Applications that are written or modified to support
fine-grained privileges are called privilege-aware applications. You
must register privilege-aware applications using the setfilexsec command. Once registered, the security attributes associated with
a binary file are stored in a configuration file and maintain persistence
across reboot. This is normally done for you when you install and
configure privilege-aware applications using the SD-UX utilities.
Older HP-UX applications, or legacy applications,
are not privilege-aware. You can configure legacy applications that
run with UID=0 to run with fine-grained
privileges. To configure legacy applications using HP-UX RBAC, see Section .
|TIP: HP recommends you use HP-UX RBAC to configure applications that
require variable privileges to run.|
To configure security attributes for a privilege-aware
application, use the setfilexsec command as follows:
# setfilexsec [options] filename
The setfilexsec command is
meant to assign privileges to binaries on a local file system. Binaries
that are obtained from a network file systems (NFS) should not be
assigned privileges because if the file is modified by a different
system (directly on the NFS server), the extended attributes set by setfilexsec are not removed.
The options for setfilexsec are
Deletes any security information
for this file from the configuration file and the kernel.
Deletes any security information
for this file from the configuration file only. Used to clear security
information for a deleted file.
Add or change minimum retained
Add or change maximum retained
Add or change minimum permitted
Add or change maximum permitted
Sets the security attribute
The getfilexsec command displays
the extended attributes of a binary file, set with the setfilexsec command.
Each process has three privilege sets associated
Permitted Privilege Set
The maximum set of privileges
a process can raise. The process can drop any privilege from this
set, but cannot add any privileges to this set. Privileges from this
set can be added to the effective privilege set of the process.
Effective Privilege Set
The set of currently active privileges for a process.
A privilege-aware process can modify effective privilege set to keep
only the necessary privileges in this set at any given time. The process
can remove any privilege from the effective privilege set, but can
only add privileges from the permitted privilege set.
The effective privilege set is always a subset
of the permitted privilege set.
Retained Privilege Set
The set of privileges retained when a process calls
the execve() system call. The process can remove
any privilege from this set, but cannot add privileges to this set.
The retained privilege set is always a subset of
the permitted privileges set.
The first process, init,
starts with a small set of privileges. It then creates other processes
that execute other binaries using exec family
calls (execv, execve, and
so on). During this exec call, the extended attributes
of the binary, the attributes set with setfilexsec command, may cause these processes to gain privileges that their
parent process do not have, or lose the privileges that the parent
process had. For instance, if a binary has a permitted minimum of DACREAD (setfilexsec –p DACREAD has been performed on the binary), the new process will have the DACREAD privilege whether or not the parent process had
that privilege. On the other hand, if process already has the DACREAD privilege, but if the binary it executes does
not have this privilege in permitted max (for example, setfilexsec
-P none …. has been performed on the file already),
it would lose the privilege as a side-effect of executing the binary.
Compound privileges are a shorthand way of specifying
a predefined set of simple privileges.
The following are compound privileges:
Basic privileges available to all processes
by default. Processes may drop one or more privileges from this set.
Basic and privileges and privileges that
provide powers usually associated with UID=0.
Policy override privileges and policy configuration
privileges. Policy override privileges override compartment rules.
Policy configuration privileges control how privileges are configured.
For a complete list of the privileges in each of
the compound privileges, see privileges(5).