topic Re: INSTALL installed with privileges? in Operating System - OpenVMS

INSTALL installed with privileges?

Bart Zorn_1 — Fri, 03 Feb 2006 05:11:49 GMT

Does anybody know why INSTALL.EXE is installed with /PRIV=(CMKRNL,SYSGBL,PRMGBL,SHMEM,AUDIT) ?

I would expect a tool like that to rely on the process privileges of the system manager!

Bart Zorn

Re: INSTALL installed with privileges?

Volker Halle — Fri, 03 Feb 2006 12:48:01 GMT

Bart,

maybe to allow users without CMKRNL to use INSTALL LIST commands to obtain information about installed images etc. ?

To actually install any images, you need CMKRNL anyway (INSTALL checks for that).

Volker.

Re: INSTALL installed with privileges?

John Gillings — Sun, 05 Feb 2006 14:55:27 GMT

Bart,

The INSTALL utility is documented to require CMKRNL privilege. Some of the functions require other privileges. For example, LIST requires AUDIT privilege.

Rather than stipulate the specific combinations of privilege required for each command, the image is installed with the complete set. Some commands (like LIST) are permitted even for unprivileged users, others require CMKRNL.

Naturally INSTALL will work without being installed (otherwise, how could it get installed?), but then relies entirely on the privileges of the process which activated it, and will require more than just CMKRNL for some functions. To see what INSTALL does without being installed with privileges try:

$ MCR INSTALL.EXE;
INSTALL> /LIST
-SYSTEM-F-NOAUDIT, operation requires AUDIT privilege

(note that in this mode it uses the archaic command syntax which requires all commands to start with "/").

Re: INSTALL installed with privileges?

Wim Van den Wyngaert — Mon, 06 Feb 2006 02:13:26 GMT

I wonder how anyone knows what privs were given for which reason when they enherit a system.

Audit = may direct audit to system security audit log

What has install list to do with that ?

Wim

Re: INSTALL installed with privileges?

Bart Zorn_1 — Mon, 06 Feb 2006 03:03:03 GMT

I know about the required privileges for the various functions of INSTALL, as documented. But that does not explain why the INSTALL image would need to be installed with those privileges. Checking for these privileges does not require them in the first place!

And indeed, requiring AUDIT privilege for /LIST does not seem appropriate. Something like SYSPRV or CMKRNL looks more to the point.

Thanks for your thoughts!

Bart

Re: INSTALL installed with privileges?

Wim Van den Wyngaert — Mon, 06 Feb 2006 03:40:00 GMT

Did you notice the other installed stuff :

AUTHORIZE : AUDIT
MAIL_SERVER : SYSPRV
NCP : AUDIT (strange, we use NCL but NCL is not installed with privs while showing the same kind of info)
PHONE : SYSNAM, OPER
SET : BYPASS
SYSGEN : AUDIT
SYSMAN : AUDIT
TCPIP$FTP_CLIENT : OPER, PSWAPM (never saw this one before : may change process swap mode)
...
It seems that the author decides who can use the image for free.

This is what the manual says about AUDIT :

The AUDIT privilege allows software to append audit records to the system security audit log file using one of four system services: $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS. In addition, the $AUDIT_EVENT system service allows all components of an audit message to be specified. As a result, this privilege permits the logging of events that appear to have come from the operating system or a user process.

Not quite correct I would say.

Wim

Re: INSTALL installed with privileges?

Jan van den Ende — Mon, 06 Feb 2006 06:57:11 GMT

Re Wim:

well, the use of AUDIT makes sense to me:

"The AUDIT privilege allows software to append audit records to the system security audit log file using one of four system services: $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS"

This is exactly what you are doing when AUDIT is SET for use of privs for access, or for signaling access failure etc.

So, makes sense after all?

my EUR 0.02

Proost.

Have one on me.

jpe

Re: INSTALL installed with privileges?

Wim Van den Wyngaert — Mon, 06 Feb 2006 07:10:32 GMT

Jan,

So, I need AUDIT to use authorize so it can write messages to the audit file.

But when I have a file access failure and audit is enabled for file access failures, an audit message is written without requiring AUDIT from the process that had the active image.

?

Wim

Re: INSTALL installed with privileges?

John Gillings — Mon, 06 Feb 2006 21:35:46 GMT

>It seems that the author decides who
>can use the image for free.

Precisely! For example: Normally an unprivileged user cannot get information about other processes through (say) $GETJPI. But the SHOW SYSTEM command can display that (privileged) information for any unprivileged user. Why? Because SHOW.EXE is installed with, among other things, WORLD privilege.

Installing an image with privilege allows you to permit unprivileged users to perform privileged tasks in a controlled, and, hopefully, safe manner. Typically the image needs to explicitly enable and disable privilege as required to prevent loopholes where privilege can be exploited.

So, INSTALL will allow an unprivileged user to issue a LIST command and get output, BUT it won't allow the same unprivileged user to INSTALL ADD an image. INSTALL checks for privileges for some operations, but not for others.

>But when I have a file access failure
>and audit is enabled for file access
>failures, an audit message is written
>without requiring AUDIT from the process
>that had the active image.

Yes, the code thread issuing the message is either executing in a privileged image, or is in kernel mode, where all privileges are enabled. The important thing is entry into privileged images or modes is controlled to prevent abuse.

Re: INSTALL installed with privileges?

Wim Van den Wyngaert — Tue, 07 Feb 2006 02:07:11 GMT

>It seems that the author decides who
>can use the image for free.

And if the author decided to give it for free anyone can do it (show sys), if not you need privs (show proc).

If the rule is that you need privs for watching processes not belonging to you, show sys should adjust the output too. A bit like decservers that have even help adjusted according to privs.

Wim

Re: INSTALL installed with privileges?

Bart Zorn_1 — Tue, 07 Feb 2006 02:46:06 GMT

Again, thank you for your thoughts! I am closing this thread because it tends to steer off topic.

I have seen several other lines in VMSIMAGES.DAT which raised my eyebrows, but the one for INSTALL made me post the question.

Regards,

Bart Zorn