Trusted Solaris Operating System - Technical FAQs

Question

I added privileges to a program in a rights profile, but the privileges are still not available when I execute the program in the profile shell. Why?

Answer

The most likely cause is that the program's executable file does not have the allowed privileges it needs. Just as a program cannot be executed if its file lacks execute permission, a program cannot inherit any privileges if its file does not have allowed privileges.

Adding privileges is a two-step process:

  1. The security administrator uses the user Rights tool (or, in previous releases, the Profile Manager) to assign the command to a profile and to assign inheritable privileges to the command.
  2. The security administrator role assigns the same allowed privileges to the executable file for the command.

Procedure

  1. Assume an administrative role that has the set file privileges authorization (the "secadmin" role in the default configuration).
  2. In the File Manager, go to the directory where the executable file resides, and use the Privileges option in the Selected menu to set the allowed privileges.
    OR
  3. Use the getfpriv/setfpriv(1TSOL) commands on the command line.

    The example shows the allowed privilege file_dac_read being set on the program file "sgreg".

    # getfpriv sgreg
    sgreg FORCED: none ALLOWED: none
    # /usr/bin/setfpriv -s -a file_dac_read sgreg
    # getfpriv sgreg
    sgreg FORCED: none ALLOWED: file_dac_read
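
The following is an added example, not part of the original FAQ or of Trusted Solaris: a shell helper that reads one line of getfpriv output in the format shown above and lists the privileges assigned in the profile that the file's ALLOWED set lacks. The wanted-privilege list, the comma-separated form for multiple privileges, and the "all" keyword are assumptions; the input lines are constructed from the session above.

```shell
#!/bin/sh
# Added example: find profile-assigned privileges that the executable's
# ALLOWED set does not contain (these cannot be inherited at exec time).

# allowed_set LINE
#   Prints the value that follows "ALLOWED:" in one line of getfpriv output.
allowed_set() {
    printf '%s\n' "$1" |
        sed -n 's/.*ALLOWED:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# missing_allowed LINE WANTED
#   LINE    one line of getfpriv output
#   WANTED  comma-separated privileges assigned to the command in the profile
#   Prints the WANTED privileges absent from ALLOWED, comma-separated.
#   Assumptions: multiple privileges are comma-separated; "all" means every
#   privilege; "none" or an unparsable line means nothing is allowed.
missing_allowed() {
    allowed=$(allowed_set "$1")
    if [ "$allowed" = "all" ]; then
        return 0
    fi
    missing=""
    old_ifs=$IFS
    IFS=,
    for want in $2; do
        case ",$allowed," in
            *",$want,"*) ;;                              # present in ALLOWED
            *) missing="${missing:+$missing,}$want" ;;   # would be dropped
        esac
    done
    IFS=$old_ifs
    printf '%s' "$missing"
}

# Constructed inputs: the two getfpriv lines from the session above and a
# hypothetical profile entry that assigns two privileges to sgreg.
before='sgreg FORCED: none ALLOWED: none'
after='sgreg FORCED: none ALLOWED: file_dac_read'
wanted='file_dac_read,file_dac_search'

for line in "$before" "$after"; do
    m=$(missing_allowed "$line" "$wanted")
    echo "${line%% *}: missing from ALLOWED: ${m:-nothing}"
done
```

On a live system the LINE argument would come from running getfpriv on the executable as a role that is permitted to read file privileges.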

Applies to Trusted Solaris Release:

2.5, 2.5.1, 7, 8