Developer's Guide to Oracle® Solaris 11 Security

Exit Print View

Updated: July 2014

Privileged Applications

A privileged application is an application that can override system controls and check for specific user IDs (UIDs), group IDs (GIDs), authorizations, or privileges. These access control elements are assigned by system administrators. For a general discussion of how administrators use these access control elements, see Assigning Rights to Users and Roles in Securing Users and Processes in Oracle Solaris 11.2 .

    The Oracle Solaris operating system provides developers with two elements that enable a finer-grained delegation of privileges:

  • Privileges - A privilege is a discrete right that can be granted to an application. With a privilege, a process can perform an operation that would otherwise be prohibited by the Oracle Solaris OS. For example, processes cannot normally open data files without the proper file permission. The file_dac_read privilege provides a process with the ability to override the UNIX file permissions for reading a file. Privileges are enforced at the kernel level.

  • Authorizations - An authorization is a permission for performing a class of actions that are otherwise prohibited by security policy. An authorization can be assigned to a role or user. Authorizations are enforced at the user level.

The difference between authorizations and privileges has to do with the level at which the policy of who can do what is enforced. Privileges are enforced at the kernel level. Without the proper privilege, a process cannot perform specific operations in a privileged application. Authorizations enforce policy at the user application level. An authorization might be required for access to a privileged application or for specific operations within a privileged application.