DragonFly On-Line Manual Pages
PRIVMAN(7) Miscellaneous PRIVMAN(7)
NAME
Privman - A library for privilege separation.
DESCRIPTION
Privman is a library that makes it easy for programs to use privilege
separation, a technique that prevents the leak or misuse of privilege
by applications that must run with some elevated permissions.
Privman-managed processes can implement fine-grained control of root
privilege on common Unix-based operating systems.
Applications that use the Privman library split into two halves: the
half that performs the privileged operations, and the half that
contains the application's logic. The Privman library simplifies the
otherwise complex task of separating the application, protecting the
system from compromise if an error in the application's logic is found.
The library uses configuration files (privman_conf(5)) to allow fine-
grained access control decisions for the privileged operations,
limiting exposure in the event of an attack against the application. If
the application is compromised, the attacker gains only the privileges
of an unprivileged user, plus the specific privileges granted to the
application by its Privman configuration file.
FILES
${prefix}/etc/privman.d/*
Application-specific configuration files. See privman_conf(5)
for further details.
${prefix}/include/privman.h
The include file for the library.
${exec_prefix}/lib/libprivman.so
The library itself. On most systems, you will need to link
against libpam and libpam_misc in addition to libprivman.
OVERVIEW
A Privman-managed program will generally start with a call to
priv_init(3). priv_init() splits the process: the still-privileged
parent listens to a pipe for requests, and the child drops privilege
and returns from priv_init().
After priv_init(), continue normally. When you need to invoke a
privileged operation "foo()", use "priv_foo()" instead. For example, if
you want your server to bind to a low port, you would pass the socket
to priv_bind(3) instead of bind(2).
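The following is an added illustration of the mechanism described
above; it is not Privman's own code, and its demo_* names are invented
(the real functions are declared in privman.h, whose signatures are not
reproduced here). It performs the fork-and-serve split that priv_init()
does, with the privileged parent taking bind requests over a socketpair
and the child dropping root, and then binds a socket through the parent
the way priv_bind() would. Where Privman would consult its privman.d
configuration, the parent here admits only IP sockets, an assumption
standing in for that policy lookup; the "nobody" account the child
drops to is likewise assumed.

```c
#include <errno.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>

/* Added illustration, not Privman's code: the fork-and-serve split priv_init()
 * performs and the request/reply priv_bind() rides on. The demo_* names are
 * invented; the real API is declared in privman.h. */
static int priv_chan = -1;      /* child's end of the request channel */

/* Pass one descriptor plus a payload over a Unix socket (SCM_RIGHTS). */
static ssize_t send_fd(int chan, int fd, const void *buf, size_t len)
{
    char cbuf[CMSG_SPACE(sizeof(int))] = { 0 };
    struct iovec iov = { .iov_base = (void *)buf, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(c), &fd, sizeof fd);
    return sendmsg(chan, &msg, 0);
}

/* Receive a payload and the descriptor sent with it; *fd is -1 if none came. */
static ssize_t recv_fd(int chan, int *fd, void *buf, size_t len)
{
    char cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    ssize_t n = recvmsg(chan, &msg, 0); *fd = -1;
    if (n <= 0) return n;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c && c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_RIGHTS)
        memcpy(fd, CMSG_DATA(c), sizeof *fd);
    return n;
}

/* Privileged half: serve bind requests until the child closes the channel.
 * Privman would consult privman.d here; admitting only IP sockets is an assumption. */
static void serve_requests(int chan)
{
    struct sockaddr_storage ss;
    int fd, err; ssize_t n;
    while ((n = recv_fd(chan, &fd, &ss, sizeof ss)) > 0) {
        if (fd < 0) err = EPROTO;
        else if (ss.ss_family != AF_INET && ss.ss_family != AF_INET6) err = EACCES;
        else err = bind(fd, (struct sockaddr *)&ss, (socklen_t)n) ? errno : 0;
        if (fd >= 0) close(fd);     /* the child's copy shares the description */
        if (write(chan, &err, sizeof err) != (ssize_t)sizeof err) break;
    }
}

/* Split the process: returns 0 in the unprivileged child; the parent serves requests
 * and never returns, exiting with the child's status. */
int demo_priv_init(void)
{
    int sv[2], st; pid_t pid = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid == 0) {
        close(sv[0]); priv_chan = sv[1];
        if (geteuid() == 0) {       /* drop root to "nobody" (assumed account); */
            struct passwd *pw = getpwnam("nobody");   /* fail closed, then verify */
            if (!pw || setgid(pw->pw_gid) < 0 || setuid(pw->pw_uid) < 0 || setuid(0) == 0) _exit(1);
        }
        return 0;
    }
    close(sv[1]);
    serve_requests(sv[0]);
    waitpid(pid, &st, 0);
    exit(WIFEXITED(st) ? WEXITSTATUS(st) : 1);
}

/* Unprivileged half: what the application calls in place of bind(2). */
int demo_priv_bind(int sock, const struct sockaddr *addr, socklen_t alen)
{
    int err;
    if (send_fd(priv_chan, sock, addr, alen) < 0) return -1;
    if (read(priv_chan, &err, sizeof err) != (ssize_t)sizeof err) { errno = EPIPE; return -1; }
    if (err) { errno = err; return -1; }
    return 0;
}

/* Bind a fresh TCP socket to 127.0.0.1:port via the parent; returns the bound port or -1. */
int demo_bind_loopback(int port)
{
    struct sockaddr_in sin = { .sin_family = AF_INET, .sin_port = htons(port),
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    socklen_t len = sizeof sin;
    int s = socket(AF_INET, SOCK_STREAM, 0);
    if (s < 0 || demo_priv_bind(s, (struct sockaddr *)&sin, sizeof sin) < 0 ||
        getsockname(s, (struct sockaddr *)&sin, &len) < 0) { close(s); return -1; }
    close(s);
    return ntohs(sin.sin_port);
}
```

Started as root, the child ends up running as nobody yet can still
bind a low port, because the bind(2) itself happens in the parent; the
child only ever holds the descriptor. Started unprivileged, the split
still takes place, and passing port 0 asks the kernel for an ephemeral
port, which demo_bind_loopback() returns. The parent's errno travels
back in the reply, so a second bind on an already-bound socket fails on
the unprivileged side with EINVAL exactly as a direct bind(2) would.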
BUGS
The API may seem a bit complex.
There is no permission checking on the chroot jail for either execve or
rerunas.
TODO
priv_fdreopen().
AUTHOR
Network Associates. Send email to <privman@nailabs.com>
SEE ALSO
priv_bind(3) priv_daemon(3) priv_execve(3) priv_fopen(3) priv_fork(3)
priv_init(3) privman_conf(5) priv_open(3) priv_pam(3) priv_rerunas(3)
Unix SEPTEMBER 2002 PRIVMAN(7)