
Contents of a User's Security Profile  



The profile of a user process or application includes the following elements:

   The user identification code (UIC)
   A set of rights identifiers
   A set of privileges (optional)

Per-Thread Security  

OpenVMS Alpha Version 7.2 includes the implementation of thread-level security. This feature, known as per-thread security, allows each execution thread of a multithreaded process to run an independent security profile without impacting the security profiles of other threads in the process.

Security profile information previously contained in various process-level data structures and data cells is now stored in a single data structure, the Persona Security Block (PSB), which is then bound to a thread of execution. All associated references within OpenVMS have been redirected accordingly. Every process in the system has at least one PSB, the natural persona of the process. The natural persona is created during process creation.

Interaction between a thread manager (for example, the thread manager incorporated within the HP POSIX Threads Library) and the security subsystem provides for the automatic switching of profiles while threads are scheduled for execution.

Persona Security Block Data Structure (PSB)

The user's security profile (privileges, rights, and identity information) has shifted from the process level to the user thread level. The security information previously stored in several structures (including the Access Rights Block (ARB), Process Control Block (PCB), Process Header Descriptor (PHD), Job Information Block (JIB), and Control (CTL) region fields) has moved to a new Persona Security Block (PSB) data structure, and all references are redirected accordingly. OpenVMS no longer uses some of the fields in these structures. The affected fields are now considered obsolete. (See the Obsolete Data Cells and New Location of Security Information table in the HP OpenVMS Release Notes.)

Each process has a persona array containing the addressesof all persona blocks allocated to the process.

The new persona block (PSB) contains the following:

   Identity information, including the UIC
   The privileges
   The rights identifiers

The kernel threads block (KTB) points to the persona blockfor the currently active thread.

Previous Security Model

In previous versions of OpenVMS, the information that constitutes a user's security profile was bound at the process level, common to all threads of execution within the process. Previous Per-Thread Security Model illustrates this relationship.

Figure 1  Previous Per-Thread Security Model
(figure not reproduced)

Modifications made to the security profile by one thread are potentially visible to other threads, depending on how the threads perform profile management among themselves.

Per-Thread Security Model

In OpenVMS Version 7.2, each thread of execution can share a security profile with other threads or have a thread-specific security profile. Per-Thread Security Profile Model illustrates these relationships.

Figure 2  Per-Thread Security Profile Model
(figure not reproduced)

As is the case in the previous model, modifications to a shared profile are potentially visible to all threads that share the profile. However, modifications made to a thread-specific security profile are only applicable to the particular thread.

User Identification Code (UIC)  

The first element of a subject's security profile is the user identification code (UIC). Your UIC tells what system group you belong to and what your unique identification is within that group.

Format of a UIC  

A UIC specification always appears in brackets, but its format can differ. Valid formats include the following:

   Alphanumeric: a group name and a member name, or a member name alone
   Numeric: a group number and a member number, written in octal

The following table illustrates several UICs in proper UIC notation:

   Type of UIC     Example        Meaning
   Alphanumeric    [USER,FRED]    Group USER, member FRED
                   [EXEC,JONES]   Group EXEC, member JONES
                   [JONES]        Group EXEC, member JONES
   Numeric         [200,10]       Group 200, member 10
                   [3777,3777]    Group 3777, member 3777

Only one user can have the member name JONES; therefore JONES must belong to the EXEC group.

Guidelines for Creating a UIC  

UICs cannot be arbitrarily assigned. A security administrator has to observe the following guidelines when creating them:

   A member name can appear in only one UIC on the system.
   The member name of an alphanumeric UIC is normally the same as the associated login user name.

These guidelines exist because the system translates a UIC to a 32-bit value that represents a group number and a member number; the high-order 16 bits contain the group number, and the low-order 16 bits contain the member number. When translating an alphanumeric UIC such as [J_JONES], the operating system equates the member part of the alphanumeric UIC to both the group and member parts of a numeric UIC. The resulting 32-bit numeric UIC is kept in the rights database (which is a file containing information about identifiers, their attributes, and holders). For example, you could not have the two UICs [GROUP1,JONES] and [GROUP2,JONES] on the same system, because the member JONES can have only one associated numeric UIC.
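The 32-bit encoding and the one-member-name-per-UIC rule described above, as an added worked example. This code is not from the HP OpenVMS guide or from OpenVMS itself: it packs and unpacks numeric UICs exactly as the paragraph describes (group in the high-order 16 bits, member in the low-order 16 bits, fields written in octal), and the RightsDatabase class is a toy stand-in for the real rights database (SYS$SYSTEM:RIGHTSLIST.DAT), whose actual on-disk layout it does not attempt to model.

```python
"""
Added example (not from the HP OpenVMS guide): pack and unpack the 32-bit
numeric UIC, and enforce the rule that an alphanumeric member name maps to
exactly one numeric UIC.  RightsDatabase is a toy stand-in for the real
rights database; its structure is this example's assumption.
"""
import re

# Numeric UIC fields are written in octal, e.g. [200,10] or [3777,3777].
NUMERIC_UIC_RE = re.compile(r"^\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]$")
# Alphanumeric UIC: [GROUP,MEMBER] or [MEMBER].
ALPHA_UIC_RE = re.compile(r"^\[\s*([A-Za-z0-9$_]+)\s*(?:,\s*([A-Za-z0-9$_]+)\s*)?\]$")
FIELD_MASK = 0xFFFF  # group and member each occupy 16 bits of the 32-bit value


def parse_numeric_uic(text):
    """'[200,10]' -> (128, 8): octal fields converted to integers and range-checked."""
    m = NUMERIC_UIC_RE.match(text.strip())
    if not m:
        raise ValueError("not a numeric UIC: %r" % text)
    group, member = int(m.group(1), 8), int(m.group(2), 8)
    if group > FIELD_MASK or member > FIELD_MASK:
        raise ValueError("UIC field exceeds 16 bits: %r" % text)
    return group, member


def pack_uic(group, member):
    """Group number in the high-order 16 bits, member number in the low-order 16 bits."""
    return ((group & FIELD_MASK) << 16) | (member & FIELD_MASK)


def unpack_uic(value):
    """Inverse of pack_uic: 32-bit value -> (group, member)."""
    return (value >> 16) & FIELD_MASK, value & FIELD_MASK


def format_uic(value):
    """32-bit value back to bracketed octal notation."""
    group, member = unpack_uic(value)
    return "[%o,%o]" % (group, member)


class RightsDatabase:
    """Toy rights database: member name -> (group name, packed numeric UIC)."""

    def __init__(self):
        self._members = {}

    def add_uic(self, group_name, member_name, numeric_text):
        """Register [GROUP,MEMBER] as the alphanumeric form of the numeric UIC.

        A member name may appear in only one UIC, so [GROUP1,JONES] and
        [GROUP2,JONES] cannot coexist on the same system.
        """
        member_name = member_name.upper()
        if member_name in self._members:
            raise ValueError("member name %s already has a UIC" % member_name)
        group, member = parse_numeric_uic(numeric_text)
        self._members[member_name] = (group_name.upper(), pack_uic(group, member))

    def translate(self, text):
        """Alphanumeric UIC ([GROUP,MEMBER] or [MEMBER]) -> packed 32-bit numeric UIC."""
        m = ALPHA_UIC_RE.match(text.strip())
        if not m:
            raise ValueError("not an alphanumeric UIC: %r" % text)
        first, second = m.group(1).upper(), m.group(2)
        # With a single field, the member name alone identifies both group and member.
        member_name = first if second is None else second.upper()
        if member_name not in self._members:
            raise KeyError("unknown member name %s" % member_name)
        group_name, value = self._members[member_name]
        if second is not None and first != group_name:
            raise ValueError("%s belongs to group %s, not %s" % (member_name, group_name, first))
        return value


if __name__ == "__main__":
    db = RightsDatabase()
    db.add_uic("EXEC", "JONES", "[200,10]")
    print(format_uic(db.translate("[JONES]")), hex(db.translate("[EXEC,JONES]")))
```

Because the member name is the lookup key, translating [JONES] and [EXEC,JONES] yields the same 32-bit value, and a second add_uic for JONES under another group is rejected, which is the constraint the guideline expresses.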

How Your Process Acquires a UIC  

When you log in to a system, the operating system copies your UIC from your user authorization (UAF) record in the system user authorization file (SYSUAF.DAT) and assigns it to your process. It serves as an identification for the life of the process.

By default, detached processes (created by the DCL command SUBMIT or RUN) and subprocesses (created by the DCL command SPAWN) take the same UICs as their creators. If you have IMPERSONATE privilege, you can create a detached process with a different UIC (by using the /UIC qualifier of the RUN command).

Rights Identifiers  

The second element of a subject's security profile is a set of rights identifiers.

A rights identifier represents an individual user or a group of users. Using the Authorize utility (AUTHORIZE), security administrators create and remove identifiers and assign users to hold these identifiers. Rights identifiers can be a temporary way of identifying a group of users because users hold certain identifiers only as long as they are necessary.

Types of Identifiers

The operating system supports several types of rights identifiers. Major Types of Rights Identifiers shows the identifiers that are most commonly used in access control.

Table 1   Major Types of Rights Identifiers

Environmental identifiers
   Description:  Describe different types of users based on their initial entry into the system.
   Format:       Alphanumeric strings automatically created by the system. See Types of Logins and Login Classes for details.
   Examples:     BATCH, NETWORK, INTERACTIVE, LOCAL, DIALUP, REMOTE

General identifiers
   Description:  Defined by the security administrator.
   Format:       Alphanumeric strings of 1 through 31 characters with at least one alphabetic character. Valid characters include the numbers 0 through 9, the letters A through Z and a through z, the dollar sign ($), and the underscore (_).
   Examples:     SALES, PERSONNEL, DATA_ENTRY, RESERVE_DESK

UIC identifiers
   Description:  Based on a user's identification code (UIC), which uniquely identifies a user on the system and defines the group to which the user belongs.
   Format:       Alphanumeric UICs, with or without brackets. Valid characters are the same as those for a general identifier.
   Examples:     [GROUP1,JONES], [JONES], GROUP1, JONES

Facility identifiers
   Description:  Defined by the application.
   Format:       Same as a general identifier. See the HP OpenVMS Programming Concepts Manual for details.
   Example:      DBM$MOD_SCHEMA

In addition to the identifiers listed in Major Types of Rights Identifiers, a system node identifier of the form SYS$NODE_node_name is created by the system startup procedure (STARTUP.COM in SYS$SYSTEM).

Process and System Rights Lists  

Associated with your process is a rights list that contains all the identifiers granted to it. In addition, there is a system rights list that is shared by all users on the system. The system manager or the system software grants identifiers to the system rights list; those identifiers are thereby granted to all users currently logged on to the system.

Displaying the Rights Identifiers of Your Process

You can display the identifiers for your current process with the SHOW PROCESS command, for example:

$ SHOW PROCESS/ALL

25-JUN-2001 15:23:18.08   User: GREG            Process ID:   34200094
                          Node: ACCOUNTS        Process name: "_TWA2:"

Terminal:           TWA2:
User Identifier:    [DOC,GREG]      [1]
Base priority:      4
Default file spec:  WORK1:[GREG.FISCAL_91]
Devices allocated:  ACCOUNTS$TWA2:

Process Quotas:
   .
   .
   .
Process rights:
 INTERACTIVE     [2]
 LOCAL           [3]
 SALES           [4]
 MINDCRIME            resource    [5]
System rights:
 SYS$NODE_ACCOUNTS   [6]

Output from this SHOW PROCESS command displays three types of identifiers:

  1. UIC identifier, indicating user Greg is a member of the DOC group
  2. Environmental identifier, indicating user Greg is an interactive user
  3. Environmental identifier, indicating user Greg is logged in locally
  4. General identifier, indicating user Greg is also a member of the SALES group
  5. General identifier, indicating Greg holds the MINDCRIME identifier with the resource attribute, so he can charge disk space to the identifier
  6. Environmental identifier, indicating user Greg is working from the ACCOUNTS node

How Rights Identifiers Appear in the Audit Trail

The rights identifiers of a process also appear in audit records. If a security administrator chooses to audit access to objects, then the operating system can produce a record of which users accessed objects and when. Although a single audit record rarely tells very much, the trail of records can, over a period of time, reveal a pattern of behavior that tells a story.

The following audit record shows that user Greg attempted to delete a file but was prevented from doing so because he holds the identifier MINDCRIME. The file 93_FORECAST.DAT has an ACE preventing access by processes with the identifier MINDCRIME. (Relevant lines are Event information, Matching ACE, and Status.)

Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on ACCOUNTS,
                         system id: 19662
Auditable event:     Object deletion
Event information:   file deletion request (IO$_DELETE)
Event time:          24-APR-2001 13:17:24.59
PID:                 34200094
Process name:        _TWA2:
Username:            GREG
Process owner:       [DOC,GREG]
Terminal name:       TWA2:
Image name:          DSA2264:[SYS51.SYSCOMMON.][SYSEXE]DELETE.EXE
Object class name:   FILE
Object owner:        [SYSTEM]
Object protection:   SYSTEM:RWEDC, OWNER:RWEDC, GROUP:RE, WORLD:RE
File name:           _DSA2200:[GREG]93_FORECAST.DAT;1
File ID:             (17481,6299,1)
Access requested:    DELETE
Matching ACE:        (IDENTIFIER=MINDCRIME,ACCESS=NONE)
Sequence key:        00008A41
Status:              %SYSTEM-F-NOPRIV, no privilege for
                     attempted operation
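Reading one record by eye is easy; reading a trail of them is where the pattern emerges. The following is an added example, not part of the HP OpenVMS guide and not an OpenVMS utility: it parses an audit record in the layout shown above into its fields (handling the wrapped Status line) and flags requests that were refused because an identifier-based ACE matched. SAMPLE_RECORD is the record from the text, reproduced as constructed input; the field-name pattern and the indented-continuation rule are inferred from that one record and are assumptions of this example.

```python
"""
Added example (not from the HP OpenVMS guide): parse an OpenVMS audit
record into fields and flag access requests refused by an identifier ACE.
The field layout rules are inferred from the sample record shown in the
text; they are assumptions of this example.
"""
import re

# The audit record from the text, embedded here as constructed sample input.
SAMPLE_RECORD = """\
Message from user AUDIT$SERVER on FNORD
Security alarm (SECURITY) and security audit (SECURITY) on ACCOUNTS,
                         system id: 19662
Auditable event:     Object deletion
Event information:   file deletion request (IO$_DELETE)
Event time:          24-APR-2001 13:17:24.59
PID:                 34200094
Process name:        _TWA2:
Username:            GREG
Process owner:       [DOC,GREG]
Terminal name:       TWA2:
Image name:          DSA2264:[SYS51.SYSCOMMON.][SYSEXE]DELETE.EXE
Object class name:   FILE
Object owner:        [SYSTEM]
Object protection:   SYSTEM:RWEDC, OWNER:RWEDC, GROUP:RE, WORLD:RE
File name:           _DSA2200:[GREG]93_FORECAST.DAT;1
File ID:             (17481,6299,1)
Access requested:    DELETE
Matching ACE:        (IDENTIFIER=MINDCRIME,ACCESS=NONE)
Sequence key:        00008A41
Status:              %SYSTEM-F-NOPRIV, no privilege for
                     attempted operation
"""

# "Field name:   value"; the name starts in column 1 and may contain spaces.
# Indented lines continue the previous field's value (Status wraps above).
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.*)$")
ACE_RE = re.compile(r"\(IDENTIFIER=([A-Z0-9$_]+),ACCESS=([A-Z+]+)\)")


def parse_audit_record(text):
    """Return the record's 'Name: value' fields as a dict.

    Lines before the first field (the AUDIT$SERVER banner) are collected
    under the 'header' key as a list.
    """
    fields = {"header": []}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m and not line[0].isspace():
            current = m.group(1)
            fields[current] = m.group(2).strip()
        elif current is not None and line[0].isspace():
            fields[current] += " " + line.strip()  # wrapped continuation of the value
        else:
            fields["header"].append(line.strip())
    return fields


def identifier_denial(fields):
    """If the request failed with NOPRIV and an identifier ACE matched,
    return (identifier, access the ACE grants); otherwise None."""
    if "NOPRIV" not in fields.get("Status", ""):
        return None
    m = ACE_RE.search(fields.get("Matching ACE", ""))
    return (m.group(1), m.group(2)) if m else None


def summarize(text):
    """Who tried what on which object, and which identifier (if any) blocked it."""
    f = parse_audit_record(text)
    denial = identifier_denial(f)
    return {
        "user": f.get("Username"),
        "owner": f.get("Process owner"),
        "access": f.get("Access requested"),
        "object": f.get("File name"),
        "denied_by_identifier": denial[0] if denial else None,
        "status": f.get("Status"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_RECORD).items():
        print("%-22s %s" % (key, value))
```

Run over a whole audit journal, summarize() gives one row per event; grouping those rows by denied_by_identifier and user is the step that turns individual NOPRIV records into the behavioral pattern the text refers to.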

Privileges  

A third (optional) element of a subject's security profile is a set of privileges.

Privileges let you use or perform system functions that ordinarily would be denied to you. Security administrators can grant privileges to users under special circumstances so they can perform necessary tasks without changing existing protection authorizations.

Privileges vary in power. Some allow normal network operations; for example, NETMBX and TMPMBX let you send and receive mail across the network. But others, such as SYSNAM, grant the ability to influence system operations. A user with the SYSNAM privilege can modify the system logical name table.

A user's privileges are recorded in the user's UAF record in a 64-bit privilege mask. When a user logs in to the system, the user's privilege vector is stored in the subject's (process) security profile.

You can use the DCL command SET PROCESS/PRIVILEGES to enable and disable privileges for which you are authorized, thus controlling the privileges available to the images you run. Authorized Versus Default Process Privileges shows that user Puterman has a large number of authorized privileges, which are available for use when necessary, yet Puterman's process runs by default with only two privileges enabled: NETMBX and TMPMBX.
Example 1  Authorized Versus Default Process Privileges

$ SHOW PROCESS/PRIVILEGE

 8-OCT-2001 16:58:58.77   User: PUTERMAN   Process ID:   27E00496
                          Node: FNORD      Process name: "Hobbit"

Authorized privileges:
 ACNT      ALLSPOOL  ALTPRI   AUDIT    BUGCHK   BYPASS  CMEXEC    CMKRNL
 DIAGNOSE  DOWNGRADE EXQUOTA  GROUP    GRPNAM   GRPPRV  IMPERSONATE IMPORT
 LOG_IO    MOUNT     NETMBX   OPER     PFNMAP   PHY_IO  PRMCEB    PRMGBL
 PRMMBX    PSWAPM    READALL  SECURITY SETPRV   SHARE   SHMEM     SYSGBL
 SYSLCK    SYSNAM    SYSPRV   TMPMBX   UPGRADE  VOLPRO  WORLD

Process privileges:
 NETMBX               may create network device
 TMPMBX               may create temporary mailbox


Puterman can enable specific authorized privileges as he needs them; for example, he needs ALLSPOOL to allocate a spooled device and LOG_IO to perform logical I/O operations.
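The gap between the authorized and the enabled lists is what a reviewer of an account wants to measure: how much dormant power an account carries, and whether any of it is the kind that defeats protection entirely. The following is an added example, not from the HP OpenVMS guide and not an OpenVMS tool: it parses SHOW PROCESS/PRIVILEGE output in the layout of Example 1 and reports the dormant (authorized but not enabled) privileges, the subset of them this example treats as powerful, and whether SETPRV is authorized (SETPRV lets a process enable any privilege, so its presence makes every privilege reachable). The POWERFUL set is this example's own selection, not a category defined on this page; SAMPLE_OUTPUT is the listing from Example 1, reproduced as constructed input.

```python
"""
Added example (not from the HP OpenVMS guide): parse SHOW PROCESS/PRIVILEGE
output and report authorized-but-dormant privileges.  POWERFUL is this
example's own selection of privileges to highlight.
"""

# The listing from Example 1, embedded here as constructed sample input.
SAMPLE_OUTPUT = """\
 8-OCT-2001 16:58:58.77   User: PUTERMAN   Process ID:   27E00496
                          Node: FNORD      Process name: "Hobbit"

Authorized privileges:
 ACNT      ALLSPOOL  ALTPRI   AUDIT    BUGCHK   BYPASS  CMEXEC    CMKRNL
 DIAGNOSE  DOWNGRADE EXQUOTA  GROUP    GRPNAM   GRPPRV  IMPERSONATE IMPORT
 LOG_IO    MOUNT     NETMBX   OPER     PFNMAP   PHY_IO  PRMCEB    PRMGBL
 PRMMBX    PSWAPM    READALL  SECURITY SETPRV   SHARE   SHMEM     SYSGBL
 SYSLCK    SYSNAM    SYSPRV   TMPMBX   UPGRADE  VOLPRO  WORLD

Process privileges:
 NETMBX               may create network device
 TMPMBX               may create temporary mailbox
"""

# Privileges this example chooses to highlight (selection is the example's own).
POWERFUL = {"BYPASS", "CMKRNL", "CMEXEC", "SETPRV", "SYSPRV", "READALL",
            "SECURITY", "SYSNAM", "PHY_IO", "LOG_IO", "IMPERSONATE"}

AUTH_HEADER = "Authorized privileges:"
PROC_HEADER = "Process privileges:"


def parse_show_process_privilege(text):
    """Return (authorized, enabled) as sets of privilege names.

    The authorized section lists several names per line; the process
    section lists one name per line followed by a free-text description.
    """
    authorized, enabled = set(), set()
    section = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        if stripped.startswith(AUTH_HEADER):
            section = authorized
            stripped = stripped[len(AUTH_HEADER):].strip()
        elif stripped.startswith(PROC_HEADER):
            section = enabled
            stripped = stripped[len(PROC_HEADER):].strip()
        if section is None or not stripped:
            continue  # banner lines before the first section, or a bare header
        if section is authorized:
            authorized.update(stripped.split())
        else:
            enabled.add(stripped.split()[0])  # name, then its description
    return authorized, enabled


def privilege_report(text, powerful=POWERFUL):
    """Summarize how much dormant privilege the listing represents."""
    authorized, enabled = parse_show_process_privilege(text)
    return {
        "authorized": sorted(authorized),
        "enabled": sorted(enabled),
        # Available to the user via SET PROCESS/PRIVILEGES but not currently on.
        "dormant": sorted(authorized - enabled),
        "powerful_authorized": sorted(authorized & powerful),
        # Should be empty: a process cannot normally enable what it is not authorized for.
        "enabled_but_not_authorized": sorted(enabled - authorized),
        # SETPRV lets the process enable any privilege, so the whole set is reachable.
        "setprv_authorized": "SETPRV" in authorized,
    }


if __name__ == "__main__":
    report = privilege_report(SAMPLE_OUTPUT)
    print("%d authorized, %d enabled, %d dormant" % (
        len(report["authorized"]), len(report["enabled"]), len(report["dormant"])))
    print("powerful and authorized:", ", ".join(report["powerful_authorized"]))
    print("SETPRV authorized:", report["setprv_authorized"])
```

For Puterman the report shows 39 authorized privileges with only 2 enabled, BYPASS, CMKRNL and SETPRV among the dormant ones; the default process is modest, but the account is not, which is the distinction the example on the page is making.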
