Controlling Program Privileges

Previous page
Table of content
Next page

Beyond ACL and UIC privileges, 39 system privileges apply to system utilities and library routines. Two privileges—network mailbox creation permitted (NETMBX) and temporary mailbox creation permitted (TMPMBX)—are granted to all users. Two management policies are used to determine user privileges. The easiest way, which is wrong, is to grant all privileges to all users. This approach subverts many of the OpenVMS mechanisms and puts the system at risk. The right way to assign security privileges is on a user-by-user basis. This takes more effort on the manager's part but protects the system from both accidents and deliberate attacks.

To give the reader a flavor for how privileges interact with OpenVMS, here are some examples. Notice that not all privileges are concerned with file protection; more often, privileges are used to determine how closely a user may emulate management privileges. This is done by degrees and stages, not in a single step.

  • ALTPRI (Alter Priority) permits the user to increase the priority level higher than specified in the SYSUAF. Priority is specified in commands SET PROCESS/PRIO=, RUN/DETACHED/PRIO=, and SUBMIT/PRIO=.

  • EXQUOTA (Exceed Quota) permits the user to exceed disk quota when creating new files.

  • BYPASS permits the user to skip all UIC privilege checks and grant access to any specified file.

  • SETPRV (Set Privilege) permits the user to give him- or herself any privilege.

  • VOLPRO (Volume Protection) permits the user to override volume protection and permits commands such as INITIALIZE to create a pristine volume structure.

Command descriptions in the HELP display and in the Compaq/HP manuals are clear regarding what privileges are required to perform certain functions and/or subfunctions. To emphasize these restrictions, error messages are likewise clear when those privileges are violated (e.g., if I attempt to initialize the system disk as an unprivileged user, the following dialog will result):

     $ initialize dka100: mumble     %INIT-F-NOVOLPRO, operation requires VOLPRO privilege

Obviously, the VOLPRO privilege is required to initialize a disk, which is stated in the INITIALIZE command description.



Previous page
Table of content
Next page
Getting Started with OpenVMS System Management
Getting Started with OpenVMS System Management (HP Technologies)
ISBN: 1555582818
EAN: 2147483647
Year: 2004
Pages: 130
Authors: David Miller
BUY ON AMAZON
Project Management JumpStart
Qshell for iSeries
PostgreSQL(c) The comprehensive guide to building, programming, and administering PostgreSQL databases
101 Microsoft Visual Basic .NET Applications
What is Lean Six Sigma
Quartz Job Scheduling Framework: Building Open Source Enterprise Applications
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy