Directory and file management

Manipulating process privileges

Use the procpriv system call to add, put, remove, retrieve, or count privileges associated with the calling process. This system call has five command types:

    SETPRV   add the indicated privileges to the working and/or maximum sets of the process
    PUTPRV   replace the current working and maximum sets with the indicated privileges
    CLRPRV   remove the indicated privileges from the working and/or maximum sets
    GETPRV   retrieve the privileges associated with the process
    CNTPRV   count the privileges associated with the process

"Adding and clearing process privileges" shows a code fragment that does a setuid and uses procpriv to set and clear the appropriate privilege as needed.

    #include <stdio.h>
    #include <stdlib.h>
    #include <unistd.h>
    #include <priv.h>

    priv_t privd[2];
    int uid;                /* target user id, initialized elsewhere */

    privd[0] = pm_work(P_SETUID);
    privd[1] = pm_max(P_SETUID);

    /*
     * Add P_SETUID to the working set of the current process. P_SETUID
     * must be in the maximum set for this to succeed.
     */
    if (procpriv(SETPRV, privd, 1) == -1) {
        /* It failed, so display error and exit. */
        perror("procpriv SETPRV error");
        exit(1);
    }

    /*
     * Change to user id "uid" (previously initialized).
     */
    if (setuid(uid) == -1) {
        /*
         * It failed, perhaps P_SETUID wasn't in our maximum
         * set. Display error and exit.
         */
        perror("setuid error");
        exit(1);
    }

    /*
     * We don't need P_SETUID any more, so remove it from the working
     * and maximum sets.
     */
    if (procpriv(CLRPRV, privd, 2) == -1) {
        /* It failed, so display error and exit. */
        perror("procpriv CLRPRV error");
        exit(1);
    }

Adding and clearing process privileges

The first call to procpriv sets the P_SETUID privilege in the process's working set. Note that the count of 1 in the system call indicates that only one (the first) element of the array privd is to be used. Once the privilege is in the working set, setuid is called. Since P_SETUID will not be required by the program any more, procpriv is again called, this time with the CLRPRV command.

Note in this case that the count of 2 indicates that both elements of array privd are to be used, thus removing the privilege from both the maximum and working sets. Note that if the privilege had only been removed from the maximum set, the system would also have removed it from the working set, since the working set must be a subset of the maximum set; that is, the working set cannot contain privileges which are not in the maximum set.

Use the PUTPRV command for procpriv similarly to SETPRV, but remember that the setting is absolute, that is, the indicated privileges replace both the current working and maximum sets. The privileges you request must exist in the current maximum set.

"Setting process privileges using PUTPRV" shows a code fragment that uses the PUTPRV command to set the maximum and working sets.

    #include <stdio.h>
    #include <stdlib.h>
    #include <priv.h>

    priv_t privd[2];

    privd[0] = pm_max(P_SETUID);

    /*
     * Set the maximum set to P_SETUID. The working set is empty since
     * it is not set here.
     */
    if (procpriv(PUTPRV, privd, 1) == -1) {
        /* It failed, so display error and exit. */
        perror("procpriv PUTPRV error");
        exit(1);
    }

Setting process privileges using PUTPRV

In this example, the privilege descriptor is set to P_SETUID in the maximum set. If P_SETUID is already in the maximum set, procpriv causes the new maximum set to contain only P_SETUID. The new working set will be empty, since no privileges are defined for it.

The GETPRV and CNTPRV commands work in a manner similar to their counterparts in the filepriv system call. "Retrieving process privileges" shows a code fragment that will retrieve the privileges associated with a process.

    #include <stdio.h>
    #include <stdlib.h>
    #include <priv.h>

    priv_t *privp;
    int cnt;

    /*
     * Determine the number of privileges for this process.
     */
    if ((cnt = procpriv(CNTPRV, (priv_t *)0, 0)) == -1) {
        /* procpriv failed; display error and exit. */
        perror("procpriv CNTPRV error");
        exit(1);
    }
    if (cnt > 0) {
        /*
         * malloc some memory and get the privileges. Note the
         * parenthesization: the assignment to privp must complete
         * before the comparison with NULL.
         */
        if ((privp = (priv_t *)malloc(cnt * sizeof(priv_t))) == NULL) {
            /* Couldn't malloc, so exit. */
            exit(1);
        }
        if (procpriv(GETPRV, privp, cnt) == -1) {
            /* procpriv failed; display error and exit. */
            perror("procpriv GETPRV error");
            exit(1);
        }
    }

Retrieving process privileges

In this example, the number of privileges returned by the CNTPRV command to procpriv is used to determine the amount of memory to request when calling malloc. procpriv is then called with the GETPRV command to retrieve the actual privileges.
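The rules the three fragments rely on (the working set is a subset of the maximum set, a privilege can only be added if it is already in the maximum set, PUTPRV is absolute, clearing a privilege from the maximum set also clears it from the working set, and CNTPRV sizes the buffer that GETPRV fills) can be made concrete in a small model. The following is an added example, not code from this manual or from UnixWare: it does not include priv.h or call the real procpriv, and it runs on any C compiler. The privilege numbers, the pm_work/pm_max encoding (a set tag OR-ed onto the privilege id), the one-descriptor-per-(privilege, set) layout that GETPRV returns, and the rule that a working-set request in PUTPRV implies membership in the maximum set are constructed assumptions of the model, not documented system behaviour.

```c
/* Constructed model of the procpriv command semantics (added example, not
 * UnixWare code; does not use <priv.h>). Sets are bit masks, and
 * model_procpriv() applies one command following the rules in the text. */
#include <errno.h>
#include <stdio.h>

/* Constructed privilege numbers (assumption; the real values come from <priv.h>). */
enum { P_SETUID = 1, P_OWNER = 2, P_DACREAD = 3 };

/* Descriptor encoding modelled on pm_work()/pm_max(): id plus a set tag (assumption). */
#define PM_WORK 0x100
#define PM_MAX  0x200
#define pm_work(p) ((p) | PM_WORK)
#define pm_max(p)  ((p) | PM_MAX)

enum cmd { SETPRV, PUTPRV, CLRPRV, GETPRV, CNTPRV };

struct procset { unsigned max, work; };     /* one bit per privilege id */

static unsigned bit(int d) { return 1u << (d & 0xff); }

/* Split an array of descriptors into a maximum-set mask and a working-set mask. */
static void decode(const int *d, int n, unsigned *mx, unsigned *wk)
{
    int i;
    *mx = *wk = 0;
    for (i = 0; i < n; i++) {
        if (d[i] & PM_MAX)  *mx |= bit(d[i]);
        if (d[i] & PM_WORK) *wk |= bit(d[i]);
    }
}

/* Write one descriptor per (privilege, set) pair into out (if non-NULL); return the count. */
static int emit(const struct procset *ps, int *out, int cap)
{
    int p, n = 0;
    for (p = 0; p < 32; p++) {
        if (ps->max & (1u << p))  { if (out && n < cap) out[n] = pm_max(p);  n++; }
        if (ps->work & (1u << p)) { if (out && n < cap) out[n] = pm_work(p); n++; }
    }
    return n;
}

/* Returns -1 with errno set on failure, the descriptor count for CNTPRV/GETPRV, else 0. */
static int model_procpriv(struct procset *ps, enum cmd c, int *d, int n)
{
    unsigned mx, wk;
    switch (c) {
    case SETPRV:   /* add: everything requested must already be in the maximum set */
        decode(d, n, &mx, &wk);
        if ((mx | wk) & ~ps->max) { errno = EPERM; return -1; }
        ps->work |= wk;
        return 0;
    case PUTPRV:   /* absolute: the request replaces both sets */
        decode(d, n, &mx, &wk);
        if ((mx | wk) & ~ps->max) { errno = EPERM; return -1; }
        ps->max = mx | wk;      /* working-set request implies the maximum set (assumption) */
        ps->work = wk;
        return 0;
    case CLRPRV:   /* remove: leaving the maximum set also means leaving the working set */
        decode(d, n, &mx, &wk);
        ps->max &= ~mx;
        ps->work &= ~(wk | mx);
        return 0;
    case CNTPRV:
        return emit(ps, NULL, 0);
    case GETPRV:
        if (n < emit(ps, NULL, 0)) { errno = EINVAL; return -1; }
        return emit(ps, d, n);
    }
    errno = EINVAL;
    return -1;
}

/* The page's sequence: start with P_SETUID and P_OWNER in the maximum set,
 * add P_SETUID to the working set (count 1), then clear it from both (count 2). */
static int demo_page_sequence(struct procset *ps)
{
    int privd[2];
    ps->max = bit(P_SETUID) | bit(P_OWNER);
    ps->work = 0;
    privd[0] = pm_work(P_SETUID);
    privd[1] = pm_max(P_SETUID);
    if (model_procpriv(ps, SETPRV, privd, 1) == -1) return -1;
    if (!(ps->work & bit(P_SETUID))) return -2;       /* this is where setuid() would run */
    if (model_procpriv(ps, CLRPRV, privd, 2) == -1) return -1;
    return 0;
}

int main(void)
{
    struct procset ps;
    int descs[64], cnt, i;
    if (demo_page_sequence(&ps) != 0) { perror("model procpriv"); return 1; }
    cnt = model_procpriv(&ps, CNTPRV, NULL, 0);   /* size the buffer, as the page does before malloc */
    if (model_procpriv(&ps, GETPRV, descs, cnt) == -1) { perror("GETPRV"); return 1; }
    for (i = 0; i < cnt; i++)
        printf("%s set: privilege %d\n", (descs[i] & PM_WORK) ? "working" : "maximum", descs[i] & 0xff);
    return 0;
}
```

After the page's add-then-clear sequence only P_OWNER remains, in the maximum set, so the program prints a single "maximum set" line. The model also shows the failure mode the text warns about: a SETPRV request for a privilege outside the maximum set is refused rather than silently widening the process's privileges.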

With proper use, the privilege mechanism provides a way to restrict execution of sensitive system functions and improves the security of the system. See "Guidelines for writing trusted software".


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 27 April 2004