'\" te .\" Copyright (c) 2008, 2013, Oracle and/or its affiliates. All rights reserved. .TH ppriv 1 "21 Feb 2012" "SunOS 5.11" "User Commands" .SH NAME ppriv \- inspect or modify process privilege sets and attributes .SH SYNOPSIS .LP .nf \fB/usr/bin/ppriv\fR \fB-e\fR [\fB-f\fR {\fB+-}{ADMPTUX\fR}] [\fB-s\fR \fIspec\fR] [\fB-r\fR \fIrule\fR] \fIcommand\fR [\fIarg\fR]... .fi .LP .nf \fB/usr/bin/ppriv\fR [\fB-vn\fR] [ \fB-f\fR {\fB+-}{ADMPTUX\fR}] [\fB-S\fR] [\fB-s\fR \fIspec\fR] [\fB-r\fR \fIrule\fR] [\fIpid\fR | \fIcore\fR]... .fi .LP .nf \fB/usr/bin/ppriv\fR \fB-l\fR [\fB-vn\fR] [\fIprivilege-specification\fR | \fIextended-policy\fR]... .fi .LP .nf \fB/usr/bin/ppriv\fR \fB-q\fR [\fB-f\fR {\fB+-}{ADMPTUX\fR}] [\fIprivilege-specification\fR] .fi .SH DESCRIPTION .sp .LP The first invocation of the \fBppriv\fR command runs the \fIcommand\fR specified with the privilege sets and flags modified according to the arguments on the command line. .sp .LP The second invocation examines or changes the privilege state of running process and core files. .sp .LP The third invocation lists the privileges defined and information about specified privileges or privileges set specifications. .SH OPTIONS .sp .LP The following options are supported: .sp .ne 2 .mk .na \fB\fB-D\fR\fR .ad .RS 20n .rt Obsolete. Same as \fB-f\fR \fB+D\fR. .RE .sp .ne 2 .mk .na \fB\fB-e\fR\fR .ad .RS 20n .rt Interprets the remainder of the arguments as a command line and runs the command line with specified privilege attributes and sets. .RE .sp .ne 2 .mk .na \fB\fB-f\fR {\fB+-}{ADMPTUX\fR}\fR .ad .RS 20n .rt Sets or unsets process flags (see \fBsetpflags\fR(2)) for the processes or the command supplied. .sp .ne 2 .mk .na \fBD\fR .ad .RS 5n .rt PRIV_DEBUG .RE .sp .ne 2 .mk .na \fBM\fR .ad .RS 5n .rt NET_MAC_AWARE, NET_MAC_AWARE_INHERIT .RE .sp .ne 2 .mk .na \fBP\fR .ad .RS 5n .rt PRIV_PFEXEC .RE .sp .ne 2 .mk .na \fBA\fR .ad .RS 5n .rt PRIV_PFEXEC_AUTH .RE .sp .ne 2 .mk .na \fBT\fR .ad .RS 5n .rt PRIV_PROC_TPD .RE .sp .ne 2 .mk .na \fBU\fR .ad .RS 5n .rt PRIV_TPD_UNSAFE .RE .sp .ne 2 .mk .na \fBX\fR .ad .RS 5n .rt PRIV_XPOLICY .RE .RE .sp .ne 2 .mk .na \fB\fB-l\fR\fR .ad .RS 20n .rt Lists all currently defined privileges on \fBstdout\fR. .RE .sp .ne 2 .mk .na \fB\fB-M\fR\fR .ad .RS 20n .rt Obsolete. Same as \fB-f\fR \fB+M\fR. .RE .sp .ne 2 .mk .na \fB\fB-n\fR\fR .ad .RS 20n .rt Show port numbers and users as numbers. Normally, \fBppriv\fR shows port numbers and users as symbols. This option is only applicable when displaying Extended Policies. .RE .sp .ne 2 .mk .na \fB\fB-N\fR\fR .ad .RS 20n .rt Obsolete. Same as \fB-f\fR \fB-D\fR. .RE .sp .ne 2 .mk .na \fB\fB-s\fR \fIspec\fR\fR .ad .RS 20n .rt Modifies a process's privilege sets according to \fIspec\fR, a specification with the format \fB[AEILP][+-=]\fR\fIprivsetspec\fR, containing no spaces, where: .sp .ne 2 .mk .na \fB\fBAEILP\fR\fR .ad .RS 15n .rt Indicates one or more letters indicating which privilege sets to change. These are case insensitive, for example, either \fBa\fR or \fBA\fR indicates all privilege sets. .sp For definitions of the single letter abbreviations for privilege sets, see \fBprivileges\fR(5). .RE .sp .ne 2 .mk .na \fB\fB+-=\fR\fR .ad .RS 15n .rt Indicates a modifier to respectively add (\fB+\fR), remove (\fB-\fR), or assign (\fB=\fR) the listed privileges to the specified set(s) in \fIprivsetspec\fR. .RE .sp .ne 2 .mk .na \fB\fIprivsetspec\fR\fR .ad .RS 15n .rt Indicates a comma-separated privilege set specification (\fBpriv1\fR,\fBpriv2\fR, and so on), as described in \fBpriv_str_to_set\fR(3C). .RE Modifying the same set with multiple \fB-s\fR options is possible as long as there is either precisely one assignment to an individual set or any number of additions and removals. That is, assignment and addition or removal for one set are mutually exclusive. .RE .sp .ne 2 .mk .na \fB\fB-q\fR\fR .ad .RS 20n .rt Tests whether privileges are in the effective set and whether flags are set or non-set. The programs exits successfully when all tests are fullfilled. .RE .sp .ne 2 .mk .na \fB\fB-r\fR \fIrule\fR\fR .ad .RS 20n .rt Install an Extended Policy. See \fBprivileges\fR(5). .sp Multiple rules can be specified. The new rules are added to the existing policy. To replace an existing policy, first remove it with \fB-X\fR, and then add the new policy with \fB-r\fR. .RE .sp .ne 2 .mk .na \fB\fB-S\fR\fR .ad .RS 20n .rt Short. Reports the shortest possible output strings for sets. The default is portable output. See \fBpriv_str_to_set\fR(3C). .RE .sp .ne 2 .mk .na \fB\fB-X\fR\fR .ad .RS 20n .rt Obsolete. Same as \fB-f\fR \fB-X\fR. .RE .sp .ne 2 .mk .na \fB\fB-v\fR\fR .ad .RS 20n .rt Verbose. Reports privilege sets using privilege names. .RE .SH USAGE .sp .LP The \fBppriv\fR utility examines processes and core files and prints or changes their privilege sets. .sp .LP \fBppriv\fR can run commands with privilege debugging on or off or with fewer privileges than the invoking process. .sp .LP When executing a sub process, the only sets that can be modified are \fBL\fR and \fBI\fR. Privileges can only be removed from \fBL\fR and \fBI\fR as \fBppriv\fR starts with \fBP=E=I\fR. .sp .LP \fBppriv\fR can also be used to remove privileges from processes or to convey privileges to other processes. In order to control a process, the effective set of the \fBppriv\fR utility must be a super set of the controlled process's \fBE\fR, \fBI\fR, and \fBP\fR. The utility's limit set must be a super set of the target's limit set. If the target's process uids do not match, the \fB{PRIV_PROC_OWNER}\fR privilege must be asserted in the utility's effective set. If the controlled processes have any uid with the value \fB0\fR, more restrictions might exist. See \fBprivileges\fR(5). .SH EXAMPLES .LP \fBExample 1 \fRObtaining the Process Privileges of the Current Shell .sp .LP The following example obtains the process privileges of the current shell: .sp .in +2 .nf example$ ppriv $$ 387: -sh flags = E: basic I: basic P: basic L: all .fi .in -2 .sp .LP \fBExample 2 \fRRemoving a Privilege From Your Shell's Inheritable and Effective Set .sp .LP The following example removes a privilege from your shell's inheritable and effective set. .sp .in +2 .nf example$ ppriv -s EI-proc_session $$ .fi .in -2 .sp .sp .LP The subprocess can still inspect the parent shell but it can no longer influence the parent because the parent has more privileges in its Permitted set than the \fBppriv\fR child process: .sp .in +2 .nf example$ truss -p $$ truss: permission denied: 387 example$ ppriv $$ 387: -sh flags = E: basic,!proc_session I: basic,!proc_session P: basic L: all .fi .in -2 .sp .LP \fBExample 3 \fRRunning a Process with Privilege Debugging .sp .LP The following example runs a process with privilege debugging: .sp .in +2 .nf example$ ppriv -e -f +D cat /etc/shadow cat[418]: missing privilege "file_dac_read" (euid = 21782), needed at ufs_access+0x3c cat: cannot open /etc/shadow .fi .in -2 .sp .sp .LP The privilege debugging error messages are sent to the controlling terminal of the current process. The \fBneeded at\fR address specification is an artifact of the kernel implementation and it can be changed at any time after a software update. .sp .LP The system call number can be mapped to a system call using \fB/etc/name_to_sysnum\fR. .LP \fBExample 4 \fRListing the Privileges Available in the Current Zone .sp .LP The following example lists the privileges available in the current zone (see \fBzones\fR(5)). When run in the global zone, all defined privileges are listed. .sp .in +2 .nf example$ ppriv -l zone ... listing of all privileges elided ... .fi .in -2 .sp .LP \fBExample 5 \fRExamining a Privilege Aware Process .sp .LP The following example examines a privilege aware process: .sp .in +2 .nf example$ ppriv -S `pgrep rpcbind` 928: /usr/sbin/rpcbind flags = PRIV_AWARE E: net_privaddr,proc_fork,sys_nfs I: none P: net_privaddr,proc_fork,sys_nfs L: none .fi .in -2 .sp .sp .LP See \fBsetpflags\fR(2) for explanations of the flags. .LP \fBExample 6 \fRRunning a Process Under an Extended Policy .sp .LP The following example runs a process under an extended policy: .sp .in +2 .nf example$ ppriv -r '{file_write}:/home/casper/.mozilla/*' \e -r '{file_write}:/tmp/*,{proc_exec}:/usr/*' -e firefox .fi .in -2 .sp .sp .LP See \fBprivileges\fR(5). .LP \fBExample 7 \fRExamining a Process that Has been Started .sp .LP The following example examines the process that was started in example 6: .sp .in +2 .nf example$ ppriv 101272 101272: /usr/lib/firefox/firefox-bin flags = PRIV_XPOLICY Extended policies: {file_write}:/home/casper/.mozilla/* {file_write}:/tmp/* {proc_exec}:/usr/* E: basic,!file_write,!proc_exec I: basic,!file_write,!proc_exec P: basic,!file_write,!proc_exec L: all .fi .in -2 .sp .LP \fBExample 8 \fRTesting for Flags and Privileges. .sp .LP The following example tests for flags and privileges. .sp .in +2 .nf example$ if ppriv -q -f +D file_read; then echo Privilege debugging is enabled echo and file_read privilege detected .fi .in -2 .sp .SH EXIT STATUS .sp .LP The following exit values are returned: .sp .ne 2 .mk .na \fB\fB0\fR\fR .ad .RS 12n .rt Successful operation. .RE .sp .ne 2 .mk .na \fBnon-zero\fR .ad .RS 12n .rt An error has occurred. .RE .SH FILES .sp .ne 2 .mk .na \fB\fB/proc/*\fR\fR .ad .RS 23n .rt Process files .RE .sp .ne 2 .mk .na \fB\fB/etc/name_to_sysnum\fR\fR .ad .RS 23n .rt system call name to number mapping .RE .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) . ATTRIBUTE TYPEATTRIBUTE VALUE _ Availabilitysystem/core-os _ Interface StabilitySee below. .TE .sp .LP The invocation is Committed. The output is Uncommitted. .SH SEE ALSO .sp .LP \fBgcore\fR(1), \fBtruss\fR(1), \fBsetpflags\fR(2), \fBpriv_str_to_set\fR(3C), \fBproc\fR(4), \fBattributes\fR(5), \fBprivileges\fR(5), \fBtpd\fR(5), \fBzones\fR(5)