Disk Quotas

Your system manager may elect to enable disk quotas. Disk quotas place limits on the consumption of disk storage space on a per-disk, per- user basis.

Use SHOW QUOTA [/DISK=disk] to examine your disk-space restrictions on a given disk. A message indicating that quotas are not enabled means that there are no limits other than the free space available on the disk.

Privileges

Privileges grant a user the ability to do things a typical user cannot. Privileges are required, for example, to set the system time, to examine the system security logs, or to read any file regardless of its protection.

The most basic user accounts have only the TMPMBX and NETMBX privileges, which are adequate for most ordinary purposes. Your system manager will grant additional privileges on an as-needed basis.

For reference, the full list of privileges (taken from OpenVMS VAX version V7.3) is as follows:

  • ACNT: may suppress accounting messages
  • ALLSPOOL: may allocate spooled device
  • ALTPRI: may set any priority value
  • AUDIT: may direct audit to system security audit log
  • BUGCHK: may make bug check log entries
  • BYPASS: may bypass all object access controls
  • CMEXEC: may change mode to exec
  • CMKRNL: may change mode to kernel
  • DIAGNOSE: may diagnose devices
  • DOWNGRADE: may downgrade object secrecy
  • EXQUOTA: may exceed disk quota
  • GROUP: may affect other processes in same group
  • GRPNAM: may insert in group logical name table
  • GRPPRV: may access group objects via system protection
  • IMPERSONATE: may impersonate another user
  • IMPORT: may set classification for unlabeled object
  • LOG_IO: may do logical i/o
  • MOUNT: may execute mount acp function
  • NETMBX: may create network device
  • OPER: may perform operator functions
  • PFNMAP: may map to specific physical pages
  • PHY_IO: may do physical i/o
  • PRMCEB: may create permanent common event clusters
  • PRMGBL: may create permanent global sections
  • PRMMBX: may create permanent mailbox
  • PSWAPM: may change process swap mode
  • READALL: may read anything as the owner
  • SECURITY: may perform security administration functions
  • SETPRV: may set any privilege bit
  • SHARE: may assign channels to non-shared devices
  • SHMEM: may create/delete objects in shared memory
  • SYSGBL: may create system wide global sections
  • SYSLCK: may lock system wide resources
  • SYSNAM: may insert in system logical name table
  • SYSPRV: may access objects via system protection
  • TMPMBX: may create temporary mailbox
  • UPGRADE: may upgrade object integrity
  • VOLPRO: may override volume protection
  • WORLD: may affect other processes in the world

Note

On older versions of OpenVMS, the IMPERSONATE privilege was called DETACH. Historically, it was used to create detached processes under the User Identification Code (introduced in the next section) of another user. Over time, the power granted by DETACH grew until a name change to IMPERSONATE was warranted.

User Identification Codes

A User Identification Code (UIC) is associated with each user account. A UIC is the combination of a group number and a member number.

A UIC takes the format "[group,member]." If you are member 100 of group 35, your UIC is [35,100]. These numbers are displayed in octal format, so they may contain only the digits 0 through 7. UICs may be displayed as alphanumeric names rather than numbers (see "Identifiers," below).

A system manager usually defines UIC groups to associate users who are related in some way, such as the faculty as opposed to the students at a university or all the employees in a given department of a corporation—say, the accounting department.

Your UIC is used to grant or deny access to system objects, such as files. When a file is created, the UIC of the owner is associated with the file. Later, when some user requests access to the file, his or her UIC is used to determine whether access will be allowed. File protection is divided into four categories, based on the requesting user's classification:

  • SYSTEM user. The requestor is either OpenVMS itself, the system manager, or another user with a SYSTEM UIC, as defined by the system manager. The system manager may assign an arbitrary number of users to this category, usually system operators or those who perform system backups.

  • File OWNER. The requestor's UIC exactly matches the UIC attached to the file.

  • GROUP member. The requestor is in the same UIC group as the file owner.

  • WORLD user. This category includes every other user not mentioned above.

Each of these four categories may be granted or denied the ability to read (examine), write (modify), execute (if the file is a program or procedure), or delete the file.

The ability to change the protection of the file (CONTROL access) is granted automatically to the OWNER and SYSTEM categories. As a practical matter, this means you cannot accidentally deny yourself access to your files (as you can always grant yourself access again), nor can you prevent SYSTEM users from gaining access. You can also grant other users CONTROL access via Access Control Lists (ACLs).
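As an added illustration (not code from the book), the following Python models how a requester's UIC, the file owner's UIC and a protection code decide access under the four categories above, including the automatic CONTROL right of OWNER and SYSTEM. It assumes the DCL protection-code syntax (S:RWED,O:RWED,G:RE,W), a constructed SYSTEM group threshold, and the OpenVMS rule that a requester receives the union of the access granted to every category it falls in.

```python
import re

# Assumed threshold (constructed for this example): UIC groups at or below
# this octal value are treated as SYSTEM users.
SYSTEM_GROUP_MAX = 0o10

ACCESS_LETTERS = "RWED"


def parse_uic(text):
    """Parse a UIC such as '[35,100]' (octal fields) into (group, member)."""
    m = re.fullmatch(r"\s*\[([0-7]+),([0-7]+)\]\s*", text)
    if not m:
        raise ValueError(f"bad UIC: {text!r}")
    return int(m.group(1), 8), int(m.group(2), 8)


def parse_protection(text):
    """Parse '(S:RWED,O:RWED,G:RE,W)' into {category: set of access letters}."""
    mask = {c: set() for c in "SOGW"}
    for field in text.strip("() ").split(","):
        field = field.strip().upper()
        if not field:
            continue
        cat, _, letters = field.partition(":")   # 'W' alone means no access
        if cat not in mask or any(ch not in ACCESS_LETTERS for ch in letters):
            raise ValueError(f"bad protection field: {field!r}")
        mask[cat] = set(letters)
    return mask


def categories(requester, owner):
    """Every protection category the requester falls into (always WORLD)."""
    cats = {"W"}
    if requester[0] == owner[0]:
        cats.add("G")
    if requester == owner:
        cats.add("O")
    if requester[0] <= SYSTEM_GROUP_MAX:
        cats.add("S")
    return cats


def check_access(requester_uic, owner_uic, protection, wanted):
    """True if the requester may perform `wanted`: R, W, E, D or C (control)."""
    wanted = wanted.upper()
    cats = categories(parse_uic(requester_uic), parse_uic(owner_uic))
    if wanted == "C":                       # CONTROL: OWNER and SYSTEM only
        return bool(cats & {"S", "O"})
    mask = parse_protection(protection)
    return any(wanted in mask[c] for c in cats)
```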

File protections and ACLs are described further in Chapter 7, "The User Environment."