HP OpenVMS Systems Documentation
OpenVMS Guide to System Security
A.23 PRMCEB Privilege (Devour)
The PRMCEB privilege lets the user's process create or delete a permanent common event flag cluster by executing the Associate Common Event Flag Cluster ($ASCEFC) or the Delete Common Event Flag Cluster ($DLCEFC) system service. Common event flag clusters enable cooperating processes to communicate with each other and thus synchronize their execution.
Grant this privilege with care. If permanent common event flag clusters
are not explicitly deleted, they tie up space in system dynamic memory,
which may degrade system performance.
The PRMGBL privilege lets the user's process create or delete permanent global sections by executing the Create and Map Section ($CRMPSC) or the Delete Global Section ($DGBLSC) system service. In addition, a process with this privilege (plus CMKRNL and SYSGBL privileges) can use the Install utility (INSTALL).
Global sections are shared structures that can be mapped simultaneously in the virtual address space of many processes. All processes see the same code or data. Global sections are used for reentrant subroutines or data buffers.
Grant this privilege with care. If permanent global sections are not
explicitly deleted, they tie up space in the global section and global
page tables, which are limited resources.
The PRMMBX privilege lets the user's process create or delete a permanent mailbox by executing the Create Mailbox and Assign Channel ($CREMBX) system service or the Delete Mailbox ($DELMBX) system service. The privilege also allows the creation of temporary mailboxes with the $CREMBX service.
Mailboxes are buffers in virtual memory that are treated as if they were record-oriented I/O devices. A mailbox is used for general interprocess communication.
Do not grant PRMMBX to all users of the system. Permanent mailboxes are
not automatically deleted when the creating processes are deleted and,
thus, continue to use a portion of system dynamic memory. System
performance degrades as system dynamic memory becomes scarce.
The PSWAPM privilege lets the user's process control whether it can be swapped out of the balance set by executing the Set Process Swap Mode ($SETSWM) system service. A process must have this privilege to lock itself in the balance set (to disable swapping) or to unlock itself from the balance set (to enable swapping).
With this privilege, a process can create a process that is locked in the balance set (swap mode is disabled) by using an optional argument to the Create Process ($CREPRC) system service or, when the DCL command RUN is used to create a process, by using the /NOSWAPPING qualifier of the RUN command. Furthermore, a process can lock a page or range of pages in physical memory using the Lock Pages in Memory ($LCKPAG) system service.
Grant this privilege only to users who need to lock a process in memory
for performance reasons. Typically, this will be a real-time process.
If unqualified processes have the unrestricted ability to lock
processes in the balance set, physical memory can be held unnecessarily
and thereby degrade system performance.
The READALL privilege lets the process bypass existing restrictions that would otherwise prevent the process from reading an object. However, unlike the BYPASS privilege, which permits writing and deleting, READALL permits only the reading of objects and allows updating of such backup-related file characteristics as the backup date. See the OpenVMS System Management Utilities Reference Manual and the OpenVMS System Manager's Manual for a discussion of backup operations.
READALL is intended to be an adequate privilege for backing up volumes, so grant this privilege to operators so they can perform system backups.
The READALL privilege lets a process perform the following tasks:
A.28 SECURITY Privilege (System)
The SECURITY privilege lets a process perform security-related functions such as modifying the system password with the DCL command SET PASSWORD/SYSTEM or modifying the system alarm and audit settings using the DCL command SET AUDIT. The privilege not only lets a user process start and stop the audit server process with SET AUDIT, it also permits the process to use SET AUDIT to modify the characteristics of the auditing database, including those of the audit server, the system audit journal, the security archive file, resource monitoring, and the audit, alarm, or failure mode.
Grant this privilege only to security administrators. Irresponsible users who obtain this privilege can subvert the system's security mechanisms, lock out users through improper application of system passwords, and disable security auditing.
The SECURITY privilege also lets a process perform the following tasks:
A.29 SETPRV Privilege (All)
The SETPRV privilege lets the user's process create processes whose privileges are greater than its own either by executing the Create Process ($CREPRC) system service with an optional argument or by issuing the DCL command RUN to create a process. A process with this privilege can also execute the DCL command SET PROCESS/PRIVILEGES to obtain any desired privilege.
Exercise the same caution in granting SETPRV as in granting any other
privilege because SETPRV lets a process enable any or all privileges.
The SHARE privilege lets processes assign channels to devices allocated to other processes or to a nonshared device using the Assign I/O Channel ($ASSIGN) system service.
Grant this privilege only to system processes such as print symbionts.
Otherwise, an irresponsible user can interfere with the operation of
devices belonging to other users.
The SHMEM privilege lets the user's process create global sections and mailboxes (permanent and temporary) in memory shared by multiple processors if the process also has appropriate PRMGBL, PRMMBX, SYSGBL, and TMPMBX privileges. Just as in local memory, the space required for a temporary mailbox in multiport memory counts against the buffered I/O byte count limit (BYTLM) of the process.
The privilege also lets a user's process create or delete an event flag
cluster in shared memory using the Associate Common Event Flag Cluster
($ASCEFC) or the Disassociate Common Event Flag Cluster ($DACEFC)
The SYSGBL privilege lets the user's process create or delete system global sections by executing the Create and Map Section ($CRMPSC) or the Delete Global Section ($DGBLSC) system service. In addition, a process with this privilege (plus the CMKRNL and PRMGBL privileges) can use the Install utility (INSTALL).
Exercise caution when granting this privilege. System global sections
require space in the global section and global page tables, which are
The SYSLCK privilege lets the user's process lock systemwide resources with the Enqueue Lock Request ($ENQ) system service or obtain information about a system resource with the Get Lock Information ($GETLKI) system service.
Grant this privilege to users who need to run programs that lock
resources in the systemwide resource namespace. However, exercise
caution when granting this privilege. Users who hold the SYSLCK
privilege can interfere with the synchronization of all system and user
The SYSNAM privilege lets the user's process bypass discretionary access controls and insert names into the system logical name table and delete names from that table by using the Create Logical Name ($CRELNM) and Delete Logical Name ($DELLNM) system services. A process with this privilege can use the DCL commands ASSIGN and DEFINE to add names to the system logical name table in user or executive mode and can use the DEASSIGN command in either mode to delete names from the table.
To mount a system volume or to dismount a system or group volume with the appropriate mount or dismount command or system service, you must have the SYSNAM privilege.
Grant this privilege only to the system operators or to system programmers who need to define system logical names (such as names for user devices, library directories, and the system directory). Note that a process with SYSNAM privilege could redefine such critical system logical names as SYS$SYSTEM and SYSUAF, thus gaining control of the system.
The SYSNAM privilege also lets a process perform the following tasks:
A.35 SYSPRV Privilege (All)
The SYSPRV privilege lets a process access protected objects by the system protection field and also read and modify the owner (UIC), the UIC-based protection code, and the ACL of an object. Even if an object is protected against system access, a process with SYSPRV privilege can change the object's protection to gain access to it. Any process with SYSPRV privilege can add, modify, or delete entries in the system user authorization file (SYSUAF.DAT).
Exercise caution when granting this privilege. Normally, grant this privilege only to system managers and security administrators. If unqualified users have system access rights, the operating system and service to others can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.
The SYSPRV privilege also lets a process perform the following tasks:
A process whose group UIC is less than or equal to the system parameter MAXSYSGRP has implied SYSPRV. When a process has SYSPRV or implied SYSPRV, it can also perform the following tasks:
A.36 TMPMBX Privilege (Normal)
The TMPMBX privilege lets the user's process create a temporary mailbox by executing the Create Mailbox and Assign Channel ($CREMBX) system service.
Mailboxes are buffers in virtual memory that are treated as if they were record-oriented I/O devices. A mailbox is used for general interprocess communication. Unlike a permanent mailbox, which must be explicitly deleted, a temporary mailbox is deleted automatically when it is no longer referenced by any process.
Grant this privilege to all users of the system to facilitate
interprocess communication. System performance is not likely to be
degraded by permitting the creation of temporary mailboxes, because
their number is controlled by limits on the use of system dynamic
memory (BYTLM quota).
The UPGRADE privilege lets a process manipulate mandatory access
controls. The privilege allows a process to write to an object of
higher integrity, in violation of the Biba confinement (*) property.
This privilege is reserved for enhanced security products like SEVMS.
The VOLPRO privilege lets the user's process:
The VOLPRO privilege permits control only over volumes that the user's process can mount or initialize. Volumes mounted with the /SYSTEM qualifier are safe from a process with the VOLPRO privilege as long as the process does not also have the SYSNAM privilege.
Exercise extreme caution when granting the VOLPRO privilege. If unqualified users can override volume protection, the operating system and service to others can be disrupted. Such disruptions can include destruction of the database and exposure of confidential information.
The VOLPRO privilege lets a process perform the following tasks:
A.39 WORLD Privilege (System)
The WORLD privilege lets the user's process affect other processes both inside and outside its group by executing the following process control system services:
Suspend Process ($SUSPND)
The user's process is also allowed to examine processes outside its own group by executing the Get Job/Process Information ($GETJPI) system service. A process with WORLD privilege can issue the SET PROCESS command for all other processes. Any process with WORLD privilege can also obtain information about a lock held by a process in another group using the Get Lock Information ($GETLKI) system service.
To exercise control over subprocesses that it created or to examine these subprocesses, a process needs no special privilege. To affect or examine other processes inside its own group, a process needs only the GROUP privilege. You should, however, grant this privilege to users who need to affect or examine processes outside their own group.