Transitioning From Oracle® Solaris 10 to Oracle Solaris 11.2

Exit Print View

Updated: December 2014
 
 

Viewing Privileges and Authorizations

When a user is directly assigned privileges, in effect, the privileges are in every shell. When a user is not directly assigned privileges, then the user must open a profile shell. For example, when commands with assigned privileges are in a rights profile that is in the user's list of rights profiles, then the user must execute the command in a profile shell.

To view privileges online, see privileges(5). The privilege format that is displayed is used by developers.

$ man privileges
Standards, Environments, and Macros                 privileges(5)

NAME
privileges - process privilege model
...
The defined privileges are:

PRIV_CONTRACT_EVENT

Allow a process to request reliable delivery  of  events
to an event endpoint.

Allow a process to include events in the critical  event
set  term  of  a  template  which  could be generated in
volume by the user.
...
Example 9-2  Viewing Directly-Assigned Privileges

If you have been directly assigned privileges, then your basic set contains more than the default basic set. In the following example, the user always has access to the proc_clock_highres privilege.

$ /usr/bin/whoami
jdoe
$ ppriv -v $$
1800:   pfksh
flags = <none>
E: file_link_any,…,proc_clock_highres,proc_session
I: file_link_any,…,proc_clock_highres,proc_session
P: file_link_any,…,proc_clock_highres,proc_session
L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
$ ppriv -vl proc_clock_highres
Allows a process to use high resolution timers.

To view authorizations, use the auths command:

$ auths list

The output of this command produces a more readable summary (one per line) of the authorizations that are assigned to a user. Starting with Oracle Solaris 11.1, several new options have been added to the auths command. For example, the check option is useful for scripting. Other new options provide the ability to add, modify, and remove authorizations to and from files or LDAP. See auths(1).