privileges.5 (2010 09)
p
privileges(5) privileges(5)
sgid bits, provided that the process is allowed to change the ownership of the file.
PRIV_OWNER (OWNER)
Allows a process to override all restrictions with respect to UID matching the owner of the file
or resource. See Discretionary Restrictions for more information.
PRIV_PSET (PSET)
Allows change to the system pset configuration (see pset_create (2)).
PRIV_REBOOT (REBOOT)
Allows a process to perform reboot operations.
PRIV_RTPRIO (RTPRIO)
Allows access to the rtprio() system call (see rtprio (2)).
PRIV_RTPSET (RTPSET)
Allows a process to control RTE psets (see __pset_rtctl (2)).
PRIV_RTSCHED (RTSCHED)
Allows access to the sched_setparam()
and sched_setscheduler()
to set POSIX.4
real-time priorities (see rtsched (2)).
PRIV_RULESCONFIG (RULESCONFIG)
Allows a process to add and modify compartment rules on the system. (See compartments (5)
and cmpt_tune (1M) to determine if this extended feature is enabled.)
PRIV_SELFAUDIT (SELFAUDIT)
Allows a process to generate auditing records for itself using the audwrite() system call
(see audwrite (2)).
PRIV_SERIALIZE (SERIALIZE)
Permits the use of serialize() for forcing the target process to run serially with other
processes that are also marked by this system call (see serialize (2)).
PRIV_SESSION (SESSION)
Permits creation of a new session (see setsid (2)), and setpgrp(2)).
PRIV_SPUCTL
Permits certain administrative operations in the Instant Capacity product for deactivation and
reactivation of processors. See the Instant Capacity documentation for more information.
PRIV_SYSATTR (SYSATTR)
Enables a process to manage system attributes including the setting of tunables, and modify-
ing the host name, domain name, and user quotas.
PRIV_SYSNFS (SYSNFS)
Allows a process to perform NFS operations like exporting a file system, the getfh() system
call (see getfh (2)), NFS file locking, revoking NFS authentication, and creating an NFS kernel
daemon thread.
PRIV_TRIALMODE (TRIALMODE)
Allows a process to log trial mode information to the syslog file. See Trial Mode below.
Programming with Privileges
When programming with privileges, the name associated with each privilege is the same as the name
presented here with the string
PRIV_ prefixed (that is, use the symbolic constant PRIV_ACCOUNTING
in the source code). In commands associated with privileges, the names are used without the PRIV_
prefix, although most commands may also recognize the names with the prefix.
The compound privileges
BASIC, BASICROOT, and POLICY are designed to ease development of appli-
cations that retain their functionality even though the underlying privileges changes. An application that
requires compatibility--even when the underlying set of privileges changes--ought to ensure that it does
not accidentally drop a new privilege that was added since it was developed. For example, this can be
done by dropping specific privileges from the effective set using priv_remove() (see priv_remove (3)) or
by ensuring that the compound privileges are used as argument to priv_set_effective() (see
priv_set_effective (3)).
Associating Privileges with Binaries
Applications that depend on the use of privileges must be registered using the
setfilexsec command
(see setfilexsec (1M)). For an alternate method of granting privileges, see privrun (1M)).
4 Hewlett-Packard Company − 4 − HP-UX 11i Version 3: September 2010