
CMKRNL Privilege (All)  



The CMKRNL privilege allows the user's process to execute the Change Mode to Kernel ($CMKRNL) system service.

This system service lets a process change its access mode to kernel mode, execute a specified routine, and then return to the access mode that was in effect before the system service was called. While in kernel mode, a process can enable any system privilege.

A process holding both CMKRNL and SYSNAM can set the system time.

Grant this privilege only to users who need to execute privileged instructions or who need to gain access to the most protected and sensitive data structures and functions of the operating system. If unqualified users have unrestricted use of privileged instructions and unrestricted access to sensitive data structures and functions, the operating system and service to other users can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.
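As an added example (not part of the HP manual), one way to review who holds CMKRNL is to parse a saved AUTHORIZE LIST/FULL listing and flag accounts that carry it, noting whether it is on by default and whether SYSNAM is also held. The listing layout shown, the sample accounts and the function names are assumptions constructed for illustration.

```python
import re

# Constructed sample in the assumed layout of an AUTHORIZE LIST/FULL listing.
SAMPLE_LISTING = """\
Username: SYSTEM                           Owner:  SYSTEM MANAGER
Authorized Privileges:
  ACNT         BYPASS       CMEXEC       CMKRNL       SYSNAM       SYSPRV
  TMPMBX       WORLD
Default Privileges:
  CMKRNL       NETMBX       SYSNAM       TMPMBX

Username: OPER1                            Owner:  Night operator
Authorized Privileges:
  CMKRNL       NETMBX       OPER         TMPMBX
Default Privileges:
  NETMBX       TMPMBX

Username: JSMITH                           Owner:  J. Smith
Authorized Privileges:
  NETMBX       SYSNAM       TMPMBX
Default Privileges:
  NETMBX       TMPMBX
"""

def parse_privileges(listing):
    """Return {username: {"authorized": set, "default": set}} (hypothetical helper)."""
    accounts, user, section = {}, None, None
    for line in listing.splitlines():
        m = re.match(r"Username:\s+(\S+)", line)
        if m:
            user, section = m.group(1), None
            accounts[user] = {"authorized": set(), "default": set()}
        elif line.startswith("Authorized Privileges:"):
            section = "authorized"
        elif line.startswith("Default Privileges:"):
            section = "default"
        elif user and section and line.startswith(" ") and line.strip():
            accounts[user][section].update(line.split())  # indented privilege names
        else:
            section = None  # blank line or another field ends the privilege block
    return accounts

def audit_cmkrnl(listing):
    """Flag accounts whose authorized or default privileges include CMKRNL."""
    findings = {}
    for user, p in parse_privileges(listing).items():
        held = p["authorized"] | p["default"]
        if "CMKRNL" in held:
            # CMKRNL together with SYSNAM allows setting the system time.
            findings[user] = {"enabled_at_login": "CMKRNL" in p["default"],
                              "can_set_system_time": "SYSNAM" in held}
    return findings
```

Accounts reported with `enabled_at_login` set are the first to review, since the privilege is active without the user enabling it.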

The CMKRNL privilege lets a process perform the following tasks:

| Task | Interface |
| --- | --- |
| Modify a multiprocessor operation | START/CPU, STOP/CPU |
| Modify systemwide RMS defaults | SET RMS/SYSTEM |
| Suspend a process in kernel mode | SET PROCESS/SUSPEND=KERNEL |
| Modify another process' rights list or its nondynamic identifier attributes | SET RIGHTS_LIST |
| Grant an identifier with modified attributes | SET RIGHTS/ATTRIBUTE |
| Modify the system rights list | SET RIGHTS_LIST/SYSTEM |
| Change a process UIC | SET UIC |
| Modify the number of interlocked queue retries | $QIO request to an Ethernet 802 driver (DEBNA/NI) |
| Connect to a device interrupt vector | $QIO request to an interrupt vector (CONINTERR) |
| Start or modify a line in Genbyte mode | $QIO request to a synchronous communications line (XGDRIVER) |
| Set the spin-wait time on the port command register | $QIO request to an Ethernet 802 driver (DEBNA) |
| Modify a known image list | INSTALL |
| Process the following item codes: SJC$_ACCOUNT_NAME item, SJC$_UIC, SJC$_USERNAME | Send to Job Controller system service ($SNDJBC) |
| Create a detached process with unrestricted quotas | RUN/DETACHED, $CREPRC |
| Examine the internals of the running system | ANALYZE/SYSTEM |

