HP OpenVMS Systems Documentation
OpenVMS Guide to System Security
A.23 PRMCEB Privilege (Devour)
The PRMCEB privilege lets the user's process create or delete a permanent common event flag cluster by executing the Associate Common Event Flag Cluster ($ASCEFC) or the Delete Common Event Flag Cluster ($DLCEFC) system service. Common event flag clusters enable cooperating processes to communicate with each other and thus synchronize their execution.
Grant this privilege with care. If permanent common event flag clusters
are not explicitly deleted, they tie up space in system dynamic memory,
which may degrade system performance.
A.24 PRMGBL Privilege (Devour)
The PRMGBL privilege lets the user's process create or delete permanent global sections by executing the Create and Map Section ($CRMPSC) or the Delete Global Section ($DGBLSC) system service. In addition, a process with this privilege (plus CMKRNL and SYSGBL privileges) can use the Install utility (INSTALL). Global sections are shared structures that can be mapped simultaneously in the virtual address space of many processes. All processes see the same code or data. Global sections are used for reentrant subroutines or data buffers.
Grant this privilege with care. If permanent global sections are not
explicitly deleted, they tie up space in the global section and global
page tables, which are limited resources.
A.25 PRMMBX Privilege (Devour)
The PRMMBX privilege lets the user's process create or delete a permanent mailbox by executing the Create Mailbox and Assign Channel ($CREMBX) system service or the Delete Mailbox ($DELMBX) system service. The privilege also allows the creation of temporary mailboxes with the $CREMBX service. Mailboxes are buffers in virtual memory that are treated as if they were record-oriented I/O devices. A mailbox is used for general interprocess communication.
Do not grant PRMMBX to all users of the system. Permanent mailboxes are
not automatically deleted when the creating processes are deleted and,
thus, continue to use a portion of system dynamic memory. System
performance degrades as system dynamic memory becomes scarce.
A.26 PSWAPM Privilege (System)
The PSWAPM privilege lets the user's process control whether it can be swapped out of the balance set by executing the Set Process Swap Mode ($SETSWM) system service. A process must have this privilege to lock itself in the balance set (to disable swapping) or to unlock itself from the balance set (to enable swapping). With this privilege, a process can create a process that is locked in the balance set (swap mode is disabled) by using an optional argument to the Create Process ($CREPRC) system service or, when the DCL command RUN is used to create a process, by using the /NOSWAPPING qualifier of the RUN command. Furthermore, a process can lock a page or range of pages in physical memory using the Lock Pages in Memory ($LCKPAG) system service.
Grant this privilege only to users who need to lock a process in memory
for performance reasons. Typically, this will be a real-time process.
If unqualified processes have the unrestricted ability to lock
processes in the balance set, physical memory can be held unnecessarily
and thereby degrade system performance.
A.27 READALL Privilege (Objects)
The READALL privilege lets the process bypass existing restrictions that would otherwise prevent the process from reading an object. However, unlike the BYPASS privilege, which permits writing and deleting, READALL permits only the reading of objects and allows updating of such backup-related file characteristics as the backup date. See the OpenVMS System Management Utilities Reference Manual and the OpenVMS System Manager's Manual for a discussion of backup operations. READALL is intended to be an adequate privilege for backing up volumes, so grant this privilege to operators so they can perform system backups. The READALL privilege lets a process perform the following tasks:
A.28 SECURITY Privilege (System)
The SECURITY privilege lets a process perform security-related functions such as modifying the system password with the DCL command SET PASSWORD/SYSTEM or modifying the system alarm and audit settings using the DCL command SET AUDIT. The privilege not only lets a user process start and stop the audit server process with SET AUDIT, it also permits the process to use SET AUDIT to modify the characteristics of the auditing database, including those of the audit server, the system audit journal, the security archive file, resource monitoring, and the audit, alarm, or failure mode. Grant this privilege only to security administrators. Irresponsible users who obtain this privilege can subvert the system's security mechanisms, lock out users through improper application of system passwords, and disable security auditing. The SECURITY privilege also lets a process perform the following tasks:
A.29 SETPRV Privilege (All)
The SETPRV privilege lets the user's process create processes whose privileges are greater than its own either by executing the Create Process ($CREPRC) system service with an optional argument or by issuing the DCL command RUN to create a process. A process with this privilege can also execute the DCL command SET PROCESS/PRIVILEGES to obtain any desired privilege.
Exercise the same caution in granting SETPRV as in granting any other
privilege because SETPRV lets a process enable any or all privileges.
A.30 SHARE Privilege (All)
The SHARE privilege lets processes assign channels to devices allocated to other processes or to a nonshared device using the Assign I/O Channel ($ASSIGN) system service.
Grant this privilege only to system processes such as print symbionts.
Otherwise, an irresponsible user can interfere with the operation of
devices belonging to other users.
A.31 SHMEM Privilege (Devour)
The SHMEM privilege lets the user's process create global sections and mailboxes (permanent and temporary) in memory shared by multiple processors if the process also has appropriate PRMGBL, PRMMBX, SYSGBL, and TMPMBX privileges. Just as in local memory, the space required for a temporary mailbox in multiport memory counts against the buffered I/O byte count limit (BYTLM) of the process.
The privilege also lets a user's process create or delete an event flag
cluster in shared memory using the Associate Common Event Flag Cluster
($ASCEFC) or the Disassociate Common Event Flag Cluster ($DACEFC)
system service.
A.32 SYSGBL Privilege (Objects)
The SYSGBL privilege lets the user's process create or delete system global sections by executing the Create and Map Section ($CRMPSC) or the Delete Global Section ($DGBLSC) system service. In addition, a process with this privilege (plus the CMKRNL and PRMGBL privileges) can use the Install utility (INSTALL).
Exercise caution when granting this privilege. System global sections
require space in the global section and global page tables, which are
limited resources.
A.33 SYSLCK Privilege (System)
The SYSLCK privilege lets the user's process lock systemwide resources with the Enqueue Lock Request ($ENQ) system service or obtain information about a system resource with the Get Lock Information ($GETLKI) system service.
Grant this privilege to users who need to run programs that lock
resources in the systemwide resource namespace. However, exercise
caution when granting this privilege. Users who hold the SYSLCK
privilege can interfere with the synchronization of all system and user
software.
A.34 SYSNAM Privilege (All)
The SYSNAM privilege lets the user's process bypass discretionary access controls and insert names into the system logical name table and delete names from that table by using the Create Logical Name ($CRELNM) and Delete Logical Name ($DELLNM) system services. A process with this privilege can use the DCL commands ASSIGN and DEFINE to add names to the system logical name table in user or executive mode and can use the DEASSIGN command in either mode to delete names from the table. To mount a system volume or to dismount a system or group volume with the appropriate mount or dismount command or system service, you must have the SYSNAM privilege. Grant this privilege only to the system operators or to system programmers who need to define system logical names (such as names for user devices, library directories, and the system directory). Note that a process with SYSNAM privilege could redefine such critical system logical names as SYS$SYSTEM and SYSUAF, thus gaining control of the system. The SYSNAM privilege also lets a process perform the following tasks:
A.35 SYSPRV Privilege (All)
The SYSPRV privilege lets a process access protected objects by the system protection field and also read and modify the owner (UIC), the UIC-based protection code, and the ACL of an object. Even if an object is protected against system access, a process with SYSPRV privilege can change the object's protection to gain access to it. Any process with SYSPRV privilege can add, modify, or delete entries in the system user authorization file (SYSUAF.DAT). Exercise caution when granting this privilege. Normally, grant this privilege only to system managers and security administrators. If unqualified users have system access rights, the operating system and service to others can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information. The SYSPRV privilege also lets a process perform the following tasks:
A process whose group UIC is less than or equal to the system parameter MAXSYSGRP has implied SYSPRV. When a process has SYSPRV or implied SYSPRV, it can also perform the following tasks:
A.36 TMPMBX Privilege (Normal)
The TMPMBX privilege lets the user's process create a temporary mailbox by executing the Create Mailbox and Assign Channel ($CREMBX) system service. Mailboxes are buffers in virtual memory that are treated as if they were record-oriented I/O devices. A mailbox is used for general interprocess communication. Unlike a permanent mailbox, which must be explicitly deleted, a temporary mailbox is deleted automatically when it is no longer referenced by any process.
Grant this privilege to all users of the system to facilitate
interprocess communication. System performance is not likely to be
degraded by permitting the creation of temporary mailboxes, because
their number is controlled by limits on the use of system dynamic
memory (BYTLM quota).
A.37 UPGRADE Privilege (Objects)
The UPGRADE privilege lets a process manipulate mandatory access
controls. The privilege allows a process to write to an object of
higher integrity, in violation of the Biba confinement (*) property.
This privilege is reserved for enhanced security products like SEVMS.
A.38 VOLPRO Privilege (Objects)
The VOLPRO privilege lets the user's process:
The VOLPRO privilege permits control only over volumes that the user's process can mount or initialize. Volumes mounted with the /SYSTEM qualifier are safe from a process with the VOLPRO privilege as long as the process does not also have the SYSNAM privilege. Exercise extreme caution when granting the VOLPRO privilege. If unqualified users can override volume protection, the operating system and service to others can be disrupted. Such disruptions can include destruction of the database and exposure of confidential information. The VOLPRO privilege lets a process perform the following tasks:
A.39 WORLD Privilege (System)
The WORLD privilege lets the user's process affect other processes both inside and outside its group by executing the following process control system services:
Suspend Process ($SUSPND)
The user's process is also allowed to examine processes outside its own group by executing the Get Job/Process Information ($GETJPI) system service. A process with WORLD privilege can issue the SET PROCESS command for all other processes. Any process with WORLD privilege can also obtain information about a lock held by a process in another group using the Get Lock Information ($GETLKI) system service. To exercise control over subprocesses that it created or to examine these subprocesses, a process needs no special privilege. To affect or examine other processes inside its own group, a process needs only the GROUP privilege. You should, however, grant this privilege to users who need to affect or examine processes outside their own group.
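The sections above each state who should hold a privilege (PRMMBX not for all users, SHARE only for system processes such as print symbionts, SECURITY only for security administrators, SYSNAM only for operators and system programmers, and so on), and the SYSPRV section adds that a UIC group at or below MAXSYSGRP carries implied SYSPRV. The script below is an added example written for this page, not part of the OpenVMS documentation or of AUTHORIZE. It turns that guidance into a review of authorization records: it parses text laid out like AUTHORIZE SHOW output (the sample is constructed and the layout is an approximation), lists every account holding a privilege the appendix says to grant narrowly, and flags implied SYSPRV from the UIC group. The MAXSYSGRP default of 8 (shown by SYSGEN as octal 10) and the octal reading of UIC fields are assumptions stated in the code, not facts from this page.

```python
"""Audit OpenVMS AUTHORIZE records against the privilege guidance in this
appendix.  Added example; not part of the OpenVMS documentation.

Assumptions (not stated on this page): the record layout below approximates
AUTHORIZE SHOW output; MAXSYSGRP defaults to 8 (SYSGEN displays it as
octal 10); the numeric fields of a UIC are octal.
"""
import re

# Who this appendix says may hold each privilege.  TMPMBX is omitted on
# purpose: the appendix says to grant it to all users.
RESTRICTED = {
    "PRMCEB": "grant with care; undeleted permanent CEF clusters tie up pool",
    "PRMGBL": "grant with care; permanent global sections use limited table space",
    "PRMMBX": "not for all users; permanent mailboxes outlive their creators",
    "PSWAPM": "only processes that must be locked in memory (real-time)",
    "READALL": "operators who perform backups",
    "SECURITY": "security administrators only",
    "SETPRV": "effectively grants every privilege",
    "SHARE": "system processes such as print symbionts only",
    "SYSLCK": "only programs that lock systemwide resources",
    "SYSNAM": "operators and system programmers only; can redefine SYS$SYSTEM and SYSUAF",
    "SYSPRV": "system managers and security administrators only",
    "UPGRADE": "reserved for enhanced security products such as SEVMS",
    "VOLPRO": "extreme caution; overrides volume protection",
    "WORLD": "only users who must control processes outside their group",
}
MAXSYSGRP_DEFAULT = 8  # assumption: SYSGEN default, displayed as octal 10

# Constructed sample approximating AUTHORIZE SHOW output for three accounts.
SAMPLE_UAF = """\
Username: SYSTEM                           Owner:  SYSTEM MANAGER
Account:  SYSTEM                           UIC:    [1,4] ([SYSTEM])
Authorized Privileges:
  ACNT      ALLSPOOL  ALTPRI    AUDIT     BUGCHK    BYPASS    CMEXEC    CMKRNL
  SECURITY  SETPRV    SYSNAM    SYSPRV    TMPMBX    WORLD
Default Privileges:
  CMKRNL    SETPRV    SYSPRV    TMPMBX
Username: OPERATOR                         Owner:  Console operator
Account:  OPS                              UIC:    [10,1] ([OPS,OPERATOR])
Authorized Privileges:
  NETMBX    OPER      READALL   TMPMBX
Default Privileges:
  NETMBX    OPER      TMPMBX
Username: JSMITH                           Owner:  J. Smith
Account:  USERS                            UIC:    [200,12] ([USERS,JSMITH])
Authorized Privileges:
  NETMBX    TMPMBX
Default Privileges:
  NETMBX    TMPMBX
"""

_UIC_RE = re.compile(r"UIC:\s*\[(\d+),(\d+)\]")


def parse_uaf_show(text):
    """Split SHOW output into records holding the username, the UIC group
    as a decimal int, and the set of authorized privileges."""
    records, current, in_auth = [], None, False
    for line in text.splitlines():
        if line.startswith("Username:"):
            current = {"username": line.split()[1], "uic_group": None,
                       "authorized": set()}
            records.append(current)
            in_auth = False
            continue
        if current is None:
            continue
        uic = _UIC_RE.search(line)
        if uic:
            current["uic_group"] = int(uic.group(1), 8)  # octal group field
        elif line.startswith("Authorized Privileges:"):
            in_auth = True
        elif line and not line[0].isspace():
            in_auth = False  # next unindented field ends the privilege list
        elif in_auth:
            current["authorized"].update(line.split())
    return records


def audit(records, maxsysgrp=MAXSYSGRP_DEFAULT):
    """Return (username, privilege, reason) for every restricted privilege
    held, plus implied SYSPRV where the UIC group is <= MAXSYSGRP."""
    findings = []
    for rec in records:
        for priv in sorted(rec["authorized"].intersection(RESTRICTED)):
            findings.append((rec["username"], priv, RESTRICTED[priv]))
        group = rec["uic_group"]
        if group is not None and group <= maxsysgrp:
            findings.append((rec["username"], "SYSPRV (implied)",
                             f"UIC group {group:o} (octal) <= MAXSYSGRP {maxsysgrp:o}"))
    return findings


if __name__ == "__main__":
    for user, priv, reason in audit(parse_uaf_show(SAMPLE_UAF)):
        print(f"{user:<10} {priv:<18} {reason}")
```

Run against the constructed sample, the script reports SYSTEM for SECURITY, SETPRV, SYSNAM, SYSPRV and WORLD, reports OPERATOR for READALL and, because UIC group 10 (octal) equals the assumed MAXSYSGRP, for implied SYSPRV, and reports nothing for JSMITH, whose group 200 (octal) is well above the threshold. The octal point is the one most often missed when reviewing UICs by eye; the code reads the group with base 8 so that [10,1] is correctly treated as group 8.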