Privileged device database

Edit online

The privileged device database stores the list of privileges that are allowed to read from or write to a device. This database provides a mechanism for an administrator to further control access to a device than can be managed through traditional device access controls.

When this database is stored locally, it is contained in the /etc/security/privdevs file. The database stores the privileges required to access a given device for read or write operations in the following attributes:

readprivs: Lists privileges which are allowed to read from the device
writeprivs: Lists privileges which are allowed to write to the device

When a privileged device is requested to be opened in read mode, the open is only allowed if one of the privileges specified in the readprivs attribute exists in the effective privilege set (EPS) for the process. Similarly, if the device is opened for write mode, a privilege in the writeprivs attribute must exist in the EPS.

The process of adding a device to the privileged device database is normally not a common operation. The lssecattr and setsecattr commands can be used to list and manipulate the database, but adding or modifying entries in the database requires considerable investigation. Since the read and write permission for a device is controlled through privileges, a thorough investigation of the commands and applications that need to access the device must be performed to ensure that the proper privileges are specified.