The following procedure shows how to determine if you have been directly assigned privileges.
Inappropriate use of directly assigned privileges can result in unintentional breaches of security. For a discussion, see Security Considerations When Directly Assigning Security Attributes.
List the privileges that your processes can use.
See How to Determine the Privileges on a Process for the procedure.
Invoke actions and run commands in any shell.
The privileges that are listed in the effective set are in effect throughout your session. If you have been directly assigned privileges in addition to the basic set, the privileges are listed in the effective set.
If you have been directly assigned privileges, then your basic set contains more than the default basic set. In this example, the user always has access to the proc_clock_highres privilege.
% /usr/ucb/whoami jdoe % ppriv -v $$ 1800: pfksh flags = <none> E: file_link_any,…,proc_clock_highres,proc_session I: file_link_any,…,proc_clock_highres,proc_session P: file_link_any,…,proc_clock_highres,proc_session L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time % ppriv -vl proc_clock_highres Allows a process to use high resolution timers. |
Roles use an administrative shell, or profile shell. Users who assume a role can use the role's shell to list the privileges that have been directly assigned to the role. In the following example, the role realtime has been directly assigned privileges to handle date and time programs.
% su - realtime Password: <Type realtime password> $ /usr/ucb/whoami realtime $ ppriv -v $$ 1600: pfksh flags = <none> E: file_link_any,…,proc_clock_highres,proc_session,sys_time I: file_link_any,…,proc_clock_highres,proc_session,sys_time P: file_link_any,…,proc_clock_highres,proc_session,sys_time L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time |