PRIVILEGES(7) Standards, Environments, and Macros PRIVILEGES(7)
NAME
privileges - process privilege model
DESCRIPTION
In illumos, software implements a set of privileges that provide fine-
grained control over the actions of processes. The possession of a
certain privilege allows a process to perform a specific set of
restricted operations.
The change to a primarily privilege-based security model in the operating
system gives developers an opportunity to restrict processes to those
privileged operations actually needed instead of all (super-user) or no
privileges (non-zero UIDs). Additionally, a set of previously
unrestricted operations now requires a privilege; these privileges are
dubbed the "basic" privileges and are by default given to all processes.
Taken together, all defined privileges with the exception of the "basic"
privileges compose the set of privileges that are traditionally
associated with the root user. The "basic" privileges are "privileges"
unprivileged processes were accustomed to having.
The defined privileges are:
PRIV_CONTRACT_EVENT Allow a process to request reliable delivery of events to an event
endpoint.
Allow a process to include events in the critical event set term of a
template which could be generated in volume by the user.
PRIV_CONTRACT_IDENTITY Allows a process to set the service FMRI value of a process contract
template.
PRIV_CONTRACT_OBSERVER Allow a process to observe contract events generated by contracts
created and owned by users other than the process's effective user
ID.
Allow a process to open contract event endpoints belonging to
contracts created and owned by users other than the process's
effective user ID.
PRIV_CPC_CPU Allow a process to access per-CPU hardware performance counters.
PRIV_DTRACE_KERNEL Allow DTrace kernel-level tracing.
PRIV_DTRACE_PROC Allow DTrace process-level tracing. Allow process-level tracing
probes to be placed and enabled in processes to which the user has
permissions.
PRIV_DTRACE_USER Allow DTrace user-level tracing. Allow use of the syscall and profile
DTrace providers to examine processes to which the user has
permissions.
PRIV_FILE_CHOWN Allow a process to change a file's owner user ID. Allow a process to
change a file's group ID to one other than the process's effective
group ID or one of the process's supplemental group IDs.
PRIV_FILE_CHOWN_SELF Allow a process to give away its files. A process with this privilege
runs as if {
_POSIX_CHOWN_RESTRICTED} is not in effect.
PRIV_FILE_DAC_EXECUTE Allow a process to execute an executable file whose permission bits
or ACL would otherwise disallow the process execute permission.
PRIV_FILE_DAC_READ Allow a process to read a file or directory whose permission bits or
ACL would otherwise disallow the process read permission.
PRIV_FILE_DAC_SEARCH Allow a process to search a directory whose permission bits or ACL
would not otherwise allow the process search permission.
PRIV_FILE_DAC_WRITE Allow a process to write a file or directory whose permission bits or
ACL do not allow the process write permission. All privileges are
required to write files owned by UID 0 in the absence of an effective
UID of 0.
PRIV_FILE_DOWNGRADE_SL Allow a process to set the sensitivity label of a file or directory
to a sensitivity label that does not dominate the existing
sensitivity label.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_FILE_FLAG_SET Allows a process to set immutable, nounlink or appendonly file
attributes.
PRIV_FILE_LINK_ANY Allow a process to create hardlinks to files owned by a UID different
from the process's effective UID.
PRIV_FILE_OWNER Allow a process that is not the owner of a file to modify that file's
access and modification times. Allow a process that is not the owner
of a directory to modify that directory's access and modification
times. Allow a process that is not the owner of a file or directory
to remove or rename a file or directory whose parent directory has
the "save text image after execution" (sticky) bit set. Allow a
process that is not the owner of a file to mount a
namefs upon that
file. Allow a process that is not the owner of a file or directory to
modify that file's or directory's permission bits or ACL.
PRIV_FILE_READ Allow a process to open objects in the filesystem for reading. This
privilege is not necessary to read from an already open file which
was opened before dropping the
PRIV_FILE_READ privilege.
PRIV_FILE_SETID Allow a process to change the ownership of a file or write to a file
without the set-user-ID and set-group-ID bits being cleared. Allow a
process to set the set-group-ID bit on a file or directory whose
group is not the process's effective group or one of the process's
supplemental groups. Allow a process to set the set-user-ID bit on a
file with different ownership in the presence of
PRIV_FILE_OWNER.
Additional restrictions apply when creating or modifying a setuid 0
file.
PRIV_FILE_UPGRADE_SL Allow a process to set the sensitivity label of a file or directory
to a sensitivity label that dominates the existing sensitivity label.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_FILE_WRITE Allow a process to open objects in the filesystem for writing, or
otherwise modify them. This privilege is not necessary to write to an
already open file which was opened before dropping the
PRIV_FILE_WRITE privilege.
PRIV_GRAPHICS_ACCESS Allow a process to make privileged ioctls to graphics devices.
Typically only an xserver process needs to have this privilege. A
process with this privilege is also allowed to perform privileged
graphics device mappings.
PRIV_GRAPHICS_MAP Allow a process to perform privileged mappings through a graphics
device.
PRIV_HYPRLOFS_CONTROL Allow a process to perform hyprlofs name space management.
PRIV_IPC_DAC_READ Allow a process to read a System V IPC Message Queue, Semaphore Set,
or Shared Memory Segment whose permission bits would not otherwise
allow the process read permission.
PRIV_IPC_DAC_WRITE Allow a process to write a System V IPC Message Queue, Semaphore Set,
or Shared Memory Segment whose permission bits would not otherwise
allow the process write permission.
PRIV_IPC_OWNER Allow a process that is not the owner of a System V IPC Message
Queue, Semaphore Set, or Shared Memory Segment to remove, change
ownership of, or change permission bits of the Message Queue,
Semaphore Set, or Shared Memory Segment.
PRIV_NET_ACCESS Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint.
This privilege is not necessary to communicate using an existing
endpoint already opened before dropping the
PRIV_NET_ACCESS privilege.
PRIV_NET_BINDMLP Allow a process to bind to a port that is configured as a multi-level
port (MLP) for the process's zone. This privilege applies to both
shared address and zone-specific address MLPs. See
tnzonecfg(
4) from
the Trusted Extensions manual pages for information on configuring
MLP ports.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_NET_ICMPACCESS Allow a process to send and receive ICMP packets.
PRIV_NET_MAC_AWARE Allow a process to set the
NET_MAC_AWARE process flag by using
setpflags(2). This privilege also allows a process to set the
SO_MAC_EXEMPT socket option by using
setsockopt(3SOCKET). The
NET_MAC_AWARE process flag and the
SO_MAC_EXEMPT socket option both
allow a local process to communicate with an unlabeled peer if the
local process's label dominates the peer's default label, or if the
local process runs in the global zone.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_NET_MAC_IMPLICIT Allow a process to set
SO_MAC_IMPLICIT option by using
setsockopt(3SOCKET). This allows a privileged process to transmit
implicitly-labeled packets to a peer.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_NET_OBSERVABILITY Allow a process to open a device for just receiving network traffic,
sending traffic is disallowed.
PRIV_NET_PRIVADDR Allow a process to bind to a privileged port number. The privilege
port numbers are 1-1023 (the traditional UNIX privileged ports) as
well as those ports marked as "
udp/tcp_extra_priv_ports" with the
exception of the ports reserved for use by NFS and SMB.
PRIV_NET_RAWACCESS Allow a process to have direct access to the network layer.
PRIV_PROC_AUDIT Allow a process to generate audit records. Allow a process to get its
own audit pre-selection information.
PRIV_PROC_CHROOT Allow a process to change its root directory.
PRIV_PROC_CLOCK_HIGHRES Allow a process to use high resolution timers with very small time
values.
PRIV_PROC_EXEC Allow a process to call
exec(2).
PRIV_PROC_FORK Allow a process to call
fork(2),
fork1(2), or
vfork(2).
PRIV_PROC_INFO Allow a process to examine the status of processes other than those
to which it can send signals. Processes that cannot be examined
cannot be seen in
/proc and appear not to exist.
PRIV_PROC_LOCK_MEMORY Allow a process to lock pages in physical memory.
PRIV_PROC_MEMINFO Allow a process to access physical memory information.
PRIV_PROC_OWNER Allow a process to send signals to other processes and inspect and
modify the process state in other processes, regardless of ownership.
When modifying another process, additional restrictions apply: the
effective privilege set of the attaching process must be a superset
of the target process's effective, permitted, and inheritable sets;
the limit set must be a superset of the target's limit set; if the
target process has any UID set to 0 all privilege must be asserted
unless the effective UID is 0. Allow a process to bind arbitrary
processes to CPUs.
PRIV_PROC_PRIOUP Allow a process to elevate its priority above its current level.
PRIV_PROC_PRIOCNTL Allows all that PRIV_PROC_PRIOUP allows. Allow a process to change
its scheduling class to any scheduling class, including the RT class.
PRIV_PROC_SECFLAGS Allow a process to manipulate the secflags of processes (subject to,
additionally, the ability to signal that process).
PRIV_PROC_SESSION Allow a process to send signals or trace processes outside its
session.
PRIV_PROC_SETID Allow a process to set its UIDs at will, assuming UID 0 requires all
privileges to be asserted.
PRIV_PROC_TASKID Allow a process to assign a new task ID to the calling process.
PRIV_PROC_ZONE Allow a process to trace or send signals to processes in other zones.
See
zones(7).
PRIV_SYS_ACCT Allow a process to enable and disable and manage accounting through
acct(2).
PRIV_SYS_ADMIN Allow a process to perform system administration tasks such as
setting node and domain name and managing
fmd(8) and
nscd(8).
PRIV_SYS_AUDIT Allow a process to start the (kernel) audit daemon. Allow a process
to view and set audit state (audit user ID, audit terminal ID, audit
sessions ID, audit pre-selection mask). Allow a process to turn off
and on auditing. Allow a process to configure the audit parameters
(cache and queue sizes, event to class mappings, and policy options).
PRIV_SYS_CONFIG Allow a process to perform various system configuration tasks. Allow
filesystem-specific administrative procedures, such as filesystem
configuration ioctls, quota calls, creation and deletion of
snapshots, and manipulating the PCFS bootsector.
PRIV_SYS_DEVICES Allow a process to create device special files. Allow a process to
successfully call a kernel module that calls the kernel
drv_priv(9F) function to check for allowed access. Allow a process to open the
real console device directly. Allow a process to open devices that
have been exclusively opened.
PRIV_SYS_DL_CONFIG Allow a process to configure a system's datalink interfaces.
PRIV_SYS_FS_IMPORT Allow a process to import a potentially untrusted file system (e.g.
ZFS recv).
PRIV_SYS_IP_CONFIG Allow a process to configure a system's IP interfaces and routes.
Allow a process to configure network parameters for
TCP/IP using
ndd.
Allow a process access to otherwise restricted
TCP/IP information
using
ndd. Allow a process to configure
IPsec. Allow a process to pop
anchored
STREAMs modules with matching
zoneid.
PRIV_SYS_IPC_CONFIG Allow a process to increase the size of a System V IPC Message Queue
buffer.
PRIV_SYS_IPTUN_CONFIG Allow a process to configure IP tunnel links.
PRIV_SYS_LINKDIR Allow a process to unlink and link directories.
PRIV_SYS_MOUNT Allow a process to mount and unmount filesystems that would otherwise
be restricted (that is, most filesystems except
namefs). Allow a
process to add and remove swap devices.
PRIV_SYS_NET_CONFIG Allow a process to do all that
PRIV_SYS_IP_CONFIG,
PRIV_SYS_DL_CONFIG, and
PRIV_SYS_PPP_CONFIG allow, plus the
following: use the
rpcmod STREAMS module and insert/remove STREAMS
modules on locations other than the top of the module stack.
PRIV_SYS_NFS Allow a process to provide NFS service: start NFS kernel threads,
perform NFS locking operations, bind to NFS reserved ports: ports
2049 (
nfs) and port 4045 (
lockd).
PRIV_SYS_PPP_CONFIG Allow a process to create, configure, and destroy PPP instances with
pppd(8) pppd(8) and control PPPoE plumbing with
sppptun(8). This
privilege is granted by default to exclusive IP stack instance zones.
PRIV_SYS_RES_BIND Allows a process to bind processes to processor sets.
PRIV_SYS_RES_CONFIG Allows all that PRIV_SYS_RES_BIND allows. Allow a process to create
and delete processor sets, assign CPUs to processor sets and override
the
PSET_NOESCAPE property. Allow a process to change the operational
status of CPUs in the system using
p_online(2). Allow a process to
configure filesystem quotas. Allow a process to configure resource
pools and bind processes to pools.
PRIV_SYS_RESOURCE Allow a process to exceed the resource limits imposed on it by
setrlimit(2) and
setrctl(2).
PRIV_SYS_SMB Allow a process to provide NetBIOS or SMB services: start SMB kernel
threads or bind to NetBIOS or SMB reserved ports: ports 137, 138, 139
(NetBIOS) and 445 (SMB).
PRIV_SYS_SUSER_COMPAT Allow a process to successfully call a third party loadable module
that calls the kernel
suser() function to check for allowed access.
This privilege exists only for third party loadable module
compatibility and is not used by illumos.
PRIV_SYS_TIME Allow a process to manipulate system time using any of the
appropriate system calls:
stime(2),
adjtime(2), and
ntp_adjtime(2).
PRIV_SYS_TRANS_LABEL Allow a process to translate labels that are not dominated by the
process's sensitivity label to and from an external string form.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_VIRT_MANAGE Allows a process to manage virtualized environments such as
xVM(7).
PRIV_WIN_COLORMAP Allow a process to override colormap restrictions.
Allow a process to install or remove colormaps.
Allow a process to retrieve colormap cell entries allocated by other
processes.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_CONFIG Allow a process to configure or destroy resources that are
permanently retained by the X server.
Allow a process to use SetScreenSaver to set the screen saver timeout
value
Allow a process to use ChangeHosts to modify the display access
control list.
Allow a process to use GrabServer.
Allow a process to use the SetCloseDownMode request that can retain
window, pixmap, colormap, property, cursor, font, or graphic context
resources.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_DAC_READ Allow a process to read from a window resource that it does not own
(has a different user ID).
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_DAC_WRITE Allow a process to write to or create a window resource that it does
not own (has a different user ID). A newly created window property is
created with the window's user ID.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_DEVICES Allow a process to perform operations on window input devices.
Allow a process to get and set keyboard and pointer controls.
Allow a process to modify pointer button and key mappings.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_DGA Allow a process to use the direct graphics access (DGA) X protocol
extensions. Direct process access to the frame buffer is still
required. Thus the process must have MAC and DAC privileges that
allow access to the frame buffer, or the frame buffer must be
allocated to the process.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_DOWNGRADE_SL Allow a process to set the sensitivity label of a window resource to
a sensitivity label that does not dominate the existing sensitivity
label.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_FONTPATH Allow a process to set a font path.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_MAC_READ Allow a process to read from a window resource whose sensitivity
label is not equal to the process sensitivity label.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_MAC_WRITE Allow a process to create a window resource whose sensitivity label
is not equal to the process sensitivity label. A newly created window
property is created with the window's sensitivity label.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_SELECTION Allow a process to request inter-window data moves without the
intervention of the selection confirmer.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_WIN_UPGRADE_SL Allow a process to set the sensitivity label of a window resource to
a sensitivity label that dominates the existing sensitivity label.
This privilege is interpreted only if the system is configured with
Trusted Extensions.
PRIV_XVM_CONTROL Allows a process access to the
xVM(7) control devices for managing
guest domains and the hypervisor. This privilege is used only if
booted into xVM on x86 platforms.
Of the privileges listed above, the privileges
PRIV_FILE_LINK_ANY,
PRIV_PROC_INFO,
PRIV_PROC_SESSION,
PRIV_PROC_FORK,
PRIV_FILE_READ,
PRIV_FILE_WRITE,
PRIV_NET_ACCESS and
PRIV_PROC_EXEC are considered
"basic" privileges. These are privileges that used to be always available
to unprivileged processes. By default, processes still have the basic
privileges.
The privileges
PRIV_PROC_SETID and
PRIV_PROC_AUDIT must be present in the
Limit set (see below) of a process in order for set-uid root
execs to be
successful, that is, get an effective UID of 0 and additional privileges.
The privilege implementation in illumos extends the process credential
with four privilege sets:
I, the inheritable set The privileges inherited on
exec.
P, the permitted set The maximum set of privileges for the process.
E, the effective set The privileges currently in effect.
L, the limit set The upper bound of the privileges a process and
its offspring can obtain. Changes to L take
effect on the next
exec.
The sets I, P and E are typically identical to the basic set of
privileges for unprivileged processes. The limit set is typically the
full set of privileges.
Each process has a Privilege Awareness State (PAS) that can take the
value PA (privilege-aware) and NPA (not-PA). PAS is a transitional
mechanism that allows a choice between full compatibility with the old
superuser model and completely ignoring the effective UID.
To facilitate the discussion, we introduce the notion of "observed
effective set" (oE) and "observed permitted set" (oP) and the
implementation sets iE and iP.
A process becomes privilege-aware either by manipulating the effective,
permitted, or limit privilege sets through
setppriv(2) or by using
setpflags(2). In all cases, oE and oP are invariant in the process of
becoming privilege-aware. In the process of becoming privilege-aware, the
following assignments take place:
iE = oE
iP = oP
When a process is privilege-aware, oE and oP are invariant under UID
changes. When a process is not privilege-aware, oE and oP are observed
as follows:
oE = euid == 0 ? L : iE
oP = (euid == 0 || ruid == 0 || suid == 0) ? L : iP
When a non-privilege-aware process has an effective UID of 0, it can
exercise the privileges contained in its limit set, the upper bound of
its privileges. If a non-privilege-aware process has any of the UIDs 0,
it appears to be capable of potentially exercising all privileges in L.
It is possible for a process to return to the non-privilege aware state
using
setpflags(). The kernel always attempts this on
exec(2). This
operation is permitted only if the following conditions are met:
o If any of the UIDs is equal to 0, P must be equal to L.
o If the effective UID is equal to 0, E must be equal to L.
When a process gives up privilege awareness, the following assignments
take place:
if (euid == 0) iE = L & I
if (any uid == 0) iP = L & I
The privileges obtained when not having a UID of
0 are the inheritable
set of the process restricted by the limit set.
Only privileges in the process's (observed) effective privilege set allow
the process to perform restricted operations. A process can use any of
the privilege manipulation functions to add or remove privileges from the
privilege sets. Privileges can be removed always. Only privileges found
in the permitted set can be added to the effective and inheritable set.
The limit set cannot grow. The inheritable set can be larger than the
permitted set.
When a process performs an
exec(2), the kernel first tries to relinquish
privilege awareness before making the following privilege set
modifications:
E' = P' = I' = L & I
L is unchanged
If a process has not manipulated its privileges, the privilege sets
effectively remain the same, as E, P and I are already identical.
The limit set is enforced at
exec time.
To run a non-privilege-aware application in a backward-compatible manner,
a privilege-aware application should start the non-privilege-aware
application with I=basic.
For most privileges, absence of the privilege simply results in a
failure. In some instances, the absence of a privilege can cause system
calls to behave differently. In other instances, the removal of a
privilege can force a set-uid application to seriously malfunction.
Privileges of this type are considered "unsafe". When a process is
lacking any of the unsafe privileges from its limit set, the system does
not honor the set-uid bit of set-uid root applications. The following
unsafe privileges have been identified:
proc_setid,
sys_resource and
proc_audit.
Privilege Escalation
In certain circumstances, a single privilege could lead to a process
gaining one or more additional privileges that were not explicitly
granted to that process. To prevent such an escalation of privileges, the
security policy requires explicit permission for those additional
privileges.
Common examples of escalation are those mechanisms that allow
modification of system resources through "raw" interfaces; for example,
changing kernel data structures through
/dev/kmem or changing files
through
/dev/dsk/*. Escalation also occurs when a process controls
processes with more privileges than the controlling process. A special
case of this is manipulating or creating objects owned by UID 0 or trying
to obtain UID 0 using
setuid(2). The special treatment of UID 0 is needed
because the UID 0 owns all system configuration files and ordinary file
protection mechanisms allow processes with UID 0 to modify the system
configuration. With appropriate file modifications, a given process
running with an effective UID of 0 can gain all privileges.
In situations where a process might obtain UID 0, the security policy
requires additional privileges, up to the full set of privileges. Such
restrictions could be relaxed or removed at such time as additional
mechanisms for protection of system files became available. There are no
such mechanisms in the current release.
The use of UID 0 processes should be limited as much as possible. They
should be replaced with programs running under a different UID but with
exactly the privileges they need.
Daemons that never need to
exec subprocesses should remove the
PRIV_PROC_EXEC privilege from their permitted and limit sets.
Assigned Privileges and Safeguards
When privileges are assigned to a user, the system administrator could
give that user more powers than intended. The administrator should
consider whether safeguards are needed. For example, if the
PRIV_PROC_LOCK_MEMORY privilege is given to a user, the administrator
should consider setting the
project.max-locked-memory resource control as
well, to prevent that user from locking all memory.
Privilege Debugging
When a system call fails with a permission error, it is not always
immediately obvious what caused the problem. To debug such a problem, you
can use a tool called
privilege debugging. When privilege debugging is
enabled for a process, the kernel reports missing privileges on the
controlling terminal of the process. (Enable debugging for a process with
the
-D option of
ppriv(1).) Additionally, the administrator can enable
system-wide privilege debugging by setting the
system(5) variable
priv_debug using:
set priv_debug = 1
On a running system, you can use
mdb(1) to change this variable.
Privilege Administration
Use
usermod(8) or
rolemod(8) to assign privileges to or modify privileges
for, respectively, a user or a role. Use
ppriv(1) to enumerate the
privileges supported on a system and
truss(1) to determine which
privileges a program requires.
SEE ALSO
mdb(1),
ppriv(1),
Intro(2),
access(2),
acct(2),
acl(2),
adjtime(2),
audit(2),
auditon(2),
chmod(2),
chown(2),
chroot(2),
creat(2),
exec(2),
fcntl(2),
fork(2),
fpathconf(2),
getacct(2),
getpflags(2),
getppriv(2),
getsid(2),
kill(2),
link(2),
memcntl(2),
mknod(2),
mount(2),
msgctl(2),
nice(2),
ntp_adjtime(2),
open(2),
p_online(2),
priocntl(2),
priocntlset(2),
processor_bind(2),
pset_bind(2),
pset_create(2),
readlink(2),
resolvepath(2),
rmdir(2),
semctl(2),
setauid(2),
setegid(2),
seteuid(2),
setgid(2),
setgroups(2),
setpflags(2),
setppriv(2),
setrctl(2),
setregid(2),
setreuid(2),
setrlimit(2),
settaskid(2),
setuid(2),
shmctl(2),
shmget(2),
shmop(2),
sigsend(2),
stat(2),
statvfs(2),
stime(2),
swapctl(2),
sysinfo(2),
uadmin(2),
ulimit(2),
umount(2),
unlink(2),
utime(2),
utimes(2),
door_ucred(3C),
priv_addset(3C),
priv_getbyname(3C),
priv_getbynum(3C),
priv_set(3C),
priv_set_to_str(3C),
priv_str_to_set(3C),
timer_create(3C),
ucred_get(3C),
t_bind(3NSL),
bind(3SOCKET),
socket(3SOCKET),
exec_attr(5),
proc(5),
system(5),
user_attr(5),
xVM(7),
add_drv(8),
ifconfig(8),
lockd(8),
nfsd(8),
pppd(8),
rem_drv(8),
smbd(8),
sppptun(8),
update_drv(8),
ddi_cred(9F),
drv_priv(9F),
priv_getbyname(9F),
priv_policy(9F),
priv_policy_choice(9F),
priv_policy_only(9F) System Administration Guide: Security Services August 26, 2019
PRIVILEGES(7)