privileges(5)privileges(5)NAMEprivileges - description of HP-UX privilegesDESCRIPTION
The operating system has traditionally used an "all or nothing" privi‐
lege model, where root users (those with effective such as the user
named have virtually unlimited power, and other users have few or no
special privileges.
System administrators often need to delegate limited powers to other
users. HP-UX provides several ways to do this. Because these mecha‐
nisms permit users other than root users to perform certain privileged
operations, HP-UX documentation often uses terms such as "privileged
user" or "user who has appropriate privileges" instead of "root user"
when describing who is permitted to perform an operation.
In the absence of a more specific description of the privileges neces‐
sary to perform an operation (typically available in the man page for
that operation), you can generally assume that root users are suitably
privileged.
Legacy Delegation Methods
HP-UX has used several methods of delegating limited powers, including
restricted the privilege groups described in privgrp(5), the file
described in shutdown(1M), and the file described in crontab(1).
Fine-Grained Privileges
The HP-UX fine-grained privilege model splits the powers of root users
into a set of privileges. Each privilege grants a process that pos‐
sesses that privilege the right to a certain set of restricted services
provided by the kernel. Privileges can be managed internally by a
process with "privilege bracketing". Privilege bracketing is the prac‐
tice of enabling, or "raising", a privilege only while the privilege is
needed, then disabling, or "lowering", the privilege. The privileges
that a process has raised determine which sensitive system call ser‐
vices the process can invoke.
Legacy Privileges
Legacy privileges are those privileges originally defined in priv‐
grp(5). All of the privileges from that set except have been incorpo‐
rated into fine-grained privileges:
PRIV_CHOWN PRIV_FSSTHREAD PRIV_LOCKRDONLY PRIV_MLOCK
PRIV_MPCTL PRIV_PSET PRIV_RTPRIO PRIV_RTSCHED
PRIV_SERIALIZE PRIV_SPUCTL
Basic Privileges
Basic privileges are granted by default to all processes. The basic
privileges are the set of the following:
PRIV_EXEC PRIV_FORK PRIV_LINKANY PRIV_SESSION
Root Replacement Privileges
Root replacement privileges are the privileges that provide the powers
associated with a process that has an effective user ID of zero. The
root replacement privileges are the following:
PRIV_ACCOUNTING PRIV_AUDCONTROL PRIV_CHOWN PRIV_CHROOT
PRIV_CHSUBJIDENT PRIV_DACREAD PRIV_DACWRITE PRIV_DEVOPS
PRIV_DLKM PRIV_FSINTEGRITY PRIV_FSS PRIV_FSSTHREAD
PRIV_LIMIT PRIV_LOCKRDONLY PRIV_MKNOD PRIV_MLOCK
PRIV_MOUNT PRIV_MPCTL PRIV_NETADMIN PRIV_NETPRIVPORT
PRIV_NETPROMISCUOUS PRIV_NETRAWACCESS PRIV_OBJSUID PRIV_OWNER
PRIV_PSET PRIV_REBOOT PRIV_RTPRIO PRIV_RTSCHED
PRIV_RTPSET PRIV_SELFAUDIT PRIV_SERIALIZE PRIV_SPUCTL
PRIV_SYSATTR PRIV_SYSNFS
These privileges are granted by default to any process with an effec‐
tive user ID of zero.
If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is
installed on the system, the and privileges are each divided into two
privileges. By using the new privileges, a process can now allow a sub‐
set of the operations while disallowing the other.
The privilege is divided into and The privilege is divided into and The
privilege is divided into and
To maintain backward compatibility, each string representation of and
becomes a compound privilege. The numeric representation is redefined
to one of the new privileges, which now provides only a subset of the
capabilities that the compound privileges used to offer.
For example, if the HP-UX ContainmentPlus product (version B.11.31.02
or later) is not installed on the system, the privilege is required to
call functions and Therefore, a process that has the privilege can call
both functions. If the HP-UX ContainmentPlus product (version
B.11.31.02 or later) is installed on the system, the compound privilege
is divided into two privileges: and The privilege is required to call
the function while the privilege is required to call the function.
Therefore, if the HP-UX ContainmentPlus product (version B.11.31.02 or
later) is installed on the system, a process that has the privilege can
call the function but cannot call the function. At the same time, if
the HP-UX ContainmentPlus product (version B.11.31.02 or later) is not
installed on the system, the numeric representation for the privilege
is 60. If the HP-UX ContainmentPlus product (version B.11.31.02 or
later) is installed on the system, the numeric representation for the
privilege is also 60. Although they have the same numeric representa‐
tion, the new privilege only offers a subset of the capabilities (for
example, call than what used to offer (for example, call and
Policy Override Privileges
Policy override privileges override compartment rules. There are four
policy override privileges:
PRIV_CHANGECMPT PRIV_CMPTREAD PRIV_CMPTWRITE PRIV_COMMALLOWED.
These privileges are not granted by default to processes with an effec‐
tive user ID of zero. These privileges only apply to compartments fea‐
ture (see compartments(5) and cmpt_tune(1M) to determine if this fea‐
ture is enabled). These privileges comprise part of the set of privi‐
leges in the compound privilege
Policy Configuration Privileges
Policy configuration privileges control how privileges are configured.
There are two such privileges, and These privileges are not granted by
default to processes with an effective user ID of zero. These privi‐
leges comprise part of the set of privileges in the compound privilege
Process Attribute Privileges
Process attribute privileges are privileges only in the sense that they
are manipulated like other privileges. is the only member of this set.
This privilege is not granted by default to processes with an effective
user ID of zero.
Compound Privileges
Compound privileges are a shorthand way of specifying a predefined set
of simple privileges. These compound privileges are subject to redefi‐
nition in future releases to allow for the creation of new privileges.
The compound privileges are defined as follows:
Refers to the Basic Privileges.
Refers to the union of Basic Privileges and Root Replacement
Privileges.
Refers to the Policy Override Privileges and the Policy
Configuration Privileges.
If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is
installed on the system, and becomes compound privileges defined as
follows:
Refers to the union of the privilege controlling core system
attributes
and the privilege controlling host-related
attributes.
Refers to the union of the privilege controlling file system
mounting/unmounting and the privilege controlling
swap space.
Refers to the union of the privilege controlling devices
and pseudo terminals.
Privilege Descriptions
The following list specifies privilege names and their primary purpose.
Allows a process to control the process accounting system (see
acct(2)).
Allows a process to start, modify, and stop the auditing system.
Grants a process the ability to change its compartment.
(See compartments(5) and cmpt_tune(1M) to determine if
this extended feature is enabled.)
Allows a process to grant privileges to binaries.
Allows access to the
system calls (see chown(2)).
Allows a process to change its root directory.
Allows a process to change it UIDs, GIDs, and group lists.
Also allows a process to a file and leave the suid or
sgid bits set on the file, if present.
Allows a process to open a file or directory for reading, exe‐
cuting
(in the case of a file), or searching (in the case of a
directory), bypassing compartment rules that would other‐
wise not permit the operation. (See compartments(5) and
cmpt_tune(1M) to determine if this extended feature is
enabled.)
Allows a process to write into a file or directory,
bypassing compartment rules that would otherwise not per‐
mit the operation. (See compartments(5) and
cmpt_tune(1M) to determine if this extended feature is
enabled.)
Allows a process to override compartment rules in the IPC and
networking
subsystems. (See compartments(5) and cmpt_tune(1M) to
determine if this extended feature is enabled.)
Enables a process to manage system attributes including the
setting of tunables, and modifying user quotas.
This privilege is valid only when the HP-UX Containment‐
Plus product (version B.11.31.02 or later) is installed
on the system.
Allows the process to override all discretionary read, execute,
and
search access restrictions. See for more information.
Allows the process to override all discretionary write access
restrictions.
See for more information.
Allows the process to do device specific administrative opera‐
tions, such as
tape or disk formatting.
If the HP-UX ContainmentPlus product (version B.11.31.02
or later) is installed on the system, becomes a compound
privilege, which includes and
Allows a process to load a kernel module (see
modload(2)), get information about a loaded kernel module
(see modstat(2)), and change the global search path for
dynamically loadable kernel modules (see modpath(2)).
Allows a process to call
(see exec(2)) family calls.
Allows a process to create additional processes (using
and
Allows a process to perform disk operations such as removing or
modifying the
size or boundaries of disk partitions, or to import and
export an LVM volume group across the system.
Allows a process to mount and unmount a file system using the
and system calls. See mount(2) and umount(2).
This privilege is valid only when the HP-UX Containment‐
Plus product (version B.11.31.02 or later) is installed
on the system.
Reserved.
Reserved.
Enables a process to modify the host name and domain name.
This privilege is valid only when the HP-UX Containment‐
Plus product (version B.11.31.02 or later) is installed
on the system.
Allows a process to set resource and priority limits beyond the
maximum
limit values (see setrlimit(2) or nice(2)).
Reserved.
Permits the use of the
system call for setting locks on files open for reading
only (see lockf(2)).
Allows a process to create character or block special files
using the
system call (see mknod(2)).
Allows access to the
system call (see plock(2)).
Allows a process to control swap space, mount, and unmount a
file system using the
and system calls. See mount(2) and umount(2).
If the HP-UX ContainmentPlus product (version B.11.31.02
or later) is installed on the system, becomes a compound
privilege, which includes and
Permits the use of the
system call for changing processor binding, locality
domain binding or launch policy of a process (see
mpctl(2)).
Allows a process to perform network administrative operations
including
configuring the network routing tables and querying
interface information.
Allows a process to bind to a privileged port.
By default, port numbers are privileged ports.
Enables a process to configure an interface to listen in
promiscuous mode.
Allows a process to access the raw internet network protocols.
Allows a process to set the suid or sgid bits on any file if
they also
have the privilege. Additionally, allows a process to
change the ownership of a file without clearing the suid
or sgid bits, provided that the process is allowed to
change the ownership of the file.
Allows a process to override all restrictions with respect to
UID matching
the owner of the file or resource. See for more informa‐
tion.
Allows change to the system pset configuration
(see pset_create(2)).
Allows the process to do administrative operations that are pse‐
duo terminal specific.
This privilege is valid only when the HP-UX Containment‐
Plus product (version B.11.31.02 or later) is installed
on the system.
Allows the process to do device administrative operations that
are non-pseudo terminal specific.
This privilege is valid only when the HP-UX Containment‐
Plus product (version B.11.31.02 or later) is installed
on the system.
Allows a process to perform reboot operations.
Allows access to the
system call (see rtprio(2)).
Allows a process to control RTE psets
(see __pset_rtctl(2)).
Allows access to the
and to set POSIX.4 real-time priorities (see rtsched(2)).
Allows a process to add and modify compartment rules on the sys‐
tem.
(See compartments(5) and cmpt_tune(1M) to determine if
this extended feature is enabled.)
Allows a process to generate auditing records for itself using
the
system call (see audwrite(2)).
Allows a process to manage swap space using the
system call (see swapctl(2)).
This privilege is valid only when the HP-UX Containment‐
Plus product (version B.11.31.02 or later) is installed
on the system.
Permits the use of
for forcing the target process to run serially with other
processes that are also marked by this system call (see
serialize(2)).
Permits creation of a new session (see
setsid(2)), and setpgrp(2)).
Permits certain administrative operations in the
Instant Capacity product for deactivation and reactiva‐
tion of processors. See the Instant Capacity documenta‐
tion for more information.
Enables a process to manage system attributes including the
setting of tunables, and modifying the host name, domain
name, and user quotas.
If the HP-UX ContainmentPlus product (version B.11.31.02
or later) is installed on the system, PRIV_SYSATTR
becomes a compound privilege, which includes and
Allows a process to perform NFS operations like exporting a file
system, the
system call (see getfh(2)), NFS file locking, revoking
NFS authentication, and creating an NFS kernel daemon
thread.
Allows a process to log trial mode information to the
file. See below.
Programming with Privileges
When programming with privileges, the name associated with each privi‐
lege is the same as the name presented here with the string prefixed
(that is, use the symbolic constant in the source code). In commands
associated with privileges, the names are used without the prefix,
although most commands may also recognize the names with the prefix.
The compound privileges and are designed to ease development of appli‐
cations that retain their functionality even though the underlying
privileges changes. An application that requires compatibility--even
when the underlying set of privileges changes--ought to ensure that it
does not accidentally drop a new privilege that was added since it was
developed. For example, this can be done by dropping specific privi‐
leges from the effective set using (see priv_remove(3)) or by ensuring
that the compound privileges are used as argument to (see
priv_set_effective(3)).
Associating Privileges with Binaries
Applications that depend on the use of privileges must be registered
using the command (see setfilexsec(1M)). For an alternate method of
granting privileges, see privrun(1M)).
Depending on what kind of restricted tasks an application performs, the
application can raise the corresponding privilege needed before doing
the task and then lower the privilege after completing the task. This
practice is called privilege bracketing. It is recommended that a
process run with the smallest possible privilege set at any given time.
Associating Privileges with Processes
Each process has three privilege sets associated with it. These sets
are as follows:
The maximum set of privileges that a process can raise.
The process can remove any privilege from this set, but
cannot add a privilege to this set. The privileges from
this set can be added to the effective privilege set of
the process. This set is also often referred to as the
Potential Privilege Set.
The set of privileges that are currently active for the process.
A process can modify this set to keep only the necessary
privileges in this set at any given time. Any privilege
in this set can be removed, but only privileges in the
process' permitted privilege set can be added. A
process' Effective Privilege Set is always a subset of
its Permitted Privilege Set.
The set of privileges retained when a process calls
(see execve(2)). The process can remove any privilege
from this set, but cannot add any privilege to this set.
A process' Retained Privilege Set is always a subset of
the Permitted Privilege Set.
These sets can be managed using library calls specified in functions
and (See priv_add_effective(3), priv_remove(3), and priv_get(3)).
Discretionary Restrictions
Discretionary restrictions are the restrictions imposed by the tradi‐
tional file mode access permissions. Thus, the privileges and allow
read, search, execute, and write operations to proceed even if the file
mode permissions forbid it. The privilege allows a process that is not
the owner of a file or directory to remove the file or directory whose
parent directory has the sticky bit set. The privilege also allows a
process that is not the owner of a System V IPC message queue, sema‐
phore set, or shared memory segment, to remove, change ownership of, or
change permission bits for that object.
Trial Mode
This is a facility provided by the system to aid in reporting the list
of privileges that a process has used during its lifetime. A developer
can use this feature to verify what privileges an application needs to
operate. When a process with this privilege attempts to use any privi‐
lege (by making a system call that uses that privilege), an entry is
logged to which, when taken together, is a list of privileges used.
Compatibility
A process with an effective user ID of zero is, by default, treated as
possessing root replacement privileges. The compartmentalization fea‐
ture may further restrict this interpretation of effective user ID such
that the process is treated as though it has only a specified subset of
root replacement privileges. For more details, see the description of
"Process Limitation Rules" in compartments(4).
More formally, a process is said to observe a privilege if and only if
one or more of the following conditions hold:
· The privilege is present in its effective privilege set, or
· The privilege is a root replacement privilege, effective uid
of the process is zero, and compartmentalization is not
enabled, or
· The privilege is a root replacement privilege, effective uid
of the process is zero, compartmentalization is enabled, and
the privilege is not a disallowed privilege in the process's
compartment.
SYSTEM PRIVILEGE REQUIREMENTS
This section provides tables that list the privileges that may be
required where the corresponding man pages specifies "appropriate priv‐
ileges" to perform certain operations or to operate in certain condi‐
tions. For each system call, the table lists what privileges can
potentially affect system call's behavior,
The subsections also include other functions and areas of interest.
These tables list the privileges that may be required where the indi‐
vidual man pages specifies "appropriate privileges" to perform certain
operations or to operate in certain conditions.
Several system calls are accessible by privileged and unprivileged
applications. For example, the system call (see kill(2)), when used by
a process without the privilege, can send a signal only to processes
whose UIDs match the sending process' own UID.
Some general guidelines apply to working with hardware-related system
calls.
· Many hardware devices need the privilege in addition to any
privileges needed by the specific system calls used.
· Networking and streams may need the and/or privileges in
addition to other privileges, depending on what you are
attempting to do. For example, the command requires the
privilege (see exportfs(1M)). The and library calls require
the privilege (possibly in addition to other privileges).
(See fdetach(3) and fattach(3C)).
Privileges for the pstat System Call
The system call typically needs the privilege when operating on pro‐
cesses outside the calling process's compartment (see pstat(2)). How‐
ever, because this system call works in so many areas, some of the
functions of this call may require other privileges. The following is
a list of those functions and the privileges they require:
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_COMMALLOWED, PRIV_OWNER
Privileges for Security Containment
Some commands related to Security Containment make use of certain priv‐
ileges that are not used in other contexts:
PRIV_CHANGEFILEXSEC, PRIV_CMPTREAD, PRIV_CMPTWRITE,
PRIV_DACREAD, PRIV_DACWRITE
PRIV_RULESCONFIG
Additionally, some library calls related to Security Containment make
use of security specific privileges:
PRIV_CHANGECMPT
PRIV_COMMALLOWED
PRIV_RULESCONFIG
PRIV_RULESCONFIG
PRIV_COMMALLOWED
PRIV_COMMALLOWED
Privileges for System Calls
The following table lists system calls and the privileges they may
need. Some of these are dependent on what system object they are act‐
ing on (for example, files in another compartment), the state of the
system (for example, if the maximum number of open files has been
reached), or other conditions.
PRIV_PSET, PRIV_RTPSET
PRIV_LIMIT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
PRIV_ACCOUNTING
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_OWNER
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_AUDCONTROL
PRIV_SELFAUDIT
PRIV_SELFAUDIT
PRIV_SELFAUDIT
PRIV_NETPRIVPORT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER
PRIV_CHOWN, PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER
PRIV_CHROOT, PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_COMMALLOWED
PRIV_DEVOPS
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_LIMIT, PRIV_OBJSUID, PRIV_OWNER
PRIV_LIMIT
PRIV_LIMIT
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_EXEC
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_OBJSUID, PRIV_OWNER
PRIV_CHOWN, PRIV_OWNER
PRIV_FORK, PRIV_LIMIT
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_OBJSUID, PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SELFAUDIT
PRIV_SELFAUDIT
PRIV_AUDCONTROL
PRIV_SYSNFS
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_COMMALLOWED
PRIV_FSINTEGRITY, PRIV_SYSATTR, PRIV_DEVOPS, PRIV_NETADMIN,
PRIV_NETPROMISCUOUS, PRIV_NETRAWACCESS
and more. Generally the privileges
required for an depend on the driver
and type of
PRIV_COMMALLOWED, PRIV_OWNER, PRIV_REBOOT
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_FSINTEGRITY
PRIV_LOCKRDONLY
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD,
PRIV_DACWRITE, PRIV_LIMIT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_LIMIT,
PRIV_MKNOD
PRIV_MLOCK
PRIV_MLOCK
PRIV_DEVOPS or PRIV_RDEVOPS
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_DLKM
PRIV_DLKM
PRIV_DLKM
PRIV_DLKM
PRIV_CMPTREAD, PRIV_DACREAD,
PRIV_MOUNT or PRIV_FSMOUNT, PRIV_OWNER
PRIV_COMMALLOWED, PRIV_MPCTL
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT,
PRIV_OWNER
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_DACREAD
PRIV_COMMALLOWED, PRIV_DACWRITE
PRIV_MLOCK
PRIV_MLOCK
PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_LIMIT
PRIV_LIMIT
PRIV_MLOCK
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_COMMALLOWED, [PRIV_OWNER]; see
for more information.
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_SYSATTR
or PRIV_CORESYSATTR
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_REBOOT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_OWNER
PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTPRIO
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED
PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED
PCIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER
PRIV_COMMALLOWED
PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED
PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED
PRIV_SERIALIZE
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SELFAUDIT
PRIV_SELFAUDIT
PRIV_SYSATTR or PRIV_HOSTATTR
PRIV_AUDCONTROL
PRIV_CHSUBJIDENT
PRIV_CHSUBJIDENT
PRIV_SYSATTR or PRIV_HOSTATTR
PRIV_SESSION
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_CHSUBJIDENT
PRIV_CHSUBJIDENT
PRIV_CHSUBJIDENT
PRIV_LIMIT
PRIV_SESSION
PRIV_NETBROADCAST; varies depending on the option used.
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_CHSUBJIDENT
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
PRIV_CMPTWRITE, PRIV_DACWRITE, PRIV_OWNER
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_MLOCK,
PRIV_OWNER
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_LIMIT
PRIV_LIMIT
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_MOUNT or PRIV_SWAPCTL
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_LIMIT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_OBJSUID,
PRIV_OWNER
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_LIMIT
PRIV_MOUNT or PRIV_FSMOUNT,
PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_FSINTEGRITY, PRIV_OWNER
PRIV_SYSATTR or PRIV_CORESYSATTR
PRIV_OWNER
PRIV_MOUNT or PRIV_FSMOUNT
PRIV_LIMIT
WARNINGS
Product documentation, as discussed above, describes alternate ways
that programs or users can obtain sufficient privileges to perform
restricted operations.
Network Issues
Privileges are not propagated across distributed systems. They are
applied only on the local system. For example, a process with or can‐
not access a file on another system if it is necessary to override dis‐
cretionary restrictions to do so.
For example, if the system's NFS subsystem is configured to translate
the user ID zero to the user ID it still does so. Also, some system
daemons check to see if a connection originates from a privileged port
(typically to determine whether to allow or deny the connection. This
behavior is not and should not be altered.
Privilege Escalation
In certain situations, a single privilege or set of privileges can lead
to a process gaining additional privileges that were not explicitly
granted. This is known as privilege escalation.
For example, a user with the privilege alone may overwrite critical
operating system files and, in the process, may grant himself addi‐
tional privileges beyond
SEE ALSOcrontab(1), sam(1M), setfilexsec(1M), setrules(1M), shutdown(1M),
acct(2), audwrite(2), execve(2), getfh(2), mknod(2), modload(2), mod‐
path(2), modstat(2), mount(2), nice(2), setrlimit(2), priv_add_effec‐
tive(3), priv_remove(3), privileges(3), compartments(4), compart‐
ments(5), privgrp(5), glossary(9).
privileges(5)
