[Info-vax] VMS Privileges Versus Linux Capabilities

Paul Sture nospam at sture.ch
Wed Jun 22 17:14:53 EDT 2016


On 2016-06-22, David Froble <davef at tsoft-inc.com> wrote:
> mcleanjoh at gmail.com wrote:
>> On Friday, June 17, 2016 at 10:06:43 AM UTC+10, Stephen Hoffman wrote:
>> 
>>>  UWSS and drivers and execlets and ACPs, and images 
>>> installed with any ALL-class privilege — and other such constructs — 
>>> are already or can become fully privileged, with complete system 
>>> access.
>> 
>> I thought ALL privileges didn't automatically include SECURITY
>> privilege, or does it in some contexts?
>>

That does ring a faint bell.  What version of VMS?
 
>
> Hmmm ....
>
> AS800> set proc/priv=all
> AS800> sho proc/priv
>
> 22-JUN-2016 16:37:17.79   User: DFE              Process ID:   0000012F
>                            Node: AS800            Process name: "DFE"
>
> Authorized privileges:
>   NETMBX       SETPRV       SYSPRV       TMPMBX
>
> Process privileges:
>   ACNT                 may suppress accounting messages
>   ALLSPOOL             may allocate spooled device
>   ALTPRI               may set any priority value
>   AUDIT                may direct audit to system security audit log
>   BUGCHK               may make bug check log entries
>   BYPASS               may bypass all object access controls
>   CMEXEC               may change mode to exec
>   CMKRNL               may change mode to kernel
>   DIAGNOSE             may diagnose devices
>   DOWNGRADE            may downgrade object secrecy
>   EXQUOTA              may exceed disk quota
>   GROUP                may affect other processes in same group
>   GRPNAM               may insert in group logical name table
>   GRPPRV               may access group objects via system protection
>   IMPERSONATE          may impersonate another user
>   IMPORT               may set classification for unlabeled object
>   LOG_IO               may do logical i/o
>   MOUNT                may execute mount acp function
>   NETMBX               may create network device
>   OPER                 may perform operator functions
>   PFNMAP               may map to specific physical pages
>   PHY_IO               may do physical i/o
>   PRMCEB               may create permanent common event clusters
>   PRMGBL               may create permanent global sections
>   PRMMBX               may create permanent mailbox
>   PSWAPM               may change process swap mode
>   READALL              may read anything as the owner
>   SECURITY             may perform security administration functions
>   SETPRV               may set any privilege bit
>   SHARE                may assign channels to non-shared devices
>   SHMEM                may create/delete objects in shared memory
>   SYSGBL               may create system wide global sections
>   SYSLCK               may lock system wide resources
>   SYSNAM               may insert in system logical name table
>   SYSPRV               may access objects via system protection
>   TMPMBX               may create temporary mailbox
>   UPGRADE              may upgrade object integrity
>   VOLPRO               may override volume protection
>   WORLD                may affect other processes in the world
>
> Process rights:
>   DFE                               resource
>   INTERACTIVE
>   REMOTE
>
> System rights:
>   SYS$NODE_AS800
>
> Soft CPU Affinity: off
>
> Yep, there it is, right after READALL and before SETPRV ....

Same behaviour for SECURITY on VAX V7.3-1.

SETPRV is a special one though.  It doesn't actually go away
if you disable it.  Note that for the following user, SETPRV is enabled
in the default privileges, but not in the authorized ones.

UAF> show fred

...

Authorized Privileges: 
  ALTPRI    CMKRNL    IMPERSONATGRPNAM    NETMBX    OPER      SYSNAM    SYSPRV
  TMPMBX    VOLPRO    WORLD
Default Privileges: 
  ALTPRI    CMKRNL    IMPERSONATGRPNAM    NETMBX    OPER      SETPRV    SYSNAM
  SYSPRV    TMPMBX    VOLPRO    WORLD

And while it doesn't show up in the authorized privileges, it is in the
current ones:

$ sh proc/priv

22-JUN-2016 22:56:37.47   User: FRED             Process ID:   00000215
                          Node: SPEEDY           Process name: "FRED"
 
Authorized privileges:
 ALTPRI    CMKRNL    IMPERSONATGRPNAM    NETMBX    OPER      SYSNAM    SYSPRV
 TMPMBX    VOLPRO    WORLD
 
Process privileges:
 ALTPRI               may set any priority value
 CMKRNL               may change mode to kernel
 IMPERSONATE          may impersonate another user
 GRPNAM               may insert in group logical name table
 NETMBX               may create network device
 OPER                 may perform operator functions
 SETPRV               may set any privilege bit
 SYSNAM               may insert in system logical name table
 SYSPRV               may access objects via system protection
 TMPMBX               may create temporary mailbox
 VOLPRO               may override volume protection
 WORLD                may affect other processes in the world

And yes, you can use it in that state.



-- 
There are two hard things in computer science, and they are cache invalidation,
naming, and off-by-one errors.
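
An audit check for the situation shown in the message above (a privilege present in the default set but absent from the authorized set), as an added example that is not part of the original post. It assumes the 10-character privilege columns seen in the listing, which is why IMPERSONATE appears truncated and fused with GRPNAM; the function names are hypothetical.

```python
import re

# Constructed sample: the "UAF> show fred" privilege listing from the post.
SAMPLE = """\
Authorized Privileges:
  ALTPRI    CMKRNL    IMPERSONATGRPNAM    NETMBX    OPER      SYSNAM    SYSPRV
  TMPMBX    VOLPRO    WORLD
Default Privileges:
  ALTPRI    CMKRNL    IMPERSONATGRPNAM    NETMBX    OPER      SETPRV    SYSNAM
  SYSPRV    TMPMBX    VOLPRO    WORLD
"""

COLUMN = 10  # assumption: field width inferred from the listing in the post
FULL_NAMES = {"IMPERSONAT": "IMPERSONATE"}  # name cut off by the column width
HEADER = re.compile(r"^\s*(Authorized|Default) Privileges:\s*$", re.IGNORECASE)

def split_fields(line):
    """Cut one listing line into fixed-width privilege names."""
    body = line.strip()
    names = []
    for start in range(0, len(body), COLUMN):
        name = body[start:start + COLUMN].strip()
        if name:
            names.append(FULL_NAMES.get(name, name))
    return names

def parse_privileges(listing):
    """Return {'authorized': set, 'default': set} from a UAF record listing."""
    sections = {"authorized": set(), "default": set()}
    current = None
    for line in listing.splitlines():
        match = HEADER.match(line)
        if match:
            current = match.group(1).lower()
        elif not line.strip() or ":" in line:
            current = None  # blank line or another field ends the section
        elif current:
            sections[current].update(split_fields(line))
    return sections

def default_only(listing):
    """Privileges enabled by default that the account is not authorized for."""
    parsed = parse_privileges(listing)
    return sorted(parsed["default"] - parsed["authorized"])

if __name__ == "__main__":
    print(default_only(SAMPLE))
```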


