include file for privilege mechanism definitions
This header file is used by all privilege
All privileges are defined here, as
well as certain operations that are necessary
to manipulate privileges.
At user level, each privilege attached to a file or process is
defined as a 32-bit quantity called a privilege descriptor.
The most significant eight bits contain a mask value for the known
privilege sets: fixed, inheritable, maximum and working.
The remaining twenty-four bits contain a value for the
In the kernel, privileges are maintained as bit vectors in the
credentials structure, with the state of the corresponding bit
denoting whether a particular privilege is set or clear.
set in the credentials structure has its own bit vector.
Several macros exist to manipulate privilege descriptors and
convert between the user level descriptors and the kernel level
In the examples below, p denotes a privilege
descriptor, v denotes a privilege bit vector, and a and
b denote credential structures.
Returns a value equivalent to a privilege vector with all bits
Used for pm_setbits
Given a privilege descriptor p, return the privilege part only.
Given a privilege descriptor p, return the type of privilege set
Given a privilege descriptor p, return the type of privilege set as
an ASCII character (F for fixed, I for inheritable, M for maximum,
and W for working).
Given a privilege descriptor p containing only the privilege number, return a bit vector with the bit for
this privilege turned on.
Given an ASCII character stored in p, return a privilege
descriptor containing the type of privilege set corresponding to
Valid values are F for fixed privilege set, I for
inheritable set, M for maximum set, and W for working set.
Check the supplied privilege descriptor p, returning 0 if valid and
1 if not.
Given a privilege descriptor p and a bit vector v, turn on the bit in
the bit vector corresponding to the privilege supplied in the
Use pm_allon to set all bits if the descriptor contains
Given a credential structure a and a bit vector v with the bit
corresponding to the privilege of interest turned on, return 1 if
the privilege is on in the working privilege set of the
credentials, and 0 if not.
Given two credential structures a and b, determine if the maximum
privilege set of the second is an improper subset of the maximum
privilege set of the first.
Given a credential structure a, return 0 if the maximum privilege
set is empty (the process does not and cannot have privilege), or
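
The descriptor layout and the vector operations described above, as an added example that is not code from the header itself. Every `EX_`/`ex_` name, the mask values, and the single 32-bit vector per set are assumptions made for illustration; the page gives only the field widths.

```c
#include <stdint.h>
#include <stdio.h>
/* ASSUMED constants: the page gives the field widths, not the header's values. */
#define EX_TYPE_MASK 0xFF000000u /* most significant 8 bits: privilege set */
#define EX_PRIV_MASK 0x00FFFFFFu /* remaining 24 bits: privilege number */
#define EX_FIXED 0x01000000u
#define EX_INHER 0x02000000u
#define EX_MAX   0x04000000u
#define EX_WORK  0x08000000u
#define EX_NPRIVS 32u            /* constructed: one 32-bit vector per set */
struct ex_cred { uint32_t fixed, inher, max, work; }; /* hypothetical credentials */

/* Set type as an ASCII character, or 0 for an unknown or combined mask. */
static char ex_type_char(uint32_t p) {
    switch (p & EX_TYPE_MASK) {
    case EX_FIXED: return 'F';
    case EX_INHER: return 'I';
    case EX_MAX:   return 'M';
    case EX_WORK:  return 'W';
    default:       return 0;
    }
}

/* 0 if the descriptor is valid, 1 if not (the convention described above). */
static int ex_invalid(uint32_t p) { return ex_type_char(p) == 0 || (p & EX_PRIV_MASK) >= EX_NPRIVS; }

/* Turn on the descriptor's bit in its set; -1 if invalid, so a bad number is never a shift count. */
static int ex_setbit(struct ex_cred *c, uint32_t p) {
    if (ex_invalid(p)) return -1;
    uint32_t bit = UINT32_C(1) << (p & EX_PRIV_MASK);
    switch (p & EX_TYPE_MASK) {
    case EX_FIXED: c->fixed |= bit; break;
    case EX_INHER: c->inher |= bit; break;
    case EX_MAX:   c->max   |= bit; break;
    default:       c->work  |= bit; break;
    }
    return 0;
}

/* Working-set test, and improper-subset test on the maximum sets (1 = true). */
static int ex_working_has(const struct ex_cred *a, uint32_t v) { return (a->work & v) == v; }
static int ex_max_subset(const struct ex_cred *a, const struct ex_cred *b) { return (b->max & ~a->max) == 0; }

int main(void) {
    struct ex_cred c = {0}, d = {0};
    printf("rc=%d type=%c\n", ex_setbit(&c, EX_WORK | 5u), ex_type_char(EX_WORK | 5u));
    printf("has=%d subset=%d\n", ex_working_has(&c, 1u << 5), ex_max_subset(&c, &d));
    return 0;
}
```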
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004