Oracle® Solaris 11.3 Security and Hardening Guidelines

Updated: March 2018
 
 

How to Remove Unneeded Basic Privileges From Users

Under particular circumstances, some basic privileges can be removed from a regular or guest user's basic set. For example, Sun Ray users might be prevented from examining the status of processes that they do not own.

Before You Begin

You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.

  1. List a full definition of the basic privilege set.

    The following three basic privileges are likely candidates for removal.

    % ppriv -lv basic
    file_link_any
    	Allows a process to create hardlinks to files owned by a uid
    	different from the process' effective uid.
    ...
    proc_info
    	Allows a process to examine the status of processes other
    	than those it can send signals to.  Processes which cannot
    	be examined cannot be seen in /proc and appear not to exist.
    proc_session
    	Allows a process to send signals or trace processes outside its
    	session.
    ...
  2. Choose the scope of the privilege removal.
    • Remove privileges system-wide.

      Any user who attempts to use the system is denied these privileges. This method of privilege removal might be appropriate for a publicly available computer.

      # pfedit /etc/security/policy.conf
      ...
      #PRIV_DEFAULT=basic
      PRIV_DEFAULT=basic,!file_link_any,!proc_info,!proc_session
    • Remove privileges from individual users.
      • Prevent a user from linking to a file that the user does not own.
        # usermod -K 'defaultpriv=basic,!file_link_any' user
      • Prevent a user from examining processes that the user does not own.
        # usermod -K 'defaultpriv=basic,!proc_info' user
      • Prevent a user from starting a second session, such as starting an ssh session from the user's current session.
        # usermod -K 'defaultpriv=basic,!proc_session' user
      • Remove all three privileges from a user's basic set.
        # usermod -K 'defaultpriv=basic,!file_link_any,!proc_info,!proc_session' user
    • Create and assign a rights profile.

      This protection applies to any user or system where you assign this rights profile.

      1. Create the rights profile.
        # profiles -p shared-profile -S ldap
        shared-profile: set defaultpriv=basic,!file_link_any,!proc_info,!proc_session
        ...

        For more information on creating rights profiles, see Creating Rights Profiles and Authorizations in Securing Users and Processes in Oracle Solaris 11.3.

      2. Assign the rights profile to users or system-wide.

        If you have many users that share a rights profile, such as Sun Ray or remote users, setting this value in a rights profile can be a scalable solution.

        # usermod -P shared-profile username

        You can also assign the profile per system in the policy.conf file.

        # pfedit /etc/security/policy.conf
        ...
        #PROFS_GRANTED=Basic Solaris User
        PROFS_GRANTED=shared-profile,Basic Solaris User
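
The following added example (not part of the Oracle documentation) audits a policy.conf-format file for the system-wide PRIV_DEFAULT setting shown in Step 2 and reports which of the three candidate privileges are still granted. The function names and the sample file content are constructed, and auditing the last uncommented PRIV_DEFAULT line when the key is repeated is an assumption.

```shell
#!/bin/sh
# Added example: audit a policy.conf-format file for the PRIV_DEFAULT
# hardening from Step 2. Function names and sample text are constructed.

CANDIDATES="file_link_any proc_info proc_session"

# Print the value of the last uncommented PRIV_DEFAULT= line.
# Assumption: when the key is repeated, the last setting is the one to audit.
# Commented lines such as "#PRIV_DEFAULT=basic" are ignored.
active_priv_default() {
    sed -n -e 's/[[:space:]]*$//' \
           -e 's/^[[:space:]]*PRIV_DEFAULT=//p' "$1" | tail -n 1
}

# Print each candidate privilege that the active setting does NOT remove.
# Exit status 0: all three are removed. Exit status 1: at least one remains.
# A file with no active PRIV_DEFAULT line is treated as the unmodified basic set.
privs_still_granted() {
    value=$(active_priv_default "$1")
    remaining=""
    for priv in $CANDIDATES; do
        case ",$value," in
            *",!$priv,"*) ;;                     # explicitly negated
            *) remaining="$remaining $priv" ;;   # still in the basic set
        esac
    done
    remaining=${remaining# }
    printf '%s\n' "$remaining"
    [ -z "$remaining" ]
}

# Constructed sample: proc_session was left out of the negation list.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PRIV_DEFAULT=basic
PRIV_DEFAULT=basic,!file_link_any,!proc_info
EOF

if privs_still_granted "$sample" >/dev/null; then
    echo "PRIV_DEFAULT removes all three candidate privileges"
else
    echo "still granted system-wide: $(privs_still_granted "$sample" || true)"
fi
rm -f "$sample"
```

To check a live system, pass /etc/security/policy.conf as the argument. Per-user `defaultpriv` settings and rights profiles are not covered by this check.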

See Also

For more information, see Chapter 1, About Using Rights to Control Users and Processes in Securing Users and Processes in Oracle Solaris 11.3 and the privileges(5) man page.