Setting and Getting File Privilege Sets

The Trusted Solaris environment provides the user commands and programming interfaces described here for setting and getting the privilege sets of an executable file. If no forced and allowed privileges are set, by default the forced and allowed privilege sets contain none.

If you set file privilege sets prior to execution, the new privilege sets take effect immediately and are used to compute the process privilege sets for the current execution. If you set file privilege sets during execution, they do not take effect until the next execution and have no effect on the process privilege sets for the current execution.

Commands for File Sets

To set and get the file privilege sets from the command line, use setfpriv(1) and getfpriv(1). The file_setpriv privilege is required with setfpriv(1) so this command must be executed from the profile shell with this privilege. See "Assigning File Privileges using a Script" for information on using setfpriv(1) in a script.

This command line sets the file privilege sets on executable for the examples in this chapter. When you specify more than one privilege, the names are separated by commas with no spaces. If you want to use spaces, enclose the privilege names in double quotes ("privilege1, privilege2").

phoenix% setfpriv -s -f file_setpriv \
-a file_mac_write,proc_setid,file_setpriv executable

This command line produces output to verify the file privilege sets were set:

phoenix% getfpriv executable
executable FORCED: file_setpriv 
ALLOWED: file_mac_write,file_setpriv,proc_setid

Programming Interfaces for File Sets

The privilege macros and system calls described in this section get and set file privilege sets. The program below has the header files and variable declarations for the entire series of examples for this chapter. It also contains code to set and get the file privilege sets for execfile, which will be exec'd later to show what happens to process sets during an exec.

The setfpriv(1) system call sets the forced and allowed privilege sets on execfile and requires the file_setpriv privilege. The file_setpriv privilege is in the forced set for executable to make it available in the permitted set during execution. By default, the effective set equals the permitted set, and all effective privileges are on until explicitly turned off in preparation for privilege bracketing. The use of file_setpriv in this code does not follow security guidelines until privilege bracketing is put into effect as described in "Bracketing Effective Privileges".

/* cc priv.c -o executable -ltsol */

#include <tsol/priv.h>
#include <sys/types.h>
#include <errno.h>
#include <stdio.h>

/* Global Variables*/
extern int errno;
char buffer [3*1024];

main()
{
	char *priv_names = "file_mac_write,proc_setid";
	char *string;
	char *privilege;
	char *file = "/export/home/zelda/executable";
	char *execfile = "/export/home/zelda/execfile";
	priv_set_t priv_set, priv_get, permitted_privs, saved_privs;
	int length = sizeof(buffer);
	int retval;
	pid_t pid;

/* To use with exec() later */
	char *argv[8] = {"execfile"};

/* Initialize privilege set data structures */

	PRIV_EMPTY(&priv_get);
	PRIV_EMPTY(&priv_set);

/* Turn allowed privileges off. See text for discussion. */

	retval = setfpriv(execfile, PRIV_SET, PRIV_ALLOWED, &priv_get);

/* Assert the privileges in priv_names in a privilege set */
/* structure and assign to execfile. See text below for discussion */
/* on methods for asserting privileges */

	if((string = str_to_priv_set(priv_names, &priv_set, ",")) != NULL)
	printf("string = %s errno = %d\n", string, errno);
	retval = setfpriv(execfile,PRIV_ON, PRIV_ALLOWED, &priv_set);

/* Check that the allowed privilege set contains the privileges */

	retval = getfpriv(execfile, PRIV_ALLOWED, &priv_get);
	priv_set_to_str(&priv_get, ',', buffer, &length);
	printf("execfile Allowed = %s\n", buffer);

/* Initialize privilege set data structures */

	PRIV_EMPTY(&priv_set);
	PRIV_EMPTY(&priv_get);

/* Assert file_mac_write in a privilege set structure */

	PRIV_ASSERT(&priv_set, PRIV_FILE_MAC_WRITE);

/* Set the forced privilege set on execfile */

	retval = setfpriv(execfile, PRIV_ON, PRIV_FORCED, &priv_set);

/* Check that the forced privilege set contains the privilege */

	retval = getfpriv(execfile, PRIV_FORCED, &priv_get);
	priv_set_to_str(&priv_get, `,', buffer, &length);
	printf("execfile Forced =%s\n", buffer);
}

The printf statements print the file privilege sets for execfile as follows:

execfile Allowed = file_mac_write,proc_setid
execfile Forced = file_mac_write

The output uses a comma (",") to separate the allowed privileges. The separator is specified in the calls to priv_set_to_str(3TSOL). The separator is not used when there is only one privilege in the set.

Turn Allowed Privileges Off

The forced set is a subset of the allowed set. Any privileges in the forced set are cleared when the allowed set is cleared. The allowed set is none by default, but it is a good practice to clear it first so you know you are starting from zero. Always clear and set the allowed set before you set the forced set. After the following code executes, the allowed and forced sets are both none.

PRIV_EMPTY(&priv_set);
retval = setfpriv(execfile, PRIV_SET, PRIV_ALLOWED, &priv_set);

Assert Privileges in Privilege Set Structure

You can use the PRIV_ASSERT macro or the str_to_priv_set(3TSOL) routine to assert privileges in a privilege set structure. str_to_priv_set() works well when you have two or more privileges to assert because you can do it in one statement; whereas, PRIV_ASSERT must be called for each privilege asserted in the set. This code uses the str_to_priv_set() routine for the allowed set and PRIV_ASSERT for the forced set. The str_to_priv() routine returns NULL on success and the string passed to it in priv_names on failure.

if((string = str_to_priv_set(priv_names, &priv_set, ",")) != NULL)
	printf("string = %s errno = %d\n", string, errno);

 PRIV_EMPTY(&priv_set);
 PRIV_ASSERT(&priv_set, PRIV_FILE_MAC_WRITE);

Contents of Privilege Sets

The next examples operate on the process sets. It might be helpful to see the of file and process privilege sets before any operations. The process sets are calculated from the algorithms in "Process Privilege Sets".

executable Allowed = file_mac_write,file_setpriv,proc_setid
executable Forced = file_setpriv
Permitted = file_mac_write,file_setpriv,proc_setid
Effective = file_mac_write,file_setpriv,proc_setid
Saved = file_mac_write,proc_setid
Inheritable = file_mac_write&file_setpriv,proc_setid