HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)
p
privileges(5) privileges(5)
bits, provided that the process is allowed to change the ownership of the file.
PRIV_OWNER (OWNER)
Allows a process to override all restrictions with respect to UID matching the owner of the file or
resource. See Discretionary Restrictions for more information.
PRIV_PSET (PSET)
Allows change to the system pset configuration (see pset_create(2)).
PRIV_REBOOT (REBOOT)
Allows a process to perform reboot operations.
PRIV_RTPRIO (RTPRIO)
Allows access to the rtprio() system call (see rtprio(2)).
PRIV_RTPSET (RTPSET)
Allows a process to control RTE psets (see __pset_rtctl (2)).
PRIV_RTSCHED (RTSCHED)
Allows access to the sched_setparam()
and sched_setscheduler()
to set POSIX.4
real-time priorities (see rtsched(2)).
PRIV_RULESCONFIG (RULESCONFIG)
Allows a process to add and modify compartment rules on the system. (See compartments(5)
and cmpt_tune(1M) to determine if this extended feature is enabled.)
PRIV_SELFAUDIT (SELFAUDIT)
Allows a process to generate auditing records for itself using the audwrite() system call (see
audwrite(2)).
PRIV_SERIALIZE (SERIALIZE)
Permits the use of serialize() for forcing the target process to run serially with other
processes that are also marked by this system call (see serialize(2)).
PRIV_SESSION (SESSION)
Permits creation of a new session (see setsid(2)), and setpgrp(2)).
PRIV_SPUCTL
Permits certain administrative operations in the Instant Capacity product for deactivation and
reactivation of processors. See the Instant Capacity documentation for more information.
PRIV_SYSATTR (SYSATTR)
Enables a process to manage system attributes including the setting of tunables, and modifying
the host name, domain name, and user quotas.
PRIV_SYSNFS (SYSNFS)
Allows a process to perform NFS operations like exporting a file system, the getfh() system
call (see getfh(2)), NFS file locking, revoking NFS authentication, and creating an NFS kernel
daemon thread.
PRIV_TRIALMODE (TRIALMODE)
Allows a process to log trial mode information to the syslog file. See Trial Mode below.
Programming with Privileges
When programming with privileges, the name associated with each privilege is the same as the name
presented here with the string
PRIV_ prefixed (that is, use the symbolic constant PRIV_ACCOUNTING in
the source code). In commands associated with privileges, the names are used without the
PRIV_ prefix,
although most commands may also recognize the names with the prefix.
The compound privileges BASIC, BASICROOT , and POLICY are designed to ease development of applica-
tions that retain their functionality even though the underlying privileges changes. An application that
requires compatibility--even when the underlying set of privileges changes--ought to ensure that it does not
accidentally drop a new privilege that was added since it was developed. For example, this can be done by
dropping specific privileges from the effective set using priv_remove() (see priv_remove (3)) or by
ensuring that the compound privileges are used as argument to priv_set_effective() (see
priv_set_effective(3)).
Associating Privileges with Binaries
Applications that depend on the use of privileges must be registered using the
setfilexsec command
(see setfilexsec(1M)). For an alternate method of granting privileges, see privrun(1M)).
HP-UX 11i Version 3: February 2007 − 4 − Hewlett-Packard Company 369