/etc/security/privdevs File

Purpose

Contains security attributes for privileged devices.

Description

The /etc/security/privdevs file is an ASCII stanza file that contains privileged devices and their security attributes. Each stanza in the /etc/security/privdevs file is identified by the full path name to the device, followed by a colon (:). Each stanza contains attributes in the Attribute=Value form. The path name must be the absolute path to the device and cannot contain symbolic link directories or be a symbolic link to the device. Each Attribute=Value pair is ended by a newline character, and each stanza is ended by an additional newline character. For an example of a stanza, see Examples.

Changes made to the privdevs file do not take effect until the entire privileged device database is loaded into the Kernel Security Tables with the setkst command or until the system is rebooted.

Modifying and Listing Entries in the devices File

Do not edit the /etc/security/privdevs file directly. Use the following commands to manipulate the privileged devices database:

setsecattr
        Adds a device entry to, or changes a device entry in, the /etc/security/privdevs file.
lssecattr
        Displays device attributes and their values.
rmsecattr
        Removes a device entry from the /etc/security/privdevs file.

To write programs that affect entries in the /etc/security/privdevs file, use one or more of the following subroutines:
  • getdevattr
  • getdevattrs
  • putdevattr
  • putdevattrs

Attributes

A stanza in this file contains one or more of the following security attributes:

Attribute       Description

readprivs       Specifies the privileges required to read from the device as a comma-separated list of privilege names. You can define a maximum of eight privileges. A process with any of the specified read privileges can read from the device.

writeprivs      Specifies the privileges required to write to the device as a comma-separated list of privilege names. You can define a maximum of eight privileges. A process with any of the specified write privileges can write to the device.

Security

The root user and the security group own this file. Read and write access is granted to the root user. Access for other users and groups depends on the security policy for the system.

Examples

The following example shows a typical device stanza in the file:
/dev/mydev:
        readprivs = PV_DAC_R,PV_AU_READ
        writeprivs = PV_DAC_W,PV_AU_WRITE
This entry indicates that the process must have either the PV_DAC_R privilege or the PV_AU_READ privilege to read from the device. The process also must have either the PV_DAC_W privilege or the PV_AU_WRITE privilege to write to the device.
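As an added example (not part of the AIX documentation or of any AIX tool), the following Python code parses text in the stanza format described above, enforces the documented constraints (absolute, symlink-free path, Attribute=Value lines, at most eight privileges per list) and applies the "any one listed privilege is sufficient" rule to a process's privilege set. The sample text and the second device stanza are constructed for this example.

```python
import os
from typing import Dict, List

MAX_PRIVS = 8  # the page allows at most eight privilege names per attribute
ATTRS = ("readprivs", "writeprivs")

# Constructed sample text in the page's stanza format; not a real system file.
SAMPLE = """/dev/mydev:
        readprivs = PV_DAC_R,PV_AU_READ
        writeprivs = PV_DAC_W,PV_AU_WRITE

/dev/otherdev:
        readprivs = PV_ROOT
"""

def parse_privdevs(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Return {device_path: {attribute: [privilege, ...]}} for stanza text,
    raising ValueError on any violation of the documented format."""
    stanzas: Dict[str, Dict[str, List[str]]] = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:                      # the extra newline ends a stanza
            current = None
            continue
        if line.endswith(":"):            # "/dev/name:" opens a stanza
            dev = line[:-1]
            if not os.path.isabs(dev) or os.path.realpath(dev) != dev:
                raise ValueError(f"line {lineno}: {dev!r} must be an absolute, symlink-free path")
            current = stanzas.setdefault(dev, {})
            continue
        if current is None:
            raise ValueError(f"line {lineno}: attribute outside any stanza")
        attr, sep, value = (s.strip() for s in line.partition("="))
        if not sep or attr not in ATTRS:
            raise ValueError(f"line {lineno}: malformed or unknown attribute {line!r}")
        privs = [p.strip() for p in value.split(",") if p.strip()]
        if len(privs) > MAX_PRIVS:
            raise ValueError(f"line {lineno}: {attr} lists more than {MAX_PRIVS} privileges")
        current[attr] = privs
    return stanzas

def can_access(stanzas, device: str, mode: str, proc_privs) -> bool:
    """Page's rule: holding ANY one listed privilege suffices. mode is 'read' or
    'write'; a missing stanza or attribute grants nothing (example's assumption)."""
    required = stanzas.get(device, {}).get("readprivs" if mode == "read" else "writeprivs", [])
    return any(p in proc_privs for p in required)
```

Running `parse_privdevs(SAMPLE)` reproduces the stanza above as a dictionary, and `can_access` answers whether a given privilege set passes the read or write check for a device.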