PRIVMAN(7) Miscellaneous PRIVMAN(7)
NAME
Privman - A library for privilege separation.
DESCRIPTION
Privman is a library that makes it easy for programs to use privilege
separation, a technique that prevents the leak or misuse of privilege
from applications that must run with some elevated permissions.
Privman-managed processes can implement fine-grained control of root
privilege on common Unix-based operating systems.
Applications that use the Privman library split into two halves, the
half that performs valid privileged operations, and the half that
contains the application's logic. The Privman library simplifies the
otherwise complex task of separating the application, protecting the
system from compromise if an error in the application's logic is found.
The library uses configuration files (privman_conf(5)) to allow fine-
grained access control decisions for the privileged operations,
limiting exposure in the event of an attack against the application. If
the application is compromised, the attacker gains only the privileges
of an unprivileged user, and the specific privileges granted to the
application by the application's Privman configuration file.
FILES
${prefix}/etc/privman.d/*
Application-specific configuration files. See privman_conf(5)
for further details.
${prefix}/include/privman.h
The include file for the library.
${exec_prefix}/lib/libprivman.so
The library itself. On most systems, you will need to link
against libpam and libpam_misc in addition to libprivman.
OVERVIEW
A Privman-managed program will generally start with a call to
priv_init(3). priv_init() splits the process: the still-privileged
parent listens to a pipe for requests, the child drops privilege and
returns from priv_init().
After priv_init(), continue normally. When you need to invoke a
privileged operation "foo()", use "priv_foo()" instead. For example,
if you want your server to bind to a low port, you would pass the
socket to priv_bind(3) instead of bind(2).
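As an added illustration (not code from the Privman library), here is a miniature of the split that priv_init() performs and of the request/reply exchange a priv_foo() wrapper makes over the pipe: the privileged parent serves requests and applies policy, the child drops privilege and continues. The one-int request format, the allow-list of ports standing in for the privman.d configuration, the demo_* names and uid 65534 for the unprivileged child are all constructed assumptions, and the monitor returns a policy decision instead of actually calling bind(2).

```c
/* Constructed illustration of the priv_init() split; not privman's own code. */
#include <errno.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
static const int allowed_ports[] = { 80, 443 }; /* stands in for the privman.d policy */

/* Decided on the privileged side: the child's request is never trusted. */
static int port_allowed(int port)
{
    for (size_t i = 0; i < sizeof allowed_ports / sizeof *allowed_ports; i++)
        if (allowed_ports[i] == port) return 1;
    return 0;
}

/* Privileged parent: request = one int (port), reply = 0 or -errno. Serves until
 * the child closes the pipe, then exits with the child's exit status. */
static void serve_requests(int fd, pid_t child)
{
    int port, reply, status;
    while (read(fd, &port, sizeof port) == (ssize_t)sizeof port) {
        reply = port_allowed(port) ? 0 : -EPERM; /* a real monitor would bind(2) here */
        if (write(fd, &reply, sizeof reply) != (ssize_t)sizeof reply) break;
    }
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status)) _exit(1);
    _exit(WEXITSTATUS(status));
}

/* Split like priv_init(): the parent never returns; the unprivileged child gets
 * the request fd back. Privilege is dropped only when we really are root. */
int demo_priv_init(void)
{
    int sv[2];
    pid_t pid;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0 || (pid = fork()) < 0) return -1;
    if (pid > 0) { close(sv[1]); serve_requests(sv[0], pid); }
    close(sv[0]);
    if (getuid() == 0 && (setgid(65534) < 0 || setuid(65534) < 0)) _exit(1); /* 65534 = nobody, assumed */
    return sv[1];
}

/* Child-side stand-in for priv_bind(): ask the parent, return 0 or -1 with errno set. */
int demo_priv_bind(int fd, int port)
{
    int reply;
    if (write(fd, &port, sizeof port) != (ssize_t)sizeof port ||
        read(fd, &reply, sizeof reply) != (ssize_t)sizeof reply) return -1;
    if (reply < 0) { errno = -reply; return -1; }
    return 0;
}
```

Note that a request for a port outside the policy fails in the child with EPERM exactly as a refused priv_bind(3) would, while the parent keeps running for the next request.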
BUGS
The API may seem a bit complex.
There is no permission checking on the chroot jail for either execve or
rerunas.
TODO
priv_fdreopen().
AUTHOR
Network Associates. Send email to <privman@nailabs.com>
SEE ALSO
priv_bind(3), priv_daemon(3), priv_execve(3), priv_fopen(3),
priv_fork(3), priv_init(3), privman_conf(5), priv_open(3),
priv_pam(3), priv_rerunas(3)
Unix SEPTEMBER 2002 PRIVMAN(7)