 |
The Question is:
I have a number of privilege users on the system with the following privileges:
ACNT,AUDIT,CMKRNL,EXQUOTA,GROUP,GRPNAM,GRPPRV,
IMPERSONATE,LOG_IO,MOUNT,NETMBX,OPER,PHY_IO,
PRMCEB,READALL,SECURITY,SYSGBL,SYSLCK,SYSNAM, SYSPRV,TMPMBX,VOLPRO,WORLD
I want to protect certail system level files and/or utilities. For example, I
do not want them to get into the UAF utility and add/modify/delete UAF Records.
I set the following ACL on the .EXE and the .DAT file, but they still can gain
access:
SYSUAF.DAT;2 90/90 6-NOV-2000 18:53:59.64
[ADMIN,SYSTEM] (RWED,RWED,,)
(IDENTIFIER=SECADM,OPTIONS=PROTECTED,ACCESS=READ+WRITE+EXECUTE+DELETE+
CONTROL)
(IDENTIFIER=[*,*],ACCESS=NONE)
The Answer is :
The mechanism used to protect files and other objects is the privilege.
You cannot protect against any access by any user with any of the more
powerful privileges -- any privilege in the "all" category -- by any
means other than the removal of the privilege(s).
Again, you cannot protect against a privileged user. Again, you must
either remove the privilege(s), or you must trust the user -- or the
two users, in the case of a two-person (two-password) login -- to act
appropriately.
Please review the OpenVMS security documentation for further information,
and for privilege and protection recommendations, and for details of
operating in a secure environment -- see the NCSC Class C2 appendix,
among other portions of the manual.
Related topics include (5639), (7368), (7813), and others.
|
