Process privilegesProcmgr abilities Parent topic: Procmgr abilities

Ability domains

The process manager supports PROCMGR_ADN_ROOT and PROCMGR_ADN_NONROOT flags that indicate which domain an ability applies to.

These flags let a process further limit what actions can be carried out depending on its effective user ID:

PROCMGR_ADN_NONROOT
Modify the ability of the process when it has an effective user ID of 0.
PROCMGR_ADN_ROOT
Modify the ability of the process when it has an effective user ID other than 0.

The following example shows how you can retain a specific ability for your process, before dropping root privileges. In the following example, the PROCMGR_AID_PATHSPACE ability is being allowed for non-root users: 

procmgr_ability( 0, PROCMGR_ADN_NONROOT
                      | PROCMGR_AOP_ALLOW
                      | PROCMGR_AID_PATHSPACE,
                    PROCMGR_AID_EOL);
setreuid(new_user, new_user);
setregid(new_group, new_group);
Parent topic: Procmgr abilities