Oracle Solaris 11.1 Administration: Security Services
Using Privileges (Tasks)

Privileges can enable users to perform specific tasks with administrative rights. Privileges can also be used to limit users to just those tasks that they are permitted to perform.

The following task map points to step-by-step instructions for viewing, managing, and using privileges on your system.

Task: View the defined privileges.
Description: Lists the privileges and their definitions in Oracle Solaris.
For Instructions: How to List the Privileges on the System

Task: View your privileges as a user in any shell.
Description: Shows your directly assigned privileges. All of your processes run with these privileges.
For Instructions: How to Determine the Privileges That You Have Been Directly Assigned

Task: View your privileged commands in a profile shell.
Description: Shows the privileged commands that you can run through an assigned rights profile.
For Instructions: How to Determine the Privileged Commands That You Can Run

Task: Determine which privileges are in a process.
Description: Lists the effective, inheritable, permitted, and limit privilege sets for a process.
For Instructions: How to Determine the Privileges on a Process

Task: Determine which privileges are missing from a process.
Description: Lists the privileges that a failed process requires to succeed.
For Instructions: How to Determine Which Privileges a Program Requires

Task: Limit attacker access to a system when an attack on an application is successful.
Description: Protects the system by applying an extended privilege policy to the NTP service, so that its net_privaddr privilege covers only the NTP port.
For Instructions: How to Apply Extended Privilege Policy to a Port

Task: Add privileges to a command.
Description: Adds privileges to a command in a rights profile. Users or roles can be assigned the rights profile. The users can then run the command with the assigned privileges in a profile shell.

Task: Assign privileges to a user or role.
Description: Expands a user's or role's inheritable set of privileges. Use this procedure with caution.

Task: Restrict a user's privileges.
Description: Limits the user's basic set of privileges. Use this procedure with caution.

Task: Run a privileged shell script.
Description: Adds privilege to a shell script and to the commands in the shell script. Then, runs the script in a profile shell.
For Instructions: How to Run a Shell Script With Privileged Commands

How to List the Privileges on the System

The following procedure shows how to view the privilege names and definitions.

How to Determine the Privileges That You Have Been Directly Assigned

The following procedure shows how to determine if you have been directly assigned privileges.


Caution - Inappropriate use of directly assigned privileges can result in unintentional breaches of security. For a discussion, see Security Considerations When Directly Assigning Security Attributes.


  1. List the privileges that your processes can use.

    See How to Determine the Privileges on a Process for the procedure.

  2. Invoke actions and run commands in any shell.

    The privileges in your effective set are in effect for every process in your session. Privileges that have been directly assigned to you, beyond the basic set, appear in the effective, inheritable, and permitted sets of each of your processes, so they are available in any shell, not only in a profile shell.

Example 9-33 Determining Your Directly Assigned Privileges

In this example, the user is directly assigned the proc_clock_highres privilege, so the privilege is available in every process that the user owns.

% ppriv -v $$
1800:   pfksh
flags = <none>
        E: file_link_any,…,proc_clock_highres,proc_session
        I: file_link_any,…,proc_clock_highres,proc_session
        P: file_link_any,…,proc_clock_highres,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time
% ppriv -vl proc_clock_highres
        Allows a process to use high resolution timers.

Example 9-34 Determining a Role's Directly Assigned Privileges

In the following example, the role realtime has been directly assigned privileges to handle date and time programs.

% su - realtime
Password: <Type realtime password>
$ ppriv -v $$
1600:   pfksh
flags = <none>
        E: file_link_any,…,proc_clock_highres,proc_session,sys_time
        I: file_link_any,…,proc_clock_highres,proc_session,sys_time
        P: file_link_any,…,proc_clock_highres,proc_session,sys_time
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time

How to Determine the Privileged Commands That You Can Run

Typically, users and roles get access to privileged commands through a rights profile. Commands in a rights profile must be executed in a profile shell.

  1. Determine the rights profiles that you have been assigned.

    In the following example, the user is assigned several rights profiles. The system reads the rights profiles and their contents in order. For all attributes except authorizations, the first explicitly set attribute value is the one that is used. For more information, see Order of Search for Assigned Security Attributes.

    % profiles
    Audit Review
    Console User
    Suspend To RAM
    Suspend To Disk
    Brightness
    CPU Power Management
    Network Autoconf
    Desktop Print Management
    Network Wifi Info
    Desktop Removable Media User
    Basic Solaris User
    All
  2. Determine your rights from the Audit Review profile.
    % profiles -l
    Audit Review
    
      solaris.audit.read
      
      /usr/sbin/auditreduce  euid=0
      /usr/sbin/auditstat    euid=0
      /usr/sbin/praudit      euid=0

    The Audit Review rights profile enables you to run the auditreduce, auditstat, and praudit commands with the effective UID of 0, and assigns you the solaris.audit.read authorization.

Example 9-35 Determining the Privileged Commands of a Role

In this example, a user assumes an assigned role and lists the commands that are included in one of the rights profiles.

% roles
devadmin
% su - devadmin
Password: <Type devadmin password>
$ profiles -l
Device Security
          /usr/bin/kbd        uid=0;gid=sys
          /usr/sbin/add_allocatable    euid=0
          /usr/sbin/add_drv        uid=0
          /usr/sbin/devfsadm        uid=0
          /usr/sbin/eeprom        uid=0
          /usr/sbin/list_devices        euid=0
          /usr/sbin/rem_drv        uid=0
          /usr/sbin/remove_allocatable    euid=0
          /usr/sbin/strace        euid=0
          /usr/sbin/update_drv        uid=0

Example 9-36 Running the Privileged Commands in Your Role

In the following example, the admin role can change the owner and group of the useful.script file, which the user jdoe cannot do.

% whoami
jdoe
% ls -l useful.script
-rwxr-xr-- 1 elsee eng 262 Apr 2 10:52 useful.script
% chgrp admin useful.script
chgrp: useful.script: Not owner
% su - admin
Password: <Type admin password>
$ chgrp admin useful.script
$ chown admin useful.script
$ ls -l useful.script
-rwxr-xr-- 1 admin admin 262 Apr 2 10:53 useful.script
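The listing that profiles -l produces is easiest to audit once it is broken into records, for example to answer the question "which commands can this user or role run as root?". The following script is an added example and is not code from the Oracle Solaris documentation. It parses a listing constructed in the format shown in step 2 and Example 9-35; the names records, as_root, attrs_of and count_root are its own. It assumes the profile-name-in-column-1 format shown on this page; if your release prints profile names indented under a user header, adjust the first awk rule.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: turn `profiles -l`
# output into one record per entry so the privileged commands a user or role
# can run are easy to search, for instance for everything that runs with
# uid=0 or euid=0. The listing below is constructed in the page's format
# (the Audit Review profile from step 2 and Device Security from
# Example 9-35); on Oracle Solaris the script reads `profiles -l` instead.

SAMPLE='Audit Review

  solaris.audit.read

  /usr/sbin/auditreduce  euid=0
  /usr/sbin/auditstat    euid=0
  /usr/sbin/praudit      euid=0
Device Security
          /usr/bin/kbd        uid=0;gid=sys
          /usr/sbin/add_allocatable    euid=0
          /usr/sbin/add_drv        uid=0
          /usr/sbin/devfsadm        uid=0
          /usr/sbin/eeprom        uid=0
          /usr/sbin/list_devices        euid=0
          /usr/sbin/rem_drv        uid=0
          /usr/sbin/remove_allocatable    euid=0
          /usr/sbin/strace        euid=0
          /usr/sbin/update_drv        uid=0'

# records TEXT: print "profile<TAB>kind<TAB>name<TAB>attributes". Profile names
# start in column 1 (assumption: the format shown on this page); indented
# entries are commands when they begin with a path and authorizations
# otherwise. The attribute string is what exec_attr holds for the command
# (uid= sets the real UID, euid= only the effective one, privs= adds privileges).
records() {
    printf '%s\n' "$1" | awk '
        NF == 0    { next }
        /^[^ \t]/  { prof = $0; next }
        $1 ~ /^\// { attrs = ""
                     for (i = 2; i <= NF; i++) attrs = attrs (i > 2 ? " " : "") $i
                     printf "%s\t%s\t%s\t%s\n", prof, "cmd", $1, attrs; next }
                   { printf "%s\t%s\t%s\t%s\n", prof, "auth", $1, "" }'
}

# as_root TEXT: commands that run with real or effective UID 0, printed as
# "profile<TAB>command<TAB>attributes".
as_root() {
    records "$1" | awk -F'\t' '$2 == "cmd" && $4 ~ /(^|;)e?uid=0(;|$)/ { print $1 "\t" $3 "\t" $4 }'
}

# attrs_of TEXT COMMAND: the attribute string for COMMAND, empty if no profile
# in the listing grants it.
attrs_of() {
    records "$1" | awk -F'\t' -v c="$2" '$2 == "cmd" && $3 == c { print $4 }'
}

# count_root TEXT: how many commands in the listing run as UID 0.
count_root() {
    as_root "$1" | wc -l | tr -d ' '
}

# On Oracle Solaris read the live listing; elsewhere fall back to the sample.
if [ "$(uname -s)" = SunOS ] && command -v profiles >/dev/null 2>&1; then
    LISTING=$(profiles -l)
else
    LISTING=$SAMPLE
fi
echo "$(count_root "$LISTING") commands run with UID 0:"
as_root "$LISTING"
```

Run it as the user or role you are auditing; everything it prints under as_root is a command that the account can run with root identity from a profile shell, which is the list worth reviewing when a profile such as All or a cloned system profile has been assigned.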

How to Determine the Privileges on a Process

This procedure shows how to determine which privileges are available to your processes. The listing does not include privileges that have been assigned to particular commands.

Example 9-37 Determining the Privileges in Your Current Shell

In the following example, the privileges of the user's current shell process ($$) are listed. The second command lists the full names of the privileges instead of the set shorthand. The single letters in the output refer to the following privilege sets:

E    The effective privilege set.
I    The inheritable privilege set.
P    The permitted privilege set.
L    The limit privilege set.

% ppriv $$
1200:   -csh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all
% ppriv -v $$
1200:   -csh
flags = <none>
        E: file_link_any,net_access,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,net_access,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,net_access,proc_exec,proc_fork,proc_info,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time

Example 9-38 Determining the Privileges of a Role That You Can Assume

In the following example, the role sysadmin has no directly assigned privileges.

% su - sysadmin
Password: <Type sysadmin password>
$ /usr/bin/whoami
sysadmin
$ ppriv -v $$
1400:   pfksh
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_session
        I: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_session
        P: file_link_any,file_read,file_write,net_access,proc_exec,proc_fork,
           proc_info,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,win_upgrade_sl
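Reading the four sets by eye does not directly answer the questions that Examples 9-33, 9-34, 9-37 and 9-38 pose: which privileges were directly assigned beyond the basic set, and which basic privileges have been taken away. The following script is an added example, not code from the Oracle Solaris documentation. It parses ppriv -v output, including the short basic/all form and the wrapped continuation lines, and compares the effective set against the basic set. The sample listings are constructed in the page's format, the function names are its own, and the basic set it uses as a baseline is an assumption about Oracle Solaris 11 that you should verify on your own system.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: parse `ppriv -v`
# output into its E/I/P/L sets and report what differs from the basic set,
# which is exactly the directly assigned (or removed) privileges that the
# procedures above ask you to find. The three listings are constructed in the
# format of Examples 9-33, 9-37 and 9-38 so the script runs on any POSIX
# system; on Oracle Solaris it reads the live shell instead.

# Assumption: the Oracle Solaris 11 basic set. It is used to expand the
# "basic" keyword that ppriv prints without -v and as the comparison baseline.
BASIC="file_link_any file_read file_write net_access proc_exec proc_fork proc_info proc_session"

# Constructed: a user whose account has proc_clock_highres directly assigned.
SAMPLE_USER='1800:   pfksh
flags = <none>
        E: file_link_any,file_read,file_write,net_access,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_session
        I: file_link_any,file_read,file_write,net_access,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_session
        P: file_link_any,file_read,file_write,net_access,proc_clock_highres,proc_exec,proc_fork,proc_info,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,sys_time'

# Constructed: the short form that ppriv prints without -v (Example 9-37).
SAMPLE_SHORT='1200:   -csh
flags = <none>
        E: basic
        I: basic
        P: basic
        L: all'

# Constructed: a restricted role whose basic set lacks net_access; ppriv wraps
# long sets onto indented continuation lines, as in Example 9-38.
SAMPLE_RESTRICTED='1400:   pfksh
flags = <none>
        E: file_link_any,file_read,file_write,proc_exec,proc_fork,
           proc_info,proc_session
        I: file_link_any,file_read,file_write,proc_exec,proc_fork,
           proc_info,proc_session
        P: file_link_any,file_read,file_write,proc_exec,proc_fork,
           proc_info,proc_session
        L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,sys_time'

# priv_set SET TEXT: print the members of set SET (E, I, P or L) from ppriv
# output TEXT, one per line. Continuation lines are folded into the current
# set, and the "basic" keyword is expanded to $BASIC.
priv_set() {
    printf '%s\n' "$2" | awk -v want="$1" -v basic="$BASIC" '
        /^[ \t]*[EIPL]:/ { cur = substr($1, 1, 1)
                           sub(/^[ \t]*[EIPL]:[ \t]*/, "")
                           sets[cur] = sets[cur] $0; next }
        /^[ \t]+[a-z]/ && cur != "" { gsub(/[ \t]/, ""); sets[cur] = sets[cur] $0 }
        END {
            n = split(sets[want], a, ",")
            for (i = 1; i <= n; i++) {
                if (a[i] == "basic") { m = split(basic, b, " "); for (j = 1; j <= m; j++) print b[j] }
                else if (a[i] != "") print a[i]
            }
        }'
}

# has_priv SET PRIV TEXT: succeed if PRIV is a member of SET.
has_priv() {
    priv_set "$1" "$3" | grep -qxF "$2"
}

# extra_privs TEXT: privileges in E beyond the basic set, i.e. the ones that
# were directly assigned to the user or role.
extra_privs() {
    for p in $(priv_set E "$1"); do
        case " $BASIC " in
            *" $p "*) ;;
            *) printf '%s\n' "$p" ;;
        esac
    done
}

# missing_basic TEXT: basic privileges that are absent from E, i.e. the ones
# an administrator removed from this user or role.
missing_basic() {
    for p in $BASIC; do
        has_priv E "$p" "$1" || printf '%s\n' "$p"
    done
}

# On Oracle Solaris inspect the current shell; elsewhere fall back to the sample.
if [ "$(uname -s)" = SunOS ] && command -v ppriv >/dev/null 2>&1; then
    LISTING=$(ppriv -v $$)
else
    LISTING=$SAMPLE_USER
fi
echo "directly assigned: $(extra_privs "$LISTING" | tr '\n' ' ')"
echo "removed from basic: $(missing_basic "$LISTING" | tr '\n' ' ')"
```

A non-empty "directly assigned" line is the situation the Caution above warns about: those privileges are live in every process the account starts, not only in commands that a rights profile wraps.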

How to Determine Which Privileges a Program Requires

Before You Begin

The command or process must fail for this debugging procedure to work.

  1. Type the command that is failing as an argument to the ppriv debugging command.
    % ppriv -eD touch /etc/acct/yearly
    touch[5245]: missing privilege "file_dac_write"
         (euid = 130, syscall = 224) needed at zfs_zaccess+0x258
    touch: cannot create /etc/acct/yearly: Permission denied 
  2. Determine which system call is failing by finding the syscall number in the /etc/name_to_sysnum file.
    % grep 224 /etc/name_to_sysnum
    creat64                 224

Example 9-39 Using the truss Command to Examine Privilege Use

The truss command can debug privilege use in a regular shell. For example, the following command debugs the failing touch process:

% truss -t creat touch /etc/acct/yearly
creat64("/etc/acct/yearly", 0666)            
                       Err#13 EACCES [file_dac_write]
touch: /etc/acct/yearly cannot create

The extended /proc interfaces report the missing privilege after the error code in truss output.

Example 9-40 Using the ppriv Command to Examine Privilege Use in a Profile Shell

In this example, the jdoe user can assume the role objadmin. The objadmin role includes the Object Access Management rights profile. This rights profile allows the objadmin role to change the ownership and permissions of files that objadmin does not own.

In the following excerpt, jdoe fails to change the owner of the useful.script file:

jdoe% ls -l useful.script
-rw-r--r--  1 aloe  staff  2303 Apr 10 10:10 useful.script
jdoe% chown objadmin useful.script
chown: useful.script: Not owner
jdoe% ppriv -eD chown objadmin useful.script
chown[11444]: missing privilege "file_chown" 
            (euid = 130, syscall = 16) needed at zfs_zaccess+0x258
chown: useful.script: Not owner

When jdoe assumes the objadmin role, the owner and then the group of the file are changed:

jdoe% su - objadmin
Password: <Type objadmin password>
$ ls -l useful.script
-rw-r--r--  1 aloe  staff  2303 Apr 10 10:10 useful.script
$ chown objadmin useful.script
$ ls -l useful.script
-rw-r--r--  1 objadmin  staff  2303 Apr 10 10:10 useful.script
$ chgrp admin useful.script
$ ls -l useful.script
-rw-r--r--  1 objadmin  admin  2303 Apr 10 10:11 useful.script

Example 9-41 Changing a File Owned by the root User

This example illustrates the protections against privilege escalation. For a discussion, see Prevention of Privilege Escalation. The file is owned by the root user. The objadmin role is less powerful than root, and changing the ownership of a root-owned file would require every privilege, so the operation fails and ppriv reports the missing privilege as ALL.

jdoe% su - objadmin
Password: <Type objadmin password>
$ cd /etc; ls -l system
-rw-r--r--  1 root  sys   1883 Oct 10 10:20 system
$ chown objadmin system
chown: system: Not owner
$ ppriv -eD chown objadmin system
chown[11481]: missing privilege "ALL" 
     (euid = 101, syscall = 16) needed at zfs_zaccess+0x258
chown: system: Not owner
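The output of ppriv -eD and truss in Examples 9-39 through 9-41 carries everything needed to decide what to add to a rights profile: the program, the missing privilege, the effective UID and the system call number. The following script is an added example, not code from the Oracle Solaris documentation. It parses those lines, maps the syscall number through the /etc/name_to_sysnum format from step 2, and treats the special "ALL" case of Example 9-41 as what it is, an escalation refusal that no single privilege will fix. The diagnostic lines and the name_to_sysnum excerpt are constructed from the page's output; the function names are its own.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation: extract the missing
# privilege, the calling program, its effective UID and the failing system call
# from `ppriv -eD` output, translate the syscall number with the
# /etc/name_to_sysnum format, and read the privilege that truss appends after
# the errno. The diagnostic lines and the name_to_sysnum excerpt below are
# constructed from the page's Examples 9-39, 9-40 and 9-41 so the script runs
# on any POSIX system; on Oracle Solaris pass real output to the functions and
# the contents of /etc/name_to_sysnum as the table.

# Constructed excerpt in /etc/name_to_sysnum format (name, number); the numbers
# are the ones shown in the page's ppriv output.
SYSNUM='#
# syscall name to number mapping (excerpt)
#
chown                   16
creat64                 224'

# Constructed: one-line form as ppriv prints it (the page wraps it for width).
SAMPLE_PPRIV='touch[5245]: missing privilege "file_dac_write" (euid = 130, syscall = 224) needed at zfs_zaccess+0x258
touch: cannot create /etc/acct/yearly: Permission denied'

# Constructed: the wrapped two-line form exactly as printed on the page.
SAMPLE_WRAPPED='chown[11444]: missing privilege "file_chown"
            (euid = 130, syscall = 16) needed at zfs_zaccess+0x258
chown: useful.script: Not owner'

# Constructed: the escalation case, where no single privilege would do.
SAMPLE_ALL='chown[11481]: missing privilege "ALL" (euid = 101, syscall = 16) needed at zfs_zaccess+0x258
chown: system: Not owner'

# Constructed: truss -t creat output with the privilege after the errno.
SAMPLE_TRUSS='creat64("/etc/acct/yearly", 0666)            Err#13 EACCES [file_dac_write]
touch: /etc/acct/yearly cannot create'

# parse_ppriv TEXT: print "program privilege euid syscall" per missing-privilege
# event; an event split over two lines is joined before it is parsed.
parse_ppriv() {
    printf '%s\n' "$1" | awk '
        /missing privilege/ {
            ev = $0
            if (ev !~ /syscall =/) { if ((getline nxt) > 0) ev = ev " " nxt }
            prog = ev; sub(/\[.*/, "", prog)
            priv = ev; sub(/.*missing privilege "/, "", priv); sub(/".*/, "", priv)
            euid = ev; sub(/.*euid = /, "", euid); sub(/[^0-9].*/, "", euid)
            sc = ev;   sub(/.*syscall = /, "", sc);  sub(/[^0-9].*/, "", sc)
            print prog, priv, euid, sc
        }'
}

# sysname NUMBER TABLE: name of syscall NUMBER in TABLE (name_to_sysnum format).
sysname() {
    printf '%s\n' "$2" | awk -v n="$1" '
        /^#/    { next }
        $2 == n { print $1; found = 1; exit }
        END     { if (!found) print "unknown" }'
}

# parse_truss TEXT: print "syscall errno privilege" for each truss line that
# reports a privilege in brackets after the error code.
parse_truss() {
    printf '%s\n' "$1" | awk '/Err#[0-9]+ [A-Z]+ \[[a-z_]+[]]/ {
        call = $0; sub(/\(.*/, "", call)
        err = $0;  sub(/.*Err#[0-9]+ /, "", err); sub(/ .*/, "", err)
        priv = $0; sub(/.*\[/, "", priv); sub(/[]].*/, "", priv)
        print call, err, priv }'
}

# explain PPRIV_TEXT TABLE: one readable line per event. "ALL" is the kernel's
# escalation protection (Example 9-41): the operation would need every
# privilege, so no single privilege added to a profile will make it succeed.
explain() {
    parse_ppriv "$1" | while read -r prog priv euid sc; do
        name=$(sysname "$sc" "$2")
        if [ "$priv" = ALL ]; then
            printf '%s: %s (syscall %s) refused, it would need every privilege\n' "$prog" "$name" "$sc"
        else
            printf '%s: %s (syscall %s) needs %s (euid %s)\n' "$prog" "$name" "$sc" "$priv" "$euid"
        fi
    done
}

explain "$SAMPLE_PPRIV" "$SYSNUM"
explain "$SAMPLE_WRAPPED" "$SYSNUM"
explain "$SAMPLE_ALL" "$SYSNUM"
parse_truss "$SAMPLE_TRUSS"
```

The privilege name that parse_ppriv returns is the value to put in the privs= attribute of the command's rights-profile entry; when it returns ALL, the fix is not a privilege but a different design, for example running the command as a role that owns the object.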

How to Apply Extended Privilege Policy to a Port

The Network Time Protocol (NTP) service binds the privileged UDP port 123. Binding any privileged port requires the net_privaddr privilege, and a plain grant of that privilege covers every privileged port. This procedure confines the grant to port 123, so that an attacker who compromises the service and inherits its privileges cannot bind any other privileged port.

  1. Read the default service manifest entry for the port.

    The following entry from /lib/svc/manifest/network/ntp.xml starts the service with the basic set minus three privileges, plus the net_privaddr, proc_lock_memory, and sys_time privileges:

    privileges='basic,!file_link_any,!proc_info,!proc_session,
    net_privaddr,proc_lock_memory,sys_time'

    The removed privileges prevent the service from signaling or observing any other processes, and from creating hard links as a way of renaming files. As written, however, net_privaddr lets the service, and any process that an exploit of the service starts, bind to any privileged port.

  2. Limit the net_privaddr privilege to this port only.

    The extended privilege policy in the following excerpt restricts net_privaddr to UDP port 123:

    privileges='basic,!file_link_any,!proc_info,!proc_session,
    {net_privaddr}:123/udp,proc_lock_memory,sys_time'

    The process that the service starts can now bind only to port 123, not to any other privileged port. If an attacker could exploit the service to start another process, that child process would also be unable to bind any other privileged port.
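A mistake in a method_credential privileges string is silent until an attacker finds it, so it is worth checking the string mechanically before and after the change. The following script is an added example, not code from the Oracle Solaris documentation or the ntp manifest. It classifies each entry of the privileges attribute, fails when net_privaddr is granted without an extended policy, rewrites the default string from step 1 into the pinned form of step 2, and, on Oracle Solaris only, stores it with svccfg. The FMRI svc:/network/ntp:default, the start/privileges property name and the svccfg, svcadm and svcprop invocations are assumptions about the system rather than statements from this page; confirm them with svcprop before relying on them.

```shell
#!/bin/sh
# Added example, not from the Oracle Solaris documentation or the ntp manifest:
# a lint for the privileges string of an SMF method_credential. It splits the
# string on commas, classifies each entry as a grant, a removal ("!priv") or an
# extended policy ("{priv}:object"), fails when net_privaddr is granted without
# being pinned to a port, and can rewrite a plain grant into the pinned form.
# BEFORE and AFTER are the two strings from the page. apply_policy uses svccfg,
# svcadm and svcprop with the FMRI svc:/network/ntp:default and the
# start/privileges property; those names are assumptions about the Oracle
# Solaris system, and the function is not called outside Solaris.

BEFORE='basic,!file_link_any,!proc_info,!proc_session,net_privaddr,proc_lock_memory,sys_time'
AFTER='basic,!file_link_any,!proc_info,!proc_session,{net_privaddr}:123/udp,proc_lock_memory,sys_time'

# describe STRING: one line per entry, "grant NAME", "drop NAME" or "limit NAME OBJECT".
describe() {
    printf '%s\n' "$1" | tr ',' '\n' | awk '
        /^!/              { print "drop", substr($0, 2); next }
        /^[{][a-z_]+[}]:/ { name = $0; sub(/^[{]/, "", name); sub(/[}].*/, "", name)
                            obj = $0;  sub(/^[^:]*:/, "", obj)
                            print "limit", name, obj; next }
        NF                { print "grant", $0 }'
}

# unrestricted STRING PRIV: succeed if PRIV is granted with no extended policy.
unrestricted() {
    describe "$1" | grep -qxF "grant $2"
}

# dropped STRING PRIV: succeed if PRIV is explicitly removed from the basic set.
dropped() {
    describe "$1" | grep -qxF "drop $2"
}

# check STRING: fail if the service could bind any privileged port, or if it
# kept the basic privileges that let it observe or signal other processes.
check() {
    rc=0
    if unrestricted "$1" net_privaddr; then
        echo "net_privaddr is unrestricted: the service could bind any privileged port" >&2
        rc=1
    fi
    for p in proc_info proc_session; do
        dropped "$1" "$p" || { echo "$p is still in the basic set" >&2; rc=1; }
    done
    return $rc
}

# pin STRING PRIV OBJECT: rewrite a plain grant of PRIV as {PRIV}:OBJECT.
pin() {
    printf '%s\n' "$1" | awk -F',' -v OFS=',' -v p="$2" -v o="$3" '
        { for (i = 1; i <= NF; i++) if ($i == p) $i = "{" p "}:" o; print }'
}

# apply_policy STRING: store STRING as the start method's privileges on the NTP
# service, restart it and show the resulting property (Oracle Solaris only;
# FMRI and property name are assumptions).
apply_policy() {
    check "$1" || return 1
    svccfg -s svc:/network/ntp:default "setprop start/privileges = astring: \"$1\"" &&
    svcadm refresh svc:/network/ntp:default &&
    svcadm restart svc:/network/ntp:default &&
    svcprop -p start/privileges svc:/network/ntp:default
}

echo "default manifest entry:"
describe "$BEFORE"
check "$BEFORE" || echo "rewrite as: $(pin "$BEFORE" net_privaddr 123/udp)"
echo "pinned entry passes: $(check "$AFTER" && echo yes || echo no)"
```

After applying the policy on Oracle Solaris, confirm it on the running daemon with ppriv -v on its process ID rather than trusting the property alone; a policy in the repository that the service has not been restarted under protects nothing.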

How to Run a Shell Script With Privileged Commands

When you create a shell script that runs commands that require privilege, the appropriate rights profile must contain the commands with privileges assigned to them.

Before You Begin

You must assume the root role. For more information, see How to Use Your Assigned Administrative Rights.

  1. Start the script with /bin/pfsh, or any other profile shell, on the first line.
    #!/bin/pfsh
    # Copyright (c) 2012 by Oracle
  2. Determine the privileges that the commands in the script need.
    % ppriv -eD script-full-path
  3. Become an administrator with the required security attributes.

    For more information, see How to Use Your Assigned Administrative Rights.

  4. Create or modify a rights profile for the script.

    Add the shell script, and the commands in the shell script, with their required security attributes to the rights profile. For the steps, see How to Create a Rights Profile.

  5. Add the rights profile to a role and assign the role to a user.

    To run the script, the user assumes the role and runs the script in the role's profile shell.