man privileges – Lists privilege definitions and their names as they are used by developers
ppriv -vl – Lists privilege definitions and their names as they are used by administrators
ppriv -vl basic – Lists names and definitions of privileges in the basic set of privileges
ppriv $$ – Lists the privileges in the current shell ($$)
getent exec_attr – Lists all commands that have security attributes (setuid or privileges) by rights profile name
$ getent exec_attr | more
All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
...
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0
...

Example 6-12 Listing All Privileges and Their Definitions
The privilege format described in the privileges(5) man page is used by developers.

$ man privileges
Standards, Environments, and Macros                        privileges(5)

NAME
     privileges - process privilege model
...
     The defined privileges are:

     PRIV_CONTRACT_EVENT
          Allow a process to request reliable delivery of events to an
          event endpoint.

          Allow a process to include events in the critical event set
          term of a template which could be generated in volume by the
          user.
...

Example 6-13 Listing Privileges That Are Used in Privilege Assignment
The ppriv command lists all privileges by name. For a definition, use the -v option.
This privilege format is used to assign privileges to users and roles with the useradd, roleadd, usermod, and rolemod commands, and to rights profiles with the profiles command.
$ ppriv -lv | more
contract_event
        Allows a process to request critical events without limitation.
        Allows a process to request reliable delivery of all events on
        any event queue.
...
win_upgrade_sl
        Allows a process to set the sensitivity label of a window
        resource to a sensitivity label that dominates the existing
        sensitivity label. This privilege is interpreted only if the
        system is configured with Trusted Extensions.

Example 6-14 Listing the Privileges in Your Current Shell
Every user is assigned the basic privilege set by default. The default limit set is all privileges.
The single letters in the output refer to the following privilege sets:
E: Effective privilege set
I: Inheritable privilege set
P: Permitted privilege set
L: Limit privilege set
$ ppriv $$
1200:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
$ ppriv -v $$
1200:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,...,sys_ib_info
        P: file_link_any,file_read,...,sys_ib_info
        L: contract_event,contract_identity,...,sys_time
The double dollar sign ($$) passes the process number of the parent shell to the command. This listing does not include privileges that are restricted to commands in an assigned rights profile.
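An added example, not part of the Oracle documentation: a small Python parser for verbose ppriv output that reports which effective privileges fall outside the basic set and checks the set relationships Solaris maintains (E within P within L, and I within L). The ppriv output it reads is a constructed sample, and the extra file_dac_read privilege in that sample is assumed so that the check has something to report.

```python
import re

# Basic privilege set as printed by `ppriv -vl basic` on this page.
BASIC = {"file_link_any", "file_read", "file_write", "net_access", "proc_exec",
         "proc_fork", "proc_info", "proc_session", "sys_ib_info"}

# Constructed sample of `ppriv -v $$` output; the extra file_dac_read in
# E and P is assumed, to give the check something to report.
SAMPLE = """1200:\t-bash
flags = <none>
\tE: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
\t   proc_info,proc_session,sys_ib_info,file_dac_read
\tI: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
\t   proc_info,proc_session,sys_ib_info
\tP: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
\t   proc_info,proc_session,sys_ib_info,file_dac_read
\tL: all
"""

def parse_ppriv(text):
    """Return {'E': set, 'I': set, 'P': set, 'L': set} from ppriv output.
    An indented line with no 'X:' prefix continues the previous set."""
    sets, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([EIPL]):\s*(.*)$", line)
        if m:
            current, body = m.group(1), m.group(2)
            sets[current] = set()
        elif current is not None and line[:1].isspace():
            body = line
        else:
            continue  # header lines such as '1200: -bash' and 'flags = ...'
        sets[current].update(p.strip() for p in body.split(",") if p.strip())
    return sets

def covers(outer, inner):
    """True when `outer` grants everything in `inner` ('all' dominates)."""
    return "all" in outer or inner <= outer

def beyond_basic(sets):
    """Effective privileges the basic set does not grant; 'all' if unbounded."""
    return {"all"} if "all" in sets["E"] else sets["E"] - BASIC

def check_invariants(sets):
    """Solaris keeps E within P within L, and I within L, for every process."""
    return (covers(sets["P"], sets["E"]) and covers(sets["L"], sets["P"])
            and covers(sets["L"], sets["I"]))
```

Run it against the output of `ppriv -v <pid>` on a real system to spot shells or daemons carrying privileges beyond the basic set.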
Example 6-15 Listing the Basic Privileges and Their Definitions

$ ppriv -vl basic
file_link_any
        Allows a process to create hardlinks to files owned by a uid
        different from the process' effective uid.
file_read
        Allows a process to read objects in the filesystem.
file_write
        Allows a process to modify objects in the filesystem.
net_access
        Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
proc_exec
        Allows a process to call execve().
proc_fork
        Allows a process to call fork1()/forkall()/vfork()
proc_info
        Allows a process to examine the status of processes other than
        those it can send signals to. Processes which cannot be examined
        cannot be seen in /proc and appear not to exist.
proc_session
        Allows a process to send signals or trace processes outside its
        session.
sys_ib_info
        Allows a process to perform read InfiniBand MAD (Management
        Datagram) operations.

Example 6-16 Listing the Commands With Security Attributes in Your Rights Profiles
The Basic Solaris User profile includes commands that enable users to read and write to CD-ROMs.
$ profiles -l
Basic Solaris User
...
        /usr/bin/cdrecord.bin    privs=file_dac_read,sys_devices,
                                 proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin      privs=file_dac_read,sys_devices,net_privaddr
        /usr/bin/cdda2wav.bin    privs=file_dac_read,sys_devices,
                                 proc_priocntl,net_privaddr
All
        *