User Commands ppriv(1)
NAME
ppriv - inspect or modify process privilege sets and attributes
SYNOPSIS
/usr/bin/ppriv -e [-D | -N] [-s spec] command [arg...]
/usr/bin/ppriv [-v] [-S] [-D | -N] [-s spec] [pid | core]
...
/usr/bin/ppriv -l [-v] [privilege-specification...]
DESCRIPTION
The first invocation of the ppriv command runs the command
specified with the privilege sets and flags modified according
to the arguments on the command line.
The second invocation examines or changes the privilege
state of running processes and core files.
The third invocation lists the privileges defined and information
about specified privileges or privilege set specifications.
OPTIONS
The following options are supported:
-D Turns on privilege debugging for the processes or
command supplied.
-e Interprets the remainder of the arguments as a command
line and runs the command line with specified
privilege attributes and sets.
-l Lists all currently defined privileges on stdout.
-N Turns off privilege debugging for the processes or
command supplied.
-s spec Modifies a process's privilege sets according to
spec, a specification with the format
[AEILP][+-=]privsetspec, containing no spaces, where:
SunOS 5.10 Last change: 15 Mar 2005 1
AEILP Indicates one or more letters indicating
which privilege sets to change. These are
case insensitive, for example, either a or A
indicates all privilege sets.
+-= Indicates a modifier to respectively
add (+), remove (-), or assign (=) the
listed privileges to the specified set(s)
in privsetspec.
privsetspec Indicates a comma-separated
privilege set specification
(priv1,priv2, and so on), as
described in priv_str_to_set(3C).
Modifying the same set with multiple -s options is
possible as long as there is either precisely one
assignment to an individual set or any number of
additions and removals. That is, assignment and
addition or removal for one set are mutually
exclusive.
-S Short. Reports the shortest possible output strings
for sets. The default is portable output. See
priv_str_to_set(3C).
-v Verbose. Reports privilege sets using privilege
names.
USAGE
The ppriv utility examines processes and core files and
prints or changes their privilege sets.
ppriv can run commands with privilege debugging on or off or
with fewer privileges than the invoking process.
When executing a sub process, the only sets that can be
modified are L and I. Privileges can only be removed from L
and I as ppriv starts with P=E=I.
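An added example, not part of the original manual page or of ppriv itself: a Python validator that applies the -s rules stated under OPTIONS (spec format, and per set either one assignment or any number of additions and removals) together with the restriction above that only L and I can be modified with -e. The function names and the exec_mode parameter are assumptions made for this example; privilege names are not checked.

```python
import re

ALL_SETS = ("E", "I", "L", "P")
# [AEILP][+-=]privsetspec, no spaces, set letters case insensitive.
SPEC_RE = re.compile(r"([AEILPaeilp]+)([+\-=])(\S+)")


def parse_spec(spec):
    """Split one -s argument into (set letters, modifier, privilege list)."""
    m = SPEC_RE.fullmatch(spec)
    if m is None:
        raise ValueError(f"{spec}: not of the form [AEILP][+-=]privsetspec")
    letters, op, privsetspec = m.groups()
    privs = privsetspec.split(",")
    if "" in privs:
        raise ValueError(f"{spec}: empty entry in privilege list")
    letters = letters.upper()
    # 'A' stands for all privilege sets.
    sets = set(ALL_SETS) if "A" in letters else set(letters)
    return sets, op, privs


def validate(specs, exec_mode=False):
    """Return a list of rule violations for a sequence of -s arguments.

    exec_mode=True models 'ppriv -e', where only L and I may be modified.
    """
    errors = []
    seen = {}  # set letter -> "=" (assigned) or "+-" (added to/removed from)
    for spec in specs:
        try:
            sets, op, _privs = parse_spec(spec)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        kind = "=" if op == "=" else "+-"
        for s in sorted(sets):
            if exec_mode and s not in ("I", "L"):
                errors.append(f"{spec}: set {s} cannot be modified with -e")
            prev = seen.get(s)
            # Per set: exactly one assignment, or any number of +/- changes.
            if prev is not None and "=" in (prev, kind):
                errors.append(f"{spec}: set {s} mixes an assignment with another change")
            seen[s] = "=" if "=" in (prev, kind) else "+-"
    return errors
```

An empty list from validate() means the given -s arguments are consistent with the rules as stated on this page; it does not guarantee that ppriv or the kernel will accept them.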
ppriv can also be used to remove privileges from processes
or to convey privileges to other processes. In order to control
a process, the effective set of the ppriv utility must
be a super set of the controlled process's E, I, and P. The
utility's limit set must be a super set of the target's
limit set. If the target's process uids do not match, the
{PRIV_PROC_OWNER} privilege must be asserted in the
utility's effective set. If the controlled processes have
any uid with the value 0, more restrictions may exist. See
privileges(5).
EXAMPLES
Example 1: Obtaining the Process Privileges of the Current
Shell
example$ ppriv $$
387: -sh
flags = <none>
E: basic
I: basic
P: basic
L: all
Example 2: Removing a Privilege From Your Shell's Inheritable
and Effective set
example$ ppriv -s EI-proc_session $$
The subprocess can still inspect the parent shell but it can
no longer influence the parent because the parent has more
privileges in its Permitted set than the ppriv child process:
example$ truss -p $$
truss: permission denied: 387
example$ ppriv $$
387: -sh
flags = <none>
E: basic,!proc_session
I: basic,!proc_session
P: basic
L: all
Example 3: Running a Process with Privilege Debugging
example$ ppriv -e -D cat /etc/shadow
cat[418]: missing privilege "file_dac_read" (euid = 21782),
needed at ufs_access+0x3c
cat: cannot open /etc/shadow
The privilege debugging error messages are sent to the controlling
terminal of the current process. The "needed at"
address specification is an artifact of the kernel implementation
and it can be changed at any time after a software
update.
The system call number can be mapped to a system call using
/etc/name_to_sysnum.
Example 4: Listing the Privileges Available in the Current
Zone
This example lists the privileges available in the current
zone (see zones(5)). When run in the global zone, all
defined privileges are listed.
example$ ppriv -l zone
... listing of all privileges elided ...
Example 5: Examining a Privilege Aware Process
The following example examines a privilege aware process:
example$ ppriv -S `pgrep rpcbind`
928: /usr/sbin/rpcbind
flags = PRIV_AWARE
E: net_privaddr,proc_fork,sys_nfs
I: none
P: net_privaddr,proc_fork,sys_nfs
L: none
See setpflags(2) for explanations of the flags.
EXIT STATUS
The following exit values are returned:
0 Successful operation.
non-zero An error has occurred.
FILES
/proc/* Process files
/etc/name_to_sysnum system call name to number mapping
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWesu |
|_____________________________|_____________________________|
| Interface Stability | See below. |
|_____________________________|_____________________________|
The invocation is Evolving. The output is Unstable.
SEE ALSO
gcore(1), truss(1), setpflags(2), priv_str_to_set(3C),
proc(4), attributes(5), privileges(5), zones(5)