The following table lists the interfaces for using privileges.
Descriptions of some major privilege interfaces are provided after the table.
Table 2-1 Interfaces for Using Privileges
Getting and setting privilege sets
setppriv() and getppriv() are
system calls. priv_ineffect() and priv_set() are
wrappers for convenience.
Identifying and translating privileges
These functions map the specified privilege or privilege set to a name
or a number.
Manipulating privilege sets
These functions are concerned with privilege memory allocation, testing,
and various set operations.
Getting and setting process flags
The PRIV_AWARE process flag indicates whether the process understands
privileges or runs under the superuser model. PRIV_DEBUG is used for privilege
Low-level credential manipulation
These routines are used for debugging, low-level system calls, and kernel
setppriv(): for Setting Privileges
The main function for setting privileges is setppriv(),
which has the following syntax:
int setppriv(priv_op_t op, priv_ptype_t which, \
const priv_set_t *set);
op represents the privilege operation that
is to be performed. The op parameter has one of
three possible values:
PRIV_ON – Adds the privileges that
are specified by the set variable to the set type
that is specified by which
PRIV_OFF – Removes the privileges
that are specified by the set variable from the
set type that is specified by which
PRIV_SET – Uses the privileges that
are specified by the set variable to replace privileges
in the set type that is specified by which
which specifies the type of privilege set
to be changed, as follows:
set specifies the privileges to be used in
the change operation.
In addition, a convenience function is provided: priv_set().
priv_str_to_set() for Mapping
These functions are convenient for mapping privilege names with
their numeric values. priv_str_to_set() is a typical function
in this family. priv_str_to_set() has the following syntax:
priv_set_t *priv_str_to_set(const char *buf, const char *set, \
const char **endptr);
priv_str_to_set() takes a string of privilege names
that are specified in buf. priv_str_to_set() returns
a set of privilege values that can be combined with one of the four privilege
sets. **endptr can be used to debug parsing errors.
Note that the following keywords can be included in buf:
“all” indicates all defined
privileges. “all,!priv_name,...” enables you to specify all privileges except the indicated
Note - Constructions that use “priv_set, “!priv_name,...” subtract the specified privilege from the specified
set of privileges. Do not use “!priv_name,...” without first specifying a set because with no privilege
set to subtract from, the construction subtracts the specified privileges
from an empty set of privileges and effectively indicates no privileges.
“none” indicates no privileges.
“basic” indicates the set of
privileges that are required to perform operations that are traditionally
granted to all users on login to a standard UNIX operating system.