|
|
A user's privilegesare recorded in the user's UAF record in two privilege vectors.One vector stores the authorized privileges, and the other vectorstores the default privileges. The default privileges are the subset ofauthorized privileges that a user process receives at login.
Whena user logs in to the system, the user's privilege vector is storedin the header of the user's process. In this way, the user's privilegesare passed on to the process created for the user. Users can usethe DCL command SET PROCESS/PRIVILEGES to enable and disable privilegesfor which they are authorized.
The operating system monitors and audits the use of privilege.You can enable auditing for specific privileges and examine theaudit log file to see what privileges were used to execute DCL commandsor system services. See Security Auditing for further information.
Categoriesof Privilege
Privileges are divided into the following seven categoriesaccording to the damage that the user possessing them could causethe system:
OpenVMS Privileges categorizesthe privileges and includes a brief definition of the powers associatedwith each privilege.
SuggestedPrivilege Allocations
Assigning Privileges lists all userprivileges and includes recommendations on when to grant them. Whenallocating user privileges, be conservative.
The summary guidelines in Minimum Privileges for System Users indicate the minimum privilege requirements forcommon classes of system users.
Type of User | Minimum Privileges |
---|---|
General | TMPMBX, NETMBX |
Operator | OPER |
Group manager | GROUP, GRPPRV |
System manager/administrator | SYSPRV, OPER, SYSNAM, CMKRNL1 |
Security administrator | SECURITY, AUDIT, READALL |
Limiting User Privileges
Granting privileges allows users those privileges until youremove them. To avoid such blanket permission, you may want to grantprivileges on an as-needed basis. For example, certain users mayneed to run a program requiring one of the more powerful privileges.You can install the program with the necessary privilege by usingthe Install utility (INSTALL). Installing Images with Privilege discusses installing privileged images in moredetail.
Analternative to granting blanket privileges is to set up emergencyor specialized privileged accounts. Users would log in to theseprivileged accounts only to perform specific functions. You havetwo options with this technique:
With both options, you can place special restrictions on theprivileged account, such as long passwords, brief password lifetimes,restricted hours, and limited modes of operation (no dialup, network,remote, or batch logins). In addition, limited account durationswould force frequent consideration of privilege requirements.
Yet another alternative is to use protected subsystems, whichare described in Using Protected Subsystems,and thereby eliminate the need for any system privileges.
Installing Images with Privilege
A user cannot execute an image that requires a privilege theuser does not possess unless the image is installed as a known imagewith the privilege in question. (See the HP OpenVMS SystemManagement Utilities Reference Manual for instructionson installing known images.) Execution of a known image with privilegesgrants those privileges to the user process executing the imagefor the duration of the image's execution. Thus, you should installimages with amplified privileges (other than the normal HP-supplied configuration)only after ensuring that the privileges are required by the image'sfunction and that the image operates safely. Also consider restrictingaccess to the image to a selected set of users.
Images installed with privileges are activated with all amplifiedprivileges enabled. For maximum safety, images designed to run withamplified privilege should use the $SETPRV system service to disableall amplified privileges immediately on activation, and enable themonly when they are needed.
Following is an example of installing an image with privilege.The System Dump Analyzer utility (SDA) requires CMKRNL privilegeto analyze the running system.
$
INSTALL SDA.EXE /PRIVILEGED=CMKRNL
$
SET SECURITY/ACL=(IDENTIFIER=SDA,ACCESS=EXECUTE)-
_$
SYS$SYSTEM:SDA.EXE
$
SET SECURITY/PROTECTION=(WORLD) SYS$SYSTEM:SDA.EXE
Restricting Command Output
Some DCL commands behave differently depending on the privilegesthat the user holds.
For example,unless a user holds the GROUP or WORLD privilege, the SHOW PROCESScommand limits the display of process information to the user'sprocess. A user with GROUP privilege can display other processesin the user's UIC group; a user with WORLD privilege can displayany process on the system.
1 The general purpose system manager often needsan authorized privilege set consisting of all privileges exceptBYPASS.
( Number takes you back )
|
|