privileges(7)    Standards, Environments, Macros, Character Sets, and miscellany    privileges(7)
NAME
privileges - process privilege model
DESCRIPTION
Oracle Solaris software implements a set of privileges that provide
fine-grained control over the actions of processes. The possession of a
certain privilege allows a process to perform a specific set of
restricted operations.
The change to a primarily privilege-based security model in the Oracle
Solaris operating system gives developers an opportunity to restrict
processes to those privileged operations actually needed instead of all
(super-user) or no privileges (non-zero UIDs). Additionally, a set of
previously unrestricted operations now requires a privilege; these
privileges are dubbed the "basic" privileges and are by default given
to all processes.
Taken together, all defined privileges with the exception of the
"basic" privileges compose the set of privileges that are traditionally
associated with the root user. The "basic" privileges are "privileges"
unprivileged processes were accustomed to having.
The defined privileges are:
PRIV_CMI_ACCESS
Allow a process to perform basic segment operations defined in Oracle
Coherent Memory Interface (CMI), including create/destroy, map/unmap,
read/write, and token management. See cmi(7).
PRIV_CMI_OWNER
Allow a process to delete any memory reservation associated with
CMI segments created by any user.
PRIV_CONTRACT_EVENT
Allow a process to request reliable delivery of events to an event
endpoint.
Allow a process to include events in the critical event set term of
a template which could be generated in volume by the user.
PRIV_CONTRACT_IDENTITY
Allows a process to set the service FMRI value of a process contract
template.
PRIV_CONTRACT_OBSERVER
Allow a process to observe contract events generated by contracts
created and owned by users other than the process's effective user
ID.
Allow a process to open contract event endpoints belonging to contracts
created and owned by users other than the process's effective user ID.
PRIV_CPC_CPU
Allow a process to access per-CPU hardware performance counters.
PRIV_DAX_ACCESS
Allow a process to perform all operations supported by the Data
Analytics Accelerator (DAX) hardware.
This privilege will be available on systems that support DAX in
hardware.
PRIV_DTRACE_KERNEL
Allow DTrace kernel-level tracing.
PRIV_DTRACE_PROC
Allow DTrace process-level tracing. Allow process-level tracing
probes to be placed and enabled in processes to which the user has
permissions.
PRIV_DTRACE_USER
Allow DTrace user-level tracing. Allow use of the syscall and profile
DTrace providers to examine processes to which the user has permissions.
PRIV_FILE_AUDIT
Allow a process to get and set a file's Audit ACL.
PRIV_FILE_CHOWN
Allow a process to change a file's owner user ID. Allow a process to
change a file's group ID to one other than the process's effective group
ID or one of the process's supplemental group IDs.
PRIV_FILE_CHOWN_SELF
Allow a process to give away its files. A process with this privilege
runs as if {_POSIX_CHOWN_RESTRICTED} is not in effect.
PRIV_FILE_DAC_EXECUTE
Allow a process to execute an executable file whose permission bits
or ACL would otherwise disallow the process execute permission.
PRIV_FILE_DAC_READ
Allow a process to read a file or directory whose permission bits
or ACL would otherwise disallow the process read permission.
PRIV_FILE_DAC_SEARCH
Allow a process to search a directory whose permission bits or ACL
would not otherwise allow the process search permission.
PRIV_FILE_DAC_WRITE
Allow a process to write a file or directory whose permission bits
or ACL do not allow the process write permission. All privileges
are required to write files owned by UID 0 in the absence of an
effective UID of 0.
PRIV_FILE_DOWNGRADE_SL
Allow a process to set the sensitivity label of a file or directory to
a sensitivity label that does not dominate the existing sensitivity
label.
PRIV_FILE_FLAG_SET
Allows a process to set immutable, nounlink or appendonly file
attributes.
PRIV_FILE_LINK_ANY
Allow a process to create hardlinks to files owned by a UID different
from the process's effective UID.
PRIV_FILE_OWNER
Allow a process that is not the owner of a file to modify that file's
access and modification times. Allow a process that is not the owner of
a directory to modify that directory's access and modification times.
Allow a process that is not the owner of a file or directory to remove
or rename a file or directory whose parent directory has the "save text
image after execution" (sticky) bit set. Allow a process that is not
the owner of a file to mount a namefs upon that file. Allow a process
that is not the owner of a file or directory to modify that file's or
directory's permission bits or ACL.
PRIV_FILE_READ
Allow a process to read a file or directory whose permission or ACL
allow the process read permission.
PRIV_FILE_SETID
Allow a process to change the ownership of a file or write to a file
without the set-user-ID and set-group-ID bits being cleared. Allow a
process to set the set-group-ID bit on a file or directory whose group
is not the process's effective group or one of the process's
supplemental groups. Allow a process to set the set-user-ID bit on a
file with different ownership in the presence of PRIV_FILE_OWNER.
Additional restrictions apply when creating or modifying a setuid 0
file.
PRIV_FILE_UPGRADE_SL
Allow a process to set the sensitivity label of a file or directory
to a sensitivity label that dominates the existing sensitivity
label.
PRIV_FILE_WRITE
Allow a process to write a file or directory whose permission or
ACL allow the process write permission.
PRIV_GRAPHICS_ACCESS
Allow a process to make privileged ioctls to graphics devices.
Typically only an xserver process needs to have this privilege. A
process with this privilege is also allowed to perform privileged
graphics device mappings.
PRIV_GRAPHICS_MAP
Allow a process to perform privileged mappings through a graphics
device.
PRIV_IPC_DAC_READ
Allow a process to read a System V IPC Message Queue, Semaphore Set,
or Shared Memory Segment whose permission bits would not otherwise
allow the process read permission.
PRIV_IPC_DAC_WRITE
Allow a process to write a System V IPC Message Queue, Semaphore Set,
or Shared Memory Segment whose permission bits would not otherwise
allow the process write permission.
PRIV_IPC_MRP_ACCESS
Allows a process in a non-global zone to look up and access Memory
Reservation Pools (MRPs) that reside in the global zone. This is used
for booting Kernel Zones that are configured to allocate memory from
an MRP.
PRIV_IPC_OWNER
Allow a process that is not the owner of a System V IPC Message Queue,
Semaphore Set, or Shared Memory Segment to remove, change ownership
of, or change permission bits of the Message Queue, Semaphore Set, or
Shared Memory Segment.
PRIV_KSTAT_RD_SENSITIVE
Allow a process to see the header of kstat and read a kstat which
has the KSTAT2_MF_PRIV flag set in metadata.
PRIV_KSTAT_MANAGE
Allow a process to enable and disable optional kstats. Note that the
process also requires the solaris.smf.manage.kstats authorization.
PRIV_NET_ACCESS
Allow a process to open a TCP, UDP, SDP or SCTP network endpoint.
PRIV_NET_BINDMLP
Allow a process to bind to a port that is configured as a multi-level
port (MLP) for the process's zone. This privilege applies to both
shared address and zone-specific address MLPs. See tncfg(8) for
information on configuring MLP ports.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_NET_ICMPACCESS
Allow a process to send and receive ICMP packets.
PRIV_NET_MAC_AWARE
Allow a process to set the NET_MAC_AWARE process flag by using
setpflags(2). This privilege also allows a process to set the
SO_MAC_EXEMPT socket option by using setsockopt(3C). The
NET_MAC_AWARE process flag and the SO_MAC_EXEMPT socket option both
allow a local process to communicate with an unlabeled peer if the
local process's label dominates the peer's default label, or if the
local process runs in the global zone.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_NET_OBSERVABILITY
Allow a process to open a device for receiving network traffic only;
sending traffic is disallowed.
PRIV_NET_PRIVADDR
Allow a process to bind to a privileged port number. The privileged
port numbers are 1-1023 (the traditional UNIX privileged ports) as
well as those ports marked as "extra-priv-ports" by ipadm(8), with
the exception of the ports reserved for use by NFS and SMB, which
are controlled via the PRIV_SYS_NFS and PRIV_SYS_SMB privileges
instead.
PRIV_NET_RAWACCESS
Allow a process to have direct access to the network layer.
PRIV_PROC_AUDIT
Allow a process to generate audit records. Allow a process to get
its own audit pre-selection information.
PRIV_PROC_CHROOT
Allow a process to change its root directory.
PRIV_PROC_CLOCK_HIGHRES
Allow a process to use high resolution timers.
PRIV_PROC_EXEC
Allow a process to call exec(2) or spawn(2).
PRIV_PROC_FORK
Allow a process to call fork(2), fork1(2), vfork(2) or spawn(2).
PRIV_PROC_INFO
Allow a process to examine the status of processes other than those
to which it can send signals. Processes that cannot be examined
cannot be seen in /proc and appear not to exist.
PRIV_PROC_SELF is also required when using this privilege.
PRIV_PROC_LOCK_MEMORY
Allow a process to lock pages in physical memory.
PRIV_PROC_OWNER
Allow a process to send signals to other processes and inspect and
modify the process state in other processes, regardless of ownership.
When modifying another process, additional restrictions apply: the
effective privilege set of the attaching process must be a superset of
the target process's effective, permitted, and inheritable sets; the
limit set must be a superset of the target's limit set; if the target
process has any UID set to 0 all privilege must be asserted unless the
effective UID is 0. Allow a process to bind arbitrary processes to
CPUs.
PRIV_PROC_PRIOCNTL
Allow a process to elevate its priority above its current level.
Allow a process to change its scheduling class to any scheduling
class, including the RT class.
PRIV_PROC_SELF
Allow a process to access files under /proc, including /proc/self.
PRIV_PROC_SESSION
Allow a process to send signals or trace processes outside its
session.
PRIV_PROC_SELF is also required when using this privilege.
PRIV_PROC_SETID
Allow a process to set its UIDs at will, assuming UID 0 requires
all privileges to be asserted. Also allows setting the process flag
PRIV_PFEXEC_AUTH.
PRIV_PROC_TASKID
Allow a process to assign a new task ID to the calling process.
PRIV_PROC_ZONE
Allow a process to trace or send signals to processes in other
zones. See zones(7).
PRIV_SYS_ACCT
Allow a process to enable and disable and manage accounting through
acct(2).
PRIV_SYS_ADMIN
Allow a process to perform system administration tasks such as
setting node and domain name and specifying coreadm(8) and nscd(8)
settings.
PRIV_SYS_AUDIT
Allow a process to start the (kernel) audit daemon. Allow a process
to view and set audit state (audit user ID, audit terminal ID,
audit session ID, audit pre-selection mask). Allow a process to
turn off and on auditing. Allow a process to configure the audit
parameters (cache and queue sizes, event to class mappings, and
policy options).
PRIV_SYS_CONFIG
Allow a process to perform various system configuration tasks.
Allow filesystem-specific administrative procedures, such as
filesystem configuration ioctls, quota calls, creation and deletion
of snapshots, and manipulating the PCFS bootsector.
PRIV_SYS_DEVICES
Allow a process to create device special files. Allow a process to
successfully call a kernel module that calls the kernel
drv_priv(9F) function to check for allowed access. Allow a process
to open the real console device directly. Allow a process to open
devices that have been exclusively opened.
PRIV_SYS_DL_CONFIG
Allow a process to configure a system's datalink interfaces.
PRIV_SYS_IB_CONFIG
Allow a process access to all InfiniBand Management (IB) Datagram
(MAD) APIs and host-based IB management and diagnostics tools.
PRIV_SYS_IB_INFO
Allow a process access to InfiniBand Management (IB) Datagram (MAD)
APIs and host-based IB management and diagnostics tools to read
configuration information.
PRIV_SYS_IP_CONFIG
Allow a process to configure a system's IP interfaces and routes.
Allow a process to configure TCP/IP parameters. Allow a process to
pop anchored STREAMS modules with matching zoneid.
PRIV_SYS_IPC_CONFIG
Allow a process to increase the size of a System V IPC Message
Queue buffer.
PRIV_SYS_LINKDIR
Obsolete: Used to allow a process to unlink and link directories.
This implementation prohibits link and unlink operations on
directories.
PRIV_SYS_MOUNT
Allow a process to mount and unmount filesystems that would otherwise
be restricted (that is, most filesystems except namefs). Allow a
process to add and remove swap devices.
PRIV_SYS_NET_CONFIG
Allow a process to do all that PRIV_SYS_IP_CONFIG, PRIV_SYS_DL_CONFIG,
PRIV_SYS_PPP_CONFIG, and PRIV_SYS_IB_CONFIG allow, plus the following:
use the rpcmod STREAMS module and insert/remove STREAMS modules on
locations other than the top of the module stack.
PRIV_SYS_NFS
Allow a process to provide NFS service: start NFS kernel threads,
perform NFS locking operations, bind to NFS reserved ports: ports
2049 (nfs) and port 4045 (lockd).
PRIV_SYS_PPP_CONFIG
Obsolete: Allow a process to create, configure, and destroy PPP
instances and control PPPoE plumbing. This privilege is granted by
default to exclusive IP stack instance zones.
PRIV_SYS_RES_BIND
Allow a process to bind processes to processor sets.
PRIV_SYS_RES_CONFIG
Allow a process to bind processes to processor sets, as
PRIV_SYS_RES_BIND, in addition to the following outlined in this
paragraph. Allow a process to create and delete processor sets, assign
CPUs to processor sets and override the PSET_NOESCAPE property. Allow
a process to change the operational status of CPUs in the system using
p_online(2). Allow a process to configure filesystem quotas. Allow a
process to configure resource pools and bind processes to pools.
PRIV_SYS_RESOURCE
Allow a process to exceed the resource limits imposed on it by
setrlimit(2) and setrctl(2).
PRIV_SYS_SHARE
Allow a process to share and unshare filesystems.
PRIV_SYS_SMB
Allow a process to provide NetBIOS or SMB services: start SMB kernel
threads or bind to NetBIOS or SMB reserved ports: ports 137, 138, 139
(NetBIOS) and 445 (SMB).
PRIV_SYS_SUSER_COMPAT
Allow a process to successfully call a third party loadable module
that calls the kernel suser() function to check for allowed access.
This privilege exists only for third party loadable module
compatibility and is not used by Oracle Solaris proper.
PRIV_SYS_TIME
Allow a process to manipulate system time using any of the
appropriate system calls: stime(2), adjtime(2), and ntp_adjtime(2).
PRIV_SYS_TRANS_LABEL
Allow a process to translate labels that are not dominated by the
process's sensitivity label to and from an external string form.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_VIRT_MANAGE
Allows a process to manage virtualized environments.
PRIV_WIN_COLORMAP
Allow a process to override colormap restrictions.
Allow a process to install or remove colormaps.
Allow a process to retrieve colormap cell entries allocated by
other processes.
This privilege is obsolete.
PRIV_WIN_CONFIG
Allow a process to configure or destroy resources that are permanently
retained by the X server.
Allow a process to use SetScreenSaver to set the screen saver timeout
value.
Allow a process to use ChangeHosts to modify the display access
control list.
Allow a process to use GrabServer.
Allow a process to use the SetCloseDownMode request that can retain
window, pixmap, colormap, property, cursor, font, or graphic context
resources.
This privilege is obsolete.
PRIV_WIN_DAC_READ
Allow a process to read from a window resource that it does not own
(has a different user ID).
This privilege is obsolete.
PRIV_WIN_DAC_WRITE
Allow a process to write to or create a window resource that it
does not own (has a different user ID). A newly created window
property is created with the window's user ID.
This privilege is obsolete.
PRIV_WIN_DEVICES
Allow a process to perform operations on window input devices.
Allow a process to get and set keyboard and pointer controls.
Allow a process to modify pointer button and key mappings.
This privilege is obsolete.
PRIV_WIN_DGA
Allow a process to use the direct graphics access (DGA) X protocol
extensions. Direct process access to the frame buffer is still
required. Thus the process must have MAC and DAC privileges that allow
access to the frame buffer, or the frame buffer must be allocated to
the process.
This privilege is obsolete.
PRIV_WIN_DOWNGRADE_SL
Allow a process to set the sensitivity label of a window resource to
a sensitivity label that does not dominate the existing sensitivity
label.
This privilege is obsolete.
PRIV_WIN_FONTPATH
Allow a process to set a font path.
This privilege is obsolete.
PRIV_WIN_MAC_READ
Allow a process to read from a window resource whose sensitivity
label is not equal to the process sensitivity label.
This privilege is obsolete.
PRIV_WIN_MAC_WRITE
Allow a process to create a window resource whose sensitivity label
is not equal to the process sensitivity label. A newly created window
property is created with the window's sensitivity label.
This privilege is obsolete.
PRIV_WIN_SELECTION
Allow a process to request inter-window data moves without the
intervention of the selection confirmer.
This privilege is obsolete.
PRIV_WIN_UPGRADE_SL
Allow a process to set the sensitivity label of a window resource
to a sensitivity label that dominates the existing sensitivity
label.
This privilege is obsolete.
Of the privileges listed above, the privileges PRIV_FILE_LINK_ANY,
PRIV_FILE_READ, PRIV_FILE_WRITE, PRIV_PROC_INFO, PRIV_PROC_SESSION,
PRIV_NET_ACCESS, PRIV_PROC_FORK, and PRIV_PROC_EXEC are considered
"basic" privileges. These are privileges that used to be always
available to unprivileged processes. By default, processes still have
the basic privileges.
The privileges PRIV_PROC_SETID, PRIV_PROC_AUDIT, and PRIV_SYS_RESOURCE
must be present in the Limit set (see below) of a process in order for
setuid root execs to be successful; that is, get an effective UID of 0
and additional privileges.
The privilege implementation in Oracle Solaris extends the process
credential with four privilege sets:
    I, the inheritable set   The privileges inherited on exec.
    P, the permitted set     The maximum set of privileges for the
                             process.
    E, the effective set     The privileges currently in effect.
    L, the limit set         The upper bound of the privileges a process
                             and its offspring can obtain. Changes to L
                             take effect on the next exec.
The sets I, P and E are typically identical to the basic set of
privileges for unprivileged processes. The limit set is typically the
full set of privileges.
Each process has a Privilege Awareness State (PAS) that can take the
value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
mechanism that allows a choice between full compatibility with the old
superuser model and completely ignoring the effective UID.
To facilitate the discussion, we introduce the notion of "observed
effective set" (oE) and "observed permitted set" (oP) and the
implementation sets iE and iP.
A process becomes privilege-aware either by manipulating the effective,
permitted, or limit privilege sets through setppriv(2) or by using
setpflags(2). In all cases, oE and oP are invariant in the process of
becoming privilege-aware. In the process of becoming privilege-aware,
the following assignments take place:
iE = oE
iP = oP
When a process is privilege-aware, oE and oP are invariant under UID
changes. When a process is not privilege-aware, oE and oP are observed
as follows:
oE = euid == 0 ? L : iE
oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
When a non-privilege-aware process has an effective UID of 0, it can
exercise the privileges contained in its limit set, the upper bound of
its privileges. If a non-privilege-aware process has any of the UIDs 0,
it appears to be capable of potentially exercising all privileges in L.
It is possible for a process to return to the non-privilege aware state
using setpflags(). The kernel always attempts this on exec(2). This
operation is permitted only if the following conditions are met:
o If any of the UIDs is equal to 0, P must be equal to L, and
no Extended Policy is applied.
o If the effective UID is equal to 0, E must be equal to L.
When a process gives up privilege awareness, the following assignments
take place:
if (euid == 0) iE = L & I
if (any uid == 0) iP = L & I
The privileges obtained when not having a UID of 0 are the inheritable
set of the process restricted by the limit set.
Only privileges in the process's (observed) effective privilege set
allow the process to perform restricted operations. A process can use
any of the privilege manipulation functions to add or remove privileges
from the privilege sets. Privileges can always be removed. Only
privileges found in the permitted set can be added to the effective and
inheritable set. The limit set cannot grow. The inheritable set can be
larger than the permitted set.
When a process performs an exec(2), the kernel first tries to
relinquish privilege awareness before making the following privilege
set modifications:
E' = P' = I' = L & I
L is unchanged
If a process has not manipulated its privileges, the privilege sets
effectively remain the same, as E, P and I are already identical.
The limit set is enforced at exec time.
To run a non-privilege-aware application in a backward-compatible
manner, a privilege-aware application should start the
non-privilege-aware application with I=basic.
For most privileges, absence of the privilege simply results in a
failure. In some instances, the absence of a privilege can cause system
calls to behave differently. In other instances, the removal of a
privilege can force a setuid root application to seriously malfunction.
Privileges of this type are considered "unsafe". When a process is
lacking any of the unsafe privileges from its limit set, the system
does not honor the setuid bit of setuid root applications. An exec of a
setuid root application would proceed without the change in effective
user ID or increase in privilege. The following unsafe privileges have
been identified: PRIV_PROC_SETID, PRIV_SYS_RESOURCE, PRIV_PROC_AUDIT,
and PRIV_FILE_AUDIT.
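The set arithmetic above (observed versus implementation sets, the
conditions for leaving the privilege-aware state, E' = P' = I' = L & I
on exec, and the unsafe-privilege rule for setuid root) can be checked
against a small model. This is an added illustration written for this
page, not Oracle Solaris code; the privilege universe ALL, the method
names, and the uid values are constructed here.

```python
"""Toy model of the privileges(7) process credential: the sets I, P, E
and L, the Privilege Awareness State, the observed sets oE/oP, and the
exec-time rules.  Added illustration, not Oracle Solaris code; the
privilege universe ALL is constructed and far smaller than the real one."""
from dataclasses import dataclass

BASIC = frozenset({"file_link_any", "file_read", "file_write", "proc_info",
                   "proc_session", "net_access", "proc_fork", "proc_exec"})
# the "unsafe" privileges: every one must be in L for setuid root to work
UNSAFE = frozenset({"proc_setid", "sys_resource", "proc_audit", "file_audit"})
ALL = BASIC | UNSAFE | frozenset({"file_dac_read", "file_dac_write",
                                  "sys_mount", "proc_owner"})   # constructed


@dataclass
class Proc:
    ruid: int
    euid: int
    suid: int
    I: frozenset        # inheritable set
    iP: frozenset       # implementation permitted set
    iE: frozenset       # implementation effective set
    L: frozenset        # limit set
    pa: bool = False    # privilege-aware?

    def any_uid0(self) -> bool:
        return 0 in (self.ruid, self.euid, self.suid)

    @property
    def oE(self) -> frozenset:
        """Observed effective set: oE = euid == 0 ? L : iE when not PA."""
        if self.pa:
            return self.iE
        return self.L if self.euid == 0 else self.iE

    @property
    def oP(self) -> frozenset:
        """Observed permitted set: oP = any uid == 0 ? L : iP when not PA."""
        if self.pa:
            return self.iP
        return self.L if self.any_uid0() else self.iP

    def become_aware(self) -> None:
        """iE = oE, iP = oP: the observed sets do not change on the switch."""
        self.iE, self.iP, self.pa = self.oE, self.oP, True

    def relinquish_awareness(self) -> bool:
        """Return to the NPA state only if the UID-0 conditions are met."""
        if not self.pa:
            return True
        if self.any_uid0() and self.iP != self.L:
            return False          # any uid 0 => P must equal L
        if self.euid == 0 and self.iE != self.L:
            return False          # euid 0 => E must equal L
        if self.euid == 0:
            self.iE = self.L & self.I
        if self.any_uid0():
            self.iP = self.L & self.I
        self.pa = False
        return True

    def add_effective(self, privs) -> bool:
        """Like setppriv(PRIV_ON, PRIV_EFFECTIVE): only members of P may be added."""
        privs = frozenset(privs)
        if not privs <= self.oP:
            return False
        self.become_aware()       # touching a set makes the process PA
        self.iE = self.iE | privs
        return True

    def remove(self, which: str, privs) -> None:
        """Privileges can always be removed; L may shrink but never grow.
        Removing from P also removes from E so that E stays within P."""
        privs = frozenset(privs)
        self.become_aware()
        if which == "E":
            self.iE = self.iE - privs
        elif which == "P":
            self.iP, self.iE = self.iP - privs, self.iE - privs
        elif which == "L":
            self.L = self.L - privs
        else:
            raise ValueError(which)

    def exec(self, setuid_root: bool = False) -> "Proc":
        """exec(2): needs proc_exec in oE; the kernel tries to drop PA, then
        E' = P' = I' = L & I with L unchanged.  A setuid-root image only
        gains UID 0 when every unsafe privilege is still present in L."""
        if "proc_exec" not in self.oE:
            raise PermissionError("exec needs PRIV_PROC_EXEC")
        self.relinquish_awareness()
        if setuid_root and UNSAFE <= self.L:
            self.euid = self.suid = 0
        self.iE = self.iP = self.I = self.L & self.I
        return self


def unprivileged(uid: int = 1000) -> Proc:
    """A typical unprivileged process: I = P = E = basic, L = everything."""
    return Proc(uid, uid, uid, BASIC, BASIC, BASIC, ALL)
```

Dropping proc_setid from L before exec shows the unsafe-privilege rule: the setuid root image runs, but with the caller's UID and only L & I; removing proc_exec from P and L, as the page advises for daemons, makes exec fail outright.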
Privilege Escalation
In certain circumstances, a single privilege could lead to a process
gaining one or more additional privileges that were not explicitly
granted to that process. To prevent such an escalation of privileges,
the security policy requires explicit permission for those additional
privileges.
Common examples of escalation are those mechanisms that allow
modification of system resources through "raw" interfaces; for
example, changing kernel data structures through /dev/kmem or changing
files through /dev/dsk/*. Escalation also occurs when a process
controls processes with more privileges than the controlling process.
A special case of this is manipulating or creating objects owned by
UID 0 or trying to obtain UID 0 using setuid(2). The special treatment
of UID 0 is needed because the UID 0 owns all system configuration
files and ordinary file protection mechanisms allow processes with UID
0 to modify the system configuration. With appropriate file
modifications, a given process running with an effective UID of 0 can
gain all privileges.
In situations where a process might obtain UID 0, the security policy
requires additional privileges, up to the full set of privileges. Such
restrictions could be relaxed or removed at such time as additional
mechanisms for protection of system files became available. There are
no such mechanisms in the current Oracle Solaris release.
The use of UID 0 processes should be limited as much as possible. They
should be replaced with programs running under a different UID but with
exactly the privileges they need.
Daemons that never need to exec subprocesses should remove the
PRIV_PROC_EXEC privilege from their permitted and limit sets.
Assigned Privileges and Safeguards
When privileges are assigned to a user, the system administrator could
give that user more powers than intended. The administrator should
consider whether safeguards are needed. For example, if the
PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
should consider setting the project.max-locked-memory resource control
as well, to prevent that user from locking all memory.
Extended Policy
When privileges are listed in configuration files or on the command
line, it is sometimes possible to use the Extended Policy syntax. An
Extended Policy is a privilege set enclosed in braces followed by a
colon and an object. An extended policy adds the ability to use that
list of privileges on the specified object. Currently we support
extended policies for network ports, UIDs, and file objects.
For example,
{file_dac_read}:/var/core/*
Allows the use of the privilege file_dac_read when accessing files
under /var/core.
{net_privaddr}:80/tcp,{net_privaddr}:443/tcp
Allows a process to bind a network endpoint to TCP port 80 and 443.
{proc_setid}:80-100
Allows a process to change UID to UID 80 through 100, inclusive.
{proc_setid}:casper
Allows a process to change the UID to the UID of the username
"casper".
{zone}:/var/user
Grants all the privileges available in the current zone for
manipulating /var/user. For the definition of Zone and other special
keywords, see the priv_str_to_set(3C) man page.
{zone}:/system/volatile/service.pid
Allows an application that is not running as the super user to create
the service.pid file in the root owned, mode 755 directory,
/system/volatile.
{zone}:/system/volatile/ikev2
Allows an application that is not running as the super user to create
a file or directory ikev2 in the root owned, mode 755 directory,
/system/volatile. As the newly created file or directory is owned by
the user creating the file or directory, no wild card needs to be
used.
A privilege set listed in an extended policy will be removed from the
inheritable set and consequently from the permitted and the effective
set when the Extended Policy is installed unless the privilege set in
the policy includes all privileges available in the zone. For example,
when installing an Extended Policy of the form {zone}:/etc/shadow, no
privileges are dropped; if, on the other hand, the Extended Policy has
the form {file_dac_read}:/etc/shadow, the PRIV_FILE_DAC_READ privilege
is removed.
The Extended Policy is in effect only when a privilege is missing from
the effective set.
While it is possible to specify an Extended Policy such as
{all}:/some/file, the system will still restrict some applications such
as adding a setuid bit.
All privileges listed in an Extended Policy need to be effective in the
process when that process installs that policy. For example, when
ppriv(1) is used to install a policy, it needs to have all privileges
listed in its effective set. No such restrictions apply to the process
that is the object of ppriv. However, its Limit set overrides any
privileges in the Extended Policy.
In some contexts it is required to escape part of Extended Policy
syntax. For example, in exec_attr(5), the colon (:) needs to be escaped
using a backslash (\). Some characters in filenames may also need to be
escaped using a backslash, depending on the context.
The Extended Policy is evaluated at every layer in the filesystem; in
the case of lofs(4FS) file systems, the specified policy needs to take
this into account: the policy needs to specify both the lofs filesystem
and the underlying filesystem.
The following list contains types of objects and relevant privileges.
    Object            Syntax                       Privilege
    Username          name                         proc_setid
    Uid               uid                          proc_setid
    Range of uids     uid1-uid2                    proc_setid
    Network port^1    port/udp, port/tcp,          net_privaddr
                      port/sctp, port/*
    Range of ports    port1-port2/<proto>          net_privaddr
    Filename          pathname                     file privileges, proc_exec
    Wildcard^2        pathname*                    file privileges, proc_exec

^1 numeric as defined in services(5)
^2 matches all filenames starting with the specified pathname
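The syntax in the table and the install and evaluation rules described
above (privileges dropped from I on install unless the set is the whole
zone set, the policy consulted only for privileges missing from E, the
Limit set overriding the policy, and the backslash escape used in
exec_attr(5)) are exercised by the following parser and matcher. This is
an added illustration, not Oracle Solaris code; ZONE_PRIVS, the USERS
table and the function names are constructed for the example.

```python
"""Parser and evaluator for the privileges(7) Extended Policy syntax,
{privset}:object.  Added illustration, not Oracle Solaris code; the user
table and the set of privileges available in the zone are constructed."""
import re

# constructed: the privileges "available in the zone" and a passwd lookup
ZONE_PRIVS = frozenset({"file_dac_read", "file_dac_write", "file_chown",
                        "net_privaddr", "proc_setid", "proc_exec"})
USERS = {"casper": 2000, "daemon": 1}
ENTRY = re.compile(r"^\{([^}]*)\}:(.+)$")


def split_policies(text: str) -> list:
    """Split on commas outside braces; a backslash escapes the next
    character, as exec_attr(5) requires for the colon."""
    out, cur, depth, i = [], "", 0, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur += text[i + 1]
            i += 2
            continue
        depth += (c == "{") - (c == "}")
        if c == "," and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += c
        i += 1
    return out + [cur] if cur else out


def parse(text: str) -> list:
    """Return [(privilege set, object pattern), ...]; {zone} and {all}
    expand to every privilege available in the zone."""
    entries = []
    for item in split_policies(text):
        m = ENTRY.match(item.strip())
        if not m:
            raise ValueError(f"bad extended policy entry: {item!r}")
        names = {n.strip() for n in m.group(1).split(",") if n.strip()}
        privs = ZONE_PRIVS if names & {"zone", "all"} else frozenset(names)
        entries.append((privs, m.group(2)))
    return entries


def object_matches(pattern: str, obj) -> bool:
    """obj is a pathname (str), 'port/proto' (str) or a target uid (int)."""
    if pattern.startswith("/"):                      # filename or wildcard
        if not isinstance(obj, str):
            return False
        if pattern.endswith("*"):
            return obj.startswith(pattern[:-1])
        return obj == pattern
    if "/" in pattern:                               # port or port range
        if not isinstance(obj, str) or "/" not in obj:
            return False
        ports, proto = pattern.rsplit("/", 1)
        port, oproto = obj.rsplit("/", 1)
        lo, _, hi = ports.partition("-")
        return proto in ("*", oproto) and int(lo) <= int(port) <= int(hi or lo)
    if not isinstance(obj, int):                     # username, uid, range
        return False
    if pattern in USERS:
        return obj == USERS[pattern]
    lo, _, hi = pattern.partition("-")
    return int(lo) <= obj <= int(hi or lo)


def install(entries, I: frozenset) -> frozenset:
    """Installing a policy drops its privileges from I (and so from P and E)
    unless the entry names every privilege available in the zone."""
    for privs, _ in entries:
        if not ZONE_PRIVS <= privs:
            I = I - privs
    return I


def allowed(priv: str, obj, E: frozenset, L: frozenset, entries) -> bool:
    """The policy is consulted only when priv is missing from E, and the
    Limit set still overrides anything the policy would grant."""
    if priv in E:
        return True
    if priv not in L:
        return False
    return any(priv in privs and object_matches(pat, obj) for privs, pat in entries)
```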
Privilege Debugging
When a system call fails with a permission error, it is not always
immediately obvious what caused the problem. To debug such a problem,
you can use a tool called privilege debugging. When privilege debugging
is enabled for a process, the kernel reports missing privileges on the
controlling terminal of the process. (Enable debugging for a process
with the -D option of ppriv(1).) Additionally, the administrator can
enable system-wide privilege debugging by setting the system(5)
variable priv_debug using:
set priv_debug = 1
On a running system, you can use mdb(1) to change this variable.
Privilege Administration
Use usermod(8) or rolemod(8) to modify privilege assignment to a user
or role, respectively. Use ppriv(1) to enumerate the privileges
supported on a system and truss(1) to determine which privileges a
program requires.
SEE ALSO
mdb(1), ppriv(1), Intro(2), access(2), acct(2), acl(2), adjtime(2),
chmod(2), chown(2), chroot(2), creat(2), exec(2), fcntl(2), fork(2),
fpathconf(2), getacct(2), getpflags(2), getppriv(2), getsid(2),
kill(2), link(2), memcntl(2), mknod(2), mount(2), msgctl(2), nice(2),
ntp_adjtime(2), open(2), p_online(2), priocntl(2), priocntlset(2),
processor_bind(2), pset_bind(2), pset_create(2), readlink(2),
resolvepath(2), rmdir(2), semctl(2), setegid(2), seteuid(2), setgid(2),
setgroups(2), setpflags(2), setppriv(2), setrctl(2), setregid(2),
setreuid(2), setrlimit(2), settaskid(2), setuid(2), shmctl(2),
shmget(2), shmop(2), sigsend(2), spawn(2), stat(2), statvfs(2),
stime(2), swapctl(2), sysinfo(2), uadmin(2), ulimit(2), umount(2),
unlink(2), utime(2), utimes(2), bind(3C), door_ucred(3C),
priv_addset(3C), priv_getbyname(3C), priv_getbynum(3C), priv_set(3C),
priv_set_to_str(3C), priv_str_to_set(3C), socket(3C), t_bind(3C),
timer_create(3C), ucred_get(3C), lofs(4FS), exec_attr(5), proc(5),
services(5), system(5), user_attr(5), add_drv(8), ifconfig(8),
lockd(8), nfsd(8), rem_drv(8), smbd(8), tncfg(8), update_drv(8),
ddi_cred(9F), drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
priv_policy_choice(9F), priv_policy_only(9F)
About Privileges in Developer's Guide to Oracle Solaris 11.4 Security
Process Rights Management in Securing Users and Processes in Oracle
Solaris 11.4
NOTES
Removal of any of the basic privileges from a process leaves it in a
non-standards compliant state, may cause unexpected application
failures, and should only be performed with full knowledge of the
potential side effects.
HISTORY
The process privilege model was added in Solaris 10 3/05.
Support for Extended Policies was added in Oracle Solaris 11.1.0.
Support for the following privileges was first added in the listed
Oracle Solaris release:

    PRIVILEGE                                            RELEASE
    PRIV_PROC_SELF                                       11.4.5
    PRIV_IPC_MRP_ACCESS                                  11.4.1
    PRIV_FILE_AUDIT, PRIV_KSTAT_MANAGE,                  11.4.0
    PRIV_KSTAT_RD_SENSITIVE
    PRIV_CMI_ACCESS, PRIV_CMI_OWNER                      11.3.11
    PRIV_DAX_ACCESS                                      11.2.8
    PRIV_SYS_IB_CONFIG, PRIV_SYS_IB_INFO                 11.0.12
    PRIV_CONTRACT_IDENTITY, PRIV_FILE_FLAG_SET,          11.0.0
    PRIV_FILE_READ, PRIV_FILE_WRITE,
    PRIV_NET_MAC_IMPLICIT, PRIV_NET_OBSERVABILITY,
    PRIV_SYS_DL_CONFIG, PRIV_SYS_FLOW_CONFIG,
    PRIV_SYS_IPTUN_CONFIG, PRIV_SYS_PPP_CONFIG,
    PRIV_SYS_RES_BIND, PRIV_SYS_SHARE, PRIV_SYS_SMB
    PRIV_NET_ACCESS                                      10 9/10 (Update 9)
    PRIV_SYS_IP_CONFIG                                   10 8/07 (Update 4)
    PRIV_FILE_DOWNGRADE_SL, PRIV_FILE_UPGRADE_SL,        10 11/06 (Update 3)
    PRIV_GRAPHICS_ACCESS, PRIV_GRAPHICS_MAP,
    PRIV_NET_BINDMLP, PRIV_NET_MAC_AWARE,
    PRIV_SYS_TRANS_LABEL, PRIV_WIN_COLORMAP,
    PRIV_WIN_CONFIG, PRIV_WIN_DAC_READ,
    PRIV_WIN_DAC_WRITE, PRIV_WIN_DEVICES, PRIV_WIN_DGA,
    PRIV_WIN_DOWNGRADE_SL, PRIV_WIN_FONTPATH,
    PRIV_WIN_MAC_READ, PRIV_WIN_MAC_WRITE,
    PRIV_WIN_SELECTION, PRIV_WIN_UPGRADE_SL
    PRIV_CONTRACT_EVENT, PRIV_CONTRACT_OBSERVER,         10 3/05
    PRIV_CPC_CPU, PRIV_DTRACE_KERNEL, PRIV_DTRACE_PROC,
    PRIV_DTRACE_USER, PRIV_FILE_CHOWN,
    PRIV_FILE_CHOWN_SELF, PRIV_FILE_DAC_EXECUTE,
    PRIV_FILE_DAC_READ, PRIV_FILE_DAC_SEARCH,
    PRIV_FILE_DAC_WRITE, PRIV_FILE_LINK_ANY,
    PRIV_FILE_OWNER, PRIV_FILE_SETID, PRIV_IPC_DAC_READ,
    PRIV_IPC_DAC_WRITE, PRIV_IPC_OWNER,
    PRIV_NET_ICMPACCESS, PRIV_NET_PRIVADDR,
    PRIV_NET_RAWACCESS, PRIV_PROC_AUDIT, PRIV_PROC_CHROOT,
    PRIV_PROC_CLOCK_HIGHRES, PRIV_PROC_EXEC, PRIV_PROC_FORK,
    PRIV_PROC_INFO, PRIV_PROC_LOCK_MEMORY, PRIV_PROC_OWNER,
    PRIV_PROC_PRIOCNTL, PRIV_PROC_SESSION, PRIV_PROC_SETID,
    PRIV_PROC_TASKID, PRIV_PROC_ZONE, PRIV_SYS_ACCT,
    PRIV_SYS_ADMIN, PRIV_SYS_AUDIT, PRIV_SYS_CONFIG,
    PRIV_SYS_DEVICES, PRIV_SYS_IPC_CONFIG, PRIV_SYS_LINKDIR,
    PRIV_SYS_MOUNT, PRIV_SYS_NET_CONFIG, PRIV_SYS_NFS,
    PRIV_SYS_RESOURCE, PRIV_SYS_RES_CONFIG,
    PRIV_SYS_SUSER_COMPAT, PRIV_SYS_TIME
Oracle Solaris 11.4 21 Jun 2021 privileges(7)