privileges(5)

HP-UX 11i Version 3: February 2007
NAME

privileges — description of HP-UX privileges

DESCRIPTION

The UNIX® operating system has traditionally used an "all or nothing" privilege model, where root users (those with effective UID 0, such as the user named root) have virtually unlimited power, and other users have few or no special privileges.

System administrators often need to delegate limited powers to other users. HP-UX provides several ways to do this. Because these mechanisms permit users other than root users to perform certain privileged operations, HP-UX documentation often uses terms such as "privileged user" or "user who has appropriate privileges" instead of "root user" when describing who is permitted to perform an operation.

In the absence of a more specific description of the privileges necessary to perform an operation (typically available in the man page for that operation), you can generally assume that root users are suitably privileged.

Legacy Delegation Methods

HP-UX has used several methods of delegating limited powers, including restricted sam, the privilege groups described in privgrp(5), the shutdown.allow file described in shutdown(1M), and the cron.allow file described in crontab(1).

Fine-Grained Privileges

The HP-UX fine-grained privilege model splits the powers of root users into a set of privileges. Each privilege grants a process that possesses that privilege the right to a certain set of restricted services provided by the kernel. Privileges can be managed internally by a process with "privilege bracketing". Privilege bracketing is the practice of enabling, or "raising", a privilege only while the privilege is needed, then disabling, or "lowering", the privilege. The privileges that a process has raised determine which sensitive system call services the process can invoke.

Legacy Privileges

Legacy privileges are those privileges originally defined in privgrp(5). All of the privileges from that set except PRIV_SETRUGID have been incorporated into fine-grained privileges:

PRIV_CHOWN PRIV_FSSTHREAD PRIV_LOCKRDONLY PRIV_MLOCK PRIV_MPCTL PRIV_PSET PRIV_RTPRIO PRIV_RTSCHED PRIV_SERIALIZE PRIV_SPUCTL

Basic Privileges

Basic privileges are granted by default to all processes. The basic privileges are the set of the following:

PRIV_EXEC PRIV_FORK PRIV_LINKANY PRIV_SESSION

Root Replacement Privileges

Root replacement privileges are the privileges that provide the powers associated with a process that has an effective user ID of zero. The root replacement privileges are the following:

PRIV_ACCOUNTING PRIV_AUDCONTROL PRIV_CHOWN PRIV_CHROOT PRIV_CHSUBJIDENT PRIV_DACREAD PRIV_DACWRITE PRIV_DEVOPS PRIV_DLKM PRIV_FSINTEGRITY PRIV_FSS PRIV_FSSTHREAD PRIV_LIMIT PRIV_LOCKRDONLY PRIV_MKNOD PRIV_MLOCK PRIV_MOUNT PRIV_MPCTL PRIV_NETADMIN PRIV_NETPRIVPORT PRIV_NETPROMISCUOUS PRIV_NETRAWACCESS PRIV_OBJSUID PRIV_OWNER PRIV_PSET PRIV_REBOOT PRIV_RTPRIO PRIV_RTSCHED PRIV_RTPSET PRIV_SELFAUDIT PRIV_SERIALIZE PRIV_SPUCTL PRIV_SYSATTR PRIV_SYSNFS

These privileges are granted by default to any process with an effective user ID of zero.

Policy Override Privileges

Policy override privileges override compartment rules. There are four policy override privileges:

PRIV_CHANGECMPT PRIV_CMPTREAD PRIV_CMPTWRITE PRIV_COMMALLOWED

These privileges are not granted by default to processes with an effective user ID of zero. They apply only to the compartments feature (see compartments(5) and cmpt_tune(1M) to determine whether this feature is enabled). These privileges comprise part of the set of privileges in the compound privilege POLICY.

Policy Configuration Privileges

Policy configuration privileges control how privileges are configured. There are two such privileges, PRIV_CHANGEFILEXSEC and PRIV_RULESCONFIG. These privileges are not granted by default to processes with an effective user ID of zero. These privileges comprise part of the set of privileges in the compound privilege POLICY.

Process Attribute Privileges

Process attribute privileges are privileges only in the sense that they are manipulated like other privileges. PRIV_TRIALMODE is the only member of this set. This privilege is not granted by default to processes with an effective user ID of zero.

Compound Privileges

Compound privileges are a shorthand way of specifying a predefined set of simple privileges. These compound privileges are subject to redefinition in future releases to allow for the creation of new privileges. The compound privileges are defined as follows:

BASIC

Refers to the Basic Privileges.

BASICROOT

Refers to the union of Basic Privileges and Root Replacement Privileges.

POLICY

Refers to the Policy Override Privileges and the Policy Configuration Privileges.

Privilege Descriptions

The following list specifies privilege names and their primary purpose.

PRIV_ACCOUNTING (ACCOUNTING)

Allows a process to control the process accounting system (see acct(2)).

PRIV_AUDCONTROL (AUDCONTROL)

Allows a process to start, modify, and stop the auditing system.

PRIV_CHANGECMPT (CHANGECMPT)

Grants a process the ability to change its compartment. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)

PRIV_CHANGEFILEXSEC (CHANGEFILEXSEC)

Allows a process to grant privileges to binaries.

PRIV_CHOWN (CHOWN)

Allows access to the chown() system calls (see chown(2)).

PRIV_CHROOT (CHROOT)

Allows a process to change its root directory.

PRIV_CHSUBJIDENT (CHSUBJIDENT)

Allows a process to change its UIDs, GIDs, and group lists. Also allows a process to chown a file and leave the suid or sgid bits set on the file, if present.

PRIV_CMPTREAD (CMPTREAD)

Allows a process to open a file or directory for reading, executing (in the case of a file), or searching (in the case of a directory), bypassing compartment rules that would otherwise not permit the operation. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)

PRIV_CMPTWRITE (CMPTWRITE)

Allows a process to write into a file or directory, bypassing compartment rules that would otherwise not permit the operation. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)

PRIV_COMMALLOWED (COMMALLOWED)

Allows a process to override compartment rules in the IPC and networking subsystems. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)

PRIV_DACREAD (DACREAD)

Allows the process to override all discretionary read, execute, and search access restrictions. See Discretionary Restrictions for more information.

PRIV_DACWRITE (DACWRITE)

Allows the process to override all discretionary write access restrictions. See Discretionary Restrictions for more information.

PRIV_DEVOPS (DEVOPS)

Allows the process to do device specific administrative operations, such as tape or disk formatting.

PRIV_DLKM (DLKM)

Allows a process to load a kernel module (see modload(2)), get information about a loaded kernel module (see modstat(2)), and change the global search path for dynamically loadable kernel modules (see modpath(2)).

PRIV_EXEC (EXEC)

Allows a process to call the exec() family of calls (see exec(2)).

PRIV_FORK (FORK)

Allows a process to create additional processes (using fork() and vfork()).

PRIV_FSINTEGRITY (FSINTEGRITY)

Allows a process to perform disk operations such as removing or modifying the size or boundaries of disk partitions, or to import and export an LVM volume group across the system.

PRIV_FSSTHREAD (FSSTHREAD)

Reserved.

PRIV_FSS (FSS)

Reserved.

PRIV_LIMIT (LIMIT)

Allows a process to set resource and priority limits beyond the maximum limit values (see setrlimit(2) or nice(2)).

PRIV_LINKANY (LINKANY)

Reserved.

PRIV_LOCKRDONLY (LOCKRDONLY)

Permits the use of the lockf() system call for setting locks on files open for reading only (see lockf(2)).

PRIV_MKNOD (MKNOD)

Allows a process to create character or block special files using the mknod() system call (see mknod(2)).

PRIV_MLOCK (MLOCK)

Allows access to the plock() system call (see plock(2)).

PRIV_MOUNT (MOUNT)

Allows a process to mount and unmount a file system using the mount() and umount() system calls. See mount(2) and umount(2).

PRIV_MPCTL (MPCTL)

Permits the use of the mpctl() system call for changing processor binding, locality domain binding or launch policy of a process (see mpctl(2)).

PRIV_NETADMIN (NETADMIN)

Allows a process to perform network administrative operations including configuring the network routing tables and querying interface information.

PRIV_NETPRIVPORT (NETPRIVPORT)

Allows a process to bind to a privileged port. By default, port numbers 0-1023 are privileged ports.

PRIV_NETPROMISCUOUS (NETPROMISCUOUS)

Enables a process to configure an interface to listen in promiscuous mode.

PRIV_NETRAWACCESS (NETRAWACCESS)

Allows a process to access the raw internet network protocols.

PRIV_OBJSUID (OBJSUID)

Allows a process to set the suid or sgid bits on any file if they also have the OWNER privilege. Additionally, allows a process to change the ownership of a file without clearing the suid or sgid bits, provided that the process is allowed to change the ownership of the file.

PRIV_OWNER (OWNER)

Allows a process to override all restrictions with respect to UID matching the owner of the file or resource. See Discretionary Restrictions for more information.

PRIV_PSET (PSET)

Allows change to the system pset configuration (see pset_create(2)).

PRIV_REBOOT (REBOOT)

Allows a process to perform reboot operations.

PRIV_RTPRIO (RTPRIO)

Allows access to the rtprio() system call (see rtprio(2)).

PRIV_RTPSET (RTPSET)

Allows a process to control RTE psets (see __pset_rtctl(2)).

PRIV_RTSCHED (RTSCHED)

Allows access to the sched_setparam() and sched_setscheduler() to set POSIX.4 real-time priorities (see rtsched(2)).

PRIV_RULESCONFIG (RULESCONFIG)

Allows a process to add and modify compartment rules on the system. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)

PRIV_SELFAUDIT (SELFAUDIT)

Allows a process to generate auditing records for itself using the audwrite() system call (see audwrite(2)).

PRIV_SERIALIZE (SERIALIZE)

Permits the use of serialize() for forcing the target process to run serially with other processes that are also marked by this system call (see serialize(2)).

PRIV_SESSION (SESSION)

Permits creation of a new session (see setsid(2) and setpgrp(2)).

PRIV_SPUCTL (SPUCTL)

Permits certain administrative operations in the Instant Capacity product for deactivation and reactivation of processors. See the Instant Capacity documentation for more information.

PRIV_SYSATTR (SYSATTR)

Enables a process to manage system attributes including the setting of tunables, and modifying the host name, domain name, and user quotas.

PRIV_SYSNFS (SYSNFS)

Allows a process to perform NFS operations like exporting a file system, the getfh() system call (see getfh(2)), NFS file locking, revoking NFS authentication, and creating an NFS kernel daemon thread.

PRIV_TRIALMODE (TRIALMODE)

Allows a process to log trial mode information to the syslog file. See Trial Mode below.

Programming with Privileges

When programming with privileges, the name associated with each privilege is the same as the name presented here with the string PRIV_ prefixed (that is, use the symbolic constant PRIV_ACCOUNTING in the source code). In commands associated with privileges, the names are used without the PRIV_ prefix, although most commands may also recognize the names with the prefix.

The compound privileges BASIC, BASICROOT, and POLICY are designed to ease development of applications that retain their functionality even if the underlying privileges change. An application that requires compatibility even when the underlying set of privileges changes ought to ensure that it does not accidentally drop a new privilege that was added after it was developed. For example, this can be done by dropping specific privileges from the effective set using priv_remove() (see priv_remove(3)) or by ensuring that the compound privileges are used as the argument to priv_set_effective() (see priv_set_effective(3)).

Associating Privileges with Binaries

Applications that depend on the use of privileges must be registered using the setfilexsec command (see setfilexsec(1M)). For an alternate method of granting privileges, see privrun(1M).

Depending on what kind of restricted tasks an application performs, the application can raise the corresponding privilege needed before doing the task and then lower the privilege after completing the task. This practice is called privilege bracketing. It is recommended that a process run with the smallest possible privilege set at any given time.

Associating Privileges with Processes

Each process has three privilege sets associated with it. These sets are as follows:

Permitted Privilege Set

The maximum set of privileges that a process can raise. The process can remove any privilege from this set, but cannot add a privilege to this set. The privileges from this set can be added to the effective privilege set of the process. This set is also often referred to as the Potential Privilege Set.

Effective Privilege Set

The set of privileges that are currently active for the process. A process can modify this set to keep only the necessary privileges in this set at any given time. Any privilege in this set can be removed, but only privileges in the process' permitted privilege set can be added. A process' Effective Privilege Set is always a subset of its Permitted Privilege Set.

Retained Privilege Set

The set of privileges retained when a process calls execve() (see execve(2)). The process can remove any privilege from this set, but cannot add any privilege to this set. A process' Retained Privilege Set is always a subset of the Permitted Privilege Set.

These sets can be managed using the library calls priv_add_effective(), priv_remove(), and priv_get() (see priv_add_effective(3), priv_remove(3), and priv_get(3)).

Discretionary Restrictions

Discretionary restrictions are the restrictions imposed by the traditional file mode access permissions. Thus, the privileges PRIV_DACREAD and PRIV_DACWRITE allow read, search, execute, and write operations to proceed even if the file mode permissions forbid it. The PRIV_OWNER privilege allows a process that is not the owner of a file or directory to remove the file or directory whose parent directory has the sticky bit set. The PRIV_OWNER privilege also allows a process that is not the owner of a System V IPC message queue, semaphore set, or shared memory segment, to remove, change ownership of, or change permission bits for that object.

Trial Mode

This is a facility provided by the system to aid in reporting the list of privileges that a process has used during its lifetime. A developer can use this feature to verify which privileges an application needs in order to operate. When a process with this privilege attempts to use any privilege (by making a system call that uses that privilege), an entry is logged to syslog; taken together, these entries form the list of privileges used.

Compatibility

A process with an effective user ID of zero is, by default, treated as possessing root replacement privileges. The compartmentalization feature may further restrict this interpretation of effective user ID such that the process is treated as though it has only a specified subset of root replacement privileges. For more details, see the description of "Process Limitation Rules" in compartments(4).

More formally, a process is said to observe a privilege if and only if one or more of the following conditions hold:

  • The privilege is present in its effective privilege set, or

  • The privilege is a root replacement privilege, effective uid of the process is zero, and compartmentalization is not enabled, or

  • The privilege is a root replacement privilege, effective uid of the process is zero, compartmentalization is enabled, and the privilege is not a disallowed privilege in the process's compartment.
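The three privilege sets, privilege bracketing, and the "observes a privilege" conditions above, modelled in Python as an added example (this is not HP-UX code or the libsec API; the exec handling and the non-root daemon scenario are assumptions of the model):

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, Set

# Privilege groups exactly as privileges(5) lists them (names without the PRIV_ prefix).
BASIC = frozenset({"EXEC", "FORK", "LINKANY", "SESSION"})
ROOT_REPLACEMENT = frozenset({
    "ACCOUNTING", "AUDCONTROL", "CHOWN", "CHROOT", "CHSUBJIDENT", "DACREAD",
    "DACWRITE", "DEVOPS", "DLKM", "FSINTEGRITY", "FSS", "FSSTHREAD", "LIMIT",
    "LOCKRDONLY", "MKNOD", "MLOCK", "MOUNT", "MPCTL", "NETADMIN", "NETPRIVPORT",
    "NETPROMISCUOUS", "NETRAWACCESS", "OBJSUID", "OWNER", "PSET", "REBOOT",
    "RTPRIO", "RTSCHED", "RTPSET", "SELFAUDIT", "SERIALIZE", "SPUCTL",
    "SYSATTR", "SYSNFS"})
POLICY = frozenset({"CHANGECMPT", "CMPTREAD", "CMPTWRITE", "COMMALLOWED",
                    "CHANGEFILEXSEC", "RULESCONFIG"})
BASICROOT = BASIC | ROOT_REPLACEMENT


class PrivilegeError(Exception):
    """Raised when an operation would violate the privilege-set invariants."""


@dataclass
class Process:
    euid: int
    permitted: Set[str]                            # maximum set the process can raise
    effective: Set[str] = field(default_factory=set)   # currently active privileges
    retained: Set[str] = field(default_factory=set)    # survives execve()
    cmpt_enabled: bool = False                     # compartments feature on?
    cmpt_disallowed: FrozenSet[str] = frozenset()  # disallowed in this compartment

    def __post_init__(self) -> None:
        # Effective and retained sets are always subsets of the permitted set.
        if not (self.effective <= self.permitted and self.retained <= self.permitted):
            raise PrivilegeError("effective/retained must be subsets of permitted")

    def raise_priv(self, priv: str) -> None:
        """Add a privilege to the effective set; only permitted privileges may be raised."""
        if priv not in self.permitted:
            raise PrivilegeError(f"{priv} is not in the permitted set")
        self.effective.add(priv)

    def lower_priv(self, priv: str) -> None:
        """Remove a privilege from the effective set (always allowed)."""
        self.effective.discard(priv)

    def observes(self, priv: str) -> bool:
        """The three conditions under which privileges(5) says a process observes a privilege."""
        if priv in self.effective:
            return True
        if priv in ROOT_REPLACEMENT and self.euid == 0:
            if not self.cmpt_enabled:
                return True
            return priv not in self.cmpt_disallowed
        return False

    def exec_image(self) -> "Process":
        """Model execve(): only the retained set survives. Assumption of this model: the new
        image starts with retained as permitted and effective, and the binary has no
        setfilexsec-registered privileges of its own."""
        kept = set(self.retained)
        return Process(self.euid, kept, set(kept), set(kept),
                       self.cmpt_enabled, self.cmpt_disallowed)


def bracket(proc: Process, priv: str, action: Callable[[], object]) -> object:
    """Privilege bracketing: raise priv only for the duration of action(), then lower it."""
    proc.raise_priv(priv)
    try:
        return action()
    finally:
        proc.lower_priv(priv)


def bind_low_port_demo() -> dict:
    """Constructed scenario: a non-root daemon granted NETPRIVPORT (as setfilexsec would),
    raising it only around the privileged bind() and not retaining it across exec."""
    daemon = Process(euid=1000, permitted=set(BASIC | {"NETPRIVPORT"}),
                     effective=set(BASIC), retained=set(BASIC))
    before = daemon.observes("NETPRIVPORT")
    during = bracket(daemon, "NETPRIVPORT", lambda: daemon.observes("NETPRIVPORT"))
    after = daemon.observes("NETPRIVPORT")
    child = daemon.exec_image()
    return {"before": before, "during": during, "after": after,
            "child_has_it": "NETPRIVPORT" in child.permitted}
```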

SYSTEM PRIVILEGE REQUIREMENTS

This section provides tables that list the privileges that may be required where the corresponding man page specifies "appropriate privileges" to perform certain operations or to operate under certain conditions. For each system call, the table lists the privileges that can potentially affect the system call's behavior.

The subsections also cover other functions and areas of interest. These tables list the privileges that may be required where the individual man page specifies "appropriate privileges" to perform certain operations or to operate under certain conditions.

Several system calls are accessible by privileged and unprivileged applications. For example, the kill() system call (see kill(2)), when used by a process without the PRIV_OWNER privilege, can send a signal only to processes whose UIDs match the sending process' own UID.

Some general guidelines apply to working with hardware-related system calls.

  • Many hardware devices need the PRIV_DEVOPS privilege in addition to any privileges needed by the specific system calls used.

  • Networking and streams may need the PRIV_NETADMIN, PRIV_NETRAWACCESS, and/or PRIV_NETPROMISCUOUS privileges in addition to other privileges, depending on what you are attempting to do. For example, the exportfs command requires the PRIV_SYSNFS privilege (see exportfs(1M)). The fdetach() and fattach() library calls require the PRIV_MOUNT privilege (possibly in addition to other privileges). (See fdetach(3) and fattach(3C)).

Privileges for the pstat System Call

The pstat() system call typically needs the PRIV_COMMALLOWED privilege when operating on processes outside the calling process's compartment (see pstat(2)). However, because this system call works in so many areas, some of the functions of this call may require other privileges. The following is a list of those functions and the privileges they require:

pstat_getcommandline()

PRIV_COMMALLOWED

pstat_getfile()/pstat_getfile2()

PRIV_COMMALLOWED

pstat_getfiledetails()

PRIV_COMMALLOWED, PRIV_OWNER

pstat_getlwp()

PRIV_COMMALLOWED

pstat_getmsg()

PRIV_COMMALLOWED

pstat_getpmq()

PRIV_COMMALLOWED

pstat_getproc()

PRIV_COMMALLOWED

pstat_getpsem()

PRIV_COMMALLOWED

pstat_getsem()

PRIV_COMMALLOWED

pstat_pathname()

PRIV_COMMALLOWED, PRIV_OWNER

pstat_proc_locality()

PRIV_COMMALLOWED

pstat_proc_vm()

PRIV_COMMALLOWED

pstat_procwindow()

PRIV_COMMALLOWED

pstat_shminfo()

PRIV_COMMALLOWED

pstat_socket()

PRIV_COMMALLOWED, PRIV_OWNER

pstat_stream()

PRIV_COMMALLOWED, PRIV_OWNER

Privileges for Security Containment

Some commands related to Security Containment make use of certain privileges that are not used in other contexts:

setfilexsec

PRIV_CHANGEFILEXSEC, PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE

setrules

PRIV_RULESCONFIG

Additionally, some library calls related to Security Containment make use of security specific privileges:

cmpt_change()

PRIV_CHANGECMPT

cmpt_get()

PRIV_COMMALLOWED

cmpt_get_addrcid()

PRIV_RULESCONFIG

cmpt_get_ifcid()

PRIV_RULESCONFIG

priv_get()

PRIV_COMMALLOWED

privset_get()

PRIV_COMMALLOWED

Privileges for System Calls

The following table lists system calls and the privileges they may need. Some of these are dependent on what system object they are acting on (for example, files in another compartment), the state of the system (for example, if the maximum number of open files has been reached), or other conditions.

__pset_rtctl()

PRIV_PSET, PRIV_RTPSET

accept()

PRIV_LIMIT

access()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE

acct()

PRIV_ACCOUNTING

acl()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER

adjtime()

PRIV_SYSATTR

audctl()

PRIV_AUDCONTROL

audswitch()

PRIV_SELFAUDIT

audtag()

PRIV_SELFAUDIT

audwrite()

PRIV_SELFAUDIT

bind()

PRIV_NETPRIVPORT

chdir()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE

chmod()

PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER

chown()

PRIV_CHOWN, PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER

chroot()

PRIV_CHROOT, PRIV_CMPTREAD, PRIV_DACREAD

clock_settime()

PRIV_SYSATTR

connect()

PRIV_COMMALLOWED

crashconf()

PRIV_DEVOPS

creat()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_OBJSUID, PRIV_OWNER

dup()

PRIV_LIMIT

dup2()

PRIV_LIMIT

exec()

PRIV_CMPTREAD, PRIV_DACREAD, PRIV_EXEC

execve()

PRIV_CMPTREAD, PRIV_DACREAD

fchmod()

PRIV_OBJSUID, PRIV_OWNER

fchown()

PRIV_CHOWN, PRIV_OWNER

fork()

PRIV_FORK, PRIV_LIMIT

fpathconf()

PRIV_CMPTREAD, PRIV_DACREAD

fsetacl()

PRIV_OWNER

ftruncate()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OBJSUID, PRIV_OWNER

getaccess()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE

getacl()

PRIV_CMPTREAD, PRIV_DACREAD

getaudid()

PRIV_SELFAUDIT

getaudproc()

PRIV_SELFAUDIT

getevent()

PRIV_AUDCONTROL

getfh()

PRIV_SYSNFS

getpgrp2()

PRIV_COMMALLOWED

getpriority()

PRIV_COMMALLOWED

getprivgrp()

PRIV_SYSATTR

getsid()

PRIV_COMMALLOWED

ioctl()

PRIV_FSINTEGRITY, PRIV_SYSATTR, PRIV_DEVOPS, PRIV_NETADMIN, PRIV_NETPROMISCUOUS, PRIV_NETRAWACCESS and more. Generally the privileges required for an ioctl depend on the driver and type of ioctl.

kill()

PRIV_COMMALLOWED, PRIV_OWNER, PRIV_REBOOT

lchown()

PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER

link()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_FSINTEGRITY

lockf()

PRIV_LOCKRDONLY

lstat()

PRIV_CMPTREAD, PRIV_DACREAD

mem_res_grp()

PRIV_SYSATTR

mkdir()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT

mknod()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_MKNOD

mlock()

PRIV_MLOCK

mlockall()

PRIV_MLOCK

mmap()

PRIV_DEVOPS

modload()

PRIV_CMPTREAD, PRIV_DACREAD, PRIV_DLKM

modpath()

PRIV_DLKM

modstat()

PRIV_DLKM

moduload()

PRIV_DLKM

mount()

PRIV_CMPTREAD, PRIV_DACREAD, PRIV_MOUNT, PRIV_OWNER

mpctl()

PRIV_COMMALLOWED, PRIV_MPCTL

mq_open()

PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE

mq_unlink()

PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE

msgctl()

PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_OWNER

msgget()

PRIV_COMMALLOWED

msgrcv()

PRIV_COMMALLOWED, PRIV_DACREAD

msgsnd()

PRIV_COMMALLOWED, PRIV_DACWRITE

munlock()

PRIV_MLOCK

munlockall()

PRIV_MLOCK

nice()

PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER

open()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT

pipe()

PRIV_LIMIT

plock()

PRIV_MLOCK

pset_assign()

PRIV_PSET, PRIV_RTPSET

pset_bind()

PRIV_PSET, PRIV_RTPSET

pset_create()

PRIV_PSET, PRIV_RTPSET

pset_ctl()

PRIV_PSET, PRIV_RTPSET

pset_destroy()

PRIV_PSET, PRIV_RTPSET

pset_getattr()

PRIV_PSET, PRIV_RTPSET

pset_setattr()

PRIV_PSET, PRIV_RTPSET

pstat()

PRIV_COMMALLOWED, [PRIV_OWNER]; see Privileges for the pstat System Call for more information.

ptrace()

PRIV_COMMALLOWED, PRIV_OWNER

quotactl()

PRIV_CMPTREAD, PRIV_DACREAD, PRIV_SYSATTR

readlink()

PRIV_CMPTREAD, PRIV_DACREAD

reboot()

PRIV_REBOOT

rename()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER

rmdir()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER

rtprio()

PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTPRIO

sched_getparam()

PRIV_COMMALLOWED

sched_getscheduler()

PRIV_COMMALLOWED

sched_rr_get_interval()

PRIV_COMMALLOWED

sched_setparam()

PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED

sched_setscheduler()

PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED

sem_open()

PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE

sem_unlink()

PRIV_COMMALLOWED, PRIV_DACWRITE

semctl()

PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER

semget()

PRIV_COMMALLOWED

semop()

PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED

semtimedop()

PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED

serialize()

PRIV_SERIALIZE

setacl()

PRIV_CMPTREAD, PRIV_DACREAD

setaudid()

PRIV_SELFAUDIT

setaudproc()

PRIV_SELFAUDIT

setdomainname()

PRIV_SYSATTR

setevent()

PRIV_AUDCONTROL

setgid()

PRIV_CHSUBJIDENT

setgroups()

PRIV_CHSUBJIDENT

sethostname()

PRIV_SYSATTR

setpgrp()

PRIV_SESSION

setpgrp2()

PRIV_COMMALLOWED

setpriority()

PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER

setprivgrp()

PRIV_SYSATTR

setregid()

PRIV_CHSUBJIDENT

setresgid()

PRIV_CHSUBJIDENT

setresuid()

PRIV_CHSUBJIDENT

setrlimit()

PRIV_LIMIT

setsid()

PRIV_SESSION

setsockopt()

PRIV_NETBROADCAST; varies depending on the option used.

settimeofday()

PRIV_SYSATTR

settune()

PRIV_SYSATTR

settune_txn()

PRIV_SYSATTR

setuid()

PRIV_CHSUBJIDENT

setuname()

PRIV_SYSATTR

shm_open()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE

shm_unlink()

PRIV_CMPTWRITE, PRIV_DACWRITE, PRIV_OWNER

shmat()

PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE

shmctl()

PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_MLOCK, PRIV_OWNER

shmget()

PRIV_COMMALLOWED

sigqueue()

PRIV_COMMALLOWED, PRIV_OWNER

socket()

PRIV_LIMIT

socketpair()

PRIV_LIMIT

stat()

PRIV_CMPTREAD, PRIV_DACREAD

statfs()

PRIV_CMPTREAD, PRIV_DACREAD

statvfs()

PRIV_CMPTREAD, PRIV_DACREAD

stime()

PRIV_SYSATTR

swapon()

PRIV_MOUNT

symlink()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT

truncate()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OBJSUID, PRIV_OWNER

ttrace()

PRIV_COMMALLOWED, PRIV_OWNER

ulimit()

PRIV_LIMIT

umount()

PRIV_MOUNT, PRIV_OWNER

unlink()

PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_FSINTEGRITY, PRIV_OWNER

ustat()

PRIV_SYSATTR

utime()

PRIV_OWNER

vfsmount()

PRIV_MOUNT

write()

PRIV_LIMIT

WARNINGS

Product documentation, as discussed above, describes alternate ways that programs or users can obtain sufficient privileges to perform restricted operations.

Network Issues

Privileges are not propagated across distributed systems. They are applied only on the local system. For example, a process with PRIV_DACREAD or PRIV_DACWRITE cannot access a file on another system if it is necessary to override discretionary restrictions to do so.

Similarly, if the system's NFS subsystem is configured to translate user ID zero to the user ID UID_NOBODY, it continues to do so regardless of the process's privileges. Also, some system daemons check whether a connection originates from a privileged port (typically 0-1023) to determine whether to allow or deny the connection. This behavior is not altered by privileges, and should not be.

Privilege Escalation

In certain situations, a single privilege or set of privileges can lead to a process gaining additional privileges that were not explicitly granted. This is known as privilege escalation.

For example, a user with the privilege PRIV_DACWRITE alone may overwrite critical operating system files and, in the process, may grant himself additional privileges beyond PRIV_DACWRITE.

© 1983-2007 Hewlett-Packard Development Company, L.P.