Under particular circumstances, some basic privileges can be removed from a regular or guest user's basic set. For example, you might prevent remote users from examining the status of processes that they do not own, individual users might do the same to highlight their own processes, and you might prevent guests from using too many resources.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights.
The following three basic privileges are likely candidates for removal.
    $ ppriv -lv basic
    file_link_any
            Allows a process to create hardlinks to files owned by a uid
            different from the process' effective uid.
    ...
    proc_info
            Allows a process to examine the status of processes other than
            those it can send signals to. Processes which cannot be examined
            cannot be seen in /proc and appear not to exist.
    proc_session
            Allows a process to send signals or trace processes outside its
            session.
    ...
To remove one or more basic privileges from every user's basic set, change the PRIV_DEFAULT entry in /etc/security/policy.conf. Any user who attempts to use the system is denied these privileges. This method of privilege removal might be appropriate for a publicly available computer.

    # pfedit /etc/security/policy.conf
    ...
    #PRIV_DEFAULT=basic
    PRIV_DEFAULT=basic,!file_link_any,!proc_info,!proc_session
To remove one or more basic privileges from a single user, set the user's defaultpriv keyword with the usermod command:

    # usermod -K 'defaultpriv=basic,!file_link_any' user
    # usermod -K 'defaultpriv=basic,!proc_info' user
    # usermod -K 'defaultpriv=basic,!proc_session' user
    # usermod -K 'defaultpriv=basic,!file_link_any,!proc_info,!proc_session' user
To remove basic privileges through a rights profile, set the profile's defaultpriv keyword. This protection applies to any user or system where you assign this rights profile.

    # profiles -p shared-profile -S ldap
    shared-profile: set defaultpriv=basic,!file_link_any,!proc_info,!proc_session
    ...
For more information about creating rights profiles, see Creating Rights Profiles and Authorizations.
If you have many users that share a rights profile, such as remote users, setting this value in a rights profile can be a scalable solution.
Assign the rights profile to an individual user:

    # usermod -P shared-profile username

Or grant the rights profile to every user on the system by adding it to the PROFS_GRANTED entry in policy.conf:

    # pfedit /etc/security/policy.conf
    ...
    #PROFS_GRANTED=Basic Solaris User
    PROFS_GRANTED=shared-profile,Basic Solaris User
In the following example, all sessions that originate from jdoe's initial login are prevented from using the sys_linkdir privilege. The user cannot make hard links to directories or unlink directories even after running the su command.
    # usermod -K 'limitpriv=all,!sys_linkdir' jdoe
    # userattr limitpriv jdoe
    all,!sys_linkdir

Example 25 Removing a Basic Privilege From Yourself
In the following example, a regular user modifies .bash_profile to remove the proc_info basic privilege. The output of programs like ps and prstat then contains only the user's own processes, which can highlight useful information.

    ## .bash_profile
    ## Remove proc_info privilege from my shell
    ##
    ppriv -s EI-proc_info $$
The ppriv line removes the proc_info privilege from the user's effective and inheritable privilege sets (EI-) in the current shell process ($$).
In the following prstat output, the totals shrink from 74 to three processes:
    ## With all basic privileges
    Total: 74 processes, 527 lwps, load averages: 0.01, 0.00, 0.00
    ## With proc_info removed from the effective and inheritable set
    Total: 3 processes, 3 lwps, load averages: 0.00, 0.00, 0.00

Example 26 Preventing Guests From Spawning Editor Subprocesses
In this example, the administrator prevents users from creating subshells from one or more editors by removing the proc_exec basic privilege from the editor command.
The administrator creates a rights profile that removes proc_exec from the limit privilege set of the vim editor.
    # profiles -p -S ldap "Editor Restrictions"
    profiles:Editor Restrictions> set desc="Site Editor Restrictions"
    ... Restrictions> add cmd=/usr/bin/vim
    ... Restrictions:vim> set limitprivs=all,!proc_exec
    ... Restrictions:vim> end
    ... Restrictions> commit
    ... Restrictions> exit
The administrator adds other popular editors to the rights profile.
    # profiles -p "Editor Restrictions"
    profiles:Editor Restrictions> add cmd=/usr/bin/gedit
    ... Restrictions:gedit> set limitprivs=all,!proc_exec
    ... Restrictions:gedit> end
    ... Restrictions> add cmd=/usr/bin/vim
    ... Restrictions:vim> set limitprivs=all,!proc_exec
    ... Restrictions:vim> end
    ... Restrictions> add cmd=/usr/xpg4/ed
    ... Restrictions:ed> set limitprivs=all,!proc_exec
    ... Restrictions:ed> end
    ... Restrictions> add cmd=/usr/xpg4/ex
    ... Restrictions:ex> set limitprivs=all,!proc_exec
    ... Restrictions:ex> end
    ... Restrictions> add cmd=/usr/xpg4/vi
    ... Restrictions:vi> set limitprivs=all,!proc_exec
    ... Restrictions:vi> end
    ... Restrictions> commit
    ... Restrictions> exit
The administrator reviews the rights profile entries for errors such as typographical errors, omissions, or repetition.
    # profiles -p "Editor Restrictions" info
    Found profile in files repository.
    name=Editor Restrictions
    desc=Site Editor Restrictions
    cmd=/usr/bin/vim
    limitprivs=all,!proc_exec
    ...
The administrator assigns the Editor Restrictions rights profile to the guest user.
# usermod -K profiles+="Editor Restrictions" guest
By using profiles+, the administrator adds this rights profile to the account's current rights profiles.
To verify that the editor's privileges are limited, the administrator opens the editor and, in a separate window, examines the privileges on the editor process.

    # ppriv -S $(pgrep vim)
    2805:   vim .bash_profile
    flags = PRIV_PFEXEC                 User is running a profile shell
            E: basic,!proc_info         proc_info is removed from basic set
            I: basic,!proc_info
            P: basic,!proc_info
            L: all,!proc_exec           proc_exec is removed from limit set
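The following POSIX shell audit is an added example, not part of the Oracle documentation: it parses saved ppriv -S output and confirms that proc_info is negated in the E, I and P sets and proc_exec in the L set, which is what the example above expects. The sample output is constructed from that example; on a live system you would pass it the output of ppriv -S for the editor's process instead.

```shell
# Constructed sample of "ppriv -S <pid>" output, modelled on the example above
# (not captured from a real system).
SAMPLE_PPRIV='2805:   vim .bash_profile
flags = PRIV_PFEXEC
        E: basic,!proc_info
        I: basic,!proc_info
        P: basic,!proc_info
        L: all,!proc_exec'

# priv_set SET OUTPUT: print the privilege spec (e.g. "basic,!proc_info") of
# set E, I, P or L from ppriv -S output. Trailing annotations are ignored.
priv_set() {
    printf '%s\n' "$2" | awk -v s="$1:" '$1 == s { print $2; exit }'
}

# priv_excluded SET PRIV OUTPUT: succeed when PRIV is explicitly negated
# ("!PRIV") in the named set; fail otherwise.
priv_excluded() {
    spec=$(priv_set "$1" "$3")
    case ",$spec," in
        *",!$2,"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_restrictions OUTPUT: check the removals the example expects, print a
# one-line verdict per check and return the number of failed checks.
audit_restrictions() {
    failures=0
    for check in "E:proc_info" "I:proc_info" "P:proc_info" "L:proc_exec"; do
        set_letter=${check%%:*}
        priv=${check#*:}
        if priv_excluded "$set_letter" "$priv" "$1"; then
            printf 'OK   %s set excludes %s\n' "$set_letter" "$priv"
        else
            printf 'FAIL %s set still contains %s\n' "$set_letter" "$priv"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

audit_restrictions "$SAMPLE_PPRIV"
```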
In this example, the administrator adds the Editor Restrictions rights profile to the policy.conf file. The administrator ensures that this file is distributed to all public systems where guests can log in.
    # cd /etc/security; cp policy.conf policy.conf.orig
    # pfedit /etc/security/policy.conf
    ...
    AUTHS_GRANTED=
    AUTH_PROFS_GRANTED=
    #PROFS_GRANTED=Basic Solaris User
    PROFS_GRANTED=Editor Restrictions,Basic Solaris User
For more information, see the privileges(7) man page.