privileges.5 (2011 09)

privileges(5) privileges(5)
PRIV_TRIALMODE (TRIALMODE)
Allows a process to log trial mode information to the syslog file. See Trial Mode below.
Programming with Privileges
When programming with privileges, the name associated with each privilege is the same as the name presented here with the string PRIV_ prefixed (that is, use the symbolic constant PRIV_ACCOUNTING in the source code). In commands associated with privileges, the names are used without the PRIV_ prefix, although most commands may also recognize the names with the prefix.
The compound privileges BASIC, BASICROOT, and POLICY are designed to ease development of applications that retain their functionality even though the underlying privileges change. An application that requires compatibility--even when the underlying set of privileges changes--ought to ensure that it does not accidentally drop a new privilege that was added since it was developed. For example, this can be done by dropping specific privileges from the effective set using priv_remove() (see priv_remove(3)) or by ensuring that the compound privileges are used as the argument to priv_set_effective() (see priv_set_effective(3)).
Associating Privileges with Binaries
Applications that depend on the use of privileges must be registered using the setfilexsec command (see setfilexsec(1M)). For an alternate method of granting privileges, see privrun(1M).
Depending on what kind of restricted tasks an application performs, the application can raise the corresponding privilege needed before doing the task and then lower the privilege after completing the task. This practice is called privilege bracketing. It is recommended that a process run with the smallest possible privilege set at any given time.
Associating Privileges with Processes
Each process has three privilege sets associated with it. These sets are as follows:
Permitted Privilege Set
The maximum set of privileges that a process can raise. The process can remove any privilege from this set, but cannot add a privilege to this set. The privileges from this set can be added to the effective privilege set of the process. This set is also often referred to as the Potential Privilege Set.
Effective Privilege Set
The set of privileges that are currently active for the process. A process can modify this set to keep only the necessary privileges in this set at any given time. Any privilege in this set can be removed, but only privileges in the process's permitted privilege set can be added. A process's Effective Privilege Set is always a subset of its Permitted Privilege Set.
Retained Privilege Set
The set of privileges retained when a process calls execve() (see execve(2)). The process can remove any privilege from this set, but cannot add any privilege to this set. A process's Retained Privilege Set is always a subset of its Permitted Privilege Set.
These sets can be managed using the library functions priv_add_effective(), priv_remove(), and priv_get() (see priv_add_effective(3), priv_remove(3), and priv_get(3)).
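The rules in the three set descriptions above, together with the privilege bracketing and compound-privilege compatibility advice in the earlier sections, can be made concrete with a small model. The following C program is an added illustration and is not HP-UX code: it does not call the real priv_add_effective(), priv_remove() or priv_set_effective() functions (their signatures are not given on this page), but models them over a bitmask. The privilege bit values, the contents of the BASIC compound set in two hypothetical releases (BASIC_V1 and BASIC_V2), the PRIV_NEWPRIV name and every function name starting with model_ or app_ are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Bitmask model of a privilege set. Illustration only; the real priv_set_t
 * and the privileges(3) calls named in the text are not used here. */
typedef uint32_t privset_t;

/* Constructed bit values: the names follow the page, the values are made up. */
enum {
    PRIV_DACREAD  = 1u << 0,
    PRIV_DACWRITE = 1u << 1,
    PRIV_OWNER    = 1u << 2,
    PRIV_NEWPRIV  = 1u << 3   /* hypothetical privilege added in a later release */
};

/* Hypothetical contents of the compound set BASIC in the release the application
 * was written against (V1) and in a later release that added PRIV_NEWPRIV (V2). */
#define BASIC_V1 (PRIV_DACREAD | PRIV_DACWRITE | PRIV_OWNER)
#define BASIC_V2 (BASIC_V1 | PRIV_NEWPRIV)

/* The three per-process sets described in the text. */
struct proc_privs { privset_t permitted, effective, retained; };

/* Invariant from the text: effective and retained are always subsets of permitted. */
static bool privs_consistent(const struct proc_privs *p)
{
    return (p->effective & ~p->permitted) == 0 && (p->retained & ~p->permitted) == 0;
}

/* Raise into the effective set (priv_add_effective()-style): refused unless
 * every requested privilege is already in the permitted set. */
static bool model_add_effective(struct proc_privs *p, privset_t s)
{
    if (s & ~p->permitted) return false;
    p->effective |= s;
    return true;
}

/* Replace the effective set wholesale (priv_set_effective()-style), same bound. */
static bool model_set_effective(struct proc_privs *p, privset_t s)
{
    if (s & ~p->permitted) return false;
    p->effective = s;
    return true;
}

/* Lower: drop privileges from the effective set only (priv_remove()-style). */
static void model_remove_effective(struct proc_privs *p, privset_t s) { p->effective &= ~s; }

/* Drop from the permitted set. Nothing can ever be added back to permitted, so the
 * same privileges must also leave effective and retained to keep the invariant. */
static void model_remove_permitted(struct proc_privs *p, privset_t s)
{
    p->permitted &= ~s; p->effective &= ~s; p->retained &= ~s;
}

/* Privilege bracketing: raise only what the task needs, run it, lower again. */
static bool bracketed(struct proc_privs *p, privset_t need, bool (*task)(void))
{
    privset_t before = p->effective;
    if (!model_add_effective(p, need)) return false;
    bool ok = task();
    p->effective = before;                 /* lower back to the pre-task set */
    return ok;
}

static bool sample_task(void) { return true; }  /* stands in for the restricted operation */

/* Bracketing from effective == 0 with permitted == BASIC_V1.
 * 1: task ran and effective was lowered back; 0: privilege not permitted; -1: leaked. */
static int bracketing_outcome(privset_t need)
{
    struct proc_privs p = { BASIC_V1, 0, BASIC_V1 };
    if (!bracketed(&p, need, sample_task)) return 0;
    return p.effective == 0 ? 1 : -1;
}

/* Removing from permitted clears the other two sets and cannot be undone. */
static bool drop_permitted_demo(void)
{
    struct proc_privs p = { BASIC_V1, BASIC_V1, BASIC_V1 };
    model_remove_permitted(&p, PRIV_OWNER);
    return privs_consistent(&p) && !(p.effective & PRIV_OWNER)
        && !(p.retained & PRIV_OWNER) && !model_add_effective(&p, PRIV_OWNER);
}

/* Three ways an application can trim its effective set, each starting from a
 * process whose three sets equal the running release's BASIC (basic_now). */
static privset_t app_literal(privset_t basic_now)          /* fragile */
{
    struct proc_privs p = { basic_now, basic_now, basic_now };
    model_set_effective(&p, PRIV_DACREAD | PRIV_DACWRITE);  /* list frozen at dev time */
    return p.effective;
}
static privset_t app_remove_specific(privset_t basic_now)  /* compatible */
{
    struct proc_privs p = { basic_now, basic_now, basic_now };
    model_remove_effective(&p, PRIV_OWNER);                  /* drop only what is unwanted */
    return p.effective;
}
static privset_t app_compound(privset_t basic_now)         /* compatible */
{
    struct proc_privs p = { basic_now, basic_now, basic_now };
    model_set_effective(&p, basic_now);                      /* pass the compound set itself */
    return p.effective;
}

int main(void)
{
    printf("bracketing DACREAD: %d, NEWPRIV: %d, drop-permitted ok: %d\n",
           bracketing_outcome(PRIV_DACREAD), bracketing_outcome(PRIV_NEWPRIV),
           drop_permitted_demo());
    printf("keeps NEWPRIV on V2 -- literal: %d, remove-specific: %d, compound: %d\n",
           !!(app_literal(BASIC_V2) & PRIV_NEWPRIV),
           !!(app_remove_specific(BASIC_V2) & PRIV_NEWPRIV),
           !!(app_compound(BASIC_V2) & PRIV_NEWPRIV));
    return 0;
}
```

Run on the V2 release, the application that rebuilt its effective set from a literal written against V1 silently loses PRIV_NEWPRIV, while the two that either remove a specific privilege or hand the compound set to the set_effective model keep it; the bracketing helper shows that a privilege outside the permitted set cannot be raised at all, and that the effective set returns to its previous value once the task completes.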
Discretionary Restrictions
Discretionary restrictions are the restrictions imposed by the traditional file mode access permissions. Thus, the privileges PRIV_DACREAD and PRIV_DACWRITE allow read, search, execute, and write operations to proceed even if the file mode permissions forbid it. The PRIV_OWNER privilege allows a process that is not the owner of a file or directory to remove the file or directory whose parent directory has the sticky bit set. The PRIV_OWNER privilege also allows a process that is not the owner of a System V IPC message queue, semaphore set, or shared memory segment to remove, change ownership of, or change permission bits for that object.
Trial Mode
This is a facility provided by the system to aid in reporting the list of privileges that a process has used during its lifetime. A developer can use this feature to verify what privileges an application needs to operate. When a process with this privilege attempts to use any privilege (by making a system call that uses that privilege), an entry is logged to syslog; taken together, these entries form the list of privileges used.
6 Hewlett-Packard Company 6 HP-UX 11i Version 3: September 2011