.TH PRIV 1
.CT 1 sa_nonmortals secur
.SH NAME
priv, privedit \- run a command with privileges
.SH SYNOPSIS
.B priv
[
.I option ...
] [
.I command
.I arg ...
]
.PP
.B priv privedit
.I node
.I changes
.SH DESCRIPTION
If a
.I command
is given,
.I priv
determines from the
.IR privs (5)
file the most specifically matching
.B REQUEST
for which the process has all the
.B NEEDS
and to which it has
.BR ACCESS 
(terminology explained in
.IR privs (5)).
If a unique most specific match is found, 
.I priv
asks for confirmation.
Then, if the confirmation is 
.LR y ,
the request is executed.
Privileges and process ceiling are set according to
the pertinent entry in
.FR /etc/privs 
and the current directory is set to a place with
security label
.BR L_NO ;
see 
.IR getflab (2).
Thus relative pathnames won't work in the
.I command
until it executes
.IR chdir (2).
.PP
If no command is given, the contents of the 
.I privs
file are printed on the standard output.
.PP
The options are
.TP 
.B -n
Determine and report authorization and actions.
Do not execute them except, if
.B PRIVEDIT 
is requested, place the edited privilege 
file on the standard output.
.TP
.BI -f " servfile
Use
.I servfile
instead of
.FR /cs/priv ,
to use a non-standard privilege server.
.PP
One request is more specific than another
if the regular language for each argument
of the first request is contained in the corresponding 
language for the second request,
and at least one containment is proper.
.PP
The standard error and standard input are used for confirmations.
Both must come from the same trusted source, either a pexable
stream with a stream identifier, or a pipe from a trusted
process; see
.IR pex (4)
and
.IR stream (4).
.PP
.I Privedit
applies to the
.I privs
file the modifications given in the
.I changes
file.
Only the part of the authorization tree rooted at the given
.I node
may be changed.
The form of
.I changes
is described in
.IR privs (5).
The changes are echoed and confirmation is requested.
.RI ( Privedit,
like any other
.I command,
is a conventional token defined by the
.I privs
file; it is not built in.)
.PP
.I Priv
clears the environment to prevent hidden corruption
by untrusted processes.
For the same reason it asks confirmation of the argument list.
What you see is what it will do.
.PP
The real work of
.I priv
is done by 
.IR privserv (8).
.I Priv
communicates with
.I privserv
via a pipe that the latter mounts on
.BR /cs/priv . 
.SH FILES
.F /etc/privs
.br
.F /cs/priv
.SH SEE ALSO
.IR privs (5),
.IR privserv (8),
.IR session (1)
.SH DIAGNOSTICS
If a
.I command 
is performed,
.I priv
returns the result of the last constituent action; see
.IR privs (5).
.SH BUGS
Trailing null
.I args
are deleted.
.br
The standard input and standard error cannot freely be redirected.
.br
It is possible for a password to be demanded twice.
This would be mitigated if requests were assessed in
decreasing order of specificity instead of table order.
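.PP
The specificity rule from DESCRIPTION, which is also the ordering the last BUGS entry asks for, as an added Python example that is not part of the original manual or of priv itself. The pattern ASTs, the alphabet argument sigma, all function names, and the reading of "unique most specific" as the single request that no other request beats are assumptions of this example.

```python
# Added example. Patterns are ASTs built with lit/cat/alt/star (an assumed
# form, not privs(5) syntax); containment is decided with Brzozowski derivatives.
from functools import reduce

NUL, EPS = ("nul",), ("eps",)             # empty language, empty string
def lit(c): return ("chr", c)
def star(r): return r if r[0] == "star" else ("star", r)
def cat(r, s):
    if NUL in (r, s): return NUL
    return s if r == EPS else r if s == EPS else ("cat", r, s)
def alt(r, s):                            # flattened set keeps derivatives finite
    parts = set()
    for x in (r, s):
        parts |= x[1] if x[0] == "alt" else {x} - {NUL}
    return next(iter(parts), NUL) if len(parts) < 2 else ("alt", frozenset(parts))

def nullable(r):                          # does the language contain ""?
    if r[0] == "cat": return nullable(r[1]) and nullable(r[2])
    if r[0] == "alt": return any(nullable(x) for x in r[1])
    return r[0] in ("eps", "star")
def deriv(r, c):                          # what may follow after reading c
    if r[0] == "chr": return EPS if r[1] == c else NUL
    if r[0] == "star": return cat(deriv(r[1], c), r)
    if r[0] == "cat":
        d = cat(deriv(r[1], c), r[2])
        return alt(d, deriv(r[2], c)) if nullable(r[1]) else d
    if r[0] == "alt": return reduce(alt, (deriv(x, c) for x in r[1]), NUL)
    return NUL                            # nul and eps

def contained(a, b, sigma):               # is L(a) a subset of L(b)?
    seen, todo = set(), [(a, b)]
    while todo:
        x, y = todo.pop()
        if x == NUL or (x, y) in seen: continue
        seen.add((x, y))
        if nullable(x) and not nullable(y): return False  # a word of a not in b
        todo += [(deriv(x, c), deriv(y, c)) for c in sigma]
    return True
def more_specific(r1, r2, sigma):         # each argument contained, one properly
    sub = len(r1) == len(r2) and all(contained(a, b, sigma) for a, b in zip(r1, r2))
    return sub and any(not contained(b, a, sigma) for a, b in zip(r1, r2))
def most_specific(reqs, sigma):           # the one undominated request, else None
    best = [r for r in reqs if not any(more_specific(o, r, sigma) for o in reqs)]
    return best[0] if len(best) == 1 else None

# Constructed sample requests over the alphabet "mab": (command, argument).
ANY = star(alt(lit("a"), lit("b")))
GENERAL = (lit("m"), ANY)                 # m with any argument
NARROW = (lit("m"), cat(lit("a"), ANY))   # argument starts with a
OTHER = (lit("m"), cat(ANY, lit("b")))    # argument ends with b
```

NARROW and OTHER are each more specific than GENERAL but incomparable with each other, so a table holding all three has no unique most specific match for an argument such as "ab".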