HP-UX Reference (11i v3 07/02) - 5 Miscellaneous Topics (vol 9)
privileges(5)
Depending on what kind of restricted tasks an application performs, the application can raise the
corresponding privilege needed before doing the task and then lower the privilege after completing the
task. This practice is called privilege bracketing. It is recommended that a process run with the smallest
possible privilege set at any given time.
Associating Privileges with Processes
Each process has three privilege sets associated with it. These sets are as follows:
Permitted Privilege Set
The maximum set of privileges that a process can raise. The process can remove any privilege
from this set, but cannot add a privilege to this set. The privileges from this set can be added to
the effective privilege set of the process. This set is also often referred to as the Potential
Privilege Set.
Effective Privilege Set
The set of privileges that are currently active for the process. A process can modify this set to
keep only the necessary privileges in this set at any given time. Any privilege in this set can be
removed, but only privileges in the process’ permitted privilege set can be added. A process’
Effective Privilege Set is always a subset of its Permitted Privilege Set.
Retained Privilege Set
The set of privileges retained when a process calls execve() (see execve(2)). The process can
remove any privilege from this set, but cannot add any privilege to this set. A process’ Retained
Privilege Set is always a subset of the Permitted Privilege Set.
These sets can be managed with the library functions priv_add_effective(), priv_remove(), and priv_get()
(see priv_add_effective(3), priv_remove(3), and priv_get(3)).
Discretionary Restrictions
Discretionary restrictions are the restrictions imposed by the traditional file mode access permissions.
Thus, the privileges PRIV_DACREAD and PRIV_DACWRITE allow read, search, execute, and write operations
to proceed even if the file mode permissions forbid them. The PRIV_OWNER privilege allows a process that
is not the owner of a file or directory to remove that file or directory when its parent directory has the
sticky bit set. The PRIV_OWNER privilege also allows a process that is not the owner of a System V IPC
message queue, semaphore set, or shared memory segment to remove, change ownership of, or change the
permission bits of that object.
Trial Mode
This is a facility provided by the system to aid in reporting the list of privileges that a process has used
during its lifetime. A developer can use this feature to verify which privileges an application needs in
order to operate. When a process with this privilege attempts to use any privilege (by making a system call
that uses that privilege), an entry is logged to syslog; taken together, these entries list the privileges
the process used.
Compatibility
A process with an effective user ID of zero is, by default, treated as possessing root replacement privileges.
The compartmentalization feature may further restrict this interpretation of effective user ID such that the
process is treated as though it has only a specified subset of root replacement privileges. For more details,
see the description of "Process Limitation Rules" in compartments(4).
More formally, a process is said to observe a privilege if and only if one or more of the following conditions
hold:
• The privilege is present in its effective privilege set, or
• The privilege is a root replacement privilege, the effective uid of the process is zero, and
compartmentalization is not enabled, or
• The privilege is a root replacement privilege, the effective uid of the process is zero,
compartmentalization is enabled, and the privilege is not a disallowed privilege in the process’s
compartment.
SYSTEM PRIVILEGE REQUIREMENTS
This section provides tables that list the privileges that may be required where the corresponding man
page specifies "appropriate privileges" to perform certain operations or to operate in certain conditions.
For each system call, the table lists the privileges that can potentially affect the system call’s behavior.
The subsections also include other functions and areas of interest. These tables list the privileges that may
be required where the individual man page specifies "appropriate privileges" to perform certain operations
370 Hewlett-Packard Company − 5 − HP-UX 11i Version 3: February 2007