Updated: 24 May 2001

OpenVMS Guide to System Security

The SECURITY privilege lets a process perform security-related functions such as modifying the system password with the DCL command SET PASSWORD/SYSTEM or modifying the system alarm and audit settings using the DCL command SET AUDIT. The privilege not only lets a user process start and stop the audit server process with SET AUDIT, it also permits the process to use SET AUDIT to modify the characteristics of the auditing database, including those of the audit server, the system audit journal, the security archive file, resource monitoring, and the audit, alarm, or failure mode.

Grant this privilege only to security administrators. Irresponsible users who obtain this privilege can subvert the system's security mechanisms, can lock out users through improper application of system passwords, and can disable security auditing.

The SECURITY privilege also lets a process perform the following tasks:

Task	Interface
Display system auditing information about the system audit log file, audit server settings, and so on	SHOW AUDIT
Display Hidden ACEs	SHOW SECURITY
Display the system intrusion list or delete a record	SHOW INTRUSION, DELETE/INTRUSION
Enable the security operator terminal	REPLY/ENABLE=SECURITY, $SNDOPR
Enable protected subsystems on a volume	MOUNT/SUBSYSTEM, $MOUNT, SET VOLUME/SUBSYSTEM

A.29 SETPRV Privilege (All)

The SETPRV privilege lets the user's process create processes whose privileges are greater than its own by executing the Create Process ($CREPRC) system service with an optional argument or by issuing the DCL command RUN to create a process. A process with this privilege can also execute the DCL command SET PROCESS/PRIVILEGES to obtain any desired privilege.

Exercise the same caution in granting SETPRV as in granting any other privilege because SETPRV lets a process enable any or all privileges.

A.30 SHARE Privilege (All)

The SHARE privilege lets processes assign channels to devices allocated to other processes or to a nonshared device using the Assign I/O Channel ($ASSIGN) system service.

Grant this privilege only to system processes such as print symbionts. Otherwise, an irresponsible user can interfere with the operation of devices belonging to other users.

A.31 SHMEM Privilege (Devour)

The SHMEM privilege lets the user's process create global sections and mailboxes (permanent and temporary) in memory shared by multiple processors if the process also has appropriate PRMGBL, PRMMBX, SYSGBL, and TMPMBX privileges. Just as in local memory, the space required for a temporary mailbox in multiport memory counts against the buffered I/O byte count limit (BYTLM) of the process.

The privilege also lets a user's process create or delete an event flag cluster in shared memory using the Associate Common Event Flag Cluster ($ASCEFC) or the Disassociate Common Event Flag Cluster ($DACEFC) system service.

A.32 SYSGBL Privilege (Files)

The SYSGBL privilege lets the user's process create or delete system global sections by executing the Create and Map Section ($CRMPSC) or the Delete Global Section ($DGBLSC) system service. In addition, a process with this privilege (plus the CMKRNL and PRMGBL privileges) can use the Install utility (INSTALL).

Exercise caution when granting this privilege. System global sections require space in the global section and global page tables, which are limited resources.

A.33 SYSLCK Privilege (System)

The SYSLCK privilege lets the user's process lock systemwide resources with the Enqueue Lock Request ($ENQ) system service or obtain information about a system resource with the Get Lock Information ($GETLKI) system service.

Grant this privilege to users who need to run programs that lock resources in the systemwide resource namespace. However, exercise caution when granting this privilege. Users who hold the SYSLCK privilege can interfere with the synchronization of all system and user software.

A.34 SYSNAM Privilege (All)

The SYSNAM privilege lets the user's process bypass discretionary access controls and insert names into the system logical name table and delete names from that table by using the Create Logical Name ($CRELNM) and Delete Logical Name ($DELLNM) system services. A process with this privilege can use the DCL commands ASSIGN and DEFINE to add names to the system logical name table in user or executive mode and can use the DEASSIGN command in either mode to delete names from the table.

To mount a system volume or to dismount a system or group volume with the appropriate mount or dismount command or system service, you must have the SYSNAM privilege.

Grant this privilege only to the system operators or to system programmers who need to define system logical names (such as names for user devices, library directories, and the system directory). Note that a process with SYSNAM privilege could redefine such critical system logical names as SYS$SYSTEM and SYSUAF, thus gaining control of the system.

The SYSNAM privilege also lets a process perform the following tasks:

Task	Interface
Access a MAIL maintenance record	MAIL
Modify a MAIL forward record	MAIL
Declare a network object	NETACP
Create an IPC association	$IPC
With CMKRNL, add or remove an identifier to system rights list	SET RIGHTS_LIST/SYSTEM, $GRANTID, $REVOKID

A.35 SYSPRV Privilege (All)

The SYSPRV privilege lets a process access protected objects by the system protection field and also read and modify the owner (UIC), the UIC-based protection code, and the ACL of an object. Even if an object is protected against system access, a process with SYSPRV privilege can change the object's protection to gain access to it. Any process with SYSPRV privilege can add, modify, or delete entries in the system user authorization file (SYSUAF.DAT).

Exercise caution when granting this privilege. Normally, grant this privilege only to system managers and security administrators. If unqualified users have system access rights, the operating system and service to others can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.

The SYSPRV privilege also lets a process perform the following tasks:

Task	Interface
Modify a file's expiration date	SET FILE/EXPIRATION
Modify the number of interlocked queue retries	$QIO request to an Ethernet 802 driver (DEBNA/NI)
Set the spin-wait time on the port command register	$QIO request to an Ethernet 802 driver (DEBNA)
Set the FROM field in a mail message	MAIL routines
Access a MAIL maintenance record	MAIL
Modify or delete a MAIL database record	MAIL
Modify the group number and password of a local area cluster	CLUSTER_AUTHORIZE component of SYSMAN
Perform transaction recovery, join a transaction as coordinator, transition a transaction	DECdtm software

A process whose group UIC is less than or equal to the system parameter MAXSYSGRP has implied SYSPRV. When a process has SYSPRV or implied SYSPRV, it can also perform the following tasks:

Task	Interface
Initialize a magnetic tape	$INIT_VOL
Override creation of an owner ACE on a newly created file	$QIO request to F11BXQP
Clear the directory bit in a directory's file header	$QIO request to the F11BXQP, SET FILE/NODIRECTORY
Acquire or release a volume lock	$QIO request to F11BXQP
Force mount verification on a volume	$QIO request to F11BXQP
Create a file access window with the no access lock bit set	$QIO request to F11BXQP
Specify null lock mode for a volume lock	$QIO request to F11BXQP
Access a locked file	$QIO request to F11BXQP
Disable disk quotas on volume	$QIO request to F11BXQP
Enable disk quotas on volume	$QIO request to F11BXQP

A.36 TMPMBX Privilege (Normal)

The TMPMBX privilege lets the user's process create a temporary mailbox by executing the Create Mailbox and Assign Channel ($CREMBX) system service.

Mailboxes are buffers in virtual memory that are treated as if they were record-oriented I/O devices. A mailbox is used for general interprocess communication. Unlike a permanent mailbox, which must be explicitly deleted, a temporary mailbox is deleted automatically when it is no longer referenced by any process.

Grant this privilege to all users of the system to facilitate interprocess communication. System performance is not likely to be degraded by permitting the creation of temporary mailboxes, because their number is controlled by limits on the use of system dynamic memory (BYTLM quota).

A.37 UPGRADE Privilege (All)

The UPGRADE privilege lets a process manipulate mandatory access controls. The privilege allows a process to write to an object of higher integrity, in violation of the Biba confinement (*) property. This privilege is reserved for enhanced security products like SEVMS.

A.38 VOLPRO Privilege (Objects)

The VOLPRO privilege lets the user's process:

• Initialize a previously used volume with an owner UIC different from the user's own UIC
• Override the expiration date on a tape or disk volume owned by another user
• Use the /FOREIGN qualifier to mount a Files-11 volume owned by another user
• Override the owner UIC protection of a volume

The VOLPRO privilege permits control only over volumes that the user's process can mount or initialize. Volumes mounted with the /SYSTEM qualifier are safe from a process with the VOLPRO privilege as long as the process does not also have the SYSNAM privilege.

Exercise extreme caution when granting the VOLPRO privilege. If unqualified users can override volume protection, the operating system and service to others can be disrupted. Such disruptions can include destruction of the database and exposure of confidential information.

The VOLPRO privilege lets a process perform the following tasks:

Task	Interface
Dismount a volume	DISMOUNT/ABORT, $DISMOU
Initialize a volume	$INIT_VOL
Mount foreign multivolume magnetic tape set	MOUNT/MULTI_VOLUME
Override volume labels or accessibility	$MOUNT
Initialize blank tape	REPLY/BLANK_TAPE, $SNDOPR
Override access while initializing a magnetic tape after a file access error	$INIT_VOL
Override write-locking of volume on errors	$MOUNT
Override write protection of former shadow set member	$MOUNT
Override volume expiration, protection, or ownership	$MOUNT

A.39 WORLD Privilege (System)

The WORLD privilege lets the user's process affect other processes both inside and outside its group by executing the following process control system services:

• Suspend Process ($SUSPND)
• Resume Process ($RESUME)
• Delete Process ($DELPRC)
• Set Priority ($SETPRI)
• Wake ($WAKE)
• Schedule Wakeup ($SCHDWK)
• Cancel Wakeup ($CANWAK)
• Force Exit ($FORCEX)

The user's process is also allowed to examine processes outside its own group by executing the Get Job/Process Information ($GETJPI) system service. A process with WORLD privilege can issue the SET PROCESS command for all other processes. Any process with WORLD privilege can also obtain information about a lock held by a process in another group using the Get Lock Information ($GETLKI) system service.

To exercise control over subprocesses that it created or to examine these subprocesses, a process needs no special privilege. To affect or examine other processes inside its own group, a process needs only the GROUP privilege. You should, however, grant this privilege to users who need to affect or examine processes outside their own group.

This appendix lists OpenVMS VAX system files and their protections so you can monitor them regularly to ensure that no tampering has occurred. Section B.1 identifies the protection codes and ownership assigned to the files and calls out any exceptions. Section B.2 lists the system files supplied on OpenVMS VAX media.

See Chapter 8, particularly Section 8.9.2 for a discussion of how to protect OpenVMS system files.

B.1 Standard Ownership and Protection

The system (SYSTEM) owns all OpenVMS system files except one. The directory MOM$SYSTEM is owned by UIC [376,375].

All files in SYS$DEVICE:[VMS$COMMON], except those listed in Table B-1, have a protection code of S:RWED,O:RWED,G:RWED,W:RE.

Table B-1 Exceptions to Standard OpenVMS VAX System File Protection

Files		Protection
[VMS$COMMON]
DECW$DEFAULTS.DIR	MOM$SYSTEM.DIR	S:RWE,O:RWE,G:RE,W:RE
SYS$KEYMAP.DIR;	SYS$LDR.DIR
SYS$STARTUP.DIR	SYSCBI.DIR
SYSERR.DIR	SYSEXE.DIR
SYSFONT.DIR	SYSHLP.DIR
SYSLIB.DIR	SYSMAINT.DIR
SYSMGR.DIR	SYSMSG.DIR
SYSTEST.DIR	SYSUPD.DIR
VUE$LIBRARY.DIR
[VMS$COMMON.SYS$KEYMAP]
DECW.DIR		S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYS$KEYMAP.DECW]
SYSTEM.DIR	USER.DIR	S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYSEXE]
ISL_LVAX_061.SYS	ISL_SVAX_061.SYS	S:RWED,O:RWED,G:RE,W:RE
MSGHLP$MAIN.EXE		S:RE,O:RE,G:RE,W:RE
RIGHTSLIST.DAT		S:RWED,O:RWED,G:R,W
SYSUAF.DAT		S:RWE,O:RWE,G:RWE,W
VMS$OBJECTS.DAT		S:RWE,O:RWE,G:RE,W
[VMS$COMMON.SYSFONT]
DECW.DIR	PS_FONT_METRICS.DIR	S:RWE,O:RWE,G:RE,W:RE
VWS.DIR	XDPS.DIR
[VMS$COMMON.SYSFONT]
DECW.DIR	PS_FONT_METRICS.DIR	S:RWE,O:RWE,G:RE,W:RE
VWS.DIR	XDPS.DIR
[VMS$COMMON.SYSFONT.DECW]
100DPI.DIR	75DPI.DIR	S:RWE,O:RWE,G:RE,W:RE
COMMON.DIR	CURSOR16.DIR
CURSOR32.DIR	USER_100DPI.DIR
USER_75DPI.DIR	USER_COMMON.DIR
USER_CURSOR16.DIR	USER_CURSOR32.DIR
[VMS$COMMON.SYSHLP]
DECW.DIR	VMSDOC.DIR	S:RWE,O:RWE,G:RE,W:RE
MSGHLP$ENGLISH.EXE		S:RE,O:RE,G:RE,W:RE
EXAMPLES.DIR		S:RWE,O:RWE,G:RE,W:RE
[VMS$COMMON.SYSLIB]
CDA$ACCESS.EXE	DECW$DWTLIBSHR.EXE	S:RW,O:RWED,G:R,W:R
DECW$PRINTWGTSHR.EXE	DECW$XLIBSHR.EXE
MSGHLP$ENGLISH.EXE	MSGHLP$SHARE.EXE	S:RE,O:RE,G:RE,W:RE
VMS$PASSWORD_DIC TIONARY.DATA		S:RE,O:RE,G,W
XDPS$DPSBINDINGSSHR.EXE	XDPS$DPSCLIENTSHR.EXE	S:RW,O:RWED,G:R,W:R
XDPS$DPSLIBSHR.EXE	XNL$SHR.EXE
[VMS$COMMON.SYSMGR]
SECURITY.AUDIT$JOURNAL		S:RWED,O:RWED,G:RE,W
VMS$AUDIT_SERVER.DAT		S:RWE,O:RWE,G:RE,W
WELCOME.TEMPLATE	WELCOME.TXT	S:RWED,O:RWED,G:RE,W:RE
[VMS$COMMON.VUE$LIBRARY]
SYSTEM.DIR	USER.DIR	S:RWE,O:RWE,G:RE,W:RE

Copyright © Compaq Computer Corporation 1998. All rights reserved. Legal

6346PRO_033.HTML