filepriv(1M)
filepriv -- set, delete, or display privilege information associated with a file
Synopsis
filepriv [-f priv[, . . .]] [-i priv[, . . .]] file . . .
filepriv -d file . . .
Description
filepriv is used to set, delete, or display
the privilege information associated
with a file.
Command options
- -d
  used to delete the privileges associated with the named file; also used to delete non-existent files from the Privilege Data File (PDF).
- -f priv,priv, . . .
  used to specify the fixed privileges associated with the named file.
- -i priv,priv, . . .
  used to specify the inheritable privileges associated with the named file.
The following describes the privileges that may be specified:
priv [ +|-priv_name . . . ] set_name [ . . . ]
For each set_name,
priv sets or displays the privileges
contained in that privilege set.
set_name may be either max for the
maximum privilege set or work for the working set.
priv_name is the name of a privilege.
If priv_names are supplied, priv scans the list and turns off those privileges that are preceded by a minus sign and turns on those that are preceded by a plus sign in each of the sets listed.
If no priv_names are supplied, the priv command prints the current list of privileges for each of the requested sets.
The values for priv_name are:
- allprivs
  Represents all possible privileges.
- audit
  Required to manipulate the security audit mechanisms.
- auditwr
  Required to write miscellaneous audit records to the audit trail.
- compat
  Overrides specific restrictions that are imposed solely for the confinement of covert channels.
- core
  Required to dump a core image of a process that is either privileged, setuid, or setgid. This privilege is not required to dump the core image of a process that does not meet the above conditions.
- dacread
  Overrides Discretionary Access Control (DAC) restrictions, but only for operations that do not alter objects (that is, read and execute permissions). See ``Access permissions''.
- dacwrite
  Overrides Discretionary Access Control restrictions, but only for operations that alter objects (that is, write permission). See ``Access permissions''.
- dev
  Required to set or get device security attributes to change the device level when it is in private state, and to access a device when it is in private state. This privilege is also used for special ioctl calls for window management and to download trusted software to a terminal driver.
- driver
  Provides compatibility with device drivers developed by third-party vendors. It is used when a sensitive operation needs to be limited to a privileged process.
- filesys
  Required for privileged filesystem operations that have relatively low sensitivity, including the creation of links to directories, setting the effective root directory, and making special files.
- fsysrange
  Overrides filesystem range restrictions.
- loadmod
  Required to perform selective operations associated with loadable modules.
- macread
  Overrides Mandatory Access Control (MAC) restrictions, but only for certain operations that do not alter objects. See ``Access permissions''.
- macwrite
  Overrides Mandatory Access Control restrictions that involve the alteration of objects or other MAC-related attributes. See ``Access permissions''.
- macupgrade
  Allows processes to upgrade files (change the existing level to a new dominating level).
- mount
  Required to mount or unmount a filesystem, or to set and get the ceiling level of a filesystem.
- multidir
  Required for creation of multilevel directories.
- owner
  Required to change the attributes of a file (that is, information kept in the file's inode) that is not owned by the effective uid of the calling process. See ``Access permissions''.
- plock
  Required to lock a process in memory.
- rtime
  Required by processes that do real-time operations.
- setflevel
  Required to change the security level of objects (for block or character special files that are in the public state only), subject to some restrictions.
- setplevel
  Required to change the security level of a process (including the process's own level), subject to some restrictions.
- setspriv
  Administrative privilege required to set the inheritable and fixed privileges on files. This privilege overrides access and ownership restrictions.
- setuid
  Required in order to set the real and effective user and group IDs of a process.
- setupriv
  Privilege required for an otherwise unprivileged process to set the inheritable and fixed privileges on a file. This privilege does not override access or ownership restrictions.
- sysops
  Required to perform several general system operations that have only minor security implications.
- tshar
  Required to raise the priority of a time-sharing process or to set the user priority limit to a value greater than 0.
Access permissions
Access permissions are associated with the priv_name entries.
Access checking is performed whenever a subject (such as a process)
tries to access an object (such as a file or directory).
Permission to access an object is granted or denied on the basis of
mode bits.
The mode bits are known as Discretionary Access Control (DAC).
Mandatory Access Control (MAC) privileges are defined; however, they may not be supported on the system you are using.
The standard file access permission bit checks are performed to determine if the process requesting access to the object has permission to access it in the manner (read, write, and/or execute/search) requested.
Each access mode requested is checked separately using the following algorithm:
- If the effective user ID of the process is equal to the user ID of the owner of the file, and the requested access mode bit is set in the ``owner'' bits of the mode, access is granted; otherwise access checking continues.
- If the effective group ID (or any of the supplementary group IDs of the process) matches the owning group of the file and the requested access mode bit is set in the ``group'' bits of the mode, access is granted; otherwise, access checking continues.
- If the above checks fail, and the requested access mode bit is set in the ``other'' bits of the mode, access is granted; otherwise, access is denied (EACCES is returned).
- These checks are performed on every component of the pathname, including the object itself. If any of the checks fail, the privileges of the calling process are examined to determine if the calling process has the appropriate privilege for the mode requested (dacread for read and execute/search access, dacwrite for write access).
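The algorithm above written out as a C function, added here as an illustration and not code from the manual or from the system. It follows the steps exactly as listed, including ``otherwise access checking continues'' after the owner and group checks, and falls back to dacread or dacwrite only when all three mode-bit checks fail; the PRIV_* flag bits, the struct names and the 0/EACCES return convention are assumptions, and only a single object is checked (the per-component pathname walk is not modelled).

```c
#include <errno.h>
#include <sys/types.h>
/* Requested access modes, one bit each; several may be OR-ed together. */
#define ACC_READ  4
#define ACC_WRITE 2
#define ACC_EXEC  1                 /* execute, or search for a directory */

/* Assumed flag bits for the two DAC-override privileges described above. */
#define PRIV_DACREAD  1u
#define PRIV_DACWRITE 2u

struct subject {                    /* the process requesting access */
    uid_t euid;
    gid_t egid;
    const gid_t *groups;            /* supplementary group IDs, may be null */
    int ngroups;
    unsigned privs;                 /* PRIV_* bits in its working set */
};
struct object {                     /* the file or directory being accessed */
    uid_t uid;
    gid_t gid;
    unsigned mode;                  /* permission bits, e.g. 0640 */
};

static int in_groups(const struct subject *s, gid_t g)
{
    if (s->egid == g) return 1;
    for (int i = 0; i < s->ngroups; i++)
        if (s->groups[i] == g) return 1;
    return 0;
}

/* One mode bit: owner, group, other checks in turn, then the privilege fallback. */
static int check_one(const struct subject *s, const struct object *o, int m)
{
    if (s->euid == o->uid && ((o->mode >> 6) & m)) return 0;    /* owner bits */
    if (in_groups(s, o->gid) && ((o->mode >> 3) & m)) return 0; /* group bits */
    if (o->mode & m) return 0;                                   /* other bits */
    if (m == ACC_WRITE) return (s->privs & PRIV_DACWRITE) ? 0 : EACCES;
    return (s->privs & PRIV_DACREAD) ? 0 : EACCES;   /* read or execute/search */
}

/* Checks each mode in req separately; returns 0 only if every one is granted. */
int dac_check(const struct subject *s, const struct object *o, int req)
{
    for (int m = ACC_READ; m; m >>= 1)
        if ((req & m) && check_one(s, o, m) != 0) return EACCES;
    return 0;
}
```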
The following example adds owner and audit privileges
and deletes dacread privilege from the working set:
priv +owner +audit -dacread work
Privilege information is stored in the Privilege Data File
(PDF) located in /etc/security/tcb/privs.
filepriv must have the P_SETSPRIV and P_SETUPRIV
privileges when setting or deleting file
privileges, otherwise permission is denied.
The argument priv is defined as a process privilege name
(see
Intro(2)).
The argument allprivs can be used to set or delete
all the process privileges available.
The file argument must be an absolute pathname of an executable
file when setting or deleting file privileges.
There must be at least one file argument specified;
otherwise, filepriv exits with an error.
filepriv calls the realpath routine
to resolve symbolic links.
In this way,
when new privileges are entered into the Privilege
Data File for a symbolic link on a file
that already exists in the PDF,
the privileges are associated correctly.
When setting file privileges, all fixed and inheritable privileges on the specified file are removed before those privileges specified by the -f and -i options are applied.
Also, filepriv will set only privileges allowed by the maximum set of privileges on the process calling filepriv(2), as defined by the Privilege Data File.
The filepriv command exits with an error if the -f and -i options are specified and the same privilege exists in both.
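The checks a front end would make on the -f and -i lists before touching the PDF, added here as an example and not the filepriv implementation: the priv_name table is the one listed above, while the bitmask layout, function names and result codes are assumptions, and the ``maximum set'' rule is modelled as dropping any privilege outside caller_max rather than reporting it.

```c
#include <string.h>

/* The priv_name values listed on this page; name i is bit i of the mask. */
static const char *const PRIV_NAMES[] = {
    "audit", "auditwr", "compat", "core", "dacread", "dacwrite", "dev",
    "driver", "filesys", "fsysrange", "loadmod", "macread", "macwrite",
    "macupgrade", "mount", "multidir", "owner", "plock", "rtime", "setflevel",
    "setplevel", "setspriv", "setuid", "setupriv", "sysops", "tshar" };
#define NPRIVS   (sizeof PRIV_NAMES / sizeof PRIV_NAMES[0])
#define ALLPRIVS ((1u << NPRIVS) - 1)

/* Parses a "priv,priv,..." option argument into a bitmask.  "allprivs"
 * expands to every privilege; an undefined name returns -1. */
int parse_privs(const char *list)
{
    unsigned mask = 0;
    if (!list) return 0;                          /* option not given */
    while (*list) {
        size_t n = strcspn(list, ","), i;         /* length of this name */
        if (n == 8 && strncmp(list, "allprivs", 8) == 0) {
            mask = ALLPRIVS;
        } else {
            for (i = 0; i < NPRIVS; i++)
                if (strlen(PRIV_NAMES[i]) == n && strncmp(list, PRIV_NAMES[i], n) == 0)
                    break;
            if (i == NPRIVS) return -1;           /* "undefined process privilege" */
            mask |= 1u << i;
        }
        list += n;
        if (*list == ',') list++;
    }
    return (int)mask;
}

/* Outcomes, matching the messages under Diagnostics. */
enum { FP_OK = 0, FP_UNDEFINED, FP_BOTH_FIXED_AND_INHER };

/* Validates the -f and -i lists (null when absent) and computes the sets that
 * would be stored, limited to caller_max, the caller's maximum privilege set. */
int validate_request(const char *fixed, const char *inher, unsigned caller_max,
                     unsigned *fixed_out, unsigned *inher_out)
{
    int f = parse_privs(fixed), i = parse_privs(inher);
    if (f < 0 || i < 0) return FP_UNDEFINED;
    if ((unsigned)f & (unsigned)i) return FP_BOTH_FIXED_AND_INHER;
    if (fixed_out) *fixed_out = (unsigned)f & caller_max;
    if (inher_out) *inher_out = (unsigned)i & caller_max;
    return FP_OK;
}
```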
When deleting privilege information from a file,
the -d option is used.
However,
the -d option is also used to remove a non-existent
file from the privilege database.
If the file exists,
then the -d option deletes privileges.
If the file does not exist
because it is a spurious file or has been removed from the system
without the knowledge of the privilege administrator,
then the -d option removes this file from the privilege
database.
When no options are specified,
filepriv
displays the privileges associated with the named file(s).
Defaults
The file /etc/default/privcmds
contains the parameter GEN_CKSUM.
If the value of GEN_CKSUM is ``No'', filepriv
will not generate a check sum value for the Privilege Data File (PDF)
located in /etc/security/tcb/privs;
this results in faster
performance compared to generating the check sum value each time the
command is run.
If the value of this parameter is anything other than ``No''
(including NULL, the default), filepriv
generates a check sum each time it is run.
Examples
The following is an example of the output when filepriv is executed with one file:
    fixed priv,priv, . . .
    inher priv,priv, . . .
If no fixed privileges exist on the file, the fixed privilege line is not displayed.
If no inheritable privileges exist on the file, the inher privilege line is not displayed.
The space between the privilege type and privileges is a single tab (\t) character.
If more than one file is specified, then the file name followed by a colon (``:'') and a space character is printed before the privileges as follows:
    file1: fixed priv,priv, . . .
    file1: inher priv,priv, . . .
    file2: fixed priv,priv, . . .
    file2: inher priv,priv, . . .
    file3: fixed priv,priv, . . .
    file3: inher priv,priv, . . .
Files
- /etc/security/tcb/privs
  Privilege Data File
- /etc/default/privcmds
  defaults file
Diagnostics
filepriv exits with a return code of 0 upon successful completion.
If filepriv detects errors, the following messages may be displayed:
- undefined process privilege priv
- cannot use priv as both fixed and inheritable privilege
- cannot access file file
- file is not an executable file
- permission denied
- file is not an absolute pathname
- incompatible options specified
- no such file or directory for file file
- filepriv system call not in operation
- Bad entry found in /etc/security/tcb/privs
- the file file was not found in the privilege data file
- cannot create lock for /etc/security/tcb/privs
References
filepriv(2), initprivs(1M), Intro(2)
30 January 1998
© 1998 The Santa Cruz Operation, Inc. All rights reserved.