1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
|
.TH PRIVS 5
.SH NAME
privs \- privilege file
.SH DESCRIPTION
The file
.F /etc/privs
expresses the rules whereby
.IR priv (1)
grants privilege.
It consists of a list of statements,
each terminated by a semicolon.
One or more comments, each extending from
.L #
to newline, may precede each statement.
.SS Rights
Rights are defined thus:
.IP
.BI DEFINE " rights-list" ;
.LP
Each right in the comma-separated rights-list
has a name, and optionally a parenthesized parameter type.
The types are
.TP
.B LAB
Label, ordered by lattice value.
.TP
.B RE
Regular expression ordered by language inclusion.
Regular expressions are in the form of
.IR regexp (3),
with enclosing
.L ^(
and
.L )$
understood.
.TP
.B PRIV
Set of privileges in
.I atopriv
form, ordered by inclusion; see
.IR labtoa (3).
.LP
Examples:
.IP
.L
DEFINE ceiling(LAB), filename(RE), privinstall;
.PP
Rights are identifiers
used solely by
.IR priv ;
they have no other manifestation in the system.
In the example, the
.L ceiling
right involves label comparisons, but has no necessary
connection to process ceilings.
The name could be changed globally to, say,
.L floor
without affecting the interpretation of
.FR /etc/privs .
.SS Authorization
Authorization is expressed by a tree.
Nodes of the authorization tree are named, like
files in the file system, by full pathnames starting
from the root,
.LR / .
Associated with each node are statements to grant rights,
and statements to admit access to the node.
Rights are monotone in the tree:
the rights at a node must be a subset of the rights at its
parent.
Access to a node implies access to its children.
.PP
Right-granting statements have the form
.IP
.BI RIGHTS " nodename rights-list" ;
.LP
A
.I rights-list
is as in a rights
definition, but with explicit values for parameters.
White space or one of the metacharacters
.L ;,()
may be included in a value by placing double
quotes around it.
Examples:
.IP
.EX
.ta \w'RIGHTS 'u +\w'/admin/operations 'u
RIGHTS /admin priv(upxnl), ceiling(ffff...);
RIGHTS /admin/security priv(p), ceiling("ffff ...");
RIGHTS /admin/operations priv(xn)
.EE
.DT
.PP
Access statements have the form
.IP
.BI ACCESS " nodename pred-list" ;
.LP
Access to the named node is granted when the comma-separated
.I pred-list
is nonempty and all the predicates in the list are satisfied.
A node may have more than one
.B ACCESS
statement.
Legal predicates are
.TP
.BI ID( lognames )
A regular expression for login names
that have access to this node.
.TP
.BI PW( name\ ... )
The password associated with one of the
.I names
in
.IR pwfile (5)
must be presented.
.TP
.BI SRC( source )
A regular expression for the stream identifier of
the standard input.
.SS Rules
Rules give patterns for
requests and show the prerequisite rights for
and the actions to carry out each request:
.IP
.BI REQUEST( arguments ") NEEDS" " rights " DOES " actions \fB;"
.LP
The request part shows
.I arguments
supplied to
.IR priv (1);
normally the arguments spell out the prefix of a
.SM UNIX
command.
The
.B NEEDS
part tells what rights are needed to perform the request.
The rights are as in a rights statement, with substituted parameters;
see `Parameter values'.
.PP
If the process has access to a node that grants
the needed rights (with the parameter in each grant dominating
the parameter of the corresponding need), then the
.I actions
for the request are performed.
Otherwise the request is denied.
Legal actions are
.TP
.B PRIV(gunxlp)
Set one or more process licenses, abbreviated as in
.IR labtoa (3).
.TP
.BI EXEC( args )
Execute a program given by the
.I args.
Members of the
.I args
list are separated by white space and may specify
substitutions; see `Parameter values'.
.B EXEC
does not do a
.IR sh (1)-like
.B $PATH
search.
.TP
.BI DAEMON( args )
Same as
.BR EXEC ,
but do not wait for the command to complete.
.TP
.BI CEILING( label )
Set the process ceiling.
.TP
.BI PRIVEDIT( "node file" )
Read editing commands from the named
.IR file .
Only the subtree at
.I node
is editable; nodes closer to the root cannot be touched.
.TP
.B ANYSRC
Skip the normal check for a trusted source; see
.IR priv (1).
.PP
The order in which nodes of the authorization tree are
visited in evaluating a
.B NEEDS
clause is undefined, however at each node the predicates of the
request are evaluated in order.
The actions of a granted request are also performed in order,
with effects such as privilege settings persisting
until the end of the
.I priv
command or until overridden by a later action.
.SS Parameter values
Parameter values appear in members of
.B NEEDS
and
.B DOES
lists.
A value may be surrounded by double quotes, in which case the
value may contain white space or one of the metacharacters
.LR ,;() .
A value may contain substitution marks,
.BR $0 ,
.BR $1 ,
\&...
Each such mark is replaced from the
.I priv
invocation,
.B $0
standing for the match to the first
.I argument
of the
.B REQUEST
and so on.
If a star is appended to the mark (e.g.
.BR $0* ,
.BR $1* ),
the argument and all following ones are copied
into the parameter list.
Nothing can follow a star mark in a parameter.
.SS Editing
Statements of the above forms may be used with action
.B PRIVEDIT
to augment a
.I privs
file.
Further types of statements exist for editing only:
.TP
.BI RMDEFINE " rights-list " ;
Remove all occurrences of the listed rights from the file.
.TP
.BI RMACCESS " nodename pred-list " ;
.PD 0
.TP
.BI RMRIGHTS " nodename rights-list " ;
Remove the given access list or the given rights
from the named node.
If the list is empty, remove all access lists or rights.
.PD
.TP
.BI RMREQUEST( arguments ) ;
Remove the
.B REQUEST
with identical
.I arguments.
.TP
.BI RMNODE " path-list" ;
Remove the listed subtrees.
.PP
.BR DEFINE ,
.BR RMDEFINE ,
.BR REQUEST ,
and
.BR RMREQUEST
are understood to modify the root.
.SH EXAMPLES
.EX
REQUEST(session -l)
NEEDS ceiling($2)
DOES PRIV(nx) EXEC(/bin/session -l $2);
REQUEST(/etc/downgrade -l)
NEEDS downgrade($2)
DOES PRIV(nx) EXEC($*);
.EE
.SH FILES
.F /etc/privs
.SH SEE ALSO
.IR priv (1),
.IR privserv (8)
.SH BUGS
There is no way to quote a newline or an initial
double quote in parameters.
.br
If an
.B ACCESS
or
.B RMACCESS
statement contains duplicate predicates,
.B RMACCESS
may remove an unintended list.
|
