3923 Users should be able to lower nice value of processes within a zone

[illumos-gate.git] / usr / src / man / man5 / privileges.5

'\" te
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2013, Joyent, Inc. All Rights Reserved.
.\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing.
.\"  See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with
.\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
.TH PRIVILEGES 5 "May 29, 2009"
.SH NAME
privileges \- process privilege model
.SH DESCRIPTION
.sp
.LP
Solaris software implements a set of privileges that provide fine-grained
control over the actions of processes. The possession of a certain privilege
allows a process to perform a specific set of restricted operations.
.sp
.LP
The change to a primarily privilege-based security model in the Solaris
operating system gives developers an opportunity to restrict processes to those
privileged operations actually needed instead of all (super-user) or no
privileges (non-zero UIDs). Additionally, a set of previously unrestricted
operations now requires a privilege; these privileges are dubbed the "basic"
privileges and are by default given to all processes.
.sp
.LP
Taken together, all defined privileges with the exception of the "basic"
privileges compose the set of privileges that are traditionally associated with
the root user. The "basic" privileges are "privileges" unprivileged processes
were accustomed to having.
.sp
.LP
The defined privileges are:
.sp
.ne 2
.na
\fB\fBPRIV_CONTRACT_EVENT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to request reliable delivery of events to an event endpoint.
.sp
Allow a process to include events in the critical event set term of a template
which could be generated in volume by the user.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_CONTRACT_IDENTITY\fR\fR
.ad
.sp .6
.RS 4n
Allows a process to set the service FMRI value of a process contract template.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_CONTRACT_OBSERVER\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to observe contract events generated by contracts created and
owned by users other than the process's effective user ID.
.sp
Allow a process to open contract event endpoints belonging to contracts created
and owned by users other than the process's effective user ID.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_CPC_CPU\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to access per-CPU hardware performance counters.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_DTRACE_KERNEL\fR\fR
.ad
.sp .6
.RS 4n
Allow DTrace kernel-level tracing.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_DTRACE_PROC\fR\fR
.ad
.sp .6
.RS 4n
Allow DTrace process-level tracing. Allow process-level tracing probes to be
placed and enabled in processes to which the user has permissions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_DTRACE_USER\fR\fR
.ad
.sp .6
.RS 4n
Allow DTrace user-level tracing. Allow use of the syscall and profile DTrace
providers to examine processes to which the user has permissions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_CHOWN\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to change a file's owner user ID. Allow a process to change a
file's group ID to one other than the process's effective group ID or one of
the process's supplemental group IDs.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_CHOWN_SELF\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to give away its files. A process with this privilege runs as
if {\fB_POSIX_CHOWN_RESTRICTED\fR} is not in effect.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DAC_EXECUTE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to execute an executable file whose permission bits or ACL
would otherwise disallow the process execute permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DAC_READ\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to read a file or directory whose permission bits or ACL would
otherwise disallow the process read permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DAC_SEARCH\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to search a directory whose permission bits or ACL would not
otherwise allow the process search permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DAC_WRITE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to write a file or directory whose permission bits or ACL do
not allow the process write permission. All privileges are required to write
files owned by UID 0 in the absence of an effective UID of 0.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_DOWNGRADE_SL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the sensitivity label of a file or directory to a
sensitivity label that does not dominate the existing sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_LINK_ANY\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to create hardlinks to files owned by a UID different from the
process's effective UID.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_OWNER\fR\fR
.ad
.sp .6
.RS 4n
Allow a process that is not the owner of a file to modify that file's access
and modification times. Allow a process that is not the owner of a directory to
modify that directory's access and modification times. Allow a process that is
not the owner of a file or directory to remove or rename a file or directory
whose parent directory has the "save text image after execution" (sticky) bit
set. Allow a process that is not the owner of a file to mount a \fBnamefs\fR
upon that file. Allow a process that is not the owner of a file or directory to
modify that file's or directory's permission bits or ACL.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_SETID\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to change the ownership of a file or write to a file without
the set-user-ID and set-group-ID bits being cleared. Allow a process to set the
set-group-ID bit on a file or directory whose group is not the process's
effective group or one of the process's supplemental groups. Allow a process to
set the set-user-ID bit on a file with different ownership in the presence of
\fBPRIV_FILE_OWNER\fR. Additional restrictions apply when creating or modifying
a setuid 0 file.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_UPGRADE_SL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the sensitivity label of a file or directory to a
sensitivity label that dominates the existing sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_FILE_FLAG_SET\fR\fR
.ad
.sp .6
.RS 4n
Allows a process to set immutable, nounlink or appendonly file attributes.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_GRAPHICS_ACCESS\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to make privileged ioctls to graphics devices. Typically only
an xserver process needs to have this privilege. A process with this privilege
is also allowed to perform privileged graphics device mappings.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_GRAPHICS_MAP\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform privileged mappings through a graphics device.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_IPC_DAC_READ\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared
Memory Segment whose permission bits would not otherwise allow the process read
permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_IPC_DAC_WRITE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared
Memory Segment whose permission bits would not otherwise allow the process
write permission.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_IPC_OWNER\fR\fR
.ad
.sp .6
.RS 4n
Allow a process that is not the owner of a System V IPC Message Queue,
Semaphore Set, or Shared Memory Segment to remove, change ownership of, or
change permission bits of the Message Queue, Semaphore Set, or Shared Memory
Segment.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_BINDMLP\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to bind to a port that is configured as a multi-level port
(MLP) for the process's zone. This privilege applies to both shared address and
zone-specific address MLPs. See \fBtnzonecfg\fR(\fB4\fR) from the Trusted
Extensions manual pages for information on configuring MLP ports.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_ICMPACCESS\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to send and receive ICMP packets.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_MAC_AWARE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the \fBNET_MAC_AWARE\fR process flag by using
\fBsetpflags\fR(2). This privilege also allows a process to set the
\fBSO_MAC_EXEMPT\fR socket option by using \fBsetsockopt\fR(3SOCKET). The
\fBNET_MAC_AWARE\fR process flag and the \fBSO_MAC_EXEMPT\fR socket option both
allow a local process to communicate with an unlabeled peer if the local
process's label dominates the peer's default label, or if the local process
runs in the global zone.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_OBSERVABILITY\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to open a device for just receiving network traffic, sending
traffic is disallowed.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_PRIVADDR\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to bind to a privileged port number. The privilege port numbers
are 1-1023 (the traditional UNIX privileged ports) as well as those ports
marked as "\fBudp/tcp_extra_priv_ports\fR" with the exception of the ports
reserved for use by NFS and SMB.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_NET_RAWACCESS\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to have direct access to the network layer.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_AUDIT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to generate audit records. Allow a process to get its own audit
pre-selection information.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_CHROOT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to change its root directory.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_CLOCK_HIGHRES\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to use high resolution timers.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_EXEC\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to call \fBexec\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_FORK\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to call \fBfork\fR(2), \fBfork1\fR(2), or \fBvfork\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_INFO\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to examine the status of processes other than those to which it
can send signals. Processes that cannot be examined cannot be seen in
\fB/proc\fR and appear not to exist.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_LOCK_MEMORY\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to lock pages in physical memory.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_OWNER\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to send signals to other processes and inspect and modify the
process state in other processes, regardless of ownership. When modifying
another process, additional restrictions apply: the effective privilege set of
the attaching process must be a superset of the target process's effective,
permitted, and inheritable sets; the limit set must be a superset of the
target's limit set; if the target process has any UID set to 0 all privilege
must be asserted unless the effective UID is 0. Allow a process to bind
arbitrary processes to CPUs.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_PRIOUP\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to elevate its priority above its current level.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_PRIOCNTL\fR\fR
.ad
.sp .6
.RS 4n
Allows all that PRIV_PROC_PRIOUP allows.
Allow a process to change its scheduling class to any scheduling class,
including the RT class.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_SESSION\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to send signals or trace processes outside its session.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_SETID\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set its UIDs at will, assuming UID 0 requires all privileges
to be asserted.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_TASKID\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to assign a new task ID to the calling process.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_PROC_ZONE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to trace or send signals to processes in other zones. See
\fBzones\fR(5).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_ACCT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to enable and disable and manage accounting through
\fBacct\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_ADMIN\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform system administration tasks such as setting node and
domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_AUDIT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to start the (kernel) audit daemon. Allow a process to view and
set audit state (audit user ID, audit terminal ID, audit sessions ID, audit
pre-selection mask). Allow a process to turn off and on auditing. Allow a
process to configure the audit parameters (cache and queue sizes, event to
class mappings, and policy options).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform various system configuration tasks. Allow
filesystem-specific administrative procedures, such as filesystem configuration
ioctls, quota calls, creation and deletion of snapshots, and manipulating the
PCFS bootsector.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_DEVICES\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to create device special files. Allow a process to successfully
call a kernel module that calls the kernel \fBdrv_priv\fR(9F) function to check
for allowed access. Allow a process to open the real console device directly.
Allow a process to open devices that have been exclusively opened.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_DL_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to configure a system's datalink interfaces.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_IP_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to configure a system's IP interfaces and routes. Allow a
process to configure network parameters for \fBTCP/IP\fR using \fBndd\fR. Allow
a process access to otherwise restricted \fBTCP/IP\fR information using
\fBndd\fR. Allow a process to configure \fBIPsec\fR. Allow a process to pop
anchored \fBSTREAM\fRs modules with matching \fBzoneid\fR.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_IPC_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to increase the size of a System V IPC Message Queue buffer.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_LINKDIR\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to unlink and link directories.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_MOUNT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to mount and unmount filesystems that would otherwise be
restricted (that is, most filesystems except \fBnamefs\fR). Allow a process to
add and remove swap devices.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_NET_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to do all that \fBPRIV_SYS_IP_CONFIG\fR,
\fBPRIV_SYS_DL_CONFIG\fR, and \fBPRIV_SYS_PPP_CONFIG\fR allow, plus the
following: use the \fBrpcmod\fR STREAMS module and insert/remove STREAMS
modules on locations other than the top of the module stack.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_NFS\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to provide NFS service: start NFS kernel threads, perform NFS
locking operations, bind to NFS reserved ports: ports 2049 (\fBnfs\fR) and port
4045 (\fBlockd\fR).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_PPP_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to create, configure, and destroy PPP instances with pppd(1M)
\fBpppd\fR(1M) and control PPPoE plumbing with \fBsppptun\fR(1M)sppptun(1M).
This privilege is granted by default to exclusive IP stack instance zones.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_RES_BIND\fR\fR
.ad
.sp .6
.RS 4n
Allows a process to bind processes to processor sets.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_RES_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allows all that PRIV_SYS_RES_BIND allows.
Allow a process to create and delete processor sets, assign CPUs to processor
sets and override the \fBPSET_NOESCAPE\fR property. Allow a process to change
the operational status of CPUs in the system using \fBp_online\fR(2). Allow a
process to configure filesystem quotas. Allow a process to configure resource
pools and bind processes to pools.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_RESOURCE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to exceed the resource limits imposed on it by
\fBsetrlimit\fR(2) and \fBsetrctl\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_SMB\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
(SMB).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_SUSER_COMPAT\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to successfully call a third party loadable module that calls
the kernel \fBsuser()\fR function to check for allowed access. This privilege
exists only for third party loadable module compatibility and is not used by
Solaris proper.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_TIME\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to manipulate system time using any of the appropriate system
calls: \fBstime\fR(2), \fBadjtime\fR(2), and \fBntp_adjtime\fR(2).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_SYS_TRANS_LABEL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to translate labels that are not dominated by the process's
sensitivity label to and from an external string form.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_VIRT_MANAGE\fR\fR
.ad
.sp .6
.RS 4n
Allows a process to manage virtualized environments such as \fBxVM\fR(5).
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_COLORMAP\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to override colormap restrictions.
.sp
Allow a process to install or remove colormaps.
.sp
Allow a process to retrieve colormap cell entries allocated by other processes.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_CONFIG\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to configure or destroy resources that are permanently retained
by the X server.
.sp
Allow a process to use SetScreenSaver to set the screen saver timeout value
.sp
Allow a process to use ChangeHosts to modify the display access control list.
.sp
Allow a process to use GrabServer.
.sp
Allow a process to use the SetCloseDownMode request that can retain window,
pixmap, colormap, property, cursor, font, or graphic context resources.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DAC_READ\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to read from a window resource that it does not own (has a
different user ID).
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DAC_WRITE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to write to or create a window resource that it does not own
(has a different user ID). A newly created window property is created with the
window's user ID.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DEVICES\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to perform operations on window input devices.
.sp
Allow a process to get and set keyboard and pointer controls.
.sp
Allow a process to modify pointer button and key mappings.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DGA\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to use the direct graphics access (DGA) X protocol extensions.
Direct process access to the frame buffer is still required. Thus the process
must have MAC and DAC privileges that allow access to the frame buffer, or the
frame buffer must be allocated to the process.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_DOWNGRADE_SL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the sensitivity label of a window resource to a
sensitivity label that does not dominate the existing sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_FONTPATH\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set a font path.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_MAC_READ\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to read from a window resource whose sensitivity label is not
equal to the process sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_MAC_WRITE\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to create a window resource whose sensitivity label is not
equal to the process sensitivity label. A newly created window property is
created with the window's sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_SELECTION\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to request inter-window data moves without the intervention of
the selection confirmer.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_WIN_UPGRADE_SL\fR\fR
.ad
.sp .6
.RS 4n
Allow a process to set the sensitivity label of a window resource to a
sensitivity label that dominates the existing sensitivity label.
.sp
This privilege is interpreted only if the system is configured with Trusted
Extensions.
.RE

.sp
.ne 2
.na
\fB\fBPRIV_XVM_CONTROL\fR\fR
.ad
.sp .6
.RS 4n
Allows a process access to the \fBxVM\fR(5) control devices for managing guest
domains and the hypervisor. This privilege is used only if booted into xVM on
x86 platforms.
.RE

.sp
.LP
Of the privileges listed above, the privileges \fBPRIV_FILE_LINK_ANY\fR,
\fBPRIV_PROC_INFO\fR, \fBPRIV_PROC_SESSION\fR, \fBPRIV_PROC_FORK\fR and
\fBPRIV_PROC_EXEC\fR are considered "basic" privileges. These are privileges
that used to be always available to unprivileged processes. By default,
processes still have the basic privileges.
.sp
.LP
The privileges \fBPRIV_PROC_SETID\fR and \fBPRIV_PROC_AUDIT\fR must be present
in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs
to be successful, that is, get an effective UID of 0 and additional privileges.
.sp
.LP
The privilege implementation in Solaris extends the process credential with
four privilege sets:
.sp
.ne 2
.na
\fBI, the inheritable set\fR
.ad
.RS 26n
The privileges inherited on \fBexec\fR.
.RE

.sp
.ne 2
.na
\fBP, the permitted set\fR
.ad
.RS 26n
The maximum set of privileges for the process.
.RE

.sp
.ne 2
.na
\fBE, the effective set\fR
.ad
.RS 26n
The privileges currently in effect.
.RE

.sp
.ne 2
.na
\fBL, the limit set\fR
.ad
.RS 26n
The upper bound of the privileges a process and its offspring can obtain.
Changes to L take effect on the next \fBexec\fR.
.RE

.sp
.LP
The sets I, P and E are typically identical to the basic set of privileges for
unprivileged processes. The limit set is typically the full set of privileges.
.sp
.LP
Each process has a Privilege Awareness State (PAS) that can take the value PA
(privilege-aware) and NPA (not-PA). PAS is a transitional mechanism that allows
a choice between full compatibility with the old superuser model and completely
ignoring the effective UID.
.sp
.LP
To facilitate the discussion, we introduce the notion of "observed effective
set" (oE) and "observed permitted set" (oP) and the implementation sets iE and
iP.
.sp
.LP
A process becomes privilege-aware either by manipulating the effective,
permitted, or limit privilege sets through \fBsetppriv\fR(2) or by using
\fBsetpflags\fR(2). In all cases, oE and oP are invariant in the process of
becoming privilege-aware. In the process of becoming privilege-aware, the
following assignments take place:
.sp
.in +2
.nf
iE = oE
iP = oP
.fi
.in -2

.sp
.LP
When a process is privilege-aware, oE and oP are invariant under UID changes.
When a process is not privilege-aware, oE and oP are observed as follows:
.sp
.in +2
.nf
oE = euid == 0 ? L : iE
oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
.fi
.in -2

.sp
.LP
When a non-privilege-aware process has an effective UID of 0, it can exercise
the privileges contained in its limit set, the upper bound of its privileges.
If a non-privilege-aware process has any of the UIDs 0, it appears to be
capable of potentially exercising all privileges in L.
.sp
.LP
It is possible for a process to return to the non-privilege aware state using
\fBsetpflags()\fR. The kernel always attempts this on \fBexec\fR(2). This
operation is permitted only if the following conditions are met:
.RS +4
.TP
.ie t \(bu
.el o
If any of the UIDs is equal to 0, P must be equal to L.
.RE
.RS +4
.TP
.ie t \(bu
.el o
If the effective UID is equal to 0, E must be equal to L.
.RE
.sp
.LP
When a process gives up privilege awareness, the following assignments take
place:
.sp
.in +2
.nf
if (euid == 0) iE = L & I
if (any uid == 0) iP = L & I
.fi
.in -2

.sp
.LP
The privileges obtained when not having a UID of \fB0\fR are the inheritable
set of the process restricted by the limit set.
.sp
.LP
Only privileges in the process's (observed) effective privilege set allow the
process to perform restricted operations. A process can use any of the
privilege manipulation functions to add or remove privileges from the privilege
sets. Privileges can be removed always. Only privileges found in the permitted
set can be added to the effective and inheritable set. The limit set cannot
grow. The inheritable set can be larger than the permitted set.
.sp
.LP
When a process performs an \fBexec\fR(2), the kernel first tries to relinquish
privilege awareness before making the following privilege set modifications:
.sp
.in +2
.nf
E' = P' = I' = L & I
L is unchanged
.fi
.in -2

.sp
.LP
If a process has not manipulated its privileges, the privilege sets effectively
remain the same, as E, P and I are already identical.
.sp
.LP
The limit set is enforced at \fBexec\fR time.
.sp
.LP
To run a non-privilege-aware application in a backward-compatible manner, a
privilege-aware application should start the non-privilege-aware application
with I=basic.
.sp
.LP
For most privileges, absence of the privilege simply results in a failure. In
some instances, the absense of a privilege can cause system calls to behave
differently. In other instances, the removal of a privilege can force a set-uid
application to seriously malfunction. Privileges of this type are considered
"unsafe". When a process is lacking any of the unsafe privileges from its limit
set, the system does not honor the set-uid bit of set-uid root applications.
The following unsafe privileges have been identified: \fBproc_setid\fR,
\fBsys_resource\fR and \fBproc_audit\fR.
.SS "Privilege Escalation"
.sp
.LP
In certain circumstances, a single privilege could lead to a process gaining
one or more additional privileges that were not explicitly granted to that
process. To prevent such an escalation of privileges, the security policy
requires explicit permission for those additional privileges.
.sp
.LP
Common examples of escalation are those mechanisms that allow modification of
system resources through "raw'' interfaces; for example, changing kernel data
structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR.
Escalation also occurs when a process controls processes with more privileges
than the controlling process. A special case of this is manipulating or
creating objects owned by UID 0 or trying to obtain UID 0 using
\fBsetuid\fR(2). The special treatment of UID 0 is needed because the UID 0
owns all system configuration files and ordinary file protection mechanisms
allow processes with UID 0 to modify the system configuration. With appropriate
file modifications, a given process running with an effective UID of 0 can gain
all privileges.
.sp
.LP
In situations where a process might obtain UID 0, the security policy requires
additional privileges, up to the full set of privileges. Such restrictions
could be relaxed or removed at such time as additional mechanisms for
protection of system files became available. There are no such mechanisms in
the current Solaris release.
.sp
.LP
The use of UID 0 processes should be limited as much as possible. They should
be replaced with programs running under a different UID but with exactly the
privileges they need.
.sp
.LP
Daemons that never need to \fBexec\fR subprocesses should remove the
\fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets.
.SS "Assigned Privileges and Safeguards"
.sp
.LP
When privileges are assigned to a user, the system administrator could give
that user more powers than intended. The administrator should consider whether
safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR
privilege is given to a user, the administrator should consider setting the
\fBproject.max-locked-memory\fR resource control as well, to prevent that user
from locking all memory.
.SS "Privilege Debugging"
.sp
.LP
When a system call fails with a permission error, it is not always immediately
obvious what caused the problem. To debug such a problem, you can use a tool
called \fBprivilege debugging\fR. When privilege debugging is enabled for a
process, the kernel reports missing privileges on the controlling terminal of
the process. (Enable debugging for a process with the \fB-D\fR option of
\fBppriv\fR(1).) Additionally, the administrator can enable system-wide
privilege debugging by setting the \fBsystem\fR(4) variable \fBpriv_debug\fR
using:
.sp
.in +2
.nf
set priv_debug = 1
.fi
.in -2

.sp
.LP
On a running system, you can use \fBmdb\fR(1) to change this variable.
.SS "Privilege Administration"
.sp
.LP
The Solaris Management Console (see \fBsmc\fR(1M)) is the preferred method of
modifying privileges for a command. Use \fBusermod\fR(1M) or \fBsmrole\fR(1M)
to assign privileges to or modify privileges for, respectively, a user or a
role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
\fBtruss\fR(1) to determine which privileges a program requires.
.SH SEE ALSO
.sp
.LP
\fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M),
\fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M),
\fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2),
\fBaccess\fR(2), \fBacct\fR(2), \fBacl\fR(2), \fBadjtime\fR(2), \fBaudit\fR(2),
\fBauditon\fR(2), \fBchmod\fR(2), \fBchown\fR(2), \fBchroot\fR(2),
\fBcreat\fR(2), \fBexec\fR(2), \fBfcntl\fR(2), \fBfork\fR(2),
\fBfpathconf\fR(2), \fBgetacct\fR(2), \fBgetpflags\fR(2), \fBgetppriv\fR(2),
\fBgetsid\fR(2), \fBkill\fR(2), \fBlink\fR(2), \fBmemcntl\fR(2),
\fBmknod\fR(2), \fBmount\fR(2), \fBmsgctl\fR(2), \fBnice\fR(2),
\fBntp_adjtime\fR(2), \fBopen\fR(2), \fBp_online\fR(2), \fBpriocntl\fR(2),
\fBpriocntlset\fR(2), \fBprocessor_bind\fR(2), \fBpset_bind\fR(2),
\fBpset_create\fR(2), \fBreadlink\fR(2), \fBresolvepath\fR(2), \fBrmdir\fR(2),
\fBsemctl\fR(2), \fBsetauid\fR(2), \fBsetegid\fR(2), \fBseteuid\fR(2),
\fBsetgid\fR(2), \fBsetgroups\fR(2), \fBsetpflags\fR(2), \fBsetppriv\fR(2),
\fBsetrctl\fR(2), \fBsetregid\fR(2), \fBsetreuid\fR(2), \fBsetrlimit\fR(2),
\fBsettaskid\fR(2), \fBsetuid\fR(2), \fBshmctl\fR(2), \fBshmget\fR(2),
\fBshmop\fR(2), \fBsigsend\fR(2), \fBstat\fR(2), \fBstatvfs\fR(2),
\fBstime\fR(2), \fBswapctl\fR(2), \fBsysinfo\fR(2), \fBuadmin\fR(2),
\fBulimit\fR(2), \fBumount\fR(2), \fBunlink\fR(2), \fButime\fR(2),
\fButimes\fR(2), \fBbind\fR(3SOCKET), \fBdoor_ucred\fR(3C),
\fBpriv_addset\fR(3C), \fBpriv_set\fR(3C), \fBpriv_getbyname\fR(3C),
\fBpriv_getbynum\fR(3C), \fBpriv_set_to_str\fR(3C), \fBpriv_str_to_set\fR(3C),
\fBsocket\fR(3SOCKET), \fBt_bind\fR(3NSL), \fBtimer_create\fR(3C),
\fBucred_get\fR(3C), \fBexec_attr\fR(4), \fBproc\fR(4), \fBsystem\fR(4),
\fBuser_attr\fR(4), \fBxVM\fR(5), \fBddi_cred\fR(9F), \fBdrv_priv\fR(9F),
\fBpriv_getbyname\fR(9F), \fBpriv_policy\fR(9F), \fBpriv_policy_choice\fR(9F),
\fBpriv_policy_only\fR(9F)
.sp
.LP
\fISystem Administration Guide: Security Services\fR