HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)
privileges(5) privileges(5)
enabled). These privileges comprise part of the set of privileges in the compound privilege POLICY.
Policy Configuration Privileges
Policy configuration privileges control how privileges are configured. There are two such privileges,
PRIV_CHANGEFILEXSEC and PRIV_RULESCONFIG. These privileges are not granted by default to
processes with an effective user ID of zero. These privileges comprise part of the set of privileges in the
compound privilege POLICY.
Process Attribute Privileges
Process attribute privileges are privileges only in the sense that they are manipulated like other privileges.
PRIV_TRIALMODE is the only member of this set. This privilege is not granted by default to processes
with an effective user ID of zero.
Compound Privileges
Compound privileges are a shorthand way of specifying a predefined set of simple privileges. These
compound privileges are subject to redefinition in future releases to allow for the creation of new privileges.
The compound privileges are defined as follows:
BASIC Refers to the Basic Privileges.
BASICROOT Refers to the union of Basic Privileges and Root Replacement Privileges.
POLICY Refers to the Policy Override Privileges and the Policy Configuration Privileges.
Privilege Descriptions
The following list specifies privilege names and their primary purpose.
PRIV_ACCOUNTING (ACCOUNTING)
Allows a process to control the process accounting system (see acct(2)).
PRIV_AUDCONTROL (AUDCONTROL)
Allows a process to start, modify, and stop the auditing system.
PRIV_CHANGECMPT (CHANGECMPT)
Grants a process the ability to change its compartment. (See compartments(5) and
cmpt_tune(1M) to determine if this extended feature is enabled.)
PRIV_CHANGEFILEXSEC (CHANGEFILEXSEC)
Allows a process to grant privileges to binaries.
PRIV_CHOWN (CHOWN)
Allows access to the chown() system calls (see chown(2)).
PRIV_CHROOT (CHROOT)
Allows a process to change its root directory.
PRIV_CHSUBJIDENT (CHSUBJIDENT)
Allows a process to change its UIDs, GIDs, and group lists. Also allows a process to
chown a file and leave the suid or sgid bits set on the file, if present.
PRIV_CMPTREAD (CMPTREAD)
Allows a process to open a file or directory for reading, executing (in the case of a file), or
searching (in the case of a directory), bypassing compartment rules that would otherwise not permit
the operation. (See compartments(5) and cmpt_tune(1M) to determine if this extended feature is
enabled.)
PRIV_CMPTWRITE (CMPTWRITE)
Allows a process to write into a file or directory, bypassing compartment rules that would
otherwise not permit the operation. (See compartments(5) and cmpt_tune(1M) to determine if this
extended feature is enabled.)
PRIV_COMMALLOWED (COMMALLOWED)
Allows a process to override compartment rules in the IPC and networking subsystems. (See
compartments(5) and cmpt_tune(1M) to determine if this extended feature is enabled.)
PRIV_DACREAD (DACREAD)
Allows the process to override all discretionary read, execute, and search access restrictions. See
Discretionary Restrictions for more information.
HP-UX 11i Version 3: February 2007 − 2 − Hewlett-Packard Company 367