Operating Systems Solaris Assigning proc_owner privilege to particular user in RBAC Post 303036222 by sb200 on Wednesday 19th of June 2019 01:42:49 PM
Hi Jim

It's a new setup where the app team needs to monitor the processes run by different app users from a specific user ID, to whom I have to give the proc_owner privilege.

As per my testing on my VM machine, the proc_info privilege is given to every user by default, so I think we need to give the proc_owner privilege.

Note: user1 and user2 were created before running these commands.

Code:
root@sol11:~# usermod -K 'defaultpriv=basic,proc_owner' user1
user2@sol11:/proc$ ppriv -v $$
1020:   -bash
flags = <none>
        E: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        I: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        P: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dax_access,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
user2@sol11:/proc$
user2@sol11:/proc$
user2@sol11:/proc$ ppriv  $$
1020:   -bash
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
user2@sol11:/proc$
user1@sol11:/proc$ ppriv $$
1030:   -bash
flags = <none>
        E: basic,proc_owner
        I: basic,proc_owner
        P: basic,proc_owner
        L: all
user1@sol11:/proc$
user1@sol11:/proc$ ppriv -v $$
1030:   -bash
flags = <none>
        E: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
        I: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
        P: dax_access,file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,proc_info,proc_owner,proc_session,sys_ib_info
        L: contract_event,contract_identity,contract_observer,cpc_cpu,dax_access,dtrace_kernel,dtrace_proc,dtrace_user,file_chown,file_chown_self,file_dac_execute,file_dac_read,file_dac_search,file_dac_write,file_downgrade_sl,file_flag_set,file_link_any,file_owner,file_read,file_setid,file_upgrade_sl,file_write,graphics_access,graphics_map,ipc_dac_read,ipc_dac_write,ipc_owner,net_access,net_bindmlp,net_icmpaccess,net_mac_aware,net_mac_implicit,net_observability,net_privaddr,net_rawaccess,proc_audit,proc_chroot,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_lock_memory,proc_owner,proc_priocntl,proc_session,proc_setid,proc_taskid,proc_zone,sys_acct,sys_admin,sys_audit,sys_config,sys_devices,sys_dl_config,sys_flow_config,sys_ib_config,sys_ib_info,sys_ip_config,sys_ipc_config,sys_iptun_config,sys_linkdir,sys_mount,sys_net_config,sys_nfs,sys_ppp_config,sys_res_bind,sys_res_config,sys_resource,sys_share,sys_smb,sys_suser_compat,sys_time,sys_trans_label,win_colormap,win_config,win_dac_read,win_dac_write,win_devices,win_dga,win_downgrade_sl,win_fontpath,win_mac_read,win_mac_write,win_selection,win_upgrade_sl
user1@sol11:/proc$

--- Post updated at 12:12 AM ---

Hi Jim

My only concern is that proc_owner doesn't pose any risk other than seeing the processes run by other users. If I can restrict that specific user to see only the processes belonging to specific users on the system, that would be great.
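An added audit helper for the setup described in this post (example code, not from the post or from Solaris): it parses `ppriv $$` / `ppriv -v $$` output and user_attr(5) defaultpriv entries and reports every effective privilege beyond the basic set, flagging proc_owner separately because, per privileges(7), it allows signalling and inspecting other users' processes, not merely listing them. The basic set is taken from user2's `ppriv -v` output above; the user_attr sample line is constructed.

```python
# Added example (not from the post): audit ppriv(1) output and user_attr(5)
# defaultpriv entries for Solaris privileges granted beyond the basic set.
import re

# Basic set exactly as `ppriv -v` printed it for user2 in the post (Solaris 11).
BASIC = {"dax_access", "file_link_any", "file_read", "file_write", "net_access",
         "proc_exec", "proc_fork", "proc_info", "proc_session", "sys_ib_info"}
# proc_owner lets a process signal, inspect and modify other users' processes
# (privileges(7)): it grants control, not just visibility, so it is flagged.
CONTROL = {"proc_owner"}

def expand(spec):
    """Expand a ppriv set spec such as 'basic,proc_owner' into privilege names."""
    names = set()
    for p in filter(None, (s.strip() for s in spec.split(","))):
        names |= BASIC if p == "basic" else {p}
    return names

def parse_ppriv(text):
    """Return the E/I/P/L sets from `ppriv [-v] $$` output as a dict."""
    return {m.group(1): expand(m.group(2))
            for m in re.finditer(r"^\s*([EIPL]):\s*(\S+)\s*$", text, re.M)}

def audit_ppriv(text):
    """Effective privileges beyond basic, and which of them grant process control."""
    extra = parse_ppriv(text).get("E", set()) - BASIC
    return {"extra": sorted(extra), "control": sorted(extra & CONTROL)}

def audit_user_attr(text):
    """user -> defaultpriv beyond basic, from user_attr(5) lines (user:::: attrs)."""
    findings = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        attrs = dict(kv.split("=", 1) for kv in fields[4].split(";") if "=" in kv)
        if "defaultpriv" in attrs:
            findings[fields[0]] = sorted(expand(attrs["defaultpriv"]) - BASIC)
    return findings

# Constructed samples: user1's `ppriv $$` lines from the post, and a user_attr
# line of the form `usermod -K 'defaultpriv=basic,proc_owner' user1` writes.
USER1_PPRIV = """1030:   -bash
flags = <none>
        E: basic,proc_owner
        L: all
"""
USER_ATTR = "user1::::type=normal;defaultpriv=basic,proc_owner\nuser2::::type=normal\n"
```

Running `audit_ppriv(USER1_PPRIV)` reports proc_owner as both an extra and a control-granting privilege, while `audit_user_attr(USER_ATTR)` shows which accounts carry it persistently.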
 
