Operating System - OpenVMS
1828391 Members
2918 Online
109977 Solutions
New Discussion

Re: INSTALL installed with privileges?

 
Bart Zorn_1
Trusted Contributor

INSTALL installed with privileges?

Does anybody know why INSTALL.EXE is installed with /PRIV=(CMKRNL,SYSGBL,PRMGBL,SHMEM,AUDIT) ?

I would expect a tool like that to rely on the process privileges of the system manager!

Bart Zorn
10 REPLIES 10
Volker Halle
Honored Contributor

Re: INSTALL installed with privileges?

Bart,

maybe to allow users without CMKRNL to use INSTALL LIST commands to obtain information about installed images etc. ?

To actually install any images, you need CMKRNL anyway (INSTALL checks for that).

Volker.
John Gillings
Honored Contributor

Re: INSTALL installed with privileges?

Bart,

The INSTALL utility is documented to require CMKRNL privilege. Some of the functions require other privileges. For example, LIST requires AUDIT privilege.

Rather than stipulate the specific combinations of privilege required for each command, the image is installed with the complete set. Some commands (like LIST) are permitted even for unprivileged users, others require CMKRNL.

Naturally INSTALL will work without being installed (otherwise, how could it get installed?), but then relies entirely on the privileges of the process which activated it, and will require more than just CMKRNL for some functions. To see what INSTALL does without being installed with privileges try:

$ MCR INSTALL.EXE;
INSTALL> /LIST
-SYSTEM-F-NOAUDIT, operation requires AUDIT privilege

(note that in this mode it uses the archaic command syntax which requires all commands to start with "/").
A crucible of informative mistakes
Wim Van den Wyngaert
Honored Contributor

Re: INSTALL installed with privileges?

I wonder how anyone knows what privs were given for which reason when they enherit a system.

Audit = may direct audit to system security audit log

What has install list to do with that ?

Wim
Wim
Bart Zorn_1
Trusted Contributor

Re: INSTALL installed with privileges?

I know about the required privileges for the various functions of INSTALL, as documented. But that does not explain why the INSTALL image would need to be installed with those privileges. Checking for these privileges does not require them in the first place!

And indeed, requiring AUDIT privilege for /LIST does not seem appropriate. Something like SYSPRV or CMKRNL looks more to the point.

Thanks for your thoughts!

Bart
Wim Van den Wyngaert
Honored Contributor

Re: INSTALL installed with privileges?

Did you notice the other installed stuff :

AUTHORIZE : AUDIT
MAIL_SERVER : SYSPRV
NCP : AUDIT (strange, we use NCL but NCL is not installed with privs while showing the same kind of info)
PHONE : SYSNAM, OPER
SET : BYPASS
SYSGEN : AUDIT
SYSMAN : AUDIT
TCPIP$FTP_CLIENT : OPER, PSWAPM (never saw this one before : may change process swap mode)
...
It seems that the author decides who can use the image for free.

This is what the manual says about AUDIT :

The AUDIT privilege allows software to append audit records to the system security audit log file using one of four system services: $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS. In addition, the $AUDIT_EVENT system service allows all components of an audit message to be specified. As a result, this privilege permits the logging of events that appear to have come from the operating system or a user process.

Not quite correct I would say.

Wim
Wim
Jan van den Ende
Honored Contributor

Re: INSTALL installed with privileges?

Re Wim:

well, the use of AUDIT makes sense to me:

"The AUDIT privilege allows software to append audit records to the system security audit log file using one of four system services: $AUDIT_EVENT, $CHECK_PRIVILEGE, $CHKPRO, or $CHECK_ACCESS"

This is exactly what you are doing when AUDIT is SET for use of privs for access, or for signaling access failure etc.

So, makes sense after all?

my EUR 0.02

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Wim Van den Wyngaert
Honored Contributor

Re: INSTALL installed with privileges?

Jan,

So, I need AUDIT to use authorize so it can write messages to the audit file.

But when I have a file access failure and audit is enabled for file access failures, an audit message is written without requiring AUDIT from the process that had the active image.

?

Wim
Wim
John Gillings
Honored Contributor

Re: INSTALL installed with privileges?

>It seems that the author decides who
>can use the image for free.

Precisely! For example: Normally an unprivileged user cannot get information about other processes through (say) $GETJPI. But the SHOW SYSTEM command can display that (privileged) information for any unprivileged user. Why? Because SHOW.EXE is installed with, among other things, WORLD privilege.

Installing an image with privilege allows you to permit unprivileged users to perform privileged tasks in a controlled, and, hopefully, safe manner. Typically the image needs to explicitly enable and disable privilege as required to prevent loopholes where privilege can be exploited.

So, INSTALL will allow an unprivileged user to issue a LIST command and get output, BUT it won't allow the same unprivileged user to INSTALL ADD an image. INSTALL checks for privileges for some operations, but not for others.

>But when I have a file access failure
>and audit is enabled for file access
>failures, an audit message is written
>without requiring AUDIT from the process
>that had the active image.

Yes, the code thread issuing the message is either executing in a privileged image, or is in kernel mode, where all privileges are enabled. The important thing is entry into privileged images or modes is controlled to prevent abuse.
A crucible of informative mistakes
Wim Van den Wyngaert
Honored Contributor

Re: INSTALL installed with privileges?

>It seems that the author decides who
>can use the image for free.

And if the author decided to give it for free anyone can do it (show sys), if not you need privs (show proc).

If the rule is that you need privs for watching processes not belonging to you, show sys should adjust the output too. A bit like decservers that have even help adjusted according to privs.

Wim
Wim
Bart Zorn_1
Trusted Contributor

Re: INSTALL installed with privileges?

Again, thank you for your thoughts! I am closing this thread because it tends to steer off topic.

I have seen several other lines in VMSIMAGES.DAT which raised my eyebrows, but the one for INSTALL made me post the question.

Regards,

Bart Zorn