Privileged Applications
A privileged application is an application that can override system controls and check for specific user IDs (UIDs), group IDs (GIDs), authorizations, or privileges. These access control elements are assigned by system administrators. For a general discussion of how administrators use these access control elements, see Chapter 8, Using Roles and Privileges (Overview), in System Administration Guide: Security Services.
The Solaris OS provides developers with two elements that enable a finer-grained delegation of privileges:
-
Privileges – A privilege is a discrete right that can be granted to an application. With a privilege, a process can perform an operation that would otherwise be prohibited by the Solaris OS. For example, processes cannot normally open data files without the proper file permission. The file_dac_read privilege provides a process with the ability to override the UNIX file permissions for reading a file. Privileges are enforced at the kernel level.
-
Authorizations – An authorization is a permission for performing a class of actions that are otherwise prohibited by security policy. An authorization can be assigned to a role or user. Authorizations are enforced at the user level.
The difference between authorizations and privileges has to do with the level at which the policy of who can do what is enforced. Privileges are enforced at the kernel level. Without the proper privilege, a process cannot perform specific operations in a privileged application. Authorizations enforce policy at the user application level. An authorization might be required for access to a privileged application or for specific operations within a privileged application.
- © 2010, Oracle Corporation and/or its affiliates