Securing Users and Processes in Oracle® Solaris 11.2

Exit Print View

 
Updated: July 2014
 
 

Listing Privileges

  • man privileges – Lists privilege definitions and their names as they are used by developers

  • ppriv -vl – Lists privilege definitions and their names as they are used by administrators

  • ppriv -vl basic – Lists names and definitions of privileges in the basic set of privileges

  • ppriv $$ – Lists the privileges in the current shell ($$)

  • getent exec_attr – Lists all commands that have security attributes (setuid or privileges) by rights profile name

$ getent exec_attr | more
All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
...
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0 ...
Example 6-12  Listing All Privileges and Their Definitions

The privilege format described in the privileges (5) man page is used by developers.

$ man privileges
Standards, Environments, and Macros                 privileges(5)

NAME
     privileges - process privilege model
...
     The defined privileges are:

     PRIV_CONTRACT_EVENT

         Allow a process to request reliable delivery  of  events
         to an event endpoint.

         Allow a process to include events in the critical  event
         set  term  of  a  template  which  could be generated in
         volume by the user.
...
Example 6-13  Listing Privileges That Are Used in Privilege Assignment

The ppriv command lists all privileges by name. For a definition, use the –v option.

This privilege format is used to assign privileges to users and roles with the useradd, roleadd, usermod, and rolemod commands, and to rights profiles with the profiles command.

$ ppriv -lv | more
contract_event
	Allows a process to request critical events without limitation.
	Allows a process to request reliable delivery of all events on
	any event queue.
...
win_upgrade_sl
        Allows a process to set the sensitivity label of a window
        resource to a sensitivity label that dominates the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.
Example 6-14  Listing the Privileges in Your Current Shell

Every user is assigned the basic privilege set by default. The default limit set is all privileges.

The single letters in the output refer to the following privilege sets:

E

Effective privilege set

I

Inheritable privilege set

P

Permitted privilege set

L

Limit privilege set

$ ppriv $$
1200:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
$ ppriv -v $$
1200:   -bash
flags = <none>
	E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_session,sys_ib_info
	I: file_link_any,file_read,...,sys_ib_info
	P: file_link_any,file_read,...,sys_ib_info
	L: contract_event,contract_identity,...,sys_time

The double dollar sign ($$) passes the process number of the parent shell to the command. This listing does not include privileges that are restricted to commands in an assigned rights profile.

Example 6-15  Listing the Basic Privileges and Their Definitions 
$ ppriv -vl basic
file_link_any
	Allows a process to create hardlinks to files owned by a uid
	different from the process' effective uid.
file_read
	Allows a process to read objects in the filesystem.
file_write
	Allows a process to modify objects in the filesystem.
net_access
	Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
proc_exec
	Allows a process to call execve().
proc_fork
	Allows a process to call fork1()/forkall()/vfork()
proc_info
	Allows a process to examine the status of processes other
	than those it can send signals to.  Processes which cannot
	be examined cannot be seen in /proc and appear not to exist.
proc_session
	Allows a process to send signals or trace processes outside its
	session.
sys_ib_info
	Allows a process to perform read InfiniBand MAD (Management Datagram)
	operations.
Example 6-16  Listing the Commands With Security Attributes in Your Rights Profiles

The Basic Solaris User profile includes commands that enable users to read and write to CD-ROMs.

$ profiles -l
  Basic Solaris User
...
   /usr/bin/cdrecord.bin   privs=file_dac_read,sys_devices,
     proc_lock_memory,proc_priocntl,net_privaddr
   /usr/bin/readcd.bin     privs=file_dac_read,sys_devices,net_privaddr
   /usr/bin/cdda2wav.bin   privs=file_dac_read,sys_devices,
     proc_priocntl,net_privaddr
  All
   *
Copyright © 2002, 2014, Oracle and/or its affiliates. All rights reserved. Legal Notices
Previous
Next