man privileges - Lists the definitions and names of the privileges used by developers.
ppriv -vl - Lists the definitions and names of the privileges used by administrators.
ppriv -vl basic - Lists the names and definitions of the privileges in the basic privilege set.
ppriv $$ - Lists the privileges in the current shell ($$).
$ getent exec_attr | more
All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
...
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0
...

Example 6-12 Listing All Privileges and Their Definitions
The privilege format described in the privileges(5) man page is the one used by developers.
$ man privileges
Standards, Environments, and Macros                     privileges(5)

NAME
     privileges - process privilege model
...
     The defined privileges are:

     PRIV_CONTRACT_EVENT
         Allow a process to request reliable delivery of events to an
         event endpoint.
         Allow a process to include events in the critical event set
         term of a template which could be generated in volume by the
         user.
...

Example 6-13 Listing the Privileges Used in Privilege Assignments
The ppriv command lists all privileges by name. For the definitions, use the -v option.
This privilege format is the one used to assign privileges to users and roles with the useradd, roleadd, usermod, and rolemod commands, and to rights profiles with the profiles command.
$ ppriv -lv | more
contract_event
        Allows a process to request critical events without limitation.
        Allows a process to request reliable delivery of all events on
        any event queue.
...
win_upgrade_sl
        Allows a process to set the sensitivity label of a window
        resource to a sensitivity label that dominates the existing
        sensitivity label.
        This privilege is interpreted only if the system is configured
        with Trusted Extensions.

Example 6-14 Listing the Privileges in the Current Shell
By default, every user is assigned the basic privilege set. The default limit privilege set is all privileges.
The single letters in the output refer to the following privilege sets:
Effective privilege set (E)
Inheritable privilege set (I)
Permitted privilege set (P)
Limit privilege set (L)
$ ppriv $$
1200:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
$ ppriv -v $$
1200:   -bash
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
proc_info,proc_session,sys_ib_info
        I: file_link_any,file_read,...,sys_ib_info
        P: file_link_any,file_read,...,sys_ib_info
        L: contract_event,contract_identity,...,sys_time
The double dollar sign ($$) passes the process number of the parent shell to the command. This list does not include the privileges that are assigned to specific commands in the user's rights profiles.
Example 6-15 Listing the Basic Privileges and Their Definitions

$ ppriv -vl basic
file_link_any
        Allows a process to create hardlinks to files owned by a uid
        different from the process' effective uid.
file_read
        Allows a process to read objects in the filesystem.
file_write
        Allows a process to modify objects in the filesystem.
net_access
        Allows a process to open a TCP, UDP, SDP or SCTP network endpoint.
proc_exec
        Allows a process to call execve().
proc_fork
        Allows a process to call fork1()/forkall()/vfork()
proc_info
        Allows a process to examine the status of processes other
        than those it can send signals to.  Processes which
        cannot be examined cannot be seen in /proc and appear
        not to exist.
proc_session
        Allows a process to send signals or trace processes outside its
        session.
sys_ib_info
        Allows a process to perform read InfiniBand MAD (Management
        Datagram) operations.

Example 6-16 Listing the Commands With Security Attributes in a Rights Profile
The Basic Solaris User rights profile includes commands that allow a user to read from and write to CD-ROMs.
$ profiles -l
Basic Solaris User
...
        /usr/bin/cdrecord.bin    privs=file_dac_read,sys_devices,
                                       proc_lock_memory,proc_priocntl,net_privaddr
        /usr/bin/readcd.bin      privs=file_dac_read,sys_devices,net_privaddr
        /usr/bin/cdda2wav.bin    privs=file_dac_read,sys_devices,
                                       proc_priocntl,net_privaddr
All
        *
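As an added example that is not part of this guide or of Solaris itself, the following POSIX shell script parses entries in the exec_attr(4) format that getent exec_attr prints (Examples 6-11 and 6-16 above) and reports every command entry that carries a privs= list or runs as uid 0, which is what an administrator reviews to see which rights profiles extend a user beyond the basic set. The sample entries are constructed for this example, and the function names elevated_entries and profile_grants are this example's own, not Solaris commands.

```shell
#!/bin/sh
# Constructed sample in exec_attr(4) format (profile:policy:type:res1:res2:id:attr);
# these entries are made up for this example and are not taken from a real system.
SAMPLE_EXEC_ATTR='All:solaris:cmd:::*:
Audit Configuration:solaris:cmd:::/usr/sbin/auditconfig:privs=sys_audit
Zone Security:solaris:cmd:::/usr/sbin/txzonemgr:uid=0
Zone Security:solaris:cmd:::/usr/sbin/zonecfg:uid=0
Basic Solaris User:solaris:cmd:::/usr/bin/readcd.bin:privs=file_dac_read,sys_devices,net_privaddr
Basic Solaris User:solaris:cmd:::/usr/bin/cdrecord.bin:privs=file_dac_read,sys_devices;uid=0'

# Print "profile<TAB>command<TAB>attribute" for every exec_attr entry on stdin
# that expands what the basic set allows: a privs= list, or uid=0 / euid=0.
elevated_entries() {
    awk -F: '
        # skip comments, malformed lines and the catch-all wildcard entry
        /^#/ || NF < 7 || $6 == "*" { next }
        {
            n = split($7, attrs, ";")          # attributes are separated by ";"
            for (i = 1; i <= n; i++) {
                a = attrs[i]
                if (a ~ /^privs=/ || a == "uid=0" || a == "euid=0")
                    printf "%s\t%s\t%s\n", $1, $6, a
            }
        }'
}

# Count the commands in profile $1 whose privs= list contains privilege $2
# (exec_attr entries on stdin).
profile_grants() {
    elevated_entries | awk -F'\t' -v p="$1" -v priv="$2" '
        $1 == p && $3 ~ /^privs=/ {
            split(substr($3, 7), list, ",")    # drop "privs=" and split the list
            for (i in list) if (list[i] == priv) { c++; break }
        }
        END { print c + 0 }'
}

# Report the elevated entries of the constructed sample.
printf '%s\n' "$SAMPLE_EXEC_ATTR" | elevated_entries
```

On a live system the same functions read real entries with getent exec_attr | elevated_entries.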