Go to main content

Securing Users and Processes in Oracle® Solaris 11.4

Exit Print View

Updated: September 2018
 
 

Removing Privileges From Users

Under particular circumstances, privileges can be removed from a regular or guest user. For example, you might prevent remote users from examining the status of processes that they do not own, individual users might do the same to highlight their own processes, and you might prevent guests from using too many resources.

How to Remove Unneeded Basic Privileges From Users

Under particular circumstances, some basic privileges can be removed from a regular or guest user's basic set. For example, remote users might be prevented from examining the status of processes that they do not own.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights.

  1. List a full definition of the basic privilege set.

    The following three basic privileges are likely candidates for removal.

    $ ppriv -lv basic
    file_link_any
    	Allows a process to create hardlinks to files owned by a uid
    	different from the process' effective uid.
    ...
    proc_info
    	Allows a process to examine the status of processes other
    	than those it can send signals to.  Processes which cannot
    	be examined cannot be seen in /proc and appear not to exist.
    proc_session
    	Allows a process to send signals or trace processes outside its
    	session.
    ...
  2. Choose the scope of the privilege removal.
    • Set system-wide.

      Any user who attempts to use the system is denied these privileges. This method of privilege removal might be appropriate for a publicly available computer.

      # pfedit /etc/security/policy.conf
      ...
      #PRIV_DEFAULT=basic
      PRIV_DEFAULT=basic,!file_link_any,!proc_info,!proc_session
    • Remove privileges from individual users.
      • Prevent a user from linking to a file that the user does not own.
        # usermod -K 'defaultpriv=basic,!file_link_any' user
      • Prevent a user from examining processes that the user does not own.
        # usermod -K 'defaultpriv=basic,!proc_info' user
      • Prevent a user from starting a second session, such as starting an ssh session from the user's current session.
        # usermod -K 'defaultpriv=basic,!proc_session' user
      • Remove all three privileges from a user's basic set.
        # usermod -K 'defaultpriv=basic,!file_link_any,!proc_info,!proc_session' user
    • Create and assign a rights profile.

      This protection applies to any user or system where you assign this rights profile.

      1. Create the rights profile.
        # profiles -p shared-profile -S ldap
        shared-profile: set defaultpriv=basic,!file_link_any,!proc_info,!proc_session
        ...

        For more information about creating rights profiles, see Creating Rights Profiles and Authorizations.

      2. Assign the rights profile to users or system-wide.

        If you have many users that share a rights profile, such as remote users, setting this value in a rights profile can be a scalable solution.

        # usermod -P shared-profile username

        You can also assign the profile per system in the policy.conf file.

        # pfedit /etc/security/policy.conf
        ...
        #PROFS_GRANTED=Basic Solaris User
        PROFS_GRANTED=shared-profile,Basic Solaris User
Example 24  Removing Privileges From a User's Limit Set

In the following example, all sessions that originate from jdoe's initial login are prevented from using the sys_linkdir privilege. The user cannot make hard links to directories or unlink directories even after running the su command.

# usermod -K 'limitpriv=all,!sys_linkdir' jdoe
# userattr limitpriv jdoe
all,!sys_linkdir
Example 25  Removing a Basic Privilege From Yourself

In the following example, a regular user modifies .bash_profile to remove the proc_info basic privilege. The output of programs like ps and prstat contain only the user's own processes, which can highlight useful information.

##  .bash_profile
## Remove proc_info privilege from my shell
##
ppriv -s EI-proc_info $$

The ppriv line removes the proc_info privilege from the user's effective and inheritable privilege sets (EI-) in the current shell process ($$).

In the following prstat output, the totals shrink from 74 to three processes:

## With all basic privileges
Total: 74 processes, 527 lwps, load averages: 0.01, 0.00, 0.00

## With proc_info removed from the effective and inheritable set
Total: 3 processes, 3 lwps, load averages: 0.00, 0.00, 0.00
Example 26  Preventing Guests From Spawning Editor Subprocesses

In this example, the administrator prevents users from creating subshells from one or more editors by removing the proc_exec basic privilege from the editor command.

  1. The administrator creates a rights profile that removes proc_exec from the limit privilege set of the vim editor.

    # profiles -p -S ldap "Editor Restrictions"
    profiles:Editor Restrictions> set desc="Site Editor Restrictions"
    ... Restrictions> add cmd=/usr/bin/vim
    ... Restrictions:vim> set limitprivs=all,!proc_exec
    ... Restrictions:vim> end
    ... Restrictions> commit
    ... Restrictions> exit
  2. The administrator adds other popular editors to the rights profile.

    # profiles -p "Editor Restrictions"
    profiles:Editor Restrictions> add cmd=/usr/bin/gedit
    ... Restrictions:gedit> set limitprivs=all,!proc_exec
    ... Restrictions:gedit> end
    ... Restrictions> add cmd=/usr/bin/vim
    ... Restrictions:vim> set limitprivs=all,!proc_exec
    ... Restrictions:vim> end
    ... Restrictions> add cmd=/usr/xpg4/ed
    ... Restrictions:ed> set limitprivs=all,!proc_exec
    ... Restrictions:ed> end
    ... Restrictions> add cmd=/usr/xpg4/ex
    ... Restrictions:ex> set limitprivs=all,!proc_exec
    ... Restrictions:ex> end
    ... Restrictions> add cmd=/usr/xpg4/vi
    ... Restrictions:vi> set limitprivs=all,!proc_exec
    ... Restrictions:vi> end
    ... Restrictions> commit
    ... Restrictions> exit
  3. The administrator reviews the rights profile entries for errors such as typographical errors, omissions, or repetition.

    # profiles -p "Editor Restrictions" info
    Found profile in files repository.
    name=Editor Restrictions
    desc=Site Editor Restrictions
    cmd=/usr/bin/vim
    limitprivs=all,!proc_exec
    ...
  4. The administrator assigns the Editor Restrictions rights profile to the guest user.

    # usermod -K profiles+="Editor Restrictions" guest

    By using profiles+, the administrator adds this rights profile to the account's current rights profiles.

  5. To verify that the editor privileges are limited, the administrator opens the editor and in a separate window, examines the privileges on the editor process.

    # ppriv -S $(pgrep vim)
    2805:   vim .bash_profile
    flags = PRIV_PFEXEC User is running a profile shell
            E: basic,!proc_info proc_info is removed from basic set
            I: basic,!proc_info
            P: basic,!proc_info
            L: all,!proc_exec proc_exec is removed from limit set
Example 27  Assigning the Editor Restrictions Rights Profile to All Users

In this example, the administrator adds the Editor Restrictions rights profile to the policy.conf file. The administrator ensures that this file is distributed to all public systems where guests can log in.

# cd /etc/security; cp policy.conf policy.conf.orig
# pfedit /etc/security/policy.conf
...
AUTHS_GRANTED=
AUTH_PROFS_GRANTED=
#PROFS_GRANTED=Basic Solaris User
PROFS_GRANTED=Editor Restrictions,Basic Solaris User

The User Security administrator has assigned a profile shell to every user. For the reasons and the procedure, see Assigning Rights to Users.

See Also

For more information, see the privileges(7) man page.