System Administration Guide: Security Services

Procedure: How to Limit a User's or Role's Privileges

You can limit the privileges that are available to a user or role by reducing the basic set, or by reducing the limit set. The basic set is the set of privileges that the user's processes start with at login; the limit set is the upper bound that no process in the session can exceed, and a process can only shrink it, never enlarge it. You should have good reason to limit a user's privileges in this way, because such limitations can have unintended side effects: a removed privilege affects every command the user runs, not only the one you had in mind.


Caution –

Thoroughly test the capabilities of any user whose basic set or limit set has been modified.


  1. Determine the privileges in a user's basic set and limit set.

    For the procedure, see How to Determine the Privileges on a Process.

  2. (Optional) Remove one of the privileges from the basic set.


    $ usermod -K defaultpriv=basic,!priv-name username
    

    By removing the proc_session privilege, you prevent the user from examining any processes outside the user's current session. By removing the file_link_any privilege, you prevent the user from making hard links to files that are not owned by the user. usermod writes the user_attr database, so run it as root or from a role that includes the User Management rights profile. The change applies to the user's next login; sessions that are already running keep their current privilege sets.


    Caution –

    Do not remove the proc_fork or the proc_exec privilege. Without them, the user's login shell could not start any command, so the user would be unable to use the system. These two privileges are reasonably removed only from daemons that must never fork() or exec() other processes.


  3. (Optional) Remove one of the privileges from the limit set.


    $ usermod -K limitpriv=all,!priv-name username
    
  4. Test the capabilities of username.

    Log in as username, run ppriv $$ to confirm that the privilege is absent from the shell's sets, and then try to perform the tasks that username must perform on the system. If a task fails, rerun it as ppriv -e -D command to have the kernel report which privilege check failed.


Example 11–7 Removing Privileges From a User's Limit Set

In the following example, all sessions that originate from jdoe's initial login are prevented from using the sys_linkdir privilege. That is, the user cannot make hard links to directories, nor can the user unlink directories, even after the user runs the su command.


$ usermod -K limitpriv=all,!sys_linkdir jdoe
$ grep jdoe /etc/user_attr
jdoe::::type=normal;defaultpriv=basic;limitpriv=all,!sys_linkdir


Example 11–8 Removing Privileges From a User's Basic Set

In the following example, all sessions that originate from jdoe's initial login are prevented from using the proc_session privilege. That is, the user cannot examine any processes outside the user's session, even after the user runs the su command.


$ usermod -K defaultpriv=basic,!proc_session jdoe

$ grep jdoe /etc/user_attr
jdoe::::type=normal;defaultpriv=basic,!proc_session;limitpriv=all