Go to main content

Securing Users and Processes in Oracle® Solaris 11.3

Exit Print View

Updated: September 2018
 
 

Privileges Reference

Privileges restrict processes are implemented in the kernel, and can restrict processes at the command, user, role, or system level.

Commands for Handling Privileges

The following table lists the commands that are available to handle privileges.

Table 5  Commands for Handling Privileges
Purpose
Command
Man Page
Debug privilege failure
ppriv -eD failed-operation
ppriv(1)
List the privileges on the system
ppriv -l
ppriv(1)
List a privilege and its description
ppriv -lv priv
ppriv(1)
List extended privilege policy on a UID, process, or port
ppriv -lv extended-policy
ppriv(1)
Examine process privileges
ppriv -v pid
ppriv(1)
Add extended privilege policy to a UID, process, or port
ppriv -r rule
privileges(5)
Set process privileges
ppriv -s spec
ppriv(1)
Remove an extended privilege policy rule
ppriv -X rule
privileges(5)
Assign privileges to a rights profile
profiles -p profile-name
profiles(1)
Assign privileges to a new role
roleadd -K defaultpriv=
roleadd(1M)
Add privileges to an existing role
rolemod -K defaultpriv+=
rolemod(1M)
Assign privileges to a new user
useradd -K defaultpriv=
useradd(1M)
Add privileges to an existing user
usermod -K defaultpriv+=
usermod(1M)
Add device policy to a device
add_drv -p policy driver
add_drv(1M)
Set device policy
devfsadm
devfsadm(1M)
View device policy
getdevpolicy
getdevpolicy(1M)
Update device policy on open devices
update_drv -p policy driver
update_drv(1M)

Files That Contain Privilege Information

    The policy.conf and syslog.conf files contain information about privileges.

  • /etc/security/policy.conf contains the following privilege information:

    • PRIV_DEFAULT – Inheritable set of privileges for the system

    • PRIV_LIMIT – Limit set of privileges for the system

    For more information, see the policy.conf(4) man page.

  • /etc/syslog.conf is the system log file for debug messages that are related to privilege debugging. The path for debug messages is set in the priv.debug entry.

    For more information, see the syslog.conf(4) man page.

Privileged Actions in the Audit Record

    Privilege use can be audited. Any time that a process uses a privilege, the use of privilege is recorded in the audit trail in the upriv audit token. When privilege names are part of the record, their textual representation is used. The following audit events record use of privilege:

  • AUE_SETPPRIV audit event – Generates an audit record when a privilege set is changed. The AUE_SETPPRIV audit event is in the pm class.

  • AUE_MODALLOCPRIV audit event – Generates an audit record when a privilege is added from outside the kernel. The AUE_MODALLOCPRIV audit event is in the ad class.

  • AUE_MODDEVPLCY audit event – Generates an audit record when the device policy is changed. The AUE_MODDEVPLCY audit event is in the ad class.

  • AUE_PFEXEC audit event – Generates an audit record when a call is made to execve() with pfexec() enabled. The AUE_PFEXEC audit event is in the as, ex, ps, and ua audit classes. The names of the privileges are included in the audit record.

The successful use of privileges that are in the basic set is not audited. An attempt to use a basic privilege that has been removed from a user's basic set is audited.

Copyright © 2002, 2018, Oracle and/or its affiliates. All rights reserved. 
Previous
Next