filepriv(1M) filepriv(1M)
NAME
filepriv - set, delete, or display privilege information
associated with a file
SYNOPSIS
filepriv [-f priv[, . . .]] [-i priv[, . . .]] file . . .
filepriv -d file . . .
DESCRIPTION
filepriv is used to set, delete, or display the privilege
information associated with a file.
The following options are available:
-d used to delete the privileges associated with the named
file; also used to delete non-existent files from the
Privilege Data File (PDF).
-f priv,priv, . . .
used to specify the fixed privileges associated with the
named file.
-i priv,priv, . . .
used to specify the inheritable privileges associated
with the named file.
The following describes the privileges that may be specified:
priv [ +|-priv_name . . . ] set_name [ . . . ]
For each set_name, priv sets or displays the privileges contained in
that privilege set. set_name may be either max for the maximum
privilege set or work for the working set. priv_name is the name of a
privilege. If priv_names are supplied, priv scans the list and turns
off those privileges that are preceded by a minus sign and turns on
those that are preceded by a plus sign in each of the sets listed. If
no priv_names are supplied, the priv command prints the current list
of privileges for each of the requested sets.
The values for priv_name are:
allprivs Represents all possible privileges.
audit Required to manipulate the security audit
mechanisms.
Copyright 1994 Novell, Inc. Page 1
auditwr Required to write miscellaneous audit
records to the audit trail.
compat Overrides specific restrictions that are
imposed solely for the confinement of covert
channels.
core Required to dump a core image of a process
that is either privileged, setuid, or
setgid. This privilege is not required to
dump the core image of a process that does
not meet the above conditions.
dacread Overrides Discretionary Access Control (DAC)
restrictions but only for operations that do
not alter objects (that is, read and execute
permissions). See ``Access Permissions''
below.
dacwrite Overrides Discretionary Access Control
restrictions but only for operations that
alter objects (that is, write permission).
See ``Access Permissions'' below.
dev Required to set or get device security
attributes to change the device level when
it is in private state, and to access a
device when it is in private state. This
privilege is also used for special ioctl for
window management and to download trusted
software to a terminal driver.
driver Provides compatibility with device drivers
developed by third party vendors. It is
used when a sensitive operation needs to be
limited to a privileged process.
filesys Required for privileged operations on a file
system that have relatively low sensitivity,
including the creation of links to
directories, setting the effective root
directory, and making special files.
fsysrange Overrides file system range restrictions.
loadmod Required to perform selective operations
associated with loadable modules.
macread Overrides Mandatory Access Control (MAC)
restrictions but only for certain operations
that do not alter objects. See ``Access
Permissions'' below.
macwrite Overrides Mandatory Access Control
restrictions that involve the alteration of
objects or other MAC-related attributes.
See ``Access Permissions'' below.
macupgrade Allows processes to upgrade (change the
existing level to a new dominating level)
files.
mount Mount or unmount a file system or set and
get the ceiling level of a file system.
multidir Required for creation of multilevel
directories.
owner Required to change the attributes of a file
(that is, information kept in the file's
inode) that is not owned by the effective
uid of the calling process. See ``Access
Permissions'' below.
plock Required to lock a process in memory.
setflevel Required to change the security level of
objects (for block or character special
files that are in the public state only),
subject to some restrictions.
setplevel Required to change the security level of a
process (including the process's own level),
subject to some restrictions.
setspriv Administrative privilege required to set the
inheritable and fixed privileges on files.
This privilege overrides access and
ownership restrictions.
setuid Required in order to set the real and
effective user and group IDs of a process.
setupriv Privilege required for an otherwise
unprivileged process to set the inheritable
and fixed privileges on a file. This
privilege does not override access or
ownership restrictions.
sysops Required to perform several general system
operations that have only minor security
implications.
tshar Required to raise the priority of a time
sharing process or to set the user priority
limit to a value greater than 0.
rtime Required by processes that do real-time
operations.
Access Permissions:
Access permissions are associated with the priv_name
entries.
Access checking is performed whenever a subject (such as
a process) tries to access an object (such as a file or
directory). Permission to access an object is granted
or denied on the basis of mode bits.
The mode bits are known as Discretionary Access Control
(DAC). Mandatory Access Control (MAC) privileges are
defined; however, they may not be supported on the
system you are using.
The standard file access permission bit checks are
performed to determine if the process requesting access
to the object has permission to access it in the manner
(read, write, and/or execute/search) requested. Each
access mode requested is checked separately using the
following algorithm:
If the effective user ID of the process is equal to the
user ID of the owner of the file, and the requested
access mode bit is set in the ``owner'' bits of the
mode, access is granted; otherwise access checking
continues.
If the effective group ID (or any of the supplementary
group IDs of the process) matches the owning group of
the file and the requested access mode bit is set in the
``group'' bits of the mode, access is granted;
otherwise, access checking continues.
If the above checks fail, and the requested access mode
bit is set in the ``other'' bits of the mode, access is
granted; otherwise, access is denied (EACCES is
returned).
These checks are performed on every component of the
pathname, including the object itself. If any of the
checks fail, the privileges of the calling process are
examined to determine if the calling process has the
appropriate privilege for the mode requested (dacread
for read and execute/search access, dacwrite for write
access).
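The access-check algorithm described above, written out as an added example (not code from the filepriv(1M) page or from UnixWare): each failed mode-bit check falls through to the next, and only after all three fail are the dacread and dacwrite privileges consulted. The struct, constant and function names are constructed for this illustration.

```c
/* Added example, not from the filepriv(1M) page: a model of the DAC check
 * under "Access Permissions", with the dacread/dacwrite privilege fallback.
 * Struct, constant and function names are constructed for this illustration. */
#include <errno.h>
#include <stddef.h>

#define PRIV_DACREAD  0x1u    /* constructed bit values for the two privileges */
#define PRIV_DACWRITE 0x2u
#define ACC_READ  4           /* requested access modes, laid out like mode bits */
#define ACC_WRITE 2
#define ACC_EXEC  1           /* execute, or search for a directory */

struct cred {                 /* the subject: a process */
    unsigned euid, egid, privs;
    const unsigned *groups;   /* supplementary group IDs */
    size_t ngroups;
};
struct fattr { unsigned uid, gid, mode; };   /* the object: owner, group, mode bits */

static int in_groups(const struct cred *c, unsigned gid)
{
    if (c->egid == gid) return 1;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid) return 1;
    return 0;
}

/* One access mode against one object; 0 = granted, EACCES = denied.
 * A failed owner or group check continues to the next check, as the page
 * states; privileges are examined only after all mode-bit checks fail. */
int dac_check_one(const struct cred *c, const struct fattr *f, int acc)
{
    if (c->euid == f->uid && (f->mode & (unsigned)(acc << 6))) return 0;  /* owner bits */
    if (in_groups(c, f->gid) && (f->mode & (unsigned)(acc << 3))) return 0; /* group bits */
    if (f->mode & (unsigned)acc) return 0;                                  /* other bits */
    unsigned need = (acc == ACC_WRITE) ? PRIV_DACWRITE : PRIV_DACREAD;
    return (c->privs & need) ? 0 : EACCES;
}

/* Every directory component needs search (execute) access; the object
 * itself is then checked separately for each requested mode bit. */
int dac_check_path(const struct cred *c, const struct fattr *dirs, size_t ndirs,
                   const struct fattr *obj, int req)
{
    for (size_t i = 0; i < ndirs; i++)
        if (dac_check_one(c, &dirs[i], ACC_EXEC) != 0) return EACCES;
    for (int acc = ACC_READ; acc != 0; acc >>= 1)
        if ((req & acc) && dac_check_one(c, obj, acc) != 0) return EACCES;
    return 0;
}
```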
Example:
This example adds the owner and audit privileges and deletes the
dacread privilege from the working set:
priv +owner +audit -dacread work
Privilege information is stored in the Privilege Data File
(PDF) located in /etc/security/tcb/privs.
filepriv must have the P_SETSPRIV and P_SETUPRIV privileges when
setting or deleting file privileges; otherwise, permission is denied.
The argument priv is defined as a process privilege name [see
intro(2)]. The argument allprivs can be used to set or delete
all the process privileges available. The file argument must
be an absolute pathname of an executable file when setting or
deleting file privileges. There must be at least one file
argument specified; otherwise, filepriv exits with an error.
filepriv calls the realpath routine to resolve symbolic links.
In this way, when new privileges are entered into the
Privilege Data File for a symbolic link on a file that already
exists in the PDF, the privileges are associated correctly.
When setting file privileges, all fixed and inheritable
privileges on the specified file are removed before those
privileges specified by the -f and -i options are applied.
Also, filepriv will set only privileges allowed by the maximum
set of privileges on the process calling filepriv(2) as
defined by the Privilege Data File.
The filepriv command exits with an error if the -f and -i
options are specified and the same privilege exists in both.
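The rules just described for -f and -i, as an added example (not code from the filepriv(1M) page or from UnixWare): privilege names must be defined, a privilege may not appear in both lists, only privileges in the caller's maximum set are granted, and the old sets are replaced rather than merged. The bit layout, struct and function names are constructed; the real Privilege Data File format is not modelled.

```c
/* Added example, not from the filepriv(1M) page: a model of the checks the
 * text describes for setting privileges with -f and -i. Privilege names are
 * those listed on the page; the bit layout and the names below are constructed. */
#include <stddef.h>
#include <string.h>

static const char *const priv_names[] = {
    "allprivs", "audit", "auditwr", "compat", "core", "dacread", "dacwrite",
    "dev", "driver", "filesys", "fsysrange", "loadmod", "macread", "macwrite",
    "macupgrade", "mount", "multidir", "owner", "plock", "setflevel",
    "setplevel", "setspriv", "setuid", "setupriv", "sysops", "tshar", "rtime" };
#define NPRIVS (sizeof priv_names / sizeof priv_names[0])
#define ALL_MASK (((1u << NPRIVS) - 1u) & ~1u)   /* every privilege except the allprivs keyword */

struct pdf_entry { unsigned fixed, inher; };      /* one file's privilege sets */
enum { OK = 0, ERR_UNDEFINED = 1, ERR_BOTH = 2 };

/* Bit for one exact privilege name, 0 if undefined; "allprivs" expands to all. */
unsigned priv_mask(const char *name)
{
    for (size_t i = 0; i < NPRIVS; i++)
        if (strcmp(name, priv_names[i]) == 0) return i == 0 ? ALL_MASK : (1u << i);
    return 0;
}

/* Parse "priv,priv,..." into a mask; an empty list (NULL) yields 0. */
static int parse_privs(const char *list, unsigned *mask)
{
    char name[32];
    *mask = 0;
    while (list && *list) {
        const char *end = strchr(list, ',');
        size_t len = end ? (size_t)(end - list) : strlen(list);
        if (len == 0 || len >= sizeof name) return ERR_UNDEFINED;
        memcpy(name, list, len); name[len] = '\0';
        unsigned bit = priv_mask(name);
        if (bit == 0) return ERR_UNDEFINED;     /* "undefined process privilege" */
        *mask |= bit;
        list = end ? end + 1 : NULL;
    }
    return OK;
}

/* Replace a file's sets as the page describes: the same privilege in both
 * lists is an error, only privileges in the caller's maximum set are set
 * (others are dropped here, an assumption), and the old sets are discarded. */
int filepriv_set(struct pdf_entry *e, const char *f_opt, const char *i_opt,
                 unsigned caller_max)
{
    unsigned f, i; int rc;
    if ((rc = parse_privs(f_opt, &f)) != OK) return rc;
    if ((rc = parse_privs(i_opt, &i)) != OK) return rc;
    if (f & i) return ERR_BOTH;     /* "cannot use priv as both fixed and inheritable" */
    e->fixed = f & caller_max; e->inher = i & caller_max;
    return OK;
}
```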
When deleting privilege information from a file, the -d option
is used. However, the -d option is also used to remove a
non-existent file from the privilege database. If the file
exists, then the -d option deletes privileges. If the file
does not exist because it is a spurious file or has been
removed from the system without the knowledge of the privilege
administrator, then the -d option removes this file from the
privilege database.
When no options are specified, filepriv displays the
privileges associated with the named file(s).
Defaults
The file /etc/default/privcmds contains the following
parameter:
GEN_CKSUM
If the value of this parameter is No, then the
filepriv command will not generate a check sum value
for the Privilege Data File (PDF) located in
/etc/security/tcb/privs; this results in faster
performance compared to generating the check sum value
each time the command is run. If the value of this
parameter is anything other than No (including NULL,
the default), then the filepriv command generates a
check sum each time it is run.
EXAMPLES
The following is an example of the output when filepriv is
executed with one file:
fixed priv,priv, . . .
inher priv,priv, . . .
If no fixed privileges exist on the file, the fixed privilege
line is not displayed. If no inheritable privileges exist on
the file, the inher privilege line is not displayed. The
space between the privilege type and privileges is a single
tab (\t) character.
If more than one file is specified, then the file name
followed by a colon (:) and space character is printed before
the privileges as follows:
file1: fixed priv,priv, . . .
file1: inher priv,priv, . . .
file2: fixed priv,priv, . . .
file2: inher priv,priv, . . .
file3: fixed priv,priv, . . .
file3: inher priv,priv, . . .
FILES
/etc/security/tcb/privs
Privilege Data File
/etc/default/privcmds
Default file.
REFERENCES
filepriv(2), initprivs(1M)
intro(2) for a list of the available privileges and their meanings
DIAGNOSTICS
filepriv exits with a return code of 0 upon successful
completion.
If filepriv detects errors, the following messages may be
displayed:
undefined process privilege ``priv''
cannot use ``priv'' as both fixed and inheritable privilege
cannot access file ``file''
``file'' is not an executable file
permission denied
``file'' is not an absolute pathname
incompatible options specified
no such file or directory for file ``file''
``filepriv'' system call not in operation
Bad entry found in ``/etc/security/tcb/privs''
the file ``file'' was not found in the privilege data file
cannot create lock for ``/etc/security/tcb/privs''