System Administration Guide: Security Services

ProcedureHow to Determine the Privileges That You Have Been Directly Assigned

The following procedure shows how to determine if you have been directly assigned privileges.

Caution – Caution –

Inappropriate use of directly assigned privileges can result in unintentional breaches of security. For a discussion, see Security Considerations When Directly Assigning Security Attributes.

  1. List the privileges that your processes can use.

    See How to Determine the Privileges on a Process for the procedure.

  2. Invoke actions and run commands in any shell.

    The privileges that are listed in the effective set are in effect throughout your session. If you have been directly assigned privileges in addition to the basic set, the privileges are listed in the effective set.

Example 11–9 Determining Your Directly-Assigned Privileges

If you have been directly assigned privileges, then your basic set contains more than the default basic set. In this example, the user always has access to the proc_clock_highres privilege.

% /usr/ucb/whoami
% ppriv -v $$
1800:   pfksh
flags = <none>
        E: file_link_any,…,proc_clock_highres,proc_session
        I: file_link_any,…,proc_clock_highres,proc_session
        P: file_link_any,…,proc_clock_highres,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
% ppriv -vl proc_clock_highres
        Allows a process to use high resolution timers.

Example 11–10 Determining a Role's Directly-Assigned Privileges

Roles use an administrative shell, or profile shell. Users who assume a role can use the role's shell to list the privileges that have been directly assigned to the role. In the following example, the role realtime has been directly assigned privileges to handle date and time programs.

% su - realtime
Password: <Type realtime password>
$ /usr/ucb/whoami
$ ppriv -v $$
1600:   pfksh
flags = <none>
        E: file_link_any,…,proc_clock_highres,proc_session,sys_time
        I: file_link_any,…,proc_clock_highres,proc_session,sys_time
        P: file_link_any,…,proc_clock_highres,proc_session,sys_time
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time