How do group privileges work? Updated: 07/11/01
HP-UX 9.0 and later allows special attributes to be associated with
groups, which allows some superuser-like capabilities to be controlled by
defining which groups they are accessible from. In this way it becomes
possible to distribute superuser accessible commands to other users
without allowing them full access to all other superuser capabilities.
Implicitly, the super-user is a member of ALL groups.
This allows some (slight) relaxing of UNIX's 'all or nothing' approach to
distributing privileged capabilities. Privileged groups are an HP-UX-
specific feature.
Here is a list of group privileges available in various releases of
HP-UX,
along with a brief description of the system capabilities that they
control:
9.0 and later
=============
o PRIV_RTPRIO - can use rtprio() to set real-time priorities (see
rtprio(1) and rtprio(2))
o PRIV_MLOCK - can use plock() to lock process text and data into
memory, and the shmctl() SHM_LOCK function to lock
shared
memory segments (see plock(2) and shmctl(2))
o PRIV_CHOWN - can use chown() to change file ownerships (see chown(1)
and chown(2))
o PRIV_LOCKRDONLY - can use lockf() to set locks on files that are open
for reading only (see lockf(2))
o PRIV_SETRUGID - can use setuid() and setgid() to change,
respectively,
the real user ID and real group ID of a process (see
setuid(2) and setgid(2))
10.0 and later
==============
o PRIV_MPCTL - can use mpctl() to change the processor assignment,
locality domain assignment, or launch policy of another
process (see mpctl(2))
o PRIV_RTSCHED - can use sched_setparam() and sched_setscheduler() to
set POSIX.4 real-time priorities (see rtsched(1) and
rtsched(2))
o PRIV_SERIALIZE - can use serialize() to force the target process to
run serially with other processes that are also
marked by this system call (see serialize(1),
serialize(2))
11.0 and later
==============
o PRIV_SPUCTL - can use spuctl() (undocumented) to control SPU
allocation (see /usr/include/sys/spuctl.h)
11i and later
=============
o PRIV_FSSTHREAD - can use fss() (undocumented) to control fair share
scheduler (see /usr/include/sys/fss.h)
o PRIV_PSET - can use pset_*() (undocumented) to control processor set
(see /usr/include/sys/pset.h)
Group privileges can be granted to individual groups, or globally (ie -
to
all groups, and hence, all users).
Although this doesn't appear to be covered by any HP documentation, it
appears that users are assigned the group privileges associated with
their primary group ID, and of all secondary groups defined within file
/etc/logingroup.
By default, the setprivgrp command changes are no longer effective once
you reboot your system. However, you can execute the command
'/sbin/init.d/set_prvgrp start' to ensure that the privilege group
changes
are permanent. /sbin/init.d/set_prvgrp runs '/usr/sbin/setprivgrp -f
/etc/privgroup'. The /etc/privgrp file should contain one or more lines
in the following format:
groupname [privileges]
-g [privileges]
-n [privileges]
Each line in privgrp must end with a newline character. The syntax for
'groupname' and 'privileges' is described in the "Options and Arguments"
section of setprivgrp(1M).
If the /etc/privgrp is not found when the system boots, the PRIV_CHOWN
privilege is automatically enabled globally (as if '-g CHOWN' was
specified). Furthermore, by default, /etc/privgrp does NOT exist.
The group privilege feature is often used to secure the chown command,
which has the potential to be misused. The chown command may be used to
change the owner ID of a file (or files) to another specified owner. As
mentioned above, by default, PRIV_CHOWN is granted globally. Hence, the
chown command may be used by any user to assign ownership of their own
files to any other user, including root.
For example, HP-UX's disk-space accounting facility may be used to report
the total disk usage of all users. It's possible for users to conceal
their total disk usage by using the chown command to assign the ownership
of their own files to other users.
On BSD-derived UNIX implementations, chown usage is limited to super-
users only. By removing the global group privilege PRIV_CHOWN using the
setprivgrp command, it's also possible to close this loophole on HP-UX,
by limiting usage of the chown command to users who are members of
specified groups only. This can be achieved as follows:
# echo "-n CHOWN" >>/etc/privgrp
# /sbin/init.d/set_prvgrp start
HP-UX documentation recommends that you not rely on the privileged group
mechanism to restrict access to the setuid and setgid system calls.
They do not guarantee that group privileges will be supported by future
releases of HP-UX.
For more information, see getprivgrp(1), setprivgrp(1M), getprivgrp(2),
setprivgrp(2), and privgrp(4).
| Home | FAQ |
XML Feeds