HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2
Table 4-3 Available Privileges (continued)
Privilege             Description
PRIV_LIMIT            Allows a process to set resource and priority limits beyond the maximum
                      limit values.
PRIV_LOCKRDONLY       Allows a process to set the locks of files with read-only permissions.
PRIV_MKNOD            Allows a process to create character or block special files using mknod(2).
PRIV_MLOCK            Allows a process to access the plock system call.
PRIV_MOUNT            Allows a process to mount and unmount a file system.
PRIV_MPCTL            Allows a process to change processor binding, locality domain binding,
                      or launch policy.
PRIV_NETADMIN         Allows a process to perform network administrative operations including
                      configuring the network routing tables and querying interface information.
PRIV_NETPRIVPORT      Allows a process to bind to a privileged port. By default, port numbers
                      0-1023 are privileged ports.
PRIV_NETPROMISCUOUS   Allows a process to configure an interface to listen in promiscuous mode.
PRIV_NETRAWACCESS     Allows a process to access the raw Internet network protocols.
PRIV_OBJSUID          Allows a process to set the suid or sgid bits on a file.
PRIV_OWNER            Allows a process to override all restrictions with respect to UID matching
                      the owner of the file or resource.
PRIV_PSET             Allows a process to change the system pset configuration.
PRIV_REBOOT           Allows a process to perform reboot operations.
PRIV_RTPRIO           Allows a process to access the rtprio system call.
PRIV_RTPSET           Allows a process to control RTP psets.
PRIV_RTSCHED          Allows a process to set POSIX.4 real-time priorities.
PRIV_RULESCONFIG      Allows a process to add and modify compartment rules on the system.
PRIV_SELFAUDIT        Allows a process to generate auditing records for itself using audwrite(2).
PRIV_SERIALIZE        Allows a process to force a target process to run serially with other
                      processes configured with the PRIV_SERIALIZE privilege.
PRIV_SPUCTL           Allows a process to do certain administrative operations in the Instant
                      Capacity product.
PRIV_SYSATTR          Allows a process to manage system attributes, including the setting of
                      tunables, modifying the host name, domain name, and user quotas.
PRIV_SYSNFS           Allows a process to perform NFS operations like exporting a file system,
                      the getfh(2) system call, NFS file locking, revoking NFS authentication,
                      and creating an NFS kernel daemon thread.
PRIV_TRIALMODE        Allows a process to log trial mode information to the syslog file.

Configuring Applications with Fine-Grained Privileges
Applications that are written or modified to support fine-grained privileges are called
privilege-aware applications. You must register privilege-aware applications using the
setfilexsec command. Complete this registration process when you install and configure
privilege-aware applications using the SD-UX utilities.
Older HP-UX applications, or legacy applications, are not privilege-aware. You can configure
legacy applications that run with UID=0 to run with fine-grained privileges. To configure legacy