Manualshelf

HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

ManualsBrandsHP ManualsSoftwareHP-UX 11i Role-based Access Control (RBAC) Software
51525354555657585960
The following are compound privileges:
BASIC
Basic privileges available to all processes.
BASICROOT
Privileges that provide powers usually associated with UID=0. These privileges together
replace the power of root.
POLICY
Policy override privileges and policy configuration privileges. Policy override privileges
override compartment rules. Policy configuration privileges control the configuration of
fine-grained privileges.
For a complete list of the privileges in each of the sets described above, refer to privileges(5).
Security Implications of Fine-Grained Privileges
Fine-grained privileges are not propagated across distributed systems; they are applied only on
the local system. For example a process on one system that has PRIV_DACREAD and
PRIV_DACWRITE cannot override discretionary restrictions on another system to read or write
to a file.
Privilege Escalation
In certain situations, if you grant a process a certain privilege or set of privileges, that process
can gain additional privileges that were not explicitly granted to it. This is called privilege
escalation. For example, a process with the PRIV_DACWRITE privilege can overwrite critical
operating system files and, in the process, can grant itself additional fine-grained privileges.
Fine-Grained Privileges in HP Serviceguard Clusters
Privilege-aware applications can be monitored by HP Serviceguard. There are no changes to
Serviceguard package configuration files or Serviceguard package management to support
fine-grained privileges. No changes were made in Serviceguard scripts to facilitate the use of
fine-grained privileges.
To maintain proper Serviceguard operations when deploying HP-UX 11i Security Containment
features to Serviceguard nodes or packages:
Ensure root (UID=0) has full privileges in the INIT compartment.
Ensure fine-grained privileges implementations do not create security risks for Serviceguard
clusters.
Troubleshooting Fine-Grained Privileges
If something is not working on your system and you suspect the problem is occurring because
of fine-grained privileges, you can check your fine-grained privileges configuration as follows.
Problem 1: Even though fine-grained privileges are assigned to a binary file, processes that use
exec() to access the binary are not receiving the assigned fine-grained privileges. Solution:
Check for one of the following situations.
Is the file in question a script?
Any fine-grained privileges assigned to shell scripts are ignored.
Has the file changed since the fine-grained privileges were assigned?
When a file is modified, its fine-grained privilege attributes are lost. Run the following
command either before or after you modify the file:
# setfilexsec -d filename
Security Implications of Fine-Grained Privileges 55