
Giving Users Privileges  



Some system activities are limited to users who hold specific privileges. These restrictions protect the integrity of the operating system's performance and, thus, the integrity of service provided to users. Grant privileges to each user on the basis of two factors: (a) whether the user has a legitimate need for the privilege and (b) whether the user has the skill and experience to use the privilege without disrupting the system.

A user's privileges are recorded in the user's UAF record in two privilege vectors. One vector stores the authorized privileges, and the other vector stores the default privileges. The default privileges are the subset of authorized privileges that a user process receives at login.

When a user logs in to the system, the user's privilege vector is stored in the header of the user's process. In this way, the user's privileges are passed on to the process created for the user. Users can use the DCL command SET PROCESS/PRIVILEGES to enable and disable privileges for which they are authorized.

The operating system monitors and audits the use of privilege. You can enable auditing for specific privileges and examine the audit log file to see what privileges were used to execute DCL commands or system services. See Security Auditing for further information.

Categories of Privilege

Privileges are divided into seven categories (None, Normal, Group, Devour, System, Objects, and All) according to the damage that a user possessing them could cause the system:

Table 2, OpenVMS Privileges, categorizes the privileges and includes a brief definition of the powers associated with each privilege.

Table 2   OpenVMS Privileges

Category   Privilege    Activity Permitted
None       None         Deny activities requiring privileges
Normal     NETMBX       Create network connections
           TMPMBX       Create temporary mailbox
Group      GROUP        Control processes in the same group
           GRPPRV       Gain access through the system protection field of the group's objects
Devour     ACNT         Disable accounting
           ALLSPOOL     Allocate spooled devices
           BUGCHK       Make bugcheck error log entries
           EXQUOTA      Exceed disk quotas
           GRPNAM       Insert group logical names in the name table
           PRMCEB       Create/delete permanent common event flag clusters
           PRMGBL       Create permanent global sections
           PRMMBX       Create permanent mailboxes
           SHMEM        Create/delete structures in shared memory
System     ALTPRI       Set base priority higher than allotment
           AUDIT        Generate audit records
           OPER         Perform operator functions
           PSWAPM       Change process swap mode
           WORLD        Control any process
           SECURITY     Perform security-related functions
           SYSLCK       Lock systemwide resources
Objects    DIAGNOSE     Diagnose devices
           IMPORT       Mount a nonlabeled tape volume
           MOUNT        Execute mount volume QIO
           READALL      Possess read access to all system objects
           SYSGBL       Create systemwide global sections
           VOLPRO       Override volume protection
All        BYPASS       Disregard protection
           CMEXEC       Change to executive mode
           CMKRNL       Change to kernel mode
           IMPERSONATE  Create detached processes of arbitrary UIC
           DOWNGRADE    Write to a lower secrecy object or lower an object's classification
           LOG_IO       Issue logical I/O requests
           PFNMAP       Map to specific physical pages
           PHY_IO       Issue physical I/O requests
           SETPRV       Enable any privilege
           SHARE        Access devices allocated to other users
           SYSNAM       Insert system logical names in the name table
           SYSPRV       Access objects through the system protection field
           UPGRADE      Write to a higher integrity object or raise an object's integrity level

Suggested Privilege Allocations

Assigning Privileges lists all user privileges and includes recommendations on when to grant them. When allocating user privileges, be conservative.

The summary guidelines in Table 3, Minimum Privileges for System Users, indicate the minimum privilege requirements for common classes of system users.

Table 3   Minimum Privileges for System Users

Type of User                  Minimum Privileges
General                       TMPMBX, NETMBX
Operator                      OPER
Group manager                 GROUP, GRPPRV
System manager/administrator  SYSPRV, OPER, SYSNAM, CMKRNL [1]
Security administrator        SECURITY, AUDIT, READALL

Limiting User Privileges  

Granting privileges allows users those privileges until you remove them. To avoid such blanket permission, you may want to grant privileges on an as-needed basis. For example, certain users may need to run a program requiring one of the more powerful privileges. You can install the program with the necessary privilege by using the Install utility (INSTALL). Installing Images with Privilege discusses installing privileged images in more detail.

An alternative to granting blanket privileges is to set up emergency or specialized privileged accounts. Users would log in to these privileged accounts only to perform specific functions. You have two options with this technique:

With both options, you can place special restrictions on the privileged account, such as long passwords, brief password lifetimes, restricted hours, and limited modes of operation (no dialup, network, remote, or batch logins). In addition, limited account durations would force frequent consideration of privilege requirements.

Yet another alternative is to use protected subsystems, which are described in Using Protected Subsystems, and thereby eliminate the need for any system privileges.

Installing Images with Privilege  

A user cannot execute an image that requires a privilege the user does not possess unless the image is installed as a known image with the privilege in question. (See the HP OpenVMS System Management Utilities Reference Manual for instructions on installing known images.) Execution of a known image with privileges grants those privileges to the user process executing the image for the duration of the image's execution. Thus, you should install images with amplified privileges (other than the normal HP-supplied configuration) only after ensuring that the privileges are required by the image's function and that the image operates safely. Also consider restricting access to the image to a selected set of users.

Images installed with privileges are activated with all amplified privileges enabled. For maximum safety, images designed to run with amplified privilege should use the $SETPRV system service to disable all amplified privileges immediately on activation, and enable them only when they are needed.

Following is an example of installing an image with privilege. The System Dump Analyzer utility (SDA) requires CMKRNL privilege to analyze the running system.

  1. Install SDA.EXE with the CMKRNL privilege, as follows:

     $ INSTALL SDA.EXE /PRIVILEGED=CMKRNL

  2. Place an ACL on SDA.EXE, and also set the UIC-based protection to deny all access to the world category of users, as follows:

     $ SET SECURITY/ACL=(IDENTIFIER=SDA,ACCESS=EXECUTE)-
     _$ SYS$SYSTEM:SDA.EXE
     $ SET SECURITY/PROTECTION=(WORLD) SYS$SYSTEM:SDA.EXE

  3. Use the AUTHORIZE command to confirm that the users who hold the SDA identifier are those intended to run the program. If necessary, make adjustments to this list of users.

  Note: All images that you install with privilege must be linked with the /NOTRACEBACK qualifier to prevent online debugging and traceback.

  HP ensures that all system programs that are supplied with the operating system (such as the SDA) are linked with the /NOTRACEBACK qualifier to prevent online debugging or traceback.
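The following DCL command procedure reviews an image installed as in the three steps above; it is an added example, not a procedure from the HP manual. It assumes the SYS$SYSTEM:SDA.EXE image and SDA identifier of the example as defaults (overridable through P1 and P2), and a process that holds the privileges the INSTALL and AUTHORIZE utilities require.

```dcl
$! CHECK_PRIV_IMAGE.COM -- review a known image installed with privilege
$! (added example, not part of the HP OpenVMS Guide to System Security).
$! Usage:  $ @CHECK_PRIV_IMAGE SYS$SYSTEM:SDA.EXE SDA
$! P1 = image file spec, P2 = identifier expected to hold EXECUTE access.
$ ON ERROR THEN GOTO DONE
$ ON CONTROL_Y THEN GOTO DONE
$ IF P1 .EQS. "" THEN P1 = "SYS$SYSTEM:SDA.EXE"
$ IF P2 .EQS. "" THEN P2 = "SDA"
$!
$! 1. Which amplified privileges the known image carries.  Anything beyond
$!    the privilege the image's function needs (CMKRNL for SDA) should be
$!    questioned.  No "Privileges" line means none, or not installed.
$ WRITE SYS$OUTPUT "Installed privileges for ''P1':"
$ PIPE INSTALL LIST/FULL 'P1' | SEARCH SYS$PIPE "Privileges"
$!
$! 2. UIC-based protection: the world category must have no access, so
$!    that only holders of the identifier (granted through the ACL) run it.
$ prot = F$FILE_ATTRIBUTES(P1, "PRO")
$ world = F$EDIT(F$ELEMENT(3, ",", prot), "COLLAPSE,UPCASE")
$ WRITE SYS$OUTPUT "Protection: ''prot'"
$ IF world .NES. "WORLD="
$ THEN
$     WRITE SYS$OUTPUT "WARNING: world category still has access (''world')"
$ ELSE
$     WRITE SYS$OUTPUT "OK: world category has no access"
$ ENDIF
$!
$! 3. The ACL itself, then the holders of the identifier it names.  Every
$!    holder listed here can run the image with its amplified privilege.
$ SHOW SECURITY 'P1'
$ WRITE SYS$OUTPUT "Holders of identifier ''P2':"
$ MCR AUTHORIZE SHOW/IDENTIFIER/FULL 'P2'
$ DONE:
$ EXIT
```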


Restricting Command Output  

Some DCL commands behave differently depending on the privilegesthat the user holds.

For example, unless a user holds the GROUP or WORLD privilege, the SHOW PROCESS command limits the display of process information to the user's process. A user with GROUP privilege can display other processes in the user's UIC group; a user with WORLD privilege can display any process on the system.


Footnotes

[1] The general-purpose system manager often needs an authorized privilege set consisting of all privileges except BYPASS.


