Trusted Solaris Administration Overview

Understanding Privileges

A privilege is a discrete right granted to a process to perform an operation that would otherwise be prohibited by the Trusted Solaris environment. For example, processes cannot normally open data files unless they have the proper file permission. In the Trusted Solaris environment, the file_dac_read privilege gives a process the ability to override the UNIX file permissions for reading a file.

How a Process Acquires Privileges

The Trusted Solaris environment determines which privileges a process can make effective from three sources: the allowed privilege set and the forced privilege set assigned to the executable file, and the inheritable privileges the process receives from its parent or from a trusted launcher.

The allowed privilege attribute is a necessary condition: a privilege that is not in an application's allowed set cannot become effective for that application under any circumstances, however it was granted. The forced privilege attribute makes the privilege effective for every user who runs that application, regardless of the user's rights profile. Both attributes are assigned using either the File Manager or the setfpriv(1) command, and the getfpriv(1) command lists the privileges that are set on an executable file. Note that if an executable file is modified, all of its allowed and forced privileges are removed, so they must be reassigned after any update to the file.

The inheritable privilege attribute is assigned to the application within a rights profile, so only users who have been assigned that rights profile are granted the privilege for that application. Inheritable privilege attributes are assigned to an application inside a rights profile using either the Rights Manager or the -add option of the smexec(1) command. An inheritable privilege is made effective only when the process is launched by one of the trusted launchers. For the terminal environment, the Trusted Solaris environment provides three profile shells, corresponding to the Bourne, Korn, and C shells. For the desktop, the Workspace Menu, Front Panel, and Application Manager interpret profiles for actions. For remote environments, the Solaris Management Console legacy application tool interprets profiles. A process can also pass its inheritable privileges to any program it executes, provided that each privilege is in the allowed set of the program being executed.


Note -

In contrast to inheritable privileges, forced privileges are not inherited by child processes, except in applications that have been customized specifically for the Trusted Solaris environment to pass them on. Because the commands a shell script runs are child processes of the interpreting shell, a privilege that a script needs must therefore be given to it as an inheritable privilege, not as a forced privilege.
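The following Python model is an added illustration of the rules stated in this section and in the note above; it is not Sun's kernel code and Trusted Solaris does not ship it. It encodes that the allowed set is a necessary condition, that forced privileges apply to every user of the program, that inheritable privileges pass through only where the program allows them, that forced privileges are not inherited by children unless the program is written to propagate them, and that modifying the file strips its sets. The Executable and Process classes, the function names, the file paths, and the treatment of the whole permitted set as effective at exec (real programs bracket privileges on and off) are this example's own assumptions.

```python
"""Model of how a Trusted Solaris process acquires privileges at exec time.

Added example, not Sun's code. It encodes the rules the text states:
allowed set is a necessary condition; forced set applies to every user;
inheritable set passes through only where the program allows it; forced
privileges are not inherited by children unless the program propagates
them; modifying the file strips its sets. Treating the whole permitted
set as effective at exec is a simplification (assumption) of bracketing.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Executable:
    path: str
    allowed: frozenset = frozenset()   # set with setfpriv(1), listed by getfpriv(1)
    forced: frozenset = frozenset()
    # True only for programs customized for Trusted Solaris that re-add
    # their forced privileges to their inheritable set (see the note above).
    propagates_forced: bool = False

    def modified(self) -> "Executable":
        """Any change to the file removes its allowed and forced sets."""
        return Executable(self.path, frozenset(), frozenset(), self.propagates_forced)


@dataclass(frozen=True)
class Process:
    exe: str
    effective: frozenset     # privileges the process can actually use
    inheritable: frozenset   # privileges it can hand to programs it execs


def exec_program(parent_inheritable: frozenset, exe: Executable,
                 profile_inheritable: frozenset = frozenset()) -> Process:
    """Privilege sets of the process created by executing `exe`.

    parent_inheritable   inheritable set of the calling process
    profile_inheritable  privileges a trusted launcher (profile shell, Front
                         Panel, ...) grants from the user's rights profile;
                         empty when the caller is an ordinary process
    """
    incoming = parent_inheritable | profile_inheritable
    # The allowed set is the gate: nothing outside it is ever effective.
    effective = (incoming | exe.forced) & exe.allowed
    # Forced privileges are effective here but not passed on by default.
    inheritable = incoming & exe.allowed
    if exe.propagates_forced:
        inheritable |= exe.forced & exe.allowed
    return Process(exe.path, effective, inheritable)


FILE_DAC_READ = "file_dac_read"
FILE_DAC_WRITE = "file_dac_write"


def script_scenario(grant_via: str):
    """Give a shell script file_dac_read either as forced or as inheritable.

    Returns (effective set of the script's shell, effective set of a command
    the script runs). Paths are constructed for the example.
    """
    script = Executable(
        "/opt/local/bin/backup.sh",
        allowed=frozenset({FILE_DAC_READ}),
        forced=frozenset({FILE_DAC_READ}) if grant_via == "forced" else frozenset(),
    )
    cat = Executable("/usr/bin/cat", allowed=frozenset({FILE_DAC_READ}))
    profile = frozenset({FILE_DAC_READ}) if grant_via == "inheritable" else frozenset()

    # The user starts the script from a profile shell (a trusted launcher).
    shell = exec_program(frozenset(), script, profile_inheritable=profile)
    # The script then runs cat as an ordinary child process.
    child = exec_program(shell.inheritable, cat)
    return shell.effective, child.effective


if __name__ == "__main__":
    for how in ("forced", "inheritable"):
        sh, child = script_scenario(how)
        print(f"{how:12s} script: {sorted(sh)}  command inside script: {sorted(child)}")
    # An inheritable privilege the program does not allow is dropped.
    p = exec_program(frozenset({FILE_DAC_WRITE}),
                     Executable("/usr/bin/cat", allowed=frozenset({FILE_DAC_READ})))
    print("write privilege passed to cat, not allowed:", sorted(p.effective))
    # Editing a privileged file silently drops its privilege sets.
    edited = Executable("/opt/local/bin/tool", allowed=frozenset({FILE_DAC_READ}),
                        forced=frozenset({FILE_DAC_READ})).modified()
    print("after modification:", sorted(exec_program(frozenset(), edited).effective))
```

Running the module shows the point of the note: with a forced privilege the script's shell holds file_dac_read but the cat it runs has nothing, while with an inheritable privilege from the rights profile both the shell and the command hold it. The last two checks show the two ways a privilege quietly disappears in practice: an inheritable privilege that the executed program's allowed set does not include, and a privileged file that was edited after setfpriv was run.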


Default Privileges Supplied by the Trusted Solaris Environment

The Trusted Solaris environment provides more than 80 privileges that you can apply to applications to override security policy. For a complete list of privileges, see the priv_desc(4) man page. The privileges provided fall into the categories shown in the following table.

Table 1-4 Privilege Categories

Each entry gives the privilege category, a summary of what the privileges in it override, and one example privilege from the category.

File system security
    Summary: For overriding file system restrictions on user and group IDs, access permissions, labeling, ownership, and file privilege sets.
    Example: file_dac_chown - Lets a process change the owner user ID of a file.

System V Interprocess Communication (IPC) security
    Summary: For overriding restrictions on message queues, semaphore sets, or shared memory regions.
    Example: ipc_dac_read - Lets a process read a System V IPC message queue, semaphore set, or shared memory region whose permission bits do not grant the process read permission.

Network security
    Summary: For overriding restrictions on reserved port binding or binding to a multilevel port, sending broadcast messages, or specifying security attributes (such as labels, privileges on a message, or network endpoint defaults).
    Example: net_broadcast - Lets a process send a broadcast packet on a specified network.

Process security
    Summary: For overriding restrictions on auditing, labeling, covert channel delays, ownership, clearance, user IDs, or group IDs.
    Example: proc_mac_read - Lets a process read another process whose label dominates the label of the reading process (that is, read up).

System security
    Summary: For overriding restrictions on auditing, system booting, system configuration management, console output redirection, device management, file systems, creating hard links to directories, increasing message queue size, increasing the number of processes, system network configuration, third-party loadable modules, or label translation.
    Example: sys_boot - Lets a process halt or reboot a Trusted Solaris computer.

Window security
    Summary: For overriding restrictions on colormaps, reading from and writing to windows, input devices, labeling, font paths, moving data between windows, X server resource management, or direct graphics access (DGA) X protocol extensions.
    Example: win_selection - Lets a process request inter-window data moves without the intervention of the selection arbitrator.