Determining required privileges for a command

Many applications require specific privileges in order to execute properly. While a set of predefined commands is provided in the privileged command database, a system administrator may need to add entries that are specific to their application or environment. The privileged command database allows entries to be added for commands and their associated privileges.

Prior to adding a command to the privileged command database, the minimum set of required privileges must be determined to ensure that command execution is as secure as possible. Any privileges granted beyond those necessary for proper execution violate the least-privilege principle. Therefore, an important step in adding a privileged command to the system is determining the minimum required privileges.

The following is the basic strategy to determine the minimum required privileges for a command:
  1. The Information System Security Officer (ISSO) or a user with the isso role can assign PV_ROOT privilege to the system administrator executing the command to be assigned to the privileged database. The assignment of the PV_ROOT privilege to the invoking shell will be done using the setsecattr command. For example:

    setsecattr -p eprivs=PV_ROOT mprivs=PV_ROOT $$

  2. Run the command to collect the set of privileges.
  3. Record the privilege set used for the process.
  4. Store the necessary privileges in the innateprivs attribute of the command in the privileged command database.

These steps should be performed in a controlled environment, since PV_ROOT, an extremely powerful privilege, is being assigned to a shell. In addition, running the command may have some system impact that affects other users. In practice, this is likely to be a trial-and-error procedure: to obtain the full set of privileges, the command will probably need to be run repeatedly with different flags and options, and possibly for a long period for long-running applications. The privilege set used by the process can be gathered with either of the following procedures, which can be performed by an administrator with the proper authority:
tracepriv
Takes an argument that is the command to execute. The tracepriv command runs the command and records the privileges used during the lifetime of the process. When the command finishes, the tracepriv command displays the privileges that were used on stdout.
lssecattr
If the command is a long-running process, the lssecattr command can be used to display the privileges used by the process. To display the used privilege set for a process, run the command as follows, substituting the PID of the process that is being monitored:

lssecattr -p -a uprivs PID
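
Because the used privilege set usually has to be collected over several trial runs, the snapshots need to be merged before the result is written to innateprivs. The following script is an added example, not part of this documentation: it assumes the "PID uprivs=PV_A,PV_B" line shape that lssecattr -p -a uprivs prints, uses constructed sample snapshots and a hypothetical command path, and emits the setsecattr command that would record the merged set.

```shell
#!/bin/sh
# Added example (not from the original documentation): merge the privilege
# sets recorded across several trial runs into one innateprivs value and
# print the setsecattr invocation that would register it. The input lines
# are assumed to follow the "PID uprivs=PV_A,PV_B" shape that
# 'lssecattr -p -a uprivs PID' prints; the samples below are constructed.

# Constructed snapshots: three runs of the same command with different flags.
SAMPLE_SNAPSHOTS='4711 uprivs=PV_DAC_R,PV_FS_CHOWN
4720 uprivs=PV_DAC_R,PV_DAC_W
4733 uprivs=PV_DAC_W,PV_NET_PORT'

# merge_uprivs: read snapshot lines on stdin and print the sorted,
# de-duplicated union of privileges as one comma-separated list.
merge_uprivs() {
    sed -n 's/^[0-9][0-9]* *uprivs=//p' |   # keep only the value part
        tr ',' '\n' |                        # one privilege per line
        sed '/^$/d' |                        # drop empty entries
        sort -u |                            # union across runs
        paste -sd, -                         # back to comma-separated
}

# build_setsecattr: given a command path and the merged list, emit the
# setsecattr command that stores those privileges as innateprivs.
build_setsecattr() {
    printf 'setsecattr -c innateprivs=%s %s\n' "$2" "$1"
}

# check_not_root: fail if PV_ROOT is still in the list, since storing it
# would grant the command every privilege and defeat the exercise.
check_not_root() {
    case ",$1," in
        *,PV_ROOT,*) return 1 ;;
        *) return 0 ;;
    esac
}

MERGED=$(printf '%s\n' "$SAMPLE_SNAPSHOTS" | merge_uprivs)
if check_not_root "$MERGED"; then
    build_setsecattr /usr/local/bin/myapp "$MERGED"   # hypothetical path
else
    echo "PV_ROOT present in the used set; re-examine the runs" >&2
fi
```

Review the merged list by hand before running the emitted command; a privilege that appears in only one run may point at an option the command should not be allowed to use.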

After the minimum required privileges have been determined, perform the steps in Adding a command to the privileged command database to add the command to the privileged command database. The command should then be run by an authorized user to verify that it runs properly.