skip book previous and next navigation links
go up to top of book: HP OpenVMS Guide to System SecurityHP OpenVMS Guide to System Security
go to beginning of part: Security for the System AdministratorSecurity for the System Administrator
go to beginning of appendix: Assigning PrivilegesAssigning Privileges
go to previous page: BUGCHK Privilege (Devour)BUGCHK Privilege (Devour)
go to next page: CMEXEC Privilege (All)CMEXEC Privilege (All)
end of book navigation links

BYPASS Privilege (All)  



The BYPASS privilege allows the user's process full accessto all protected objects, totally bypassing UIC-based protection,access control list (ACL) protection, and mandatory access controls.With the BYPASS privilege, a process has unlimited access to thesystem. Among the operations that can be performed are

Grant this privilege with extreme caution because it overridesall object protection. It should be reserved for use by well-tested,reliable programs and command procedures. The SYSPRV privilege isadequate for interactive use because it ultimately grants accessto all objects while still providing access checks. The READALLprivilege is adequate for backup operations.

The BYPASS privilege lets a process perform the followingtasks:

Task Interface
Perform file system operations:

Modify fileownership
SET SECURITY/OWNER, $QIOrequest to F11BXQP
Access a filethat is marked for deletion
$QIO request to F11A ACPor F11BXQP
Access a filethat is deaccess locked
$QIO request to F11A ACPor F11BXQP
Override creationof an owner ACE on a newly created file
$QIO request to F11BXQP
Clear the directorybit in a directory's file header
$QIO request to F11BXQP
Operate onan extension header
$QIO request to F11BXQP
Acquire orrelease a volume lock
$QIO request to F11BXQP
Force mountverification on a volume
$QIO request to F11BXQP
Create a fileaccess window with the no access lock bit set
$QIO request to F11BXQP
Specify nulllock mode for volume lock
$QIO request to F11BXQP
Access a lockedfile
$QIO request to F11BXQP
Enable or disabledisk quotas on a volume
$QIO request to F11BXQP
Operate on network databases:

Display permanentnetwork database records
NCP
Display permanentDECnet object password
NCP
Display volatileDECnet object password
NCP
Adjust discretionary or mandatory access controls:

Read a userauthorization record
$GETUAI
Modify a userauthorization record
$SETUAI
Modify mailboxprotection
$QIO request request tothe mailbox driver (MBDRIVER)
Modify sharedmemory mailbox protection
$QIO request request tothe mailbox driver (MBXDRIVER)
Bypass discretionaryor mandatory object protection
$CHKPRO
Miscellaneous:

Initializea magnetic tape
$INIT_VOL
Unload an InfoServer system
$QIO request to the InfoServer system (DADDRIVER)

go to previous page: BUGCHK Privilege (Devour)BUGCHK Privilege (Devour)
go to next page: CMEXEC Privilege (All)CMEXEC Privilege (All)