privileges.5 (2011 09)

privileges(5) privileges(5)
To maintain backward compatibility, each string representation of PRIV_SYSATTR, PRIV_MOUNT, and
PRIV_DEVOPS becomes a compound privilege. The numeric representation is redefined to one of the
new privileges, which now provides only a subset of the capabilities that the compound privileges used to
offer.
For example, if the HP-UX ContainmentPlus product (version B.11.31.02 or later) is not installed on the
system, the PRIV_SYSATTR privilege is required to call the functions settimeofday() and sethostname().
Therefore, a process that has the PRIV_SYSATTR privilege can call both functions. If the HP-UX
ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the PRIV_SYSATTR
compound privilege is divided into two privileges: PRIV_CORESYSATTR and PRIV_HOSTATTR. The
PRIV_CORESYSATTR privilege is required to call the settimeofday() function, while the PRIV_HOSTATTR
privilege is required to call the sethostname() function. Therefore, if the HP-UX ContainmentPlus product
(version B.11.31.02 or later) is installed on the system, a process that has the PRIV_CORESYSATTR
privilege can call the settimeofday() function but cannot call the sethostname() function.
At the same time, if the HP-UX ContainmentPlus product (version B.11.31.02 or later) is not installed on
the system, the numeric representation for the PRIV_SYSATTR privilege is 60. If the HP-UX
ContainmentPlus product (version B.11.31.02 or later) is installed on the system, the numeric
representation for the PRIV_CORESYSATTR privilege is also 60. Although they have the same numeric
representation, the new privilege PRIV_CORESYSATTR offers only a subset of the capabilities (for
example, calling settimeofday()) that PRIV_SYSATTR used to offer (for example, calling settimeofday()
and sethostname()).
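The following added example (not part of the HP-UX manual page and not HP-UX code) models the rule above so that stored grants can be audited before ContainmentPlus is installed: a grant recorded by name keeps both capabilities, while a grant recorded as the number 60 narrows to settimeofday() only. The function names, the capability bits, and the acceptance of names with or without the PRIV_ prefix are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bits used by this model only; not an HP-UX encoding. */
enum { CAP_SETTIME = 1, CAP_SETHOST = 2 };

/* From the page: 60 is PRIV_SYSATTR without ContainmentPlus and
 * PRIV_CORESYSATTR with it. */
#define NUM_60 60

/* Resolve one stored grant (a name or a decimal number, as text) to the
 * calls it permits. cplus is nonzero when ContainmentPlus B.11.31.02 or
 * later is installed. Grants this model does not know resolve to 0. */
unsigned resolve(const char *grant, int cplus)
{
    char *end;
    long n = strtol(grant, &end, 10);

    if (end != grant && *end == '\0') {          /* numeric representation */
        if (n != NUM_60)
            return 0;
        return cplus ? CAP_SETTIME : (CAP_SETTIME | CAP_SETHOST);
    }
    if (strncmp(grant, "PRIV_", 5) == 0)         /* assumption: prefix optional */
        grant += 5;
    if (strcmp(grant, "SYSATTR") == 0)           /* compound once split */
        return CAP_SETTIME | CAP_SETHOST;
    if (cplus && strcmp(grant, "CORESYSATTR") == 0)
        return CAP_SETTIME;
    if (cplus && strcmp(grant, "HOSTATTR") == 0)
        return CAP_SETHOST;
    return 0;
}

/* Capabilities a stored grant loses once ContainmentPlus is installed. */
unsigned lost_after_install(const char *grant)
{
    return resolve(grant, 0) & ~resolve(grant, 1);
}

int main(void)
{
    const char *grants[] = { "PRIV_SYSATTR", "SYSATTR", "60" }; /* constructed */
    for (size_t i = 0; i < sizeof grants / sizeof *grants; i++)
        printf("%-13s %s\n", grants[i],
               (lost_after_install(grants[i]) & CAP_SETHOST)
                   ? "loses sethostname() after install" : "unchanged");
    return 0;
}
```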
Policy Override Privileges
Policy override privileges override compartment rules. There are four policy override privileges:
PRIV_CHANGECMPT, PRIV_CMPTREAD, PRIV_CMPTWRITE, and PRIV_COMMALLOWED.
These privileges are not granted by default to processes with an effective user ID of zero. These
privileges apply only to the compartments feature (see compartments(5) and cmpt_tune(1M) to determine if
this feature is enabled). These privileges comprise part of the set of privileges in the compound privilege
POLICY.
Policy Configuration Privileges
Policy configuration privileges control how privileges are configured. There are two such privileges,
PRIV_CHANGEFILEXSEC and PRIV_RULESCONFIG. These privileges are not granted by default to
processes with an effective user ID of zero. These privileges comprise part of the set of privileges in the
compound privilege POLICY.
Process Attribute Privileges
Process attribute privileges are privileges only in the sense that they are manipulated like other
privileges. PRIV_TRIALMODE is the only member of this set. This privilege is not granted by default to
processes with an effective user ID of zero.
Compound Privileges
Compound privileges are a shorthand way of specifying a predefined set of simple privileges. These
compound privileges are subject to redefinition in future releases to allow for the creation of new privileges.
The compound privileges are defined as follows:
BASIC Refers to the Basic Privileges.
BASICROOT Refers to the union of Basic Privileges and Root Replacement Privileges.
POLICY Refers to the Policy Override Privileges and the Policy Configuration Privileges.
If the HP-UX ContainmentPlus product (version B.11.31.02 or later) is installed on the system,
SYSATTR, MOUNT, and DEVOPS become compound privileges defined as follows:
SYSATTR Refers to the union of the privilege controlling core system attributes and the
privilege controlling host-related attributes.
MOUNT Refers to the union of the privilege controlling file system mounting/unmounting
and the privilege controlling swap space.
DEVOPS Refers to the union of the privilege controlling devices and pseudo terminals.
Hewlett-Packard Company    HP-UX 11i Version 3: September 2011