[Info-vax] VMS Privileges Versus Linux Capabilities
David Froble
davef at tsoft-inc.com
Wed Jun 22 16:39:21 EDT 2016
mcleanjoh at gmail.com wrote:
> On Friday, June 17, 2016 at 10:06:43 AM UTC+10, Stephen Hoffman wrote:
>
>> UWSS and drivers and execlets and ACPs, and images
>> installed with any ALL-class privilege — and other such constructs —
>> are already or can become fully privileged, with complete system
>> access.
>
> I thought ALL privileges didn't automatically include SECURITY privilege, or does it in some contexts?
>
Hmmm ....

AS800> set proc/priv=all
AS800> sho proc/priv
22-JUN-2016 16:37:17.79 User: DFE Process ID: 0000012F
Node: AS800 Process name: "DFE"
Authorized privileges:
NETMBX SETPRV SYSPRV TMPMBX
Process privileges:
ACNT may suppress accounting messages
ALLSPOOL may allocate spooled device
ALTPRI may set any priority value
AUDIT may direct audit to system security audit log
BUGCHK may make bug check log entries
BYPASS may bypass all object access controls
CMEXEC may change mode to exec
CMKRNL may change mode to kernel
DIAGNOSE may diagnose devices
DOWNGRADE may downgrade object secrecy
EXQUOTA may exceed disk quota
GROUP may affect other processes in same group
GRPNAM may insert in group logical name table
GRPPRV may access group objects via system protection
IMPERSONATE may impersonate another user
IMPORT may set classification for unlabeled object
LOG_IO may do logical i/o
MOUNT may execute mount acp function
NETMBX may create network device
OPER may perform operator functions
PFNMAP may map to specific physical pages
PHY_IO may do physical i/o
PRMCEB may create permanent common event clusters
PRMGBL may create permanent global sections
PRMMBX may create permanent mailbox
PSWAPM may change process swap mode
READALL may read anything as the owner
SECURITY may perform security administration functions
SETPRV may set any privilege bit
SHARE may assign channels to non-shared devices
SHMEM may create/delete objects in shared memory
SYSGBL may create system wide global sections
SYSLCK may lock system wide resources
SYSNAM may insert in system logical name table
SYSPRV may access objects via system protection
TMPMBX may create temporary mailbox
UPGRADE may upgrade object integrity
VOLPRO may override volume protection
WORLD may affect other processes in the world
Process rights:
DFE resource
INTERACTIVE
REMOTE
System rights:
SYS$NODE_AS800
Soft CPU Affinity: off

Yep, there it is, right after READALL and before SETPRV ....