Updated: 11 December 1998

OpenVMS Guide to System Security



A.28 SECURITY Privilege (System)

The SECURITY privilege lets a process perform security-related functions such as modifying the system password with the DCL command SET PASSWORD/SYSTEM or modifying the system alarm and audit settings using the DCL command SET AUDIT. The privilege not only lets a user process start and stop the audit server process with SET AUDIT, it also permits the process to use SET AUDIT to modify the characteristics of the auditing database, including those of the audit server, the system audit journal, the security archive file, resource monitoring, and the audit, alarm, or failure mode.

Grant this privilege only to security administrators. Irresponsible users who obtain this privilege can subvert the system's security mechanisms, can lock out users through improper application of system passwords, and can disable security auditing.

The SECURITY privilege also lets a process perform the following tasks:
Task                                                            Interface
Display system auditing information about the system audit      SHOW AUDIT
  log file, audit server settings, and so on
Display hidden ACEs                                             SHOW SECURITY
Display the system intrusion list or delete a record            SHOW INTRUSION, DELETE/INTRUSION
Enable the security operator terminal                           REPLY/ENABLE=SECURITY, $SNDOPR
Enable protected subsystems on a volume                         MOUNT/SUBSYSTEM, $MOUNT, SET VOLUME/SUBSYSTEM

A.29 SETPRV Privilege (All)

The SETPRV privilege lets the user's process create processes whose privileges are greater than its own by executing the Create Process ($CREPRC) system service with an optional argument or by issuing the DCL command RUN to create a process. A process with this privilege can also execute the DCL command SET PROCESS/PRIVILEGES to obtain any desired privilege.

Exercise the same caution in granting SETPRV as in granting any other privilege because SETPRV lets a process enable any or all privileges.

A.30 SHARE Privilege (All)

The SHARE privilege lets processes assign channels to devices allocated to other processes or to a nonshared device using the Assign I/O Channel ($ASSIGN) system service.

Grant this privilege only to system processes such as print symbionts. Otherwise, an irresponsible user can interfere with the operation of devices belonging to other users.

A.31 SHMEM Privilege (Devour)

The SHMEM privilege lets the user's process create global sections and mailboxes (permanent and temporary) in memory shared by multiple processors if the process also has appropriate PRMGBL, PRMMBX, SYSGBL, and TMPMBX privileges. Just as in local memory, the space required for a temporary mailbox in multiport memory counts against the buffered I/O byte count limit (BYTLM) of the process.

The privilege also lets a user's process create or delete an event flag cluster in shared memory using the Associate Common Event Flag Cluster ($ASCEFC) or the Disassociate Common Event Flag Cluster ($DACEFC) system service.

A.32 SYSGBL Privilege (Files)

The SYSGBL privilege lets the user's process create or delete system global sections by executing the Create and Map Section ($CRMPSC) or the Delete Global Section ($DGBLSC) system service. In addition, a process with this privilege (plus the CMKRNL and PRMGBL privileges) can use the Install utility (INSTALL).

Exercise caution when granting this privilege. System global sections require space in the global section and global page tables, which are limited resources.

A.33 SYSLCK Privilege (System)

The SYSLCK privilege lets the user's process lock systemwide resources with the Enqueue Lock Request ($ENQ) system service or obtain information about a system resource with the Get Lock Information ($GETLKI) system service.

Grant this privilege to users who need to run programs that lock resources in the systemwide resource namespace. However, exercise caution when granting this privilege. Users who hold the SYSLCK privilege can interfere with the synchronization of all system and user software.

A.34 SYSNAM Privilege (All)

The SYSNAM privilege lets the user's process bypass discretionary access controls and insert names into the system logical name table and delete names from that table by using the Create Logical Name ($CRELNM) and Delete Logical Name ($DELLNM) system services. A process with this privilege can use the DCL commands ASSIGN and DEFINE to add names to the system logical name table in user or executive mode and can use the DEASSIGN command in either mode to delete names from the table.

To mount a system volume or to dismount a system or group volume with the appropriate mount or dismount command or system service, you must have the SYSNAM privilege.

Grant this privilege only to the system operators or to system programmers who need to define system logical names (such as names for user devices, library directories, and the system directory). Note that a process with SYSNAM privilege could redefine such critical system logical names as SYS$SYSTEM and SYSUAF, thus gaining control of the system.

The SYSNAM privilege also lets a process perform the following tasks:
Task                                                            Interface
Access a MAIL maintenance record                                MAIL
Modify a MAIL forward record                                    MAIL
Declare a network object                                        NETACP
Create an IPC association                                       $IPC
With CMKRNL, add an identifier to or remove it from the system  SET RIGHTS_LIST/SYSTEM, $GRANTID, $REVOKID
  rights list

A.35 SYSPRV Privilege (All)

The SYSPRV privilege lets a process access protected objects through the system protection field and also read and modify the owner (UIC), the UIC-based protection code, and the ACL of an object. Even if an object is protected against system access, a process with SYSPRV privilege can change the object's protection to gain access to it. Any process with SYSPRV privilege can add, modify, or delete entries in the system user authorization file (SYSUAF.DAT).

Exercise caution when granting this privilege. Normally, grant this privilege only to system managers and security administrators. If unqualified users have system access rights, the operating system and service to others can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.

The SYSPRV privilege also lets a process perform the following tasks:
Task                                                            Interface
Modify a file's expiration date                                 SET FILE/EXPIRATION
Modify the number of interlocked queue retries                  $QIO request to an Ethernet 802 driver (DEBNA/NI)
Set the spin-wait time on the port command register             $QIO request to an Ethernet 802 driver (DEBNA)
Set the FROM field in a mail message                            MAIL routines
Access a MAIL maintenance record                                MAIL
Modify or delete a MAIL database record                         MAIL
Modify the group number and password of a local area cluster    CLUSTER_AUTHORIZE component of SYSMAN
Perform transaction recovery, join a transaction as             DECdtm software
  coordinator, transition a transaction

A process whose group UIC is less than or equal to the system parameter MAXSYSGRP has implied SYSPRV. When a process has SYSPRV or implied SYSPRV, it can also perform the following tasks:
Task                                                            Interface
Initialize a magnetic tape                                      $INIT_VOL
Override creation of an owner ACE on a newly created file       $QIO request to F11BXQP
Clear the directory bit in a directory's file header            $QIO request to the F11BXQP, SET FILE/NODIRECTORY
Acquire or release a volume lock                                $QIO request to F11BXQP
Force mount verification on a volume                            $QIO request to F11BXQP
Create a file access window with the no access lock bit set     $QIO request to F11BXQP
Specify null lock mode for a volume lock                        $QIO request to F11BXQP
Access a locked file                                            $QIO request to F11BXQP
Disable disk quotas on a volume                                 $QIO request to F11BXQP
Enable disk quotas on a volume                                  $QIO request to F11BXQP
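The UIC-based protection check that SYSPRV and implied SYSPRV feed into, as an added example in Python (not code from the OpenVMS documentation). It models only the four-category protection code written in the S:RWED,O:RWED,G:RE,W:RE form used in Appendix B, with no ACLs and no privileges other than SYSPRV; the MAXSYSGRP value of 8 and the UICs [1,4], [200,15] and [5,1] are constructed sample values, not necessarily your system's settings.

```python
"""Model of the OpenVMS UIC-based protection check, including the system
category that SYSPRV or implied SYSPRV (UIC group <= MAXSYSGRP) confers.

Added example, not code from the OpenVMS documentation.  Only the
four-category protection code is modelled: no ACLs, no other privileges.
The MAXSYSGRP default of 8 below is a constructed sample value; use your
system's actual setting."""

CATEGORIES = ("S", "O", "G", "W")   # system, owner, group, world
ACCESS_TYPES = "RWED"               # read, write, execute, delete


def parse_uic(text):
    """'[376,375]' -> (0o376, 0o375).  UIC fields are written in octal."""
    group, member = text.strip("[]").split(",")
    return int(group, 8), int(member, 8)


def parse_protection(code):
    """'S:RWE,O:RWE,G:RWE,W' -> {'S': {'R','W','E'}, ..., 'W': set()}.

    A category with no colon and no letters (here W) grants no access.
    """
    granted = {c: set() for c in CATEGORIES}
    for field in code.split(","):
        category, _, access = field.strip().upper().partition(":")
        if category not in granted:
            raise ValueError(f"unknown protection category {category!r}")
        for ch in access:
            if ch not in ACCESS_TYPES:
                raise ValueError(f"unknown access type {ch!r}")
            granted[category].add(ch)
    return granted


def categories_for(accessor, owner, privileges=(), maxsysgrp=8):
    """Every protection category the accessing process falls into.

    A process is usually in several categories at once; the access is
    granted if any one of them grants it.
    """
    cats = {"W"}                       # everyone is in the world category
    if accessor[0] == owner[0]:
        cats.add("G")                  # same UIC group as the object owner
    if accessor == owner:
        cats.add("O")                  # the owner itself
    # SYSPRV, or implied SYSPRV for a UIC group <= MAXSYSGRP, adds the
    # system category on top of whatever else applies.
    if "SYSPRV" in privileges or accessor[0] <= maxsysgrp:
        cats.add("S")
    return cats


def has_access(code, access, accessor, owner, privileges=(), maxsysgrp=8):
    """True if the protection code grants `access` (one of R, W, E, D)."""
    access = access.upper()
    if access not in ACCESS_TYPES:
        raise ValueError(f"unknown access type {access!r}")
    granted = parse_protection(code)
    cats = categories_for(accessor, owner, privileges, maxsysgrp)
    return any(access in granted[c] for c in cats)


if __name__ == "__main__":
    sysuaf = "S:RWE,O:RWE,G:RWE,W"      # SYSUAF.DAT protection from Table B-1
    system = parse_uic("[1,4]")         # sample owner UIC (constructed)
    user = parse_uic("[200,15]")        # ordinary user, group 200 (constructed)
    print(has_access(sysuaf, "R", user, system))                          # False: world has no access
    print(has_access(sysuaf, "R", user, system, privileges=("SYSPRV",)))  # True: system category
    print(has_access(sysuaf, "R", parse_uic("[5,1]"), system))            # True: group 5 <= MAXSYSGRP
    print(has_access(sysuaf, "D", system, system))                        # False: no category grants D
```

The last call shows the limit of the protection code itself: no category grants delete on SYSUAF.DAT, yet the text above explains that a SYSPRV holder can simply change the protection first, which is why the privilege is as sensitive as the paragraph says.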

A.36 TMPMBX Privilege (Normal)

The TMPMBX privilege lets the user's process create a temporary mailbox by executing the Create Mailbox and Assign Channel ($CREMBX) system service.

Mailboxes are buffers in virtual memory that are treated as if they were record-oriented I/O devices. A mailbox is used for general interprocess communication. Unlike a permanent mailbox, which must be explicitly deleted, a temporary mailbox is deleted automatically when it is no longer referenced by any process.

Grant this privilege to all users of the system to facilitate interprocess communication. System performance is not likely to be degraded by permitting the creation of temporary mailboxes, because their number is controlled by limits on the use of system dynamic memory (BYTLM quota).

A.37 UPGRADE Privilege (All)

The UPGRADE privilege lets a process manipulate mandatory access controls. The privilege allows a process to write to an object of higher integrity, in violation of the Biba confinement (*) property. This privilege is reserved for enhanced security products like SEVMS.

A.38 VOLPRO Privilege (Objects)

The VOLPRO privilege lets the user's process:

The VOLPRO privilege permits control only over volumes that the user's process can mount or initialize. Volumes mounted with the /SYSTEM qualifier are safe from a process with the VOLPRO privilege as long as the process does not also have the SYSNAM privilege.

Exercise extreme caution when granting the VOLPRO privilege. If unqualified users can override volume protection, the operating system and service to others can be disrupted. Such disruptions can include destruction of the database and exposure of confidential information.

The VOLPRO privilege lets a process perform the following tasks:
Task                                                            Interface
Dismount a volume                                               DISMOUNT/ABORT, $DISMOU
Initialize a volume                                             $INIT_VOL
Mount a foreign multivolume magnetic tape set                   MOUNT/MULTI_VOLUME
Override volume labels or accessibility                         $MOUNT
Initialize a blank tape                                         REPLY/BLANK_TAPE, $SNDOPR
Override access while initializing a magnetic tape after a      $INIT_VOL
  file access error
Override write-locking of a volume on errors                    $MOUNT
Override write protection of a former shadow set member         $MOUNT
Override volume expiration, protection, or ownership            $MOUNT

A.39 WORLD Privilege (System)

The WORLD privilege lets the user's process affect other processes both inside and outside its group by executing the following process control system services:

The user's process is also allowed to examine processes outside its own group by executing the Get Job/Process Information ($GETJPI) system service. A process with WORLD privilege can issue the SET PROCESS command for all other processes. Any process with WORLD privilege can also obtain information about a lock held by a process in another group using the Get Lock Information ($GETLKI) system service.

To control or examine the subprocesses it created, a process needs no special privilege. To affect or examine other processes inside its own group, a process needs only the GROUP privilege. Grant the WORLD privilege, however, only to users who need to affect or examine processes outside their own group.


Appendix B
Protection for OpenVMS VAX System Files

This appendix lists OpenVMS VAX system files and their protections so you can monitor them regularly to ensure that no tampering has occurred. Section B.1 identifies the protection codes and ownership assigned to the files and calls out any exceptions. Section B.2 lists the system files supplied on OpenVMS VAX media.

See Chapter 8, particularly Section 8.9.2 for a discussion of how to protect OpenVMS system files.

B.1 Standard Ownership and Protection

The system (SYSTEM) owns all OpenVMS system files except one. The directory MOM$SYSTEM is owned by UIC [376,375].

All files in SYS$DEVICE:[VMS$COMMON], except those listed in Table B-1, have a protection code of S:RWED,O:RWED,G:RWED,W:RE.

Table B-1 Exceptions to Standard OpenVMS VAX System File Protection
  Files                                                       Protection
[VMS$COMMON]
  DECW$DEFAULTS.DIR             MOM$SYSTEM.DIR                S:RWE,O:RWE,G:RE,W:RE
  SYS$KEYMAP.DIR                SYS$LDR.DIR
  SYS$STARTUP.DIR               SYSCBI.DIR
  SYSERR.DIR                    SYSEXE.DIR
  SYSFONT.DIR                   SYSHLP.DIR
  SYSLIB.DIR                    SYSMAINT.DIR
  SYSMGR.DIR                    SYSMSG.DIR
  SYSTEST.DIR                   SYSUPD.DIR
  VUE$LIBRARY.DIR
[VMS$COMMON.SYS$KEYMAP]
  DECW.DIR                                                    S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYS$KEYMAP.DECW]
  SYSTEM.DIR                    USER.DIR                      S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYSEXE]
  ISL_LVAX_061.SYS              ISL_SVAX_061.SYS              S:RWED,O:RWED,G:RE,W:RE
  MSGHLP$MAIN.EXE                                             S:RE,O:RE,G:RE,W:RE
  RIGHTSLIST.DAT                                              S:RWED,O:RWED,G:R,W
  SYSUAF.DAT                                                  S:RWE,O:RWE,G:RWE,W
  VMS$OBJECTS.DAT                                             S:RWE,O:RWE,G:RE,W
[VMS$COMMON.SYSFONT]
  DECW.DIR                      PS_FONT_METRICS.DIR           S:RWE,O:RWE,G:RE,W:RE
  VWS.DIR                       XDPS.DIR
[VMS$COMMON.SYSFONT.DECW]
  100DPI.DIR                    75DPI.DIR                     S:RWE,O:RWE,G:RE,W:RE
  COMMON.DIR                    CURSOR16.DIR
  CURSOR32.DIR                  USER_100DPI.DIR
  USER_75DPI.DIR                USER_COMMON.DIR
  USER_CURSOR16.DIR             USER_CURSOR32.DIR
[VMS$COMMON.SYSHLP]
  DECW.DIR                      VMSDOC.DIR                    S:RWE,O:RWE,G:RE,W:RE
  MSGHLP$ENGLISH.EXE                                          S:RE,O:RE,G:RE,W:RE
  EXAMPLES.DIR                                                S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYSLIB]
  CDA$ACCESS.EXE                DECW$DWTLIBSHR.EXE            S:RW,O:RWED,G:R,W:R
  DECW$PRINTWGTSHR.EXE          DECW$XLIBSHR.EXE
  MSGHLP$ENGLISH.EXE            MSGHLP$SHARE.EXE              S:RE,O:RE,G:RE,W:RE
  VMS$PASSWORD_DICTIONARY.DATA                                S:RE,O:RE,G,W
  XDPS$DPSBINDINGSSHR.EXE       XDPS$DPSCLIENTSHR.EXE         S:RW,O:RWED,G:R,W:R
  XDPS$DPSLIBSHR.EXE            XNL$SHR.EXE
[VMS$COMMON.SYSMGR]
  SECURITY.AUDIT$JOURNAL                                      S:RWED,O:RWED,G:RE,W
  VMS$AUDIT_SERVER.DAT                                        S:RWE,O:RWE,G:RE,W
  WELCOME.TEMPLATE              WELCOME.TXT                   S:RWED,O:RWED,G:RE,W:RE
[VMS$COMMON.VUE$LIBRARY]
  SYSTEM.DIR                    USER.DIR                      S:RWE,O:RWE,G:RE,W:RE
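A periodic integrity check of the kind this appendix is meant to support, as an added example in Python (not code from the OpenVMS documentation). EXPECTED_EXCEPTIONS transcribes part of Table B-1 and should be extended from the full table; OBSERVED is constructed sample data standing in for a listing collected on a live system with the DCL command DIRECTORY/SECURITY, and the owner UIC [300,7] and the file EXAMPLE_TOOL.EXE in it are constructed values, not real system files.

```python
"""Check observed OpenVMS VAX system-file protections against Section B.1
and Table B-1.

Added example, not part of the OpenVMS documentation.  EXPECTED_EXCEPTIONS
is a partial transcription of Table B-1 (extend it from the table); OBSERVED
is constructed sample data in place of a DIRECTORY/SECURITY listing.  The
owner UIC [300,7] and the file EXAMPLE_TOOL.EXE are constructed values."""

DEFAULT_PROTECTION = "S:RWED,O:RWED,G:RWED,W:RE"   # Section B.1 default
DEFAULT_OWNER = "SYSTEM"

# (directory, file) -> protection, transcribed from Table B-1
EXPECTED_EXCEPTIONS = {
    ("[VMS$COMMON.SYSEXE]", "MSGHLP$MAIN.EXE"): "S:RE,O:RE,G:RE,W:RE",
    ("[VMS$COMMON.SYSEXE]", "RIGHTSLIST.DAT"): "S:RWED,O:RWED,G:R,W",
    ("[VMS$COMMON.SYSEXE]", "SYSUAF.DAT"): "S:RWE,O:RWE,G:RWE,W",
    ("[VMS$COMMON.SYSEXE]", "VMS$OBJECTS.DAT"): "S:RWE,O:RWE,G:RE,W",
    ("[VMS$COMMON.SYSLIB]", "VMS$PASSWORD_DICTIONARY.DATA"): "S:RE,O:RE,G,W",
    ("[VMS$COMMON.SYSMGR]", "SECURITY.AUDIT$JOURNAL"): "S:RWED,O:RWED,G:RE,W",
    ("[VMS$COMMON.SYSMGR]", "VMS$AUDIT_SERVER.DAT"): "S:RWE,O:RWE,G:RE,W",
}
# The single ownership exception named in Section B.1.
EXPECTED_OWNERS = {("[VMS$COMMON]", "MOM$SYSTEM.DIR"): "[376,375]"}


def strip_version(filespec):
    """'SYSUAF.DAT;1' -> 'SYSUAF.DAT' (drop the RMS version number)."""
    return filespec.split(";", 1)[0].upper()


def canonical(code):
    """Order-independent form of a protection code.

    Lets 'G,W,S:RE,O:RE' compare equal to 'S:RE,O:RE,G,W'; a category with
    no colon maps to an empty set (no access).
    """
    result = {}
    for field in code.upper().replace(" ", "").split(","):
        category, _, access = field.partition(":")
        result[category] = frozenset(access)
    return result


def expected_protection(directory, filespec):
    key = (directory.upper(), strip_version(filespec))
    return EXPECTED_EXCEPTIONS.get(key, DEFAULT_PROTECTION)


def expected_owner(directory, filespec):
    key = (directory.upper(), strip_version(filespec))
    return EXPECTED_OWNERS.get(key, DEFAULT_OWNER)


def audit(observed):
    """Return (directory, file, field, expected, observed) for each mismatch."""
    findings = []
    for directory, filespec, owner, protection in observed:
        name = strip_version(filespec)
        want_owner = expected_owner(directory, filespec)
        if owner.upper() != want_owner.upper():
            findings.append((directory, name, "owner", want_owner, owner))
        want_prot = expected_protection(directory, filespec)
        if canonical(protection) != canonical(want_prot):
            findings.append((directory, name, "protection", want_prot, protection))
    return findings


# Constructed sample listing: (directory, file spec, owner, protection)
OBSERVED = [
    ("[VMS$COMMON.SYSEXE]", "SYSUAF.DAT;1", "SYSTEM", "S:RWED,O:RWED,G:RWED,W:RE"),    # drifted to the default: world-readable
    ("[VMS$COMMON.SYSEXE]", "RIGHTSLIST.DAT;1", "SYSTEM", "S:RWED,O:RWED,G:R,W"),       # matches Table B-1
    ("[VMS$COMMON.SYSEXE]", "EXAMPLE_TOOL.EXE;2", "SYSTEM", "S:RWED,O:RWED,G:RWED,W:RE"),  # not in the table: default applies
    ("[VMS$COMMON.SYSMGR]", "SECURITY.AUDIT$JOURNAL;1", "[300,7]", "S:RWED,O:RWED,G:RE,W"),  # wrong owner
    ("[VMS$COMMON.SYSLIB]", "VMS$PASSWORD_DICTIONARY.DATA;1", "SYSTEM", "G,W,S:RE,O:RE"),    # same rights, different order
]

if __name__ == "__main__":
    for finding in audit(OBSERVED):
        print("MISMATCH {}{} {}: expected {}, found {}".format(*finding))
```

Comparing canonical forms rather than strings matters in practice: a listing may print the categories in a different order, and a string comparison would then raise false alarms while still missing nothing real.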



Copyright © Compaq Computer Corporation 1998. All rights reserved.
