Oracle® Solaris 11 Security Guidelines

Exit Print View

Updated: August 2014

How to Remove Unneeded Basic Privileges From Users

Under particular circumstances, some basic privileges can be removed from a regular or guest user's basic set. For example, Sun Ray users might be prevented from examining the status of processes that they do not own.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.2 .

  1. List a full definition of the basic privilege set.

    The following three basic privileges are likely candidates for removal.

    % ppriv -lv basic
    	Allows a process to create hardlinks to files owned by a uid
    	different from the process' effective uid.
    	Allows a process to examine the status of processes other
    	than those it can send signals to.  Processes which cannot
    	be examined cannot be seen in /proc and appear not to exist.
    	Allows a process to send signals or trace processes outside its
  2. Choose the scope of the privilege removal.
    • Set system-wide.

      Any user who attempts to use the system is denied these privileges. This method of privilege removal might be appropriate for a publicly available computer.

      # pfedit /etc/security/policy.conf
    • Remove privileges from individual users.
      • Prevent a user from linking to a file that the user does not own.
        # usermod -K 'defaultpriv=basic,!file_link_any' user
      • Prevent a user from examining processes that the user does not own.
        # usermod -K 'defaultpriv=basic,!proc_info' user
      • Prevent a user from starting a second session, such as starting an ssh session from the user's current session.
        # usermod -K 'defaultpriv=basic,!proc_session' user
      • Remove all three privileges from a user's basic set.
        # usermod -K 'defaultpriv=basic,!file_link_any,!proc_info,!proc_session' user
    • Create and assign a rights profile.

      This protection applies to any user or system where you assign this rights profile.

      1. Create the rights profile.
        # profiles -p shared-profile -S ldap
        shared-profile: set defaultpriv=basic,!file_link_any,!proc_info,!proc_session

        For more information on creating rights profiles, see Creating Rights Profiles and Authorizations in Securing Users and Processes in Oracle Solaris 11.2 .

      2. Assign the rights profile to users or system-wide.

        If you have many users that share a rights profile, such as Sun Ray or remote users, setting this value in a rights profile can be a scalable solution.

        # usermod -P shared-profile username

        You can also assign the profile per system in the policy.conf file.

        # pfedit /etc/security/policy.conf
        #PROFS_GRANTED=Basic Solaris User
        PROFS_GRANTED=shared-profile,Basic Solaris User

See also

For more information, see Chapter 1, About Using Rights to Control Users and Processes, in Securing Users and Processes in Oracle Solaris 11.2 and the privileges(5) man page.