Recalculating process privileges

When created, a process inherits the maximum and working sets of its parent. Whenever a process executes a file, using the exec(2) system call, the privilege policy rules require the process' privilege sets to be recalculated.

This mechanism works by using

• a list of system privileges

• a working and maximum set of privileges for each process on the system

• a fixed set of privileges for files

When a user executes a command, the privilege mechanism does the following:

• if an executable file has any fixed privileges, these fixed privileges are added to the maximum and working sets of the new process

• if the effective UID of a calling process is equal to 0 or a file has its set-user-ID-on-execution bit set and is owned by root, all privileges are placed in the maximum and working sets of the new process

Because UID 0 is a special case, provisions must be made if the effective UID of a process changes. If the effective UID of a process changes during execution, then the following occurs:

• if none of the real, new effective, or saved UIDs of a process are equal to 0, then remove all privileges from the current maximum and working sets of that process

• if the new effective UID of a process is equal to 0, then set the current working privileges to the current maximum set

• if the new effective UID of a process is not equal to 0 (but the real and/or saved UIDs are equal to 0), then remove all privileges from the current working set

Additionally, fixed privileges on a file are passed to a new process. This behavior provides a way for non-UID 0 processes to execute commands with privilege. The union of the maximum privileges of the calling process and fixed privileges of the executable are propagated to a new process regardless of UID.