author | Peter Tribble <peter.tribble@gmail.com> | 2019-08-26 12:08:31 +0100 |
---|---|---|
committer | Peter Tribble <peter.tribble@gmail.com> | 2019-08-29 08:12:19 +0100 |
commit | b8dadaa8b0556cca0e965ddc197acacafeb40980 (patch) | |
tree | 40f9a3d73c67767c7d66bd891462ef3cb3eacea2 | |
parent | 727feae5cc0661f4ec44e87b934863693bedf87d (diff) | |
11621 fmadm and fmstat document privileges incorrectly
Reviewed by: Rob Johnston <rob.johnston@joyent.com>
Approved by: Richard Lowe <richlowe@richlowe.net>
-rw-r--r-- | usr/src/man/man1m/fmadm.1m | 30 |
-rw-r--r-- | usr/src/man/man1m/fmstat.1m | 31 |
-rw-r--r-- | usr/src/man/man5/privileges.5 | 23 |
3 files changed, 23 insertions, 61 deletions
diff --git a/usr/src/man/man1m/fmadm.1m b/usr/src/man/man1m/fmadm.1m index b77aaacf5b..a166e1fe42 100644 --- a/usr/src/man/man1m/fmadm.1m +++ b/usr/src/man/man1m/fmadm.1m @@ -1,21 +1,19 @@ '\" te .\" Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved. .\" Copyright 2012 Joshua M. Clulow <josh@sysmgr.org> +.\" Copyright 2019 Peter Tribble .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] -.TH FMADM 1M "Oct 22, 2008" +.TH FMADM 1M "Aug 26, 2019" .SH NAME fmadm \- fault management configuration tool .SH SYNOPSIS -.LP .nf \fBfmadm\fR [\fB-q\fR] [\fIsubcommand\fR [\fIarguments\fR]] .fi .SH DESCRIPTION -.sp -.LP The \fBfmadm\fR utility can be used by administrators and service personnel to view and modify system configuration parameters maintained by the Fault Manager, \fBfmd\fR(1M). \fBfmd\fR receives telemetry information relating to 
@@ -56,13 +54,10 @@ to gather more information or perform additional tasks. The documentation for to observe fault management activities. .sp .LP -The \fBfmadm\fR utility requires the user to possess the \fBSYS_CONFIG\fR -privilege. Refer to the \fI\fR for more information about how to configure -privileges. The \fBfmadm\fR \fBload\fR subcommand requires that the -user possess all privileges. +The \fBfmadm\fR utility requires the user to possess the \fBPRIV_SYS_ADMIN\fR +privilege. See \fBprivileges\fR(5). The \fBfmadm\fR \fBload\fR subcommand +requires that the user possess all privileges. .SS "SUBCOMMANDS" -.sp -.LP \fBfmadm\fR accepts the following subcommands. Some of the subcommands accept or require additional options and operands: .sp @@ -385,8 +380,6 @@ logfile to be rotated, if the current one is not zero in size: .RE .SH OPTIONS -.sp -.LP The following options are supported: .sp .ne 2 @@ -399,8 +392,6 @@ successful operations to standard output. .RE .SH OPERANDS -.sp -.LP The following operands are supported: .sp .ne 2 @@ -422,8 +413,6 @@ as described in \fBSUBCOMMANDS\fR. .RE .SH EXIT STATUS -.sp -.LP The following exit values are returned: .sp .ne 2 @@ -454,8 +443,6 @@ Invalid command-line options were specified. .RE .SH ATTRIBUTES -.sp -.LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -474,13 +461,8 @@ Interface Stability See below. The command-line options are Committed. The human-readable output is not-an-interface. .SH SEE ALSO -.sp -.LP \fBfmd\fR(1M), \fBfmdump\fR(1M), \fBfmstat\fR(1M), \fBlogadm\fR(1M), -\fBsyslogd\fR(1M), \fBattributes\fR(5) -.sp -.LP -\fI\fR +\fBsyslogd\fR(1M), \fBattributes\fR(5), \fBprivileges\fR(5) .sp .LP http://illumos.org/msg/ diff --git a/usr/src/man/man1m/fmstat.1m b/usr/src/man/man1m/fmstat.1m index 5c7c21f7a4..6186c124d6 100644 --- a/usr/src/man/man1m/fmstat.1m +++ b/usr/src/man/man1m/fmstat.1m 
@@ -1,24 +1,22 @@ '\" te .\" Copyright (c) 2005, Sun Microsystems, Inc. All Rights Reserved. +.\" Copyright 2019 Peter Tribble .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] -.TH FMSTAT 1M "Jun 16, 2009" +.TH FMSTAT 1M "Aug 26, 2019" .SH NAME fmstat \- report fault management module statistics .SH SYNOPSIS -.LP .nf \fBfmstat\fR [\fB-astTz\fR] [\fB-d\fR u | d ] [\fB-m\fR \fImodule\fR] [\fIinterval\fR [\fIcount\fR]] .fi .SH DESCRIPTION -.sp -.LP The \fBfmstat\fR utility can be used by administrators and service personnel to -report statistics associated with the Solaris Fault Manager, \fBfmd\fR(1M) and +report statistics associated with the Fault Manager, \fBfmd\fR(1M) and its associated set of modules. The Fault Manager runs in the background on each -Solaris system. It receives telemetry information relating to problems detected +system. It receives telemetry information relating to problems detected by the system software, diagnoses these problems, and initiates proactive self-healing activities such as disabling faulty components. .sp 
@@ -139,12 +137,9 @@ The amount of persistent buffer space currently allocated by this module. .sp .LP -The \fBfmstat\fR utility requires the user to posses the \fBSYS_CONFIG\fR -privilege. Refer to the \fI\fR for more information about how to configure -Solaris privileges. +The \fBfmstat\fR utility requires the user to possess the \fBPRIV_SYS_ADMIN\fR +privilege. See \fBprivileges\fR(5). .SH OPTIONS -.sp -.LP The following options are supported: .sp .ne 2 @@ -234,8 +229,6 @@ with the \fB-m\fR option. .RE .SH OPERANDS -.sp -.LP The following operands are supported: .sp .ne 2 @@ -262,8 +255,6 @@ printed and \fBfmstat\fR exits. If an \fIinterval\fR is specified but no \fIcount\fR is specified, \fBfmstat\fR prints reports every \fIinterval\fR seconds indefinitely until the command is interrupted. .SH EXIT STATUS -.sp -.LP The following exit values are returned: .sp .ne 2 @@ -295,8 +286,6 @@ Invalid command-line options were specified. .RE .SH ATTRIBUTES -.sp -.LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp @@ -315,9 +304,5 @@ Interface Stability See below. The command-line options are Evolving. The human-readable default report is Unstable. The human-readable module report is Private. .SH SEE ALSO -.sp -.LP -\fBfmadm\fR(1M), \fBfmd\fR(1M), \fBfmdump\fR(1M), \fBattributes\fR(5) -.sp -.LP -\fI\fR +\fBfmadm\fR(1M), \fBfmd\fR(1M), \fBfmdump\fR(1M), \fBattributes\fR(5), +\fBprivileges\fR(5) diff --git a/usr/src/man/man5/privileges.5 b/usr/src/man/man5/privileges.5 index 9ca40fadad..048482f2ad 100644 --- a/usr/src/man/man5/privileges.5 +++ b/usr/src/man/man5/privileges.5 
@@ -1,20 +1,20 @@ '\" te .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. .\" Copyright 2015, Joyent, Inc. All Rights Reserved. +.\" Copyright 2019 Peter Tribble .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. .\" See the License for the specific language governing permissions and limitations under the License. When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with .\" the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] -.TH PRIVILEGES 5 "Feb 28, 2018" +.TH PRIVILEGES 5 "Aug 26, 2019" .SH NAME privileges \- process privilege model .SH DESCRIPTION -.LP -Solaris software implements a set of privileges that provide fine-grained +In illumos, software implements a set of privileges that provide fine-grained control over the actions of processes. The possession of a certain privilege allows a process to perform a specific set of restricted operations. .sp .LP -The change to a primarily privilege-based security model in the Solaris +The change to a primarily privilege-based security model in the operating system gives developers an opportunity to restrict processes to those privileged operations actually needed instead of all (super-user) or no privileges (non-zero UIDs). Additionally, a set of previously unrestricted 
@@ -641,7 +641,7 @@ Allow a process to enable and disable and manage accounting through .sp .6 .RS 4n Allow a process to perform system administration tasks such as setting node and -domain name and specifying \fBcoreadm\fR(1M) and \fBnscd\fR(1M) settings +domain name and managing \fBfmd\fR(1M) and \fBnscd\fR(1M). .RE .sp @@ -845,7 +845,7 @@ bind to NetBIOS or SMB reserved ports: ports 137, 138, 139 (NetBIOS) and 445 Allow a process to successfully call a third party loadable module that calls the kernel \fBsuser()\fR function to check for allowed access. This privilege exists only for third party loadable module compatibility and is not used by -Solaris proper. +illumos. .RE .sp @@ -1096,7 +1096,7 @@ in the Limit set (see below) of a process in order for set-uid root \fBexec\fRs to be successful, that is, get an effective UID of 0 and additional privileges. .sp .LP -The privilege implementation in Solaris extends the process credential with +The privilege implementation in illumos extends the process credential with four privilege sets: .sp .ne 2 @@ -1259,7 +1259,6 @@ set, the system does not honor the set-uid bit of set-uid root applications. The following unsafe privileges have been identified: \fBproc_setid\fR, \fBsys_resource\fR and \fBproc_audit\fR. .SS "Privilege Escalation" -.LP In certain circumstances, a single privilege could lead to a process gaining one or more additional privileges that were not explicitly granted to that process. To prevent such an escalation of privileges, the security policy 
@@ -1267,7 +1266,7 @@ requires explicit permission for those additional privileges. .sp .LP Common examples of escalation are those mechanisms that allow modification of -system resources through "raw'' interfaces; for example, changing kernel data +system resources through "raw" interfaces; for example, changing kernel data structures through \fB/dev/kmem\fR or changing files through \fB/dev/dsk/*\fR. Escalation also occurs when a process controls processes with more privileges than the controlling process. A special case of this is manipulating or @@ -1283,7 +1282,7 @@ In situations where a process might obtain UID 0, the security policy requires additional privileges, up to the full set of privileges. Such restrictions could be relaxed or removed at such time as additional mechanisms for protection of system files became available. There are no such mechanisms in -the current Solaris release. +the current release. .sp .LP The use of UID 0 processes should be limited as much as possible. They should @@ -1294,7 +1293,6 @@ privileges they need. Daemons that never need to \fBexec\fR subprocesses should remove the \fBPRIV_PROC_EXEC\fR privilege from their permitted and limit sets. .SS "Assigned Privileges and Safeguards" -.LP When privileges are assigned to a user, the system administrator could give that user more powers than intended. The administrator should consider whether safeguards are needed. For example, if the \fBPRIV_PROC_LOCK_MEMORY\fR @@ -1302,7 +1300,6 @@ privilege is given to a user, the administrator should consider setting the \fBproject.max-locked-memory\fR resource control as well, to prevent that user from locking all memory. .SS "Privilege Debugging" -.LP When a system call fails with a permission error, it is not always immediately obvious what caused the problem. To debug such a problem, you can use a tool called \fBprivilege debugging\fR. When privilege debugging is enabled for a 
@@ -1322,13 +1319,11 @@ set priv_debug = 1 .LP On a running system, you can use \fBmdb\fR(1) to change this variable. .SS "Privilege Administration" -.LP Use \fBusermod\fR(1M) or \fBrolemod\fR(1M) to assign privileges to or modify privileges for, respectively, a user or a role. Use \fBppriv\fR(1) to enumerate the privileges supported on a system and \fBtruss\fR(1) to determine which privileges a program requires. .SH SEE ALSO -.LP \fBmdb\fR(1), \fBppriv\fR(1), \fBadd_drv\fR(1M), \fBifconfig\fR(1M), \fBlockd\fR(1M), \fBnfsd\fR(1M), \fBpppd\fR(1M), \fBrem_drv\fR(1M), \fBsmbd\fR(1M), \fBsppptun\fR(1M), \fBupdate_drv\fR(1M), \fBIntro\fR(2), |
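Review bot: In the fmadm.1m hunk at @@ -56,13 +54,10 @@, the sentence "The fmadm load subcommand requires that the user possess all privileges" is only reflowed, although it comes from the same paragraph whose first sentence named the wrong privilege. Please confirm it against what fmd actually checks before carrying it forward, and if it holds, add a short clause saying why load differs from the other subcommands, so that an administrator who grants only PRIV_SYS_ADMIN knows what to expect from load.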
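Review bot: In the privileges.5 DESCRIPTION hunk at @@ -1,20 +1,20 @@, removing "Solaris" leaves two sentences that no longer read cleanly: "In illumos, software implements a set of privileges" suggests that arbitrary software implements them, and "security model in the operating system" no longer says which system changed. Suggest "illumos implements a set of privileges that provide fine-grained" and "in the illumos operating system", which matches "The privilege implementation in illumos" at @@ -1096,7 +1096,7 @@. The branding and .LP cleanups are also not mentioned in the commit summary; a line in the message would make the scope clear to anyone reading the log for issue 11621.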
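Review bot: In the privileges.5 hunk at @@ -641,7 +641,7 @@, the new line replaces the \fBcoreadm\fR(1M) reference instead of adding \fBfmd\fR(1M) next to it, so the description (presumably PRIV_SYS_ADMIN, given the fmadm and fmstat changes) no longer tells the reader that the privilege covers coreadm settings. Unless coreadm no longer depends on this privilege, keep it in the list, for example "managing \fBcoreadm\fR(1M), \fBfmd\fR(1M) and \fBnscd\fR(1M)." If the removal is intentional, say so in the commit message, because this text is what administrators consult when deciding what a grant of the privilege allows.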