
HP OpenVMS Systems

ask the wizard

Security, Untrusted Privileged Users?


The Question is:

 
I have a number of privileged users on the system with the following privileges:
 
 ACNT,AUDIT,CMKRNL,EXQUOTA,GROUP,GRPNAM,GRPPRV,
 IMPERSONATE,LOG_IO,MOUNT,NETMBX,OPER,PHY_IO,
 PRMCEB,READALL,SECURITY,SYSGBL,SYSLCK,SYSNAM,
 SYSPRV,TMPMBX,VOLPRO,WORLD
 
I want to protect certain system level files and/or utilities. For example, I
 do not want them to get into the UAF utility and add/modify/delete UAF Records.
 
I set the following ACL on the .EXE and the .DAT file, but they still can gain
 access:
 
SYSUAF.DAT;2                                  90/90       6-NOV-2000 18:53:59.64
  [ADMIN,SYSTEM]        (RWED,RWED,,)
          (IDENTIFIER=SECADM,OPTIONS=PROTECTED,ACCESS=READ+WRITE+EXECUTE+DELETE+
          CONTROL)
          (IDENTIFIER=[*,*],ACCESS=NONE)
 
 
 


The Answer is :

 
  The mechanism used to protect files and other objects is the privilege.
 
  You cannot protect against any access by any user with any of the more
  powerful privileges -- any privilege in the "all" category -- by any
  means other than the removal of the privilege(s).
 
  Again, you cannot protect against a privileged user.  Again, you must
  either remove the privilege(s), or you must trust the user -- or the
  two users, in the case of a two-person (two-password) login -- to act
  appropriately.
 
  Please review the OpenVMS security documentation for further information,
  and for privilege and protection recommendations, and for details of
  operating in a secure environment -- see the NCSC Class C2 appendix,
  among other portions of the manual.
 
  Related topics include (5639), (7368), (7813), and others.

answer written or last revised on ( 5-AUG-2002 )
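
The following is an added example, not part of the original question or answer: a Python script that sorts the privilege list from the question into the OpenVMS privilege categories and builds the AUTHORIZE command that removes every "All"-category privilege. The category table is transcribed here as an assumption to check against the security manual for your version, and the username JSMITH is constructed.

```python
import re

# Privilege categories transcribed from the OpenVMS Guide to System Security
# for this example; confirm against the manual for your OpenVMS version.
CATEGORIES = {
    "Normal":  {"NETMBX", "TMPMBX"},
    "Group":   {"GROUP", "GRPPRV"},
    "Devour":  {"ACNT", "ALLSPOOL", "BUGCHK", "EXQUOTA", "GRPNAM",
                "PRMCEB", "PRMGBL", "PRMMBX", "SHMEM"},
    "System":  {"ALTPRI", "AUDIT", "OPER", "PSWAPM", "SECURITY",
                "SHARE", "SYSLCK", "WORLD"},
    "Objects": {"DIAGNOSE", "IMPORT", "MOUNT", "READALL", "SYSGBL", "VOLPRO"},
    "All":     {"BYPASS", "CMEXEC", "CMKRNL", "IMPERSONATE", "LOG_IO",
                "PFNMAP", "PHY_IO", "SETPRV", "SYSNAM", "SYSPRV"},
}
ALIASES = {"DETACH": "IMPERSONATE"}  # older name for the same privilege

def parse_privileges(text):
    """Split a pasted privilege list on commas/whitespace; normalise, dedupe."""
    seen = []
    for name in re.findall(r"[A-Za-z_]+", text.upper()):
        name = ALIASES.get(name, name)
        if name not in seen:
            seen.append(name)
    return seen

def classify(privs):
    """Map each privilege to its category; unrecognised names go to 'Unknown'."""
    out = {}
    for p in privs:
        cat = next((c for c, names in CATEGORIES.items() if p in names), "Unknown")
        out.setdefault(cat, []).append(p)
    return out

def removal_command(username, privs):
    """Build the AUTHORIZE command that strips every All-category privilege."""
    drop = classify(privs).get("All", [])
    if not drop:
        return None
    neg = ",".join("NO" + p for p in drop)
    return f"MODIFY {username} /PRIVILEGES=({neg}) /DEFPRIVILEGES=({neg})"

# Privilege list copied from the question above.
QUESTION_PRIVS = """ACNT,AUDIT,CMKRNL,EXQUOTA,GROUP,GRPNAM,GRPPRV,
IMPERSONATE,LOG_IO,MOUNT,NETMBX,OPER,PHY_IO,
PRMCEB,READALL,SECURITY,SYSGBL,SYSLCK,SYSNAM,   SYSPRV,TMPMBX,VOLPRO,WORLD"""

if __name__ == "__main__":
    privs = parse_privileges(QUESTION_PRIVS)
    for cat, names in classify(privs).items():
        print(f"{cat:8} {', '.join(names)}")
    print(removal_command("JSMITH", privs))  # JSMITH: constructed username
```

Names that land in the `Unknown` bucket are not in the transcribed table and need a manual check against the documentation before any decision is made about them.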
