filepriv(1M) — UnixWare 2.01

       filepriv(1M)                                            filepriv(1M)


       NAME
             filepriv - set, delete, or display privilege information
             associated with a file

       SYNOPSIS
             filepriv [-f priv[, . . .]] [-i priv[, . . .]] file . . .
             filepriv -d file . . .

       DESCRIPTION
             filepriv is used to set, delete, or display the privilege
             information associated with a file.

             The following options are available:

             -d    used to delete the privileges associated with the named
                   file; also used to delete non-existent files from the
                   Privilege Data File (PDF).

             -f priv,priv, . . .
                   used to specify the fixed privileges associated with the
                   named file.

             -i priv,priv, . . .
                   used to specify the inheritable privileges associated
                   with the named file.

             The following describes the privileges that may be specified:

             priv [ +|-priv_name . . . ] set_name [ . . . ]

             For each set_name, priv sets or displays the privileges
             contained in that privilege set.  set_name may be either max
             for the maximum privilege set or work for the working set.
             priv_name is the name of a privilege.  If priv_names are
             supplied, priv scans the list and turns off those privileges
             that are preceded by a minus sign and turns on those that are
             preceded by a plus sign in each of the sets listed.  If no
             priv_names are supplied, the priv command prints the current
             list of privileges for each of the requested sets.

             The values for priv_name are:

                   allprivs    Represents all possible privileges.

                   audit       Required to manipulate the security audit
                               mechanisms.




                           Copyright 1994 Novell, Inc.               Page 1

                  auditwr     Required to write miscellaneous audit
                              records to the audit trail.

                  compat      Overrides specific restrictions that are
                              imposed solely for the confinement of covert
                              channels.

                  core        Required to dump a core image of a process
                              that is either privileged, setuid, or
                              setgid.  This privilege is not required to
                              dump the core image of a process that does
                              not meet the above conditions.

                  dacread     Overrides Discretionary Access Control (DAC)
                              restrictions but only for operations that do
                              not alter objects (that is, read and execute
                              permissions).  See ``Access Permissions''
                              below.

                  dacwrite    Overrides Discretionary Access Control
                              restrictions but only for operations that
                              alter objects (that is, write permission).
                              See ``Access Permissions'' below.

                  dev         Required to set or get device security
                              attributes to change the device level when
                              it is in private state, and to access a
                              device when it is in private state.  This
                              privilege is also used for special ioctl for
                              window management and to download trusted
                              software to a terminal driver.

                  driver      Provides compatibility with device drivers
                              developed by third party vendors.  It is
                              used when a sensitive operation needs to be
                              limited to a privileged process.

                  filesys     Required for privileged operations on a file
                              system that have relatively low sensitivity,
                              including the creation of links to
                              directories, setting the effective root
                              directory, and making special files.

                  fsysrange   Override file system range restrictions.

                   loadmod     Required to perform selective operations
                               associated with loadable modules.

                   macread     Overrides Mandatory Access Control (MAC)
                               restrictions but only for certain operations
                               that do not alter objects.  See ``Access
                               Permissions'' below.

                   macwrite    Overrides Mandatory Access Control
                               restrictions that involve the alteration of
                               objects or other MAC-related attributes.
                               See ``Access Permissions'' below.

                   macupgrade  Allows processes to upgrade (change the
                               existing level to a new dominating level)
                               files.

                   mount       Mount or unmount a file system or set and
                               get the ceiling level of a file system.

                   multidir    Required for creation of multilevel
                               directories.

                   owner       Required to change the attributes of a file
                               (that is, information kept in the file's
                               inode) that is not owned by the effective
                               uid of the calling process.  See ``Access
                               Permissions'' below.

                   plock       Required to lock a process in memory.

                   setflevel   Required to change the security level of
                               objects (for block or character special
                               files that are in the public state only),
                               subject to some restrictions.

                   setplevel   Required to change the security level of a
                               process (including the process's own level),
                               subject to some restrictions.

                   setspriv    Administrative privilege required to set the
                               inheritable and fixed privileges on files.
                               This privilege overrides access and
                               ownership restrictions.


                  setuid      Required in order to set the real and
                              effective user and group IDs of a process.

                  setupriv    Privilege required for an otherwise
                              unprivileged process to set the inheritable
                              and fixed privileges on a file.  This
                              privilege does not override access or
                              ownership restrictions.

                  sysops      Required to perform several general system
                              operations that have only minor security
                              implications.

                  tshar       Required to raise the priority of a time
                              sharing process or to set the user priority
                              limit to a value greater than 0.

                  rtime       Required by processes that do real-time
                              operations.

                  Access Permissions:

                  Access permissions are associated with the priv_name
                  entries.

                  Access checking is performed whenever a subject (such as
                  a process) tries to access an object (such as a file or
                  directory).  Permission to access an object is granted
                  or denied on the basis of mode bits.

                  The mode bits are known as Discretionary Access Control
                  (DAC).  Mandatory Access Control (MAC) privileges are
                  defined; however, they may not be supported on the
                  system you are using.

                  The standard file access permission bit checks are
                  performed to determine if the process requesting access
                  to the object has permission to access it in the manner
                  (read, write, and/or execute/search) requested.  Each
                  access mode requested is checked separately using the
                  following algorithm:

                  If the effective user ID of the process is equal to the
                  user ID of the owner of the file, and the requested
                  access mode bit is set in the ``owner'' bits of the
                  mode, access is granted; otherwise access checking
                   continues.

                   If the effective group ID (or any of the supplementary
                   group IDs of the process) matches the owning group of
                   the file and the requested access mode bit is set in the
                   ``group'' bits of the mode, access is granted;
                   otherwise, access checking continues.

                   If the above checks fail, and the requested access mode
                   bit is set in the ``other'' bits of the mode, access is
                   granted; otherwise, access is denied (EACCES is
                   returned).

                   These checks are performed on every component of the
                   pathname, including the object itself.  If any of the
                   checks fail, the privileges of the calling process are
                   examined to determine if the calling process has the
                   appropriate privilege for the mode requested (dacread
                   for read and execute/search access, dacwrite for write
                   access).
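
The access check described above, for a single object, written out as an added shell sketch (not part of the original manual page). The function names and argument layout are hypothetical; the decision order follows the text as worded here, including the fall-through when the owner bit is clear.

```sh
#!/bin/sh
# Added illustration of the DAC check in filepriv(1M); all names are hypothetical.

# bit_for WANT -> the permission bit for r, w or x within one 3-bit class
bit_for() {
    case "$1" in
        r) echo 4 ;; w) echo 2 ;; x) echo 1 ;;
        *) return 1 ;;
    esac
}

# in_list ITEM WORD... -> succeeds if ITEM equals one of the WORDs
in_list() {
    item=$1; shift
    for w in "$@"; do [ "$w" = "$item" ] && return 0; done
    return 1
}

# dac_check MODE OWNER GROUP EUID "GIDS" WANT "PRIVS"
#   MODE  octal mode with a leading 0 (e.g. 0640)
#   GIDS  effective plus supplementary group IDs, space separated
#   PRIVS privilege names held by the calling process, space separated
# Prints what decided the request: owner, group, other, priv:<name> or EACCES.
dac_check() {
    mode=$1 owner=$2 group=$3 euid=$4 gids=$5 want=$6 privs=$7
    bit=$(bit_for "$want") || { echo "bad access mode"; return 2; }

    # 1. Owner match AND owner bit set; otherwise checking continues.
    if [ "$euid" = "$owner" ] && [ $(( ($mode >> 6) & bit )) -ne 0 ]; then
        echo owner; return 0
    fi
    # 2. Any group ID matches the owning group AND group bit set.
    if in_list "$group" $gids && [ $(( ($mode >> 3) & bit )) -ne 0 ]; then
        echo group; return 0
    fi
    # 3. "Other" bits.
    if [ $(( $mode & bit )) -ne 0 ]; then
        echo other; return 0
    fi
    # 4. Mode bits failed: dacread covers read and execute/search,
    #    dacwrite covers write.
    case "$want" in w) need=dacwrite ;; *) need=dacread ;; esac
    if in_list "$need" $privs; then echo "priv:$need"; return 0; fi
    echo EACCES; return 1
}

# Constructed cases: owner lacks the write bit but the group class has it,
# then a non-owner reading a 0600 file with and without dacread.
dac_check 0460 100 50 100 "50" w ""
dac_check 0600 100 50 200 "60" r "dacread"
dac_check 0600 100 50 200 "60" r ""
```

The manual applies these checks to every component of the pathname; the sketch evaluates one object only.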

                   Example:

                   This example adds owner and audit privileges and deletes
                   dacread privilege from the working set:

                         priv +owner +audit -dacread work

             Privilege information is stored in the Privilege Data File
             (PDF) located in /etc/security/tcb/privs.

             filepriv must have the P_SETSPRIV and P_SETUPRIV privileges
             when setting or deleting file privileges, otherwise permission
             is denied.

             The argument priv is defined as a process privilege name [see
             intro(2)].  The argument allprivs can be used to set or delete
             all the process privileges available.  The file argument must
             be an absolute pathname of an executable file when setting or
             deleting file privileges.  There must be at least one file
             argument specified; otherwise, filepriv exits with an error.

             filepriv calls the realpath routine to resolve symbolic links.
             In this way, when new privileges are entered into the
             Privilege Data File for a symbolic link on a file that already
             exists in the PDF, the privileges are associated correctly.

            When setting file privileges, all fixed and inheritable
            privileges on the specified file are removed before those
            privileges specified by the -f and -i options are applied.
            Also, filepriv will set only privileges allowed by the maximum
            set of privileges on the process calling filepriv(2) as
            defined by the Privilege Data File.

            The filepriv command exits with an error if the -f and -i
            options are specified and the same privilege exists in both.

            When deleting privilege information from a file, the -d option
            is used.  However, the -d option is also used to remove a
            non-existent file from the privilege database.  If the file
            exists, then the -d option deletes privileges.  If the file
            does not exist because it is a spurious file or has been
            removed from the system without the knowledge of the privilege
            administrator, then the -d option removes this file from the
            privilege database.

            When no options are specified, filepriv displays the
            privileges associated with the named file(s).

         Defaults
            The file /etc/default/privcmds contains the following
            parameter:

            GEN_CKSUM
                    If the value of this parameter is No, then the
                    filepriv command will not generate a check sum value
                    for the Privilege Data File (PDF) located in
                    /etc/security/tcb/privs;  this results in faster
                    performance compared to generating the check sum value
                    each time the command is run.  If the value of this
                    parameter is anything other than No (including NULL,
                    the default), then the filepriv command generates a
                    check sum each time it is run.

      EXAMPLES
            The following is an example of the output when filepriv is
            executed with one file:

                  fixed     priv,priv, . . .
                  inher     priv,priv, . . .

             If no fixed privileges exist on the file, the fixed privilege
             line is not displayed.  If no inheritable privileges exist on
             the file, the inher privilege line is not displayed.  The
             space between the privilege type and privileges is a single
             tab (\t) character.

             If more than one file is specified, then the file name
             followed by a colon (:) and space character is printed before
             the privileges as follows:

                   file1: fixed     priv,priv, . . .
                   file1: inher     priv,priv, . . .
                   file2: fixed     priv,priv, . . .
                   file2: inher     priv,priv, . . .
                   file3: fixed     priv,priv, . . .
                   file3: inher     priv,priv, . . .
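
A review script for the output format documented above, added here as an example (it is not part of the original manual page). It parses both the single-file and the multi-file form and reports every privilege that appears on a caller-supplied watch list; the function names, the sample paths and the choice of watch list are assumptions.

```sh
#!/bin/sh
# Added illustration: scan filepriv display output for watched privileges.
# Function names and sample data are hypothetical.

# flag_privs WATCHLIST   (reads filepriv output on stdin)
#   WATCHLIST is a comma-separated list of privilege names.
# Prints one line per hit: "<file> <fixed|inher> <priv>".
# For single-file output, which carries no file name, <file> is "-".
flag_privs() {
    awk -F '\t' -v watch="$1" '
    BEGIN {
        n = split(watch, w, ",")
        for (i = 1; i <= n; i++) risky[w[i]] = 1
    }
    # A valid line is "<type>\t<privs>" or "<file>: <type>\t<privs>":
    # exactly one tab between the privilege type and the list.
    NF == 2 {
        type = $1; file = "-"
        if (match($1, /: (fixed|inher)$/)) {
            file = substr($1, 1, RSTART - 1)
            type = substr($1, RSTART + 2)
        }
        if (type != "fixed" && type != "inher") next
        m = split($2, p, ",")
        for (i = 1; i <= m; i++)
            if (p[i] in risky) print file, type, p[i]
    }'
}

# Constructed sample in the multi-file format (not real system output).
sample_output() {
    printf '/opt/example/bin/backup: fixed\tdacread,dacwrite\n'
    printf '/opt/example/bin/backup: inher\taudit\n'
    printf '/opt/example/bin/report: inher\tdacwrite,sysops\n'
    printf '/opt/example/bin/admin: fixed\tallprivs\n'
}

# Example run against the constructed sample.
sample_output | flag_privs "allprivs,setspriv,dacwrite"
```

On a live system the input would come from running filepriv with no options on the files under review.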

       FILES
             /etc/security/tcb/privs
                               Privilege Data File

             /etc/default/privcmds
                               Default file.

       REFERENCES
             filepriv(2),
             initprivs(1M)
             intro(2) for a list of the available privileges and their meanings

       DIAGNOSTICS
             filepriv exits with a return code of 0 upon successful
             completion.

             If filepriv detects errors, the following messages may be
             displayed:

                   undefined process privilege ``priv''

                   cannot use ``priv'' as both fixed and inheritable
                   privilege

                   cannot access file ``file''

                   ``file'' is not an executable file

                  permission denied

                  ``file'' is not an absolute pathname

                  incompatible options specified

                  no such file or directory for file ``file''

                  ``filepriv'' system call not in operation

                  Bad entry found in ``/etc/security/tcb/privs''

                  the file ``file'' was not found in the privilege data
                  file

                  cannot create lock for ``/etc/security/tcb/privs''
