System Administration Guide
Chapter 5, Maintaining system security

LUID enforcement

LUID enforcement requires that all processes have an LUID. Daemon processes that are setuid require special consideration on a trusted system. The only exceptions to the LUID rule are the processes that stamp the identifier on processes, namely the init(M), login(M), and cron(C) programs. (Technically, getty(M) also lacks an LUID, but it does not run set user ID programs.) All trusted utilities either stamp their own LUID (as auditd(ADM) does) or assume that their LUID was stamped before they run (as lpsched(ADM) does). The setuid(S) and setgid(S) system calls fail if the LUID is not set.

The cron daemon is a special case and is allowed to run without an LUID. Special daemons like cron are started and restarted by another daemon process, sdd, and a special utility, sd(ADM). If you need to create a daemon that runs without an LUID, refer to the sd(ADM) manual page for more information.

NOTE: If LUID enforcement has been disabled, use of the sd(ADM) command is unnecessary. See "Disabling C2 features".

As administrator, you must ensure that every newly introduced daemon is stamped with an LUID if it is started from the system startup files (/etc/rc?.d/*). The proper procedure is to set up the /etc/passwd and /etc/group files with the proper pseudo-user and group accounts, and the Protected Password entry for the account. If the daemon is to be run from a startup script, add a line to that script like the one below to run the program from su(C) so that the identity of the process is set properly. The procedure is the same as running daemons under a certain account using the traditional startup scripts. For example, the line printer daemon lpsched is started with the following line:

   su lp -c /usr/lib/lpsched >/dev/null 2>&1

The trusted version of the su program sets the LUID for a process if it has not already been set.
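
The following script is an added example, not part of the original guide: it checks how named daemons are started from the startup scripts and flags any that are not run through su, or whose account is missing from the password file. The function name audit_luid, the status labels, and the sample daemon "food" are assumptions made for illustration; it checks only /etc/passwd-style entries, not the group file or the Protected Password entry, and matches daemon paths as plain substrings.

```shell
#!/bin/sh
# Added example (not from the guide): report how each named daemon is started
# from the startup scripts, so daemons launched without su (no LUID) stand out.
# usage: audit_luid RC_ROOT PASSWD_FILE DAEMON_PATH...
#   OK      started as "su <user> -c <daemon>" and <user> is in PASSWD_FILE
#   NOSU    started directly, so nothing stamps an LUID on the process
#   NOUSER  started through su, but the account is missing from PASSWD_FILE
# Exit status is the number of NOSU/NOUSER findings.
audit_luid() {
    rc_root=$1; passwd=$2; shift 2
    awk -v daemons="$*" '
        BEGIN { n = split(daemons, want, " ") }
        FNR == NR { split($0, f, ":"); acct[f[1]] = 1; next }  # pass 1: passwd
        /^[ \t]*#/ { next }                                    # skip comments
        {
            for (i = 1; i <= n; i++) {
                if (index($0, want[i]) == 0) continue
                status = "NOSU"
                for (k = 1; k < NF; k++) {
                    if ($k !~ /(^|\/)su$/) continue
                    u = k + 1
                    if ($u == "-") u++                         # "su - user"
                    name = $u
                    if ($(u + 1) == "-c")
                        status = (name in acct) ? "OK" : "NOUSER"
                    break
                }
                if (status != "OK") bad++
                printf "%s %s:%d %s\n", status, FILENAME, FNR, want[i]
            }
        }
        END { exit bad + 0 }
    ' "$passwd" "$rc_root"/rc?.d/*
}

# Constructed sample tree; "food" is a hypothetical daemon, not a real program.
demo() {
    d=$(mktemp -d) && mkdir "$d/rc2.d" || return 1
    echo 'lp:x:71:18::/usr/spool/lp:' > "$d/passwd"
    echo 'su lp -c /usr/lib/lpsched >/dev/null 2>&1' > "$d/rc2.d/S80lp"
    echo '/usr/local/bin/food &' > "$d/rc2.d/S90food"
    audit_luid "$d" "$d/passwd" /usr/lib/lpsched /usr/local/bin/food
    rc=$?; rm -rf "$d"; return $rc
}
```

On a live system the call would be audit_luid /etc /etc/passwd followed by the daemon paths to check; demo runs the same check against the constructed files.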