Under particular circumstances, some basic privileges can be removed from a regular or guest user's basic set. For example, Sun Ray users might be prevented from examining the status of processes that they do not own.
Before You Begin
You must assume the root role. For more information, see Using Your Assigned Administrative Rights in Securing Users and Processes in Oracle Solaris 11.3.
The following three basic privileges are likely candidates for removal.
% ppriv -lv basic
file_link_any
        Allows a process to create hardlinks to files owned by a uid
        different from the process' effective uid.
...
proc_info
        Allows a process to examine the status of processes other
        than those it can send signals to. Processes which cannot
        be examined cannot be seen in /proc and appear not to exist.
proc_session
        Allows a process to send signals or trace processes outside its
        session.
...
Any user who attempts to use the system is denied these privileges when they are removed from the system-wide default in the policy.conf file. This method of privilege removal might be appropriate for a publicly available computer.
# pfedit /etc/security/policy.conf
...
#PRIV_DEFAULT=basic
PRIV_DEFAULT=basic,!file_link_any,!proc_info,!proc_session
# usermod -K 'defaultpriv=basic,!file_link_any' user
# usermod -K 'defaultpriv=basic,!proc_info' user
# usermod -K 'defaultpriv=basic,!proc_session' user
# usermod -K 'defaultpriv=basic,!file_link_any,!proc_info,!proc_session' user
This protection applies to any user or system where you assign this rights profile.
# profiles -p shared-profile -S ldap
shared-profile: set defaultpriv=basic,!file_link_any,!proc_info,!proc_session
...
For more information on creating rights profiles, see Creating Rights Profiles and Authorizations in Securing Users and Processes in Oracle Solaris 11.3.
If you have many users that share a rights profile, such as Sun Ray or remote users, setting this value in a rights profile can be a scalable solution.
# usermod -P shared-profile username
You can also assign the profile per system in the policy.conf file.
# pfedit /etc/security/policy.conf
...
#PROFS_GRANTED=Basic Solaris User
PROFS_GRANTED=shared-profile,Basic Solaris User
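The following script is an added example, not part of the original procedure or Oracle's tooling. It checks that a privilege specification (the PRIV_DEFAULT entry in policy.conf, or a defaultpriv value given to usermod or profiles) really removes all three candidate privileges. The function names, the whole-token matching, and the sample file are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit privilege specs for the three removals discussed above.
CANDIDATES="file_link_any proc_info proc_session"

# Print the value of the uncommented PRIV_DEFAULT entry in file $1.
# Script assumption: if several entries are present, the last one is reported.
policy_priv_default() {
    sed -n 's/^[[:space:]]*PRIV_DEFAULT=//p' "$1" | tail -n 1
}

# Print the candidate privileges that spec $1 does NOT remove.
# A privilege counts as removed only when "!name" is a whole comma-separated
# token, so a typo such as "!proc_information" is reported as not removed.
not_removed() {
    spec=$(printf '%s' "$1" | tr -d '[:space:]')
    out=""
    for p in $CANDIDATES; do
        case ",$spec," in
            *",!$p,"*) ;;
            *) out="$out${out:+ }$p" ;;
        esac
    done
    printf '%s\n' "$out"
}

# Audit one policy.conf-style file; returns 0 only if all three are removed.
audit_policy() {
    spec=$(policy_priv_default "$1")
    if [ -z "$spec" ]; then
        echo "$1: PRIV_DEFAULT is commented out or absent"
        return 1
    fi
    left=$(not_removed "$spec")
    if [ -n "$left" ]; then
        echo "$1: still in the default set: $left"
        return 1
    fi
    echo "$1: file_link_any, proc_info and proc_session are removed"
}

# Constructed sample that mirrors the policy.conf edit shown in the procedure.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PRIV_DEFAULT=basic
PRIV_DEFAULT=basic,!file_link_any,!proc_info,!proc_session
EOF
audit_policy "$sample"
rm -f "$sample"
```

On a live system, pass /etc/security/policy.conf to audit_policy, or pass a user's or profile's defaultpriv string to not_removed.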
See Also
For more information, see Chapter 1, About Using Rights to Control Users and Processes in Securing Users and Processes in Oracle Solaris 11.3 and the privileges(5) man page.