|Skip Navigation Links|
|Exit Print View|
|Oracle Solaris 11.1 Administration: Security Services Oracle Solaris 11.1 Information Library|
Privileges can enable users to perform specific tasks with administrative rights. Privileges can also be used to limit users to just those tasks that they are permitted to perform.
The following procedure shows how to view the privilege names and definitions.
% man privileges Standards, Environments, and Macros privileges(5) NAME privileges - process privilege model ... The defined privileges are: PRIV_CONTRACT_EVENT Allow a process to request reliable delivery of events to an event endpoint. Allow a process to include events in the critical event set term of a template which could be generated in volume by the user. ...
This privilege format is used by developers.
% ppriv -lv | more contract_event Allows a process to request critical events without limitation. Allows a process to request reliable delivery of all events on any event queue. ... win_upgrade_sl Allows a process to set the sensitivity label of a window resource to a sensitivity label that dominates the existing sensitivity label. This privilege is interpreted only if the system is configured with Trusted Extensions.
This privilege format is used to assign privileges to users and roles with the useradd, roleadd, usermod, and rolemod commands, and to rights profiles with the profiles command.
The following procedure shows how to determine if you have been directly assigned privileges.
Caution - Inappropriate use of directly assigned privileges can result in unintentional breaches of security. For a discussion, see Security Considerations When Directly Assigning Security Attributes.
See How to Determine the Privileges on a Process for the procedure.
The privileges that are listed in the effective set are in effect throughout your session. If you have been directly assigned privileges in addition to the basic set, the privileges are listed in the effective set.
Example 9-33 Determining Your Directly Assigned Privileges
In this example, the user is directly assigned the proc_clock_highres privilege, so the privilege is available in every process that the user owns.
% ppriv -v $$ 1800: pfksh flags = <none> E: file_link_any,…,proc_clock_highres,proc_session I: file_link_any,…,proc_clock_highres,proc_session P: file_link_any,…,proc_clock_highres,proc_session L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time % ppriv -vl proc_clock_highres Allows a process to use high resolution timers.
Example 9-34 Determining a Role's Directly Assigned Privileges
In the following example, the role realtime has been directly assigned privileges to handle date and time programs.
% su - realtime Password: <Type realtime password> $ ppriv -v $$ 1600: pfksh flags = <none> E: file_link_any,…,proc_clock_highres,proc_session,sys_time I: file_link_any,…,proc_clock_highres,proc_session,sys_time P: file_link_any,…,proc_clock_highres,proc_session,sys_time L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
Typically, users and roles get access to privileged commands through a rights profile. Commands in a rights profile must be executed in a profile shell.
In the following example, the user is assigned several rights profiles. The system reads the rights profiles and their contents in order. For all attributes except authorizations, the first explicitly set attribute value is the one that is used. For more information, see Order of Search for Assigned Security Attributes.
% profiles Audit Review Console User Suspend To RAM Suspend To Disk Brightness CPU Power Management Network Autoconf Desktop Print Management Network Wifi Info Desktop Removable Media User Basic Solaris User All
profiles -l Audit Review solaris.audit.read /usr/sbin/auditreduce euid=0 /usr/sbin/auditstat euid=0 /usr/sbin/praudit euid=0
The Audit Review rights profile enables you to run the auditreduce, auditstat, and praudit commands with the effective UID of 0, and assigns you the solaris.audit.read authorization.
Example 9-35 Determining the Privileged Commands of a Role
In this example, a user assumes an assigned role and lists the commands that are included in one of the rights profiles.
% roles devadmin % su - devadmin Password: Type devadmin password $ profiles -l Device Security /usr/bin/kbd uid=0;gid=sys /usr/sbin/add_allocatable euid=0 /usr/sbin/add_drv uid=0 /usr/sbin/devfsadm uid=0 /usr/sbin/eeprom uid=0 /usr/sbin/list_devices euid=0 /usr/sbin/rem_drv uid=0 /usr/sbin/remove_allocatable euid=0 /usr/sbin/strace euid=0 /usr/sbin/update_drv uid=0
Example 9-36 Running the Privileged Commands in Your Role
In the following example, the admin role can change the permissions on the useful.script file.
% whoami jdoe % ls -l useful.script -rwxr-xr-- 1 elsee eng 262 Apr 2 10:52 useful.script % chgrp admin useful.script chgrp: useful.script: Not owner % su - admin Password: <Type admin password> $ chgrp admin useful.script $ chown admin useful.script $ ls -l useful.script -rwxr-xr-- 1 admin admin 262 Apr 2 10:53 useful.script
% ppriv [-v] pid
Is the process number. Use a double dollar sign ($$) to pass the process number of the parent shell to the command.
Provides a verbose listing of the privilege names.
Example 9-37 Determining the Privileges in Your Current Shell
In the following example, the privileges in the parent process of the user's shell process are listed. In the second example, the full names of the privileges are listed. The single letters in the output refer to the following privilege sets:
Is the effective privilege set.
Is the inheritable privilege set.
Is the permitted privilege set.
Is the limit privilege set.
% ppriv $$ 1200: -csh flags = <none> E: basic I: basic P: basic L: all % ppriv -v $$ 1200: -csh flags = <none> E: file_link_any,net_access,proc_exec,proc_fork,proc_info,proc_session I: file_link_any,net_access,proc_exec,proc_fork,proc_info,proc_session P: file_link_any,net_access,proc_exec,proc_fork,proc_info,proc_session L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
Example 9-38 Determining the Privileges of a Role That You Can Assume
In the following example, the role sysadmin has no directly assigned privileges.
% su - sysadmin Password: <Type sysadmin password> $ /usr/bin/whoami sysadmin $ ppriv -v $$ 1400: pfksh flags = <none> E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork, proc_info,proc_session I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork, proc_info,proc_session P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork, proc_info,proc_session L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,win_upgrade_sl
Before You Begin
The command or process must fail for this debugging procedure to work.
% ppriv -eD touch /etc/acct/yearly touch: missing privilege "file_dac_write" (euid = 130, syscall = 224) needed at zfs_zaccess+0x258 touch: cannot create /etc/acct/yearly: Permission denied
% grep 224 /etc/name_to_sysnum creat64 224
Example 9-39 Using the truss Command to Examine Privilege Use
The truss command can debug privilege use in a regular shell. For example, the following command debugs the failing touch process:
% truss -t creat touch /etc/acct/yearly creat64("/etc/acct/yearly", 0666) Err#13 EACCES [file_dac_write] touch: /etc/acct/yearly cannot create
The extended /proc interfaces report the missing privilege after the error code in truss output.
Example 9-40 Using the ppriv Command to Examine Privilege Use in a Profile Shell
In this example, the jdoe user can assume the role objadmin. The objadmin role includes the Object Access Management rights profile. This rights profile allows the objadmin role to change permissions on files that objadmin does not own.
In the following excerpt, jdoe fails to change the permissions on the useful.script file:
jdoe% ls -l useful.script -rw-r--r-- 1 aloe staff 2303 Apr 10 10:10 useful.script jdoe% chown objadmin useful.script chown: useful.script: Not owner jdoe% ppriv -eD chown objadmin useful.script chown: missing privilege "file_chown" (euid = 130, syscall = 16) needed at zfs_zaccess+0x258 chown: useful.script: Not owner
When jdoe assumes the objadmin role, the permissions on the file are changed:
jdoe% su - objadmin Password: <Type objadmin password> $ ls -l useful.script -rw-r--r-- 1 aloe staff 2303 Apr 10 10:10 useful.script $ chown objadmin useful.script $ ls -l useful.script -rw-r--r-- 1 objadmin staff 2303 Apr 10 10:10 useful.script $ chgrp admin useful.script $ ls -l objadmin.script -rw-r--r-- 1 objadmin admin 2303 Apr 10 10:11 useful.script
Example 9-41 Changing a File Owned by the root User
This example illustrates the protections against privilege escalation. For a discussion, see Prevention of Privilege Escalation. The file is owned by the root user. The less powerful role, objadmin role needs all privileges to change the file's ownership, so the operation fails.
jdoe% su - objadmin Password: <Type objadmin password> $ cd /etc; ls -l system -rw-r--r-- 1 root sys 1883 Oct 10 10:20 system $ chown objadmin system chown: system: Not owner $ ppriv -eD chown objadmin system chown: missing privilege "ALL" (euid = 101, syscall = 16) needed at zfs_zaccess+0x258 chown: system: Not owner
The service for the Network Time Protocol (NTP) uses the privileged port 123 for udp traffic. This procedure protects other ports from being accessed by a malicious user who might gain the privileges that are assigned to this port.
From the following /lib/svc/manifest/network/ntp.xml entry, the net_privaddr, proc_lock_memory, and sys_time privileges could be used on other processes:
The removed privileges prevent the service from signaling or observing any other processes, and from creating hard links as a way of renaming files.
That is, the process that is started by the service is only able to bind to the specific port 123, not to any of the other privileged ports. If a hacker could exploit the service to start another process, then the child process would also not be able to bind to any other privileged port.
The extended privilege policy that is highlighted in the following excerpt prevents access from this service to other privileged ports:
When you create a shell script that runs commands that require privilege, the appropriate rights profile must contain the commands with privileges assigned to them.
Before You Begin
You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.
#!/bin/pfsh # Copyright (c) 2012 by Oracle
% ppriv -eD script-full-path
For more information, see How to Use Your Assigned Administrative Rights.
Add the shell script, and the commands in the shell script, with their required security attributes to the rights profile. For the steps, see How to Create a Rights Profile.
To run the script, the user assumes the role and runs the script in the role's profile shell.