Go to main content

Trusted Extensions Configuration and Administration

Exit Print View

Updated: March 2019
 
 

How to Restrict a User's Set of Privileges

Site security might require that users be permitted fewer privileges than users are assigned by default. For example, at a site that uses Trusted Extensions on remote systems, you might want to prevent users from viewing other users' processes on the central server.

Before You Begin

You must be in the Security Administrator role in the global zone.

  • Remove one or more of the privileges in the basic set.

    Caution

    Caution  - Do not remove the proc_fork or the proc_exec privilege. Without these privileges, a user cannot use the system.


    # usermod -K defaultpriv=basic,!proc_info,!proc_session,!file_link_any

    By removing the proc_info privilege, you prevent the user from examining any processes that do not originate from the user. By removing the proc_session privilege, you prevent the user from examining any processes outside the user's current session. By removing the file_link_any privilege, you prevent the user from making hard links to files that are not owned by the user.

See Also

For an example of collecting the privilege restrictions in a rights profile, see the examples following How to Create a Rights Profile in Securing Users and Processes in Oracle Solaris 11.4.

To restrict the privileges of all users on a system, see Example 13, Modifying Every User's Basic Privilege Set.