unixdev.net


Switch to SpeakEasy.net DSL

The Modular Manual Browser

Home Page
Manual: (SunOS-5.10)
Page:
Section:
Apropos / Subsearch:
optional field

privileges(5)         Standards, Environments, and Macros        privileges(5)



NAME
       privileges - process privilege model

DESCRIPTION
       Solaris  software  implements  a  set  of privileges that provide fine-
       grained control over the actions of processes. The possession of a cer-
       tain privilege allows a process to perform a specific set of restricted
       operations.

       The change to a primarily privilege-based security model in the Solaris
       operating  system gives developers an opportunity to restrict processes
       to those privileged operations actually needed instead of  all  (super-
       user)  or  no privileges (non-zero uids). Additionally, a set of previ-
       ously unrestricted operations now requires a  privilege;  these  privi-
       leges are dubbed the "basic" privileges and are by default given to all
       processes.

       Taken together, all  defined  privileges  with  the  exception  of  the
       "basic" privileges compose the set of privileges that are traditionally
       associated with the root user. The "basic" privileges are  "privileges"
       unprivileged processes were accustomed to having.

       The defined privileges are:

       PRIV_CONTRACT_EVENT

           Allows a process to request reliable delivery of events to an event
           endpoint. Allows a process to include events in the critical  event
           set  term  of  a template which could be generated in volume by the
           user.



       PRIV_CONTRACT_OBSERVER

           Allows a process to observe contract events generated by  contracts
           created  and owned by users other than the process's effective user
           ID. Allows a process to open contract event endpoints belonging  to
           contracts  created  and  owned  by  users  other than the process's
           effective user ID.



       PRIV_CPC_CPU

           Allow a process to access per-CPU hardware performance counters.



       PRIV_DTRACE_PROC

           Allow DTrace process-level  tracing.  Allow  process-level  tracing
           probes  to be placed and enabled in processes to which the user has
           permissions.



       PRIV_DTRACE_USER

           Allow DTrace user-level tracing. Allow use of the syscall and  pro-
           file  DTrace  providers  to examine processes to which the user has
           permissions.



       PRIV_DTRACE_KERNEL

           Allow DTrace kernel-level tracing.



       PRIV_FILE_CHOWN

           Allow a process to change a file's owner user ID. Allow  a  process
           to  change a file's group ID to one other than the process's effec-
           tive group ID or one of the process's supplemental group IDs.



       PRIV_FILE_CHOWN_SELF

           Allow a process to give away its files. A process with this  privi-
           lege will run as if {_POSIX_CHOWN_RESTRICTED} is not in effect.



       PRIV_FILE_DAC_EXECUTE

           Allow a process to execute an executable file whose permission bits
           or ACL would otherwise disallow the process execute permission.



       PRIV_FILE_DAC_READ

           Allow a process to read a file or directory whose  permission  bits
           or ACL would otherwise disallow the process read permission.



       PRIV_FILE_DAC_SEARCH

           Allow  a process to search a directory whose permission bits or ACL
           would not otherwise allow the process search permission.



       PRIV_FILE_DAC_WRITE

           Allow a process to write a file or directory whose permission  bits
           or  ACL  do  not allow the process write permission. All privileges
           are required to write files owned by UID 0 in  the  absence  of  an
           effective UID of 0.



       PRIV_FILE_LINK_ANY

           Allow a process to create hardlinks to files owned by a UID differ-
           ent from the process's effective UID.



       PRIV_FILE_OWNER

           Allow a process that is not the owner of  a  file  to  modify  that
           file's  access  and modification times. Allow a process that is not
           the owner of a directory to modify that directory's access and mod-
           ification times. Allow a process that is not the owner of a file or
           directory to remove or rename a  file  or  directory  whose  parent
           directory  has  the  "save text image after execution" (sticky) bit
           set. Allow a process that is not the owner of a  file  to  mount  a
           namefs  upon  that file. Allow a process that is not the owner of a
           file or directory to modify that file's or  directory's  permission
           bits or ACL.



       PRIV_FILE_SETID

           Allow  a  process  to  change the ownership of a file or write to a
           file without the set-user-ID and set-group-ID bits  being  cleared.
           Allow  a process to set the set-group-ID bit on a file or directory
           whose group is not the process'  effective  group  or  one  of  the
           process'  supplemental groups. Allow a process to set the set-user-
           ID bit on a file  with  different  ownership  in  the  presence  of
           PRIV_FILE_OWNER.  Additional  restrictions  apply  when creating or
           modifying a setuid 0 file.



       PRIV_IPC_DAC_READ

           Allow a process to read a System V  IPC  Message  Queue,  Semaphore
           Set,  or Shared Memory Segment whose permission bits would not oth-
           erwise allow the process read permission.



       PRIV_IPC_DAC_WRITE

           Allow a process to write a System V IPC  Message  Queue,  Semaphore
           Set,  or Shared Memory Segment whose permission bits would not oth-
           erwise allow the process write permission.



       PRIV_IPC_OWNER

           Allow a process that is not the owner of a  System  V  IPC  Message
           Queue,  Semaphore  Set,  or Shared Memory Segment to remove, change
           ownership of, or change permission bits of the Message Queue, Sema-
           phore Set, or Shared Memory Segment.



       PRIV_NET_ICMPACCESS

           Allow a process to send and receive ICMP packets.



       PRIV_NET_PRIVADDR

           Allow  a process to bind to a privileged port number. The privilege
           port numbers are 1-1023 (the traditional UNIX privileged ports)  as
           well  as  those ports marked as "udp/tcp_extra_priv_ports" with the
           exception of the ports reserved for use by NFS.



       PRIV_NET_RAWACCESS

           Allow a process to have direct access to the network layer.



       PRIV_PROC_CHROOT

           Allow a process to change its root directory.



       PRIV_PROC_CLOCK_HIGHRES

           Allow a process to use high resolution timers.



       PRIV_PROC_AUDIT

           Allow a process to generate audit records. Allow a process  to  get
           its own audit pre-selection information.



       PRIV_PROC_EXEC

           Allow a process to call execve(2).



       PRIV_PROC_FORK

           Allow a process to call fork(2), fork1(2), or vfork(2).



       PRIV_PROC_INFO

           Allow a process to examine the status of processes other than those
           to which it can send signals. Processes  that  cannot  be  examined
           cannot be seen in /proc and appear not to exist.



       PRIV_PROC_LOCK_MEMORY

           Allow a process to lock pages in physical memory.



       PRIV_PROC_OWNER

           Allow  a process to send signals to other processes and inspect and
           modify the process state in other processes, regardless  of  owner-
           ship.  When  modifying  another  process,  additional  restrictions
           apply: the effective privilege set of the attaching process must be
           a superset of the target process's effective, permitted, and inher-
           itable sets; the limit set must be a superset of the target's limit
           set;  if the target process has any UID set to 0 all privilege must
           be asserted unless the effective UID is 0. Allow a process to  bind
           arbitrary processes to CPUs.



       PRIV_PROC_PRIOCNTL

           Allow  a  process  to elevate its priority above its current level.
           Allow a process to change its scheduling class  to  any  scheduling
           class, including the RT class.



       PRIV_PROC_SESSION

           Allow a process to send signals or trace processes outside its ses-
           sion.



       PRIV_PROC_SETID

           Allow a process to set its UIDs at will, assuming  UID  0  requires
           all privileges to be asserted.



       PRIV_PROC_TASKID

           Allow a process to assign a new task ID to the calling process.



       PRIV_PROC_ZONE

           Allow  a  process  to  trace  or send signals to processes in other
           zones. See zones(5).



       PRIV_SYS_ACCT

           Allow a process to enable and disable and manage accounting through
           acct(2).



       PRIV_SYS_ADMIN

           Allow a process to perform system administration tasks such as set-
           ting node and domain name and specifying coreadm(1M)  and  nscd(1M)
           settings



       PRIV_SYS_AUDIT

           Allow a process to start the (kernel) audit daemon. Allow a process
           to view and set audit state (audit  user  ID,  audit  terminal  ID,
           audit  sessions  ID,  audit pre-selection mask). Allow a process to
           turn off and on auditing. Allow a process to  configure  the  audit
           parameters  (cache  and  queue  sizes, event to class mappings, and
           policy options).



       PRIV_SYS_CONFIG

           Allow a process to  perform  various  system  configuration  tasks.
           Allow   filesystem-specific   administrative  procedures,  such  as
           filesystem configuration ioctls, quota calls, creation and deletion
           of snapshots, and manipulating the PCFS bootsector.



       PRIV_SYS_DEVICES

           Allow  a process to create device special files. Allow a process to
           successfully  call  a  kernel  module   that   calls   the   kernel
           drv_priv(9F)  function to check for allowed access. Allow a process
           to open the real console device directly. Allow a process  to  open
           devices that have been exclusively opened.



       PRIV_SYS_IPC_CONFIG

           Allow  a  process  to  increase  the size of a System V IPC Message
           Queue buffer.



       PRIV_SYS_LINKDIR

           Allow a process to unlink and link directories.



       PRIV_SYS_MOUNT

           Allow a process to mount and unmount filesystems that would  other-
           wise be restricted (that is, most filesystems except namefs). Allow
           a process to add and remove swap devices.



       PRIV_SYS_NET_CONFIG

           Allow a process to configure  a  system's  network  interfaces  and
           routes.  Allow a process to configure network parameters using ndd.
           Allow a process access to otherwise  restricted  information  using
           ndd.



       PRIV_SYS_NFS

           Allow  a  process to provide NFS service: start NFS kernel threads,
           perform NFS locking operations, bind to NFS reserved  ports:  ports
           2049 (nfs) and port 4045 (lockd).



       PRIV_SYS_RES_CONFIG

           Allow a process to create and delete processor sets, assign CPUs to
           processor sets and override the  PSET_NOESCAPE  property.  Allow  a
           process  to  change  the  operational  status of CPUs in the system
           using p_online(2). Allow a process to configure filesystem  quotas.
           Allow  a  process to configure resource pools and bind processes to
           pools.



       PRIV_SYS_RESOURCE

           Allow a process to exceed the resource  limits  imposed  on  it  by
           setrlimit(2) and setrctl(2).



       PRIV_SYS_SUSER_COMPAT

           Allow  a process to successfully call a third party loadable module
           that calls the kernel suser() function to check for allowed access.
           This privilege exists only for third party loadable module compati-
           bility and is not used by Solaris proper.



       PRIV_SYS_TIME

           Allow a process to manipulate system time using any of  the  appro-
           priate system calls: stime(2), adjtime(2), and ntp_adjtime(2).



       Of  the  privileges  listed  above,  the privileges PRIV_FILE_LINK_ANY,
       PRIV_PROC_INFO, PRIV_PROC_SESSION,  PRIV_PROC_FORK  and  PRIV_PROC_EXEC
       are considered "basic" privileges. These are privileges that used to be
       always available to unprivileged processes. By default, processes still
       have the basic privileges.

       The  privileges  PRIV_PROC_SETID and PRIV_PROC_AUDIT must be present in
       the Limit set (see below) of a process in order for set-uid root  execs
       to  be  successful,  that  is, get an effective UID of 0 and additional
       privileges.

       The privilege implementation in Solaris extends the process  credential
       with four privilege sets:

       I, the inheritable set

           The privileges inherited on exec.



       P, the permitted set

           The maximum set of privileges for the process.



       E, the effective set

           The privileges currently in effect.



       L, the limit set

           The  upper  bound of the privileges a process and its offspring can
           obtain. Changes to L take effect on the next exec.



       The sets I, P and E are typically identical to the basic set of  privi-
       leges  for  unprivileged processes. The limit set is typically the full
       set of privileges.

       Additionally, each process has a Privilege Awareness State (PAS)  which
       can  take  the  value  PA  (Privilege Aware) and NPA (Not-PA). PAS is a
       transitional mechanism which allows a choice between full compatibility
       with  the  old  super-user  model and completely ignoring the effective
       UID.

       In order to facilitate the  discussion,  we  introduce  the  notion  of
       "observed effective set" (oE) and "observed permitted set" (oP) and the
       implementation sets iE and iP.

       When a process is Privilege Aware, oE and oP are  invariant  under  UID
       changes;  when a process is not privilege aware, oE and oP are observed
       as follows:

       oE = euid == 0 ? L : iE
       oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP


       That is, when a non-privilege-aware process has an effective UID of  0,
       it  can  exercise  the privileges contained in its limit set, the upper
       bound of its privileges. If a non-privilege-aware process  has  any  of
       the uids 0, it will appear to be able to potentially exercise all priv-
       ileges in L.

       A process can attempt to become NPA using setpflags(2); the kernel will
       always attempt this on exec(2).

       Only  privileges  in  the  process's (observed) effective privilege set
       allow the process to perform restricted operations. A process  may  use
       any of the privilege manipulation functions to add or remove privileges
       from the privilege sets. Privileges can be removed always; only  privi-
       leges  found  in  the  permitted  set can be added to the effective and
       inheritable set. The limit set cannot grow. The inheritable set can  be
       larger than the permitted set.

       When a process performs an exec(2), the kernel will first try to relin-
       quish privilege awareness and then the following privilege set  modifi-
       cations take place:

       E' = P' = I' = L & I
       L is unchanged


       If  a  process  has  not manipulated its privileges, then the privilege
       sets effectively remain the same, as E, P and I are already identical.

       To run a non-privilege-aware application in a backward-compatible  man-
       ner, a privilege-aware application should start the non-privilege-aware
       application with I=basic.

       For most privileges, absence of the privilege simply results in a fail-
       ure.  In  some  instances,  the absense of a privilege can cause system
       calls to behave differently. In other instances, the removal of a priv-
       ilege  can force a set-uid application to seriously malfunction. Privi-
       leges of this type are considered "unsafe". When a process  is  lacking
       any  of  the  unsafe privileges from its limit set, the system will not
       honor the set-uid bit  of  set-uid  root  applications.  The  following
       unsafe  privileges  have  been identified: proc_setid, sys_resource and
       proc_audit.

   Privilege Escalation
       In certain circumstances, a single privilege could lead  to  a  process
       gaining  one  or  more  additional  privileges that were not explicitly
       granted to that process. To prevent such an escalation  of  privileges,
       the  security  policy  will require explicit permission for those addi-
       tional privileges.

       Common examples of escalation are those mechanisms that allow modifica-
       tion of system resources through "raw'' interfaces; for example, chang-
       ing kernel data structures through /dev/kmem or changing files  through
       /dev/dsk/*.  Escalation  also  occurs when a process controls processes
       with more privileges than the controlling process. A  special  case  of
       this  is  manipulating  or creating objects owned by UID 0 or trying to
       obtain UID 0 using setuid(2). The special treatment of UID 0 is  needed
       because the UID 0 owns all system configuration files and ordinary file
       protection mechanisms allow processes with UID 0 to modify  the  system
       configuration.  With  appropriate  file  modifications, a given process
       running with an effective UID of 0 can gain all privileges.

       In situations where a process might obtain UID 0, the  security  policy
       requires  additional privileges, up to the full set of privileges. Such
       restrictions could be relaxed or removed at  such  time  as  additional
       mechanisms  for  protection of system files became available. There are
       no such mechanisms in the current Solaris release.

       The use of UID 0 processes should be limited as much as possible.  They
       should be replaced with programs running under a different UID but with
       exactly the privileges they need.

       Daemons  that  never  need  to  exec  subprocesses  should  remove  the
       PRIV_PROC_EXEC privilege from their permitted and limit sets.

   Privilege Debugging
       When  a  system  call  fails  with a permission error, it is not always
       immediately obvious what caused the problem. To debug such  a  problem,
       you can use a tool called privilege debugging. When privilege debugging
       is enabled for a process, the kernel reports missing privileges on  the
       controlling  terminal  of  the process. (Enable debugging for a process
       with the -D option of ppriv(1).) Additionally,  the  administrator  can
       enable  system-wide  privilege debugging by setting the system(4) vari-
       able priv_debug using:

       set priv_debug = 1


       On a running system, you can use mdb(1) to change this variable.

SEE ALSO
       mdb(1),  ppriv(1),  add_drv(1M),  ifconfig(1M),  lockd(1M),   nfsd(1M),
       rem_drv(1M), update_drv(1M), Intro(2), access(2), acct(2), acl(2), adj-
       time(2),  audit(2),  auditon(2),   auditsvc(2),   chmod(2),   chown(2),
       chroot(2),   creat(2),   exec(2),   fcntl(2),   fork(2),  fpathconf(2),
       getacct(2), getpflags(2),  getppriv(2),  getsid(2),  kill(2),  link(2),
       memcntl(2),  mknod(2),  mount(2),  msgctl(2),  nice(2), ntp_adjtime(2),
       open(2), p_online(2), priocntl(2),  priocntlset(2),  processor_bind(2),
       pset_bind(2),  pset_create(2),  readlink(2),  resolvepath(2), rmdir(2),
       semctl(2), setauid(2), setegid(2), seteuid(2), setgid(2), setgroups(2),
       setpflags(2),  setppriv(2), setrctl(2), setregid(2), setreuid(2), setr-
       limit(2),  settaskid(2),  setuid(2),  shmctl(2),  shmget(2),  shmop(2),
       sigsend(2), stat(2), statvfs(2), stime(2), swapctl(2), sysinfo(2), uad-
       min(2),   ulimit(2),   umount(2),   unlink(2),   utime(2),   utimes(2),
       bind(3SOCKET),    door_ucred(3DOOR),   priv_addset(3C),   priv_set(3C),
       priv_getbyname(3C),       priv_getbynum(3C),       priv_set_to_str(3C),
       priv_str_to_set(3C),  socket(3SOCKET), t_bind(3NSL), timer_create(3RT),
       ucred_get(3C),   exec_attr(4),   proc(4),   system(4),    user_attr(4),
       ddi_cred(9F),    drv_priv(9F),   priv_getbyname(9F),   priv_policy(9F),
       priv_policy_choice(9F), priv_policy_only(9F)



SunOS 5.10                        19 Jul 2004                    privileges(5)