Updated: 11 December 1998
OpenVMS Guide to System Security
A.16 IMPORT Privilege (Objects)
The IMPORT privilege lets a process manipulate mandatory access controls. The privilege lets a process mount unlabeled tape volumes. This privilege is reserved for enhanced security products like SEVMS.
A.17 LOG_IO Privilege (All)
The LOG_IO privilege lets the user's process execute the Queue I/O Request ($QIO) system service to perform logical-level I/O operations. LOG_IO privilege is also required for certain device control functions, such as setting permanent terminal characteristics. A process with the typical privileges of NETMBX and TMPMBX that also holds LOG_IO and SYSNAM can reconfigure the Ethernet using the Phase IV network configuration procedure, NICONFIG.COM.
Usually, process I/O requests are handled indirectly by use of an I/O package such as OpenVMS Record Management Services (RMS). However, to increase their control over I/O operations and to improve the efficiency of I/O operations, skilled users sometimes prefer to handle the interface between their process and a system I/O driver program directly. They can do this by executing $QIO; in many instances, the operation called for is a logical-level I/O operation. Note that logical-level functions are permitted without LOG_IO privilege on a device mounted with the /FOREIGN qualifier and on non-file-structured devices.
Grant this privilege only to users who need it because it allows a process to access data anywhere on the selected volume without the benefit of any file structuring. If this privilege is given to unqualified users who have no need for it, the operating system and service to other processes can be easily disrupted. Such disruptions can include the destruction of information on the system device, the destruction of user data, and the exposure of confidential information.
The LOG_IO privilege also lets a process perform the following tasks:
Task | Interface |
---|---|
Issue physical I/O calls to a private, non-file-structured device | $QIO |
Modify the following terminal attributes: HANGUP, SET_SPEED, SECURE_SERVER | SET TERMINAL (or TTDRIVER): /[NO]HANGUP, /[NO]SET_SPEED, /[NO]SECURE_SERVER |
A.18 MOUNT Privilege (Normal)
The MOUNT privilege lets the user's process execute the mount volume QIO function. The use of this function should be restricted to system software supplied by Compaq.
A.19 NETMBX Privilege (Normal)
The NETMBX privilege lets a process perform functions related to a
DECnet computer network. For example, it allows a process to switch a
terminal line to an asynchronous DECnet protocol or assign a channel to
a network device. Grant this privilege to general users who need to
access the network.
A.20 OPER Privilege (System)
The OPER privilege allows a process to use the Operator Communication Manager (OPCOM) process to reply to users' requests, to broadcast messages to all terminals logged in, to designate terminals as operators' terminals and specify the types of messages to be displayed on these operators' terminals, and to initialize and control the log file of operators' messages. In addition, this privilege lets the user spool devices, create and control all queues, and modify the protection and ownership of all non-file-structured devices.
Grant this privilege only to the operators of the system. These are the users who respond to the requests of ordinary users, who tend to the needs of the system's peripheral devices (mounting reels of tape and changing printer forms), and who attend to all the other day-to-day chores of system operation. (A nonprivileged user can log in on the console terminal to respond to operator requests, for example, to mount a tape.)
The OPER privilege lets a process perform the following tasks:
Task | Interface |
---|---|
Modify device protection | SET PROTECTION/DEVICE |
Modify device ownership | SET PROTECTION/DEVICE/OWNER |
Access the System Management utility | SYSMAN |
Perform operator tasks: | |
Issue a broadcast reply | REPLY, $SNDOPR |
Cancel a system operator request | REPLY/ABORT, $SNDOPR |
Initialize the system operator log file | $SNDOPR |
Reply to a pending system operator request | REPLY/TO, REPLY/PENDING, REPLY/INITIALIZE_TAPE, $SNDOPR |
Issue a system operator request | REQUEST, $SNDOPR |
Enable system operator classes | REPLY/ENABLE, $SNDOPR, $SNDMSG |
Disable system operator classes | REPLY/DISABLE, $SNDOPR |
Send a broadcast message | $BRKTHRU, $BRDCST |
Write an event to the operator log | $SNDOPR |
Initialize a system operator log | REPLY/LOG, $SNDOPR |
Close the current operator log | REPLY/NOLOG, $SNDOPR |
Send a message to an operator | REPLY, $SNDOPR |
Enable or disable autostart | $SNDJBC (SJC$_DISABLE_AUTO_START, SJC$_ENABLE_AUTO_START) |
Stop all queues | $SNDJBC (SJC$_STOP_ALL_QUEUES_ON_NODE) |
Modify the characteristics of devices: | |
Modify device availability | SET DEVICE/[NO]AVAILABLE |
Modify device dual-porting | SET DEVICE/[NO]DUAL_PORT |
Modify device error logging | SET DEVICE/[NO]ERROR_LOGGING |
Modify device spooling | SET DEVICE/[NO]SPOOLED |
Modify default definitions of days: | |
Set default day type to PRIMARY | SET DAY/PRIMARY |
Set default day type to SECONDARY | SET DAY/SECONDARY |
Return day type to DEFAULT | SET DAY/DEFAULT |
Modify or override login limits: | |
Modify interactive login limit | SET LOGIN/INTERACTIVE |
Modify network login limit | SET LOGIN/NETWORK |
Modify batch login limit | SET LOGIN/BATCH |
Create and modify queues: | |
Bypass discretionary access to a queue | |
Create a queue | $SNDJBC (SJC$_CREATE_QUEUE) |
Define queue characteristics | $SNDJBC (SJC$_DEFINE_CHARACTERISTICS) |
Define forms | $SNDJBC (SJC$_DEFINE_FORM) |
Delete characteristics | $SNDJBC (SJC$_DELETE_CHARACTERISTICS) |
Delete forms | $SNDJBC (SJC$_DELETE_FORM) |
Set the base priority of batch processes | $SNDJBC (SJC$_BASE_PRIORITY) |
Set the scheduling priority of a job | $SNDJBC (SJC$_PRIORITY) |
Start accounting | SET ACCOUNTING/ENABLE, $SNDJBC (SJC$_START_ACCOUNTING) |
Stop accounting | SET ACCOUNTING/DISABLE, $SNDJBC (SJC$_STOP_ACCOUNTING) |
Operate the LAT device: | |
Transmit LAT solicit information message | $QIO request to a LAT port driver (LTDRIVER) |
Set static rating for LAT service | $QIO request to a LAT port driver (LTDRIVER) |
Read last LAT response message buffer | $QIO request to a LAT port driver (LTDRIVER) |
Change port type from dedicated to application | $QIO request to a LAT port driver (LTDRIVER) |
Change port type from application to dedicated | $QIO request to a LAT port driver (LTDRIVER) |
Modify tape operations: | |
Specify number of file window-mapping pointers | MOUNT/WINDOWS, $MOUNT |
Mount a volume with an alternate ACP | MOUNT/PROCESSOR, $MOUNT |
Mount a volume with alternate cache limits | MOUNT/CACHE, $MOUNT |
Modify write caching for a tape controller | MOUNT/CACHE, $MOUNT |
Modify ODS1 directory FCB cache limit | SET VOLUME/ACCESSED, MOUNT/ACCESSED, $MOUNT |
Perform network operations: | |
Connect to an object while executor state is restricted | |
Read network event-logging buffer | NETACP |
Modify network volatile database | NETACP |
Access the permanent database for an update | DECnet/NML |
Connect to a DECnet circuit | $QIO request to the DECnet downline load and loopback class driver (NDDRIVER) |
Display the permanent DECnet service password | NCP |
Display the volatile DECnet service password | NCP |
Control character conversion by terminals: | |
Load terminal fallback table | TFU, $QIO request to the terminal fallback driver (FBDRIVER) |
Unload terminal fallback table | TFU, $QIO request to the terminal fallback driver (FBDRIVER) |
Establish system default terminal fallback table | TFU, $QIO request to the terminal fallback driver (FBDRIVER) |
Control cluster operations: | |
Request expected votes modification | SET CLUSTER/EXPECTED_VOTES |
Request MSCP serving of a device | SET DEVICE/SERVED |
Request quorum modification | SET CLUSTER/QUORUM |
Add an adapter to the failover list | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
Remove an adapter from the failover list | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
Set an adapter to be the current adapter | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
Set the new adapter test interval | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
Used in combination with other privileges, OPER lets processes perform the following tasks:
Privileges | Task | Interface |
---|---|---|
OPER and CMKRNL | Mount a volume with a private ACP | MOUNT/PROCESSOR, $MOUNT |
OPER and LOG_IO | Set the system time | SET TIME, $SETIME |
OPER and SYSNAM | Start or stop the queue manager | START/QUEUE/MANAGER, STOP/QUEUE/MANAGER, $SNDJBC |
OPER and VOLPRO | Initialize a blank tape or override access checks while initializing a blank tape | $INIT_VOL, MOUNT, $MOUNT |
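As an added example that is not part of this guide, the following Python audit parses an AUTHORIZE listing and flags the All-category privileges described in this appendix (LOG_IO, PHY_IO, PFNMAP) together with the OPER combinations in the table above. The sample listing is constructed and the AUTHORIZE output layout it assumes is an assumption, not a specification.

```python
import re

# "All"-category privileges from this appendix: a holder can reach any volume
# block or physical page regardless of file protection.
ALL_CATEGORY = {"LOG_IO", "PHY_IO", "PFNMAP"}
# The OPER combinations tabulated above, keyed by the second privilege.
OPER_COMBOS = {
    "CMKRNL": "mount a volume with a private ACP",
    "LOG_IO": "set the system time",
    "SYSNAM": "start or stop the queue manager",
    "VOLPRO": "initialize a blank tape or override its access checks",
}
# Constructed AUTHORIZE SHOW output; its layout (indented names under the
# "Authorized Privileges:" and "Default Privileges:" lines) is assumed.
SAMPLE_LISTING = """\
Username: OPERATOR                         Owner:  SYSTEM OPERATOR
Authorized Privileges:
  NETMBX     OPER       LOG_IO     TMPMBX
Default Privileges:
  NETMBX     OPER       TMPMBX
Username: JSMITH                           Owner:  J SMITH
Authorized Privileges:
  NETMBX     TMPMBX
Default Privileges:
  NETMBX     TMPMBX
"""
PRIV_LINE = re.compile(r"^\s+[A-Z_]+(?:\s+[A-Z_]+)*\s*$")  # indented names only

def parse_authorize(listing):
    """Return {username: set of authorized privileges}; the default set is a subset."""
    users, current, in_authorized = {}, None, False
    for line in listing.splitlines():
        if line.startswith("Username:"):
            current, in_authorized = line.split()[1], False
            users[current] = set()
        elif line.rstrip().endswith("Privileges:"):
            in_authorized = line.startswith("Authorized")
        elif in_authorized and current and PRIV_LINE.match(line):
            users[current].update(line.split())
    return users

def findings(users):
    """Map each user to the high-impact grants and OPER combinations they hold."""
    out = {}
    for user, privs in users.items():
        notes = [f"holds {p} (All category)" for p in sorted(privs & ALL_CATEGORY)]
        if "OPER" in privs:
            notes += [f"OPER and {o}: can {e}" for o, e in OPER_COMBOS.items() if o in privs]
        if notes:
            out[user] = notes
    return out
```

Accounts that appear in the result hold more than the Normal privileges (NETMBX, TMPMBX) this appendix recommends for general users, and each note names the capability the guide attributes to that grant.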
A.21 PFNMAP Privilege (All)
The PFNMAP privilege lets a user's process create and map page frame number (PFN) global sections to specific pages of physical memory or I/O device registers, no matter who is using the pages or registers. Such a privileged process can also delete PFN-based global sections with the system service $DGBLSC.
Exercise caution when granting this privilege. If unqualified user
processes have unrestricted access to physical memory, the operating
system and service to other processes can be easily disrupted. Such
disruptions can include failure of the system, destruction of all
system and user data, and exposure of confidential information.
A.22 PHY_IO Privilege (All)
The PHY_IO privilege lets the user's process execute the Queue I/O Request ($QIO) system service to perform physical-level I/O operations.
Usually, process I/O requests are handled indirectly by use of an I/O package such as OpenVMS Record Management Services (RMS). However, to increase their control over I/O operations and to improve the efficiency of their applications, skilled users sometimes prefer to handle directly the interface between their process and a system I/O driver program. They can do this by executing the $QIO system service; in many instances, the operation called for is a physical-level I/O operation.
Grant the PHY_IO privilege only to users who need it; grant this privilege even more carefully than the LOG_IO privilege. If this privilege is given to unqualified users who have no need for it, the operating system and service to other users can be easily disrupted. Such disruptions can include the destruction of information on the system device, the destruction of user data, and the exposure of confidential information.
The PHY_IO privilege also lets a process perform the following tasks:
Task | Interface |
---|---|
Access an individual shadow-set member unit | $ASSIGN, $QIO |
Create or delete a watchpoint | $QIO request to the SMP watchpoint driver (WPDRIVER) |
Map an LTA device to a server/port (IO$_TTY_PORT!IO$M_LT_MAPPORT) | $QIO request to a LAT port driver (LTDRIVER) |
Issue the following I/O requests: | $QIO |
Modify the following terminal attributes: HANGUP, SET_SPEED, SECURE_SERVER | SET TERMINAL or the terminal driver (TTDRIVER): /[NO]HANGUP, /[NO]SET_SPEED, /[NO]SECURE_SERVER |
Issue IO$_ACCESS (diagnostic) function to DEBNA/NI device driver | $QIO request to a synchronous communications line (XGDRIVER) |
Enable Ethernet promiscuous mode listening | |
Issue IO$_ACCESS (diagnostic) function to Ethernet common driver | |
A.23 PRMCEB Privilege (Devour)
The PRMCEB privilege lets the user's process create or delete a permanent common event flag cluster by executing the Associate Common Event Flag Cluster ($ASCEFC) or the Delete Common Event Flag Cluster ($DLCEFC) system service. Common event flag clusters enable cooperating processes to communicate with each other and thus synchronize their execution.
Grant this privilege with care. If permanent common event flag clusters
are not explicitly deleted, they tie up space in system dynamic memory,
which may degrade system performance.
A.24 PRMGBL Privilege (Devour)
The PRMGBL privilege lets the user's process create or delete permanent global sections by executing the Create and Map Section ($CRMPSC) or the Delete Global Section ($DGBLSC) system service. In addition, a process with this privilege (plus CMKRNL and SYSGBL privileges) can use the Install utility (INSTALL).
Global sections are shared structures that can be mapped simultaneously in the virtual address space of many processes. All processes see the same code or data. Global sections are used for reentrant subroutines or data buffers.
Grant this privilege with care. If permanent global sections are not
explicitly deleted, they tie up space in the global section and global
page tables, which are limited resources.
A.25 PRMMBX Privilege (Devour)
The PRMMBX privilege lets the user's process create or delete a permanent mailbox by executing the Create Mailbox and Assign Channel ($CREMBX) system service or the Delete Mailbox ($DELMBX) system service. The privilege also allows the creation of temporary mailboxes with the $CREMBX service.
Mailboxes are buffers in virtual memory that are treated as if they were record-oriented I/O devices. A mailbox is used for general interprocess communication.
Do not grant PRMMBX to all users of the system. Permanent mailboxes are
not automatically deleted when the creating processes are deleted and,
thus, continue to use a portion of system dynamic memory. System
performance degrades as system dynamic memory becomes scarce.
A.26 PSWAPM Privilege (System)
The PSWAPM privilege lets the user's process control whether it can be swapped out of the balance set by executing the Set Process Swap Mode ($SETSWM) system service. A process must have this privilege to lock itself in the balance set (to disable swapping) or to unlock itself from the balance set (to enable swapping).
With this privilege, a process can create a process that is locked in the balance set (swap mode is disabled) by using an optional argument to the Create Process ($CREPRC) system service or, when the DCL command RUN is used to create a process, by using the /NOSWAPPING qualifier of the RUN command. Furthermore, a process can lock a page or range of pages in physical memory using the Lock Pages in Memory ($LCKPAG) system service.
Grant this privilege only to users who need to lock a process in memory
for performance reasons. Typically, this will be a real-time process.
If unqualified processes have the unrestricted ability to lock
processes in the balance set, physical memory can be held unnecessarily
and thereby degrade system performance.
A.27 READALL Privilege (Objects)
The READALL privilege lets the process bypass existing restrictions that would otherwise prevent the process from reading an object. However, unlike the BYPASS privilege, which permits writing and deleting, READALL permits only the reading of objects and allows updating of such backup-related file characteristics as the backup date. See the OpenVMS System Management Utilities Reference Manual and the OpenVMS System Manager's Manual for a discussion of backup operations.
READALL is intended to be an adequate privilege for backing up volumes, so grant this privilege to operators so they can perform system backups.
The READALL privilege lets a process perform the following tasks:
Task | Interface |
---|---|
Read a user authorization record | $GETUAI |
Display permanent network database records | NCP |
Copyright © Compaq Computer Corporation 1998. All rights reserved.