AIX privileges
The privileges that are available in AIX® are listed in the following table. A description of each privilege and its related system calls is provided. Some privileges form a hierarchy where one privilege can grant all of the rights that are associated with another privilege.
When checking for privileges, the system first determines if the process has the lowest privilege needed, and then proceeds up the hierarchy checking for the presence of a more powerful privilege. For example, a process with the PV_AU_ privilege automatically has the PV_AU_ADMIN, PV_AU_ADD, PV_AU_PROC, PV_AU_READ, and PV_AU_WRITE privileges, and a process with the PV_ROOT privilege automatically has all of the privileges listed below except for the PV_SU_ privileges.
Privilege | Description | System call reference |
---|---|---|
PV_ROOT | Grants a process the equivalent of all privileges listed below except PV_SU_ (and the privileges it dominates) | |
PV_AU_ADD | Allows a process to record/add an audit record | auditlog |
PV_AU_ADMIN | Allows a process to configure and query the audit system | audit, auditbin, auditevents, auditobj |
PV_AU_PROC | Allows a process to get or set an audit state of a process | auditproc |
PV_AU_READ | Allows a process to read a file marked as an audit file in Trusted AIX | |
PV_AU_WRITE | Allows a process to write or delete a file marked as an audit file, or to mark a file as an audit file in Trusted AIX | |
PV_AU_ | Equivalent to all above auditing privileges (PV_AU_*) combined | |
PV_AZ_ADMIN | Allows a process to modify the kernel security tables | sec_setkst |
PV_AZ_READ | Allows a process to retrieve the kernel security tables | sec_getkat, sec_getkpct, sec_getkpdt, sec_getkrt, etc. |
PV_AZ_ROOT | Causes a process to pass authorization checks during exec() (used for inheritance purposes) | |
PV_AZ_CHECK | Causes a process to pass all authorization checks | sec_checkauth |
PV_DAC_R | Allows a process to override DAC read restrictions | access, creat, accessx, open, read, faccessx, mkdir, getea, rename, statx, _sched_getparam, _sched_getscheduler, statea, listea |
PV_DAC_W | Allows a process to override DAC write restrictions | Many of the above and setea, write, symlink, _setpri, _sched_setparam, _sched_setscheduler, fsetea, rmdir, removeea |
PV_DAC_X | Allows a process to override DAC execute restrictions | Many of the above and execve, symlink, rmdir, chdir, fchdir, ra_execve |
PV_DAC_O | Allows a process to override DAC ownership restrictions | chmod, utimes, setacl, revoke, mprotect |
PV_DAC_UID | Allows a process to change its user ID | setuid, seteuid, setuidx, setreuid, ptrace64 |
PV_DAC_GID | Allows a process to set a new group ID or change its group ID | setgid, setgidx, setgroups, ptrace64 |
PV_DAC_RID | Allows a process to set a new role ID or change its role ID | setroles, getroles |
PV_DAC_ | Equivalent to all above DAC privileges (PV_DAC_*) combined | |
PV_FS_MOUNT | Allows a process to mount and unmount a filesystem | vmount, umount |
PV_FS_MKNOD | Allows a process to create a file of any type or to perform the mknod system call | mknod |
PV_FS_CHOWN | Allows a process to change the ownership of a file | chown, chownx, fchownx, lchown |
PV_FS_QUOTA | Allows a process to manage disk quota operations | quotactl |
PV_FS_LINKDIR | Allows a process to make a hard link to a directory | link, unlink, remove |
PV_FS_CNTL | Allows a process to perform various control operations except extend and shrink on a filesystem | fscntl |
PV_FS_RESIZE | Allows a process to perform extend and shrink type of operations on a filesystem | fscntl |
PV_FS_CHROOT | Allows a process to change its root directory | chroot |
PV_FS_PDMODE | Allows a process to make or set a partitioned-type directory | pdmkdir |
PV_FS_ | Equivalent to all above filesystem privileges (PV_FS_*) combined | |
PV_PROC_PRIV | Allows a process to modify or view privilege sets associated with a process | setppriv, getppriv |
PV_PROC_PRIO | Allows a process/thread to change priority, policy and other scheduling parameters | _prio_requeue, _setpri, _setpriority, _getpri, _sched_setparam, _sched_setscheduler, _thread_setsched, thread_boostceiling, thread_setmystate, thread_setstate |
PV_PROC_CORE | Allows a process to dump core | gencore |
PV_PROC_RAC | Allows a process to create more processes than the per-user limit | appsetrlimit, setrlimit64, mlock, mlockall, munlock, munlockall, plock, upfget, upfput, restart, brk, sbrk |
PV_PROC_RSET | Allows a process to attach a resource set (rset) to a process or thread | bindprocessor, ra_attachrset, ra_detachrset, rs_registername, rs_setnameattr, rs_discardname, rs_setpartition, rs_getassociativity, kra_mmapv |
PV_PROC_ENV | Allows a process to set user information in the user structure | ue_proc_register, ue_proc_unregister, usrinfo |
PV_PROC_CKPT | Allows a process to checkpoint or restart another process | setcrid, restart |
PV_PROC_CRED | Allows a process to set credential attributes | __pag_setvalue, __pag_setvalue64, __pag_genpagvalue |
PV_PROC_SIG | Allows a process to send a signal to an unrelated process | _sigqueue, kill, signohup, gencore, thread_post, thread_post_many |
PV_PROC_TIMER | Allows a process to submit and use fine-granularity timers | appresabs, appresinc, absinterval, incinterval, _poll, _select, _timer_settime |
PV_PROC_RTCLK | Allows a process to access the CPU-time clock | _clock_getres, _clock_gettime, _clock_settime, _clock_getcpuclockid |
PV_PROC_VARS | Allows a process to retrieve and update process tunable parameters | smttune |
PV_PROC_PDMODE | Allows a process to change the REAL mode of a partitioned directory | setppdmode |
PV_PROC_ | Equivalent to all above process privileges (PV_PROC_*) combined | |
PV_TCB | Allows a process to modify the kernel trusted library path | chpriv, fchpriv |
PV_TP | Indicates a process is a trusted path process and allows actions limited to trusted path processes. (Note: same as the old AIX BYPASS_TPATH privilege.) | |
PV_WPAR_CKPT | Allows a process to perform checkpoint/restart operation in WPAR | smcr_proc_info, smcr_exec_info, smcr_mapinfo, smcr_net_oper, smcr_procattr, aio_suspend_io, aio_resume_io |
PV_KER_ACCT | Allows a process to perform restricted operations pertaining to the accounting subsystem | acct, _acctctl, projctl |
PV_KER_DR | Allows a process to invoke dynamic reconfiguration operations | _dr_register, _dr_notify, _dr_unregister, dr_reconfig |
PV_KER_TIME | Allows a process to modify the system clock and system time | adjtime, appsettimer, _clock_settime |
PV_KER_RAC | Allows a process to use large (non-pageable) pages for the shared memory segments | shmctl, vmgetinfo |
PV_KER_WLM | Allows a process to initialize and modify WLM configuration | _wlm_set, _wlm_tune, _wlm_assign |
PV_KER_EWLM | Allows a process to initialize or query the eWLM environment | |
PV_KER_VARS | Allows a process to examine or set kernel runtime tunable parameters | sys_parm, getkerninfo, __pag_setname, sysconfig, kunload64 |
PV_KER_REBOOT | Allows a process to shut down the system | reboot |
PV_KER_RAS | Allows a process to configure or write RAS records, error logging, tracing, and dump functions | mtrace_set, mtrace_ctl |
PV_KER_LVM | Allows a process to configure the LVM subsystem | |
PV_KER_NFS | Allows a process to configure the NFS subsystem | |
PV_KER_VMM | Allows a process to modify swap parameters and other VMM tunable parameters in the kernel | swapoff, _swapon_ext, vmgetinfo |
PV_KER_WPAR | Allows a process to configure a workload partition | brand, corral_config, corral_delete, corral_modify, wpar_mkdevexport, wpar_rmdevexport, wpar_lsdevexport |
PV_KER_CONF | Allows a process to perform various system-configuration operations | sethostname, sethostid, unameu, setdomainname |
PV_KER_EXTCONF | Allows a process to perform various configuration tasks in kernel extensions (for kernel extension services) | |
PV_KER_IPC | Allows a process to raise the value of IPC message queue buffer and allow shmget with ranges to attach | msgctl, shm_open, shmget, ra_shmget, ra_shmgetv, shmctl |
PV_KER_IPC_R | Allows a process to read an IPC message queue, semaphore set, or shared memory segment | msgctl, __msgrcv, _mq_open, semctl, shmat, shm_open, __semop, shmctl, __semtimedop, sem_post, _sem_wait, __msgxrcv |
PV_KER_IPC_W | Allows a process to write an IPC message queue, semaphore set, or shared memory segment | _mq_open, shmat, _sem_open, semctl, shm_open, shmctl, mq_unlink, sem_unlink, shm_unlink, msgctl, __msgsnd |
PV_KER_IPC_O | Allows a process to override DAC ownership on all IPC objects | msgctl, semctl, shmctl, fchmod, fchown |
PV_KER_SECCONFIG | Allows a process to set kernel security flags | sec_setsecconf, sec_setrunmode, sec_setsyslab, sec_getsyslab |
PV_KER_PATCH | Allows a process to patch kernel extensions | |
PV_KER_ | Equivalent to all above kernel privileges (PV_KER_*) combined | |
PV_DEV_CONFIG | Allows a process to configure kernel extensions and devices in the system | sysconfig |
PV_DEV_LOAD | Allows a process to load and unload kernel extensions and devices in the system | sysconfig |
PV_DEV_QUERY | Allows a process to query kernel modules | sysconfig |
PV_SU_ROOT | Grants the process all privileges associated with the standard AIX superuser | |
PV_SU_EMUL | Grants the process all privileges associated with the standard AIX superuser if the UID is 0 | |
PV_SU_UID | Causes the getuid system call to return 0 | getuidx |
PV_SU_ | Equivalent to all of the above superuser privileges (PV_SU_*) combined | |
PV_NET_CNTL | Allows a process to modify network tables | socket, bind, listen, _naccept, econnect, ioctl, rmsock, setsockopt |
PV_NET_PORT | Allows a process to bind to privileged ports | bind |
PV_NET_RAWSOCK | Allows a process to have direct access to the network layer | socket, _send, _sendto, sendmsg, _nsendmsg |
PV_NET_CONFIG | Allows a process to configure networking parameters | |
PV_NET_ | Equivalent to all above networking privileges (PV_NET_*) combined | |
The privileges listed in the following table are specific to Trusted AIX:
Trusted AIX privilege | Description | System call reference |
---|---|---|
PV_LAB_CL | Allows a process to modify subject SCLs, subject to the process's clearance | |
PV_LAB_CLTL | Allows a process to modify subject TCLs, subject to the process’s clearance | |
PV_LAB_LEF | Allows a process to read the label encoding file | |
PV_LAB_SLDG | Allows a process to downgrade SLs, subject to the process's clearance | |
PV_LAB_SLDG_STR | Allows a process to downgrade the SL of a packet, subject to the process's clearance | |
PV_LAB_SL_FILE | Allows a process to change object SLs, subject to the process's clearance | |
PV_LAB_SL_PROC | Allows a process to change subject SL, subject to the process's clearance | |
PV_LAB_SL_SELF | Allows a process to change its own SL, subject to the process's clearance | |
PV_LAB_SLUG | Allows a process to upgrade SLs, subject to the process's clearance | |
PV_LAB_SLUG_STR | Allows a process to upgrade the SL of a packet, subject to the process's clearance | |
PV_LAB_TL | Allows a process to modify subject and object TLs | |
PV_LAB_ | Equivalent to all above label privileges (PV_LAB_*) combined | |
PV_MAC_CL | Allows a process to bypass sensitivity clearance restrictions | |
PV_MAC_R_PROC | Allows a process to bypass MAC read restrictions when getting information about a process, provided that the target process's label is within the acting process's clearance | |
PV_MAC_W_PROC | Allows a process to bypass MAC write restrictions when sending a signal to a process, provided that the target process's label is within the acting process's clearance | |
PV_MAC_R | Allows a process to bypass MAC read restrictions | |
PV_MAC_R_CL | Allows a process to bypass MAC read restrictions when the object's label is within the process's clearance | |
PV_MAC_R_STR | Allows a process to bypass MAC read restrictions when reading a message from a STREAM, provided that the message's label is within the process's clearance | |
PV_MAC_W | Allows a process to bypass MAC write restrictions | |
PV_MAC_W_CL | Allows a process to bypass MAC write restrictions when the object's label is within the process's clearance | |
PV_MAC_W_DN | Allows a process to bypass MAC write restrictions when the process label dominates the object's label and the object's label is within the process's clearance | |
PV_MAC_W_UP | Allows a process to bypass MAC write restrictions when the process label is dominated by the object's label and the object's label is within the process's clearance | |
PV_MAC_OVRRD | Bypasses MAC restrictions for files flagged as being exempt from MAC | |
PV_MAC_ | Equivalent to all above MAC privileges (PV_MAC_*) combined | |
PV_MIC | Allows a process to bypass integrity restrictions | |
PV_MIC_CL | Allows a process to bypass integrity clearance restrictions | |
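
The lookup order described at the top of this page (lowest privilege first, then up the hierarchy), as an added example that is not IBM or AIX code: a Python model that reviews a privilege set and reports which required privileges are met only by a group privilege or PV_ROOT. It assumes the only levels are the ones the tables state (the individual privilege, its PV_x_ group row, then PV_ROOT) and that PV_ROOT also covers the Trusted AIX rows; the function names are hypothetical.

```python
# Simplified model of the lookup order described on this page; not AIX kernel code.
# Group privileges are the "PV_x_" rows named in the two tables above.
GROUPS = ("PV_AU_", "PV_DAC_", "PV_FS_", "PV_PROC_", "PV_KER_",
          "PV_SU_", "PV_NET_", "PV_LAB_", "PV_MAC_")


def check_chain(needed):
    """Privileges that satisfy a check for `needed`, weakest first."""
    chain = [needed]
    group = next((g for g in GROUPS if needed.startswith(g)), None)
    if group and group != needed:
        chain.append(group)
    # PV_ROOT covers everything except PV_SU_ and the privileges it dominates.
    if group != "PV_SU_" and needed != "PV_ROOT":
        chain.append("PV_ROOT")
    return chain


def granted_by(held, needed):
    """Return the held privilege that satisfies `needed`, or None."""
    held = set(held)
    return next((p for p in check_chain(needed) if p in held), None)


def review(held, required):
    """Least-privilege review of one privilege set.

    Returns (missing, broad): required privileges that nothing satisfies,
    and required privileges satisfied only by a group privilege or PV_ROOT
    (candidates for replacement with the narrower privilege).
    """
    missing, broad = [], {}
    for need in required:
        via = granted_by(held, need)
        if via is None:
            missing.append(need)
        elif via != need:
            broad[need] = via
    return missing, broad


if __name__ == "__main__":
    # Constructed sample: a privilege set assigned to a hypothetical command.
    held = {"PV_AU_", "PV_NET_PORT", "PV_ROOT"}
    print(review(held, ["PV_AU_ADD", "PV_NET_PORT", "PV_FS_MOUNT", "PV_SU_UID"]))
```

Entries in the second result are where a group privilege or PV_ROOT is standing in for a single narrower privilege from the tables.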