How to Restrict a User's Set of Privileges
Site security might require that users be permitted fewer privileges than users are assigned by default. For example, at a site that uses Trusted Extensions on Sun Ray systems, you might want to prevent users from viewing other users' processes on the Sun Ray server.
Before You Begin
You must be in the Security Administrator role in the global zone.
- Remove one or more of the privileges in the basic set.
Caution - Do not remove the proc_fork or the proc_exec privilege. Without these privileges, a user cannot use the system.
# usermod -K defaultpriv=basic,!proc_info,!proc_session,!file_link_any
By removing the proc_info privilege, you prevent the user from examining any processes that do not originate from the user. By removing the proc_session privilege, you prevent the user from examining any processes outside the user's current session. By removing the file_link_any privilege, you prevent the user from making hard links to files that are not owned by the user.
See Also
For an example of collecting the privilege restrictions in a rights profile, see the examples following How to Create a Rights Profile in Securing Users and Processes in Oracle Solaris 11.3.
To restrict the privileges of all users on a system, see Example 13, Modifying Every User's Basic Privilege Set.