System Administration Guide: Virtualization Using the Solaris Operating System

Privileges in a Non-Global Zone

Processes are restricted to a subset of privileges. Privilege restriction prevents a zone from performing operations that might affect other zones. The set of privileges limits the capabilities of privileged users within the zone. To display the list of privileges available from within a given zone, use the ppriv utility.

The following table lists all of the Solaris privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property. Required privileges must be included in the resulting privilege set. Prohibited privileges cannot be included in the resulting privilege set.

Table 26-1 Status of Privileges in Zones

Privilege | Status | Notes
--- | --- | ---
cpc_cpu | Optional | Access to certain cpc(3CPC) counters
dtrace_proc | Optional | fasttrap and pid providers; plockstat(1M)
dtrace_user | Optional | profile and syscall providers
gart_access | Optional | ioctl(2) access to agpgart_io(7I)
gart_map | Optional | mmap(2) access to agpgart_io(7I)
net_rawaccess | Optional in shared-IP zones. Default in exclusive-IP zones. | Raw PF_INET/PF_INET6 packet access
proc_clock_highres | Optional | Use of high resolution timers
proc_priocntl | Optional | Scheduling control; priocntl(1)
sys_ipc_config | Optional | Raising IPC message queue buffer size
sys_time | Optional | System time manipulation; xntp(1M)
dtrace_kernel | Prohibited | Currently unsupported
proc_zone | Prohibited | Currently unsupported
sys_config | Prohibited | Currently unsupported
sys_devices | Prohibited | Currently unsupported
sys_linkdir | Prohibited | Currently unsupported
sys_net_config | Prohibited | Currently unsupported
sys_res_config | Prohibited | Currently unsupported
sys_suser_compat | Prohibited | Currently unsupported
proc_exec | Required, Default | Used to start init(1M)
proc_fork | Required, Default | Used to start init(1M)
sys_mount | Required, Default | Needed to mount required file systems
sys_ip_config | Required, Default in exclusive-IP zones. Prohibited in shared-IP zones. | Required to boot zone and initialize IP networking in exclusive-IP zone
contract_event | Default | Used by contract file system
contract_observer | Default | Contract observation regardless of UID
file_chown | Default | File ownership changes
file_chown_self | Default | Owner/group changes for own files
file_dac_execute | Default | Execute access regardless of mode/ACL
file_dac_read | Default | Read access regardless of mode/ACL
file_dac_search | Default | Search access regardless of mode/ACL
file_dac_write | Default | Write access regardless of mode/ACL
file_link_any | Default | Link access regardless of owner
file_owner | Default | Other access regardless of owner
file_setid | Default | Permission changes for setid, setgid, setuid files
ipc_dac_read | Default | IPC read access regardless of mode
ipc_dac_owner | Default | IPC write access regardless of mode
ipc_owner | Default | IPC other access regardless of mode
net_icmpaccess | Default | ICMP packet access: ping(1M)
net_privaddr | Default | Binding to privileged ports
proc_audit | Default | Generation of audit records
proc_chroot | Default | Changing of root directory
proc_info | Default | Process examination
proc_lock_memory | Default | Locking memory; shmctl(2) and mlock(3C). If this privilege is assigned to a non-global zone by the system administrator, consider also setting the zone.max-locked-memory resource control to prevent the zone from locking all memory.
proc_owner | Default | Process control regardless of owner
proc_session | Default | Process control regardless of session
proc_setid | Default | Setting of user/group IDs at will
proc_taskid | Default | Assigning of task IDs to caller
sys_acct | Default | Management of accounting
sys_admin | Default | Simple system administration tasks
sys_audit | Default | Management of auditing
sys_nfs | Default | NFS client support
sys_resource | Default | Resource limit manipulation
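As an added example that is not part of this guide, the following POSIX shell function checks a proposed limitpriv value against the Optional, Required and Prohibited classification in Table 26-1, including the ip-type dependent status of sys_ip_config, so a misconfiguration is caught before the zone configuration is committed. It assumes the limitpriv value is a comma-separated list in which "default" names the default set and "!priv" removes a privilege from it; that syntax, and the function names, are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the guide): sanity-check a proposed zonecfg
# limitpriv value against Table 26-1 before committing it. The limitpriv
# syntax assumed here is a comma-separated list where "default" names the
# default set and "!priv" removes a privilege from the set.

PROHIBITED="dtrace_kernel proc_zone sys_config sys_devices sys_linkdir
            sys_net_config sys_res_config sys_suser_compat"
REQUIRED="proc_exec proc_fork sys_mount"

# in_list WORD "a b c": succeed if WORD is one of the space-separated words
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# check_limitpriv VALUE [shared|exclusive]: print one line per violation and
# return the number of violations (0 means the value passes the table's rules)
check_limitpriv() {
    iptype=${2:-shared}
    prohibited=$PROHIBITED
    required=$REQUIRED
    # sys_ip_config flips between required and prohibited with the ip-type
    if [ "$iptype" = exclusive ]; then
        required="$required sys_ip_config"
    else
        prohibited="$prohibited sys_ip_config"
    fi
    problems=0
    set -- $(printf '%s' "$1" | tr ',' ' ')      # split the value on commas
    for tok in "$@"; do
        case $tok in
            default) ;;                             # the default set is fine
            "!"*)
                p=${tok#!}
                if in_list "$p" "$required"; then
                    echo "ERROR: $p is required in a $iptype-IP zone"
                    problems=$((problems + 1))
                fi ;;
            *)
                if in_list "$tok" "$prohibited"; then
                    echo "ERROR: $tok is prohibited in a $iptype-IP zone"
                    problems=$((problems + 1))
                fi ;;
        esac
    done
    return $problems
}
```

Run it as `check_limitpriv "default,sys_time,!proc_fork" shared` and act on any ERROR lines; optional privileges such as sys_time pass, while removing a required privilege or adding a prohibited one is reported.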

The following table lists all of the Solaris Trusted Extensions privileges and the status of each privilege with respect to zones. Optional privileges are not part of the default set of privileges but can be specified through the limitpriv property.


Note - Trusted Solaris privileges are interpreted only if the system is configured with Trusted Extensions.


Table 26-2 Status of Solaris Trusted Extensions Privileges in Zones

Solaris Trusted Extensions Privilege | Status | Notes
--- | --- | ---
sys_trans_label | Optional | Translate labels not dominated by sensitivity label
win_colormap | Optional | Colormap restrictions override
win_config | Optional | Configure or destroy resources that are permanently retained by the X server
win_dac_read | Optional | Read from window resource not owned by client's user ID
win_dac_write | Optional | Write to or create window resource not owned by client's user ID
win_devices | Optional | Perform operations on input devices
win_dga | Optional | Use direct graphics access X protocol extensions; frame buffer privileges needed
win_downgrade_sl | Optional | Change sensitivity label of window resource to new label dominated by existing label
win_fontpath | Optional | Add an additional font path
win_mac_read | Optional | Read from window resource with a label that dominates the client's label
win_mac_write | Optional | Write to window resource with a label not equal to the client's label
win_selection | Optional | Request data moves without confirmer intervention
win_upgrade_sl | Optional | Change sensitivity label of window resource to a new label not dominated by existing label
net_bindmlp | Default | Allows binding to a multilevel port (MLP)
net_mac_aware | Default | Allows reading down through NFS

To alter privileges in a non-global zone configuration, see Configuring, Verifying, and Committing a Zone.

To inspect privilege sets, see Using the ppriv Utility. For more information about privileges, see the ppriv(1) man page and System Administration Guide: Security Services.
