Oracle Solaris Administration: Security Services     Oracle Solaris 11 Information Library

Using Privileges (Tasks)

The following task maps point to step-by-step instructions for managing privileges and using privileges on your system.

Task: Use privileges when you run a command.
Description: Involves listing the privileges that have been assigned to you and the privileges that are available on the system.

Task: Use privileges at your site.
Description: Involves assigning, removing, adding, and debugging the use of privileges.

Determining Your Privileges (Task Map)

When a user is directly assigned privileges, the privileges are in effect in every shell. When a user is not directly assigned privileges, then the user must open a profile shell. For example, when commands with assigned privileges are in a rights profile that is in the user's list of rights profiles, then the user must execute the command in a profile shell.

The following task map points to procedures for viewing the privileges that have been assigned to you.

Task: View the defined privileges.
Description: List the Oracle Solaris privileges and their definitions.

Task: View your privileges as a user in any shell.
Description: Shows your directly assigned privileges. All of your processes run with these privileges.

Task: View your privileged commands in a profile shell.
Description: Shows the privileged commands that you can run through an assigned rights profile.

Task: View your privileges as a role in any shell.
Description: Shows the privileged commands that your role can run through an assigned rights profile.

How to List the Privileges on the System

The following procedure shows how to view the privilege names and definitions.

How to Determine the Privileges That You Have Been Directly Assigned

The following procedure shows how to determine if you have been directly assigned privileges.

Caution - Inappropriate use of directly assigned privileges can result in unintentional breaches of security. For a discussion, see Security Considerations When Directly Assigning Security Attributes.

  1. List the privileges that your processes can use.

    See How to Determine the Privileges on a Process for the procedure.

  2. Invoke actions and run commands in any shell.

    The privileges that are listed in the effective set are in effect throughout your session. If you have been directly assigned privileges in addition to the basic set, the privileges are listed in the effective set.

Example 9-30 Determining Your Directly Assigned Privileges

If you have been directly assigned privileges, then your basic set contains more than the default basic set. In this example, the user always has access to the proc_clock_highres privilege.

% /usr/bin/whoami
jdoe
% ppriv -v $$
1800:   pfksh
flags = <none>
        E: file_link_any,…,proc_clock_highres,proc_session
        I: file_link_any,…,proc_clock_highres,proc_session
        P: file_link_any,…,proc_clock_highres,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
% ppriv -vl proc_clock_highres
        Allows a process to use high resolution timers.

Example 9-31 Determining a Role's Directly Assigned Privileges

Roles use an administrative shell, or profile shell. Users who assume a role can use the role's shell to list the privileges that have been directly assigned to the role. In the following example, the role realtime has been directly assigned privileges to handle date and time programs.

% su - realtime
Password: <Type realtime password>
$ /usr/bin/whoami
realtime
$ ppriv -v $$
1600:   pfksh
flags = <none>
        E: file_link_any,…,proc_clock_highres,proc_session,sys_time
        I: file_link_any,…,proc_clock_highres,proc_session,sys_time
        P: file_link_any,…,proc_clock_highres,proc_session,sys_time
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
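As an added example, not from the Oracle manual, the following POSIX shell script applies the check behind Examples 9-30 and 9-31 to ppriv -v output: it lists every effective privilege that goes beyond the basic set, which is how directly assigned privileges show up when you audit a user's or role's shell. The baseline basic set is taken from Example 9-34 and the sample output, variable names and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: flag privileges in "ppriv -v"
# output that go beyond the basic set, which is how directly assigned
# privileges show up in Examples 9-30 and 9-31.

# Baseline: the basic set as Example 9-34 lists it. Assumption: your system's
# basic set may differ, so confirm it locally with "ppriv -vl basic".
BASIC_SET="file_link_any net_access proc_exec proc_fork proc_info proc_session"

# Constructed "ppriv -v $$" output for a user holding one extra privilege.
SAMPLE_PPRIV='1800:   pfksh
flags = <none>
        E: file_link_any,net_access,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,net_access,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_access,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,sys_time'

# Print the privileges of set $1 (E, I, P or L) from ppriv -v output on stdin,
# one per line.
privs_in_set() {
    awk -v set="$1:" '$1 == set { n = split($2, p, ","); for (i = 1; i <= n; i++) print p[i] }'
}

# Print each privilege in the effective set that is not in BASIC_SET.
# Empty output means the process runs with nothing beyond the basic set.
extra_effective_privs() {
    privs_in_set E | while IFS= read -r priv; do
        found=0
        for b in $BASIC_SET; do
            if [ "$priv" = "$b" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then echo "$priv"; fi
    done
}

# Live use: ppriv -v $$ | extra_effective_privs
printf '%s\n' "$SAMPLE_PPRIV" | extra_effective_privs
```

On a live system, pipe the output of ppriv -v for the shell or role in question into extra_effective_privs; any privilege it prints is one the user or role carries in every shell, not only in a profile shell.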

How to Determine the Privileged Commands That You Can Run

When a user is not directly assigned privileges, then the user gets access to privileged commands through a rights profile. Commands in a rights profile must be executed in a profile shell.

  1. Determine the rights profiles that you have been assigned.
    % profiles
    Audit Review
    Console User
    Suspend To RAM
    Suspend To Disk
    Brightness
    CPU Power Management
    Network Autoconf
    Desktop Print Management
    Network Wifi Info
    Desktop Removable Media User
    Basic Solaris User
    All
  2. Determine your rights from the Audit Review profile.
    % profiles -l
    Audit Review
      solaris.audit.read
      /usr/sbin/auditreduce  euid=0
      /usr/sbin/auditstat    euid=0
      /usr/sbin/praudit      euid=0

    The Audit Review rights profile enables you to run the auditreduce, auditstat, and praudit commands with the effective UID of 0, and assigns you the solaris.audit.read authorization.

Example 9-32 Determining the Privileged Commands of a Role

In this example, a user assumes an assigned role and lists the commands that are included in one of the rights profiles.

% roles
devadmin
% su - devadmin
Password: <Type devadmin password>
$ profiles -l
Device Security
          /usr/bin/kbd        uid=0;gid=sys
          /usr/sbin/add_allocatable    euid=0
          /usr/sbin/add_drv        uid=0
          /usr/sbin/devfsadm        uid=0
          /usr/sbin/eeprom        uid=0
          /usr/sbin/list_devices        euid=0
          /usr/sbin/rem_drv        uid=0
          /usr/sbin/remove_allocatable    euid=0
          /usr/sbin/strace        euid=0
          /usr/sbin/update_drv        uid=0

Example 9-33 Running the Privileged Commands in Your Role

In the following example, the admin role can change the permissions on the useful.script file.

% whoami
jdoe
% ls -l useful.script
-rwxr-xr-- 1 elsee eng 262 Apr 2 10:52 useful.script
% chgrp admin useful.script
chgrp: useful.script: Not owner
% su - admin
Password: <Type admin password>
$ /usr/bin/whoami
admin
$ chgrp admin useful.script
$ chown admin useful.script
$ ls -l useful.script
-rwxr-xr-- 1 admin admin 262 Apr 2 10:53 useful.script

Managing Privileges (Task Map)

The most secure way to manage privileges for users and roles is to confine use of privilege to commands in a rights profile. The rights profile is then included in a role. The role is assigned to a user. When the user assumes the assigned role, the privileged commands are available to be run in a profile shell. The following procedures show how to assign privileges, remove privileges, and debug privilege use.

The following task map points to procedures for assigning, removing and debugging privileges, and for running a script that contains privileged commands.

Task: Determine which privileges are in a process.
Description: Lists the effective, inheritable, permitted, and limit privilege sets for a process.

Task: Determine which privileges are missing from a process.
Description: Lists the privileges that a failed process requires to succeed.

Task: Add privileges to a command.
Description: Adds privileges to a command in a rights profile. Users or roles can be assigned the rights profile. The users can then run the command with the assigned privileges in a profile shell.

Task: Assign privileges to a user or role.
Description: Expands a user's or role's inheritable set of privileges. Use this procedure with caution.

Task: Restrict a user's privileges.
Description: Limits the user's basic set of privileges. Use this procedure with caution.

Task: Run a privileged shell script.
Description: Adds privilege to a shell script and to the commands in the shell script. Then, runs the script in a profile shell.

How to Determine the Privileges on a Process

This procedure shows how to determine which privileges are available to your processes. The listing does not include privileges that have been assigned to particular commands.

Example 9-34 Determining the Privileges in Your Current Shell

In the following example, the privileges in the parent process of the user's shell process are listed. In the second example, the full names of the privileges are listed. The single letters in the output refer to the following privilege sets:

E    Is the effective privilege set.
I    Is the inheritable privilege set.
P    Is the permitted privilege set.
L    Is the limit privilege set.

% ppriv $$
1200:   -csh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
% ppriv -v $$
1200:   -csh
flags = <none>
        E: file_link_any,net_access,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,net_access,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_access,proc_exec,proc_fork,proc_info,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time

Example 9-35 Determining the Privileges of a Role That You Can Assume

Roles use an administrative shell, or profile shell. You must assume a role and use the role's shell to list the privileges that have been directly assigned to the role. In the following example, the role sysadmin has no directly assigned privileges.

% su - sysadmin
Password: <Type sysadmin password>
$ /usr/bin/whoami
sysadmin
$ ppriv -v $$
1400:   pfksh
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_session
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_session
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,win_upgrade_sl

How to Determine Which Privileges a Program Requires

This procedure determines which privileges a command or process requires to succeed.

Before You Begin

The command or process must fail for this debugging procedure to work.

  1. Type the command that is failing as an argument to the ppriv debugging command.
    % ppriv -eD touch /etc/acct/yearly
    touch[5245]: missing privilege "file_dac_write"
         (euid = 130, syscall = 224) needed at zfs_zaccess+0x258
    touch: cannot create /etc/acct/yearly: Permission denied 
  2. Determine which system call is failing by finding the syscall number in the /etc/name_to_sysnum file.
    % grep 224 /etc/name_to_sysnum
    creat64                 224
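As an added example, not part of the Oracle manual, this POSIX shell script automates steps 1 and 2 above: it parses the missing-privilege diagnostics that ppriv -eD prints and resolves each syscall number through a table in /etc/name_to_sysnum format, so the privilege that a rights profile must grant, and the call that needed it, can be read off in one line. The sample diagnostics, the two-entry table and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Oracle manual: summarize "ppriv -eD" diagnostics
# and resolve the syscall number through a name_to_sysnum-format table, as
# step 2 above does by hand with grep.

# Constructed excerpt in /etc/name_to_sysnum format (name, whitespace, number).
# Only the two entries the manual's own examples show; the real file is longer.
NAME_TO_SYSNUM='# constructed excerpt
chown                   16
creat64                 224'

# Constructed ppriv -eD output for two failing commands, in the format the
# manual's examples print (ppriv writes these diagnostics to stderr).
PPRIV_DEBUG='touch[5245]: missing privilege "file_dac_write"
     (euid = 130, syscall = 224) needed at zfs_zaccess+0x258
touch: cannot create /etc/acct/yearly: Permission denied
chown[11444]: missing privilege "file_chown"
            (euid = 130, syscall = 16) needed at zfs_zaccess+0x258
chown: useful.script: Not owner'

# Print the syscall name for number $1, reading a name_to_sysnum table on stdin;
# prints nothing when the number is not listed.
sysnum_to_name() {
    awk -v num="$1" '!/^#/ && $2 == num { print $1; exit }'
}

# Read ppriv -eD output on stdin and print one line per missing-privilege
# diagnostic: "<command> needs <privilege> for <syscall name> (<number>)".
summarize_missing_privs() {
    awk '
        /missing privilege/ {             # first line: cmd[pid]: missing privilege "priv"
            cmd = $1; sub(/\[.*/, "", cmd)
            priv = $0; sub(/.*missing privilege "/, "", priv); sub(/".*/, "", priv)
            next
        }
        priv != "" && match($0, /syscall = [0-9]+/) {   # second line: syscall number
            num = substr($0, RSTART + 10, RLENGTH - 10)
            print cmd, priv, num
            priv = ""
        }' | while read -r cmd priv num; do
        name=$(printf '%s\n' "$NAME_TO_SYSNUM" | sysnum_to_name "$num")
        echo "$cmd needs $priv for ${name:-unknown} ($num)"
    done
}

# Live use: ppriv -eD some-command 2>&1 | summarize_missing_privs
printf '%s\n' "$PPRIV_DEBUG" | summarize_missing_privs
```

On a live system, replace the constructed table with the real /etc/name_to_sysnum and feed the command's combined output to summarize_missing_privs.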

Example 9-36 Using the truss Command to Examine Privilege Use

The truss command can debug privilege use in a regular shell. For example, the following command debugs the failing touch process:

% truss -t creat touch /etc/acct/yearly
creat64("/etc/acct/yearly", 0666)       Err#13 EACCES [file_dac_write]
touch: /etc/acct/yearly cannot create

The extended /proc interfaces report the missing privilege after the error code in truss output.

Example 9-37 Using the ppriv Command to Examine Privilege Use in a Profile Shell

The ppriv command can debug privilege use in a profile shell. If you assign a rights profile to a user, and the rights profile includes commands with privileges, the commands must be typed in a profile shell. When the privileged commands are typed in a regular shell, the commands do not execute with privilege.

In this example, the jdoe user can assume the role objadmin. The objadmin role includes the Object Access Management rights profile. This rights profile allows the objadmin role to change permissions on files that objadmin does not own.

In the following excerpt, jdoe fails to change the permissions on the useful.script file:

jdoe% ls -l useful.script
-rw-r--r--  1 aloe  staff  2303 Apr 10 10:10 useful.script
jdoe% chown objadmin useful.script
chown: useful.script: Not owner
jdoe% ppriv -eD chown objadmin useful.script
chown[11444]: missing privilege "file_chown" 
            (euid = 130, syscall = 16) needed at zfs_zaccess+0x258
chown: useful.script: Not owner

When jdoe assumes the objadmin role, the permissions on the file are changed:

jdoe% su - objadmin
Password: <Type objadmin password>
$ ls -l useful.script
-rw-r--r--  1 aloe  staff  2303 Apr 10 10:10 useful.script
$ chown objadmin useful.script
$ ls -l useful.script
-rw-r--r--  1 objadmin  staff  2303 Apr 10 10:10 useful.script
$ chgrp admin useful.script
$ ls -l useful.script
-rw-r--r--  1 objadmin  admin  2303 Apr 10 10:11 useful.script

Example 9-38 Changing a File Owned by the root User

This example illustrates the protections against privilege escalation. For a discussion, see Prevention of Privilege Escalation. The file is owned by the root user. The less powerful objadmin role needs all privileges to change the file's ownership, so the operation fails.

jdoe% su - objadmin
Password: <Type objadmin password>
$ cd /etc; ls -l system
-rw-r--r--  1 root  sys   1883 Oct 10 10:20 system
$ chown objadmin system
chown: system: Not owner
$ ppriv -eD chown objadmin system
chown[11481]: missing privilege "ALL" 
     (euid = 101, syscall = 16) needed at zfs_zaccess+0x258
chown: system: Not owner

How to Run a Shell Script With Privileged Commands

Note - When you create a shell script that runs commands that require privilege, the appropriate rights profile must contain the commands with privileges assigned to them.

Before You Begin

You must be in the root role.

  1. Start the script with /bin/pfsh, or any other profile shell, on the first line.
    #!/bin/pfsh
    # Copyright (c) 2011 by Oracle
  2. Determine the privileges that the commands in the script need.
    % ppriv -eD script-full-path
  3. Become an administrator with the required security attributes.

    For more information, see How to Obtain Administrative Rights.

  4. Create or modify a rights profile for the script.

    You need to add the shell script, and the commands in the shell script, with their required security attributes to the rights profile. For the steps, see How to Create or Change a Rights Profile.

  5. Add the rights profile to a role and assign the role to a user.

    To run the script, the user assumes the role and runs the script in the role's profile shell.