
Re: Submit

SOLVED
Joseph Huber_1
Honored Contributor

Re: Submit

Hein's program shows why CMKRNL+"a little bit of programming" puts all CM* privileged users in the SYSUAF "ALL" category.
http://www.mpp.mpg.de/~huber
Robert Gezelter
Honored Contributor

Re: Submit

FOX2,

I thought that I had gotten the confirmation notice on my last post, but it appears not to have actually posted. Strange.

I must disagree with the proposal to use CMKRNL to grant the process SYSPRV. As is demonstrated, CMKRNL gives one SYSPRV in one move (Chess reference: "Mate in one"). WADR, sneaking an enabling of SYSPRV could have serious repercussions if (more accurately, when) it is discovered during an audit or other security review.

The better path is to review why the operator account was granted CMKRNL and CMEXEC, and resolve that issue, then remove both of those DEVOUR-class privileges from the operator account. One of the solutions I commented on earlier, or the one Joseph Huber mentioned in his post, addresses the problem.

A thorough reading of the "OpenVMS Guide to System Security", particularly the sections relating to privileges, is highly recommended. The manual is available from the OpenVMS www site in HTML at http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.HTMl or in PDF at http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.PDF .

- Bob Gezelter, http://www.rlgsc.com
John Gillings
Honored Contributor

Re: Submit

FOX2,

As others have pointed out, CMKRNL gives easy access to all privileges (which should be blindingly obvious as it allows SUBMIT/USER of an arbitrary user, including SYSTEM, so the user effectively IS SYSTEM).

If the set of SUBMIT/USER commands this user needs to issue is relatively small, write a program which hard codes all possible variants as calls to $SNDJBC. The program can be installed with CMKRNL and SYSPRV, protected to only be executable by authorized persons. Use a menu or similar mechanism to restrict what the user can do with the privileged program. You can then remove CMKRNL from the privileges of this (obviously untrusted!) user.

If your auditors are worried about SYSPRV, but aren't already unhappy about CMKRNL, you should get yourself some auditors who have a clue.
A crucible of informative mistakes
Hoff
Honored Contributor

Re: Submit

Set all the passwords to blank and issue full privileges to everybody. That's at least being intellectually honest about the security and operational problems that clearly exist with this server.
Jess Goodman
Esteemed Contributor

Re: Submit

I think many of you are being too tough on the OP's security policy. His system operators are probably fully trusted not to DELIBERATELY attack the system. For this type of user CMKRNL is safe since they will not use it to give themselves full privs.

However with SYSPRV or BYPASS priv. these users might ACCIDENTALLY delete critical files due to lack of (pick one) training, experience, typing skills, brains...

I am the system administrator but I do not give even myself BYPASS as a default priv. (I can of course enable it if I wish). I have a few critical files set to no delete access from S,O,G,W just so a mistyped wildcard delete won't get them. If I really want to delete them it takes me an extra step. Most files have S:D access so SYSPRV lets me delete them in one step.
I have one, but it's personal.
Jess Goodman
Esteemed Contributor

Re: Submit

Fox2,

I just realized that no one mentioned READALL privilege. If your operators can be trusted with it then they will be able to SUBMIT jobs using /USER= (along with CMKRNL that they already have).

If they can't be trusted with READALL priv. then I would say they can't be trusted with CMKRNL priv either. You can't accidentally or even deliberately destroy anything with READALL. And if they can't be trusted not to look at stuff they're not supposed to look at, then they can't be trusted not to deliberately attack the system either.
I have one, but it's personal.
Paul Jerrom
Valued Contributor

Re: Submit

Before we go giving everyone in the world full access to this server, can we see the submit command please?

PJ
Have fun,

Peejay
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If it can't be done with a VT220, who needs it?