Standards, Environments, and Macros privileges(5)
NAME
privileges - process privilege model
DESCRIPTION
Solaris software implements a set of privileges that provide
fine-grained control over the actions of processes. The
possession of a certain privilege allows a process to perform
a specific set of restricted operations.
The change to a primarily privilege-based security model in
the Solaris operating system gives developers an opportunity
to restrict processes to those privileged operations actually
needed instead of all (super-user) or no privileges (non-zero
UIDs). Additionally, a set of previously unrestricted
operations now requires a privilege; these privileges are
dubbed the "basic" privileges and are by default given to all
processes.
Taken together, all defined privileges with the exception of
the "basic" privileges compose the set of privileges that
are traditionally associated with the root user. The "basic"
privileges are "privileges" unprivileged processes were
accustomed to having.
The defined privileges are:
PRIV_CONTRACT_EVENT
Allow a process to request reliable delivery of events to an
event endpoint.
Allow a process to include events in the critical event set
term of a template which could be generated in volume by the
user.
PRIV_CONTRACT_IDENTITY
Allow a process to set the service FMRI value of a process
contract template.
PRIV_CONTRACT_OBSERVER
Allow a process to observe contract events generated by
contracts created and owned by users other than the
process's effective user ID.
Allow a process to open contract event endpoints belonging
to contracts created and owned by users other than the
process's effective user ID.
SunOS 5.11 Last change: 3 Mar 2009 1
PRIV_CPC_CPU
Allow a process to access per-CPU hardware performance
counters.
PRIV_DTRACE_KERNEL
Allow DTrace kernel-level tracing.
PRIV_DTRACE_PROC
Allow DTrace process-level tracing. Allow process-level
tracing probes to be placed and enabled in processes to
which the user has permissions.
PRIV_DTRACE_USER
Allow DTrace user-level tracing. Allow use of the syscall
and profile DTrace providers to examine processes to which
the user has permissions.
PRIV_FILE_CHOWN
Allow a process to change a file's owner user ID. Allow a
process to change a file's group ID to one other than the
process's effective group ID or one of the process's
supplemental group IDs.
PRIV_FILE_CHOWN_SELF
Allow a process to give away its files. A process with this
privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not in
effect.
PRIV_FILE_DAC_EXECUTE
Allow a process to execute an executable file whose
permission bits or ACL would otherwise disallow the process
execute permission.
PRIV_FILE_DAC_READ
Allow a process to read a file or directory whose permission
bits or ACL would otherwise disallow the process read
permission.
PRIV_FILE_DAC_SEARCH
Allow a process to search a directory whose permission bits
or ACL would not otherwise allow the process search
permission.
PRIV_FILE_DAC_WRITE
Allow a process to write a file or directory whose permission
bits or ACL do not allow the process write permission. All
privileges are required to write files owned by UID 0 in the
absence of an effective UID of 0.
PRIV_FILE_DOWNGRADE_SL
Allow a process to set the sensitivity label of a file or
directory to a sensitivity label that does not dominate the
existing sensitivity label.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_FILE_LINK_ANY
Allow a process to create hardlinks to files owned by a UID
different from the process's effective UID.
PRIV_FILE_OWNER
Allow a process that is not the owner of a file to modify
that file's access and modification times. Allow a process
that is not the owner of a directory to modify that
directory's access and modification times. Allow a process
that is not the owner of a file or directory to remove or
rename a file or directory whose parent directory has the
"save text image after execution" (sticky) bit set. Allow a
process that is not the owner of a file to mount a namefs
upon that file. Allow a process that is not the owner of a
file or directory to modify that file's or directory's
permission bits or ACL.
PRIV_FILE_SETID
Allow a process to change the ownership of a file or write
to a file without the set-user-ID and set-group-ID bits
being cleared. Allow a process to set the set-group-ID bit
on a file or directory whose group is not the process's
effective group or one of the process's supplemental groups.
Allow a process to set the set-user-ID bit on a file with
different ownership in the presence of PRIV_FILE_OWNER.
Additional restrictions apply when creating or modifying a
setuid 0 file.
PRIV_FILE_UPGRADE_SL
Allow a process to set the sensitivity label of a file or
directory to a sensitivity label that dominates the existing
sensitivity label.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_FILE_FLAG_SET
Allow a process to set immutable, nounlink or appendonly
file attributes.
PRIV_GRAPHICS_ACCESS
Allow a process to make privileged ioctls to graphics
devices. Typically only an xserver process needs to have
this privilege. A process with this privilege is also
allowed to perform privileged graphics device mappings.
PRIV_GRAPHICS_MAP
Allow a process to perform privileged mappings through a
graphics device.
PRIV_IPC_DAC_READ
Allow a process to read a System V IPC Message Queue,
Semaphore Set, or Shared Memory Segment whose permission
bits would not otherwise allow the process read permission.
PRIV_IPC_DAC_WRITE
Allow a process to write a System V IPC Message Queue,
Semaphore Set, or Shared Memory Segment whose permission
bits would not otherwise allow the process write permission.
PRIV_IPC_OWNER
Allow a process that is not the owner of a System V IPC
Message Queue, Semaphore Set, or Shared Memory Segment to
remove, change ownership of, or change permission bits of
the Message Queue, Semaphore Set, or Shared Memory Segment.
PRIV_NET_BINDMLP
Allow a process to bind to a port that is configured as a
multi-level port (MLP) for the process's zone. This
privilege applies to both shared address and zone-specific
address MLPs. See tnzonecfg(4) from the Trusted Extensions
manual pages for information on configuring MLP ports.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_NET_ICMPACCESS
Allow a process to send and receive ICMP packets.
PRIV_NET_MAC_AWARE
Allow a process to set the NET_MAC_AWARE process flag by
using setpflags(2). This privilege also allows a process to
set the SO_MAC_EXEMPT socket option by using
setsockopt(3SOCKET). The NET_MAC_AWARE process flag and the
SO_MAC_EXEMPT socket option both allow a local process to
communicate with an unlabeled peer if the local process's
label dominates the peer's default label, or if the local
process runs in the global zone.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_NET_OBSERVABILITY
Allow a process to open a device for receiving network
traffic only; sending traffic is disallowed.
PRIV_NET_PRIVADDR
Allow a process to bind to a privileged port number. The
privileged port numbers are 1-1023 (the traditional UNIX
privileged ports) as well as those ports marked as
"udp/tcp_extra_priv_ports" with the exception of the ports
reserved for use by NFS and SMB.
PRIV_NET_RAWACCESS
Allow a process to have direct access to the network layer.
PRIV_PROC_AUDIT
Allow a process to generate audit records. Allow a process
to get its own audit pre-selection information.
PRIV_PROC_CHROOT
Allow a process to change its root directory.
PRIV_PROC_CLOCK_HIGHRES
Allow a process to use high resolution timers.
PRIV_PROC_EXEC
Allow a process to call exec(2).
PRIV_PROC_FORK
Allow a process to call fork(2), fork1(2), or vfork(2).
PRIV_PROC_INFO
Allow a process to examine the status of processes other
than those to which it can send signals. Processes that
cannot be examined cannot be seen in /proc and appear not
to exist.
PRIV_PROC_LOCK_MEMORY
Allow a process to lock pages in physical memory.
PRIV_PROC_OWNER
Allow a process to send signals to other processes and
inspect and modify the process state in other processes,
regardless of ownership. When modifying another process,
additional restrictions apply: the effective privilege set
of the attaching process must be a superset of the target
process's effective, permitted, and inheritable sets; the
limit set must be a superset of the target's limit set; if
the target process has any UID set to 0, all privileges must
be asserted unless the effective UID is 0. Allow a process
to bind arbitrary processes to CPUs.
PRIV_PROC_PRIOCNTL
Allow a process to elevate its priority above its current
level. Allow a process to change its scheduling class to
any scheduling class, including the RT class.
PRIV_PROC_SESSION
Allow a process to send signals or trace processes outside
its session.
PRIV_PROC_SETID
Allow a process to set its UIDs at will, assuming UID 0
requires all privileges to be asserted.
PRIV_PROC_TASKID
Allow a process to assign a new task ID to the calling
process.
PRIV_PROC_ZONE
Allow a process to trace or send signals to processes in
other zones. See zones(5).
PRIV_SYS_ACCT
Allow a process to enable and disable and manage accounting
through acct(2).
PRIV_SYS_ADMIN
Allow a process to perform system administration tasks such
as setting node and domain name and specifying coreadm(1M)
and nscd(1M) settings.
PRIV_SYS_AUDIT
Allow a process to start the (kernel) audit daemon. Allow a
process to view and set audit state (audit user ID, audit
terminal ID, audit sessions ID, audit pre-selection mask).
Allow a process to turn off and on auditing. Allow a process
to configure the audit parameters (cache and queue sizes,
event to class mappings, and policy options).
PRIV_SYS_CONFIG
Allow a process to perform various system configuration
tasks. Allow filesystem-specific administrative procedures,
such as filesystem configuration ioctls, quota calls,
creation and deletion of snapshots, and manipulating the
PCFS bootsector.
PRIV_SYS_DEVICES
Allow a process to create device special files. Allow a
process to successfully call a kernel module that calls the
kernel drv_priv(9F) function to check for allowed access.
Allow a process to open the real console device directly.
Allow a process to open devices that have been exclusively
opened.
PRIV_SYS_DL_CONFIG
Allow a process to configure a system's datalink interfaces.
PRIV_SYS_IP_CONFIG
Allow a process to configure a system's IP interfaces and
routes. Allow a process to configure network parameters for
TCP/IP using ndd. Allow a process access to otherwise
restricted TCP/IP information using ndd. Allow a process to
configure IPsec. Allow a process to pop anchored STREAMs
modules with matching zoneid.
PRIV_SYS_IPC_CONFIG
Allow a process to increase the size of a System V IPC
Message Queue buffer.
PRIV_SYS_LINKDIR
Allow a process to unlink and link directories.
PRIV_SYS_MOUNT
Allow a process to mount and unmount filesystems that would
otherwise be restricted (that is, most filesystems except
namefs). Allow a process to add and remove swap devices.
PRIV_SYS_NET_CONFIG
Allow a process to do all that PRIV_SYS_IP_CONFIG and
PRIV_SYS_DL_CONFIG allow, plus the following: use the rpcmod
STREAMS module and insert/remove STREAMS modules on
locations other than the top of the module stack.
PRIV_SYS_NFS
Allow a process to provide NFS service: start NFS kernel
threads, perform NFS locking operations, bind to NFS
reserved ports: port 2049 (nfs) and port 4045 (lockd).
PRIV_SYS_RES_CONFIG
Allow a process to create and delete processor sets, assign
CPUs to processor sets and override the PSET_NOESCAPE
property. Allow a process to change the operational status
of CPUs in the system using p_online(2). Allow a process to
configure filesystem quotas. Allow a process to configure
resource pools and bind processes to pools.
PRIV_SYS_RESOURCE
Allow a process to exceed the resource limits imposed on it
by setrlimit(2) and setrctl(2).
PRIV_SYS_SMB
Allow a process to provide NetBIOS or SMB services: start
SMB kernel threads or bind to NetBIOS or SMB reserved ports:
ports 137, 138, 139 (NetBIOS) and 445 (SMB).
PRIV_SYS_SUSER_COMPAT
Allow a process to successfully call a third party loadable
module that calls the kernel suser() function to check for
allowed access. This privilege exists only for third party
loadable module compatibility and is not used by Solaris
proper.
PRIV_SYS_TIME
Allow a process to manipulate system time using any of the
appropriate system calls: stime(2), adjtime(2), and
ntp_adjtime(2).
PRIV_SYS_TRANS_LABEL
Allow a process to translate labels that are not dominated
by the process's sensitivity label to and from an external
string form.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_VIRT_MANAGE
Allow a process to manage virtualized environments such as
xVM(5).
PRIV_WIN_COLORMAP
Allow a process to override colormap restrictions.
Allow a process to install or remove colormaps.
Allow a process to retrieve colormap cell entries allocated
by other processes.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_CONFIG
Allow a process to configure or destroy resources that are
permanently retained by the X server.
Allow a process to use SetScreenSaver to set the screen
saver timeout value.
Allow a process to use ChangeHosts to modify the display
access control list.
Allow a process to use GrabServer.
Allow a process to use the SetCloseDownMode request that can
retain window, pixmap, colormap, property, cursor, font, or
graphic context resources.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_DAC_READ
Allow a process to read from a window resource that it does
not own (has a different user ID).
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_DAC_WRITE
Allow a process to write to or create a window resource that
it does not own (has a different user ID). A newly created
window property is created with the window's user ID.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_DEVICES
Allow a process to perform operations on window input
devices.
Allow a process to get and set keyboard and pointer
controls.
Allow a process to modify pointer button and key mappings.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_DGA
Allow a process to use the direct graphics access (DGA) X
protocol extensions. Direct process access to the frame
buffer is still required. Thus the process must have MAC
and DAC privileges that allow access to the frame buffer,
or the frame buffer must be allocated to the process.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_DOWNGRADE_SL
Allow a process to set the sensitivity label of a window
resource to a sensitivity label that does not dominate the
existing sensitivity label.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_FONTPATH
Allow a process to set a font path.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_MAC_READ
Allow a process to read from a window resource whose
sensitivity label is not equal to the process sensitivity
label.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_MAC_WRITE
Allow a process to create a window resource whose
sensitivity label is not equal to the process sensitivity
label. A newly created window property is created with the
window's sensitivity label.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_SELECTION
Allow a process to request inter-window data moves without
the intervention of the selection confirmer.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_WIN_UPGRADE_SL
Allow a process to set the sensitivity label of a window
resource to a sensitivity label that dominates the existing
sensitivity label.
This privilege is interpreted only if the system is
configured with Trusted Extensions.
PRIV_XVM_CONTROL
Allow a process access to the xVM(5) control devices for
managing guest domains and the hypervisor. This privilege
is used only if booted into xVM on x86 platforms.
Of the privileges listed above, the privileges
PRIV_FILE_LINK_ANY, PRIV_PROC_INFO, PRIV_PROC_SESSION,
PRIV_PROC_FORK and PRIV_PROC_EXEC are considered "basic"
privileges. These are privileges that used to be always
available to unprivileged processes. By default, processes
still have the basic privileges.
The privileges PRIV_PROC_SETID and PRIV_PROC_AUDIT must be
present in the Limit set (see below) of a process in order
for set-uid root execs to be successful, that is, get an
effective UID of 0 and additional privileges.
The privilege implementation in Solaris extends the process
credential with four privilege sets:
I, the inheritable set   The privileges inherited on exec.
P, the permitted set     The maximum set of privileges for
                         the process.
E, the effective set     The privileges currently in effect.
L, the limit set         The upper bound of the privileges a
                         process and its offspring can
                         obtain. Changes to L take effect on
                         the next exec.
The sets I, P and E are typically identical to the basic set
of privileges for unprivileged processes. The limit set is
typically the full set of privileges.
Each process has a Privilege Awareness State (PAS) that can
take the value PA (privilege-aware) or NPA (not PA). PAS is
a transitional mechanism that allows a choice between full
compatibility with the old superuser model and completely
ignoring the effective UID.
To facilitate the discussion, we introduce the notion of
"observed effective set" (oE) and "observed permitted set"
(oP) and the implementation sets iE and iP.
A process becomes privilege-aware either by manipulating the
effective, permitted, or limit privilege sets through
setppriv(2) or by using setpflags(2). In all cases, oE and
oP are invariant in the process of becoming privilege-aware.
In the process of becoming privilege-aware, the following
assignments take place:
iE = oE
iP = oP
When a process is privilege-aware, oE and oP are invariant
under UID changes. When a process is not privilege-aware, oE
and oP are observed as follows:
oE = euid == 0 ? L : iE
oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
When a non-privilege-aware process has an effective UID of
0, it can exercise the privileges contained in its limit
set, the upper bound of its privileges. If a non-privilege-aware
process has any of its UIDs equal to 0, it will appear to be
capable of potentially exercising all privileges in L.
It is possible for a process to return to the non-privilege
aware state using setpflags(). The kernel will always
attempt this on exec(2). This operation is permitted only if
the following conditions are met:
o If any of the UIDs is equal to 0, P must be equal
to L.
o If the effective UID is equal to 0, E must be equal
to L.
When a process gives up privilege awareness, the following
assignments take place:
if (euid == 0) iE = L & I
if (any uid == 0) iP = L & I
The privileges obtained when not having a UID of 0 are the
inheritable set of the process restricted by the limit set.
Only privileges in the process's (observed) effective
privilege set allow the process to perform restricted opera-
tions. A process can use any of the privilege manipulation
functions to add or remove privileges from the privilege
sets. Privileges can be removed always. Only privileges
found in the permitted set can be added to the effective and
inheritable set. The limit set cannot grow. The inheritable
set can be larger than the permitted set.
When a process performs an exec(2), the kernel will first
try to relinquish privilege awareness before making the
following privilege set modifications:
E' = P' = I' = L & I
L is unchanged
If a process has not manipulated its privileges, the
privilege sets effectively remain the same, as E, P and I
are already identical.
The limit set is enforced at exec time.
To run a non-privilege-aware application in a backward-
compatible manner, a privilege-aware application should
start the non-privilege-aware application with I=basic.
For most privileges, absence of the privilege simply results
in a failure. In some instances, the absence of a privilege
can cause system calls to behave differently. In other
instances, the removal of a privilege can force a set-uid
application to seriously malfunction. Privileges of this
type are considered "unsafe". When a process is lacking any
of the unsafe privileges from its limit set, the system will
not honor the set-uid bit of set-uid root applications. The
following unsafe privileges have been identified:
proc_setid, sys_resource and proc_audit.
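The set rules described above (the observed sets oE and oP, becoming and relinquishing privilege awareness, the exec rule E' = P' = I' = L & I, and the unsafe privileges that gate set-uid root execs) as one worked example. This is added here and is not code from this manual page or from Solaris: it models each set as a plain bitmask so it builds with any C compiler. The privilege bit numbering, the cred_t layout, and the rule that removing a privilege from P also removes it from E are assumptions of the illustration.

```c
/* Added example, not Solaris code: a portable bitmask model of the privilege
 * set rules stated in privileges(5).  The bit numbering, cred_t layout and the
 * E-within-P rule in remove_from_permitted() are assumptions made here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t privset_t;
/* Illustrative subset of the privileges, one bit each (assumed order). */
enum {
    P_PROC_EXEC     = 1u << 0, P_PROC_FORK    = 1u << 1,
    P_PROC_INFO     = 1u << 2, P_PROC_SESSION = 1u << 3,
    P_FILE_LINK_ANY = 1u << 4, P_PROC_SETID   = 1u << 5,
    P_PROC_AUDIT    = 1u << 6, P_SYS_RESOURCE = 1u << 7,
    P_FILE_DAC_READ = 1u << 8, P_SYS_MOUNT    = 1u << 9,
};
#define PRIV_ALL    ((privset_t)0x3ffu)
/* The five "basic" and the three "unsafe" privileges the page names. */
#define PRIV_BASIC  (P_PROC_EXEC | P_PROC_FORK | P_PROC_INFO | \
                     P_PROC_SESSION | P_FILE_LINK_ANY)
#define PRIV_UNSAFE (P_PROC_SETID | P_SYS_RESOURCE | P_PROC_AUDIT)

typedef struct {
    privset_t I, iP, iE, L;    /* inheritable, implementation P and E, limit */
    unsigned ruid, euid, suid;
    bool pa;                   /* privilege-aware (PA) or not (NPA) */
} cred_t;
static bool any_uid_zero(const cred_t *c) {
    return c->ruid == 0 || c->euid == 0 || c->suid == 0;
}

/* NPA: oE = euid == 0 ? L : iE.  A PA process simply observes iE. */
privset_t observed_E(const cred_t *c) {
    return (!c->pa && c->euid == 0) ? c->L : c->iE;
}
/* NPA: oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP. */
privset_t observed_P(const cred_t *c) {
    return (!c->pa && any_uid_zero(c)) ? c->L : c->iP;
}

/* Becoming PA: iE = oE and iP = oP, so oE and oP are invariant. */
void become_aware(cred_t *c) {
    if (c->pa) return;
    c->iE = observed_E(c);
    c->iP = observed_P(c);
    c->pa = true;
}

/* Return to NPA (setpflags(); the kernel also tries this on exec).  Allowed
 * only if any uid == 0 implies P == L and euid == 0 implies E == L; then
 * iE = L & I if euid == 0, and iP = L & I if any uid == 0. */
bool relinquish_awareness(cred_t *c) {
    if (!c->pa) return true;
    if (any_uid_zero(c) && c->iP != c->L) return false;
    if (c->euid == 0 && c->iE != c->L) return false;
    if (c->euid == 0) c->iE = c->L & c->I;
    if (any_uid_zero(c)) c->iP = c->L & c->I;
    c->pa = false;
    return true;
}

/* Only privileges in P may be added to E.  Touching the sets makes the
 * process privilege-aware, as setppriv(2) does. */
bool add_to_effective(cred_t *c, privset_t p) {
    become_aware(c);
    if ((p & ~c->iP) != 0) return false;
    c->iE |= p;
    return true;
}

/* Removal is always allowed.  Assumption: dropping from P also drops from E. */
void remove_from_permitted(cred_t *c, privset_t p) {
    become_aware(c);
    c->iP &= ~p;
    c->iE &= ~p;
}

/* Daemon pattern the page recommends: drop from E, P, I and L (L at next exec). */
void drop_privilege(cred_t *c, privset_t p) {
    remove_from_permitted(c, p);
    c->I &= ~p;
    c->L &= ~p;
}

/* exec(2): try to relinquish awareness, then E' = P' = I' = L & I. */
void do_exec(cred_t *c) {
    (void)relinquish_awareness(c);
    c->I &= c->L;
    c->iE = c->iP = c->I;
}

/* A set-uid root exec is honored only if no unsafe privilege is missing from L. */
bool setuid_root_honored(const cred_t *c) {
    return (c->L & PRIV_UNSAFE) == PRIV_UNSAFE;
}
int main(void) {
    cred_t r = { PRIV_BASIC, PRIV_BASIC, PRIV_BASIC, PRIV_ALL, 0, 0, 0, false };
    printf("uid 0, NPA: oE=%#x\n", (unsigned)observed_E(&r));  /* all of L */
    remove_from_permitted(&r, P_SYS_MOUNT);                       /* now PA */
    printf("oE=%#x, NPA allowed=%d\n", (unsigned)observed_E(&r),
           (int)relinquish_awareness(&r));
    return 0;
}
```

The main() walks the case the page singles out: a UID 0 process that is not privilege-aware observes all of L as its effective set; once it touches its sets it is privilege-aware, and after shrinking P it can no longer return to the non-aware state because E and P must equal L for a UID 0 process to do so.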
Privilege Escalation
In certain circumstances, a single privilege could lead to a
process gaining one or more additional privileges that were
not explicitly granted to that process. To prevent such an
escalation of privileges, the security policy will require
explicit permission for those additional privileges.
Common examples of escalation are those mechanisms that
allow modification of system resources through "raw"
interfaces; for example, changing kernel data structures
through /dev/kmem or changing files through /dev/dsk/*.
Escalation also occurs when a process controls processes
with more privileges than the controlling process. A special
case of this is manipulating or creating objects owned by
UID 0 or trying to obtain UID 0 using setuid(2). The special
treatment of UID 0 is needed because UID 0 owns all system
configuration files and ordinary file protection mechanisms
allow processes with UID 0 to modify the system
configuration. With appropriate file modifications, a given
process running with an effective UID of 0 can gain all
privileges.
In situations where a process might obtain UID 0, the
security policy requires additional privileges, up to the
full set of privileges. Such restrictions could be relaxed
or removed at such time as additional mechanisms for
protection of system files became available. There are no
such mechanisms in the current Solaris release.
The use of UID 0 processes should be limited as much as
possible. They should be replaced with programs running
under a different UID but with exactly the privileges they
need. Daemons that never need to exec subprocesses should
remove the PRIV_PROC_EXEC privilege from their permitted and
limit sets.
Assigned Privileges and Safeguards
When privileges are assigned to a user, the system
administrator could give that user more powers than
intended. The administrator should consider whether
safeguards are needed. For example, if the
PRIV_PROC_LOCK_MEMORY privilege is given to a user, the
administrator should consider setting the
project.max-locked-memory resource control as well, to
prevent that user from locking all memory.
Privilege Debugging
When a system call fails with a permission error, it is not
always immediately obvious what caused the problem. To debug
such a problem, you can use a tool called privilege
debugging. When privilege debugging is enabled for a process,
the kernel reports missing privileges on the controlling
terminal of the process. (Enable debugging for a process with
the -D option of ppriv(1).) Additionally, the administrator
can enable system-wide privilege debugging by setting the
system(4) variable priv_debug using:
set priv_debug = 1
On a running system, you can use mdb(1) to change this
variable.
Privilege Administration
The Solaris Management Console (see smc(1M)) is the
preferred method of modifying privileges for a command. Use
usermod(1M) or smrole(1M) to assign privileges to or modify
privileges for, respectively, a user or a role. Use ppriv(1)
to enumerate the privileges supported on a system and
truss(1) to determine which privileges a program requires.
SEE ALSO
mdb(1), ppriv(1), add_drv(1M), ifconfig(1M), lockd(1M),
nfsd(1M), rem_drv(1M), smbd(1M), update_drv(1M), Intro(2),
access(2), acct(2), acl(2), adjtime(2), audit(2),
auditon(2), chmod(2), chown(2), chroot(2), creat(2), exec(2),
fcntl(2), fork(2), fpathconf(2), getacct(2), getpflags(2),
getppriv(2), getsid(2), kill(2), link(2), memcntl(2),
mknod(2), mount(2), msgctl(2), nice(2), ntp_adjtime(2),
open(2), p_online(2), priocntl(2), priocntlset(2),
processor_bind(2), pset_bind(2), pset_create(2),
readlink(2), resolvepath(2), rmdir(2), semctl(2),
setauid(2), setegid(2), seteuid(2), setgid(2), setgroups(2),
setpflags(2), setppriv(2), setrctl(2), setregid(2),
setreuid(2), setrlimit(2), settaskid(2), setuid(2),
shmctl(2), shmget(2), shmop(2), sigsend(2), stat(2),
statvfs(2), stime(2), swapctl(2), sysinfo(2), uadmin(2),
ulimit(2), umount(2), unlink(2), utime(2), utimes(2),
bind(3SOCKET), door_ucred(3C), priv_addset(3C),
priv_set(3C), priv_getbyname(3C), priv_getbynum(3C),
priv_set_to_str(3C), priv_str_to_set(3C), socket(3SOCKET),
t_bind(3NSL), timer_create(3C), ucred_get(3C), exec_attr(4),
proc(4), system(4), user_attr(4), xVM(5), ddi_cred(9F),
drv_priv(9F), priv_getbyname(9F), priv_policy(9F),
priv_policy_choice(9F), priv_policy_only(9F)
System Administration Guide: Security Services