Linux and UNIX Man Pages

Linux & Unix Commands - Search Man Pages

privileges(5) [hpux man page]

privileges(5)							File Formats Manual						     privileges(5)

NAME
privileges - description of HP-UX privileges DESCRIPTION
The operating system has traditionally used an "all or nothing" privilege model, where root users (those with effective such as the user named have virtually unlimited power, and other users have few or no special privileges. System administrators often need to delegate limited powers to other users. HP-UX provides several ways to do this. Because these mecha- nisms permit users other than root users to perform certain privileged operations, HP-UX documentation often uses terms such as "privileged user" or "user who has appropriate privileges" instead of "root user" when describing who is permitted to perform an operation. In the absence of a more specific description of the privileges necessary to perform an operation (typically available in the man page for that operation), you can generally assume that root users are suitably privileged. Legacy Delegation Methods HP-UX has used several methods of delegating limited powers, including restricted the privilege groups described in privgrp(5), the file described in shutdown(1M), and the file described in crontab(1). Fine-Grained Privileges The HP-UX fine-grained privilege model splits the powers of root users into a set of privileges. Each privilege grants a process that pos- sesses that privilege the right to a certain set of restricted services provided by the kernel. Privileges can be managed internally by a process with "privilege bracketing". Privilege bracketing is the practice of enabling, or "raising", a privilege only while the privilege is needed, then disabling, or "lowering", the privilege. The privileges that a process has raised determine which sensitive system call services the process can invoke. Legacy Privileges Legacy privileges are those privileges originally defined in privgrp(5). All of the privileges from that set except have been incorporated into fine-grained privileges: PRIV_CHOWN PRIV_FSSTHREAD PRIV_LOCKRDONLY PRIV_MLOCK PRIV_MPCTL PRIV_PSET PRIV_RTPRIO PRIV_RTSCHED PRIV_SERIALIZE PRIV_SPUCTL Basic Privileges Basic privileges are granted by default to all processes. The basic privileges are the set of the following: PRIV_EXEC PRIV_FORK PRIV_LINKANY PRIV_SESSION Root Replacement Privileges Root replacement privileges are the privileges that provide the powers associated with a process that has an effective user ID of zero. The root replacement privileges are the following: PRIV_ACCOUNTING PRIV_AUDCONTROL PRIV_CHOWN PRIV_CHROOT PRIV_CHSUBJIDENT PRIV_DACREAD PRIV_DACWRITE PRIV_DEVOPS PRIV_DLKM PRIV_FSINTEGRITY PRIV_FSS PRIV_FSSTHREAD PRIV_LIMIT PRIV_LOCKRDONLY PRIV_MKNOD PRIV_MLOCK PRIV_MOUNT PRIV_MPCTL PRIV_NETADMIN PRIV_NETPRIVPORT PRIV_NETPROMISCUOUS PRIV_NETRAWACCESS PRIV_OBJSUID PRIV_OWNER PRIV_PSET PRIV_REBOOT PRIV_RTPRIO PRIV_RTSCHED PRIV_RTPSET PRIV_SELFAUDIT PRIV_SERIALIZE PRIV_SPUCTL PRIV_SYSATTR PRIV_SYSNFS These privileges are granted by default to any process with an effective user ID of zero. Policy Override Privileges Policy override privileges override compartment rules. There are four policy override privileges: PRIV_CHANGECMPT PRIV_CMPTREAD PRIV_CMPTWRITE PRIV_COMMALLOWED. These privileges are not granted by default to processes with an effective user ID of zero. These privileges only apply to compartments feature (see compartments(5) and cmpt_tune(1M) to determine if this feature is enabled). These privileges comprise part of the set of privileges in the compound privilege Policy Configuration Privileges Policy configuration privileges control how privileges are configured. There are two such privileges, and These privileges are not granted by default to processes with an effective user ID of zero. These privileges comprise part of the set of privileges in the compound privi- lege Process Attribute Privileges Process attribute privileges are privileges only in the sense that they are manipulated like other privileges. is the only member of this set. This privilege is not granted by default to processes with an effective user ID of zero. Compound Privileges Compound privileges are a shorthand way of specifying a predefined set of simple privileges. These compound privileges are subject to redefinition in future releases to allow for the creation of new privileges. The compound privileges are defined as follows: Refers to the Basic Privileges. Refers to the union of Basic Privileges and Root Replacement Privileges. Refers to the Policy Override Privileges and the Policy Configuration Privileges. Privilege Descriptions The following list specifies privilege names and their primary purpose. Allows a process to control the process accounting system (see acct(2)). Allows a process to start, modify, and stop the auditing system. Grants a process the ability to change its compartment. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.) Allows a process to grant privileges to binaries. Allows access to the system calls (see chown(2)). Allows a process to change its root directory. Allows a process to change it UIDs, GIDs, and group lists. Also allows a process to a file and leave the suid or sgid bits set on the file, if present. Allows a process to open a file or directory for reading, executing (in the case of a file), or searching (in the case of a directory), bypassing compartment rules that would otherwise not per- mit the operation. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.) Allows a process to write into a file or directory, bypassing compartment rules that would otherwise not permit the operation. (See compartments(5) and cmpt_tune(1M) to deter- mine if this extended feature is enabled.) Allows a process to override compartment rules in the IPC and networking subsystems. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.) Allows the process to override all discretionary read, execute, and search access restrictions. See for more information. Allows the process to override all discretionary write access restrictions. See for more information. Allows the process to do device specific administrative operations, such as tape or disk formatting. Allows a process to load a kernel module (see modload(2)), get information about a loaded kernel module (see modstat(2)), and change the global search path for dynamically loadable kernel modules (see modpath(2)). Allows a process to call (see exec(2)) family calls. Allows a process to create additional processes (using and Allows a process to perform disk operations such as removing or modifying the size or boundaries of disk partitions, or to import and export an LVM volume group across the system. Reserved. Reserved. Allows a process to set resource and priority limits beyond the maximum limit values (see setrlimit(2) or nice(2)). Reserved. Permits the use of the system call for setting locks on files open for reading only (see lockf(2)). Allows a process to create character or block special files using the system call (see mknod(2)). Allows access to the system call (see plock(2)). Allows a process to mount and unmount a file system using the and system calls. See mount(2) and umount(2). Permits the use of the system call for changing processor binding, locality domain binding or launch policy of a process (see mpctl(2)). Allows a process to perform network administrative operations including configuring the network routing tables and querying interface information. Allows a process to bind to a privileged port. By default, port numbers are privileged ports. Enables a process to configure an interface to listen in promiscuous mode. Allows a process to access the raw internet network protocols. Allows a process to set the suid or sgid bits on any file if they also have the privilege. Additionally, allows a process to change the ownership of a file without clearing the suid or sgid bits, provided that the process is allowed to change the ownership of the file. Allows a process to override all restrictions with respect to UID matching the owner of the file or resource. See for more information. Allows change to the system pset configuration (see pset_create(2)). Allows a process to perform reboot operations. Allows access to the system call (see rtprio(2)). Allows a process to control RTE psets (see __pset_rtctl(2)). Allows access to the and to set POSIX.4 real-time priorities (see rtsched(2)). Allows a process to add and modify compartment rules on the system. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.) Allows a process to generate auditing records for itself using the system call (see audwrite(2)). Permits the use of for forcing the target process to run serially with other processes that are also marked by this system call (see serial- ize(2)). Permits creation of a new session (see setsid(2)), and setpgrp(2)). Permits certain administrative operations in the Instant Capacity product for deactivation and reactivation of processors. See the Instant Capacity documentation for more information. Enables a process to manage system attributes including the setting of tunables, and modifying the host name, domain name, and user quotas. Allows a process to perform NFS operations like exporting a file system, the system call (see getfh(2)), NFS file locking, revoking NFS authentication, and creating an NFS kernel daemon thread. Allows a process to log trial mode information to the file. See below. Programming with Privileges When programming with privileges, the name associated with each privilege is the same as the name presented here with the string prefixed (that is, use the symbolic constant in the source code). In commands associated with privileges, the names are used without the prefix, although most commands may also recognize the names with the prefix. The compound privileges and are designed to ease development of applications that retain their functionality even though the underlying privileges changes. An application that requires compatibility--even when the underlying set of privileges changes--ought to ensure that it does not accidentally drop a new privilege that was added since it was developed. For example, this can be done by dropping specific privileges from the effective set using (see priv_remove(3)) or by ensuring that the compound privileges are used as argument to (see priv_set_effective(3)). Associating Privileges with Binaries Applications that depend on the use of privileges must be registered using the command (see setfilexsec(1M)). For an alternate method of granting privileges, see privrun(1M)). Depending on what kind of restricted tasks an application performs, the application can raise the corresponding privilege needed before doing the task and then lower the privilege after completing the task. This practice is called privilege bracketing. It is recommended that a process run with the smallest possible privilege set at any given time. Associating Privileges with Processes Each process has three privilege sets associated with it. These sets are as follows: The maximum set of privileges that a process can raise. The process can remove any privilege from this set, but cannot add a privilege to this set. The privileges from this set can be added to the effective privilege set of the process. This set is also often referred to as the Potential Privilege Set. The set of privileges that are currently active for the process. A process can modify this set to keep only the necessary privileges in this set at any given time. Any privilege in this set can be removed, but only privileges in the process' permitted privilege set can be added. A process' Effective Privilege Set is always a subset of its Permitted Privilege Set. The set of privileges retained when a process calls (see execve(2)). The process can remove any privilege from this set, but cannot add any privilege to this set. A process' Retained Privilege Set is always a subset of the Permitted Privilege Set. These sets can be managed using library calls specified in functions and (See priv_add_effective(3), priv_remove(3), and priv_get(3)). Discretionary Restrictions Discretionary restrictions are the restrictions imposed by the traditional file mode access permissions. Thus, the privileges and allow read, search, execute, and write operations to proceed even if the file mode permissions forbid it. The privilege allows a process that is not the owner of a file or directory to remove the file or directory whose parent directory has the sticky bit set. The privilege also allows a process that is not the owner of a System V IPC message queue, semaphore set, or shared memory segment, to remove, change owner- ship of, or change permission bits for that object. Trial Mode This is a facility provided by the system to aid in reporting the list of privileges that a process has used during its lifetime. A devel- oper can use this feature to verify what privileges an application needs to operate. When a process with this privilege attempts to use any privilege (by making a system call that uses that privilege), an entry is logged to which, when taken together, is a list of privileges used. Compatibility A process with an effective user ID of zero is, by default, treated as possessing root replacement privileges. The compartmentalization feature may further restrict this interpretation of effective user ID such that the process is treated as though it has only a specified subset of root replacement privileges. For more details, see the description of "Process Limitation Rules" in compartments(4). More formally, a process is said to observe a privilege if and only if one or more of the following conditions hold: o The privilege is present in its effective privilege set, or o The privilege is a root replacement privilege, effective uid of the process is zero, and compartmentalization is not enabled, or o The privilege is a root replacement privilege, effective uid of the process is zero, compartmentalization is enabled, and the privilege is not a disallowed privilege in the process's compartment. SYSTEM PRIVILEGE REQUIREMENTS
This section provides tables that list the privileges that may be required where the corresponding man pages specifies "appropriate privi- leges" to perform certain operations or to operate in certain conditions. For each system call, the table lists what privileges can poten- tially affect system call's behavior, The subsections also include other functions and areas of interest. These tables list the privileges that may be required where the indi- vidual man pages specifies "appropriate privileges" to perform certain operations or to operate in certain conditions. Several system calls are accessible by privileged and unprivileged applications. For example, the system call (see kill(2)), when used by a process without the privilege, can send a signal only to processes whose UIDs match the sending process' own UID. Some general guidelines apply to working with hardware-related system calls. o Many hardware devices need the privilege in addition to any privileges needed by the specific system calls used. o Networking and streams may need the and/or privileges in addition to other privileges, depending on what you are attempting to do. For example, the command requires the privilege (see exportfs(1M)). The and library calls require the privilege (possibly in addition to other privileges). (See fdetach(3) and fattach(3C)). Privileges for the pstat System Call The system call typically needs the privilege when operating on processes outside the calling process's compartment (see pstat(2)). How- ever, because this system call works in so many areas, some of the functions of this call may require other privileges. The following is a list of those functions and the privileges they require: PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED, PRIV_OWNER PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED, PRIV_OWNER PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED, PRIV_OWNER PRIV_COMMALLOWED, PRIV_OWNER Privileges for Security Containment Some commands related to Security Containment make use of certain privileges that are not used in other contexts: PRIV_CHANGEFILEXSEC, PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE PRIV_RULESCONFIG Additionally, some library calls related to Security Containment make use of security specific privileges: PRIV_CHANGECMPT PRIV_COMMALLOWED PRIV_RULESCONFIG PRIV_RULESCONFIG PRIV_COMMALLOWED PRIV_COMMALLOWED Privileges for System Calls The following table lists system calls and the privileges they may need. Some of these are dependent on what system object they are acting on (for example, files in another compartment), the state of the system (for example, if the maximum number of open files has been reached), or other conditions. PRIV_PSET, PRIV_RTPSET PRIV_LIMIT PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE PRIV_ACCOUNTING PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER PRIV_SYSATTR PRIV_AUDCONTROL PRIV_SELFAUDIT PRIV_SELFAUDIT PRIV_SELFAUDIT PRIV_NETPRIVPORT PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER PRIV_CHOWN, PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER PRIV_CHROOT, PRIV_CMPTREAD, PRIV_DACREAD PRIV_SYSATTR PRIV_COMMALLOWED PRIV_DEVOPS PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_OBJSUID, PRIV_OWNER PRIV_LIMIT PRIV_LIMIT PRIV_CMPTREAD, PRIV_DACREAD, PRIV_EXEC PRIV_CMPTREAD, PRIV_DACREAD PRIV_OBJSUID, PRIV_OWNER PRIV_CHOWN, PRIV_OWNER PRIV_FORK, PRIV_LIMIT PRIV_CMPTREAD, PRIV_DACREAD PRIV_OWNER PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OBJSUID, PRIV_OWNER PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE PRIV_CMPTREAD, PRIV_DACREAD PRIV_SELFAUDIT PRIV_SELFAUDIT PRIV_AUDCONTROL PRIV_SYSNFS PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_SYSATTR PRIV_COMMALLOWED PRIV_FSINTEGRITY, PRIV_SYSATTR, PRIV_DEVOPS, PRIV_NETADMIN, PRIV_NETPROMISCUOUS, PRIV_NETRAWACCESS and more. Generally the privileges required for an depend on the driver and type of PRIV_COMMALLOWED, PRIV_OWNER, PRIV_REBOOT PRIV_CMPTREAD, PRIV_DACREAD, PRIV_OWNER PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_FSINTEGRITY PRIV_LOCKRDONLY PRIV_CMPTREAD, PRIV_DACREAD PRIV_SYSATTR PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_MKNOD PRIV_MLOCK PRIV_MLOCK PRIV_DEVOPS PRIV_CMPTREAD, PRIV_DACREAD, PRIV_DLKM PRIV_DLKM PRIV_DLKM PRIV_DLKM PRIV_CMPTREAD, PRIV_DACREAD, PRIV_MOUNT, PRIV_OWNER PRIV_COMMALLOWED, PRIV_MPCTL PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT, PRIV_OWNER PRIV_COMMALLOWED PRIV_COMMALLOWED, PRIV_DACREAD PRIV_COMMALLOWED, PRIV_DACWRITE PRIV_MLOCK PRIV_MLOCK PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT PRIV_LIMIT PRIV_MLOCK PRIV_PSET, PRIV_RTPSET PRIV_PSET, PRIV_RTPSET PRIV_PSET, PRIV_RTPSET PRIV_PSET, PRIV_RTPSET PRIV_PSET, PRIV_RTPSET PRIV_PSET, PRIV_RTPSET PRIV_PSET, PRIV_RTPSET PRIV_COMMALLOWED, [PRIV_OWNER]; see for more information. PRIV_COMMALLOWED, PRIV_OWNER PRIV_CMPTREAD, PRIV_DACREAD, PRIV_SYSATTR PRIV_CMPTREAD, PRIV_DACREAD PRIV_REBOOT PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTPRIO PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED PRIV_COMMALLOWED, PRIV_OWNER, PRIV_RTSCHED PCIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE PRIV_COMMALLOWED, PRIV_DACWRITE PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OWNER PRIV_COMMALLOWED PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED PRIV_DACREAD, PRIV_DACWRITE, PRIV_COMMALLOWED PRIV_SERIALIZE PRIV_CMPTREAD, PRIV_DACREAD PRIV_SELFAUDIT PRIV_SELFAUDIT PRIV_SYSATTR PRIV_AUDCONTROL PRIV_CHSUBJIDENT PRIV_CHSUBJIDENT PRIV_SYSATTR PRIV_SESSION PRIV_COMMALLOWED PRIV_COMMALLOWED, PRIV_LIMIT, PRIV_OWNER PRIV_SYSATTR PRIV_CHSUBJIDENT PRIV_CHSUBJIDENT PRIV_CHSUBJIDENT PRIV_LIMIT PRIV_SESSION PRIV_NETBROADCAST; varies depending on the option used. PRIV_SYSATTR PRIV_SYSATTR PRIV_SYSATTR PRIV_CHSUBJIDENT PRIV_SYSATTR PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE PRIV_CMPTWRITE, PRIV_DACWRITE, PRIV_OWNER PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_DACWRITE PRIV_COMMALLOWED, PRIV_COMMALLOWED, PRIV_DACREAD, PRIV_MLOCK, PRIV_OWNER PRIV_COMMALLOWED PRIV_COMMALLOWED, PRIV_OWNER PRIV_LIMIT PRIV_LIMIT PRIV_CMPTREAD, PRIV_DACREAD PRIV_CMPTREAD, PRIV_DACREAD PRIV_CMPTREAD, PRIV_DACREAD PRIV_SYSATTR PRIV_MOUNT PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_LIMIT PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_OBJSUID, PRIV_OWNER PRIV_COMMALLOWED, PRIV_OWNER PRIV_LIMIT PRIV_MOUNT, PRIV_OWNER PRIV_CMPTREAD, PRIV_CMPTWRITE, PRIV_DACREAD, PRIV_DACWRITE, PRIV_FSINTEGRITY, PRIV_OWNER PRIV_SYSATTR PRIV_OWNER PRIV_MOUNT PRIV_LIMIT WARNINGS
Product documentation, as discussed above, describes alternate ways that programs or users can obtain sufficient privileges to perform restricted operations. Network Issues Privileges are not propagated across distributed systems. They are applied only on the local system. For example, a process with or can- not access a file on another system if it is necessary to override discretionary restrictions to do so. For example, if the system's NFS subsystem is configured to translate the user ID zero to the user ID it still does so. Also, some system daemons check to see if a connection originates from a privileged port (typically to determine whether to allow or deny the connection. This behavior is not and should not be altered. Privilege Escalation In certain situations, a single privilege or set of privileges can lead to a process gaining additional privileges that were not explicitly granted. This is known as privilege escalation. For example, a user with the privilege alone may overwrite critical operating system files and, in the process, may grant himself addi- tional privileges beyond SEE ALSO
crontab(1), sam(1M), setfilexsec(1M), setrules(1M), shutdown(1M), acct(2), audwrite(2), execve(2), getfh(2), mknod(2), modload(2), mod- path(2), modstat(2), mount(2), nice(2), setrlimit(2), priv_add_effective(3), priv_remove(3), privileges(3), compartments(4), compart- ments(5), privgrp(5), glossary(9). privileges(5)
Man Page

Featured Tech Videos