Trusted Solaris Administrator's Procedures

Finding Which Privileges a Program Needs

The runpd(1M) command is the privilege debugging program for Trusted Solaris software. By default, the runpd command is in a rights profile assigned to the Security Administrator role. The environment for running the command is disabled by default.

The runpd command requires the trusted path attribute, which a command can only obtain when the command is executed by a role. Therefore, a user cannot use the runpd command to find out what privileges are required.

The root role should not be used to debug privilege use because the UID 0 may give the command more access than it would have with another UID. Similarly, the Primary Administrator role is not a good privilege tester. Executing runpd in any administrative role except root and primaryadmin logs the privileges needed by any normal user if the command is run at a label within the user accreditation range.

The procedure "To Find Out Which Privileges a Program Needs" describes enabling the runpd environment and optionally creating an administrative role exclusively for doing privilege debugging.

The assignment of privileges should not be automatic. A program that fails due to lack of privilege may be assigned privileges, or the Security Administrator role may decide to assign an effective UID or GID that makes the privilege unnecessary.

When software has been assigned privileges or an alternate UID or GID, the software becomes trusted by virtue of the fact that it can bypass aspects of the Trusted Solaris security policy. Be aware that you can make software trusted even though it might not be worthy of trust. The Security Administrator role should not give any privileges to software until convinced that the software can use the privileges in a trustworthy manner. Only when it has been scrutinized and found to be using its privileges within the system security policy can a program be called a trustworthy program.