Trusted Solaris Developer's Guide

Checking and Modifying Privileges

Applications can notify users that privileges are missing, and establish the privilege sets for a program.

Check Permitted Privileges

An application can check the permitted privilege set to be sure the application has all privileges it needs to function. This way, if an application is missing a privilege, it can issue an error message to that effect. Continuing without all the needed privileges typically produces error messages that are more difficult to interpret.

The following example gets the permitted set and checks for PRIV_FILE_MAC_WRITE, PRIV_PROC_SETID, and PRIV_FILE_SETPRIV. The PRIV_ISSUBSET macro provides another way (not shown) to check if one privilege set contains all the privileges in another privilege set from within your source code.

#include <stdio.h>
#include <tsol/priv.h>	/* priv_set_t, PRIV_* macros, getppriv(2) */

priv_set_t permitted_privs;

/* Initialize privilege set data structure */
PRIV_EMPTY(&permitted_privs);

/* Test for privileges in permitted set. perror(3C) appends its own newline. */
if (getppriv(PRIV_PERMITTED, &permitted_privs) == -1)
	perror("Cannot get list of permitted privileges");

if (!PRIV_ISASSERT(&permitted_privs, PRIV_FILE_MAC_WRITE))
	fprintf(stderr, "Need: file_mac_write.\n");

if (!PRIV_ISASSERT(&permitted_privs, PRIV_PROC_SETID))
	fprintf(stderr, "Need: proc_setid.\n");

if (!PRIV_ISASSERT(&permitted_privs, PRIV_FILE_SETPRIV))
	fprintf(stderr, "Need: file_setpriv.\n");

Remove a Permitted Privilege

You can remove privileges from the permitted set, but once a privilege is removed it cannot be added back. Only privileges in the permitted set can be in the inheritable set, so do not remove a permitted privilege that still needs to be in the inheritable set. This example removes the file_mac_write privilege from the permitted set. The 1 indicates that the parameter list contains one privilege constant.

if (set_permitted_priv(PRIV_OFF, 1, PRIV_FILE_MAC_WRITE) == -1)
	perror("Cannot remove file_mac_write from permitted set");

Before this call the permitted set contains these privileges:

executable Permitted = file_mac_write,file_setpriv,proc_setid

After this call the permitted set contains these privileges:

executable Permitted = file_setpriv,proc_setid

Check Saved Privileges

An application can check the saved privilege set to determine where a privilege came from and act on the result. This example gets the saved set and checks for PRIV_PROC_SETID and PRIV_FILE_SETPRIV; it finds that the file_setpriv privilege is not inherited, but the proc_setid privilege is inherited.

priv_set_t saved_privs;

/* Initialize privilege set data structure */
PRIV_EMPTY(&saved_privs);

/* Test for privileges in saved set. */
if (getppriv(PRIV_SAVED, &saved_privs) == -1)
	perror("Cannot get list of saved privileges");

if (!PRIV_ISASSERT(&saved_privs, PRIV_PROC_SETID))
	fprintf(stderr, "proc_setid not in saved set.\n");

if (!PRIV_ISASSERT(&saved_privs, PRIV_FILE_SETPRIV))
	fprintf(stderr, "file_setpriv not in saved set.\n");

Clear and Set the Inheritable Set

To set the privileges that will be active after a new program is started using exec(2), first clear the inheritable set of the process, then initialize it with the privileges that you want the program to inherit.

This example clears the inheritable privilege set. The PRIV_SET operation replaces the inheritable set with the privileges that follow, and the zero (0) parameter indicates an empty list of privilege IDs, so the set is cleared.

if (set_inheritable_priv(PRIV_SET, 0) == -1)
	perror("Cannot clear inheritable privileges");

Before this call the inheritable set contains these privileges:

Inheritable = file_mac_write,file_setpriv,proc_setid

After this call the inheritable set contains no privileges:

Inheritable = none

The following example sets the proc_setid privilege in the inheritable privilege set. Any privilege in the permitted set can be placed in the inheritable set; placing any other privilege in the inheritable set results in an Invalid Argument error. Because the proc_setid privilege is in the permitted set for executable, it can be placed in the inheritable set. Because it is also in the allowed set for execfile, it can be used by the new program when execfile is exec'd in "Execute a File".

if (set_inheritable_priv(PRIV_ON, 1, PRIV_PROC_SETID) == -1)
	perror("Cannot set proc_setid privilege in inheritable set");

After this call the inheritable set contains this privilege:

Inheritable = proc_setid
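The rules this section relies on (a missing-privilege check in the spirit of PRIV_ISSUBSET, a permitted set that only shrinks, and an inheritable set that must stay a subset of the permitted set or fail with an Invalid Argument error) can be exercised in one place with the following added example. It is a portable model written for this guide, not the Trusted Solaris API: privilege sets are bitmasks instead of priv_set_t, and missing_permitted, drop_permitted, set_inheritable, run_scenario and the P_* and OP_* names are assumptions standing in for the real library calls and constants. It replays the sequence of calls from the Check Permitted Privileges, Remove a Permitted Privilege and Clear and Set the Inheritable Set examples above.

```c
#include <errno.h>
#include <stdio.h>
/* priv_set_t modelled as a bitmask over the three privileges used on this page. */
typedef unsigned int privset_t;
enum { P_FILE_MAC_WRITE = 1u << 0, P_PROC_SETID = 1u << 1, P_FILE_SETPRIV = 1u << 2 };
enum priv_op { OP_SET, OP_ON, OP_OFF };           /* stand-ins for PRIV_SET/PRIV_ON/PRIV_OFF */
struct proc_privs { privset_t permitted, inheritable, saved; };

/* PRIV_ISSUBSET-style check: bits of `needed` missing from permitted (0 = none missing). */
privset_t missing_permitted(const struct proc_privs *p, privset_t needed)
{
    return needed & ~p->permitted;
}

/* set_permitted_priv(PRIV_OFF, ...): permitted only shrinks and cannot be refilled.
 * The model also clears the bits from inheritable so it stays a subset of permitted
 * (a modelling assumption; the guide only warns not to remove a privilege inheritable needs). */
void drop_permitted(struct proc_privs *p, privset_t privs)
{
    p->permitted &= ~privs;
    p->inheritable &= ~privs;
}

/* set_inheritable_priv(): PRIV_SET replaces (0 clears), PRIV_ON adds, PRIV_OFF removes;
 * any privilege outside the permitted set is rejected with EINVAL. */
int set_inheritable(struct proc_privs *p, enum priv_op op, privset_t privs)
{
    if (privs & ~p->permitted) { errno = EINVAL; return -1; }
    if (op == OP_SET) p->inheritable = privs;
    else if (op == OP_ON) p->inheritable |= privs;
    else p->inheritable &= ~privs;
    return 0;
}

/* The sequence of calls this section walks through; returns 0 if each step behaves as described. */
int run_scenario(void)
{
    privset_t all = P_FILE_MAC_WRITE | P_FILE_SETPRIV | P_PROC_SETID;
    struct proc_privs pr = { all, all, 0 };                       /* constructed starting state */
    if (missing_permitted(&pr, all) != 0) return 1;              /* all three present */
    drop_permitted(&pr, P_FILE_MAC_WRITE);                        /* Permitted = file_setpriv,proc_setid */
    if (set_inheritable(&pr, OP_SET, 0) != 0) return 2;           /* Inheritable = none */
    if (set_inheritable(&pr, OP_ON, P_PROC_SETID) != 0) return 3; /* Inheritable = proc_setid */
    if (set_inheritable(&pr, OP_ON, P_FILE_MAC_WRITE) == 0 || errno != EINVAL) return 4;
    return pr.inheritable == P_PROC_SETID ? 0 : 5;
}

int main(void) { printf("privilege scenario %s\n", run_scenario() == 0 ? "ok" : "failed"); return 0; }
```

The last step shows why the warning in Remove a Permitted Privilege matters: once file_mac_write has left the permitted set, no later call can put it into the inheritable set.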