HP-UX 11i Security Containment Administrator's Guide for HP-UX 11i v2

ManualsBrandsHP ManualsSoftwareHP-UX 11i Security Containment Software

Manpages

Table 4-2 “Fine-Grained Privileges Manpages” briefly describes the fine-grained privileges

manpages.

Table 4-2 Fine-Grained Privileges Manpages

DescriptionManpage

Overview of HP-UX privileges.privileges(5)

Describes fine-grained privileges interfaces.privileges(3)

Describes setfilexsec functionality and syntax.

setfilexsec(1M)

Describes getfilexsec functionality and syntax.

getfilexsec(1M)

Describes getprocxsec funtionality and syntax.

getprocxsec(1M)

Available Privileges

Table 4-3 “Available Privileges” describes each of the available privileges with the fine-grained

privileges feature.

Table 4-3 Available Privileges

DescriptionPrivilege

Allows a process to control the process accounting system.

PRIV_ACCOUNTING

Allows a process to start, modify, and stop the auditing system.

PRIV_AUDCONTROL

Grants a process the ability to change its compartment.

PRIV_CHANGECMPT

Allows a process to grant privileges to binaries.

PRIV_CHANGEFILEXSEC

Allows a process to access chown system calls.PRIV_CHOWN

Allows a process to change its root directory.

PRIV_CHROOT

Allows a process to change its UIDs, GIDs, and group lists. Also allows a

process to leave the suid or sgid bits set on the file when the chown

system call is used.

PRIV_CHSUBJIDENT

Allows a process to open a file or directory for reading, executing, or

searching, bypassing compartment rules that otherwise would not allow

these operations.

PRIV_CMPTREAD

Allows a process to write to a file or directory, bypassing compartment

rules that otherwise would not allow this operation.

PRIV_CMPTWRITE

Allows a process to override compartment rules in the IPC and networking

subsystems.

PRIV_COMMALLOWED

Allows a process to override all discretionary read, execute, and search

access restrictions.

PRIV_DACREAD

Allows a process to override all discretionary write access restrictions.

PRIV_DACWRITE

Allows a process to do device-specific administrative operations, such as

tape or disk formatting.

PRIV_DEVOPS

Allows a process to load a kernel module, get information about a loaded

kernel module, and change global search paths for a dynamically loadable

kernel module.

PRIV_DLKM

Allows a process to perform disk operations such as removing or

modifying the size or boundaries of disk partitions, or to import and export

an LVM volume group across the system.

PRIV_FSINTEGRITY

52 Fine-Grained Privileges