OpenVMS Guide to System Security

Document revision date: 30 March 2001

OpenVMS Guide to System Security

Contents

Index

A.13 GRPNAM Privilege (Devour)

The GRPNAM privilege lets the user's process bypass discretionary access controls and insert names into (and delete names from) the logical name table of the group to which the process belongs by the use of the Create Logical Name ($CRELNM) and Delete Logical Name ($DELLNM) system services.

In addition, the privileged process can issue the DCL commands ASSIGN and DEFINE to add names to the group logical name table and the DCL command DEASSIGN to delete names from the table. The privilege allows the use of the /GROUP qualifier with the DCL commands MOUNT and DISMOUNT (as well as the system services $MOUNT and $DISMOUNT) when sharing volumes among group members.

Do not grant this privilege to all users of the system because it allows the user's process to create an unlimited number of group logical names. When unqualified users have the unrestricted ability to create group logical names, excessive use of system dynamic memory can degrade system performance. In addition, a process with the GRPNAM privilege can interfere with the activities of other processes in the same group by creating definitions of commonly used logical names such as SYS$SYSTEM.

A.14 GRPPRV Privilege (Group)

When the process's group matches the group of the object owner, the GRPPRV privilege gives a process the access rights provided by the object's system protection field. GRPPRV also lets a process change the protection or the ownership of any object whose owner group matches the process's group by using the DCL commands SET SECURITY.

Grant this privilege only to users who function as group managers. If this privilege is given to unqualified users who have no need for it, they can modify group UAF records to values equal to those of the group manager. They can increase resource allocations and grant privileges for which they are authorized.

The GRPPRV privilege lets a process perform the following tasks:

Task Interface

Modify object ownership SET SECURITY/OWNER, $QIO request to F11BXQP

Read or modify a user authorization record $GETUAI, $SETUAI

File system operations: $QIO request to F11BXQP

Override the creation of an owner ACE on a newly created file
Clear the directory bit in a directory's file header
Acquire or release a volume lock
Force mount verification on a volume
Create a file access window with the no access lock bit set
Specify a null lock mode for a volume lock
Access a locked file
Enable or disable disk quotas on a volume

Task	Interface
Modify object ownership	SET SECURITY/OWNER, $QIO request to F11BXQP
Read or modify a user authorization record	$GETUAI, $SETUAI
File system operations:	$QIO request to F11BXQP
Override the creation of an owner ACE on a newly created file Clear the directory bit in a directory's file header Acquire or release a volume lock Force mount verification on a volume Create a file access window with the no access lock bit set Specify a null lock mode for a volume lock Access a locked file Enable or disable disk quotas on a volume

A.15 IMPERSONATE Privilege (All) (Formerly DETACH)

Processes can create detached processes that have their own UIC without the IMPERSONATE privilege, provided the processes do not exceed their MAXJOBS and MAXDETACH quotas. However, the IMPERSONATE privilege becomes valuable when a process wants to specify a different UIC for the detached process. There is no restriction on the UIC that can be specified for a detached process if you have the IMPERSONATE privilege. Thus, there are no restrictions on the files, directories, and other objects to which a detached process can gain access. The IMPERSONATE privilege also lets a process create a detached process with unrestricted quotas. A process can create detached processes by executing the Create Process ($CREPRC) system service.

In addition, IMPERSONATE grants the ability to create a trusted server process using the DCL command RUN/DETACH. Trusted processes are exempt from the normal system security auditing policy.

Detached processes remain in existence even after the user who created them has logged out of the system.

Note

The IMPERSONATE privilege was formerly called the DETACH privilege. For backwards compatability, if you specify DETACH in a command line, the command continues to work properly.

A.16 IMPORT Privilege (Objects)

The IMPORT privilege lets a process manipulate mandatory access controls. The privilege lets a process mount unlabeled tape volumes. This privilege is reserved for enhanced security products like SEVMS.

A.17 LOG_IO Privilege (All)

The LOG_IO privilege lets the user's process execute the Queue I/O Request ($QIO) system service to perform logical-level I/O operations. LOG_IO privilege is also required for certain device control functions, such as setting permanent terminal characteristics. A process with the typical privileges of NETMBX and TMPMBX that also holds LOG_IO and SYSNAM can reconfigure the Ethernet using the Phase IV network configuration procedure, NICONFIG.COM.

Usually, process I/O requests are handled indirectly by use of an I/O package such as OpenVMS Record Management Services (RMS). However, to increase their control over I/O operations and to improve the efficiency of I/O operations, skilled users sometimes prefer to handle the interface between their process and a system I/O driver program directly. They can do this by executing $QIO; in many instances, the operation called for is a logical-level I/O operation. Note that logical level functions are permitted without LOG_IO privilege on a device mounted with the /FOREIGN qualifier and on non-file-structured devices.

Grant this privilege only to users who need it because it allows a process to access data anywhere on the selected volume without the benefit of any file structuring. If this privilege is given to unqualified users who have no need for it, the operating system and service to other processes can be easily disrupted. Such disruptions can include the destruction of information on the system device, the destruction of user data, and the exposure of confidential information.

The LOG_IO privilege also lets a process perform the following tasks:

Task Interface

Issue physical I/O calls to a private, non-file-structured device $QIO

Modify the following terminal attributes:
HANGUP
SET_SPEED
SECURE_SERVER SET TERMINAL (or TTDRIVER)
/[NO]HANGUP
/[NO]SET_SPEED
/[NO]SECURE_SERVER

Task	Interface
Issue physical I/O calls to a private, non-file-structured device	$QIO
Modify the following terminal attributes: HANGUP SET_SPEED SECURE_SERVER	SET TERMINAL (or TTDRIVER) /[NO]HANGUP /[NO]SET_SPEED /[NO]SECURE_SERVER

A.18 MOUNT Privilege (Normal)

The MOUNT privilege lets the user's process execute the mount volume QIO function. The use of this function should be restricted to system software supplied by Compaq.

A.19 NETMBX Privilege (Normal)

The NETMBX privilege lets a process perform functions related to a DECnet computer network. For example, it allows a process to switch a terminal line to an asynchronous DECnet protocol or assign a channel to a network device. Grant this privilege to general users who need to access the network.

A.20 OPER Privilege (System)

The OPER privilege allows a process to use the Operator Communication Manager (OPCOM) process to reply to user's requests, to broadcast messages to all terminals logged in, to designate terminals as operators' terminals and specify the types of messages to be displayed on these operators' terminals, and to initialize and control the log file of operators' messages. In addition, this privilege lets the user spool devices, create and control all queues, and modify the protection and ownership of all non-file-structured devices.

Grant this privilege only to the operators of the system. These are the users who respond to the requests of ordinary users, who tend to the needs of the system's peripheral devices (mounting reels of tape and changing printer forms), and who attend to all the other day-to-day chores of system operation. (A nonprivileged user can log in on the console terminal to respond to operator requests, for example, to mount a tape.)

The OPER privilege lets a process perform the following tasks:

Task Interface

Modify device protection SET PROTECTION/DEVICE

Modify device ownership SET PROTECTION/DEVICE/OWNER

Access the System Management utility SYSMAN

Perform operator tasks:

Issue a broadcast reply REPLY, $SNDOPR

Cancel a system operator request REPLY/ABORT, $SNDOPR

Initialize the system operator log file $SNDOPR

Reply to a pending system operator request REPLY/TO, REPLY/PENDING, REPLY/INITIALIZE_TAPE, $SNDOPR

Issue a system operator request REQUEST, $SNDOPR

Enable system operator classes REPLY/ENABLE, $SNDOPR, $SNDMSG

Disable system operator classes REPLY/DISABLE, $SNDOPR

Send a broadcast message $BRKTHRU, $BRDCST

Write an event to the operator log $SNDOPR

Initialize a system operator log REPLY/LOG, $SNDOPR

Close the current operator log REPLY/NOLOG, $SNDOPR

Send a message to an operator REPLY, $SNDOPR

Enable or disable autostart $SNDJBC (SJC$_DISABLE_AUTO_START, SJC$_ENABLE_AUTO_START)

Stop all queues $SNDJBC (SJC$_STOP_ALL_QUEUES_ON_NODE)

Modify the characteristics of devices:

Modify device availability SET DEVICE/[NO]AVAILABLE

Modify device dual-porting SET DEVICE/[NO]DUAL_PORT

Modify device error logging SET DEVICE/[NO]ERROR_LOGGING

Modify device spooling SET DEVICE/[NO]SPOOLED

Modify default definitions of days:

Set default day type to PRIMARY SET DAY/PRIMARY

Set default day type to SECONDARY SET DAY/SECONDARY

Return day type to DEFAULT SET DAY/DEFAULT

Modify or override login limits:

Modify interactive login limit SET LOGIN/INTERACTIVE

Modify network login limit SET LOGIN/NETWORK

Modify batch login limit SET LOGIN/BATCH

Create and modify queues:

Bypass discretionary access to a queue

Create a queue $SNDJBC (SJC$_CREATE_QUEUE)

Define queue characteristics $SNDJBC (SJC$_DEFINE_CHARACTERISTICS)

Define forms $SNDJBC (SJC$_DEFINE_FORM)

Delete characteristics $SNDJBC (SJC$_DELETE_CHARACTERISTICS)

Delete forms $SNDJBC (SJC$_DELETE_FORM)

Set the base priority of batch processes $SNDJBC (SJC$_BASE_PRIORITY)

Set the scheduling priority of a job $SNDJBC (SJC$_PRIORITY)

Start accounting SET ACCOUNTING/ENABLE, $SNDJBC (SJC$_START_ACCOUNTING)

Stop accounting SET ACCOUNTING/DISABLE, $SNDJBC (SJC$_STOP_ACCOUNTING)

Operate the LAT device:

Transmit LAT solicit information message $QIO request to a LAT port driver (LTDRIVER)

Set static rating for LAT service $QIO request to a LAT port driver (LTDRIVER)

Read last LAT response message buffer $QIO request to a LAT port driver (LTDRIVER)

Change port type from dedicated to application $QIO request to a LAT port driver (LTDRIVER)

Change port type from application to dedicated $QIO request to a LAT port driver (LTDRIVER)

Modify tape operations:

Specify number of file window-mapping pointers MOUNT/WINDOWS, $MOUNT

Mount a volume with an alternate ACP MOUNT/PROCESSOR, $MOUNT

Mount a volume with alternate cache limits MOUNT/CACHE, $MOUNT

Modify write caching for a tape controller MOUNT/CACHE, $MOUNT

Modify ODS1 directory FCB cache limit SET VOLUME/ACCESSED, MOUNT/ACCESSED, $MOUNT

Perform network operations:

Connect to an object while executor state is restricted

Read network event-logging buffer NETACP

Modify network volatile database NETACP

Access the permanent database for an update DECnet/NML

Connect to a DECnet circuit $QIO request to the DECnet downline load and loopback class driver (NDDRIVER)

Display the permanent DECnet service password NCP

Display the volatile DECnet service password NCP

Control character conversion by terminals:

Load terminal fallback table TFU, $QIO request to the terminal fallback driver (FBDRIVER)

Unload terminal fallback table TFU, $QIO request to the terminal fallback driver (FBDRIVER)

Establish system default terminal fallback table TFU, $QIO request to the terminal fallback driver (FBDRIVER)

Control cluster operations:

Request expected votes modification SET CLUSTER/EXPECTED_VOTES

Request MSCP serving of a device SET DEVICE/SERVED

Request quorum modification SET CLUSTER/QUORUM

Add an adapter to the failover list $QIO request to the DEBNI BI bus NI driver (EFDRIVER)

Remove an adapter from the failover list $QIO request to the DEBNI BI bus NI driver (EFDRIVER)

Set an adapter to be the current adapter $QIO request to the DEBNI BI bus NI driver (EFDRIVER)

Set the new adapter test interval $QIO request to the DEBNI BI bus NI driver (EFDRIVER)

Task	Interface
Modify device protection	SET PROTECTION/DEVICE
Modify device ownership	SET PROTECTION/DEVICE/OWNER
Access the System Management utility	SYSMAN
Perform operator tasks:
Issue a broadcast reply	REPLY, $SNDOPR
Cancel a system operator request	REPLY/ABORT, $SNDOPR
Initialize the system operator log file	$SNDOPR
Reply to a pending system operator request	REPLY/TO, REPLY/PENDING, REPLY/INITIALIZE_TAPE, $SNDOPR
Issue a system operator request	REQUEST, $SNDOPR
Enable system operator classes	REPLY/ENABLE, $SNDOPR, $SNDMSG
Disable system operator classes	REPLY/DISABLE, $SNDOPR
Send a broadcast message	$BRKTHRU, $BRDCST
Write an event to the operator log	$SNDOPR
Initialize a system operator log	REPLY/LOG, $SNDOPR
Close the current operator log	REPLY/NOLOG, $SNDOPR
Send a message to an operator	REPLY, $SNDOPR
Enable or disable autostart	$SNDJBC (SJC$_DISABLE_AUTO_START, SJC$_ENABLE_AUTO_START)
Stop all queues	$SNDJBC (SJC$_STOP_ALL_QUEUES_ON_NODE)
Modify the characteristics of devices:
Modify device availability	SET DEVICE/[NO]AVAILABLE
Modify device dual-porting	SET DEVICE/[NO]DUAL_PORT
Modify device error logging	SET DEVICE/[NO]ERROR_LOGGING
Modify device spooling	SET DEVICE/[NO]SPOOLED
Modify default definitions of days:
Set default day type to PRIMARY	SET DAY/PRIMARY
Set default day type to SECONDARY	SET DAY/SECONDARY
Return day type to DEFAULT	SET DAY/DEFAULT
Modify or override login limits:
Modify interactive login limit	SET LOGIN/INTERACTIVE
Modify network login limit	SET LOGIN/NETWORK
Modify batch login limit	SET LOGIN/BATCH
Create and modify queues:
Bypass discretionary access to a queue
Create a queue	$SNDJBC (SJC$_CREATE_QUEUE)
Define queue characteristics	$SNDJBC (SJC$_DEFINE_CHARACTERISTICS)
Define forms	$SNDJBC (SJC$_DEFINE_FORM)
Delete characteristics	$SNDJBC (SJC$_DELETE_CHARACTERISTICS)
Delete forms	$SNDJBC (SJC$_DELETE_FORM)
Set the base priority of batch processes	$SNDJBC (SJC$_BASE_PRIORITY)
Set the scheduling priority of a job	$SNDJBC (SJC$_PRIORITY)
Start accounting	SET ACCOUNTING/ENABLE, $SNDJBC (SJC$_START_ACCOUNTING)
Stop accounting	SET ACCOUNTING/DISABLE, $SNDJBC (SJC$_STOP_ACCOUNTING)
Operate the LAT device:
Transmit LAT solicit information message	$QIO request to a LAT port driver (LTDRIVER)
Set static rating for LAT service	$QIO request to a LAT port driver (LTDRIVER)
Read last LAT response message buffer	$QIO request to a LAT port driver (LTDRIVER)
Change port type from dedicated to application	$QIO request to a LAT port driver (LTDRIVER)
Change port type from application to dedicated	$QIO request to a LAT port driver (LTDRIVER)
Modify tape operations:
Specify number of file window-mapping pointers	MOUNT/WINDOWS, $MOUNT
Mount a volume with an alternate ACP	MOUNT/PROCESSOR, $MOUNT
Mount a volume with alternate cache limits	MOUNT/CACHE, $MOUNT
Modify write caching for a tape controller	MOUNT/CACHE, $MOUNT
Modify ODS1 directory FCB cache limit	SET VOLUME/ACCESSED, MOUNT/ACCESSED, $MOUNT
Perform network operations:
Connect to an object while executor state is restricted
Read network event-logging buffer	NETACP
Modify network volatile database	NETACP
Access the permanent database for an update	DECnet/NML
Connect to a DECnet circuit	$QIO request to the DECnet downline load and loopback class driver (NDDRIVER)
Display the permanent DECnet service password	NCP
Display the volatile DECnet service password	NCP
Control character conversion by terminals:
Load terminal fallback table	TFU, $QIO request to the terminal fallback driver (FBDRIVER)
Unload terminal fallback table	TFU, $QIO request to the terminal fallback driver (FBDRIVER)
Establish system default terminal fallback table	TFU, $QIO request to the terminal fallback driver (FBDRIVER)
Control cluster operations:
Request expected votes modification	SET CLUSTER/EXPECTED_VOTES
Request MSCP serving of a device	SET DEVICE/SERVED
Request quorum modification	SET CLUSTER/QUORUM
Add an adapter to the failover list	$QIO request to the DEBNI BI bus NI driver (EFDRIVER)
Remove an adapter from the failover list	$QIO request to the DEBNI BI bus NI driver (EFDRIVER)
Set an adapter to be the current adapter	$QIO request to the DEBNI BI bus NI driver (EFDRIVER)
Set the new adapter test interval	$QIO request to the DEBNI BI bus NI driver (EFDRIVER)

Used in combination with other privileges, OPER lets processes perform the following tasks:

Privileges Task Interface

OPER and CMKRNL Mount a volume with a private ACP MOUNT/PROCESSOR, $MOUNT

OPER and LOG_IO Set the system time SET TIME, $SETIME

OPER and SYSNAM Start or stop the queue manager START/QUEUE/MANAGER, STOP/QUEUE/MANAGER, $SNDJBC

OPER and VOLPRO Initialize a blank tape or override access checks while initializing a blank tape $INIT_VOL, MOUNT, $MOUNT

Privileges	Task	Interface
OPER and CMKRNL	Mount a volume with a private ACP	MOUNT/PROCESSOR, $MOUNT
OPER and LOG_IO	Set the system time	SET TIME, $SETIME
OPER and SYSNAM	Start or stop the queue manager	START/QUEUE/MANAGER, STOP/QUEUE/MANAGER, $SNDJBC
OPER and VOLPRO	Initialize a blank tape or override access checks while initializing a blank tape	$INIT_VOL, MOUNT, $MOUNT

A.21 PFNMAP Privilege (All)

The PFNMAP privilege lets a user's process create and map page frame number (PFN) global sections to specific pages of physical memory or I/O device registers, no matter who is using the pages or registers. Such a privileged process can also delete PFN-based global sections with the system service $DGBLSC.

Exercise caution when granting this privilege. If unqualified user processes have unrestricted access to physical memory, the operating system and service to other processes can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.

A.22 PHY_IO Privilege (All)

The PHY_IO privilege lets the user's process execute the Queue I/O Request ($QIO) system service to perform physical-level I/O operations.

Usually, process I/O requests are handled indirectly by use of an I/O package such as OpenVMS Record Management Services (RMS). However, to increase their control over I/O operations and to improve the efficiency of their applications, skilled users sometimes prefer to handle directly the interface between their process and a system I/O driver program. They can do this by executing the $QIO system service; in many instances, the operation called for is a physical-level I/O operation.

Grant the PHY_IO privilege only to users who need it; grant this privilege even more carefully than the LOG_IO privilege. If this privilege is given to unqualified users who have no need for it, the operating system and service to other users can be easily disrupted. Such disruptions can include the destruction of information on the system device, the destruction of user data, and the exposure of confidential information.

The PHY_IO privilege also lets a process perform the following tasks:

Task Interface

Access an individual shadow-set member unit $ASSIGN, $QIO

Create or delete a watchpoint $QIO request to the SMP watchpoint driver (WPDRIVER)

Map an LTA device to a server/port (IO$_TTY_PORT!IO$M_LT_MAPPORT) $QIO request to a LAT port driver (LTDRIVER)

Issue the following I/O requests:

Logical I/O request
Logical or virtual I/O request with IO$M_MSCPMODIFS modifier
Physical I/O to private, non-file-structured device
$QIO

Modify the following terminal attributes:
HANGUP
SET_SPEED
SECURE_SERVER SET TERMINAL or the terminal driver (TTDRIVER)
/[NO]HANGUP
/[NO]SET_SPEED
/[NO]SECURE_SERVER

Issue IO$_ACCESS (diagnostic) function to DEBNA/NI device driver $QIO request to a synchronous communications line (XGDRIVER)

Enable Ethernet promiscuous mode listening

Issue IO$_ACCESS (diagnostic) function to Ethernet common driver

Task	Interface
Access an individual shadow-set member unit	$ASSIGN, $QIO
Create or delete a watchpoint	$QIO request to the SMP watchpoint driver (WPDRIVER)
Map an LTA device to a server/port (IO$_TTY_PORT!IO$M_LT_MAPPORT)	$QIO request to a LAT port driver (LTDRIVER)
Issue the following I/O requests: Logical I/O request Logical or virtual I/O request with IO$M_MSCPMODIFS modifier Physical I/O to private, non-file-structured device	$QIO
Modify the following terminal attributes: HANGUP SET_SPEED SECURE_SERVER	SET TERMINAL or the terminal driver (TTDRIVER) /[NO]HANGUP /[NO]SET_SPEED /[NO]SECURE_SERVER
Issue IO$_ACCESS (diagnostic) function to DEBNA/NI device driver	$QIO request to a synchronous communications line (XGDRIVER)
Enable Ethernet promiscuous mode listening
Issue IO$_ACCESS (diagnostic) function to Ethernet common driver

Contents

Index

privacy and legal statement

6346PRO_032.HTML