privileges.5 (2010 09)

privileges(5) privileges(5)
Depending on what kind of restricted tasks an application performs, the application can raise the
corresponding privilege needed before doing the task and then lower the privilege after completing the
task. This practice is called privilege bracketing . It is recommended that a process run with the smallest
possible privilege set at any given time.
Associating Privileges with Processes
Each process has three privilege sets associated with it. These sets are as follows:
Permitted Privilege Set
The maximum set of privileges that a process can raise. The process can remove any privilege
from this set, but cannot add a privilege to this set. The privileges from this set can be added
to the effective privilege set of the process. This set is also often referred to as the Potential
Privilege Set.
Effective Privilege Set
The set of privileges that are currently active for the process. A process can modify this set to
keep only the necessary privileges in this set at any given time. Any privilege in this set can
be removed, but only privileges in the process permitted privilege set can be added. A process
Effective Privilege Set is always a subset of its Permitted Privilege Set.
Retained Privilege Set
The set of privileges retained when a process calls execve() (see execve (2)). The process can
remove any privilege from this set, but cannot add any privilege to this set. A process
Retained Privilege Set is always a subset of the Permitted Privilege Set.
These sets can be managed using the library calls priv_add_effective(), priv_remove(), and
priv_get() (see priv_add_effective (3), priv_remove (3), and priv_get (3)).
Discretionary Restrictions
Discretionary restrictions are the restrictions imposed by the traditional file mode access permissions.
Thus, the privileges PRIV_DACREAD and PRIV_DACWRITE allow read, search, execute, and write
operations to proceed even if the file mode permissions forbid it. The PRIV_OWNER privilege allows a
process that is not the owner of a file or directory to remove the file or directory whose parent directory
has the sticky bit set. The PRIV_OWNER privilege also allows a process that is not the owner of a System
V IPC message queue, semaphore set, or shared memory segment to remove, change ownership of, or
change permission bits for that object.
Trial Mode
This is a facility provided by the system to aid in reporting the list of privileges that a process has used
during its lifetime. A developer can use this feature to verify what privileges an application needs to
operate. When a process that has the trial mode privilege attempts to use any privilege (by making a
system call that uses that privilege), an entry is logged to syslog; taken together, these entries form the
list of privileges used.
Compatibility
A process with an effective user ID of zero is, by default, treated as possessing root replacement
privileges. The compartmentalization feature may further restrict this interpretation of effective user ID
such that the process is treated as though it has only a specified subset of root replacement privileges.
For more details, see the description of "Process Limitation Rules" in compartments (4).
More formally, a process is said to observe a privilege if and only if one or more of the following
conditions hold:
The privilege is present in its effective privilege set, or
The privilege is a root replacement privilege, the effective uid of the process is zero, and
compartmentalization is not enabled, or
The privilege is a root replacement privilege, the effective uid of the process is zero,
compartmentalization is enabled, and the privilege is not a disallowed privilege in the process’s compartment.
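The following is an added, constructed model of the rules described above (the three privilege sets, privilege bracketing, and the "observe" conditions); it is not the HP-UX API or the vendor's code, and the bitmask representation, the privilege names used as bits, and the root replacement set are assumptions for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of privileges(5) semantics; not the HP-UX priv_*() API.
 * Privileges are bits in a mask; these names are placeholders, not real values. */
typedef uint64_t privset_t;
enum { P_DACREAD = 1u << 0, P_DACWRITE = 1u << 1, P_OWNER = 1u << 2 };

struct proc {
    privset_t permitted, effective, retained;  /* effective, retained are subsets of permitted */
    unsigned euid;
    bool compart_enabled;                      /* compartmentalization in effect? */
    privset_t compart_disallowed;              /* privileges disallowed in its compartment */
};

/* Assumed root replacement set: what euid 0 is treated as possessing by default. */
static const privset_t ROOT_REPLACEMENT = P_DACREAD | P_DACWRITE | P_OWNER;

/* Add to the effective set: only privileges already in the permitted set qualify. */
static bool add_effective(struct proc *p, privset_t s) {
    if (s & ~p->permitted) return false;       /* effective may never exceed permitted */
    p->effective |= s;
    return true;
}

/* Removing from the effective set is always allowed. */
static void remove_effective(struct proc *p, privset_t s) { p->effective &= ~s; }

/* Removing from permitted also shrinks effective and retained to keep the subset rules. */
static void remove_permitted(struct proc *p, privset_t s) {
    p->permitted &= ~s; p->effective &= ~s; p->retained &= ~s;
}

/* The three "observe" conditions from the Compatibility section. */
static bool observes(const struct proc *p, privset_t priv) {
    if (p->effective & priv) return true;
    if (!(ROOT_REPLACEMENT & priv) || p->euid != 0) return false;
    if (!p->compart_enabled) return true;
    return !(p->compart_disallowed & priv);
}

/* Privilege bracketing: raise only around the restricted task, then lower again.
 * Returns true if the task ran while the privilege was observed. */
static bool bracketed(struct proc *p, privset_t priv) {
    if (!add_effective(p, priv)) return false;
    bool ok = observes(p, priv);               /* the restricted operation would go here */
    remove_effective(p, priv);                 /* drop it as soon as the task is done */
    return ok;
}
```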
SYSTEM PRIVILEGE REQUIREMENTS
This section provides tables that list the privileges that may be required where the corresponding man
pages specify "appropriate privileges" to perform certain operations or to operate in certain conditions.
For each system call, the table lists what privileges can potentially affect the system call’s behavior,
HP-UX 11i Version 3: September 2010 5 Hewlett-Packard Company 5