With ALTPRI, a process can create a detached process with a priority higher than its own. It creates such a process by using an optional argument to the Create Process ($CREPRC) system service or to the DCL command RUN/PRIORITY.
ALTPRI also lets you adjust the scheduling priority of a job ($SNDJBC) to a value even greater than that established with the system parameter MAXQUEPRI.
Do not grant this privilege widely; if unqualified users have the unrestricted ability to set base priorities, fair and orderly scheduling of processes for execution can easily be disrupted.
The AUDIT privilege allows software to append audit records to the system security audit log file using one of four system services: $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS. In addition, the $AUDIT_EVENT system service allows all components of an audit message to be specified. As a result, this privilege permits the logging of events that appear to have come from the operating system or a user process.
Grant this privilege only to trusted images that need to append audit messages to the system audit log file. Users possessing this privilege can provoke a system failure by attempting to log invalid events with the NSA$M_INTERNAL flag set.
The BUGCHK privilege allows the process to make bugcheck error log entries from user, supervisor, or compatibility mode (EXE$BUG_CHECK) or to send messages to the system error logger ($SNDERR). Restrict this privilege to Digital-supplied system software that uses the Bugcheck facility.
The BYPASS privilege allows the user's process full access to all protected objects, totally bypassing UIC-based protection, access control list (ACL) protection, and mandatory access controls. With the BYPASS privilege, a process has unlimited access to the system. Among the operations that can be performed are
Grant this privilege with extreme caution because it overrides all object protection. It should be reserved for use by well-tested, reliable programs and command procedures. The SYSPRV privilege is adequate for interactive use because it ultimately grants access to all objects while still providing access checks. The READALL privilege is adequate for backup operations.
The BYPASS privilege lets a process perform the following tasks:
Task | Interface |
---|---|
Perform file system operations: | |
Modify file ownership | SET SECURITY/OWNER, $QIO request to F11BXQP |
Access a file that is marked for deletion | $QIO request to F11A ACP or F11BXQP |
Access a file that is deaccess locked | $QIO request to F11A ACP or F11BXQP |
Override creation of an owner ACE on a newly created file | $QIO request to F11BXQP |
Clear the directory bit in a directory's file header | $QIO request to F11BXQP |
Operate on an extension header | $QIO request to F11BXQP |
Acquire or release a volume lock | $QIO request to F11BXQP |
Force mount verification on a volume | $QIO request to F11BXQP |
Create a file access window with the no access lock bit set | $QIO request to F11BXQP |
Specify null lock mode for volume lock | $QIO request to F11BXQP |
Access a locked file | $QIO request to F11BXQP |
Enable or disable disk quotas on a volume | $QIO request to F11BXQP |
Operate on network databases: | |
Display permanent network database records | NCP |
Display permanent DECnet object password | NCP |
Display volatile DECnet object password | NCP |
Adjust discretionary or mandatory access controls: | |
Read a user authorization record | $GETUAI |
Modify a user authorization record | $SETUAI |
Modify mailbox protection | $QIO request to the mailbox driver (MBDRIVER) |
Modify shared memory mailbox protection | $QIO request to the shared memory mailbox driver (MBXDRIVER) |
Bypass discretionary or mandatory object protection | $CHKPRO |
Miscellaneous: | |
Initialize a magnetic tape | $INIT_VOL |
Unload an InfoServer system | $QIO request to the InfoServer system (DADDRIVER) |
The CMEXEC privilege allows the user's process to execute the Change Mode to Executive ($CMEXEC) system service.
This system service lets a process change its access mode to executive mode, execute a specified routine, and then return to the access mode that was in effect before the system service was called. While in executive mode, the process is allowed to execute the Change Mode to Kernel ($CMKRNL) system service.
Grant this privilege only to users who need to gain access to protected and sensitive data structures and internal functions of the operating system. If unqualified users have unrestricted access to sensitive data structures and functions, the operating system and service to other users can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.
The CMKRNL privilege allows the user's process to execute the Change Mode to Kernel ($CMKRNL) system service.
This system service lets a process change its access mode to kernel mode, execute a specified routine, and then return to the access mode that was in effect before the system service was called. While in kernel mode, a process can enable any system privilege.
A process holding both CMKRNL and SYSNAM can set the system time.
Grant this privilege only to users who need to execute privileged instructions or who need to gain access to the most protected and sensitive data structures and functions of the operating system. If unqualified users have unrestricted use of privileged instructions and unrestricted access to sensitive data structures and functions, the operating system and service to other users can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.
The CMKRNL privilege lets a process perform the following tasks:
Task | Interface |
---|---|
Modify a multiprocessor operation | START/CPU, STOP/CPU |
Modify systemwide RMS defaults | SET RMS/SYSTEM |
Suspend a process in kernel mode | SET PROCESS/SUSPEND=KERNEL |
Modify another process' rights list or its nondynamic identifier attributes | SET RIGHTS_LIST |
Grant an identifier with modified attributes | SET RIGHTS/ATTRIBUTE |
Modify the system rights list | SET RIGHTS_LIST/SYSTEM |
Change a process UIC | SET UIC |
Modify the number of interlocked queue retries | $QIO request to an Ethernet 802 driver (DEBNA/NI) |
Connect to a device interrupt vector | $QIO request to an interrupt vector (CONINTERR) |
Start or modify a line in Genbyte mode | $QIO request to a synchronous communications line (XGDRIVER) |
Set the spin-wait time on the port command register | $QIO request to an Ethernet 802 driver (DEBNA) |
Modify a known image list | INSTALL |
Process the following item codes: | Send to Job Controller system service ($SNDJBC) |
Create a detached process with unrestricted quotas | RUN/DETACHED, $CREPRC |
Examine the internals of the running system | ANALYZE/SYSTEM |
Processes can create detached processes that have their own UIC without the DETACH privilege, provided the processes do not exceed their MAXJOBS and MAXDETACH quotas. However, the DETACH privilege becomes valuable when a process wants to specify a different UIC for the detached process. There is no restriction on the UIC that can be specified for a detached process if you have the DETACH privilege. Thus, there are no restrictions on the files, directories, and other objects to which a detached process can gain access. The DETACH privilege also lets a process create a detached process with unrestricted quotas. A process can create detached processes by executing the Create Process ($CREPRC) system service.
In addition, DETACH grants the ability to create a trusted server process using the DCL command RUN/DETACH. Trusted processes are exempt from the normal system security auditing policy.
Detached processes remain in existence even after the user who created them has logged out of the system.
The DIAGNOSE privilege lets a process run online diagnostic programs and intercept and copy all messages written to the error log file.
The DIAGNOSE privilege also lets a process perform the following tasks:
Task | Interface |
---|---|
Issue a $QIO request with associated diagnostic buffer | $QIO |
Modify the number of interlocked queue retries | $QIO request to an Ethernet 802 driver (DEBNA/NI) |
Set the spin-wait time on the port command register | $QIO request to an Ethernet 802 driver (DEBNA) |
Access the Diagnostic and Utilities Protocol (DUP) class driver | $QIO request to the DUP class driver used by SET HOST/HSC (FYDRIVER) |
Execute a special passthrough function in the SCSI generic class driver | $QIO request to the SCSI driver (GKDRIVER) |
Process a diagnostic buffer | $QIO request to a TU58 magnetic tape (TUDRIVER) |
The DOWNGRADE privilege permits a process to manipulate mandatory access controls. The privilege lets a process write to an object of lower secrecy, in violation of the Bell and LaPadula confinement (*) property. This privilege is reserved for enhanced security products like the Security Enhancement Service software (SEVMS).
The EXQUOTA privilege allows the space taken by the user's files on given disk volumes to exceed any usage quotas set for the user (as determined by UIC) on those volumes.
The GROUP privilege allows the user's process to affect other processes in its own group by executing the following process-control system services:
With GROUP privilege, a user's process can control another process in the same group. The user's process is allowed to examine other processes in its own group by executing the Get Job/Process Information ($GETJPI) system service. A process with GROUP privilege can issue the SET PROCESS command for other processes in its group.
GROUP privilege is not needed for a process to exercise control over, or to examine, subprocesses that it created or other detached processes of its UIC. You should, however, grant this privilege to users who need to exercise control over the processes and operations of other members of their UIC group.
The GRPNAM privilege lets the user's process bypass discretionary access controls and insert names into (and delete names from) the logical name table of the group to which the process belongs by the use of the Create Logical Name ($CRELNM) and Delete Logical Name ($DELLNM) system services.
In addition, the privileged process can issue the DCL commands ASSIGN and DEFINE to add names to the group logical name table and the DCL command DEASSIGN to delete names from the table. The privilege allows the use of the /GROUP qualifier with the DCL commands MOUNT and DISMOUNT (as well as the system services $MOUNT and $DISMOUNT) when sharing volumes among group members.
Do not grant this privilege to all users of the system because it allows the user's process to create an unlimited number of group logical names. When unqualified users have the unrestricted ability to create group logical names, excessive use of system dynamic memory can degrade system performance. In addition, a process with the GRPNAM privilege can interfere with the activities of other processes in the same group by creating definitions of commonly used logical names such as SYS$SYSTEM.
When the process's group matches the group of the object owner, the GRPPRV privilege gives a process the access rights provided by the object's system protection field. GRPPRV also lets a process change the protection or the ownership of any object whose owner group matches the process's group by using the DCL command SET SECURITY.
Grant this privilege only to users who function as group managers. If this privilege is given to unqualified users who have no need for it, they can modify group UAF records to values equal to those of the group manager. They can increase resource allocations and grant privileges for which they are authorized.
The GRPPRV privilege lets a process perform the following tasks:
Task | Interface |
---|---|
Modify object ownership | SET SECURITY/OWNER, $QIO request to F11BXQP |
Read or modify a user authorization record | $GETUAI, $SETUAI |
File system operations: | $QIO request to F11BXQP |
The IMPORT privilege lets a process manipulate mandatory access controls. The privilege lets a process mount unlabeled tape volumes. This privilege is reserved for enhanced security products like SEVMS.
The LOG_IO privilege lets the user's process execute the Queue I/O Request ($QIO) system service to perform logical-level I/O operations. LOG_IO privilege is also required for certain device control functions, such as setting permanent terminal characteristics. A process with the typical privileges of NETMBX and TMPMBX that also holds LOG_IO and SYSNAM can reconfigure the Ethernet using the Phase IV network configuration procedure, NICONFIG.COM.
Usually, process I/O requests are handled indirectly by use of an I/O package such as OpenVMS Record Management Services (RMS). However, to increase their control over I/O operations and to improve the efficiency of I/O operations, skilled users sometimes prefer to handle the interface between their process and a system I/O driver program directly. They can do this by executing $QIO; in many instances, the operation called for is a logical-level I/O operation. Note that logical-level functions are permitted without LOG_IO privilege on a device mounted with the /FOREIGN qualifier and on non-file-structured devices.
Grant this privilege only to users who need it because it allows a process to access data anywhere on the selected volume without the benefit of any file structuring. If this privilege is given to unqualified users who have no need for it, the operating system and service to other processes can be easily disrupted. Such disruptions can include the destruction of information on the system device, the destruction of user data, and the exposure of confidential information.
The LOG_IO privilege also lets a process perform the following tasks:
Task | Interface |
---|---|
Issue physical I/O calls to a private, non-file-structured device | $QIO |
Modify the following terminal attributes: HANGUP, SET_SPEED, SECURE_SERVER | SET TERMINAL /[NO]HANGUP, /[NO]SET_SPEED, /[NO]SECURE_SERVER (or TTDRIVER) |
The MOUNT privilege lets the user's process execute the mount volume QIO function. The use of this function should be restricted to system software supplied by Digital.
The NETMBX privilege lets a process perform functions related to a DECnet computer network. For example, it allows a process to switch a terminal line to an asynchronous DECnet protocol or assign a channel to a network device. Grant this privilege to general users who need to access the network.
The OPER privilege allows a process to use the Operator Communication Manager (OPCOM) process to reply to users' requests, to broadcast messages to all terminals logged in, to designate terminals as operators' terminals and specify the types of messages to be displayed on these operators' terminals, and to initialize and control the log file of operators' messages. In addition, this privilege lets the user spool devices, create and control all queues, and modify the protection and ownership of all non-file-structured devices.
Grant this privilege only to the operators of the system. These are the users who respond to the requests of ordinary users, who tend to the needs of the system's peripheral devices (mounting reels of tape and changing printer forms), and who attend to all the other day-to-day chores of system operation. (A nonprivileged user can log in on the console terminal to respond to operator requests, for example, to mount a tape.)
The OPER privilege lets a process perform the following tasks:
Task | Interface |
---|---|
Modify device protection | SET PROTECTION/DEVICE |
Modify device ownership | SET PROTECTION/DEVICE/OWNER |
Access the System Management utility | SYSMAN |
Perform operator tasks: | |
Issue a broadcast reply | REPLY, $SNDOPR |
Cancel a system operator request | REPLY/ABORT, $SNDOPR |
Initialize the system operator log file | $SNDOPR |
Reply to a pending system operator request | REPLY/TO, REPLY/PENDING, REPLY/INITIALIZE_TAPE, $SNDOPR |
Issue a system operator request | REQUEST, $SNDOPR |
Enable system operator classes | REPLY/ENABLE, $SNDOPR, $SNDMSG |
Disable system operator classes | REPLY/DISABLE, $SNDOPR |
Send a broadcast message | $BRKTHRU, $BRDCST |
Write an event to the operator log | $SNDOPR |
Initialize a system operator log | REPLY/LOG, $SNDOPR |
Close the current operator log | REPLY/NOLOG, $SNDOPR |
Send a message to an operator | REPLY, $SNDOPR |
Enable or disable autostart | $SNDJBC (SJC$_DISABLE_AUTO_START, SJC$_ENABLE_AUTO_START) |
Stop all queues | $SNDJBC (SJC$_STOP_ALL_QUEUES_ON_NODE) |
Modify the characteristics of devices: | |
Modify device availability | SET DEVICE/[NO]AVAILABLE |
Modify device dual-porting | SET DEVICE/[NO]DUAL_PORT |
Modify device error logging | SET DEVICE/[NO]ERROR_LOGGING |
Modify device spooling | SET DEVICE/[NO]SPOOLED |
Modify default definitions of days: | |
Set default day type to PRIMARY | SET DAY/PRIMARY |
Set default day type to SECONDARY | SET DAY/SECONDARY |
Return day type to DEFAULT | SET DAY/DEFAULT |
Modify or override login limits: | |
Modify interactive login limit | SET LOGIN/INTERACTIVE |
Modify network login limit | SET LOGIN/NETWORK |
Modify batch login limit | SET LOGIN/BATCH |
Create and modify queues: | |
Bypass discretionary access to a queue | |
Create a queue | $SNDJBC (SJC$_CREATE_QUEUE) |
Define queue characteristics | $SNDJBC (SJC$_DEFINE_CHARACTERISTICS) |
Define forms | $SNDJBC (SJC$_DEFINE_FORM) |
Delete characteristics | $SNDJBC (SJC$_DELETE_CHARACTERISTICS) |
Delete forms | $SNDJBC (SJC$_DELETE_FORM) |
Set the base priority of batch processes | $SNDJBC (SJC$_BASE_PRIORITY) |
Set the scheduling priority of a job | $SNDJBC (SJC$_PRIORITY) |
Start accounting | SET ACCOUNTING/ENABLE, $SNDJBC (SJC$_START_ACCOUNTING) |
Stop accounting | SET ACCOUNTING/DISABLE, $SNDJBC (SJC$_STOP_ACCOUNTING) |
Operate the LAT device: | |
Transmit LAT solicit information message | $QIO request to a LAT port driver (LTDRIVER) |
Set static rating for LAT service | $QIO request to a LAT port driver (LTDRIVER) |
Read last LAT response message buffer | $QIO request to a LAT port driver (LTDRIVER) |
Change port type from dedicated to application | $QIO request to a LAT port driver (LTDRIVER) |
Change port type from application to dedicated | $QIO request to a LAT port driver (LTDRIVER) |
Modify tape operations: | |
Specify number of file window-mapping pointers | MOUNT/WINDOWS, $MOUNT |
Mount a volume with an alternate ACP | MOUNT/PROCESSOR, $MOUNT |
Mount a volume with alternate cache limits | MOUNT/CACHE, $MOUNT |
Modify write caching for a tape controller | MOUNT/CACHE, $MOUNT |
Modify ODS1 directory FCB cache limit | SET VOLUME/ACCESSED, MOUNT/ACCESSED, $MOUNT |
Perform network operations: | |
Connect to an object while executor state is restricted | |
Read network event-logging buffer | NETACP |
Modify network volatile database | NETACP |
Access the permanent database for an update | DECnet/NML |
Connect to a DECnet circuit | $QIO request to the DECnet downline load and loopback class driver (NDDRIVER) |
Display the permanent DECnet service password | NCP |
Display the volatile DECnet service password | NCP |
Control character conversion by terminals: | |
Load terminal fallback table | TFU, $QIO request to the terminal fallback driver (FBDRIVER) |
Unload terminal fallback table | TFU, $QIO request to the terminal fallback driver (FBDRIVER) |
Establish system default terminal fallback table | TFU, $QIO request to the terminal fallback driver (FBDRIVER) |
Control cluster operations: | |
Request expected votes modification | SET CLUSTER/EXPECTED_VOTES |
Request MSCP serving of a device | SET DEVICE/SERVED |
Request quorum modification | SET CLUSTER/QUORUM |
Add an adapter to the failover list | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
Remove an adapter from the failover list | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
Set an adapter to be the current adapter | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
Set the new adapter test interval | $QIO request to the DEBNI BI bus NI driver (EFDRIVER) |
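The guidance in the sections above on which privileges to grant narrowly (BYPASS, CMKRNL, CMEXEC, DETACH, LOG_IO, AUDIT, ALTPRI, GRPNAM, OPER) can be checked against an account listing. The following Python script is an added example and not part of this manual: it parses a constructed sample in the shape of AUTHORIZE SHOW output (the exact layout is assumed) and reports, per account, which restricted privileges are authorized and which are also enabled by default at login.

```python
import re

# Privileges this appendix says to grant narrowly, with the concern it gives.
RESTRICTED = {
    "BYPASS": "overrides all object protection",
    "CMKRNL": "kernel mode; can enable any privilege",
    "CMEXEC": "executive mode; can then call $CMKRNL",
    "DETACH": "detached processes under any UIC, unrestricted quotas",
    "LOG_IO": "unstructured access to any data on a volume",
    "AUDIT": "can append audit records that look system-generated",
    "ALTPRI": "can disrupt fair scheduling",
    "GRPNAM": "can redefine group logical names such as SYS$SYSTEM",
    "OPER": "controls queues, devices and operator messages",
}

# Constructed sample in the shape of AUTHORIZE SHOW output (layout assumed).
SAMPLE = """\
Username: SYSTEM                            Owner:  SYSTEM MANAGER
Account:  SYSTEM                            UIC:    [1,4] ([SYSTEM])
Authorized Privileges:
  ACNT         BYPASS       CMKRNL       DETACH       LOG_IO       TMPMBX
Default Privileges:
  ACNT         BYPASS       CMKRNL       DETACH       LOG_IO       TMPMBX

Username: JSMITH                            Owner:  Jane Smith
Account:  ENG                               UIC:    [200,12] ([ENG,JSMITH])
Authorized Privileges:
  CMKRNL       GRPNAM       NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX
"""

def parse_authorize_show(text):
    """Return {username: {"uic": str, "authorized": set, "default": set}}."""
    accounts, acct, section = {}, None, None
    for line in text.splitlines():
        if line.startswith("Username:"):  # new record; privilege sections reset
            acct = {"uic": "", "authorized": set(), "default": set()}
            accounts[line.split()[1]] = acct
            section = None
        elif acct is None:
            continue
        elif line.startswith("Authorized Privileges:"):
            section = "authorized"
        elif line.startswith("Default Privileges:"):
            section = "default"
        elif not line.strip():
            section = None  # a blank line ends a privilege list
        elif section:
            acct[section].update(t for t in line.split() if re.fullmatch(r"[A-Z][A-Z_$]*", t))
        elif (m := re.search(r"UIC:\s+(\[[^\]]*\])", line)):
            acct["uic"] = m.group(1)
    return accounts

def review(text):
    """Map each account to the restricted privileges it is authorized to hold:
    (privilege, enabled at login by default?, concern from this appendix)."""
    findings = {}
    for user, acct in parse_authorize_show(text).items():
        hits = sorted(acct["authorized"] & set(RESTRICTED))
        if hits:
            findings[user] = [(p, p in acct["default"], RESTRICTED[p]) for p in hits]
    return findings
```

A privilege that is authorized but not default (JSMITH's CMKRNL in the sample) is still available through SET PROCESS/PRIVILEGES, so the review reports both columns.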
6346P024.HTM OSSG Documentation 22-NOV-1996 13:05:27.98
Copyright © Digital Equipment Corporation 1996. All Rights Reserved.