This chapter provides step-by-step instructions for managing privileges and using privileges on your system. The following is a list of the information in this chapter.Managing and Using Privileges (Task Map) Managing Privileges (Task Map) Determining Your Privileges (Task Map) For an overview of privileges, see Privileges (Overview). For reference information, see Chapter 12, Privileges (Reference). privilegestask maptask mapsmanaging and using privilegesThe following task map points to task maps for managing privileges and for using privileges.Task Description For Instructions Use privileges at your site Involves assigning, removing, adding, and debugging the use of privileges. Managing Privileges (Task Map) Use privileges when you run a command Involves using the privileges that have been assigned to you. Determining Your Privileges (Task Map) administeringprivilegesmanagingprivileges task mapprivilegesadministeringThe following task map points to procedures for viewing privileges, assigning privileges, and running a script that contains privileged commands.Task Description For Instructions Determine what privileges are in a process Lists the effective, inheritable, permitted, and limit privilege sets for a process. How to Determine the Privileges on a Process Determine what privileges are missing from a process Lists the privileges that a failed process requires to succeed. How to Determine Which Privileges a Program Requires Add privileges to a command Adds privileges to a command in a rights profile. Users or roles can be assigned the rights profile. The users can then run the command with the assigned privileges in a profile shell. How to Add Privileges to a Command Assign privileges to a user Expands a user's or role's inheritable set of privileges. Use this procedure with caution. How to Assign Privileges to a User or Role Restrict a user's privileges Limits the user's basic set of privileges. Use this procedure with caution. How to Limit a User's or Role's Privileges Run a privileged shell script Adds privilege to a shell script and to the commands in the shell script. Then, runs the script in a profile shell. How to Run a Shell Script With Privileged Commands The most secure way to manage privileges for users and roles is to confine use of privilege to commands in a rights profile. The rights profile is then included in a role. The role is assigned to a user. When the user assumes the assigned role, the privileged commands are available to be run in a profile shell. The following procedures show how to assign privileges, remove privileges, and debug privilege use.privilegeslisting on a process determiningprivileges on a process obtainingprivileges on a process shell processlisting its privileges new featurescommandsppriv ppriv commandlisting privilegesThis procedure shows how to determine which privileges are available to your processes. The listing does not include privileges that have been assigned to particular commands. v optionppriv commandusingppriv commanddouble dollar sign ($$)parent shell process number$$ (double dollar sign)parent shell process numbershell commandspassing parent shell process numberusingppriv commandviewingprivileges on a processList the privileges that are available to your shell's process.% ppriv pid $ ppriv -v pidpidIs the process number. Use a double dollar sign ($$) to pass the process number of the parent shell to the command. vProvides a verbose listing of the privilege names. viewingprivileges in a shell In the following example, the privileges in the parent process of the user's shell process are listed. In the second example, the full names of the privileges are listed. The single letters in the output refer to the following privilege sets:EIs the effective privilege set. IIs the inheritable privilege set. PIs the permitted privilege set. LIs the limit privilege set. % ppriv $$ 1200: -csh flags = <none> E: basic I: basic P: basic L: all % ppriv -v $$ 1200: -csh flags = <none> E: file_link_any,proc_exec,proc_fork,proc_info,proc_session I: file_link_any,proc_exec,proc_fork,proc_info,proc_session P: file_link_any,proc_exec,proc_fork,proc_info,proc_session L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time Roles use an administrative shell, or profile shell. You must assume a role and use the role's shell to list the privileges that have been directly assigned to the role. In the following example, the role sysadmin has no directly assigned privileges.% su - sysadmin Password: <Type sysadmin password> $ /usr/ucb/whoami sysadmin $ ppriv -v $$ 1400: pfksh flags = <none> E: file_link_any,proc_exec,proc_fork,proc_info,proc_session I: file_link_any,proc_exec,proc_fork,proc_info,proc_session P: file_link_any,proc_exec,proc_fork,proc_info,proc_session L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time troubleshootingprivilege requirements troubleshootinglack of privilege debuggingprivilegesprivilegesdebuggingppriv commandfor debuggingThis procedure determines which privileges a command or process requires to succeed. The command or process must have failed for this procedure to work. e optionppriv commandD optionppriv commandType the command that is failing as an argument to the ppriv debugging command.% ppriv -eD touch /etc/acct/yearly touch[11365]: missing privilege "file_dac_write" (euid = 130, syscall = 224) needed at ufs_direnter_cm+0x27c touch: /etc/acct/yearly cannot create Determine which system call is failing by finding the syscall number in the /etc/name_to_sysnum file.% grep 224 /etc/name_to_sysnum creat64 224 truss commandfor privilege debugging usingtruss command The truss command can debug privilege use in a regular shell. For example, the following command debugs the failing touch process:% truss -t creat touch /etc/acct/yearly creat64("/etc/acct/yearly", 0666) Err#13 EACCES [file_dac_write] touch: /etc/acct/yearly cannot createThe extended /proc interfaces report the missing privilege after the error code in truss output. privilegesfinding missing The ppriv command can debug privilege use in a profile shell. If you assign a rights profile to a user, and the rights profile includes commands with privileges, the commands must be typed in a profile shell. When the privileged commands are typed in a regular shell, the commands do not execute with privilege. In this example, the jdoe user can assume the role objadmin. The objadmin role includes the Object Access Management rights profile. This rights profile allows the objadmin role to change permissions on files that objadmin does not own.In the following excerpt, jdoe fails to change the permissions on the useful.script file:jdoe% ls -l useful.script -rw-r--r-- 1 aloe staff 2303 Mar 11 05:29 useful.script jdoe% chown objadmin useful.script chown: useful.script: Not owner jdoe% ppriv -eD chown objadmin useful.script chown[11444]: missing privilege "file_chown" (euid = 130, syscall = 16) needed at ufs_setattr+0x258 chown: useful.script: Not ownerWhen jdoe assumes the objadmin role, the permissions on the file are changed:jdoe% su - objadmin Password: <Type objadmin password> $ ls -l useful.script -rw-r--r-- 1 aloe staff 2303 Mar 11 05:29 useful.script $ chown objadmin useful.script $ ls -l useful.script -rw-r--r-- 1 objadmin staff 2303 Mar 11 05:29 useful.script $ chgrp admin useful.script $ ls -l objadmin.script -rw-r--r-- 1 objadmin admin 2303 Mar 11 05:31 useful.script This example illustrates the protections against privilege escalation. For a discussion, see Prevention of Privilege Escalation. The file is owned by the root user. The less powerful role, objadmin role needs all privileges to change the file's ownership, so the operation fails.jdoe% su - objadmin Password: <Type objadmin password> $ cd /etc; ls -l system -rw-r--r-- 1 root sys 1883 Mar 20 14:04 system $ chown objadmin system chown: system: Not owner $ ppriv -eD chown objadmin system chown[11481]: missing privilege "ALL" (euid = 101, syscall = 16) needed at ufs_setattr+0x258 chown: system: Not owner privilegesadding to command addingprivileges to command assigningprivileges to commands in a rights profile You add privileges to a command when you are adding the command to a rights profile. The privileges enable the role that includes the rights profile to run the administrative command, while not gaining any other superuser capabilities. The command or program must be privilege-aware. For a fuller discussion, see How Processes Get Privileges. &rolestepA;Open the Solaris Management Console GUI.For instructions, see How to Assume a Role in the Solaris Management Console. Use the Rights tool to update an appropriate profile.Select the command to include. For each included command, add the privileges that the command requires.When you include commands in a rights profile and add privileges to the commands, the commands execute with those privileges when the commands are run in a profile shell.The order of profiles is important. The profile shell executes a command or action with the security attributes that are specified in the earliest profile in the account's list of profiles. For example, if the chgrp command is in the Object Access Management rights profile with privileges, and Object Access Management is the first profile in which the chgrp command is found, then the chgrp command executes with the privileges specified in the Object Access Management profile. privilegesassigning to user or role assigningprivileges to user or role addingprivileges directly to user or role obtainingprivileges rolesassigning privileges to usersassigning privileges to You might trust some users with a particular privilege all the time. Very specific privileges that affect a small part of the system are good candidates for assigning to a user. For a discussion of the implications of directly assigned privileges, see Security Considerations When Directly Assigning Security Attributes.The following procedure enables user jdoe to use high resolution timers. &rolePAstep;usingusermod commandK optionusermod commandAdd the privilege that affects high resolution times to the user's initial inheritable set of privileges.$ usermod -K defaultpriv=basic,proc_clock_highres jdoe Read the resulting user_attr entry.$ grep jdoe /etc/user_attr jdoe::::type=normal;defaultpriv=basic,proc_clock_highres usingsmrole commandIn this example, a role is created whose only task is to handle time on the system.$ /usr/sadm/bin/smrole -D nisplus:/examplehost/example.domain \ -r primaryadm -l <Type primaryadm password> \ add -- -n clockmgr \ -c "Role that sets system time" \ -F "Clock Manager" \ -s /bin/pfksh \ -u 108 \ -P <Type clockmgr password> \ -K defaultpriv=basic,proc_priocntl,sys_cpu_config, proc_clock_highres,sys_timeThe -K line is wrapped for display purposes.If the role was created locally, the user_attr entry for the role would appear similar to the following:clockmgr:::Role that sets system time: type=role;defaultpriv=basic,proc_priocntl,sys_cpu_config, proc_clock_highres,sys_time privilegeslimiting use by user or role limitinguse of privileges by user or role You can limit the privileges that are available to a user or role by reducing the basic set, or by reducing the limit set. You should have good reason to limit the user's privileges in this way, because such limitations can have unintended side effects.You should thoroughly test any user's capabilities where the basic set or the limit set has been modified for a user.When the basic set is less than the default, users can be prevented from using the system. When the limit set is less than all privileges, processes that need to run with an effective UID=0 might fail. Determine the privileges in a user's basic set and limit set.For the procedure, see How to Determine the Privileges on a Process. restrictinguser privilegesremovingprivileges from basic setprivilegesremoving from basic setusersrestricting basic privilegesRemove one of the privileges from the basic set.$ usermod -K defaultpriv=basic,!priv-name usernameBy removing the proc_session privilege, you prevent the user from examining any processes outside the user's current session. By removing the file_link_any privilege, you prevent the user from making hard links to files that are not owned by the user.Do not remove the proc_fork or the proc_exec privilege. Without these privileges, the user would not be able to use the system. In fact, these two privileges are only reasonably removed from daemons that should not fork or exec other processes. Remove one of the privileges from the limit set.$ usermod -K limitpriv=all,!priv-name username Test the capabilities of username.Log in as username and try to perform the tasks that username must perform on the system. removingprivileges from limit setprivilegesremoving from limit setIn the following example, all sessions that originate from jdoe's initial login are prevented from using the sys_linkdir privilege. That is, the user cannot make hard links to directories, nor can the user unlink directories, even after the user runs the su command.$ usermod -K limitpriv=all,!sys_linkdir jdoe $ grep jdoe /etc/user_attr jdoe::::type=normal;defaultpriv=basic;limitpriv=all,!sys_linkdir In the following example, all sessions that originate from jdoe's initial login are prevented from using the proc_session privilege. That is, the user cannot examine any processes outside the user's session, even after the user runs the su command.$ usermod -K defaultpriv=basic,!proc_session jdoe$ grep jdoe /etc/user_attr jdoe::::type=normal;defaultpriv=basic,!proc_session;limitpriv=all privilegesusing in shell script scriptsuse of privileges in assigningprivileges to commands in a script When you create a shell script that runs commands with inherited privileges, the appropriate rights profile must contain the commands with privileges assigned to them. shell scriptswriting privilegedStart the script with /bin/pfsh, or any other profile shell, on the first line.#!/bin/pfsh # Copyright (c) 2003 by Sun Microsystems, Inc. Determine the privileges that the commands in the script need.% ppriv -eD script-full-path Open the Solaris Management Console GUI.For instructions, see How to Assume a Role in the Solaris Management Console. Choose a role, such as Primary Administrator, that can create a rights profile. Use the Rights tool to create or update an appropriate profile.Select the script, and include in the rights profile each of the commands in the shell script that need privileges to run. For each included command, add the privileges that the command requires.The order of rights profiles is important. The profile shell executes the earliest instance of a command in the list of profiles. For example, if the chgrp command is in the Object Access Management rights profile, and Object Access Management is the first profile in which the chgrp command is found, then the chgrp command executes with the privileges that are specified in the Object Access Management profile. Add the rights profile to a role and assign the role to a user.To execute the profile, the user assumes the role and runs the script in the role's profile shell. privilegeshow to usedeterminingprivileges task mapusingprivileges task mapThe following task map points to procedures for using the privileges that have been assigned to you.Task Description For Instructions View your privileges as a user in any shell Shows the privileges that have been directly assigned to you. All of your processes run with these privileges. How to Determine the Privileges That You Have Been Directly Assigned Determine which commands you can run with privilege When privileges are assigned to executables in a rights profile, the executable must be typed in a profile shell. How to Determine the Privileged Commands That You Can Run Determine which commands a role can run with privileges Assumes the role to determine which commands the role can run with privileges. How to Determine the Privileged Commands That a Role Can Run usingprivilegesWhen a user is directly assigned privileges, the privileges are in effect in every shell. When a user is not directly assigned privileges, then the user must open a profile shell. For example, when commands with assigned privileges are in a rights profile that is in the user's list of rights profiles, then the user must execute the command in a profile shell.privilegesdetermining directly assigned ones usersdetermining directly assigned privileges The following procedure shows how to determine if you have been directly assigned privileges.Inappropriate use of directly assigned privileges can result in unintentional breaches of security. For a discussion, see Security Considerations When Directly Assigning Security Attributes. List the privileges that your processes can use.See How to Determine the Privileges on a Process for the procedure. Invoke actions and run commands in any shell.The privileges that are listed in the effective set are in effect throughout your session. If you have been directly assigned privileges in addition to the basic set, the privileges are listed in the effective set. viewingdirectly assigned privileges If you have been directly assigned privileges, then your basic set contains more than the default basic set. In this example, the user always has access to the proc_clock_highres privilege.% /usr/ucb/whoami jdoe % ppriv -v $$ 1800: pfksh flags = <none> E: file_link_any,…,proc_clock_highres,proc_session I: file_link_any,…,proc_clock_highres,proc_session P: file_link_any,…,proc_clock_highres,proc_session L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time % ppriv -vl proc_clock_highres Allows a process to use high resolution timers. rolesdetermining directly assigned privileges viewingprivileges in a shell Roles use an administrative shell, or profile shell. Users who assume a role can use the role's shell to list the privileges that have been directly assigned to the role. In the following example, the role realtime has been directly assigned privileges to handle date and time programs.% su - realtime Password: <Type realtime password> $ /usr/ucb/whoami realtime $ ppriv -v $$ 1600: pfksh flags = <none> E: file_link_any,…,proc_clock_highres,proc_session,sys_time I: file_link_any,…,proc_clock_highres,proc_session,sys_time P: file_link_any,…,proc_clock_highres,proc_session,sys_time L: cpc_cpu,dtrace_kernel,dtrace_proc,dtrace_user,…,sys_time usersdetermining own privileged commands commandsdetermining user's privileged commands When a user is not directly assigned privileges, then the user gets access to privileged commands through a rights profile. Commands in a rights profile must be executed in a profile shell. The user or role who authenticates to the Solaris Management Console must have the solaris.admin.usermgr.read authorization. The Basic Solaris User rights profile includes this authorization. Determine the rights profiles that you have been assigned.$ /usr/sadm/bin/smuser list -- -n username -l Authenticating as user: admin … Please enter a string value for: password :: … User name: username User ID (UID): 130 Primary group: staff Secondary groups: Comment: object mgt jobs Login Shell: /bin/sh Home dir server: system Home directory: /export/home/username AutoHome setup: True Mail server: system Rights: Object Access Management Assigned Roles: Locate the line that begins with “Rights:”.The “Rights” line lists the names of the rights profiles that have been directly assigned to you. Find the names of the rights profiles in the exec_attr database.$ cd /etc/security $ grep "Object Access Management" exec_attr Object Access Management:solaris:cmd:::/usr/bin/chgrp:privs=file_chown Object Access Management:solaris:cmd:::/usr/bin/chown:privs=file_chown Object Access Management:suser:cmd:::/usr/bin/chgrp:euid=0 Object Access Management:suser:cmd:::/usr/bin/chmod:euid=0 …The commands with added privileges are listed at the end of solaris policy entries. Type the commands that require privileges in a profile shell.When the commands are typed in a regular shell, the commands do not run with privilege, and do not succeed.% pfsh $ In the following example, the user jdoe cannot change the group permissions on a file from his regular shell. However, jdoe can change the permissions when typing the command in a profile shell.% whoami jdoe % ls -l useful.script -rwxr-xr-- 1 nodoe eng 262 Apr 2 10:52 useful.script chgrp staff useful.script chgrp: useful.script: Not owner % pfksh $ /usr/ucb/whoami jdoe $ chgrp staff useful.script $ chown jdoe useful.script $ ls -l useful.script -rwxr-xr-- 1 jdoe staff 262 Apr 2 10:53 useful.script rolesdetermining role's privileged commands A role gets access to privileged commands through a rights profile that contains commands with assigned privileges. The most secure way to provide a user with access to privileged commands is to assign a role to them. After assuming the role, the user can execute all the privileged commands that are included in the rights profiles for that role. The user or role who authenticates to the Solaris Management Console must have the solaris.admin.usermgr.read authorization. The Basic Solaris User rights profile includes this authorization. Determine the roles that you can assume.$ /usr/sadm/bin/smuser list -- -n username -l Authenticating as user: primadmin … User name: username User ID (UID): 110 Primary group: staff Secondary groups: Comment: Has admin roles Login Shell: /bin/sh … Rights: Assigned Roles: primadmin, admin Locate the line that begins with “Assigned Roles:”.The “Assigned Roles” line lists the roles that you can assume. Determine the rights profiles that are included in one of your roles.$ /usr/sadm/bin/smuser list -- -n admin -l Authenticating as user: primadmin … User name: admin User ID (UID): 101 Primary group: sysadmin Secondary groups: Comment: system administrator Login Shell: /bin/pfksh … Rights: System Administrator Assigned Roles: Locate the names of the rights profiles for the role in the “Rights:” line. Find the rights profiles in the prof_attr database.Because the System Administrator profile is a collection of profiles, you need to list the profiles in the System Administrator profile.$ cd /etc/security $ grep "System Administrator" prof_attr System Administrator:::Can perform most non-security administrative tasks:profiles=Audit Review,Printer Management,Cron Management, Device Management,File System Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,Name Service Management,Network Management,Object Access Management,Process Management,Software Installation,User Management,All;help=RtSysAdmin.html For each rights profile, find the rights profiles in the exec_attr database.For example, the Network Management profile is a supplementary profile of the System Administrator profile. The Network Management profile includes a number of privileged commands.$ cd /etc/security $ grep "Network Management" exec_attr Network Management:solaris:cmd:::/usr/sbin/ifconfig:privs=sys_net_config Network Management:solaris:cmd:::/usr/sbin/route:privs=sys_net_config …The commands and their assigned privileges are the final two fields of solaris policy entries. You can run these commands in the profile shell of your role. When a user assumes a role, the shell becomes a profile shell. Therefore, the commands are executed with the privileges that were assigned to the commands. In the following example, the admin role can change the permissions on the useful.script file.% whoami jdoe % ls -l useful.script -rwxr-xr-- 1 elsee eng 262 Apr 2 10:52 useful.script chgrp admin useful.script chgrp: useful.script: Not owner % su - admin Password: <Type admin password> $ /usr/ucb/whoami admin $ chgrp admin useful.script $ chown admin useful.script $ ls -l useful.script -rwxr-xr-- 1 admin admin 262 Apr 2 10:53 useful.script