Trusted Solaris Developer's Guide

Privileged Operations

The system calls that get and set file privilege sets require mandatory access and discretionary access to the file and may require privilege if access is denied. See the fgetfpriv(2) man page for specific details.

Setting File Privilege Sets

The file_setpriv privilege is required to set file privilege sets with the setfpriv(1) and fsetfpriv(2) system calls.

Keeping File Privilege Sets on an Executable File

When a process writes information to an executable file, the file_setpriv privilege is needed to prevent the file's forced and allowed privilege sets from being set to none.

Core Files

The proc_dumpcore privilege must be effective for a privileged process to create a core file because the core file from a privileged process is likely to contain sensitive information. If this privilege is not effective, the process will not create a core file when it dies. For debugging purposes (only), you could make this privilege effective at the beginning of execution and leave it effective until the process dies.

Setting IDs

The calling process needs the proc_setid privilege in its effective set to change its user ID, group ID, or supplemental group ID.