HP OpenVMS Systems Documentation

OpenVMS Guide to System Security

5.5.1 Naming Rules

The name of the object is a string of 1 to 44 characters. For group global sections, the name is qualified by your UIC group number.

5.5.2 Types of Access

The global section class supports the following types of access:

Read	Gives you the right to map the section for read access.
Write	Gives you the right to map the section for write access.
Execute	Gives you the right to map the section for read access. Only software running in executive or kernel mode can request this access.
Control	Gives you the right to modify the protection elements of PFN global sections and page file-backed global sections.

5.5.3 Template Profile

File-backed global sections share the security profile of the associated disk file. Whenever the profile of the backing file is modified, the global section's profile automatically changes. To modify the protection elements of file-backed global sections, you must modify the backing file instead.

The global section class provides the following template profiles. Although the template assigns an owner UIC of [0,0], this value is only temporary. As soon as the object is created, the operating system replaces a 0 value with the value in the corresponding field of the creating process's UIC.

Type	Template Name	Owner UIC	Protection Code
System	DEFAULT	[0,0]	S:RWE,O:RWE,G:RWE,W:RWE
Group	DEFAULT	[0,0]	S:RWE,O:RWE,G:RWE,W:RWE

The operating system modifies the templates according to the values provided in the prot argument to $CRMPSC. The prot argument is ignored for file-backed sections.

To maintain compatibility with earlier versions of the operating system, the DEFAULT templates have protection codes allowing world access. Some applications may need a more restrictive default than the templates provide. If you do choose to restrict global section access, be aware that the more restrictive access can cause applications to fail in ways that are difficult to diagnose.

5.5.4 Privilege Requirements

The SYSGBL privilege is required to create or delete a system global section. The PFNMAP privilege is necessary to create or delete a page frame section, and the PRMGBL privilege is required to create or delete a permanent global section.

5.5.5 Kinds of Auditing Performed

The following types of events can be audited, provided the security administrator enables auditing for the appropriate event class:

Event Audited	When Audit Occurs
Creation	When a page file-backed or a PFN global section is created by the Create and Map Section system service ($CRMPSC).
Access	When an existing page file-backed or a PFN global section is accessed with either $CRMPSC or the Map Global Section system service ($MGBLSC). The operating system audits access to a file-backed global section as a file access.
Deaccess	At image or process rundown when the process virtual address space is reset or deleted.
Deletion	If a process with PRMGBL privilege, PFNMAP privilege, or SYSGBL privilege (in the case of a system global section) deletes a permanent global section, the operating system audits the event through the use of privilege.

5.5.6 Permanence of the Object

A global section and its security profile need to be reset after every system boot.

5.6 Logical Name Tables

Logical name assignments are maintained in logical name tables. A logical name table can be accessible to only one process, or it can be shareable if its parent table is shareable. All shareable name tables are listed in the LNM$SYSTEM_DIRECTORY, the system directory table. It is shareable logical name tables that the operating system protects.

5.6.1 Naming Rules

The name of a logical name table is a string of 1 to 32 characters.

5.6.2 Types of Access

The logical name table class supports the following types of access:

Read	Gives you the right to look up (translate) logical names in the table
Write	Gives you the right to create and delete logical names in the table
Create	Gives you the right to create a descendant logical name table, including the right to use a subset of the dynamic memory allocated to the parent logical name table when creating the descendant logical name table
Delete	Gives you the right to delete the table
Control	Gives you the right to modify the protection elements and owner of the table

5.6.3 Template Profile

The logical name table class provides the following template profiles. Although the template assigns an owner UIC of [0,0], this value is only temporary. As soon as the object is created, the operating system replaces a 0 value with the value in the corresponding field of the creating process's UIC.

Template Name	Owner UIC	Protection Code
DEFAULT	[0,0]	S:RW,O:RW,G:R,W:R
GROUP	[0,*]	S:RWCD,O:R,G:R,W
JOB	[0,0]	S:RWCD,O:RWCD,G,W

5.6.4 Privilege Requirements

The operating system allows read and write access to the group logical name tables with GRPNAM privilege and to the system logical name table with SYSNAM privilege.

Deletion of a shared table from the system directory requires SYSNAM privilege, and deletion of a logical name from the group directory requires GRPNAM privilege. Deletion of a parent logical name table results in the deletion of all its descendant logical name tables.

Creation or deletion of an inner-mode logical name or logical name table requires SYSNAM privilege (or being in an inner mode).

5.6.5 Kinds of Auditing Performed

The following events can be audited, provided the security administrator enables auditing for the event class:

Event Audited	When Audit Occurs
Access	When translating a name, when creating a name or a descendent table, or when deleting a name or a descendent table
Creation	During access to a parent table for the right to create a table or when the table itself is created

5.6.6 Permanence of the Object

A logical name table and its security profile must be reset each time the system is rebooted.

5.7 Queues

A queue is a set of jobs to be processed. In general, queues are of two types, generic or execution. No processing takes place in generic queues. Execution queues hold jobs that will execute on an execution queue when one is available. Execution queues can be batch queues, printer queues, server queues, or terminal queues.

5.7.1 Naming Rules

A queue name is a string of 1 to 31 characters, including any alphanumeric character, the dollar sign ($), or the underscore (_).

5.7.2 Types of Access

The queue class supports the following types of access:

Read	Gives you the right to see the security elements of either a queue or a job in the queue.
Submit	Gives you the right to place jobs in the queue.
Delete	Gives you the right to either delete a job in the queue or modify the elements of a job.
Manage	Gives you the right to affect any job in the queue. You can start, stop, or delete a queue and change its status and any elements that are unrelated to security.
Control	Gives you the right to modify the protection elements and owner of a queue.

Note: When a process receives read or delete access through a protection code, it can operate on only its job in the queue. However, when granted through an ACL, read and delete access allow a process to operate on all jobs in the queue.

5.7.3 Template Profile

The queue class provides the following template profile:

Template Name	Owner UIC	Protection Code
DEFAULT	[SYSTEM]	S:M,O:D,G:R,W:S

5.7.4 Privilege Requirements

You need SYSNAM and OPER privileges to stop or start the queue manager. OPER is necessary to either create and delete queues, or to change the symbiont definition.

5.7.5 Kinds of Auditing Performed

The following events can be audited, provided the security administrator enables auditing for the event class:

Event Audited	When Audit Occurs
Access	When a job is submitted to the queue and when either a job or queue is modified.
Creation	When a queue is initialized.
Deletion	When a process deletes a job from the queue or when the queue itself is deleted. (To enable auditing for queue deletions, enable auditing for manage [M] access to the queue.)

If access auditing is enabled for both files and queues, one queue operation can generate a number of auditing messages because, within a single operation, the operating system performs several access checks. For example, before a job is executed on a print queue, the system checks to see if you have read access to the file, and it checks for read access again before printing the file.

5.7.6 Permanence of the Object

Queues are permanent objects. They are stored in the system queue database together with their security profiles.

5.8 Resource Domains

Processes that access shared resources can coordinate access using the services of the lock manager. These services allow processes to associate a name with a resource, such as a file or a data structure, to arbitrate access to that resource, and to exchange limited information through a lock value block. The namespaces that catalog resources on which locks can be taken are called resource domains.

A process must become a member of a resource domain to take and release locks and to read and write value blocks associated with resources in that resource domain. A process implicitly joins the system and group domains, but it explicitly joins other domains through a call to the $SET_RESOURCE_DOMAIN system service. Access to all locks and value blocks within a domain is controlled by access to the domain itself.

5.8.1 Naming Rules

A resource domain is identified to $SET_RESOURCE_DOMAIN by a longword binary value. However, the name of the resource domain object is a string containing the resource number interpreted in octal surrounded by brackets [] or angle brackets <>. Alternatively, the name of the resource domain object can be expressed as an identifier enclosed in brackets or angle brackets. The identifier must translate to a UIC value; the group field of the UIC is used as the resource domain number.

5.8.2 Types of Access

The resource domain class supports the following types of access:

Read	Gives you the right to read lock value blocks in the domain, including the right to use the $GETLKI system service to retrieve it
Write	Gives you the right to write to lock value blocks in the domain
Lock	Gives you the right to take locks using $ENQ, release locks using $DEQ, and obtain information about the lock database using $GETLKI
Control	Gives you the right to modify the protection elements of a resource domain

5.8.3 Template Profile

The resource domain class provides the following template profile. The template assigns an owner UIC of [n,*] where n is the resource domain's number.

Template Name	Owner UIC	Protection Code
DEFAULT	[ n,*]	S:RWL,O:RWL,G:RWL,W

5.8.4 Privilege Requirements

The SYSLCK privilege allows lock access to the system resource domain (Domain 0).

5.8.5 Kinds of Auditing Performed

The following events can be audited, provided the security administrator enables auditing for the event class:

Event Audited	When Audit Occurs
Access	When a process calls $SET_RESOURCE_DOMAIN or $ENQ to join a domain
Creation	The first time a process joins the resource domain
Deaccess	When a process called $SET_RESOURCE_DOMAIN or at image or process rundown

5.8.6 Permanence of the Object

Both the resource domain and its security elements are saved in SYS$SYSTEM:VMS$OBJECTS.DAT.

5.9 Security Classes

The security class is the parent of all classes of protected objects. It protects the template profiles associated with the various object classes. Each object in the security class holds the following information:

An object name
A security profile for new objects of the class
One or more template profiles
A set of access names
Auditing controls

Chapter 8 discusses how to manage objects in the security class.

5.9.1 Naming Rules

The security class has the following members:

CAPABILITY	COMMON_EVENT_CLUSTER
DEVICE	FILE
GROUP_GLOBAL_SECTION	LOGICAL_NAME_TABLE
QUEUE	RESOURCE_DOMAIN
SECURITY_CLASS	SYSTEM_GLOBAL_SECTION
VOLUME

5.9.2 Types of Access

Security class objects support the following types of access:

Read	Gives you the right to read a template profile. Template profiles contain the security elements assigned to new objects.
Write	Gives you the right to modify the values of a template profile.
Control	Gives you the right to modify the security profile of a security class object. Control access implies read and write access.

5.9.3 Template Profile

The security class object provides the following template profile:

Template Name	Owner UIC	Protection Code
DEFAULT	[SYSTEM]	S:RW,O:RW,G:R,W:R

5.9.4 Kinds of Auditing Performed

The following events can be audited, provided the security administrator enables auditing for the event class:

Event Audited	When Audit Occurs
Access	When a process enters the DCL command SET SECURITY or SHOW SECURITY with the /CLASS=SECURITY_CLASS qualifier or when it uses the name SECURITY_CLASS in a call to the system service $SET_SECURITY or $GET_SECURITY

5.9.5 Permanence of the Object

The security profiles of the security class object and all its members are stored in the security object database.

5.10 Volumes

A volume object is one or more ODS-2 disk volumes. The object consists of multiple volumes when they are part of a bound volume set. Although you might have access to the directories and files on the volume, you cannot access them if you do not have access to the volume itself.

For access information on tapes and foreign volumes, see the OpenVMS System Manager's Manual and the Mount utility documentation in the OpenVMS System Management Utilities Reference Manual.

Contents

Index