man privileges - Lists the definitions and names of the privileges used by developers
ppriv -vl - Lists the definitions and names of the privileges used by administrators
ppriv -vl basic - Lists the names and definitions of the privileges in the basic privilege set
ppriv $$ - Lists the privileges in the current shell ($$)
$ getent exec_attr | more
All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
...
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0
...
Example 6-12 Listing All Privileges and Their Definitions
The privilege format described in the privileges(5) man page is the one used by developers.
$ man privileges
Standards, Environments, and Macros privileges(5)
NAME
privileges - process privilege model
...
The defined privileges are:
PRIV_CONTRACT_EVENT
Allow a process to request reliable delivery of events
to an event endpoint.
Allow a process to include events in the critical event
set term of a template which could be generated in
volume by the user.
...
Example 6-13 Listing the Privileges Used in Privilege Assignment
The ppriv command lists all privileges by name. For their definitions, use the -v option.
This privilege format is used when assigning privileges to users and roles with the useradd, roleadd, usermod, and rolemod commands, and when assigning privileges to rights profiles with the profiles command.
$ ppriv -lv | more
contract_event
Allows a process to request critical events without limitation.
Allows a process to request reliable delivery of all events on
any event queue.
...
win_upgrade_sl
Allows a process to set the sensitivity label of a window
resource to a sensitivity label that dominates the existing
sensitivity label.
This privilege is interpreted only if the system is configured
with Trusted Extensions.
Example 6-14 Listing the Privileges in the Current Shell
By default, every user is assigned the basic privilege set. The default limit privilege set is all privileges.
The single letters in the output refer to the following privilege sets:
E: Effective privilege set
I: Inheritable privilege set
P: Permitted privilege set
L: Limit privilege set
$ ppriv $$
1200: -bash
flags = <none>
E: basic
I: basic
P: basic
L: all
$ ppriv -v $$
1200: -bash
flags = <none>
E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
proc_info,proc_session,sys_ib_info
I: file_link_any,file_read,...,sys_ib_info
P: file_link_any,file_read,...,sys_ib_info
L: contract_event,contract_identity,...,sys_time
The double dollar sign ($$) passes the process number of the parent shell to the command. This list does not include the privileges that are assigned to commands in the user's assigned rights profiles.
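To turn the set letters above into a check an administrator can run, here is an added example that is not part of the Oracle Solaris documentation: a POSIX sh function, extra_privs, that reads the output of ppriv -v and prints the privileges in a chosen set (E, I, P or L) that are not in the basic set listed in Example 6-15. The sample output is constructed for illustration; the process id 4242, the path /usr/lib/demo-daemon and the extra privileges net_privaddr and sys_mount are assumptions, as is the function name.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: report privileges in a
# process's E/I/P/L set that lie outside the basic set, using `ppriv -v` output.

# Basic privilege set as printed by `ppriv -vl basic` (Example 6-15).
BASIC="file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session sys_ib_info"

# Constructed sample in the format of `ppriv -v <pid>`. The pid, the command
# path and the extra privileges net_privaddr and sys_mount are assumed.
SAMPLE='4242:   /usr/lib/demo-daemon
flags = <none>
        E: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,
        proc_fork,proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
        proc_info,proc_session,sys_ib_info
        P: file_link_any,file_read,file_write,net_access,net_privaddr,proc_exec,
        proc_fork,proc_info,proc_session,sys_ib_info,sys_mount
        L: all'

# extra_privs SET < ppriv_output
# Prints, one per line, the privileges in set SET that are not in BASIC.
# ppriv wraps long sets onto continuation lines; a line that does not start
# with a set letter and a colon is joined to the set that precedes it.
extra_privs() {
    awk -v set="$1" -v basic="$BASIC" '
    BEGIN {
        n = split(basic, b, " ")
        for (i = 1; i <= n; i++) inbasic[b[i]] = 1
        cur = ""
    }
    # Start of a new set: remember its letter, strip the "X: " prefix.
    /^[ \t]*[EIPL]:/ { cur = substr($1, 1, 1); sub(/^[ \t]*[EIPL]:[ \t]*/, "") }
    # Header lines (pid/command and flags) belong to no set.
    /^[ \t]*flags/ || /^[0-9]+:/ { cur = ""; next }
    cur == set {
        gsub(/[ \t]/, "")
        m = split($0, p, ",")
        for (i = 1; i <= m; i++)
            if (p[i] != "" && !(p[i] in inbasic)) print p[i]
    }'
}

# Usage with the constructed sample; on a live system replace the printf with
# `ppriv -v "$pid"`. Prints net_privaddr for E, and net_privaddr and sys_mount for P.
printf '%s\n' "$SAMPLE" | extra_privs E
printf '%s\n' "$SAMPLE" | extra_privs P
```

Because the inheritable set (I) of the sample is still basic, children of the process fall back to default privileges; the check on E and P is what tells you the running process itself holds more than the default.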
Example 6-15 Listing the Basic Privileges and Their Definitions
$ ppriv -vl basic
file_link_any
Allows a process to create hardlinks to files owned by a uid
different from the process' effective uid.
file_read
Allows a process to read objects in the filesystem.
file_write
Allows a process to modify objects in the filesystem.
net_access
Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
proc_exec
Allows a process to call execve().
proc_fork
Allows a process to call fork1()/forkall()/vfork()
proc_info
Allows a process to examine the status of processes other than
those it can send signals to. Processes which cannot be examined
cannot be seen in /proc and appear not to exist.
proc_session
Allows a process to send signals or trace processes outside its
session.
sys_ib_info
Allows a process to perform read InfiniBand MAD (Management
Datagram) operations.
Example 6-16 Listing Commands With Security Attributes in a Rights Profile
The Basic Solaris User rights profile includes commands that enable users to read and write CD-ROMs.
$ profiles -l
Basic Solaris User
...
/usr/bin/cdrecord.bin privs=file_dac_read,sys_devices,
proc_lock_memory,proc_priocntl,net_privaddr
/usr/bin/readcd.bin privs=file_dac_read,sys_devices,net_privaddr
/usr/bin/cdda2wav.bin privs=file_dac_read,sys_devices,
proc_priocntl,net_privaddr
All
*
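As an added example that is not part of this documentation, the following POSIX sh functions parse exec_attr(4) entries in the form shown by getent exec_attr above (name:policy:type:res1:res2:id:attr) and report which commands in which rights profile run with uid=0 or with extra privileges, which is the inventory an administrator wants before trusting a profile such as Basic Solaris User. The sample combines entries from this page with the Basic Solaris User commands of Example 6-16 rewritten in exec_attr form as an assumption; the function names elevated_cmds and cmds_with_priv are my own.

```shell
#!/bin/sh
# Added example, not from the Solaris documentation: audit exec_attr entries
# for commands that are granted uid=0 or additional privileges.

# Constructed sample in exec_attr(4) format: name:policy:type:res1:res2:id:attr.
# The Basic Solaris User lines are assumed to mirror `profiles -l` from Example 6-16.
EXEC_ATTR='All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
Basic Solaris User:solaris:cmd:::/usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices,proc_lock_memory,proc_priocntl,net_privaddr
Basic Solaris User:solaris:cmd:::/usr/bin/readcd.bin:privs=file_dac_read,sys_devices,net_privaddr
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0'

# elevated_cmds < exec_attr_lines
# Prints "profile<TAB>command<TAB>attribute" for every entry whose attribute
# field grants uid=0, euid=0 or a privs= list. The attr field holds
# semicolon-separated key=value pairs.
elevated_cmds() {
    awk -F: '
    NF < 7 || $6 == "*" { next }           # skip malformed lines and the wildcard entry
    {
        n = split($7, a, ";")
        for (i = 1; i <= n; i++)
            if (a[i] ~ /^(uid|euid)=0$/ || a[i] ~ /^privs=/)
                printf "%s\t%s\t%s\n", $1, $6, a[i]
    }'
}

# cmds_with_priv PRIV < exec_attr_lines
# Prints the commands whose privs= list names PRIV, for questions such as
# "which commands can bind privileged ports (net_privaddr)?".
cmds_with_priv() {
    awk -F: -v want="$1" '
    NF >= 7 && $7 ~ /(^|;)privs=/ {
        n = split($7, a, ";")
        for (i = 1; i <= n; i++)
            if (sub(/^privs=/, "", a[i])) {
                m = split(a[i], p, ",")
                for (j = 1; j <= m; j++)
                    if (p[j] == want) print $6
            }
    }'
}

# Usage with the constructed sample; on a live system use `getent exec_attr`
# as the input instead of printf.
printf '%s\n' "$EXEC_ATTR" | elevated_cmds
printf '%s\n' "$EXEC_ATTR" | cmds_with_priv net_privaddr
```

The wildcard entry for the All profile is skipped deliberately: it lists no privileges of its own, so it contributes nothing to the inventory even though it matches every command.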