Assigning Privileges

Privileges can be forced on an object, or can be inherited by child processes. Therefore, the Security Administrator role has two ways to assign privilege:

By giving forced privileges to the executable file itself (for commands only).
By assigning inheritable privileges to a command or action in a rights profile.

When the command is executed in one of the shells that understands profiles (either the profile shells described in the pfexec(1) man page or the system shell, as described on the sysh(1M) man page, it executes with privilege. When an action is launched by a trusted process in the window system, it executes with privilege.

Previous: Trusted Libraries
Next: Giving Forced Privileges to an Executable File