HP OpenVMS Systems Documentation

Content starts here

OpenVMS Guide to System Security


Previous Contents Index

8.6.7.6 Subsystem Attribute

You can authorize users to manage protected subsystems by granting them a subsystem identifier with the Subsystem attribute. This empowers users to enable images to access the objects managed by the subsystem. (See Chapter 13 for a discussion of protected subsystems.)

In the following example, user Schwartz is given the authority to create a subsystem with the identifier MAIL_SUBSYSTEM. Schwartz is also given control access to the application image to set access controls.


$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> ADD/IDENTIFIER MAIL_SUBSYSTEM /ATTRIBUTES=SUBSYSTEM
UAF> GRANT/IDENTIFIER MAIL_SUBSYSTEM -
_UAF> /ATTRIBUTES=SUBSYSTEM SCHWARTZ
UAF> Exit
$ SET SECURITY/ACL=(IDENTIFIER=MAIL_SUBSYSTEM,ACCESS=CONTROL)-
_$ MEMBER_LIST.EXE

8.6.8 Modifying a System or Process Rights List

As a privileged security administrator, you can use the SET RIGHTS_LIST command to modify the rights list of any process on the system or to modify identifiers in the system rights list. Adding an identifier to the system rights list effectively grants it to all users. You can also use the SET RIGHTS_LIST command to add attributes to existing identifiers.

A possible use of the system rights list is to enable site-specific environmental conditions. For example, a batch job scheduled to run at 8:00 a.m. could add the following identifier:


$ SET RIGHTS_LIST/SYSTEM/ENABLE DAY_SHIFT

Another batch job scheduled for 5:00 p.m. could remove the identifier DAY_SHIFT:


$ SET RIGHTS_LIST/SYSTEM/DISABLE DAY_SHIFT

The effect is to enable access to protected objects with the identifier DAY_SHIFT during the 8:00 a.m. to 5:00 p.m. period.

The command in the next example modifies a process rights list by adding the SALES identifier to the rights list of the process DEDNAM. Specifying the Resource attribute allows the holders of the SALES identifier to charge disk space to it.


$ SET RIGHTS_LIST/ENABLE/ATTRIBUTES=RESOURCE/PROCESS=DEDNAM SALES

8.7 Giving Users Privileges

Some system activities are limited to users who hold specific privileges. These restrictions protect the integrity of the operating system's performance and, thus, the integrity of service provided to users. Grant privileges to each user on the basis of two factors: (a) whether the user has a legitimate need for the privilege and (b) whether the user has the skill and experience to use the privilege without disrupting the system.

A user's privileges are recorded in the user's UAF record in two privilege vectors. One vector stores the authorized privileges, and the other vector stores the default privileges. The default privileges are the subset of authorized privileges that a user process receives at login.

When a user logs in to the system, the user's privilege vector is stored in the header of the user's process. In this way, the user's privileges are passed on to the process created for the user. Users can use the DCL command SET PROCESS/PRIVILEGES to enable and disable privileges for which they are authorized.

The operating system monitors and audits the use of privilege. You can enable auditing for specific privileges and examine the audit log file to see what privileges were used to execute DCL commands or system services. See Chapter 9 for further information.

8.7.1 Categories of Privilege

Privileges are divided into the following seven categories according to the damage that the user possessing them could cause the system:

  • None: No privileges
  • Normal: Minimum privileges to effectively use the system
  • Group: Potential to interfere with members of the same group
  • Devour: Potential to consume noncritical systemwide resources
  • System: Potential to interfere with normal system operation
  • Objects: Potential to compromise object security
  • All: Potential to control the system

Table 8-2 categorizes the privileges and includes a brief definition of the powers associated with each privilege.

Table 8-2 OpenVMS Privileges
Category Privilege Activity Permitted
None None Deny activities requiring privileges
Normal NETMBX
TMPMBX
Create network connections
Create temporary mailbox
Group GROUP
GRPPRV
Control processes in the same group
Gain access through the system protection field of the group's objects
Devour ACNT
ALLSPOOL
BUGCHK
EXQUOTA
GRPNAM
PRMCEB
PRMGBL
PRMMBX
SHMEM
Disable accounting
Allocate spooled devices
Make bugcheck error log entries
Exceed disk quotas
Insert group logical names in the name table
Create/delete permanent common event flag clusters
Create permanent global sections
Create permanent mailboxes
Create/delete structures in shared memory
System ALTPRI
AUDIT
OPER
PSWAPM
WORLD
SECURITY
SYSLCK
Set base priority higher than allotment
Generate audit records
Perform operator functions
Change process swap mode
Control any process
Perform security-related functions
Lock systemwide resources
Objects DIAGNOSE
IMPORT
MOUNT
READALL
SYSGBL
VOLPRO
Diagnose devices
Mount a nonlabeled tape volume
Execute mount volume QIO
Possess read access to all system objects
Create systemwide global sections
Override volume protection
All BYPASS
CMEXEC
CMKRNL
IMPERSONATE
DOWNGRADE

LOG_IO
PFNMAP
PHY_IO
SETPRV
SHARE
SYSNAM
SYSPRV
UPGRADE
Disregard protection
Change to executive mode
Change to kernel mode
Create detached processes of arbitrary UIC
Write to a lower secrecy object or lower an object's classification
Issue logical I/O requests
Map to specific physical pages
Issue physical I/O requests
Enable any privilege
Access devices allocated to other users
Insert system logical names in the name table
Access objects through the system protection field
Write to a higher integrity object or raise an object's integrity level

8.7.2 Suggested Privilege Allocations

Appendix A lists all user privileges and includes recommendations on when to grant them. When allocating user privileges, be conservative.

The summary guidelines in Table 8-3 indicate the minimum privilege requirements for common classes of system users.

Table 8-3 Minimum Privileges for System Users
Type of User Minimum Privileges
General TMPMBX, NETMBX
Operator OPER
Group manager GROUP, GRPPRV
System manager/administrator SYSPRV, OPER, SYSNAM, CMKRNL 1
Security administrator SECURITY, AUDIT, READALL

1The general purpose system manager often needs an authorized privilege set consisting of all privileges except BYPASS.

8.7.3 Limiting User Privileges

Granting privileges allows users those privileges until you remove them. To avoid such blanket permission, you may want to grant privileges on an as-needed basis. For example, certain users may need to run a program requiring one of the more powerful privileges. You can install the program with the necessary privilege by using the Install utility (INSTALL). Section 8.7.4 discusses installing privileged images in more detail.

An alternative to granting blanket privileges is to set up emergency or specialized privileged accounts. Users would log in to these privileged accounts only to perform specific functions. You have two options with this technique:

  • Establish a limited group of users who know about the account and are informed how to use it.
  • Create two accounts for the user, giving the privileges to one account but not to the other. In this case, the user would have the same UIC and the same default directory in each account. (This is the only case where Compaq recommends shared UICs, because there is still only one actual user.) If you decide to adopt this dual account practice, avoid obvious user names that reveal which account is the privileged account.

With both options, you can place special restrictions on the privileged account, such as long passwords, brief password lifetimes, restricted hours, and limited modes of operation (no dialup, network, remote, or batch logins). In addition, limited account durations would force frequent consideration of privilege requirements.

Yet another alternative is to use protected subsystems, which are described in Chapter 13, and thereby eliminate the need for any system privileges.

8.7.4 Installing Images with Privilege

A user cannot execute an image that requires a privilege the user does not possess unless the image is installed as a known image with the privilege in question. (See the OpenVMS System Management Utilities Reference Manual for instructions on installing known images.) Execution of a known image with privileges grants those privileges to the user process executing the image for the duration of the image's execution. Thus, you should install images with amplified privileges (other than the normal Compaq-supplied configuration) only after ensuring that the privileges are required by the image's function and that the image operates safely. Also consider restricting access to the image to a selected set of users.

Images installed with privileges are activated with all amplified privileges enabled. For maximum safety, images designed to run with amplified privilege should use the $SETPRV system service to disable all amplified privileges immediately on activation, and enable them only when they are needed.

Following is an example of installing an image with privilege. The System Dump Analyzer utility (SDA) requires CMKRNL privilege to analyze the running system.

  1. Install SDA.EXE with the CMKRNL privilege, as follows:


    $ INSTALL SDA.EXE /PRIVILEGED=CMKRNL
    
  2. Place an ACL on SDA.EXE, and also set the UIC-based protection to deny all access to the world category of users, as follows:


    $ SET SECURITY/ACL=(IDENTIFIER=SDA,ACCESS=EXECUTE)-
    _$ SYS$SYSTEM:SDA.EXE
    $ SET SECURITY/PROTECTION=(WORLD) SYS$SYSTEM:SDA.EXE
    
  3. Use the AUTHORIZE command to confirm that the users who hold the SDA identifier are those intended to run the program. If necessary, make adjustments to this list of users.

    Note

    All images that you install with privilege must be linked with the /NOTRACEBACK qualifier to prevent online debugging and traceback.
    Compaq ensures that all system programs that are supplied with the operating system (such as the SDA) are linked with the /NOTRACEBACK qualifier to prevent online debugging or traceback.

8.7.5 Restricting Command Output

Some DCL commands behave differently depending on the privileges that the user holds.

For example, unless a user holds the GROUP or WORLD privilege, the SHOW PROCESS command limits the display of process information to the user's process. A user with GROUP privilege can display other processes in the user's UIC group; a user with WORLD privilege can display any process on the system.

8.8 Setting Default Protection and Ownership

After designing user groups and identifiers, you need to address which protected objects your users need permission to access and which ones can be unrestricted. Become familiar with the default protection of new objects, shown in Chapter 5, and when necessary modify the defaults, as shown in the following sections.

The procedure for setting up object protection and ownership defaults varies, depending on whether the object is a file or another class of protected object.

8.8.1 Controlling File Access

As Section 5.4.5 explains, there are four possible areas where you can specify protection defaults that would affect the user. In order of increasing influence, they are as follows:

  • The system parameter RMS_FILEPROT sets the systemwide default for file protection. You can change the value of RMS_FILEPROT with AUTOGEN. However, the effectiveness of this value may be overridden by any of the following defaults.
  • The DCL command SET PROTECTION/DEFAULT can specify the file protection placed on files created or modified by the user during the terminal session. While the command typically appears in the user's login command procedure, the user can also enter this command at any time during a session to override the value set by a previous SET PROTECTION/DEFAULT command. The SET PROTECTION/DEFAULT command negates the influence of the systemwide protection for this user.
  • The default protection for the specific directory can be specified in an ACL applied to the directory. If a Default Protection ACE exists for the directory, all new files added to the directory, including subdirectories and their files, are subject to this protection code. This code overrides the systemwide default and the user-specified default (if any).
  • In special cases where the file being created is not owned by the user identification code (UIC) of the process creating the file (for example, when a directory is owned by a resource identifier), the default protection for the new file can be modified by a Creator ACE within the directory's ACL. Refer to Section 5.4.5 for a discussion of the Creator ACE.

Also consider the protection imposed on the volume through the DCL command SET VOLUME/PROTECTION. This protection code, if specified, prevents a user from accessing any part of the volume, regardless of the protection code on the directory or the file. If no volume protection is specified with the SET VOLUME command, the volume is accessible to all users.

The assignment of file ownership affects the outcome of any protection check. The operational effect of this combined protection structure is depicted in Figure 8-1.

Figure 8-1 Flowchart of File Creation




8.8.1.1 Adjusting Protection Defaults

You may want to make adjustments to control default behavior. The systemwide default protection code specified by the system parameter RMS_FILE PROT sets the user's default protection to the following:


(S:RWED,O:RWED,G:RE,W)

Assume that the volume protection has been set by the operator to the following:


(S:RWED,O:RWED,G:R,W)

The file protection on the directory [PROJECT] has been set to the following:


(S:RWED,O:RW,G:R,W)

If all the files created in the subdirectory [PROJECT.DIARY] demand more protection, you, or any user who has control access to the directory, could define a specific default protection code for this specific directory with an ACL consisting of a Default Protection ACE, as follows:


(DEFAULT_PROTECTION,S:RWED,O:RWED,G,W)

The following DCL command would provide the desired default protection:


$ SET SECURITY/ACL=(DEFAULT_PROTECTION,S:RWED,O:RWED)-
_$ [PROJECT]DIARY.DIR

Once this ACE is placed on the directory file, files created or modified in the directory are subject to the default protection code. Because these protection codes are only defaults, a user who has control access to a file in the directory can include a specific protection code as a replacement for the default value on the file by using the following DCL commands:

  • SET SECURITY/PROTECTION
  • COPY/PROTECTION
  • APPEND/PROTECTION
  • CREATE/PROTECTION

Once the default protection code is replaced, the new code becomes the default and is propagated to subsequent versions of the file.

If you provide a special login command procedure for some of your users, you may want to supplement the systemwide default process protection specified by the system parameter RMS_FILEPROT for this group of users. Add the SET PROTECTION/DEFAULT command to the login command procedure to specify the default process protection, as follows:


SET PROTECTION=(S:RWED,O:RWED,G,W)/DEFAULT

Files created in users' directories receive this default protection code unless explicitly overridden.

8.8.1.2 Setting Defaults for a Directory Owned by a Resource Identifier

To allow for more flexible data management as well as more accurate accounting of disk space, you can set up a directory that is owned by a resource identifier and rely on ACLs to control access to the directory and to files created within it.

The ACL can limit file access to all project members holding the project identifier. To achieve this kind of access restriction, you add an Identifier ACE to define the group's access to files. A second Identifier ACE is added that duplicates the first but holds the Default attribute. It is the Default attribute that ensures the ACE is copied to all files created within the directory. Sometimes a third ACE is necessary---a Default Protection ACE, depending on the default protection code for the directory. A Default Protection ACE establishes the protection code for the directory's files. (As Section 4.3 explains, if an ACL denies access to a file, it is still possible to gain access through a protection code.)

In addition to limiting the group's access to files, an ACL can control the type of access users have to files that they have created within the common directory. Because the file is created in the resource identifier's directory, the resource identifier owns the file. For users to access files they have created, the operating system normally gives control access to the file's creator plus the access specified in the owner field of the protection code. However, you can modify this behavior by adding a Creator ACE to the directory's ACL. A Creator ACE defines the type of access users have to files they have created in the project's directory.

8.8.1.2.1 Setting Up the Resource Identifier

A security administrator used the following command sequence to set up the project identifier PROJECTX and grant it to members of the project. Notice that the identifier is added to the rights database with the resource identifier, and it is also granted to users with the resource identifier. The project identifier needs to carry the Resource attribute so it can own disk space.


$ RUN SYS$SYSTEM:AUTHORIZE
UAF> ADD/IDENTIFIER PROJECTX /ATTRIBUTES=RESOURCE
UAF> GRANT/IDENTIFIER PROJECTX user1 /ATTRIBUTES=RESOURCE
UAF> GRANT/IDENTIFIER PROJECTX user2 /ATTRIBUTES=RESOURCE
   .
   .
   .


Previous Next Contents Index