#illumos #privileges #security #solaris

illumos-priv

Crate providing an interface to illumos's PRIVILEGES(5)

2 unstable releases

0.2.0 Mar 16, 2021
0.1.0 Jun 20, 2019

MPL-2.0 license

rust-illumos-priv

Adjust illumos privilege sets.

illumos implements a set of privileges that provide fine-grained control over the actions of processes. The possession of a certain privilege allows a process to perform a specific set of restricted operations.

See PRIVILEGES(5) for a list of privileges and their descriptions, or take a look at this crate's documentation.

Example

Dropping the fork and exec privileges from a process running as root causes its attempt to fork-exec ls to fail. The source for the example below can be found in examples/fork-exec.rs.

root - rustdev ~/src/rust-illumos-priv (git:master) # cargo run --example fork-exec
    Finished dev [unoptimized + debuginfo] target(s) in 0.02s
     Running `target/debug/examples/fork-exec`
failed to fork/exec ls: PermissionDenied

lib.rs:

This crate provides a safe wrapper around this interface and lets you add, remove, or replace a privilege set for a process or its offspring.

Example:

use illumos_priv::{PrivOp, PrivPtype, PrivSet, Privilege};

// Get a new basic PrivSet.
let mut set = PrivSet::new_basic().unwrap();

// Remove the ability to fork(2) from the set.
let _ = set
    .delset(Privilege::ProcFork)
    .expect("failed to delete from set");

// Replace the effective privilege set with the new one
illumos_priv::setppriv(PrivOp::Set, PrivPtype::Effective, &set).unwrap();

No runtime deps