Administrator's Guide
The following are compound privileges:
• BASIC
Basic privileges available to all processes by default. Processes may drop one or
more privileges from this set.
• BASICROOT
Basic and privileges and privileges that provide powers usually associated with
UID=0.
• POLICY
Policy override privileges and policy configuration privileges. Policy override
privileges override compartment rules. Policy configuration privileges control how
privileges are configured.
For a complete list of the privileges in each of the compound privileges, see privileges(5).
7.5 Security Implications of Fine-Grained Privileges
Fine-grained privileges are not propagated across distributed systems; they are applied
only on the local system. For example a process on one system that has PRIV_DACREAD
and PRIV_DACWRITE cannot override discretionary restrictions on another system to
read or write to a file.
7.5.1 Privilege Escalation
In certain situations, if you grant a process a certain privilege or set of privileges, that
process can gain additional privileges that were not explicitly granted to it. This is called
privilege escalation. For example, a process with the PRIV_DACWRITE privilege can
overwrite critical operating system files and, in the process, can grant itself additional
fine-grained privileges.
7.6 Fine-Grained Privileges in HP Serviceguard Clusters
Privilege-aware applications can be monitored by HP Serviceguard. There are no changes
to Serviceguard package configuration files or Serviceguard package management to
support fine-grained privileges. No changes were made in Serviceguard scripts to facilitate
the use of fine-grained privileges.
To maintain proper Serviceguard operations when deploying HP-UX 11i fine-grained
privileges to Serviceguard nodes or packages:
• Ensure root (UID=0) has full privileges in the INIT compartment.
• Ensure fine-grained privileges implementations do not create security risks for
Serviceguard clusters.
7.5 Security Implications of Fine-Grained Privileges 139