|
|
With the exception of processes with a UID of 0, the privileges inherited by an existing process when commencing execution of a file are derived from the current privileges and the fixed privileges set on the file being executed. This type of privilege mechanism is called a file-based privilege mechanism.
The most important advantage of this privilege mechanism over the UID-based privilege mechanism is the ability to apportion system privileges to executing processes with fine granularity. The inheritance mechanism used provides the ability to control the assertion of privilege throughout the execution of a process, and the granularity of the available discrete privileges alows you greater flexibility with configuration of security sensitive commands that must be executed by ordinary users.
While the privilege mechanism provides the means by which a system can apportion and control process privileges, the privilege policy provides the rules by which the system grants privileges to processes.