Updated: 11 December 1998
OpenVMS Guide to System Security
The SECURITY privilege lets a process perform security-related functions such as modifying the system password with the DCL command SET PASSWORD/SYSTEM or modifying the system alarm and audit settings using the DCL command SET AUDIT. The privilege not only lets a user process start and stop the audit server process with SET AUDIT, it also permits the process to use SET AUDIT to modify the characteristics of the auditing database, including those of the audit server, the system audit journal, the security archive file, resource monitoring, and the audit, alarm, or failure mode.
Grant this privilege only to security administrators. Irresponsible users who obtain this privilege can subvert the system's security mechanisms, can lock out users through improper application of system passwords, and can disable security auditing.
The SECURITY privilege also lets a process perform the following tasks:
Task | Interface |
---|---|
Display system auditing information about the system audit log file, audit server settings, and so on | SHOW AUDIT |
Display Hidden ACEs | SHOW SECURITY |
Display the system intrusion list or delete a record | SHOW INTRUSION, DELETE/INTRUSION |
Enable the security operator terminal | REPLY/ENABLE=SECURITY, $SNDOPR |
Enable protected subsystems on a volume | MOUNT/SUBSYSTEM, $MOUNT, SET VOLUME/SUBSYSTEM |
The SETPRV privilege lets the user's process create processes whose privileges are greater than its own by executing the Create Process ($CREPRC) system service with an optional argument or by issuing the DCL command RUN to create a process. A process with this privilege can also execute the DCL command SET PROCESS/PRIVILEGES to obtain any desired privilege.
Exercise the same caution in granting SETPRV as in granting any other privilege because SETPRV lets a process enable any or all privileges.
A.30 SHARE Privilege (All)
The SHARE privilege lets processes assign channels to devices allocated to other processes or to a nonshared device using the Assign I/O Channel ($ASSIGN) system service.
Grant this privilege only to system processes such as print symbionts. Otherwise, an irresponsible user can interfere with the operation of devices belonging to other users.
A.31 SHMEM Privilege (Devour)
The SHMEM privilege lets the user's process create global sections and mailboxes (permanent and temporary) in memory shared by multiple processors if the process also has appropriate PRMGBL, PRMMBX, SYSGBL, and TMPMBX privileges. Just as in local memory, the space required for a temporary mailbox in multiport memory counts against the buffered I/O byte count limit (BYTLM) of the process.
The privilege also lets a user's process create or delete an event flag cluster in shared memory using the Associate Common Event Flag Cluster ($ASCEFC) or the Disassociate Common Event Flag Cluster ($DACEFC) system service.
A.32 SYSGBL Privilege (Files)
The SYSGBL privilege lets the user's process create or delete system global sections by executing the Create and Map Section ($CRMPSC) or the Delete Global Section ($DGBLSC) system service. In addition, a process with this privilege (plus the CMKRNL and PRMGBL privileges) can use the Install utility (INSTALL).
Exercise caution when granting this privilege. System global sections require space in the global section and global page tables, which are limited resources.
A.33 SYSLCK Privilege (System)
The SYSLCK privilege lets the user's process lock systemwide resources with the Enqueue Lock Request ($ENQ) system service or obtain information about a system resource with the Get Lock Information ($GETLKI) system service.
Grant this privilege to users who need to run programs that lock resources in the systemwide resource namespace. However, exercise caution when granting this privilege. Users who hold the SYSLCK privilege can interfere with the synchronization of all system and user software.
A.34 SYSNAM Privilege (All)
The SYSNAM privilege lets the user's process bypass discretionary access controls and insert names into the system logical name table and delete names from that table by using the Create Logical Name ($CRELNM) and Delete Logical Name ($DELLNM) system services. A process with this privilege can use the DCL commands ASSIGN and DEFINE to add names to the system logical name table in user or executive mode and can use the DEASSIGN command in either mode to delete names from the table.
To mount a system volume or to dismount a system or group volume with the appropriate mount or dismount command or system service, you must have the SYSNAM privilege.
Grant this privilege only to the system operators or to system programmers who need to define system logical names (such as names for user devices, library directories, and the system directory). Note that a process with SYSNAM privilege could redefine such critical system logical names as SYS$SYSTEM and SYSUAF, thus gaining control of the system.
The SYSNAM privilege also lets a process perform the following tasks:
Task | Interface |
---|---|
Access a MAIL maintenance record | |
Modify a MAIL forward record | |
Declare a network object | NETACP |
Create an IPC association | $IPC |
With CMKRNL, add an identifier to or remove one from the system rights list | SET RIGHTS_LIST/SYSTEM, $GRANTID, $REVOKID |
The SYSPRV privilege lets a process access protected objects through the system field of the protection code, and also read and modify the owner (UIC), the UIC-based protection code, and the ACL of an object. Even if an object is protected against system access, a process with SYSPRV privilege can change the object's protection to gain access to it. Any process with SYSPRV privilege can add, modify, or delete entries in the system user authorization file (SYSUAF.DAT).
Exercise caution when granting this privilege. Normally, grant this privilege only to system managers and security administrators. If unqualified users have system access rights, the operating system and service to others can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.
The SYSPRV privilege also lets a process perform the following tasks:
Task | Interface |
---|---|
Modify a file's expiration date | SET FILE/EXPIRATION |
Modify the number of interlocked queue retries | $QIO request to an Ethernet 802 driver (DEBNA/NI) |
Set the spin-wait time on the port command register | $QIO request to an Ethernet 802 driver (DEBNA) |
Set the FROM field in a mail message | MAIL routines |
Access a MAIL maintenance record | |
Modify or delete a MAIL database record | |
Modify the group number and password of a local area cluster | CLUSTER_AUTHORIZE component of SYSMAN |
Perform transaction recovery, join a transaction as coordinator, transition a transaction | DECdtm software |
A process whose group UIC is less than or equal to the system parameter MAXSYSGRP has implied SYSPRV. When a process has SYSPRV or implied SYSPRV, it can also perform the following tasks:
Task | Interface |
---|---|
Initialize a magnetic tape | $INIT_VOL |
Override creation of an owner ACE on a newly created file | $QIO request to F11BXQP |
Clear the directory bit in a directory's file header | $QIO request to the F11BXQP, SET FILE/NODIRECTORY |
Acquire or release a volume lock | $QIO request to F11BXQP |
Force mount verification on a volume | $QIO request to F11BXQP |
Create a file access window with the no access lock bit set | $QIO request to F11BXQP |
Specify null lock mode for a volume lock | $QIO request to F11BXQP |
Access a locked file | $QIO request to F11BXQP |
Disable disk quotas on volume | $QIO request to F11BXQP |
Enable disk quotas on volume | $QIO request to F11BXQP |
The TMPMBX privilege lets the user's process create a temporary mailbox by executing the Create Mailbox and Assign Channel ($CREMBX) system service.
Mailboxes are buffers in virtual memory that are treated as if they were record-oriented I/O devices. A mailbox is used for general interprocess communication. Unlike a permanent mailbox, which must be explicitly deleted, a temporary mailbox is deleted automatically when it is no longer referenced by any process.
Grant this privilege to all users of the system to facilitate interprocess communication. System performance is not likely to be degraded by permitting the creation of temporary mailboxes, because their number is controlled by limits on the use of system dynamic memory (BYTLM quota).
A.37 UPGRADE Privilege (All)
The UPGRADE privilege lets a process manipulate mandatory access controls. The privilege allows a process to write to an object of higher integrity, in violation of the Biba *-property (confinement property). This privilege is reserved for enhanced security products like SEVMS.
A.38 VOLPRO Privilege (Objects)
The VOLPRO privilege lets the user's process:
The VOLPRO privilege permits control only over volumes that the user's process can mount or initialize. Volumes mounted with the /SYSTEM qualifier are safe from a process with the VOLPRO privilege as long as the process does not also have the SYSNAM privilege.
Exercise extreme caution when granting the VOLPRO privilege. If unqualified users can override volume protection, the operating system and service to others can be disrupted. Such disruptions can include destruction of the database and exposure of confidential information.
The VOLPRO privilege lets a process perform the following tasks:
Task | Interface |
---|---|
Dismount a volume | DISMOUNT/ABORT, $DISMOU |
Initialize a volume | $INIT_VOL |
Mount foreign multivolume magnetic tape set | MOUNT/MULTI_VOLUME |
Override volume labels or accessibility | $MOUNT |
Initialize blank tape | REPLY/BLANK_TAPE, $SNDOPR |
Override access while initializing a magnetic tape after a file access error | $INIT_VOL |
Override write-locking of volume on errors | $MOUNT |
Override write protection of former shadow set member | $MOUNT |
Override volume expiration, protection, or ownership | $MOUNT |
The WORLD privilege lets the user's process affect other processes both inside and outside its group by executing the following process control system services:
The user's process is also allowed to examine processes outside its own group by executing the Get Job/Process Information ($GETJPI) system service. A process with WORLD privilege can issue the SET PROCESS command for all other processes. Any process with WORLD privilege can also obtain information about a lock held by a process in another group using the Get Lock Information ($GETLKI) system service.
A process needs no special privilege to control or examine subprocesses it created, and only the GROUP privilege to affect or examine other processes inside its own group. Reserve the WORLD privilege for users who need to affect or examine processes outside their own group.
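As an added example that is not part of the OpenVMS guide, the following Python script reviews account records against the guidance in this appendix: it flags the privileges the text says to restrict, with the audience the text names for each, and applies the implied-SYSPRV rule (UIC group less than or equal to the MAXSYSGRP parameter). The record layout, the MAXSYSGRP value of 8, the numeric-only UIC handling and the sample accounts are assumptions constructed for the example, not AUTHORIZE output.

```python
"""Review constructed OpenVMS-style account records against the privilege
guidance in this appendix.  Added example, not part of the OpenVMS guide.

The records below are constructed sample data, not AUTHORIZE output; the
MAXSYSGRP value and the record field names are assumptions of the example."""
from __future__ import annotations

import re

# Privileges the appendix says to restrict, with the audience it names.
RESTRICTED = {
    "SECURITY": "security administrators only; can disable auditing",
    "SETPRV":   "lets a process enable any privilege; treat as all privileges",
    "SHARE":    "system processes such as print symbionts only",
    "SYSGBL":   "consumes limited global section and global page table space",
    "SYSLCK":   "can interfere with systemwide lock synchronization",
    "SYSNAM":   "operators/system programmers only; can redefine SYS$SYSTEM, SYSUAF",
    "SYSPRV":   "system managers and security administrators only",
    "VOLPRO":   "extreme caution; overrides volume protection",
    "WORLD":    "only users who must affect processes outside their own group",
}
# Privileges the appendix says may be granted to all users.
NORMAL = {"TMPMBX"}


def parse_uic(uic: str) -> tuple[int, int]:
    """Parse a numeric UIC such as "[7,12]" into (group, member) integers.

    Both fields are octal in the [g,m] notation.  Alphanumeric UICs such as
    [SYSTEM] are not handled (an assumption of this example)."""
    m = re.fullmatch(r"\[([0-7]+),([0-7]+)\]", uic.strip())
    if not m:
        raise ValueError(f"unsupported UIC format: {uic!r}")
    return int(m.group(1), 8), int(m.group(2), 8)


def has_implied_sysprv(uic: str, maxsysgrp: int) -> bool:
    """Appendix rule: a group UIC <= MAXSYSGRP gives the process implied SYSPRV.

    MAXSYSGRP is taken as a decimal integer (SYSGEN parameters default to
    decimal); the UIC group is converted from octal before comparing."""
    group, _ = parse_uic(uic)
    return group <= maxsysgrp


def review_account(account: dict, maxsysgrp: int) -> list[tuple[str, str]]:
    """Return (privilege, reason) findings for one account record."""
    findings: list[tuple[str, str]] = []
    held = {p.upper() for p in account["privileges"]}
    for priv in sorted(held & RESTRICTED.keys()):
        findings.append((priv, RESTRICTED[priv]))
    # Implied SYSPRV is only worth reporting when SYSPRV is not held outright.
    if "SYSPRV" not in held and has_implied_sysprv(account["uic"], maxsysgrp):
        group, _ = parse_uic(account["uic"])
        findings.append(("SYSPRV (implied)",
                         f"UIC group {group:o} (octal) <= MAXSYSGRP {maxsysgrp}"))
    return findings


def review_accounts(accounts: list[dict], maxsysgrp: int = 8) -> dict[str, list]:
    """Map each username to its findings; an empty list means nothing to review."""
    return {a["username"]: review_account(a, maxsysgrp) for a in accounts}


# Constructed sample records (assumption: username, uic, privileges fields).
SAMPLE_ACCOUNTS = [
    {"username": "SYSTEM",   "uic": "[1,4]",    "privileges": ["SETPRV", "SYSPRV", "SECURITY", "TMPMBX", "WORLD"]},
    {"username": "OPSPRINT", "uic": "[11,20]",  "privileges": ["SHARE", "TMPMBX"]},
    {"username": "JSMITH",   "uic": "[200,3]",  "privileges": ["TMPMBX"]},
    {"username": "TJONES",   "uic": "[7,12]",   "privileges": ["TMPMBX"]},       # group 7 <= 8
    {"username": "ABROWN",   "uic": "[10,1]",   "privileges": ["VOLPRO", "TMPMBX"]},  # octal 10 = 8
]

if __name__ == "__main__":
    for user, findings in review_accounts(SAMPLE_ACCOUNTS).items():
        print(user, "OK" if not findings else "")
        for priv, reason in findings:
            print(f"    {priv:<18} {reason}")
```

The octal-versus-decimal point is the one that trips people up: [10,1] is group 8 in decimal and therefore falls inside a MAXSYSGRP of 8, while [11,1] does not.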
This appendix lists OpenVMS VAX system files and their protections so you can monitor them regularly to ensure that no tampering has occurred. Section B.1 identifies the protection codes and ownership assigned to the files and calls out any exceptions. Section B.2 lists the system files supplied on OpenVMS VAX media.
See Chapter 8, particularly Section 8.9.2, for a discussion of how to protect OpenVMS system files.
B.1 Standard Ownership and Protection
The system account (SYSTEM) owns all OpenVMS system files except one: the directory MOM$SYSTEM is owned by UIC [376,375].
All files in SYS$DEVICE:[VMS$COMMON], except those listed in Table B-1, have a protection code of S:RWED,O:RWED,G:RWED,W:RE.
Files | Protection
---|---
[VMS$COMMON] |
DECW$DEFAULTS.DIR, MOM$SYSTEM.DIR, SYS$KEYMAP.DIR, SYS$LDR.DIR, SYS$STARTUP.DIR, SYSCBI.DIR, SYSERR.DIR, SYSEXE.DIR, SYSFONT.DIR, SYSHLP.DIR, SYSLIB.DIR, SYSMAINT.DIR, SYSMGR.DIR, SYSMSG.DIR, SYSTEST.DIR, SYSUPD.DIR, VUE$LIBRARY.DIR | S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYS$KEYMAP] |
DECW.DIR | S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYS$KEYMAP.DECW] |
SYSTEM.DIR, USER.DIR | S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYSEXE] |
ISL_LVAX_061.SYS, ISL_SVAX_061.SYS | S:RWED,O:RWED,G:RE,W:RE
MSGHLP$MAIN.EXE | S:RE,O:RE,G:RE,W:RE
RIGHTSLIST.DAT | S:RWED,O:RWED,G:R,W
SYSUAF.DAT | S:RWE,O:RWE,G:RWE,W
VMS$OBJECTS.DAT | S:RWE,O:RWE,G:RE,W
[VMS$COMMON.SYSFONT] |
DECW.DIR, PS_FONT_METRICS.DIR, VWS.DIR, XDPS.DIR | S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYSFONT.DECW] |
100DPI.DIR, 75DPI.DIR, COMMON.DIR, CURSOR16.DIR, CURSOR32.DIR, USER_100DPI.DIR, USER_75DPI.DIR, USER_COMMON.DIR, USER_CURSOR16.DIR, USER_CURSOR32.DIR | S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYSHLP] |
DECW.DIR, VMSDOC.DIR | S:RWE,O:RWE,G:RE,W:RE
MSGHLP$ENGLISH.EXE | S:RE,O:RE,G:RE,W:RE
EXAMPLES.DIR | S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYSLIB] |
CDA$ACCESS.EXE, DECW$DWTLIBSHR.EXE, DECW$PRINTWGTSHR.EXE, DECW$XLIBSHR.EXE | S:RW,O:RWED,G:R,W:R
MSGHLP$ENGLISH.EXE, MSGHLP$SHARE.EXE | S:RE,O:RE,G:RE,W:RE
VMS$PASSWORD_DICTIONARY.DATA | S:RE,O:RE,G,W
XDPS$DPSBINDINGSSHR.EXE, XDPS$DPSCLIENTSHR.EXE, XDPS$DPSLIBSHR.EXE, XNL$SHR.EXE | S:RW,O:RWED,G:R,W:R
[VMS$COMMON.SYSMGR] |
SECURITY.AUDIT$JOURNAL | S:RWED,O:RWED,G:RE,W
VMS$AUDIT_SERVER.DAT | S:RWE,O:RWE,G:RE,W
WELCOME.TEMPLATE, WELCOME.TXT | S:RWED,O:RWED,G:RE,W:RE
[VMS$COMMON.VUE$LIBRARY] |
SYSTEM.DIR, USER.DIR | S:RWE,O:RWE,G:RE,W:RE
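The following Python script, an added example rather than anything from the OpenVMS guide, turns the baseline above into the regular check this appendix recommends: it parses protection codes in the S:RWED,O:RWED,G:RE,W notation the appendix uses (and, as an assumption, a positional (RWED,RWED,RE,) form listing the four categories in S,O,G,W order), compares an observed listing against the Section B.1 default plus a subset of the Table B-1 exceptions, and reports every category where access is granted beyond the baseline or falls short of it. The observed listing, including the file name SAMPLE_DEFAULT.COM, is constructed sample data, not real DIRECTORY output.

```python
"""Check observed protection codes of OpenVMS system files against the
baseline given in Appendix B.  Added example, not part of the OpenVMS guide.

Baseline values are the ones the appendix lists; the "observed" listing is
constructed sample data for the example, not real DIRECTORY output."""
from __future__ import annotations

CATEGORIES = ("S", "O", "G", "W")   # System, Owner, Group, World
ACCESS_ORDER = "RWED"               # Read, Write, Execute, Delete

# Section B.1: protection of every file not listed in Table B-1.
DEFAULT_PROTECTION = "S:RWED,O:RWED,G:RWED,W:RE"

# Subset of the Table B-1 exceptions, keyed by [directory]filename.
BASELINE_EXCEPTIONS = {
    "[VMS$COMMON.SYSEXE]SYSUAF.DAT":                  "S:RWE,O:RWE,G:RWE,W",
    "[VMS$COMMON.SYSEXE]RIGHTSLIST.DAT":              "S:RWED,O:RWED,G:R,W",
    "[VMS$COMMON.SYSLIB]VMS$PASSWORD_DICTIONARY.DATA": "S:RE,O:RE,G,W",
    "[VMS$COMMON.SYSMGR]SECURITY.AUDIT$JOURNAL":      "S:RWED,O:RWED,G:RE,W",
    "[VMS$COMMON.SYSMGR]VMS$AUDIT_SERVER.DAT":        "S:RWE,O:RWE,G:RE,W",
}


def parse_protection(code: str) -> dict[str, frozenset[str]]:
    """Parse a protection code into {category: set of access letters}.

    Keyed form, as in the appendix: "S:RWED,O:RWED,G:RE,W", where a category
    without a colon (here "W") grants no access.  Positional form (assumed
    here to list S,O,G,W in order): "(RWED,RWED,RE,)"."""
    code = code.strip()
    if code.startswith("(") and code.endswith(")"):
        fields = code[1:-1].split(",")
        if len(fields) != 4:
            raise ValueError(f"positional code needs 4 fields: {code!r}")
        parts = dict(zip(CATEGORIES, fields))
    else:
        parts = {}
        for field in code.split(","):
            cat, _, access = field.strip().partition(":")
            parts[cat.upper()] = access
    result = {}
    for cat in CATEGORIES:
        if cat not in parts:
            raise ValueError(f"missing category {cat} in {code!r}")
        access = parts[cat].strip().upper()
        unknown = set(access) - set(ACCESS_ORDER)
        if unknown:
            raise ValueError(f"unknown access letters {sorted(unknown)} in {code!r}")
        result[cat] = frozenset(access)
    return result


def format_protection(prot: dict[str, frozenset[str]]) -> str:
    """Render a parsed code back into the appendix's keyed notation."""
    return ",".join(
        f"{c}:{''.join(a for a in ACCESS_ORDER if a in prot[c])}".rstrip(":")
        for c in CATEGORIES)


def audit(observed: dict[str, str],
          exceptions: dict[str, str] = BASELINE_EXCEPTIONS,
          default: str = DEFAULT_PROTECTION) -> list[tuple[str, str, str, str]]:
    """Return (file, category, kind, letters) findings.

    kind is "extra" when access is granted beyond the baseline (the
    security-relevant case) or "missing" when baseline access is absent
    (not a weakening, but a deviation that can break system operation)."""
    findings = []
    for filename, code in sorted(observed.items()):
        expected = parse_protection(exceptions.get(filename.upper(), default))
        actual = parse_protection(code)
        for cat in CATEGORIES:
            extra = actual[cat] - expected[cat]
            missing = expected[cat] - actual[cat]
            if extra:
                findings.append((filename, cat, "extra",
                                 "".join(a for a in ACCESS_ORDER if a in extra)))
            if missing:
                findings.append((filename, cat, "missing",
                                 "".join(a for a in ACCESS_ORDER if a in missing)))
    return findings


# Constructed observed listing: two files weakened, one tightened, two correct.
OBSERVED = {
    "[VMS$COMMON.SYSEXE]SYSUAF.DAT":                  "(RWE,RWE,RWE,R)",          # world can read
    "[VMS$COMMON.SYSEXE]RIGHTSLIST.DAT":              "S:RWED,O:RWED,G:R,W",
    "[VMS$COMMON.SYSLIB]VMS$PASSWORD_DICTIONARY.DATA": "S:RE,O:RE,G,W",
    "[VMS$COMMON.SYSMGR]SECURITY.AUDIT$JOURNAL":      "S:RWED,O:RWED,G:RWED,W:RE",  # default applied
    "[VMS$COMMON.SYSMGR]VMS$AUDIT_SERVER.DAT":        "S:RWE,O:RWE,G:E,W",        # group read dropped
    "[VMS$COMMON.SYSMGR]SAMPLE_DEFAULT.COM":          "(RWED,RWED,RWED,RE)",      # constructed name
}

if __name__ == "__main__":
    for filename, cat, kind, letters in audit(OBSERVED):
        print(f"{kind:<8} {filename}  {cat}:{letters}")
```

Sorting "extra" findings for the W (world) category to the top of a report is the quickest way to spot the case that matters most: a world-readable SYSUAF.DAT or audit journal.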
Copyright © Compaq Computer Corporation 1998. All rights reserved.