HP OpenVMS Guide to System Security

Security for the User

Descriptions of Object Classes

Devices

Global Sections

Files  

The file object differs from other protected objects in oneimportant way: because files provide more flexibility than any otherobject class, files do not acquire their profiles from a template. Profile Assignment describes the rulesthe operating system applies in assigning a profile.

NamingRules  

A file specification is a string of 1 to 255 characters. Seethe HP OpenVMS User's Manual for a full description.

Types of Access  

The file class supports the following types of access:

Read	Gives you the right to read,print, or copy a disk file. With directory files, read access givesyou the right to read or list a file and use a file name with wildcardcharacters to look up files. Read access implies execute access.
Write	Gives you the right to writeto or change the contents of a file but not delete it. Write accessallows modification of the file elements that describe the contentsof the file. Write access allows creation of a new version of an existingfile's primary name. With directory files, write access gives youthe right to make or delete an entry in the catalog of files.
Execute	Gives you the right to executea file that contains an executable program image or DCL commandprocedure. With a directory file, execute access gives you the rightto look up files whose names you know.
Delete	Gives you the right to deletea file. To delete a file, you must have delete access to the fileand write access to the directory that contains the file. To removeor rename a file's primary name also requires delete access.
Control	Gives you the right to change the protectioncode and ACL. You need to satisfy one of the following conditionsto change the owner: Hold both theold and the new owner identifier. Hold the Resource attribute to the identifier thatowns the object while also being allowed control access to the objectthrough an ACL on the object. Qualify as a system user, hold SYSPRV or BYPASSprivilege, or hold a UIC that matches that of the owner of the volumecontaining the file or directory. Hold the GRPPRV privilege while also holding a UICin the same group as the object owner.

Access Requirements  

The following conditions apply to file access:

• General rules
  
  To access a file, you must have permission to access the fileand the volume on which it resides. When attempting to access afile by name, you must have read or execute access to the directorycontaining the file. An access check of the volume is required beforeeither a directory or a file access is considered. The protectionof a directory file can restrict access to files in the directory,so even though a group of users has access to a file, they can beprevented from accessing it by name if they lack proper access tothe directory in which the file is located.

  ---

  You can access a file by its file identifier. When usersdo so, they bypass the directory file protection. Therefore, youmust not rely entirely on directory file protection to control accessto a file.

  ---




• For write access
  
  To write to a file, the operating system requires that youhave both read and write access.



• File ownership changes
  
  To change the ownership of a file, you must have control accessand hold both the old and new identifiers with the Resource attribute.(Your own UIC identifier always carries the Resource attribute.)

CreationRequirements  

Before you can create a file, the operating system checksto see that you have satisfied the following conditions:

• You must have adequate disk space.This includes both available disk blocks and sufficient disk quota (assumingquotas are enabled).



• You have read and write access to the previous fileversion. You must also have delete access to the oldest file versionif the file has a nonzero version limit and the new version wouldexceed this number.



• You have write access to the directory where thefile is being created.



• You have read, write, and create access to the volumeon which the file is to be stored.

Profile Assignment  

The new file obtains its owner, protection code, and ACL froma number of sources. The ownership assignment of a new file is doneindependently of protection and ACL.

Rules for Assigning Ownership  

If any of the following conditions are true, then you canassign an identifier as the owner of a file:

• The identifier matches your processUIC.



• You hold the identifier with the Resource attribute.



• You hold GRPPRV privilege and the identifier's groupnumber matches your UIC group.



• You hold SYSPRV privilege.

A file receives its owner identifier from the first applicablesource that you are allowed to assign:

• The explicit assignment of an ownerat creation with the /OWNER_UIC qualifier to the CREATE or COPYcommand



• The previous version



• The parent directory



• The process UIC

See Setting Defaults for a Directory Owned by a Resource Identifier fora description of how resource identifiers can own files and directories.

Rules for Assigning a Protection Code andACL  

The sources of a new file's protection code and ACL are similarto those of ownership and are considered in the same order. Thesystem assigns a file's protection code and ACL from one of thefollowing sources:

1. The explicit assignment of elements at creation
   
   You can create a file with the CREATE command or the COPYcommand. You use the CREATE/DIRECTORY command in the case of a directory.
   
   To assign a protection code when creating a file, add the/PROTECTION qualifier to the COPY or CREATE command. After creatingthe file, you can use the SECURITY/ACL command to add an ACL.
   
   For example, the following command copies a file from thedevice USE1 to the default disk directory. The protection code definesthe protection for the newly created file PAYSORT.DAT so that userswith system UICs can read and write to the file. The owner has alltypes of access, and other users in the owner's group can read andwrite to the file. All other users have no access through the protectioncode.

   $ COPY USE1:[PAYDATA]PAYROLL.DAT  PAYSORT.DAT -_$ /PROTECTION=(SYSTEM:RW,OWNER:RWED,GROUP:RW,WORLD)

2. The profile of the previous version of the file,if one exists
   
   Whenever you create a new version of the file, the new versionis created with the protection code and ACL of the earlier version(unless, of course, you make an explicit assignment).
3. A Default Protection ACE and Default ACL on theparent directory
   
   Without either an explicit assignment or a previous versionof a file, the operating system looks at the directory where thefile is being created.
   
   With data files, the system looks for a Default ProtectionACE and assigns the protection code specified by that ACE. (See Providing a Default Protection Code for a Directory Structure for an example.)If any ACE in the directory's ACL has the Default attribute, thenthe file inherits that ACE as well. (Refer to Establishing an Inheritance Scheme for Files for an example.)
   
   With directory files, the system assigns the protection codeof the parent directory, less any delete access. If the directoryhappens to be a top-level directory, the protection is taken fromthe master file directory (MFD). Newly created subdirectories inheritthe ACL of the parent directory, even ACEs with the Default attribute.Only ACEs with the Nopropagate attribute are omitted.
4. The UIC and protection defaults of the process issuingthe command
   
   If the directory ACL does not have a Default Protection ACE,the default process protection is used. The system parameter RMS_FILEPROTestablishes this value, and the operating system assigns it to your processduring login. However, the value derived at login may be changedwith the DCL command SET PROTECTION/DEFAULT. (For example, you canput this command in your login command procedure to set defaultprotection.) Usethe DCL command SHOW PROTECTION to display the default process protection.
5. One of the above with provision for the user creatingthe file
   
   When you create a file in a directory owned by a resourceidentifier and you hold the identifier with the Resource attribute,the new file inherits its protection code and ACL in the same wayas any other file.
   
   The operating system modifies the file's ACL in some casesto provide the creator with access to the new file. If the directoryACL has a Creator ACE, that ACE defines the access the creator hasto the file. If the Creator ACE specifies no access, no additionalACE is created. Without such an ACE, the operating system adds anACE to the file's ACL that gives the creator control access plusthe access specified in the owner field of the file's protectioncode.

Using the COPY and RENAME Commands  

The output file of a COPY command is treated as a newly createdfile and so is assigned a new security profile. The security profilesof the input files are immaterial.

However, a renamed file by default retains its existing securityprofile. To assign a new security profile, as if the file were newlycreated, use the DCL command RENAME/INHERIT_SECURITY. This causesthe file to be assigned a security profile.

Rules for Assigning Ownership and Rules for Assigning a Protection Code and ACL explain how a security profileis assigned.

Kinds of Auditing Performed  

The following types of events can be audited, provided thesecurity administrator enables auditing for the appropriate eventclass:

Event Audited	When Audit Occurs
Access	When a process opens, reads,writes, or executes a file or inquires about its attributes
Creation	When a process creates afile
Deaccess	When a process closes afile
Deletion	When a process deletes a file

Protecting Information When Disk Space IsReassigned  

Ordinary file protection mechanisms control who can accessa file, but they do not address the problem of protecting old datathat remains on disk after a file is deleted.

When a file is deleted, its header is removed from the directory,but its contents remain intact on disk until it is overwritten.Because data exists on a disk, it is necessary to protect deletedor purged file information from disk scavenging.

The OpenVMS operating system solves the problem of disk scavengingwith the combination of the two following techniques:

• Overwriting disk blocks before theyare allocated



• Setting a high-water mark on allocated blocks

Overwriting Disk Blocks  

A security administrator or user can apply an erasure patternto individual files on a volume or to a complete volume. An erasurepattern is a repeated sequence of bits written over a file whenthe file is deleted or purged.

The security administrator can ensure that every block ona volume starts off with the erasure pattern by specifying the /ERASEqualifier when the volume is initialized, as follows: INITIALIZE/ERASE device-name[:] volume-label

If the volume is mounted, the security administrator can automaticallyapply the erasure pattern to the space occupied by a file when itis deleted by specifying the /ERASE_ON_DELETE qualifier, as follows: SET VOLUME/ERASE_ON_DELETE device-spec[:]

Note that this technique has no effect on existing files.

Alternatively, the security administrator may ask users tospecify the erasure pattern on a file-by-file basis by using the/ERASE qualifier when entering the DCL commands SET FILE, DELETE,and PURGE.

Security administrators can also write an erase routine byusing the $ERAPAT system service. The routine specifies to the systemthe erasure pattern and number of passes to be used to erase diskblocks.

Setting a High-water Mark  

When the operating system allocates disk blocks for a file,it automatically sets a high-water mark.The high-water mark indicates how far the file has been writtenin its allotted space on the disk. All blocks in the file up tothe high-water mark are guaranteed to have been written since theywere allocated to the file. Users are not permitted to read beyondthe high-water mark and thus cannot read stale data that they didnot actually write.

A more conservative but costly technique is to erase all diskblocks before allocation. The erase-on-allocate techniqueis used when the file is open allowing any form of shared accessor nonsequential access. When blocks are erased on allocation, thefile's high-water mark is set to point to the end of the newly allocatedand erased space.

By default, high-water marking is enabled when the volumeis initialized. The security administrator can disable high-watermarking for a specific volume by using the DCL command SET VOLUME/NOHIGHWATER_MARKING.

Accessibility of Data in a File  

Once the file system allocates disk blocks for a file, userscan read or write to them at any time. The high-water mark identifiesthe physical end of file, beyond which the user cannot read. However,an application can reposition the logical end-of-file mark and leavedata in the area between the logical and the physical end of thefile. Any block of file data can later be read, regardless of thelogical end-of-file mark.

An application largely determines how allocated disk blocksare managed. For example, OpenVMS RMS services shorten a sequentialfile by resetting the logical end-of-file position to the beginningof the current record. It does not deallocate space between theend-of-file position and the physical end of the file, nor doesit overwrite the records between the end-of-file position and thephysical end of the file with an erase pattern.

Thus, blocks written to a file can remain available regardlessof the end-of-file mark. If you want to erase the data between thelogical end of the file and the physical end of the file, your applicationprogram must overwrite the data you want deleted. On OpenVMS systems,a common way to accomplish this is to create a new version of thefile using the DCL command COPY.

Suggestions for Optimizing File Security  

Use the following precautions to protect your files and directories:

• Purge your files regularly. Deleteunnecessary files. This keeps your directories to a minimum and simplifiesthe task of regularly checking the protection and ownership on yourfiles.



• Use the DCL command DIRECTORY/SECURITY regularlyto monitor the ownership, protection code, and ACLs on your files.A user who succeeds in obtaining sufficient privilege may changethe protection or ownership on your files, allowing access immediatelyand in the future. If you perform these checks frequently, you candetect and report unexplained changes in file protection or ownership.



• Pay special attention to the protection on yourmail files; normally, they should be accessible only to you andthe system (for mail delivery and backups).



• When you place ACLs on your files, be sure you knowexactly which users hold the identifiers you have specified. (Thisgenerally requires consultation with your site security administrator.)



• Follow your site security administrator's recommendationsto prevent disk scavenging. You may be requested to use the /ERASEqualifier on the SET FILE, DELETE, and PURGE commands for some orall of your files.



• Always protect files and directories that containcommand procedures and executable programs. Carefully control thegranting of write access to these directories and files. This isparticularly important if you have any of the more powerful privilegesor access to sensitive files.

Do not run a command procedure or program given toyou by another user unless you inspect it. Inspect a program orprocedure to see if it tries to exercise your special privilegesor access sensitive files. Test the software in an unprivilegedaccount. Programs or command procedures offered under one guise,when actually intended to penetrate your defenses and disrupt your systemsecurity, are sometimes called Trojan horse programs.

Devices

Global Sections