privileges(5) File Formats Manual privileges(5)
NAME
privileges - description of HP-UX privileges
DESCRIPTION
The operating system has traditionally used an "all or nothing" privilege model, where root users (those with effective such as the user
named have virtually unlimited power, and other users have few or no special privileges.
System administrators often need to delegate limited powers to other users. HP-UX provides several ways to do this. Because these
mechanisms permit users other than root users to perform certain privileged operations, HP-UX documentation often uses terms such as
"privileged user" or "user who has appropriate privileges" instead of "root user" when describing who is permitted to perform an operation.
In the absence of a more specific description of the privileges necessary to perform an operation (typically available in the man page for
that operation), you can generally assume that root users are suitably privileged.
Legacy Delegation Methods
HP-UX has used several methods of delegating limited powers, including restricted the privilege groups described in privgrp(5), the file
described in shutdown(1M), and the file described in crontab(1).
Fine-Grained Privileges
The HP-UX fine-grained privilege model splits the powers of root users into a set of privileges. Each privilege grants a process that
possesses that privilege the right to a certain set of restricted services provided by the kernel. Privileges can be managed internally by a
process with "privilege bracketing". Privilege bracketing is the practice of enabling, or "raising", a privilege only while the privilege
is needed, then disabling, or "lowering", the privilege. The privileges that a process has raised determine which sensitive system call
services the process can invoke.
Legacy Privileges
Legacy privileges are those privileges originally defined in privgrp(5). All of the privileges from that set except have been incorporated
into fine-grained privileges:
PRIV_CHOWN PRIV_FSSTHREAD PRIV_LOCKRDONLY PRIV_MLOCK
PRIV_MPCTL PRIV_PSET PRIV_RTPRIO PRIV_RTSCHED
PRIV_SERIALIZE PRIV_SPUCTL
Basic Privileges
Basic privileges are granted by default to all processes. The basic privileges are the set of the following:
PRIV_EXEC PRIV_FORK PRIV_LINKANY PRIV_SESSION
Root Replacement Privileges
Root replacement privileges are the privileges that provide the powers associated with a process that has an effective user ID of zero.
The root replacement privileges are the following:
PRIV_ACCOUNTING PRIV_AUDCONTROL PRIV_CHOWN PRIV_CHROOT
PRIV_CHSUBJIDENT PRIV_DACREAD PRIV_DACWRITE PRIV_DEVOPS
PRIV_DLKM PRIV_FSINTEGRITY PRIV_FSS PRIV_FSSTHREAD
PRIV_LIMIT PRIV_LOCKRDONLY PRIV_MKNOD PRIV_MLOCK
PRIV_MOUNT PRIV_MPCTL PRIV_NETADMIN PRIV_NETPRIVPORT
PRIV_NETPROMISCUOUS PRIV_NETRAWACCESS PRIV_OBJSUID PRIV_OWNER
PRIV_PSET PRIV_REBOOT PRIV_RTPRIO PRIV_RTSCHED
PRIV_RTPSET PRIV_SELFAUDIT PRIV_SERIALIZE PRIV_SPUCTL
PRIV_SYSATTR PRIV_SYSNFS
These privileges are granted by default to any process with an effective user ID of zero.
Policy Override Privileges
Policy override privileges override compartment rules. There are four policy override privileges:
PRIV_CHANGECMPT PRIV_CMPTREAD PRIV_CMPTWRITE PRIV_COMMALLOWED.
These privileges are not granted by default to processes with an effective user ID of zero. These privileges only apply to the compartments
feature (see compartments(5) and cmpt_tune(1M) to determine if this feature is enabled). These privileges comprise part of the set of
privileges in the compound privilege
Policy Configuration Privileges
Policy configuration privileges control how privileges are configured. There are two such privileges, and These privileges are not granted
by default to processes with an effective user ID of zero. These privileges comprise part of the set of privileges in the compound
privilege
Process Attribute Privileges
Process attribute privileges are privileges only in the sense that they are manipulated like other privileges. is the only member of this
set. This privilege is not granted by default to processes with an effective user ID of zero.
Compound Privileges
Compound privileges are a shorthand way of specifying a predefined set of simple privileges. These compound privileges are subject to
redefinition in future releases to allow for the creation of new privileges. The compound privileges are defined as follows:
Refers to the Basic Privileges.
Refers to the union of Basic Privileges and Root Replacement Privileges.
Refers to the Policy Override Privileges and the Policy
Configuration Privileges.
Privilege Descriptions
The following list specifies privilege names and their primary purpose.
Allows a process to control the process accounting system (see
acct(2)).
Allows a process to start, modify, and stop the auditing system.
Grants a process the ability to change its compartment.
(See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
Allows a process to grant privileges to binaries.
Allows access to the
system calls (see chown(2)).
Allows a process to change its root directory.
Allows a process to change its UIDs, GIDs, and group lists.
Also allows a process to a file and leave the suid or sgid bits set on the file, if present.
Allows a process to open a file or directory for reading, executing
(in the case of a file), or searching (in the case of a directory), bypassing compartment rules that would otherwise not
permit the operation. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
Allows a process to write into a file or directory,
bypassing compartment rules that would otherwise not permit the operation. (See compartments(5) and cmpt_tune(1M) to
determine if this extended feature is enabled.)
Allows a process to override compartment rules in the IPC and networking
subsystems. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
Allows the process to override all discretionary read, execute, and
search access restrictions. See for more information.
Allows the process to override all discretionary write access restrictions.
See for more information.
Allows the process to do device specific administrative operations, such as
tape or disk formatting.
Allows a process to load a kernel module (see
modload(2)), get information about a loaded kernel module (see modstat(2)), and change the global search path for dynamically
loadable kernel modules (see modpath(2)).
Allows a process to call
(see exec(2)) family calls.
Allows a process to create additional processes (using
and
Allows a process to perform disk operations such as removing or modifying the
size or boundaries of disk partitions, or to import and export an LVM volume group across the system.
Reserved.
Reserved.
Allows a process to set resource and priority limits beyond the maximum
limit values (see setrlimit(2) or nice(2)).
Reserved.
Permits the use of the
system call for setting locks on files open for reading only (see lockf(2)).
Allows a process to create character or block special files using the
system call (see mknod(2)).
Allows access to the
system call (see plock(2)).
Allows a process to mount and unmount a file system using the
and system calls. See mount(2) and umount(2).
Permits the use of the
system call for changing processor binding, locality domain binding or launch policy of a process (see mpctl(2)).
Allows a process to perform network administrative operations including
configuring the network routing tables and querying interface information.
Allows a process to bind to a privileged port.
By default, port numbers are privileged ports.
Enables a process to configure an interface to listen in
promiscuous mode.
Allows a process to access the raw internet network protocols.
Allows a process to set the suid or sgid bits on any file if they also
have the privilege. Additionally, allows a process to change the ownership of a file without clearing the suid or sgid bits,
provided that the process is allowed to change the ownership of the file.
Allows a process to override all restrictions with respect to UID matching
the owner of the file or resource. See for more information.
Allows change to the system pset configuration
(see pset_create(2)).
Allows a process to perform reboot operations.
Allows access to the
system call (see rtprio(2)).
Allows a process to control RTE psets
(see __pset_rtctl(2)).
Allows access to the
and to set POSIX.4 real-time priorities (see rtsched(2)).
Allows a process to add and modify compartment rules on the system.
(See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
Allows a process to generate auditing records for itself using the
system call (see audwrite(2)).
Permits the use of
for forcing the target process to run serially with other processes that are also marked by this system call (see
serialize(2)).
Permits creation of a new session (see
setsid(2) and setpgrp(2)).
Permits certain administrative operations in the
Instant Capacity product for deactivation and reactivation of processors. See the Instant Capacity documentation for more
information.
Enables a process to manage system attributes including the
setting of tunables, and modifying the host name, domain name, and user quotas.
Allows a process to perform NFS operations like exporting a file system, the
system call (see getfh(2)), NFS file locking, revoking NFS authentication, and creating an NFS kernel daemon thread.
Allows a process to log trial mode information to the
file. See below.
Programming with Privileges
When programming with privileges, the name associated with each privilege is the same as the name presented here with the string prefixed
(that is, use the symbolic constant in the source code). In commands associated with privileges, the names are used without the prefix,
although most commands may also recognize the names with the prefix.
The compound privileges and are designed to ease development of applications that retain their functionality even when the underlying
set of privileges changes. An application that requires compatibility--even when the underlying set of privileges changes--ought to ensure
that it does not accidentally drop a new privilege that was added since it was developed. For example, this can be done by dropping
specific privileges from the effective set using (see priv_remove(3)) or by ensuring that the compound privileges are used as the
argument to (see priv_set_effective(3)).
Associating Privileges with Binaries
Applications that depend on the use of privileges must be registered using the command (see setfilexsec(1M)). For an alternate method of
granting privileges, see privrun(1M).
Depending on what kind of restricted tasks an application performs, the application can raise the corresponding privilege needed before
doing the task and then lower the privilege after completing the task. This practice is called privilege bracketing. It is recommended
that a process run with the smallest possible privilege set at any given time.
Associating Privileges with Processes
Each process has three privilege sets associated with it. These sets are as follows:
The maximum set of privileges that a process can raise.
The process can remove any privilege from this set, but cannot add a privilege to this set. The privileges from this set can
be added to the effective privilege set of the process. This set is also often referred to as the Potential Privilege Set.
The set of privileges that are currently active for the process.
A process can modify this set to keep only the necessary privileges in this set at any given time. Any privilege in this set
can be removed, but only privileges in the process' permitted privilege set can be added. A process' Effective Privilege Set
is always a subset of its Permitted Privilege Set.
The set of privileges retained when a process calls
(see execve(2)). The process can remove any privilege from this set, but cannot add any privilege to this set. A process'
Retained Privilege Set is always a subset of the Permitted Privilege Set.
These sets can be managed using library calls specified in functions and (See priv_add_effective(3), priv_remove(3), and priv_get(3)).
Discretionary Restrictions
Discretionary restrictions are the restrictions imposed by the traditional file mode access permissions. Thus, the privileges and allow
read, search, execute, and write operations to proceed even if the file mode permissions forbid it. The privilege allows a process that is
not the owner of a file or directory to remove the file or directory whose parent directory has the sticky bit set. The privilege also
allows a process that is not the owner of a System V IPC message queue, semaphore set, or shared memory segment, to remove, change
ownership of, or change permission bits for that object.
Trial Mode
This is a facility provided by the system to aid in reporting the list of privileges that a process has used during its lifetime. A
developer can use this feature to verify what privileges an application needs to operate. When a process with this privilege attempts to use
any privilege (by making a system call that uses that privilege), an entry is logged to which, when taken together, is a list of privileges
used.
Compatibility
A process with an effective user ID of zero is, by default, treated as possessing root replacement privileges. The compartmentalization
feature may further restrict this interpretation of effective user ID such that the process is treated as though it has only a specified
subset of root replacement privileges. For more details, see the description of "Process Limitation Rules" in compartments(4).
More formally, a process is said to observe a privilege if and only if one or more of the following conditions hold:
o The privilege is present in its effective privilege set, or
o The privilege is a root replacement privilege, the effective uid of the process is zero, and compartmentalization is not enabled, or
o The privilege is a root replacement privilege, the effective uid of the process is zero, compartmentalization is enabled, and the
privilege is not a disallowed privilege in the process's compartment.
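The three process privilege sets, the subset rules between them, privilege bracketing, the effect of execve(2) on the retained set, and the three "observes a privilege" conditions above, as an added model written for this page. It is not the HP-UX libprivileges API (priv_add_effective(3), priv_remove(3), priv_get(3) are replaced by small bitmask functions), the bit numbers assigned to the privilege names are made up, and the uid 1000 starting state is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
typedef uint64_t privset_t;   /* one bit per privilege; bit numbers are made up here */
#define PRIV_FORK        ((privset_t)1 << 0)   /* basic */
#define PRIV_EXEC        ((privset_t)1 << 1)   /* basic */
#define PRIV_DACREAD     ((privset_t)1 << 2)   /* root replacement */
#define PRIV_DACWRITE    ((privset_t)1 << 3)   /* root replacement */
#define PRIV_CHANGECMPT  ((privset_t)1 << 4)   /* policy override: not root replacement */
#define BASIC_PRIVS            (PRIV_FORK | PRIV_EXEC)
#define ROOT_REPLACEMENT_PRIVS (PRIV_DACREAD | PRIV_DACWRITE)

struct process {
    unsigned  euid;
    privset_t permitted;   /* maximum set the process may raise; it can only shrink */
    privset_t effective;   /* currently active; always a subset of permitted */
    privset_t retained;    /* survives execve(); always a subset of permitted */
};

/* Both subset rules from the man page must hold at all times. */
bool sets_consistent(const struct process *p)
{
    return (p->effective & ~p->permitted) == 0 && (p->retained & ~p->permitted) == 0;
}

/* "Raising": only privileges already in the permitted set can be enabled;
 * a request containing anything else is refused as a whole. */
bool raise_effective(struct process *p, privset_t privs)
{
    if (privs & ~p->permitted)
        return false;
    p->effective |= privs;
    return true;
}

/* "Lowering": any effective privilege may be dropped at any time. */
void lower_effective(struct process *p, privset_t privs) { p->effective &= ~privs; }

/* Modelled execve(): only the retained set survives; this model assumes the new image
 * starts with permitted == effective == retained (setfilexsec(1M) grants not modelled). */
void model_exec(struct process *p) { p->permitted = p->effective = p->retained; }

/* The three "observes a privilege" conditions from the Compatibility section. */
bool observes(const struct process *p, privset_t priv, bool cmpt_enabled, privset_t cmpt_disallowed)
{
    if (p->effective & priv)
        return true;                                  /* condition 1 */
    if (!(priv & ROOT_REPLACEMENT_PRIVS) || p->euid != 0)
        return false;                                 /* conditions 2 and 3 need euid 0 */
    return !cmpt_enabled || (priv & cmpt_disallowed) == 0;
}

/* Privilege bracketing: raise, do the work, lower again whatever the result. */
bool run_bracketed(struct process *p, privset_t needed, bool (*work)(const struct process *))
{
    if (!raise_effective(p, needed))
        return false;
    bool ok = work(p);
    lower_effective(p, needed);
    return ok;
}

/* Constructed work item: succeeds only while PRIV_DACWRITE is observed. */
bool overwrite_protected_file(const struct process *p) { return observes(p, PRIV_DACWRITE, false, 0); }

/* Constructed start state: uid 1000 with PRIV_DACWRITE permitted but not yet raised. */
struct process registered_process(void)
{
    return (struct process){ 1000, BASIC_PRIVS | PRIV_DACWRITE, BASIC_PRIVS, BASIC_PRIVS };
}
```

After model_exec() the DACWRITE privilege is gone for good, since it was never placed in the retained set; a root process (euid 0) observes DACWRITE without raising it unless its compartment disallows it.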
SYSTEM PRIVILEGE REQUIREMENTS
This section provides tables that list the privileges that may be required where the corresponding man pages specify "appropriate
privileges" to perform certain operations or to operate in certain conditions. For each system call, the table lists what privileges can
potentially affect the system call's behavior.
The subsections also include other functions and areas of interest. These tables list the privileges that may be required where the
individual man pages specify "appropriate privileges" to perform certain operations or to operate in certain conditions.
Several system calls are accessible by privileged and unprivileged applications. For example, the system call (see kill(2)), when used by
a process without the privilege, can send a signal only to processes whose UIDs match the sending process' own UID.
Some general guidelines apply to working with hardware-related system calls.
o Many hardware devices need the privilege in addition to any privileges needed by the specific system calls used.
o Networking and streams may need the and/or privileges in addition to other privileges, depending on what you are attempting to
do. For example, the command requires the privilege (see exportfs(1M)). The and library calls require the privilege (possibly
in addition to other privileges). (See fdetach(3) and fattach(3C)).
Privileges for the pstat System Call
The system call typically needs the privilege when operating on processes outside the calling process's compartment (see pstat(2)).
However, because this system call works in so many areas, some of the functions of this call may require other privileges. The following is a
list of those functions and the privileges they require:
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_COMMALLOWED, PRIV_OWNER
Privileges for Security Containment
Some commands related to Security Containment make use of certain privileges that are not used in other contexts:
PRIV_CHANGEFILEXSEC, PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
PRIV_RULESCONFIG
Additionally, some library calls related to Security Containment make use of security specific privileges:
PRIV_CHANGECMPT
PRIV_COMMALLOWED
PRIV_RULESCONFIG
PRIV_RULESCONFIG
PRIV_COMMALLOWED
PRIV_COMMALLOWED
Privileges for System Calls
The following table lists system calls and the privileges they may need. Some of these are dependent on what system object they are acting
on (for example, files in another compartment), the state of the system (for example, if the maximum number of open files has been
reached), or other conditions.
PRIV_PSET, PRIV_RTPSET
PRIV_LIMIT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
PRIV_ACCOUNTING
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER
PRIV_SYSATTR
PRIV_AUDCONTROL
PRIV_SELFAUDIT
PRIV_SELFAUDIT
PRIV_SELFAUDIT
PRIV_NETPRIVPORT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER
PRIV_CHOWN, PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER
PRIV_CHROOT, PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SYSATTR
PRIV_COMMALLOWED
PRIV_DEVOPS
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_OBJSUID, PRIV_OWNER
PRIV_LIMIT
PRIV_LIMIT
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_EXEC
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_OBJSUID, PRIV_OWNER
PRIV_CHOWN, PRIV_OWNER
PRIV_FORK, PRIV_LIMIT
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OBJSUID, PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SELFAUDIT
PRIV_SELFAUDIT
PRIV_AUDCONTROL
PRIV_SYSNFS
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_SYSATTR
PRIV_COMMALLOWED
PRIV_FSINTEGRITY, PRIV_SYSATTR, PRIV_DEVOPS, PRIV_NETADMIN,
PRIV_NETPROMISCUOUS, PRIV_NETRAWACCESS and more. Generally the privileges required for an depend on the
driver and type of
PRIV_COMMALLOWED, PRIV_OWNER, PRIV_REBOOT
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_FSINTEGRITY
PRIV_LOCKRDONLY
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SYSATTR
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD,
PRIV_DACWRITE, PRIV_LIMIT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT,
PRIV_MKNOD
PRIV_MLOCK
PRIV_MLOCK
PRIV_DEVOPS
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_DLKM
PRIV_DLKM
PRIV_DLKM
PRIV_DLKM
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_MOUNT, PRIV_OWNER
PRIV_COMMALLOWED, PRIV_MPCTL
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_OWNER
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_DACREAD
PRIV_COMMALLOWED, PRIV_DACWRITE
PRIV_MLOCK
PRIV_MLOCK
PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT
PRIV_LIMIT
PRIV_MLOCK
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_PSET, PRIV_RTPSET
PRIV_COMMALLOWED, [PRIV_OWNER]; see
for more information.
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_CMPTREAD, PRIV_DACREAD, PRIV_SYSATTR
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_REBOOT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER
PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTPRIO
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED
PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER
PRIV_COMMALLOWED
PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED
PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED
PRIV_SERIALIZE
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SELFAUDIT
PRIV_SELFAUDIT
PRIV_SYSATTR
PRIV_AUDCONTROL
PRIV_CHSUBJIDENT
PRIV_CHSUBJIDENT
PRIV_SYSATTR
PRIV_SESSION
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER
PRIV_SYSATTR
PRIV_CHSUBJIDENT
PRIV_CHSUBJIDENT
PRIV_CHSUBJIDENT
PRIV_LIMIT
PRIV_SESSION
PRIV_NETBROADCAST; varies depending on the option used.
PRIV_SYSATTR
PRIV_SYSATTR
PRIV_SYSATTR
PRIV_CHSUBJIDENT
PRIV_SYSATTR
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE
PRIV_CMPTWRITE, PRIV_DACWRITE, PRIV_OWNER
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE
PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_MLOCK, PRIV_OWNER
PRIV_COMMALLOWED
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_LIMIT
PRIV_LIMIT
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_CMPTREAD, PRIV_DACREAD
PRIV_SYSATTR
PRIV_MOUNT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OBJSUID,
PRIV_OWNER
PRIV_COMMALLOWED, PRIV_OWNER
PRIV_LIMIT
PRIV_MOUNT, PRIV_OWNER
PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE,
PRIV_FSINTEGRITY, PRIV_OWNER
PRIV_SYSATTR
PRIV_OWNER
PRIV_MOUNT
PRIV_LIMIT
WARNINGS
Product documentation, as discussed above, describes alternate ways that programs or users can obtain sufficient privileges to perform
restricted operations.
Network Issues
Privileges are not propagated across distributed systems. They are applied only on the local system. For example, a process with or
cannot access a file on another system if it is necessary to override discretionary restrictions to do so.
For example, if the system's NFS subsystem is configured to translate the user ID zero to the user ID it still does so. Also, some system
daemons check to see if a connection originates from a privileged port (typically to determine whether to allow or deny the connection.
This behavior is not and should not be altered.
Privilege Escalation
In certain situations, a single privilege or set of privileges can lead to a process gaining additional privileges that were not explicitly
granted. This is known as privilege escalation.
For example, a user with the privilege alone may overwrite critical operating system files and, in the process, may grant himself
additional privileges beyond
SEE ALSO
crontab(1), sam(1M), setfilexsec(1M), setrules(1M), shutdown(1M), acct(2), audwrite(2), execve(2), getfh(2), mknod(2), modload(2),
modpath(2), modstat(2), mount(2), nice(2), setrlimit(2), priv_add_effective(3), priv_remove(3), privileges(3), compartments(4),
compartments(5), privgrp(5), glossary(9).