privileges.5 (2010 09)

ManualsBrandsHP ManualsSoftwareHP-UX Manpages

privileges(5) privileges(5)

POLICY.

Policy Conﬁguration Privileges

Policy conﬁguration privileges control how privileges are conﬁgured. There are two such privileges,

PRIV_CHANGEFILEXSEC

and PRIV_RULESCONFIG

. These privileges are not granted by default to

processes with an effective user ID of zero. These privileges comprise part of the set of privileges in the

compound privilege

POLICY.

Process Attribute Privileges

Process attribute privileges are privileges only in the sense that they are manipulated like other

privileges.

PRIV_TRIALMODE

is the only member of this set. This privilege is not granted by default to

processes with an effective user ID of zero.

Compound Privileges

Compound privileges are a shorthand way of specifying a predeﬁned set of simple privileges. These com-

pound privileges are subject to redeﬁnition in future releases to allow for the creation of new privileges.

The compound privileges are deﬁned as follows:

BASIC Refers to the Basic Privileges.

BASICROOT Refers to the union of Basic Privileges and Root Replacement Privileges.

POLICY Refers to the Policy Override Privileges and the Policy Conﬁguration Privileges.

Privilege Descriptions

The following list speciﬁes privilege names and their primary purpose.

PRIV_ACCOUNTING (ACCOUNTING)

Allows a process to control the process accounting system (see acct (2)).

PRIV_AUDCONTROL (AUDCONTROL)

Allows a process to start, modify, and stop the auditing system.

PRIV_CHANGECMPT (CHANGECMPT)

Grants a process the ability to change its compartment. (See compartments (5) and

cmpt_tune (1M) to determine if this extended feature is enabled.)

PRIV_CHANGEFILEXSEC (CHANGEFILEXSEC)

Allows a process to grant privileges to binaries.

PRIV_CHOWN (CHOWN)

Allows access to the chown() system calls (see chown(2)).

PRIV_CHROOT (CHROOT)

Allows a process to change its root directory.

PRIV_CHSUBJIDENT (CHSUBJIDENT)

Allows a process to change it UIDs, GIDs, and group lists. Also allows a process to chown a

ﬁle and leave the suid or sgid bits set on the ﬁle, if present.

PRIV_CMPTREAD (CMPTREAD)

Allows a process to open a ﬁle or directory for reading, executing (in the case of a ﬁle), or

searching (in the case of a directory), bypassing compartment rules that would otherwise not

permit the operation. (See compartments (5) and cmpt_tune (1M) to determine if this extended

feature is enabled.)

PRIV_CMPTWRITE (CMPTWRITE)

Allows a process to write into a ﬁle or directory, bypassing compartment rules that would oth-

erwise not permit the operation. (See compartments (5) and cmpt_tune (1M) to determine if

this extended feature is enabled.)

PRIV_COMMALLOWED (COMMALLOWED)

Allows a process to override compartment rules in the IPC and networking subsystems. (See

compartments (5) and cmpt_tune (1M) to determine if this extended feature is enabled.)

PRIV_DACREAD (DACREAD)

Allows the process to override all discretionary read, execute, and search access restrictions.

See Discretionary Restrictions for more information.

2 Hewlett-Packard Company − 2 − HP-UX 11i Version 3: September 2010