HP OpenVMS Systems Documentation
OpenVMS Guide to System Security
A.13 GRPNAM Privilege (Devour)
The GRPNAM privilege lets the user's process bypass discretionary access controls and insert names into (and delete names from) the logical name table of the group to which the process belongs by the use of the Create Logical Name ($CRELNM) and Delete Logical Name ($DELLNM) system services.
In addition, the privileged process can issue the DCL commands ASSIGN and DEFINE to add names to the group logical name table and the DCL command DEASSIGN to delete names from the table. The privilege allows the use of the /GROUP qualifier with the DCL commands MOUNT and DISMOUNT (as well as the system services $MOUNT and $DISMOUNT) when sharing volumes among group members.
Do not grant this privilege to all users of the system because it
allows the user's process to create an unlimited number of group
logical names. When unqualified users have the unrestricted ability to
create group logical names, excessive use of system dynamic memory can
degrade system performance. In addition, a process with the GRPNAM
privilege can interfere with the activities of other processes in the
same group by creating definitions of commonly used logical names such
When the process's group matches the group of the object owner, the GRPPRV privilege gives a process the access rights provided by the object's system protection field. GRPPRV also lets a process change the protection or the ownership of any object whose owner group matches the process's group by using the DCL commands SET SECURITY.
Grant this privilege only to users who function as group managers. If this privilege is given to unqualified users who have no need for it, they can modify group UAF records to values equal to those of the group manager. They can increase resource allocations and grant privileges for which they are authorized.
The GRPPRV privilege lets a process perform the following tasks:
A.15 IMPERSONATE Privilege (All) (Formerly DETACH)
Processes can create detached processes that have their own UIC without the IMPERSONATE privilege, provided the processes do not exceed their MAXJOBS and MAXDETACH quotas. However, the IMPERSONATE privilege becomes valuable when a process wants to specify a different UIC for the detached process. There is no restriction on the UIC that can be specified for a detached process if you have the IMPERSONATE privilege. Thus, there are no restrictions on the files, directories, and other objects to which a detached process can gain access. The IMPERSONATE privilege also lets a process create a detached process with unrestricted quotas. A process can create detached processes by executing the Create Process ($CREPRC) system service.
In addition, IMPERSONATE grants the ability to create a trusted server process using the DCL command RUN/DETACH. Trusted processes are exempt from the normal system security auditing policy.
Detached processes remain in existence even after the user who created them has logged out of the system.
A.16 IMPORT Privilege (Objects)
The IMPORT privilege lets a process manipulate mandatory access
controls. The privilege lets a process mount unlabeled tape volumes.
This privilege is reserved for enhanced security products like SEVMS.
The LOG_IO privilege lets the user's process execute the Queue I/O Request ($QIO) system service to perform logical-level I/O operations. LOG_IO privilege is also required for certain device control functions, such as setting permanent terminal characteristics. A process with the typical privileges of NETMBX and TMPMBX that also holds LOG_IO and SYSNAM can reconfigure the Ethernet using the Phase IV network configuration procedure, NICONFIG.COM.
Usually, process I/O requests are handled indirectly by use of an I/O package such as OpenVMS Record Management Services (RMS). However, to increase their control over I/O operations and to improve the efficiency of I/O operations, skilled users sometimes prefer to handle the interface between their process and a system I/O driver program directly. They can do this by executing $QIO; in many instances, the operation called for is a logical-level I/O operation. Note that logical level functions are permitted without LOG_IO privilege on a device mounted with the /FOREIGN qualifier and on non-file-structured devices.
Grant this privilege only to users who need it because it allows a process to access data anywhere on the selected volume without the benefit of any file structuring. If this privilege is given to unqualified users who have no need for it, the operating system and service to other processes can be easily disrupted. Such disruptions can include the destruction of information on the system device, the destruction of user data, and the exposure of confidential information.
The LOG_IO privilege also lets a process perform the following tasks:
A.18 MOUNT Privilege (Normal)
The MOUNT privilege lets the user's process execute the mount volume
QIO function. The use of this function should be restricted to system
software supplied by Compaq.
The NETMBX privilege lets a process perform functions related to a
DECnet computer network. For example, it allows a process to switch a
terminal line to an asynchronous DECnet protocol or assign a channel to
a network device. Grant this privilege to general users who need to
access the network.
The OPER privilege allows a process to use the Operator Communication Manager (OPCOM) process to reply to user's requests, to broadcast messages to all terminals logged in, to designate terminals as operators' terminals and specify the types of messages to be displayed on these operators' terminals, and to initialize and control the log file of operators' messages. In addition, this privilege lets the user spool devices, create and control all queues, and modify the protection and ownership of all non-file-structured devices.
Grant this privilege only to the operators of the system. These are the users who respond to the requests of ordinary users, who tend to the needs of the system's peripheral devices (mounting reels of tape and changing printer forms), and who attend to all the other day-to-day chores of system operation. (A nonprivileged user can log in on the console terminal to respond to operator requests, for example, to mount a tape.)
The OPER privilege lets a process perform the following tasks:
Used in combination with other privileges, OPER lets processes perform the following tasks:
A.21 PFNMAP Privilege (All)
The PFNMAP privilege lets a user's process create and map page frame number (PFN) global sections to specific pages of physical memory or I/O device registers, no matter who is using the pages or registers. Such a privileged process can also delete PFN-based global sections with the system service $DGBLSC.
Exercise caution when granting this privilege. If unqualified user
processes have unrestricted access to physical memory, the operating
system and service to other processes can be easily disrupted. Such
disruptions can include failure of the system, destruction of all
system and user data, and exposure of confidential information.
The PHY_IO privilege lets the user's process execute the Queue I/O Request ($QIO) system service to perform physical-level I/O operations.
Usually, process I/O requests are handled indirectly by use of an I/O package such as OpenVMS Record Management Services (RMS). However, to increase their control over I/O operations and to improve the efficiency of their applications, skilled users sometimes prefer to handle directly the interface between their process and a system I/O driver program. They can do this by executing the $QIO system service; in many instances, the operation called for is a physical-level I/O operation.
Grant the PHY_IO privilege only to users who need it; grant this privilege even more carefully than the LOG_IO privilege. If this privilege is given to unqualified users who have no need for it, the operating system and service to other users can be easily disrupted. Such disruptions can include the destruction of information on the system device, the destruction of user data, and the exposure of confidential information.
The PHY_IO privilege also lets a process perform the following tasks: