OpenVMS Guide to System Security

Document revision date: 30 March 2001

OpenVMS Guide to System Security

Contents

Index

All subsystem users, those holding the SUPPLIERS_ORDERS or ACCOUNTS_PAYABLE identifier, can run ORDERS.EXE.
Only subsystem images and holders of the ACCOUNTS_PAYABLE identifier can run PAYMENTS.EXE.
The data files for the subsystem reside in [SUPPLIERS_SUBSYSTEM.LIB]. Only the subsystem images and McGrey can access them.

13.9.4 Protecting the Printer

The print queue for checks needs equal protection. Access is restricted to trusted administrators because they are the only ones who hold both the subsystem and the ACCOUNTS_PAYABLE identifiers. The following display shows that the queue is protected in such a way that only the trusted administrators can queue jobs to the printer:

$ SHOW SECURITY/CLASS=QUEUE TTA1

TTA1 object of class QUEUE Owner: [SYSTEM] Protection: (System: M, Owner: D, Group, World) Access Control List: (IDENTIFIER=SUPPLIERS_SUBSYSTEM+ACCOUNTS_PAYABLE,- ACCESS=READ+SUBMIT+MANAGE+DELETE) (IDENTIFIER=*,ACCESS=NONE)

13.9.5 Command Procedure for Building the Subsystem

Example 13-1 shows the command procedure used to create the R. D. Taylor subsystem.

Example 13-1 Subsystem Command Procedure

$ SET NOON $ OLD_PRIV = F$SETPRV("NOALL,SYSPRV,CMKRNL,OPER") $ OLD_DEFAULT = F$ENVIRONMENT("DEFAULT") $ $ ON CONTROL_Y THEN GOTO LEAVE $ $ IF P1 .EQS. "REMOVE" THEN GOTO CLEANUP $ IF P1 .EQS. "VERIFY" THEN SET VERIFY $! $! Create the subsystem identifier and the identifiers for personnel $! performing two different tasks. $! $ SET DEFAULT SYS$SYSTEM $ RUN AUTHORIZE ADD/IDENTIFIER SUPPLIERS_SUBSYSTEM/ATTRIBUTES=(RESOURCE,SUBSYSTEM) ADD/IDENTIFIER SUPPLIERS_ORDERS ADD/IDENTIFIER ACCOUNTS_PAYABLE ! ! Grant the subsystem identifier to the subsystem manager: McGrey. ! GRANT/IDENTIFIER SUPPLIERS_SUBSYSTEM MCGREY/ATTRIBUTE=(RESOURCE,SUBSYSTEM) $! $! Set up the print queue. $! $ INITIALIZE/QUEUE/START TTA1 $ SET SECURITY/ACL=(- (ID=SUPPLIERS_SUBSYSTEM+ACCOUNTS_PAYABLE,ACCESS=READ+SUBMIT+MANAGE+DELETE), - (ID=*,ACCESS=NONE))/PROTECTION=(G,W)/CLASS=QUEUE TTA1: $! $! Create the directory root to hold the subsystem. $! $! $! Assume that we logged in as McGrey. $! $ SET RIGHTS_LIST/ENABLE SUPPLIERS_SUBSYSTEM/ATTRIBUTE=(RESOURCE,SUBSYSTEM) $ SET DEFAULT SYS$SYSDEVICE:[SUPPLIERS_SUBSYSTEM] $! $! Create the directories for the images and the data files. $! $ CREATE/DIR [SUPPLIERS_SUBSYSTEM.EXE]/PROTECTION=(G,W) $ CREATE/DIR [SUPPLIERS_SUBSYSTEM.LIB]/PROTECTION=(G,W) $ SET SECURITY/ACL=((ID=SUPPLIERS_ORDERS,ACCESS=EXECUTE), - (ID=ACCOUNTS_PAYABLE,ACCESS=EXECUTE), - (ID=SUPPLIERS_ORDERS,OPTIONS=DEFAULT,ACCESS=EXECUTE), - (ID=ACCOUNTS_PAYABLE,OPTIONS=DEFAULT,ACCESS=EXECUTE))/DELETE - [SUPPLIERS_SUBSYSTEM]LIB.DIR $! $! Emulate the creation of the subsystem images. $! $ SET DEFAULT [.EXE] $ CREATE ORDERS.MAR .ENTRY START,0 $setpri_s pri=#0 10$: BRB 10$ ret .END START $ MACRO ORDERS $ LINK ORDERS $ SET SECURITY/PROTECTION=(W:RWED) ORDERS.MAR;*,.OBJ;* $ DELETE ORDERS.MAR;*,.OBJ;* $ COPY ORDERS.EXE PAYMENTS.EXE $! $! Apply the appropriate protection to the images. $! $ SET SECURITY/ACL=(ID=SUPPLIERS_ORDERS,ACCESS=EXECUTE)/DELETE PAYMENTS.EXE $ SET SECURITY/ACL=(SUBSYSTEM,ID=SUPPLIERS_SUBSYSTEM,ATTRIBUTES=RESOURCE) ORDERS.EXE $ SET SECURITY/ACL=(SUBSYSTEM,ID=SUPPLIERS_SUBSYSTEM,ATTRIBUTES=RESOURCE) PAYMENTS.EXE $! $! Create and protect the data files used by the applications. $! $ SET DEFAULT [-.LIB] $ CREATE ORDERS.DAT $ CREATE PAYMENTS.DAT $ SET SECURITY/ACL=((ID=SUPPLIERS_SUBSYSTEM,ACCESS=READ+WRITE), - (ID=*,ACCESS=NONE)) ORDERS.DAT $ SET SECURITY/LIKE=(NAME=ORDERS.DAT) PAYMENTS.DAT $! $! Show the directory structure and the queue protection. $! $ SET DEFAULT 'OLD_DEFAULT' $ DEFINE SYS$OUTPUT SUBSYS.LIS $ DIRECTORY/SECURITY SYS$SYSDEVICE:[000000]SUPPLIERS_SUBSYSTEM.DIR $ DIRECTORY/SECURITY SYS$SYSDEVICE:[SUPPLIERS_SUBSYSTEM...] $ SHOW SECURITY/CLASS=QUEUE TTA1 $ DEASSIGN SYS$OUTPUT $ $ LEAVE: $ IF P1 .EQS. "VERIFY" THEN SET NOVERIFY $ SET DEFAULT 'OLD_DEFAULT' $ SET PROC/PRIV=('OLD_PRIV') $ EXIT $ $ CLEANUP: $ SET PROC/PRIV=BYPASS $ SET DEFAULT SYS$SYSDEVICE:[000000] $ DELETE [SUPPLIERS_SUBSYSTEM...]*.*.* $ DELETE [SUPPLIERS_SUBSYSTEM]EXE.DIR; $ DELETE [SUPPLIERS_SUBSYSTEM]LIB.DIR; $ DELETE SUPPLIERS_SUBSYSTEM.DIR; $ STOP/QUE/NEXT TTA1 $ DELETE/QUEUE TTA1 $ GOTO LEAVE

Appendix A
Assigning Privileges

Privileges restrict the use of certain system functions to processes created on behalf of authorized users. These restrictions protect the integrity of the operating system's code, data, and resources and thus, the integrity of user service. Grant privileges to individual users only after carefully considering the following two factors:

Whether the user has the skill and experience to use the privilege without disrupting the system
Whether the user has a legitimate need for the privilege

Privileges fall into the following seven categories according to the damage that the user possessing them could cause the system:

None: No privileges
Normal: Minimum privileges to use the system effectively
Group: Potential to interfere with members of the same group
Devour: Potential to consume noncritical systemwide resources
System: Potential to interfere with normal system operation
Objects: Potential to compromise the security of protected objects (files, devices, logical name tables, global sections, and so on)
All: Potential to control the system

A user's privileges are recorded in the user's UAF record in a 64-bit privilege mask. When a user logs in to the system, the user's privileges are stored in the header of the user's process. In this way, the user's privileges are passed on to the process created for the user. Users can use the DCL command SET PROCESS/PRIVILEGES to enable and disable privileges for which they are authorized and to further control the privileges available to the images they run. Moreover, any user with the SETPRV privilege can enable any privilege.

Table 8-2 lists the privileges by category and gives brief, general definitions of them. The following sections describe all privileges available on OpenVMS systems in detail; each section title identifies the privilege category (Normal, Devour, and so on). For each privilege, the appendix describes the capabilities granted by the privilege and the users who should receive them.

A.1 ACNT Privilege (Devour)

The ACNT privilege lets a process use the RUN (Process) command and the Create Process ($CREPRC) system service to create processes in which accounting is disabled. A process in which accounting is disabled is one whose resource usage is not logged in the current accounting file.

A.2 ALLSPOOL Privilege (Devour)

The ALLSPOOL privilege lets the user's process allocate a spooled device by executing the Allocate Device ($ALLOC) system service or by using the DCL command ALLOCATE.

The $ALLOC system service lets a process allocate or reserve a device for its exclusive use. A shareable mounted device cannot be allocated.

Grant this privilege only to users who need to perform logical or physical I/O operations to a spooled device. Ordinarily, the privilege of allocating a spooled device is granted only to symbionts.

A.3 ALTPRI Privilege (System)

The ALTPRI privilege allows the user's process to:

Increase its own base priority
Set the base priority of a target process
Change the priority of its batch or print jobs

The base priority is increased by executing the Set Priority ($SETPRI) system service or the DCL command SET PROCESS/PRIORITY. As a rule, this system service lets a process set its own base priority or the base priority of another process. However, one process can set the priority of a second process only if one of the following conditions applies:

The process calling the $SETPRI system service has the same UIC as the target process.
The calling process has process control privilege (GROUP or WORLD) over the target process.

With ALTPRI, a process can create a detached process with a priority higher than its own. It creates such a process by using an optional argument to the Create Process ($CREPRC) system service or to the DCL command RUN/PRIORITY.

ALTPRI also lets you adjust the scheduling priority of a job ($SNDJBC) to a value even greater than that established with the system parameter MAXQUEPRI.

Do not grant this privilege widely; if unqualified users have the unrestricted ability to set base priorities, fair and orderly scheduling of processes for execution can easily be disrupted.

A.4 AUDIT Privilege (System)

The AUDIT privilege allows software to append audit records to the system security audit log file using one of four system services: $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS. In addition, the $AUDIT_EVENT system service allows all components of an audit message to be specified. As a result, this privilege permits the logging of events that appear to have come from the operating system or a user process.

Grant this privilege only to trusted images that need to append audit messages to the system audit log file. Users possessing this privilege can provoke a system failure by attempting to log invalid events with the NSA$M_INTERNAL flag set.

A.5 BUGCHK Privilege (Devour)

The BUGCHK privilege allows the process either to make bugcheck error log entries from user, supervisor, or compatibility mode (EXE$BUG_CHECK) or to send messages to the system error logger ($SNDERR). Restrict this privilege to Compaq-supplied system software that uses the Bugcheck facility.

A.6 BYPASS Privilege (All)

The BYPASS privilege allows the user's process full access to all protected objects, totally bypassing UIC-based protection, access control list (ACL) protection, and mandatory access controls. With the BYPASS privilege, a process has unlimited access to the system. Among the operations that can be performed are

Modification of all user authorization records (SYSUAF.DAT)
Modification of all rights identifier and holder records (RIGHTSLIST.DAT)
Modification of all network proxy records (NETPROXY.DAT or NET$PROXY.DAT [VAX only])
Modification of all DECnet object passwords and accounts (NETOBJECT.DAT)
Unlimited access to all files on all volumes

Grant this privilege with extreme caution because it overrides all object protection. It should be reserved for use by well-tested, reliable programs and command procedures. The SYSPRV privilege is adequate for interactive use because it ultimately grants access to all objects while still providing access checks. The READALL privilege is adequate for backup operations.

The BYPASS privilege lets a process perform the following tasks:

Task Interface

Perform file system operations:

Modify file ownership SET SECURITY/OWNER, $QIO request to F11BXQP

Access a file that is marked for deletion $QIO request to F11A ACP or F11BXQP

Access a file that is deaccess locked $QIO request to F11A ACP or F11BXQP

Override creation of an owner ACE on a newly created file $QIO request to F11BXQP

Clear the directory bit in a directory's file header $QIO request to F11BXQP

Operate on an extension header $QIO request to F11BXQP

Acquire or release a volume lock $QIO request to F11BXQP

Force mount verification on a volume $QIO request to F11BXQP

Create a file access window with the no access lock bit set $QIO request to F11BXQP

Specify null lock mode for volume lock $QIO request to F11BXQP

Access a locked file $QIO request to F11BXQP

Enable or disable disk quotas on a volume $QIO request to F11BXQP

Operate on network databases:

Display permanent network database records NCP

Display permanent DECnet object password NCP

Display volatile DECnet object password NCP

Adjust discretionary or mandatory access controls:

Read a user authorization record $GETUAI

Modify a user authorization record $SETUAI

Modify mailbox protection $QIO request request to the mailbox driver (MBDRIVER)

Modify shared memory mailbox protection $QIO request request to the mailbox driver (MBXDRIVER)

Bypass discretionary or mandatory object protection $CHKPRO

Miscellaneous:

Initialize a magnetic tape $INIT_VOL

Unload an InfoServer system $QIO request to the InfoServer system (DADDRIVER)

Task	Interface
Perform file system operations:
Modify file ownership	SET SECURITY/OWNER, $QIO request to F11BXQP
Access a file that is marked for deletion	$QIO request to F11A ACP or F11BXQP
Access a file that is deaccess locked	$QIO request to F11A ACP or F11BXQP
Override creation of an owner ACE on a newly created file	$QIO request to F11BXQP
Clear the directory bit in a directory's file header	$QIO request to F11BXQP
Operate on an extension header	$QIO request to F11BXQP
Acquire or release a volume lock	$QIO request to F11BXQP
Force mount verification on a volume	$QIO request to F11BXQP
Create a file access window with the no access lock bit set	$QIO request to F11BXQP
Specify null lock mode for volume lock	$QIO request to F11BXQP
Access a locked file	$QIO request to F11BXQP
Enable or disable disk quotas on a volume	$QIO request to F11BXQP
Operate on network databases:
Display permanent network database records	NCP
Display permanent DECnet object password	NCP
Display volatile DECnet object password	NCP
Adjust discretionary or mandatory access controls:
Read a user authorization record	$GETUAI
Modify a user authorization record	$SETUAI
Modify mailbox protection	$QIO request request to the mailbox driver (MBDRIVER)
Modify shared memory mailbox protection	$QIO request request to the mailbox driver (MBXDRIVER)
Bypass discretionary or mandatory object protection	$CHKPRO
Miscellaneous:
Initialize a magnetic tape	$INIT_VOL
Unload an InfoServer system	$QIO request to the InfoServer system (DADDRIVER)

A.7 CMEXEC Privilege (All)

The CMEXEC privilege allows the user's process to execute the Change Mode to Executive ($CMEXEC) system service.

This system service lets a process change its access mode to executive mode, execute a specified routine, and then return to the access mode that was in effect before the system service was called. While in executive mode, the process is allowed to execute the Change Mode to Kernel ($CMKRNL) system service.

Grant this privilege only to users who need to gain access to protected and sensitive data structures and internal functions of the operating system. If unqualified users have unrestricted access to sensitive data structures and functions, the operating system and service to other users can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.

A.8 CMKRNL Privilege (All)

The CMKRNL privilege allows the user's process to execute the Change Mode to Kernel ($CMKRNL) system service.

This system service lets a process change its access mode to kernel mode, execute a specified routine, and then return to the access mode that was in effect before the system service was called. While in kernel mode, a process can enable any system privilege.

A process holding both CMKRNL and SYSNAM can set the system time.

Grant this privilege only to users who need to execute privileged instructions or who need to gain access to the most protected and sensitive data structures and functions of the operating system. If unqualified users have unrestricted use of privileged instructions and unrestricted access to sensitive data structures and functions, the operating system and service to other users can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.

The CMKRNL privilege lets a process perform the following tasks:

Task Interface

Modify a multiprocessor operation START/CPU, STOP/CPU

Modify systemwide RMS defaults SET RMS/SYSTEM

Suspend a process in kernel mode SET PROCESS/SUSPEND=KERNEL

Modify another process' rights list or its nondynamic identifier attributes SET RIGHTS_LIST

Grant an identifier with modified attributes SET RIGHTS/ATTRIBUTE

Modify the system rights list SET RIGHTS_LIST/SYSTEM

Change a process UIC SET UIC

Modify the number of interlocked queue retries $QIO request to an Ethernet 802 driver (DEBNA/NI)

Connect to a device interrupt vector $QIO request to an interrupt vector (CONINTERR)

Start or modify a line in Genbyte mode $QIO request to a synchronous communications line (XGDRIVER)

Set the spin-wait time on the port command register $QIO request to an Ethernet 802 driver (DEBNA)

Modify a known image list INSTALL

Process the following item codes:
SJC$_ACCOUNT_NAME item
SJC$_UIC
SJC$_USERNAME
Send to Job Controller system service ($SNDJBC)

Create a detached process with unrestricted quotas RUN/DETACHED, $CREPRC

Examine the internals of the running system ANALYZE/SYSTEM

Task	Interface
Modify a multiprocessor operation	START/CPU, STOP/CPU
Modify systemwide RMS defaults	SET RMS/SYSTEM
Suspend a process in kernel mode	SET PROCESS/SUSPEND=KERNEL
Modify another process' rights list or its nondynamic identifier attributes	SET RIGHTS_LIST
Grant an identifier with modified attributes	SET RIGHTS/ATTRIBUTE
Modify the system rights list	SET RIGHTS_LIST/SYSTEM
Change a process UIC	SET UIC
Modify the number of interlocked queue retries	$QIO request to an Ethernet 802 driver (DEBNA/NI)
Connect to a device interrupt vector	$QIO request to an interrupt vector (CONINTERR)
Start or modify a line in Genbyte mode	$QIO request to a synchronous communications line (XGDRIVER)
Set the spin-wait time on the port command register	$QIO request to an Ethernet 802 driver (DEBNA)
Modify a known image list	INSTALL
Process the following item codes: SJC$_ACCOUNT_NAME item SJC$_UIC SJC$_USERNAME	Send to Job Controller system service ($SNDJBC)
Create a detached process with unrestricted quotas	RUN/DETACHED, $CREPRC
Examine the internals of the running system	ANALYZE/SYSTEM

A.9 DIAGNOSE Privilege (Objects)

The DIAGNOSE privilege lets a process run online diagnostic programs and intercept and copy all messages written to the error log file.

The DIAGNOSE privilege also lets a process perform the following tasks:

Task Interface

Issue a $QIO request with associated diagnostic buffer $QIO

Modify the number of interlocked queue retries $QIO request to an Ethernet 802 driver (DEBNA/NI)

Set the spin-wait time on the port command register $QIO request to an Ethernet 802 driver (DEBNA)

Access the Diagnostic and Utilities Protocol (DUP) class driver $QIO request to the DUP class driver used by SET HOST/HSC (FYDRIVER)

Execute a special passthrough function in the SCSI generic class driver $QIO request to the SCSI driver (GKDRIVER)

Process a diagnostic buffer $QIO request to a TU58 magnetic tape (TUDRIVER)

Task	Interface
Issue a $QIO request with associated diagnostic buffer	$QIO
Modify the number of interlocked queue retries	$QIO request to an Ethernet 802 driver (DEBNA/NI)
Set the spin-wait time on the port command register	$QIO request to an Ethernet 802 driver (DEBNA)
Access the Diagnostic and Utilities Protocol (DUP) class driver	$QIO request to the DUP class driver used by SET HOST/HSC (FYDRIVER)
Execute a special passthrough function in the SCSI generic class driver	$QIO request to the SCSI driver (GKDRIVER)
Process a diagnostic buffer	$QIO request to a TU58 magnetic tape (TUDRIVER)

A.10 DOWNGRADE Privilege (All)

The DOWNGRADE privilege permits a process to manipulate mandatory access controls. The privilege lets a process write to an object of lower secrecy, in violation of the Bell and LaPadula confinement (*) property.¹ This privilege is reserved for enhanced security products like the Security Enhancement Service software (SEVMS).

Note

¹ Name of the restriction on write-downs. Multilevel security requires the complete prohibition of write-downs by untrusted software.

A.11 EXQUOTA Privilege (Devour)

The EXQUOTA privilege allows the space taken by the user's files on given disk volumes to exceed any usage quotas set for the user (as determined by UIC) on those volumes.

A.12 GROUP Privilege (Group)

The GROUP privilege allows the user's process to affect other processes in its own group by executing the following process-control system services:

Suspend Process ($SUSPND)
Resume Process ($RESUME)
Delete Process ($DELPRC)
Set Priority ($SETPRI)
Wake ($WAKE)
Schedule Wakeup ($SCHDWK)
Cancel Wakeup ($CANWAK)
Force Exit ($FORCEX)

With GROUP privilege, a user's process can control another process in the same group. The user's process is allowed to examine other processes in its own group by executing the Get Job/Process Information ($GETJPI) system service. A process with GROUP privilege can issue the SET PROCESS command for other processes in its group.

GROUP privilege is not needed for a process to exercise control over, or to examine, subprocesses that it created or other detached processes of its UIC. You should, however, grant this privilege to users who need to exercise control over the processes and operations of other members of their UIC group.

Contents

Index

privacy and legal statement

6346PRO_031.HTML

OpenVMS Guide to System Security

13.9.4 Protecting the Printer

Appendix AAssigning Privileges

1 Name of the restriction on write-downs. Multilevel security requires the complete prohibition of write-downs by untrusted software.

Appendix A
Assigning Privileges

¹ Name of the restriction on write-downs. Multilevel security requires the complete prohibition of write-downs by untrusted software.