Securing Users and Processes in Oracle® Solaris 11.2

Updated: July 2014
 
 

Administrative Differences on a System With Privileges

A system that has privileges has several visible differences from a system that does not have privileges. The following table lists some of the differences.

Table 1-2  Visible Differences Between a System With Privileges and a System Without Privileges

| Feature | No Privileges | Privileges |
| --- | --- | --- |
| Daemons | Daemons run as root. | Daemons run as the user daemon. For example, these daemons are assigned limited privileges and run as daemon: lockd and rpcbind. |
| Log file ownership | Log files are owned by root. | Log files are owned by daemon, who creates the log file. The root user does not own the file. |
| Error messages | Error messages refer to superuser. For example, chroot: not superuser. | Error messages reflect the use of privileges. For example, the equivalent error message for chroot failure is chroot: exec failed. |
| setuid programs | Programs use setuid root to complete tasks that regular users are not allowed to perform. | Many setuid root programs run with just the privileges they need. For example, the following commands use privileges: audit, ikeadm, ipadm, ipsecconf, ping, traceroute, and newtask. |
| File permissions | Device permissions are controlled by DAC. For example, members of the group sys can open /dev/ip. | File permissions (DAC) do not predict who can open a device. Devices are protected with DAC and device policy. For example, the /dev/ip file has 666 permissions, but the device can only be opened by a process with the appropriate privileges. |
| Audit events | Auditing the use of the su command covers many administrative functions. | Auditing the use of privileges covers most administrative functions. The cusa audit class includes audit events that monitor administrative functions. |
| Processes | Processes are protected by the rights of the process owner. | Processes are protected by privileges. Process privileges and process flags are visible as a new entry in the /proc/<pid>/priv directory. |
| Debugging | No reference to privileges in core dumps. | The ELF note section of core dumps includes information about process privileges and flags in the NT_PRPRIV and NT_PRPRIVINFO notes. The ppriv command and other commands show the proper number of properly sized sets. The commands correctly map the bits in the bit sets to privilege names. |
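
The following added example (not part of the Oracle documentation) shows how the privilege sets that ppriv reports can be audited: it parses ppriv output for several processes and lists those whose effective or permitted set is the full set, which is what a daemon still running with root-equivalent rights looks like. The sample output is constructed, the process /opt/legacy/collectord is hypothetical, and the parser assumes the non-verbose layout in which ppriv abbreviates the full set as "all".

```python
import re

# Constructed sample in the layout printed by `ppriv <pid> ...`; not captured from a real host.
SAMPLE = """\
928:\t/usr/sbin/rpcbind
flags = PRIV_AWARE
\tE: net_bindmlp,net_privaddr,proc_fork,sys_nfs
\tI: none
\tP: net_bindmlp,net_privaddr,proc_fork,sys_nfs
\tL: none
1200:\t-csh
flags = <none>
\tE: basic
\tI: basic
\tP: basic
\tL: all
2311:\t/opt/legacy/collectord
flags = <none>
\tE: all
\tI: basic
\tP: all
\tL: all
"""

HEADER = re.compile(r"^(\d+):\s+(.*)$")         # "<pid>:<tab><command>"
FLAGS = re.compile(r"^flags\s*=\s*(.*)$")       # process flags line
SET_LINE = re.compile(r"^\s+([EIPL]):\s*(.*)$")  # Effective/Inheritable/Permitted/Limit

def parse_ppriv(text):
    """Return {pid: {"cmd", "flags", "E", "I", "P", "L"}} from ppriv output."""
    procs, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = procs.setdefault(int(m.group(1)), {"cmd": m.group(2).strip()})
        elif cur is None:
            continue  # ignore anything before the first process header
        elif m := FLAGS.match(line):
            cur["flags"] = m.group(1).strip()
        elif m := SET_LINE.match(line):
            cur[m.group(1)] = set(filter(None, m.group(2).split(",")))
    return procs

def root_equivalent(procs):
    """PIDs whose effective or permitted set is the full set ("all")."""
    return sorted(pid for pid, p in procs.items()
                  if "all" in p.get("E", set()) or "all" in p.get("P", set()))

if __name__ == "__main__":
    print(root_equivalent(parse_ppriv(SAMPLE)))  # [2311]
```

A limit set of "all" is not flagged, because an ordinary user shell also shows it; only the effective and permitted sets determine what the process can do right now.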