HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 8 Fine-Grained Privileges

Troubleshooting Fine-Grained Privileges


If something is not working on the system and you suspect the problem is occurring because of fine-grained privileges, you can check the fine-grained privileges configuration as follows.

Problem 1: Even though fine-grained privileges are assigned to a binary file, processes that use exec() to access the binary are not receiving the assigned fine-grained privileges.

Solution: Check for one of the following situations.

  • Is the file in question a script?

    Any fine-grained privileges assigned to shell scripts are ignored.

  • Has the file changed since the fine-grained privileges were assigned?

    When a file is modified, its fine-grained privilege attributes are lost. Run the following command either before or after you modify the file:

    # setfilexsec -d filename

    Next, add the privilege attributes you want assigned to the file.

See setfilexsec(1M) for more information about troubleshooting fine-grained privileges.
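The two checks under Problem 1 can be scripted. The following is an added example, not part of the HP documentation: the function names and the checksum baseline file are assumptions of this sketch, and it uses only the standard dd, cksum, and grep utilities.

```shell
#!/bin/sh
# Added example: pre-checks for Problem 1. Source this file, then call
#   record_baseline FILE BASELINE   right after assigning privileges
#   diagnose FILE BASELINE          when privileges seem to be missing
# BASELINE is a plain text file of cksum lines (assumed format of this
# example). Use the same path for FILE in both calls, because cksum
# prints the path as part of each line.

# Return 0 if FILE begins with "#!", that is, it is an interpreter script.
is_script() {
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]
}

# Append FILE's current checksum line to BASELINE.
record_baseline() {
    cksum "$1" >> "$2"
}

# Return 0 if FILE no longer matches BASELINE, 1 if it matches,
# 2 if no comparison is possible.
changed_since_baseline() {
    [ -r "$2" ] || return 2
    current=$(cksum "$1") || return 2
    if grep -Fqx -- "$current" "$2"; then
        return 1
    fi
    return 0
}

# Print one word naming the condition that applies to FILE.
diagnose() {
    if is_script "$1"; then
        echo "script"        # privileges assigned to scripts are ignored
        return 0
    fi
    rc=0
    changed_since_baseline "$1" "$2" || rc=$?
    case $rc in
        0) echo "modified" ;;     # attributes lost: setfilexsec -d, re-add
        1) echo "unchanged" ;;    # look elsewhere for the cause
        *) echo "no-baseline" ;;  # nothing recorded to compare against
    esac
}
```
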

Problem 2: A process has privileges it should not have, or does not have privileges it should have.

Solution: Use the getprocxsec command to determine what privileges a process has:

# getprocxsec -per pid

This command displays the permitted, effective, and retained privilege sets for the process. For more information, see getprocxsec(1M).

If the process does not have the correct privileges, configure the binary file that created this process with the correct privileges. See “Configuring Applications with Fine-Grained Privileges” for more information.

