PPRIV(1)                         User Commands                        PPRIV(1)

NAME
     ppriv - inspect or modify process privilege sets and attributes

SYNOPSIS
     ppriv -e [-f {+-}{ADMPX}] [-s spec] command [arg...]

     ppriv [-vS] [-f {+-}{ADMPX}] [-s spec] {pid | core}

     ppriv -l [-v] [privilege-specification]
DESCRIPTION
     The first invocation of ppriv runs the specified command with its
     privilege sets and flags modified according to the arguments on the
     command line. The second invocation examines or changes the privilege
     state of running processes and core files. The third invocation lists
     the privileges defined and information about specified privileges or
     privilege set specifications.
OPTIONS
     The following options are supported:

     -D
         Turns on privilege debugging for the processes or command supplied.
         Equivalent to -f +D.

     -e
         Interprets the remainder of the arguments as a command line and runs
         it with the specified privilege attributes and sets.

     -f {+-}{ADMPX}
         Sets (+) or clears (-) the named process flags. See setpflags(2) for
         more information on these flags.

     -l
         Lists all currently defined privileges on stdout.

     -M
         Turns on the NET_MAC_AWARE and NET_MAC_AWARE_INHERIT process flags.
         Equivalent to -f +M. A process with these attributes and the
         net_mac_aware privilege can communicate with lower-level remote
         peers.

     -N
         Turns off privilege debugging for the processes or command supplied.
         Equivalent to -f -D.

     -P
         Turns on the PRIV_PFEXEC process flag. Equivalent to -f +P.

     -s spec
         Modifies the process privilege sets according to spec, a
         specification of the form [AEILP][+-=]privsetspec, containing no
         spaces, where:

         AEILP         Indicates one or more of the process privilege sets to
                       modify. a or A indicates all privilege sets.

         +-=           Adds (+), removes (-), or assigns (=) the listed
                       privileges to the specified set(s).

         privsetspec   A comma-separated privilege set specification (see
                       priv_str_to_set(3C)).

         Modifying the same set with multiple -s options is possible as long
         as there is either precisely one assignment to an individual set or
         any number of additions and removals. That is, assignment and
         addition or removal for one set are mutually exclusive.

     -S
         Short. Reports the shortest possible output strings for sets. The
         default is portable output. See priv_str_to_set(3C).

     -v
         Verbose. Reports privilege sets using privilege names.

     -x
         Turns on the PRIV_XPOLICY process flag. Equivalent to -f +X.
USAGE
     The ppriv utility examines processes and core files and prints or
     changes their privilege sets. ppriv can run commands with privilege
     debugging on or off, or with fewer privileges than the invoking process.
     When executing a subprocess, the only sets that can be modified are L
     and I. Privileges can only be removed from L and I, because ppriv
     starts with P=E=I.

     ppriv can also be used to remove privileges from processes or to convey
     privileges to other processes. In order to control a process, the
     effective set of the ppriv utility must be a superset of the controlled
     process's E, I, and P. The utility's limit set must be a superset of the
     target's limit set. If the target process's uids do not match those of
     the utility, the {PRIV_PROC_OWNER} privilege must be asserted in the
     utility's effective set. If the controlled process has any uid with the
     value 0, more restrictions might exist. See privileges(5).
EXAMPLES
     Example 1 Obtaining the Process Privileges of the Current Shell

     The following example obtains the process privileges of the current
     shell:

         $ ppriv $$
         387:    -sh
         flags = <none>
                 E: basic
                 I: basic
                 P: basic
                 L: all
     Example 2 Removing a Privilege From Your Shell's Inheritable and
     Effective Set

     The following example removes a privilege from your shell's inheritable
     and effective set:

         $ ppriv -s EI-proc_session $$

     A subprocess can still inspect the parent shell, but it can no longer
     influence the parent, because the parent has more privileges in its
     Permitted set than the child process started by the shell:

         $ truss -p $$
         truss: permission denied: 387
         $ ppriv $$
         387:    -sh
         flags = <none>
                 E: basic,!proc_session
                 I: basic,!proc_session
                 P: basic
                 L: all
     Example 3 Running a Process with Privilege Debugging

     The following example runs a process with privilege debugging:

         $ ppriv -e -D cat /etc/shadow
         cat[23505]: missing privilege "file_dac_read" (euid = 100, syscall = 225)
             needed at zfs_zaccess+0x176
         cat: cannot open /etc/shadow: Permission denied

     The privilege debugging error messages are sent to the controlling
     terminal of the current process. The "needed at" address is an artifact
     of the kernel implementation and can change after any software update;
     do not depend on it. The system call number can be mapped to a system
     call name using /etc/name_to_sysnum.
     Example 4 Listing the Privileges Available in the Current Zone

     The following example lists the privileges available in the current
     zone (see zones(5)). When run in the global zone, all defined privileges
     are listed:

         $ ppriv -l zone
         ... listing of all privileges elided ...
     Example 5 Examining a Privilege Aware Process

     The following example examines a privilege aware process:

         $ ppriv -S `pgrep rpcbind`
         928:    /usr/sbin/rpcbind
         flags = PRIV_AWARE
                 E: net_privaddr,proc_fork,sys_nfs
                 I: none
                 P: net_privaddr,proc_fork,sys_nfs
                 L: none

     See setpflags(2) for explanations of the flags.
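     The set arithmetic and rules given under -s and USAGE, together with
     the per-process report format shown in Examples 1, 2 and 5, modelled in
     Python. This is an added example and not code from ppriv or illumos;
     the members of BASIC and ALL_PRIVS are assumptions (the real lists come
     from ppriv -l on the target system), and the extra restrictions the
     page mentions for uid 0 targets are not modelled. The sample reports
     are transcribed from the examples above.

```python
"""Model of the privilege-set handling documented for ppriv(1).

Added example, not ppriv's own code.  Parses the report ppriv prints for a
process, resolves set strings such as "basic,!proc_session", applies -s
specifications under the documented combination rule, and evaluates the
USAGE rule for controlling another process.
"""
import re

# Assumption: members of the "basic" set; the real list is site-specific.
BASIC = frozenset({"file_link_any", "file_read", "file_write", "net_access",
                   "proc_exec", "proc_fork", "proc_info", "proc_session"})
# Assumption: a small stand-in for "all" (really the output of ppriv -l).
ALL_PRIVS = BASIC | {"file_dac_read", "net_privaddr", "proc_owner", "sys_nfs"}
SETS = "EIPL"


def parse_privset(text):
    """Resolve a set string left to right; a leading '!' removes the token."""
    result = set()
    for tok in text.split(","):
        tok = tok.strip()
        negate = tok.startswith("!")
        name = tok[1:] if negate else tok
        members = ({"none": set(), "basic": set(BASIC), "all": set(ALL_PRIVS)}
                   .get(name, {name}))
        result = result - members if negate else result | members
    return frozenset(result)


_HEAD = re.compile(r"(\d+):\s+(.+?)\s+flags\s*=\s*(\S+)")
_SET = re.compile(r"\b([EIPL]):\s+(\S+)")


def parse_ppriv_report(text):
    """Parse one process report into pid, command, flags and E/I/P/L sets."""
    head = _HEAD.search(text)
    if head is None:
        raise ValueError("not a ppriv report: " + text)
    sets = {name: parse_privset(val) for name, val in _SET.findall(text)}
    missing = [s for s in SETS if s not in sets]
    if missing:
        raise ValueError("report lacks sets " + ",".join(missing))
    return {"pid": int(head.group(1)), "cmd": head.group(2),
            "flags": head.group(3), "sets": sets}


_SPEC = re.compile(r"^([aAEILP]+)([+\-=])(\S+)$")


def parse_spec(spec):
    """Split a -s argument [AEILP][+-=]privsetspec into (set, op, privs)."""
    m = _SPEC.match(spec)
    if m is None:
        raise ValueError("malformed -s spec: " + spec)
    letters, op, privs = m.groups()
    targets = SETS if "a" in letters.lower() else "".join(dict.fromkeys(letters))
    return [(s, op, parse_privset(privs)) for s in targets]


def apply_specs(sets, specs, exec_mode=False):
    """Apply -s specs to an {E,I,P,L} dict.  Per set, either exactly one
    assignment or any number of additions/removals; with -e (exec_mode)
    only L and I may change, and only by removal, since ppriv starts P=E=I."""
    ops = {s: [] for s in SETS}
    for spec in specs:
        for s, op, privs in parse_spec(spec):
            ops[s].append((op, privs))
    new = dict(sets)
    for s, oplist in ops.items():
        if any(op == "=" for op, _ in oplist) and len(oplist) > 1:
            raise ValueError(s + ": assignment excludes other changes to the set")
        for op, privs in oplist:
            if exec_mode and (s not in "LI" or op != "-"):
                raise ValueError(s + op + ": -e allows only removal from L and I")
            new[s] = privs if op == "=" else (new[s] | privs if op == "+"
                                              else new[s] - privs)
    return new


def can_control(controller, target, same_uid):
    """USAGE rule: controller E must cover target E, I and P; controller L
    must cover target L; differing uids also need proc_owner in E.
    Extra restrictions for uid 0 targets are not modelled."""
    c, t = controller["sets"], target["sets"]
    if not (t["E"] | t["I"] | t["P"]) <= c["E"] or not t["L"] <= c["L"]:
        return False
    return same_uid or "proc_owner" in c["E"]


# Constructed sample reports, transcribed from Examples 1, 2 and 5.
SHELL = "387: -sh flags = <none> E: basic I: basic P: basic L: all"
SHELL_AFTER = ("387: -sh flags = <none> E: basic,!proc_session "
               "I: basic,!proc_session P: basic L: all")
RPCBIND = ("928: /usr/sbin/rpcbind flags = PRIV_AWARE "
           "E: net_privaddr,proc_fork,sys_nfs I: none "
           "P: net_privaddr,proc_fork,sys_nfs L: none")


def demo():
    """Replay Example 2: the child inherits I as E and P, so it cannot
    control the shell, whose P still holds proc_session.  Returns False."""
    after = apply_specs(parse_ppriv_report(SHELL)["sets"], ["EI-proc_session"])
    assert after == parse_ppriv_report(SHELL_AFTER)["sets"]
    child = {"sets": {"E": after["I"], "I": after["I"], "P": after["I"],
                      "L": after["L"]}}
    return can_control(child, {"sets": after}, same_uid=True)


if __name__ == "__main__":
    print("child can control parent:", demo())
```

     The model is deliberately strict about -e: the page says only L and I
     can be modified there, and only by removal, so any other spec raises
     rather than being silently ignored.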
INTERFACE STABILITY
     The ppriv invocation is Committed. The output of ppriv is
     Not-An-Interface and may change at any time.

OmniOS                           March 4, 2022                        PPRIV(1)