Authorizations
The security mechanism has two types of authorization: kernel and subsystem.
A kernel privilege allows you to run specific processes on the
operating system.
A subsystem authorization allows you to use the commands of
a specific protected subsystem.
The kernel privileges are as follows:
execsuid-
allows you to run SUID (set user ID) programs.
An SUID program gains access to all the files,
processes, and resources belonging to the person running
the program and the owner of the program file.
chmodsugid-
allows you to change the setuid and setgid attributes of a
file or directory, using the
chmod(C)
command. Without this permission you cannot create
SUID files, which grant the permissions of the owner
of the file to whoever executes them, as described in
``Access control for files and directories''.
chown-
allows you to change the ownership of files using the
chown(C)
command.
Other kernel privileges include suspendaudit, configaudit,
and writeaudit.
There are two levels of subsystem authorization: primary and
secondary.
Primary authorizations are given to administrators and
are fully described in the System Administration Guide.
However, they can be given to ordinary users as well. Some primary
authorizations are:
mem-
allows you to use
ps(C)
to check the status of other users' processes, and
ipcs(ADM)
to report the status of interprocess communication.
Without this authorization, you can only use these commands to
report on processes belonging to you.
terminal-
allows you to use
write(C)
to communicate with other users.
If you use write without the authorization, any control
codes and escape sequences in your message are converted
to printable characters.
Other primary authorizations include audit, auth,
backup, cron, lp, sysadmin,
and root. (See
authorize(F)
for information on these authorizations.)
A secondary subsystem authorization allows you to use a subset of
the commands of a subsystem as an ordinary user (that is, you are not
given administrative privilege).
Secondary authorizations are described below:
audittrail-
allows the use of the audit subsystem to monitor your own
activities only.
This can be useful for debugging of programs because a detailed
record of system calls is generated by the audit daemon.
For more information, see ``Using the audit subsystem''
in the System Administration Guide.
printqueue-
allows you to view other users' jobs on the print queue.
printerstat-
allows you to use
enable(C)
and
disable(C)
to change the status of printers.
queryspace-
allows you to use
df(C)
to query the amount of space available on the filesystems.
-
su-
allows you to use
su(C)
to access another
account (including root).
Without this authorization, users can only access
their own accounts.
Other secondary authorizations include passwd,
create_backup, restore_backup, and shutdown.
Next topic:
Listing authorizations and running authorized commands
Previous topic:
Using commands on a trusted system
© 2005 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 03 June 2005