned by UID 0 or
     trying to obtain UID 0 using setuid(2). The special treatment of UID 0
     is needed because UID 0 owns all system configuration files and
     ordinary file protection mechanisms allow processes with UID 0 to modify
     the system configuration. With appropriate file modifications, a given
     process running with an effective UID of 0 can gain all privileges.

     In situations where a process might obtain UID 0, the security policy
     requires additional privileges, up to the full set of privileges. Such
     restrictions could be relaxed or removed at such time as additional
     mechanisms for protection of system files become available. There are
     no such mechanisms in the current Solaris release.

     The use of UID 0 processes should be limited as much as possible. They
     should be replaced with programs running under a different UID but with
     exactly the privileges they need.

     Daemons that never need to exec subprocesses should remove the
     PRIV_PROC_EXEC privilege from their permitted and limit sets.

  Assigned Privileges and Safeguards
     When privileges are assigned to a user, the system administrator could
     give that user more powers than intended. The administrator should
     consider whether safeguards are needed. For example, if the
     PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
     should consider setting the project.max-locked-memory resource control
     as well, to prevent that user from locking all memory.

  Privilege Debugging
     When a system call fails with a permission error, it is not always
     immediately obvious what caused the problem. To debug such a problem,
     you can use a tool called privilege debugging. When privilege debugging
     is enabled for a process, the kernel reports missing privileges on the
     controlling terminal of the process. (Enable debugging for a process
     with the -D option of ppriv(1).) Additionally, the administrator can
     enable system-wide privilege debugging by setting the system(4) variable
     priv_debug using:

         set priv_debug = 1

     On a running system, you can use mdb(1) to change this variable.

  Privilege Administration
     The Solaris Management Console (see smc(1M)) is the preferred method of
     modifying privileges for a command. Use usermod(1M) or smrole(1M) to
     assign privileges to or modify privileges for, respectively, a user or a
     role. Use ppriv(1) to enumerate the privileges supported on a system and
     truss(1) to determine which privileges a program requires.

SEE ALSO
     mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M), nfsd(1M),
     pppd(1M), rem_drv(1M), smbd(1M), sppptun(1M), update_drv(1M), Intro(2),
     access(2), acct(2), acl(2), adjtime(2), audit(2), auditon(2), chmod(2),
     chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2),
     fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2), kill(2),
     link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2),
     ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
     processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
     resolvepath(2), rmdir(2), semctl(2), setauid(2), setegid(2),
     seteuid(2), setgid(2), setgroups(2), setpflags(2), setppriv(2),
     setrctl(2), setregid(2), setreuid(2), setrlimit(2), settaskid(2),
     setuid(2), shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
     statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2),
     umount(2), unlink(2), utime(2), utimes(2), bind(3SOCKET),
     door_ucred(3C), priv_addset(3C), priv_set(3C), priv_getbyname(3C),
     priv_getbynum(3C), priv_set_to_str(3C), priv_str_to_set(3C),
     socket(3SOCKET), t_bind(3NSL), timer_create(3C), ucred_get(3C),
     exec_attr(4), proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
     drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
     priv_policy_choice(9F), priv_policy_only(9F)

     System Administration Guide: Security Services

SunOS 5.11                       29 May 2009                       privileges(5)