HP OpenVMS Systems - ask the wizard
The Question is:

I have a number of privileged users on the system with the following privileges:

    ACNT,AUDIT,CMKRNL,EXQUOTA,GROUP,GRPNAM,GRPPRV,
    IMPERSONATE,LOG_IO,MOUNT,NETMBX,OPER,PHY_IO,
    PRMCEB,READALL,SECURITY,SYSGBL,SYSLCK,SYSNAM,
    SYSPRV,TMPMBX,VOLPRO,WORLD

I want to protect certain system level files and/or utilities. For example, I do not want them to get into the UAF utility and add/modify/delete UAF Records. I set the following ACL on the .EXE and the .DAT file, but they still can gain access:

    SYSUAF.DAT;2    90/90    6-NOV-2000 18:53:59.64  [ADMIN,SYSTEM]  (RWED,RWED,,)
        (IDENTIFIER=SECADM,OPTIONS=PROTECTED,ACCESS=READ+WRITE+EXECUTE+DELETE+CONTROL)
        (IDENTIFIER=[*,*],ACCESS=NONE)

The Answer is:

The mechanism used to protect files and other objects is the privilege. You cannot protect against any access by any user with any of the more powerful privileges -- any privilege in the "all" category -- by any means other than the removal of the privilege(s).

Again, you cannot protect against a privileged user.

Again, you must either remove the privilege(s), or you must trust the user -- or the two users, in the case of a two-person (two-password) login -- to act appropriately.

Please review the OpenVMS security documentation for further information, and for privilege and protection recommendations, and for details of operating in a secure environment -- see the NCSC Class C2 appendix, among other portions of the manual.

Related topics include (5639), (7368), (7813), and others.
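To find which accounts fall under the answer's "remove the privilege or trust the user" rule, the following added example (not part of the original question or answer) scans an AUTHORIZE-style listing for authorized privileges in the "all" category. The `ALL_CATEGORY` set is an assumption taken from the classification in the OpenVMS Guide to System Security, and the account names and listing are constructed sample data.

```python
import re

# "All"-category privileges as classified in the OpenVMS Guide to System
# Security (assumption: this set is not given on the page itself).
ALL_CATEGORY = {
    "BYPASS", "CMEXEC", "CMKRNL", "DOWNGRADE", "IMPERSONATE", "LOG_IO",
    "PFNMAP", "PHY_IO", "SETPRV", "SHARE", "SYSNAM", "SYSPRV", "UPGRADE",
}

# Constructed sample in the layout of AUTHORIZE "SHOW" output. JONES carries
# the privilege list from the question; SMITH is an ordinary account.
SAMPLE = """\
Username: JONES                            Owner:  J JONES
Authorized Privileges:
  ACNT         AUDIT        CMKRNL       EXQUOTA      GROUP        GRPNAM
  GRPPRV       IMPERSONATE  LOG_IO       MOUNT        NETMBX       OPER
  PHY_IO       PRMCEB       READALL      SECURITY     SYSGBL       SYSLCK
  SYSNAM       SYSPRV       TMPMBX       VOLPRO       WORLD
Default Privileges:
  NETMBX       TMPMBX
Username: SMITH                            Owner:  S SMITH
Authorized Privileges:
  NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX
"""

def all_category_holders(listing):
    """Map username -> sorted All-category privileges it is authorized for."""
    found, user, in_auth = {}, None, False
    for line in listing.splitlines():
        m = re.match(r"Username:\s+(\S+)", line)
        if m:
            user, in_auth = m.group(1), False
        elif line.startswith("Authorized Privileges:"):
            # Authorized (not default) is what matters: the user can enable
            # any authorized privilege for the process at will.
            in_auth = True
        elif line.startswith("Default Privileges:"):
            in_auth = False
        elif in_auth and user and line.startswith(" "):
            hits = ALL_CATEGORY.intersection(line.split())
            if hits:
                found.setdefault(user, set()).update(hits)
    return {u: sorted(p) for u, p in found.items()}

if __name__ == "__main__":
    for user, privs in all_category_holders(SAMPLE).items():
        print(f"{user}: remove {', '.join(privs)} or treat as fully trusted")
```
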