On Sun, 28 Aug 2005, Hubert Feyrer wrote:
> 	solaris10% auths  | tr , '\012' | sort

FYI:
Actually, I think the command below would be more to the point here (I 
have no idea how they play together). For the case at hand, "proc_info" 
may be what is done for processes, there doesn't seem to be an equivalent 
to see open sockets.


solaris10% ppriv -lv
contract_event
 	Allows a process to request critical events without limitation.
 	Allows a process to request reliable delivery of all events on
 	any event queue.
contract_observer
 	Allows a process to observe contract events generated by
 	contracts created and owned by users other than the process's
 	effective user ID.
 	Allows a process to open contract event endpoints belonging to
 	contracts created and owned by users other than the process's
 	effective user ID.
cpc_cpu
 	Allow a process to access per-CPU hardware performance counters.
dtrace_kernel
 	Allows DTrace kernel-level tracing.
dtrace_proc
 	Allows DTrace process-level tracing.
 	Allows process-level tracing probes to be placed and enabled in
 	processes to which the user has permissions.
dtrace_user
 	Allows DTrace user-level tracing.
 	Allows use of the syscall and profile DTrace providers to
 	examine processes to which the user has permissions.
file_chown
 	Allows a process to change a file's owner user ID.
 	Allows a process to change a file's group ID to one other than
 	the process' effective group ID or one of the process'
 	supplemental group IDs.
file_chown_self
 	Allows a process to give away its files; a process with this
 	privilege will run as if {_POSIX_CHOWN_RESTRICTED} is not
 	in effect.
file_dac_execute
 	Allows a process to execute an executable file whose permission
 	bits or ACL do not allow the process execute permission.
file_dac_read
 	Allows a process to read a file or directory whose permission
 	bits or ACL do not allow the process read permission.
file_dac_search
 	Allows a process to search a directory whose permission bits or
 	ACL do not allow the process search permission.
file_dac_write
 	Allows a process to write a file or directory whose permission
 	bits or ACL do not allow the process write permission.
 	In order to write files owned by uid 0 in the absence of an
 	effective uid of 0 ALL privileges are required.
file_link_any
 	Allows a process to create hardlinks to files owned by a uid
 	different from the process' effective uid.
file_owner
 	Allows a process which is not the owner of a file or directory
 	to perform the following operations that are normally permitted
 	only for the file owner: modify that file's access and
 	modification times; remove or rename a file or directory whose
 	parent directory has the ``save text image after execution''
 	(sticky) bit set; mount a ``namefs'' upon a file; modify
 	permission bits or ACL except for the set-uid and set-gid
 	bits.
file_setid
 	Allows a process to change the ownership of a file or write to
 	a file without the set-user-ID and set-group-ID bits being
 	cleared.
 	Allows a process to set the set-group-ID bit on a file or
 	directory whose group is not the process' effective group or
 	one of the process' supplemental groups.
 	Allows a process to set the set-user-ID bit on a file with
 	different ownership in the presence of PRIV_FILE_OWNER.
 	Additional restrictions apply when creating or modifying a
 	set-uid 0 file.
ipc_dac_read
 	Allows a process to read a System V IPC
 	Message Queue, Semaphore Set, or Shared Memory Segment whose
 	permission bits do not allow the process read permission.
 	Allows a process to read remote shared memory whose
 	permission bits do not allow the process read permission.
ipc_dac_write
 	Allows a process to write a System V IPC
 	Message Queue, Semaphore Set, or Shared Memory Segment whose
 	permission bits do not allow the process write permission.
 	Allows a process to read remote shared memory whose
 	permission bits do not allow the process write permission.
 	Additional restrictions apply if the owner of the object has uid 0
 	and the effective uid of the current process is not 0.
ipc_owner
 	Allows a process which is not the owner of a System
 	V IPC Message Queue, Semaphore Set, or Shared Memory Segment to
 	remove, change ownership of, or change permission bits of the
 	Message Queue, Semaphore Set, or Shared Memory Segment.
 	Additional restrictions apply if the owner of the object has uid 0
 	and the effective uid of the current process is not 0.
net_icmpaccess
 	Allows a process to send and receive ICMP packets.
net_privaddr
 	Allows a process to bind to a privileged port
 	number. The privilege port numbers are 1-1023 (the traditional
 	UNIX privileged ports) as well as those ports marked as
 	"udp/tcp_extra_priv_ports" with the exception of the ports
 	reserved for use by NFS.
net_rawaccess
 	Allows a process to have direct access to the network layer.
proc_audit
 	Allows a process to generate audit records.
 	Allows a process to get its own audit pre-selection information.
proc_chroot
 	Allows a process to change its root directory.
proc_clock_highres
 	Allows a process to use high resolution timers.
proc_exec
 	Allows a process to call execve().
proc_fork
 	Allows a process to call fork1()/forkall()/vfork()
proc_info
 	Allows a process to examine the status of processes other
 	than those it can send signals to.  Processes which cannot
 	be examined cannot be seen in /proc and appear not to exist.
proc_lock_memory
 	Allows a process to lock pages in physical memory.
proc_owner
 	Allows a process to send signals to other processes, inspect
 	and modify process state to other processes regardless of
 	ownership.  When modifying another process, additional
 	restrictions apply:  the effective privilege set of the
 	attaching process must be a superset of the target process'
 	effective, permitted and inheritable sets; the limit set must
 	be a superset of the target's limit set; if the target process
 	has any uid set to 0 all privilege must be asserted unless the
 	effective uid is 0.
 	Allows a process to bind arbitrary processes to CPUs.
proc_priocntl
 	Allows a process to elevate its priority above its current level.
 	Allows a process to change its scheduling class to any scheduling class,
 	including the RT class.
proc_session
 	Allows a process to send signals or trace processes outside its
 	session.
proc_setid
 	Allows a process to set its uids at will.
 	Assuming uid 0 requires all privileges to be asserted.
proc_taskid
 	Allows a process to assign a new task ID to the calling process.
proc_zone
 	Allows a process to trace or send signals to processes in
 	other zones.
sys_acct
 	Allows a process to enable and disable and manage accounting through
 	acct(2), getacct(2), putacct(2) and wracct(2).
sys_admin
 	Allows a process to perform system administration tasks such
 	as setting node and domain name and specifying nscd and coreadm
 	settings.
sys_audit
 	Allows a process to start the (kernel) audit daemon.
 	Allows a process to view and set audit state (audit user ID,
 	audit terminal ID, audit sessions ID, audit pre-selection mask).
 	Allows a process to turn off and on auditing.
 	Allows a process to configure the audit parameters (cache and
 	queue sizes, event to class mappings, policy options).
sys_config
 	Allows a process to perform various system configuration tasks.
 	Allows a process to add and remove swap devices; when adding a swap
 	device, a process must also have sufficient privileges to read from
 	and write to the swap device.
sys_devices
 	Allows a process to successfully call a kernel module that
 	calls the kernel drv_priv(9F) function to check for allowed
 	access.
 	Allows a process to open the real console device directly.
 	Allows a process to open devices that have been exclusively opened.
sys_ipc_config
 	Allows a process to increase the size of a System V IPC Message
 	Queue buffer.
sys_linkdir
 	Allows a process to unlink and link directories.
sys_mount
 	Allows filesystem specific administrative procedures, such as
 	filesystem configuration ioctls, quota calls and creation/deletion
 	of snapshots.
 	Allows a process to mount and unmount filesystems which would
 	otherwise be restricted (i.e., most filesystems except
 	namefs).
 	A process performing a mount operation needs to have
 	appropriate access to the device being mounted (read-write for
 	"rw" mounts, read for "ro" mounts).
 	A process performing any of the aforementioned
 	filesystem operations needs to have read/write/owner
 	access to the mount point.
 	Only regular files and directories can serve as mount points
 	for processes which do not have all zone privileges asserted.
 	Unless a process has all zone privileges, the mount(2)
 	system call will force the "nosuid" and "restrict" options, the
 	latter only for autofs mountpoints.
 	Regardless of privileges, a process running in a non-global zone may
 	only control mounts performed from within said zone.
 	Outside the global zone, the "nodevices" option is always forced.
sys_net_config
 	Allows a process to configure a system's network interfaces and routes.
 	Allows a process to configure network parameters using ndd.
 	Allows a process access to otherwise restricted information using ndd.
 	Allows a process to push the rpcmod STREAMs module.
 	Allows a process to pop anchored STREAMs modules.
 	Allows a process to INSERT/REMOVE STREAMs modules on locations other
 	than the top of the module stack.
 	Allows a process to configure IPsec.
sys_nfs
 	Allows a process to perform Sun private NFS specific system calls.
 	Allows a process to bind to ports reserved by NFS: ports 2049 (nfs)
 	and port 4045 (lockd).
sys_res_config
 	Allows a process to create and delete processor sets, assign
 	CPUs to processor sets and override the PSET_NOESCAPE property.
 	Allows a process to change the operational status of CPUs in
 	the system using p_online(2).
 	Allows a process to configure resource pools and to bind
 	processes to pools
sys_resource
 	Allows a process to modify the resource limits specified
 	by setrlimit(2) and setrctl(2) without restriction.
 	Allows a process to exceed the per-user maximum number of
 	processes.
 	Allows a process to extend or create files on a filesystem that
 	has less than minfree space in reserve.
sys_suser_compat
 	Allows a process to successfully call a third party loadable module
 	that calls the kernel suser() function to check for allowed access.
 	This privilege exists only for third party loadable module
 	compatibility and is not used by Solaris proper.
sys_time
 	Allows a process to manipulate system time using any of the
 	appropriate system calls: stime, adjtime, ntp_adjtime and
 	the IA specific RTC calls.


  - Hubert