Lines Matching full:to

5 .\" The contents of this file are subject to the terms of the Common Development and Distribution L…
14 allows a process to perform a specific set of restricted operations.
17 The change to a primarily privilege-based security model in the
18 operating system gives developers an opportunity to restrict processes to those
22 privileges and are by default given to all processes.
28 were accustomed to having.
39 Allow a process to request reliable delivery of events to an event endpoint.
41 Allow a process to include events in the critical event set term of a template
52 Allows a process to set the service FMRI value of a process contract template.
62 Allow a process to observe contract events generated by contracts created and
65 Allow a process to open contract event endpoints belonging to contracts created
76 Allow a process to access per-CPU hardware performance counters.
96 Allow DTrace process-level tracing. Allow process-level tracing probes to be
97 placed and enabled in processes to which the user has permissions.
108 providers to examine processes to which the user has permissions.
118 Allow a process to change a file's owner user ID. Allow a process to change a
119 file's group ID to one other than the process's effective group ID or one of
130 Allow a process to give away its files. A process with this privilege runs as
141 Allow a process to execute an executable file whose permission bits or ACL
152 Allow a process to read a file or directory whose permission bits or ACL would
163 Allow a process to search a directory whose permission bits or ACL would not
174 Allow a process to write a file or directory whose permission bits or ACL do
175 not allow the process write permission. All privileges are required to write
186 Allow a process to set the sensitivity label of a file or directory to a
200 Allows a process to set immutable, nounlink or appendonly file attributes.
210 Allow a process to create hardlinks to files owned by a UID different from the
221 Allow a process that is not the owner of a file to modify that file's access
222 and modification times. Allow a process that is not the owner of a directory to
224 not the owner of a file or directory to remove or rename a file or directory
226 set. Allow a process that is not the owner of a file to mount a \fBnamefs\fR
227 upon that file. Allow a process that is not the owner of a file or directory to
238 Allow a process to open objects in the filesystem for reading. This
239 privilege is not necessary to read from an already open file which was opened
250 Allow a process to change the ownership of a file or write to a file without
251 the set-user-ID and set-group-ID bits being cleared. Allow a process to set the
253 effective group or one of the process's supplemental groups. Allow a process to
266 Allow a process to set the sensitivity label of a file or directory to a
280 Allow a process to open objects in the filesystem for writing, or otherwise
281 modify them. This privilege is not necessary to write to an already open file
292 Allow a process to make privileged ioctls to graphics devices. Typically only
293 an xserver process needs to have this privilege. A process with this privilege
294 is also allowed to perform privileged graphics device mappings.
304 Allow a process to perform privileged mappings through a graphics device.
314 Allow a process to read a System V IPC Message Queue, Semaphore Set, or Shared
326 Allow a process to write a System V IPC Message Queue, Semaphore Set, or Shared
339 Semaphore Set, or Shared Memory Segment to remove, change ownership of, or
351 Allow a process to open a TCP, UDP, SDP, or SCTP network endpoint. This
352 privilege is not necessary to communicate using an existing endpoint already
363 Allow a process to bind to a port that is configured as a multi-level port
364 (MLP) for the process's zone. This privilege applies to both shared address and
379 Allow a process to send and receive ICMP packets.
389 Allow a process to set the \fBNET_MAC_AWARE\fR process flag by using
390 \fBsetpflags\fR(2). This privilege also allows a process to set the
393 allow a local process to communicate with an unlabeled peer if the local
408 Allow a process to set \fBSO_MAC_IMPLICIT\fR option by using
409 \fBsetsockopt\fR(3SOCKET).  This allows a privileged process to transmit
410 implicitly-labeled packets to a peer.
423 Allow a process to open a device for just receiving network traffic, sending
434 Allow a process to bind to a privileged port number. The privilege port numbers
447 Allow a process to have direct access to the network layer.
457 Allow a process to generate audit records. Allow a process to get its own audit
468 Allow a process to change its root directory.
478 Allow a process to use high resolution timers with very small time values.
488 Allow a process to call \fBexec\fR(2).
498 Allow a process to call \fBfork\fR(2), \fBfork1\fR(2), or \fBvfork\fR(2).
508 Allow a process to examine the status of processes other than those to which it
510 \fB/proc\fR and appear not to exist.
520 Allow a process to lock pages in physical memory.
530 Allow a process to access physical memory information.
540 Allow a process to send signals to other processes and inspect and modify the
545 target's limit set; if the target process has any UID set to 0 all privilege
546 must be asserted unless the effective UID is 0. Allow a process to bind
547 arbitrary processes to CPUs.
557 Allow a process to elevate its priority above its current level.
568 Allow a process to change its scheduling class to any scheduling class,
579 Allow a process to manipulate the secflags of processes (subject to,
580 additionally, the ability to signal that process).
590 Allow a process to send signals or trace processes outside its session.
600 Allow a process to set its UIDs at will, assuming UID 0 requires all privileges
611 Allow a process to assign a new task ID to the calling process.
621 Allow a process to trace or send signals to processes in other zones. See
632 Allow a process to enable and disable and manage accounting through
643 Allow a process to perform system administration tasks such as setting node and
654 Allow a process to start the (kernel) audit daemon. Allow a process to view and
656 pre-selection mask). Allow a process to turn off and on auditing. Allow a
657 process to configure the audit parameters (cache and queue sizes, event to
668 Allow a process to perform various system configuration tasks. Allow
681 Allow a process to create device special files. Allow a process to successfully
682 call a kernel module that calls the kernel \fBdrv_priv\fR(9F) function to check
683 for allowed access. Allow a process to open the real console device directly.
684 Allow a process to open devices that have been exclusively opened.
694 Allow a process to configure a system's datalink interfaces.
704 Allow a process to configure a system's IP interfaces and routes. Allow a
705 process to configure network parameters for \fBTCP/IP\fR using \fBndd\fR. Allow
706 a process access to otherwise restricted \fBTCP/IP\fR information using
707 \fBndd\fR. Allow a process to configure \fBIPsec\fR. Allow a process to pop
718 Allow a process to increase the size of a System V IPC Message Queue buffer.
728 Allow a process to configure IP tunnel links.
738 Allow a process to unlink and link directories.
748 Allow a process to mount and unmount filesystems that would otherwise be
749 restricted (that is, most filesystems except \fBnamefs\fR). Allow a process to
760 Allow a process to do all that \fBPRIV_SYS_IP_CONFIG\fR,
773 Allow a process to provide NFS service: start NFS kernel threads, perform NFS
774 locking operations, bind to NFS reserved ports: ports 2049 (\fBnfs\fR) and port
785 Allow a process to create, configure, and destroy PPP instances with pppd(8)
787 This privilege is granted by default to exclusive IP stack instance zones.
797 Allows a process to bind processes to processor sets.
808 Allow a process to create and delete processor sets, assign CPUs to processor
809 sets and override the \fBPSET_NOESCAPE\fR property. Allow a process to change
811 process to configure filesystem quotas. Allow a process to configure resource
812 pools and bind processes to pools.
822 Allow a process to exceed the resource limits imposed on it by
833 Allow a process to provide NetBIOS or SMB services: start SMB kernel threads or
834 bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445
845 Allow a process to successfully call a third party loadable module that calls
846 the kernel \fBsuser()\fR function to check for allowed access. This privilege
858 Allow a process to manipulate system time using any of the appropriate system
869 Allow a process to translate labels that are not dominated by the process's
870 sensitivity label to and from an external string form.
883 Allows a process to manage virtualized environments such as \fBxVM\fR(7).
893 Allow a process to override colormap restrictions.
895 Allow a process to install or remove colormaps.
897 Allow a process to retrieve colormap cell entries allocated by other processes.
910 Allow a process to configure or destroy resources that are permanently retained
913 Allow a process to use SetScreenSaver to set the screen saver timeout value
915 Allow a process to use ChangeHosts to modify the display access control list.
917 Allow a process to use GrabServer.
919 Allow a process to use the SetCloseDownMode request that can retain window,
933 Allow a process to read from a window resource that it does not own (has a
947 Allow a process to write to or create a window resource that it does not own
962 Allow a process to perform operations on window input devices.
964 Allow a process to get and set keyboard and pointer controls.
966 Allow a process to modify pointer button and key mappings.
979 Allow a process to use the direct graphics access (DGA) X protocol extensions.
980 Direct process access to the frame buffer is still required. Thus the process
981 must have MAC and DAC privileges that allow access to the frame buffer, or the
982 frame buffer must be allocated to the process.
995 Allow a process to set the sensitivity label of a window resource to a
1009 Allow a process to set a font path.
1022 Allow a process to read from a window resource whose sensitivity label is not
1023 equal to the process sensitivity label.
1036 Allow a process to create a window resource whose sensitivity label is not
1037 equal to the process sensitivity label. A newly created window property is
1051 Allow a process to request inter-window data moves without the intervention of
1065 Allow a process to set the sensitivity label of a window resource to a
1079 Allows a process access to the \fBxVM\fR(7) control devices for managing guest
1090 that used to be always available to unprivileged processes. By default,
1135 Changes to L take effect on the next \fBexec\fR.
1140 The sets I, P and E are typically identical to the basic set of privileges for
1184 If a non-privilege-aware process has any of the UIDs 0, it appears to be
1188 It is possible for a process to return to the non-privilege aware state using
1195 If any of the UIDs is equal to 0, P must be equal to L.
1201 If the effective UID is equal to 0, E must be equal to L.
1222 process to perform restricted operations. A process can use any of the
1223 privilege manipulation functions to add or remove privileges from the privilege
1225 set can be added to the effective and inheritable set. The limit set cannot
1229 When a process performs an \fBexec\fR(2), the kernel first tries to relinquish
1254 some instances, the absence of a privilege can cause system calls to behave
1256 application to seriously malfunction. Privileges of this type are considered
1262 In certain circumstances, a single privilege could lead to a process gaining
1263 one or more additional privileges that were not explicitly granted to that
1264 process. To prevent such an escalation of privileges, the security policy
1273 creating objects owned by UID 0 or trying to obtain UID 0 using
1276 allow processes with UID 0 to modify the system configuration. With appropriate
1282 additional privileges, up to the full set of privileges. Such restrictions
1293 Daemons that never need to \fBexec\fR subprocesses should remove the
1296 When privileges are assigned to a user, the system administrator could give
1299 privilege is given to a user, the administrator should consider setting the
1300 \fBproject.max-locked-memory\fR resource control as well, to prevent that user
1304 obvious what caused the problem. To debug such a problem, you can use a tool
1320 On a running system, you can use \fBmdb\fR(1) to change this variable.
1323 to assign privileges to or modify privileges for, respectively, a user or a
1324 role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and
1325 \fBtruss\fR(1) to determine which privileges a program requires.