NAME
privileges — description of HP-UX privileges

DESCRIPTION
The UNIX® operating system has traditionally used an "all or nothing" privilege model, where root users (those with effective UID 0, such as the user named root) have virtually unlimited power, and other users have few or no special privileges. System administrators often need to delegate limited powers to other users. HP-UX provides several ways to do this.

Because these mechanisms permit users other than root users to perform certain privileged operations, HP-UX documentation often uses terms such as "privileged user" or "user who has appropriate privileges" instead of "root user" when describing who is permitted to perform an operation. In the absence of a more specific description of the privileges necessary to perform an operation (typically available in the man page for that operation), you can generally assume that root users are suitably privileged.

Legacy Delegation Methods
HP-UX has used several methods of delegating limited powers, including restricted sam, the privilege groups described in privgrp(5), the shutdown.allow file described in shutdown(1M), and the cron.allow file described in crontab(1).

Fine-Grained Privileges
The HP-UX fine-grained privilege model splits the powers of root users into a set of privileges. Each privilege grants a process that possesses that privilege the right to a certain set of restricted services provided by the kernel. Privileges can be managed internally by a process with "privilege bracketing". Privilege bracketing is the practice of enabling, or "raising", a privilege only while the privilege is needed, then disabling, or "lowering", the privilege. The privileges that a process has raised determine which sensitive system call services the process can invoke.

Legacy Privileges
Legacy privileges are those privileges originally defined in privgrp(5). All of the privileges from that set except PRIV_SETRUGID have been incorporated into fine-grained privileges:

PRIV_CHOWN PRIV_FSSTHREAD PRIV_LOCKRDONLY PRIV_MLOCK
PRIV_MPCTL PRIV_PSET PRIV_RTPRIO PRIV_RTSCHED
PRIV_SERIALIZE PRIV_SPUCTL

Basic Privileges
Basic privileges are granted by default to all processes. The basic privileges are the following:

PRIV_EXEC PRIV_FORK PRIV_LINKANY PRIV_SESSION

Root Replacement Privileges
Root replacement privileges are the privileges that provide the powers associated with a process that has an effective user ID of zero. The root replacement privileges are the following:

PRIV_ACCOUNTING PRIV_AUDCONTROL PRIV_CHOWN PRIV_CHROOT
PRIV_CHSUBJIDENT PRIV_DACREAD PRIV_DACWRITE PRIV_DEVOPS
PRIV_DLKM PRIV_FSINTEGRITY PRIV_FSS PRIV_FSSTHREAD
PRIV_LIMIT PRIV_LOCKRDONLY PRIV_MKNOD PRIV_MLOCK
PRIV_MOUNT PRIV_MPCTL PRIV_NETADMIN PRIV_NETPRIVPORT
PRIV_NETPROMISCUOUS PRIV_NETRAWACCESS PRIV_OBJSUID PRIV_OWNER
PRIV_PSET PRIV_REBOOT PRIV_RTPRIO PRIV_RTSCHED
PRIV_RTPSET PRIV_SELFAUDIT PRIV_SERIALIZE PRIV_SPUCTL
PRIV_SYSATTR PRIV_SYSNFS

These privileges are granted by default to any process with an effective user ID of zero.

Policy Override Privileges
Policy override privileges override compartment rules. There are four policy override privileges: PRIV_CHANGECMPT, PRIV_CMPTREAD, PRIV_CMPTWRITE, and PRIV_COMMALLOWED. These privileges are not granted by default to processes with an effective user ID of zero. They apply only to the compartments feature (see compartments(5) and cmpt_tune(1M) to determine if this feature is enabled). These privileges comprise part of the set of privileges in the compound privilege POLICY.

Policy Configuration Privileges
Policy configuration privileges control how privileges are configured. There are two such privileges, PRIV_CHANGEFILEXSEC and PRIV_RULESCONFIG. These privileges are not granted by default to processes with an effective user ID of zero. These privileges comprise part of the set of privileges in the compound privilege POLICY.

Process Attribute Privileges
Process attribute privileges are privileges only in the sense that they are manipulated like other privileges. PRIV_TRIALMODE is the only member of this set. This privilege is not granted by default to processes with an effective user ID of zero.

Compound Privileges
Compound privileges are a shorthand way of specifying a predefined set of simple privileges. These compound privileges are subject to redefinition in future releases to allow for the creation of new privileges. The compound privileges are defined as follows:

- BASIC
  Refers to the Basic Privileges.
- BASICROOT
  Refers to the union of Basic Privileges and Root Replacement Privileges.
- POLICY
  Refers to the Policy Override Privileges and the Policy Configuration Privileges.
Privilege Descriptions
The following list specifies privilege names and their primary purpose.

- PRIV_ACCOUNTING (ACCOUNTING)
  Allows a process to control the process accounting system (see acct(2)).
- PRIV_AUDCONTROL (AUDCONTROL)
  Allows a process to start, modify, and stop the auditing system.
- PRIV_CHANGECMPT (CHANGECMPT)
  Grants a process the ability to change its compartment. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
- PRIV_CHANGEFILEXSEC (CHANGEFILEXSEC)
  Allows a process to grant privileges to binaries.
- PRIV_CHOWN (CHOWN)
  Allows access to the chown() system calls (see chown(2)).
- PRIV_CHROOT (CHROOT)
  Allows a process to change its root directory.
- PRIV_CHSUBJIDENT (CHSUBJIDENT)
  Allows a process to change its UIDs, GIDs, and group lists. Also allows a process to chown a file and leave the suid or sgid bits set on the file, if present.
- PRIV_CMPTREAD (CMPTREAD)
  Allows a process to open a file or directory for reading, executing (in the case of a file), or searching (in the case of a directory), bypassing compartment rules that would otherwise not permit the operation. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
- PRIV_CMPTWRITE (CMPTWRITE)
  Allows a process to write into a file or directory, bypassing compartment rules that would otherwise not permit the operation. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
- PRIV_COMMALLOWED (COMMALLOWED)
  Allows a process to override compartment rules in the IPC and networking subsystems. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
- PRIV_DACREAD (DACREAD)
  Allows the process to override all discretionary read, execute, and search access restrictions. See Discretionary Restrictions for more information.
- PRIV_DACWRITE (DACWRITE)
  Allows the process to override all discretionary write access restrictions. See Discretionary Restrictions for more information.
- PRIV_DEVOPS (DEVOPS)
  Allows the process to do device-specific administrative operations, such as tape or disk formatting.
- PRIV_DLKM (DLKM)
  Allows a process to load a kernel module (see modload(2)), get information about a loaded kernel module (see modstat(2)), and change the global search path for dynamically loadable kernel modules (see modpath(2)).
- PRIV_EXEC (EXEC)
  Allows a process to call the exec() family of calls (see exec(2)).
- PRIV_FORK (FORK)
  Allows a process to create additional processes (using fork() and vfork()).
- PRIV_FSINTEGRITY (FSINTEGRITY)
  Allows a process to perform disk operations such as removing or modifying the size or boundaries of disk partitions, or to import and export an LVM volume group across the system.
- PRIV_FSSTHREAD (FSSTHREAD)
  Reserved.
- PRIV_FSS (FSS)
  Reserved.
- PRIV_LIMIT (LIMIT)
  Allows a process to set resource and priority limits beyond the maximum limit values (see setrlimit(2) or nice(2)).
- PRIV_LINKANY (LINKANY)
  Reserved.
- PRIV_LOCKRDONLY (LOCKRDONLY)
  Permits the use of the lockf() system call for setting locks on files open for reading only (see lockf(2)).
- PRIV_MKNOD (MKNOD)
  Allows a process to create character or block special files using the mknod() system call (see mknod(2)).
- PRIV_MLOCK (MLOCK)
  Allows access to the plock() system call (see plock(2)).
- PRIV_MOUNT (MOUNT)
  Allows a process to mount and unmount a file system using the mount() and umount() system calls. See mount(2) and umount(2).
- PRIV_MPCTL (MPCTL)
  Permits the use of the mpctl() system call for changing the processor binding, locality domain binding, or launch policy of a process (see mpctl(2)).
- PRIV_NETADMIN (NETADMIN)
  Allows a process to perform network administrative operations, including configuring the network routing tables and querying interface information.
- PRIV_NETPRIVPORT (NETPRIVPORT)
  Allows a process to bind to a privileged port. By default, port numbers 0-1023 are privileged ports.
- PRIV_NETPROMISCUOUS (NETPROMISCUOUS)
  Enables a process to configure an interface to listen in promiscuous mode.
- PRIV_NETRAWACCESS (NETRAWACCESS)
  Allows a process to access the raw internet network protocols.
- PRIV_OBJSUID (OBJSUID)
  Allows a process to set the suid or sgid bits on any file if it also has the OWNER privilege. Additionally, allows a process to change the ownership of a file without clearing the suid or sgid bits, provided that the process is allowed to change the ownership of the file.
- PRIV_OWNER (OWNER)
  Allows a process to override all restrictions with respect to the UID matching the owner of the file or resource. See Discretionary Restrictions for more information.
- PRIV_PSET (PSET)
  Allows changes to the system pset configuration (see pset_create(2)).
- PRIV_REBOOT (REBOOT)
  Allows a process to perform reboot operations.
- PRIV_RTPRIO (RTPRIO)
  Allows access to the rtprio() system call (see rtprio(2)).
- PRIV_RTPSET (RTPSET)
  Allows a process to control RTE psets (see __pset_rtctl(2)).
- PRIV_RTSCHED (RTSCHED)
  Allows access to the sched_setparam() and sched_setscheduler() system calls to set POSIX.4 real-time priorities (see rtsched(2)).
- PRIV_RULESCONFIG (RULESCONFIG)
  Allows a process to add and modify compartment rules on the system. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
- PRIV_SELFAUDIT (SELFAUDIT)
  Allows a process to generate auditing records for itself using the audwrite() system call (see audwrite(2)).
- PRIV_SERIALIZE (SERIALIZE)
  Permits the use of serialize() for forcing the target process to run serially with other processes that are also marked by this system call (see serialize(2)).
- PRIV_SESSION (SESSION)
  Permits creation of a new session (see setsid(2) and setpgrp(2)).
- PRIV_SPUCTL (SPUCTL)
  Permits certain administrative operations in the Instant Capacity product for deactivation and reactivation of processors. See the Instant Capacity documentation for more information.
- PRIV_SYSATTR (SYSATTR)
  Enables a process to manage system attributes, including the setting of tunables, and modifying the host name, domain name, and user quotas.
- PRIV_SYSNFS (SYSNFS)
  Allows a process to perform NFS operations such as exporting a file system, the getfh() system call (see getfh(2)), NFS file locking, revoking NFS authentication, and creating an NFS kernel daemon thread.
- PRIV_TRIALMODE (TRIALMODE)
  Allows a process to log trial mode information to the syslog file. See Trial Mode below.
Programming with Privileges
When programming with privileges, the name associated with each privilege is the same as the name presented here with the string PRIV_ prefixed (that is, use the symbolic constant PRIV_ACCOUNTING in the source code). In commands associated with privileges, the names are used without the PRIV_ prefix, although most commands may also recognize the names with the prefix.

The compound privileges BASIC, BASICROOT, and POLICY are designed to ease development of applications that retain their functionality even though the underlying privileges change. An application that requires compatibility--even when the underlying set of privileges changes--ought to ensure that it does not accidentally drop a new privilege that was added since it was developed. For example, this can be done by dropping specific privileges from the effective set using priv_remove() (see priv_remove(3)) or by ensuring that the compound privileges are used as the argument to priv_set_effective() (see priv_set_effective(3)).

Associating Privileges with Binaries
Applications that depend on the use of privileges must be registered using the setfilexsec command (see setfilexsec(1M)). For an alternate method of granting privileges, see privrun(1M).

Depending on what kind of restricted tasks an application performs, the application can raise the corresponding privilege needed before doing the task and then lower the privilege after completing the task. This practice is called privilege bracketing. It is recommended that a process run with the smallest possible privilege set at any given time.

Associating Privileges with Processes
Each process has three privilege sets associated with it. These sets are as follows:

- Permitted Privilege Set
  The maximum set of privileges that a process can raise. The process can remove any privilege from this set, but cannot add a privilege to this set. The privileges from this set can be added to the effective privilege set of the process. This set is also often referred to as the Potential Privilege Set.
- Effective Privilege Set
  The set of privileges that are currently active for the process. A process can modify this set to keep only the necessary privileges in this set at any given time. Any privilege in this set can be removed, but only privileges in the process' permitted privilege set can be added. A process' Effective Privilege Set is always a subset of its Permitted Privilege Set.
- Retained Privilege Set
  The set of privileges retained when a process calls execve() (see execve(2)). The process can remove any privilege from this set, but cannot add any privilege to this set. A process' Retained Privilege Set is always a subset of the Permitted Privilege Set.

These sets can be managed using the library functions priv_add_effective(), priv_remove(), and priv_get(). (See priv_add_effective(3), priv_remove(3), and priv_get(3).)

Discretionary Restrictions
Discretionary restrictions are the restrictions imposed by the traditional file mode access permissions. Thus, the privileges PRIV_DACREAD and PRIV_DACWRITE allow read, search, execute, and write operations to proceed even if the file mode permissions forbid it. The PRIV_OWNER privilege allows a process that is not the owner of a file or directory to remove the file or directory whose parent directory has the sticky bit set. The PRIV_OWNER privilege also allows a process that is not the owner of a System V IPC message queue, semaphore set, or shared memory segment to remove, change ownership of, or change permission bits for that object.

Trial Mode
This is a facility provided by the system to aid in reporting the list of privileges that a process has used during its lifetime. A developer can use this feature to verify what privileges an application needs to operate. When a process with this privilege attempts to use any privilege (by making a system call that uses that privilege), an entry is logged to syslog; taken together, these entries list the privileges used.

Compatibility
A process with an effective user ID of zero is, by default, treated as possessing root replacement privileges. The compartmentalization feature may further restrict this interpretation of effective user ID such that the process is treated as though it has only a specified subset of root replacement privileges. For more details, see the description of "Process Limitation Rules" in compartments(4).

More formally, a process is said to observe a privilege if and only if one or more of the following conditions hold:

- The privilege is present in its effective privilege set, or
- The privilege is a root replacement privilege, the effective uid of the process is zero, and compartmentalization is not enabled, or
- The privilege is a root replacement privilege, the effective uid of the process is zero, compartmentalization is enabled, and the privilege is not a disallowed privilege in the process's compartment.
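The three privilege sets described under Associating Privileges with Processes, the privilege bracketing the page recommends, and the observation rule just listed, carried through in a constructed C model. This is an added example, not HP-UX code and not the priv_*(3) interfaces: the privilege names are a small subset taken from this page, the sets are bitmasks, and exec() is simplified to keep only the retained set (privileges granted to a binary with setfilexsec(1M) are not modelled).

```c
/* Constructed model of the three per-process privilege sets and the
 * "observes a privilege" rule from privileges(5). Added illustration only:
 * not the HP-UX priv_*(3) API. Subset of privileges held in a bitmask. */
#include <stdbool.h>
#include <stdint.h>

typedef uint32_t privset_t;

enum {
    PRIV_FORK        = 1u << 0,  /* basic */
    PRIV_EXEC        = 1u << 1,  /* basic */
    PRIV_DACREAD     = 1u << 2,  /* root replacement */
    PRIV_NETPRIVPORT = 1u << 3,  /* root replacement */
    PRIV_CMPTREAD    = 1u << 4   /* policy override: in POLICY, not BASICROOT */
};
#define BASIC     (PRIV_FORK | PRIV_EXEC)
#define ROOTREPL  (PRIV_DACREAD | PRIV_NETPRIVPORT)
#define BASICROOT (BASIC | ROOTREPL)

struct proc {
    unsigned  euid;
    privset_t permitted, effective, retained;
    bool      cmpt_enabled;     /* compartmentalization feature on? */
    privset_t cmpt_disallowed;  /* privileges disallowed in its compartment */
};

/* Raise: a privilege may enter the effective set only if it is permitted. */
static bool add_effective(struct proc *p, privset_t want)
{
    if (want & ~p->permitted) return false;
    p->effective |= want;
    return true;
}

/* Lower: effective always shrinks; dropping from permitted also drops from
 * effective and retained, so both stay subsets of permitted. */
static void remove_priv(struct proc *p, privset_t drop, bool from_permitted)
{
    p->effective &= ~drop;
    if (from_permitted) {
        p->permitted &= ~drop;
        p->retained  &= ~drop;
    }
}

/* Simplified exec(): only the retained set survives. Privileges a binary
 * was granted with setfilexsec(1M) are not modelled. */
static void do_exec(struct proc *p)
{
    p->permitted = p->effective = p->retained;
}

/* Compatibility rule: present in the effective set, or a root replacement
 * privilege with euid 0 and either compartments off or not disallowed. */
static bool observes(const struct proc *p, privset_t priv)
{
    if (p->effective & priv) return true;
    if (!(ROOTREPL & priv) || p->euid != 0) return false;
    return !p->cmpt_enabled || !(p->cmpt_disallowed & priv);
}

/* Privilege bracketing: raise PRIV_NETPRIVPORT only around the sensitive
 * step and lower it again afterwards, whether or not the step succeeded. */
static bool bind_privileged_port(struct proc *p)
{
    if (!add_effective(p, PRIV_NETPRIVPORT)) return false;
    bool ok = observes(p, PRIV_NETPRIVPORT);  /* stands in for bind() */
    remove_priv(p, PRIV_NETPRIVPORT, false);
    return ok;
}

/* Constructed sample: a non-root daemon whose binary was registered with
 * permitted BASICROOT, running with only the basic privileges raised. */
static struct proc sample_daemon(void)
{
    struct proc p = { 1001, BASICROOT, BASIC, BASIC, false, 0 };
    return p;
}
```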
SYSTEM PRIVILEGE REQUIREMENTS
This section provides tables that list the privileges that may be required where the corresponding man pages specify "appropriate privileges" to perform certain operations or to operate in certain conditions. For each system call, the table lists which privileges can potentially affect the system call's behavior. The subsections also cover other functions and areas of interest.

Several system calls are accessible by privileged and unprivileged applications. For example, the kill() system call (see kill(2)), when used by a process without the PRIV_OWNER privilege, can send a signal only to processes whose UIDs match the sending process' own UID.

Some general guidelines apply to working with hardware-related system calls. Many hardware devices need the PRIV_DEVOPS privilege in addition to any privileges needed by the specific system calls used.

Networking and streams may need the PRIV_NETADMIN, PRIV_NETRAWACCESS, and/or PRIV_NETPROMISCUOUS privileges in addition to other privileges, depending on what you are attempting to do. For example, the exportfs command requires the PRIV_SYSNFS privilege (see exportfs(1M)). The fdetach() and fattach() library calls require the PRIV_MOUNT privilege (possibly in addition to other privileges). (See fdetach(3) and fattach(3C).)
Privileges for the pstat System Call
The pstat() system call typically needs the PRIV_COMMALLOWED privilege when operating on processes outside the calling process's compartment (see pstat(2)). However, because this system call works in so many areas, some of the functions of this call may require other privileges. The following is a list of those functions and the privileges they require:

- pstat_getcommandline()
  PRIV_COMMALLOWED
- pstat_getfile()/pstat_getfile2()
  PRIV_COMMALLOWED
- pstat_getfiledetails()
  PRIV_COMMALLOWED, PRIV_OWNER
- pstat_getlwp()
  PRIV_COMMALLOWED
- pstat_getmsg()
  PRIV_COMMALLOWED
- pstat_getpmq()
  PRIV_COMMALLOWED
- pstat_getproc()
  PRIV_COMMALLOWED
- pstat_getpsem()
  PRIV_COMMALLOWED
- pstat_getsem()
  PRIV_COMMALLOWED
- pstat_pathname()
  PRIV_COMMALLOWED, PRIV_OWNER
- pstat_proc_locality()
  PRIV_COMMALLOWED
- pstat_proc_vm()
  PRIV_COMMALLOWED
- pstat_procwindow()
  PRIV_COMMALLOWED
- pstat_shminfo()
  PRIV_COMMALLOWED
- pstat_socket()
  PRIV_COMMALLOWED, PRIV_OWNER
- pstat_stream()
  PRIV_COMMALLOWED, PRIV_OWNER
Privileges for Security Containment
Some commands related to Security Containment make use of certain privileges that are not used in other contexts:

- setfilexsec
  PRIV_CHANGEFILEXSEC, PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
- setrules
  PRIV_RULESCONFIG

Additionally, some library calls related to Security Containment make use of security-specific privileges:

- cmpt_change()
  PRIV_CHANGECMPT
- cmpt_get()
  PRIV_COMMALLOWED
- cmpt_get_addrcid()
  PRIV_RULESCONFIG
- cmpt_get_ifcid()
  PRIV_RULESCONFIG
- priv_get()
  PRIV_COMMALLOWED
- privset_get()
  PRIV_COMMALLOWED
Privileges for System Calls
The following table lists system calls and the privileges they may need. Some of these are dependent on what system object they are acting on (for example, files in another compartment), the state of the system (for example, if the maximum number of open files has been reached), or other conditions.

- __pset_rtctl()
  PRIV_PSET, PRIV_RTPSET
- accept()
  PRIV_LIMIT
- access()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
- acct()
  PRIV_ACCOUNTING
- acl()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER
- adjtime()
  PRIV_SYSATTR
- audctl()
  PRIV_AUDCONTROL
- audswitch()
  PRIV_SELFAUDIT
- audtag()
  PRIV_SELFAUDIT
- audwrite()
  PRIV_SELFAUDIT
- bind()
  PRIV_NETPRIVPORT
- chdir()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
- chmod()
  PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER
- chown()
  PRIV_CHOWN, PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER
- chroot()
  PRIV_CHROOT, PRIV_CMPTREAD, PRIV_DACREAD
- clock_settime()
  PRIV_SYSATTR
- connect()
  PRIV_COMMALLOWED
- crashconf()
  PRIV_DEVOPS
- creat()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_OBJSUID, PRIV_OWNER
- dup()
  PRIV_LIMIT
- dup2()
  PRIV_LIMIT
- exec()
  PRIV_CMPTREAD, PRIV_DACREAD, PRIV_EXEC
- execve()
  PRIV_CMPTREAD, PRIV_DACREAD
- fchmod()
  PRIV_OBJSUID, PRIV_OWNER
- fchown()
  PRIV_CHOWN, PRIV_OWNER
- fork()
  PRIV_FORK, PRIV_LIMIT
- fpathconf()
  PRIV_CMPTREAD, PRIV_DACREAD
- fsetacl()
  PRIV_OWNER
- ftruncate()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OBJSUID, PRIV_OWNER
- getaccess()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
- getacl()
  PRIV_CMPTREAD, PRIV_DACREAD
- getaudid()
  PRIV_SELFAUDIT
- getaudproc()
  PRIV_SELFAUDIT
- getevent()
  PRIV_AUDCONTROL
- getfh()
  PRIV_SYSNFS
- getpgrp2()
  PRIV_COMMALLOWED
- getpriority()
  PRIV_COMMALLOWED
- getprivgrp()
  PRIV_SYSATTR
- getsid()
  PRIV_COMMALLOWED
- ioctl()
  PRIV_FSINTEGRITY, PRIV_SYSATTR, PRIV_DEVOPS, PRIV_NETADMIN, PRIV_NETPROMISCUOUS, PRIV_NETRAWACCESS, and more. Generally the privileges required for an ioctl depend on the driver and type of ioctl.
- kill()
  PRIV_COMMALLOWED, PRIV_OWNER, PRIV_REBOOT
- lchown()
  PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER
- link()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_FSINTEGRITY
- lockf()
  PRIV_LOCKRDONLY
- lstat()
  PRIV_CMPTREAD, PRIV_DACREAD
- mem_res_grp()
  PRIV_SYSATTR
- mkdir()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT
- mknod()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_MKNOD
- mlock()
  PRIV_MLOCK
- mlockall()
  PRIV_MLOCK
- mmap()
  PRIV_DEVOPS
- modload()
  PRIV_CMPTREAD, PRIV_DACREAD, PRIV_DLKM
- modpath()
  PRIV_DLKM
- modstat()
  PRIV_DLKM
- moduload()
  PRIV_DLKM
- mount()
  PRIV_CMPTREAD, PRIV_DACREAD, PRIV_MOUNT, PRIV_OWNER
- mpctl()
  PRIV_COMMALLOWED, PRIV_MPCTL
- mq_open()
  PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
- mq_unlink()
  PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
- msgctl()
  PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_OWNER
- msgget()
  PRIV_COMMALLOWED
- msgrcv()
  PRIV_COMMALLOWED, PRIV_DACREAD
- msgsnd()
  PRIV_COMMALLOWED, PRIV_DACWRITE
- munlock()
  PRIV_MLOCK
- munlockall()
  PRIV_MLOCK
- nice()
  PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER
- open()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT
- pipe()
  PRIV_LIMIT
- plock()
  PRIV_MLOCK
- pset_assign()
  PRIV_PSET, PRIV_RTPSET
- pset_bind()
  PRIV_PSET, PRIV_RTPSET
- pset_create()
  PRIV_PSET, PRIV_RTPSET
- pset_ctl()
  PRIV_PSET, PRIV_RTPSET
- pset_destroy()
  PRIV_PSET, PRIV_RTPSET
- pset_getattr()
  PRIV_PSET, PRIV_RTPSET
- pset_setattr()
  PRIV_PSET, PRIV_RTPSET
- pstat()
  PRIV_COMMALLOWED, [PRIV_OWNER]; see Privileges for the pstat System Call for more information.
- ptrace()
  PRIV_COMMALLOWED, PRIV_OWNER
- quotactl()
  PRIV_CMPTREAD, PRIV_DACREAD, PRIV_SYSATTR
- readlink()
  PRIV_CMPTREAD, PRIV_DACREAD
- reboot()
  PRIV_REBOOT
- rename()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER
- rmdir()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER
- rtprio()
  PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTPRIO
- sched_getparam()
  PRIV_COMMALLOWED
- sched_getscheduler()
  PRIV_COMMALLOWED
- sched_rr_get_interval()
  PRIV_COMMALLOWED
- sched_setparam()
  PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED
- sched_setscheduler()
  PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED
- sem_open()
  PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
- sem_unlink()
  PRIV_COMMALLOWED, PRIV_DACWRITE
- semctl()
  PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER
- semget()
  PRIV_COMMALLOWED
- semop()
  PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED
- semtimedop()
  PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED
- serialize()
  PRIV_SERIALIZE
- setacl()
  PRIV_CMPTREAD, PRIV_DACREAD
- setaudid()
  PRIV_SELFAUDIT
- setaudproc()
  PRIV_SELFAUDIT
- setdomainname()
  PRIV_SYSATTR
- setevent()
  PRIV_AUDCONTROL
- setgid()
  PRIV_CHSUBJIDENT
- setgroups()
  PRIV_CHSUBJIDENT
- sethostname()
  PRIV_SYSATTR
- setpgrp()
  PRIV_SESSION
- setpgrp2()
  PRIV_COMMALLOWED
- setpriority()
  PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER
- setprivgrp()
  PRIV_SYSATTR
- setregid()
  PRIV_CHSUBJIDENT
- setresgid()
  PRIV_CHSUBJIDENT
- setresuid()
  PRIV_CHSUBJIDENT
- setrlimit()
  PRIV_LIMIT
- setsid()
  PRIV_SESSION
- setsockopt()
  PRIV_NETBROADCAST; varies depending on the option used.
- settimeofday()
  PRIV_SYSATTR
- settune()
  PRIV_SYSATTR
- settune_txn()
  PRIV_SYSATTR
- setuid()
  PRIV_CHSUBJIDENT
- setuname()
  PRIV_SYSATTR
- shm_open()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
- shm_unlink()
  PRIV_CMPTWRITE, PRIV_DACWRITE, PRIV_OWNER
- shmat()
  PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
- shmctl()
  PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_MLOCK, PRIV_OWNER
- shmget()
  PRIV_COMMALLOWED
- sigqueue()
  PRIV_COMMALLOWED, PRIV_OWNER
- socket()
  PRIV_LIMIT
- socketpair()
  PRIV_LIMIT
- stat()
  PRIV_CMPTREAD, PRIV_DACREAD
- statfs()
  PRIV_CMPTREAD, PRIV_DACREAD
- statvfs()
  PRIV_CMPTREAD, PRIV_DACREAD
- stime()
  PRIV_SYSATTR
- swapon()
  PRIV_MOUNT
- symlink()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT
- truncate()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OBJSUID, PRIV_OWNER
- ttrace()
  PRIV_COMMALLOWED, PRIV_OWNER
- ulimit()
  PRIV_LIMIT
- umount()
  PRIV_MOUNT, PRIV_OWNER
- unlink()
  PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_FSINTEGRITY, PRIV_OWNER
- ustat()
  PRIV_SYSATTR
- utime()
  PRIV_OWNER
- vfsmount()
  PRIV_MOUNT
- write()
  PRIV_LIMIT
WARNINGS
Product documentation, as discussed above, describes alternate ways that programs or users can obtain sufficient privileges to perform restricted operations.

Network Issues
Privileges are not propagated across distributed systems. They are applied only on the local system. For example, a process with PRIV_DACREAD or PRIV_DACWRITE cannot access a file on another system if it is necessary to override discretionary restrictions to do so. Likewise, if the system's NFS subsystem is configured to translate the user ID zero to the user ID UID_NOBODY, it still does so. Also, some system daemons check to see if a connection originates from a privileged port (typically 0-1023) to determine whether to allow or deny the connection. This behavior is not and should not be altered.

Privilege Escalation
In certain situations, a single privilege or set of privileges can lead to a process gaining additional privileges that were not explicitly granted. This is known as privilege escalation. For example, a user with the privilege PRIV_DACWRITE alone may overwrite critical operating system files and, in the process, may grant himself additional privileges beyond PRIV_DACWRITE.

SEE ALSO
crontab(1), sam(1M), setfilexsec(1M), setrules(1M), shutdown(1M), acct(2), audwrite(2), execve(2), getfh(2), mknod(2), modload(2), modpath(2), modstat(2), mount(2), nice(2), setrlimit(2), priv_add_effective(3), priv_remove(3), privileges(3), compartments(4), compartments(5), privgrp(5), glossary(9).