System Administration Guide
Chapter 1, Administering user accounts

Changing system privileges

Changing system privileges

System privileges allow user processes to execute specific operating system services. For example, the ability to change ownership of a file is governed by the chown privilege. (The chown privilege allows the use of the chown(S) system call that enables chown(C) to work.)

In the Account Manager, select the user name, then select Privileges from the Users menu.

To change privileges assigned, deselect the Use system default privileges for this user account button. This allows you to assign a set of privileges specific to this account.

To add a privilege, select an entry the ``Not allowed'' column and click on the Add button.

To remove a privilege, select an entry in the ``Allowed'' column and click on the Remove button.

To change the privileges assigned by default, use this command:

usermod -D -x "{privs {list}}"

where list is one or more privileges separated by spaces.

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command. 

Table 1-4 System privileges

 Privilege              Allows user processes to
 configaudit            configure audit subsystem parameters
 writeaudit             write audit records to the audit trail
 execsuid               run set-UID programs
 chmodsugid             to set set-UID and set-GID bit on files
 chown                  to change the owner of an object
 suspendaudit           suspend operating system auditing of the process

NOTE: Restricted chown is required for NIST FIPS 151-1 conformance. The chown privilege should not be assigned to users if you wish to conform to NIST FIPS 151-1 requirements. The kernel parameter CHOWN_RES also controls this behavior; see the Performance Guide for more information.

Under the Low and Traditional security profiles, most system privileges are assigned by default and should not require modification. Under the High security profile, chmodsugid is not assigned by default. Most users require only execsuid to perform routine tasks. If the user needs to create files with the SUID or SGID bits, they must have chmodsugid. To change ownership of a file (``give it away''), the chown privilege is required. If a user does not have this privilege, ownership of files can only be changed by root. The audit privileges (configaudit, writeaudit, and suspendaudit) should never be assigned to anyone other than the audit administrator. They are intended for use by a program designed to run as a trusted application.

See also: