Oracle Solaris Trusted Extensions Administrator's Procedures

ProcedureHow to Restrict a User's Set of Privileges

Site security might require that users be permitted fewer privileges than users are assigned by default. For example, at a site that uses Trusted Extensions on Sun Ray systems, you might want to prevent users from viewing other users' processes on the Sun Ray server.

Before You Begin

You must be in the Security Administrator role in the global zone.

  1. Open a Trusted Extensions toolbox in the Solaris Management Console.

    Use a toolbox of the appropriate scope. For details, see Initialize the Solaris Management Console Server in Trusted Extensions in Oracle Solaris Trusted Extensions Configuration Guide.

  2. Under System Configuration, navigate to User Accounts.

    A password prompt might be displayed.

  3. Type the role password.

  4. Double–click the icon for the user.

  5. Remove one or more of the privileges in the basic set.

    1. Double-click the icon for the user.

    2. Click the Rights tab.

      Dialog box shows the contents of the Rights tab for a
regular user.
    3. Click the Edit button to the right of the basic set in the right_extended_attr field.

    4. Remove proc_session or file_link_any.

      By removing the proc_session privilege, you prevent the user from examining any processes outside the user's current session. By removing the file_link_any privilege, you prevent the user from making hard links to files that are not owned by the user.

      Caution – Caution –

      Do not remove the proc_fork or the proc_exec privilege. Without these privileges, the user would not be able to use the system.

      Dialog box shows the basic privilege set for a regular
  6. To save the changes, click OK.