setpflags(2) man page - 윈디하나의 솔라나라


getpflags(2)                     System Calls                     getpflags(2)



NAME
       getpflags, setpflags - get or set process flags

SYNOPSIS
       #include <sys/types.h>
       #include <priv.h>

       uint_t getpflags(uint_t flag);


       int setpflags(uint_t flag, uint_t value);

DESCRIPTION
       The getpflags() and setpflags() functions obtain and modify the current
       per-process flags.


       The following values for flag are supported:

       PRIV_AWARE

           This one bit flag takes the value of 0 (unset) or 1 (set). Only  if
           this  flag is set is the current process privilege-aware. A process
           can attempt to unset this flag  but  might  fail  silently  if  the
           observed  set invariance condition cannot be met. Setting this flag
           is always successful.

           When the PRIV_AWARE flag is set or unset,  the  observed  effective
           and  permitted  set do not change. When setting PRIV_AWARE, this is
           possible but it is not always possible when  PRIV_AWARE  is  unset.
           For more information, see the privileges(7) man page.


       PRIV_AWARE_RESET

           This one bit flag takes the value of 0 (unset) or 1 (set). This
           causes a process to pretend it is non-privilege aware. The
           effective and permitted privilege set change on the change of the
           effective uid. When all the uid sets become the same through
           setuid(uid) or through setreuid(uid, uid), the effective and
           permitted set are set to the intersection between the limit set
           and the inheritable set. At that point, both PRIV_AWARE and
           PRIV_AWARE_RESET are unset.

           This flag gets automatically reset when a process becomes
           privilege aware, either through calling setppriv(2) or by setting
           PRIV_AWARE to 1.


       PRIV_DEBUG

           This  one bit flag takes the value of 0 (unset) or 1 (set). Only if
           this flag is set does the current process have privilege  debugging
           enabled. Processes can set and unset this flag at will.


       PRIV_PFEXEC

           This  one-bit flag takes the value of 0 (unset) or 1 (set). Only if
           this flag is set is the current process a profile shell. Every time
           exec(2) is called, the exec_attr(5) database for the current user's
           profiles database is queried and  the  appropriate  attributes  are
           applied  to  the  new program. PRIV_PFEXEC is inherited except when
           the real UID is changed as a result of the applied attributes.


       PRIV_PFEXEC_AUTH

           This one-bit flag takes the value of 0 (unset) or 1 (set). The
           flag is set when the user successfully reauthenticates prior to
           executing a command which matches an entry in the user's
           authenticated profiles set, and the PRIV_PFEXEC flag is already
           set in the parent process. When these two flags are set, the
           process can execute commands which match the exec_attr(5)
           database for the user's authenticated profiles set, without
           subsequent reauthentication. PRIV_PFEXEC_AUTH is inherited except
           when the real UID is changed as a result of the applied
           attributes. The privilege PRIV_PROC_SETID is required to set this
           flag.


       PRIV_PROC_TPD

           This one-bit flag takes the value of 0 (unset) or 1 (set). This
           bit has no meaning outside of an immutable zone. In an immutable
           zone, this process is allowed to modify files which are MWAC
           protected, such as updating the system or changing over to a new
           boot environment. This process will be prevented from opening
           files which can be modified by processes with this flag set
           unless PRIV_TPD_UNSAFE is set.


       PRIV_PROC_TPD_RESET

           This one-bit flag takes the value of 0 (unset) or 1 (set). When
           this flag is set, PRIV_PROC_TPD will be reset on exec(). For more
           information, see the exec(2) man page.


       PRIV_TPD_KILLABLE

           This one-bit flag takes the value of 0 (unset) or 1 (set).
           Normally, a process in the Trusted Path cannot receive any
           signals from outside of the Trusted Path. When this bit is set,
           the system will forward signals from a non-TPD process.


       PRIV_TPD_UNSAFE

           This one-bit flag takes the value of 0 (unset) or 1 (set). This
           bit has no meaning outside of an immutable zone. If this flag is
           set in a TPD process, it will read files which can be modified by
           all privileged processes in the zone or can open STREAM devices,
           doors, and pipes when the peer is not a TPD process.


       PRIV_XPOLICY

           This one-bit flag takes the value of 0 (unset) or 1 (set). Only  if
           this flag is set does the current process honor its Extended Policy
           (see privileges(7)).


       NET_MAC_AWARE
       NET_MAC_AWARE_INHERIT

           These flags are available only if the system is configured with
           Trusted Extensions. These one bit flags each take the value of 0
           (unset) or 1 (set). If the NET_MAC_AWARE flag is set then the
           current process is allowed to communicate with peers at labels
           that are different from its own, subject to MAC policy.

           The NET_MAC_AWARE_INHERIT flag controls the propagation of the
           NET_MAC_AWARE flag. When a process performs one of the exec(2)
           functions, the NET_MAC_AWARE flag is unset unless
           NET_MAC_AWARE_INHERIT is set. NET_MAC_AWARE_INHERIT is always
           unset on one of the exec functions. The PRIV_NET_MAC_AWARE
           privilege is required to set either of these flags.



       PRIV_PROC_SENSITIVE

           This one bit flag takes the value of 0 (unset) or 1 (set). If
           this flag is set, it is assumed that the process contains
           sensitive data and non-privileged users cannot observe it through
           proc tools, cannot truss it, and cannot dump its core. Processes
           can set and unset this flag at will. For more information, see
           the proc(1) and ppriv(1) man pages.

           This flag can be set automatically for the process, typically  when
           a  privileged process performs setuid or setgid. Unsetting the flag
           can expose potentially sensitive data to a wider  range  of  users.
           Historically this flag was known as SNOCD (no coredump).


RETURN VALUES
       The getpflags() function returns the value associated with a given
       per-process flag. If the flag argument is invalid, (uint_t)-1 is
       returned and errno is set to indicate the error.


       Upon  successful  completion,  setpflags()  returns 0. Otherwise, -1 is
       returned and errno is set to indicate the error.

ERRORS
       The getpflags() and setpflags() functions will fail if:

       EINVAL    The value of flag or the value to which the flag  is  set  is
                 out of range.



       The setpflags() function will fail if:

       EPERM    An attempt was made to unset PRIV_PFEXEC.

                An  attempt  was made to unset PRIV_AWARE but the observed set
                invariance condition was not met.

                An attempt was made to  set  NET_MAC_AWARE,  PRIV_PFEXEC_AUTH,
                NET_MAC_AWARE_INHERIT,  or  PRIV_PROC_TPD  without  sufficient
                privileges.
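The following program is an added example, not part of the man page or of Oracle Solaris: it marks the calling process as holding sensitive data with setpflags(PRIV_PROC_SENSITIVE, 1) and checks the result the way RETURN VALUES and ERRORS describe, including the (uint_t)-1 sentinel of getpflags(). Outside Solaris, the two system calls are replaced by a constructed in-file emulation of the documented semantics (its flag numbers and the have_proc_setid variable are placeholders, not Solaris values) so the caller logic can be built and run anywhere.

```c
/* Added example: set PRIV_PROC_SENSITIVE and verify it, checking errors the
 * way getpflags(2)/setpflags(2) report them. Not Oracle code. On non-Solaris
 * hosts the calls below are a constructed emulation of the documented
 * behaviour, kept only so the caller logic compiles and runs everywhere. */
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

#ifdef __sun
#include <priv.h>                  /* real getpflags() / setpflags() */
#else
typedef unsigned int uint_t;
/* Constructed emulation: flag numbers are placeholders, not Solaris values. */
enum { PRIV_AWARE, PRIV_DEBUG, PRIV_PFEXEC, PRIV_PFEXEC_AUTH,
       PRIV_PROC_SENSITIVE, NFLAGS };
static uint_t pflags[NFLAGS];
static int have_proc_setid = 0;    /* emulated PRIV_PROC_SETID privilege */

uint_t getpflags(uint_t flag) {
    if (flag >= NFLAGS) { errno = EINVAL; return (uint_t)-1; }
    return pflags[flag];
}
int setpflags(uint_t flag, uint_t value) {
    if (flag >= NFLAGS || value > 1) { errno = EINVAL; return -1; }
    /* EPERM cases listed in the ERRORS section */
    if (flag == PRIV_PFEXEC && value == 0) { errno = EPERM; return -1; }
    if (flag == PRIV_PFEXEC_AUTH && value == 1 && !have_proc_setid) {
        errno = EPERM; return -1;
    }
    pflags[flag] = value;
    return 0;
}
#endif
/* Returns 1 if PRIV_PROC_SENSITIVE is set afterwards, 0 if not, -1 on error.
 * getpflags() signals failure with (uint_t)-1, so the check must compare
 * against that sentinel; a "< 0" test on the unsigned result is always false. */
int mark_sensitive(void) {
    if (setpflags(PRIV_PROC_SENSITIVE, 1) != 0) {
        perror("setpflags(PRIV_PROC_SENSITIVE)");
        return -1;
    }
    uint_t v = getpflags(PRIV_PROC_SENSITIVE);
    if (v == (uint_t)-1) { perror("getpflags(PRIV_PROC_SENSITIVE)"); return -1; }
    return v == 1 ? 1 : 0;
}
int main(void) {
    printf("PRIV_PROC_SENSITIVE set: %d\n", mark_sensitive());
    return 0;
}
```

On Solaris the program runs against the real kernel calls; the emulated branch is only there so the error-handling pattern can be exercised elsewhere.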


ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       ATTRIBUTE TYPE          ATTRIBUTE VALUE
       Interface Stability     Committed
       MT-Level                Async-Signal-Safe


SEE ALSO
       ppriv(1), exec(2), kill(2), setppriv(2), attributes(7),  privileges(7),
       tpd(7)



Oracle Solaris 11.4               3 Nov 2021                      getpflags(2)
Copyright of the man page content belongs to the man page author.