Passing Privileges to Child Processes

When a process executes a new program, the process's new inheritable set equals the process's old inheritable set before the new program was executed: I[new]=I[old]. The result is that the inheritable privileges available for one program to pass to another program are not affected by the forced or allowed privileges on the currently executing program.

The benefit of setting I[new]=I[old] without reference to allowed privileges is that privileges can be passed from a process executing a program that cannot use the privileges to one that can.

The benefit of setting I[new]=I[old] without reference to forced privileges is that forced privileges cannot be used by shell scripts.

Passing Privileges to Another Program

A process executing a program that has no allowed privileges cannot use any privileges because it cannot put any privileges into its effective set even if it inherits privileges from another trusted process. Such a process, however, can pass its inheritable privileges through to another program that it executes, one which might have allowed privileges and which therefore can use the inheritable privileges. The process executing the program without allowed privileges can pass privileges to another program because the inheritable set of the process is not affected by the lack of allowed privileges on the program. The following figure shows the inheritance mechanism.

Figure 13-1 How an Unprivileged Program Can Pass On Privileges

Not Passing Forced Privileges via Shell Scripts

The inheritable set of a process cannot be increased by the forced privileges on the program. Any forced privileges on a shell script are not passed to commands invoked in a forced-privilege shell script. The result is that privileges cannot be used by shell scripts executed in standard UNIX shells, sh(1), csh(1), and ksh(1). See the following figure.

Figure 13-2 How Forced Privilege Shell Scripts Are Prevented from Passing On Privileges