Kernel privileges
The following kernel privileges are available on Trusted AIX®. A synopsis and description of each privilege and its uses is provided. Some privileges form a hierarchy, where one privilege can grant all of the rights associated with another privilege.
When checking for privileges, the system first checks whether the process has the lowest privilege needed, and then proceeds up the hierarchy, checking for the presence of more powerful privileges. For example, a process with the PV_AU_ privilege automatically has the PV_AU_ADMIN, PV_AU_ADD, PV_AU_PROC, PV_AU_READ, and PV_AU_WRITE privileges, and a process with the PV_ROOT privilege automatically has all of the privileges listed below except the PV_SU_ privileges.
- PV_KER_
  - Equivalent to all of the other PV_KER_ privileges combined
- PV_KER_ACCT
  - Allows a process to perform restricted operations related to the accounting subsystem
- PV_KER_DR
  - Allows a process to invoke dynamic reconfiguration operations
- PV_KER_TIME
  - Allows a process to modify the system clock and time
- PV_KER_RAC
  - Allows a process to use large (non-pageable) pages for shared memory segments
- PV_KER_WLM
  - Allows a process to initialize and modify WLM configuration
- PV_KER_EWLM
  - Allows a process to initialize or query the eWLM environment
- PV_KER_VARS
  - Allows a process to examine or set kernel run time tunable parameters
- PV_KER_REBOOT
  - Allows a process to shut down the system
- PV_KER_RAS
  - Allows a process to configure or write RAS records, error logging, tracing, and dump functions
- PV_KER_LVM
  - Allows a process to configure the LVM subsystem
- PV_KER_NFS
  - Allows a process to configure the NFS subsystem
- PV_KER_VMM
  - Allows a process to modify swap parameters and other VMM tunable parameters in the kernel
- PV_KER_WPAR
  - Allows a process to configure a workload partition
- PV_KER_CONF
  - Allows a process to perform various system configuration operations
- PV_KER_EXTCONF
  - Allows a process to perform various configuration tasks in kernel extensions
- PV_KER_IPC
  - Allows a process to raise the value of the IPC message queue buffer and allow shmget system calls with ranges to attach
- PV_KER_IPC_R
  - Allows a process to read an IPC message queue, semaphore set, or shared memory segment
- PV_KER_IPC_W
  - Allows a process to write an IPC message queue, semaphore set, or shared memory segment
- PV_KER_IPC_O
  - Allows a process to override DAC ownership on all IPC objects
- PV_KER_SECCONFIG
  - Allows a process to set kernel security flags
- PV_KER_PATCH
  - Allows a process to patch kernel extensions
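
The lookup order described at the top of this page (lowest privilege first, then up the hierarchy) can be modeled to review what a privilege assignment really grants. The following is an added example, not AIX code: the function names and the sample role are hypothetical, and only the two family roots this page describes (PV_AU_ and PV_KER_) plus PV_ROOT are modeled, with no intermediate levels assumed.

```python
# Added illustration of the lookup order on this page; not AIX source code.
# Family roots are limited to the two the page describes (PV_AU_, PV_KER_).
FAMILY_ROOTS = ("PV_AU_", "PV_KER_")

# Constructed subset of the privileges named on this page.
LISTED = ["PV_AU_ADMIN", "PV_AU_READ", "PV_KER_TIME", "PV_KER_IPC_R",
          "PV_KER_SECCONFIG", "PV_KER_PATCH"]


def check_order(required):
    """Privileges tested for `required`, least powerful first."""
    order = [required]
    for root in FAMILY_ROOTS:
        if required.startswith(root) and required != root:
            order.append(root)
    # The page excludes the PV_SU_ privileges from what PV_ROOT grants.
    if not required.startswith("PV_SU_") and required != "PV_ROOT":
        order.append("PV_ROOT")
    return order


def granted_by(held, required):
    """Return the held privilege that satisfies `required`, or None."""
    for priv in check_order(required):
        if priv in held:
            return priv
    return None


def effective(held, listed=LISTED):
    """Map each listed privilege a process effectively has to its source."""
    result = {}
    for priv in listed:
        source = granted_by(held, priv)
        if source is not None:
            result[priv] = source
    return result


if __name__ == "__main__":
    # Constructed role: needs only clock control but was assigned PV_KER_.
    for priv, source in effective({"PV_KER_"}).items():
        print(f"{priv:18} granted via {source}")
```

Run against a role that was given PV_KER_ for convenience, the output shows that it also carries PV_KER_SECCONFIG and PV_KER_PATCH, which is the case for assigning the narrowest privilege in the list instead of the family root.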