- Community Home
- >
- Servers and Operating Systems
- >
- Operating Systems
- >
- Operating System - OpenVMS
- >
- Re: Rightslist.dat
Categories
Company
Local Language
Forums
Discussions
Forums
- Data Protection and Retention
- Entry Storage Systems
- Legacy
- Midrange and Enterprise Storage
- Storage Networking
- HPE Nimble Storage
Discussions
Discussions
Discussions
Forums
Forums
Discussions
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
- BladeSystem Infrastructure and Application Solutions
- Appliance Servers
- Alpha Servers
- BackOffice Products
- Internet Products
- HPE 9000 and HPE e3000 Servers
- Networking
- Netservers
- Secure OS Software for Linux
- Server Management (Insight Manager 7)
- Windows Server 2003
- Operating System - Tru64 Unix
- ProLiant Deployment and Provisioning
- Linux-Based Community / Regional
- Microsoft System Center Integration
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Discussion Boards
Community
Resources
Forums
Blogs
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 05:56 AM
тАО12-20-2007 05:56 AM
Rightslist.dat
Just need to know what impact will there be if the protection is changed from (RWED,RWED,R,R) to (RWED,RWED,,).
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 06:20 AM
тАО12-20-2007 06:20 AM
Re: Rightslist.dat
A quick check of some of my systems seems to indicate that removing World access (the last "R") is not a problem. The other standalone "R" (in the third position) is for Group access. Since RIGHTSLIST.DAT is probably owned by SYSTEM, Group access is roughly equivalent to System access (the first RWED).
Personally, since the default appears to be [RWED, RWED, R, ], I would probably recommend setting it to that.
For an overview of the actual file protection check, see the OpenVMS Guide to System Security (available from the OpenVMS www site at http://www.hp.com/go/openvms ) or the reproduced diagram in my chapter in the Handbook of Information Security (H. Bidgoli, Ed, Wiley, 2005).
- Bob Gezelter, http://www.rlgsc.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 06:32 AM
тАО12-20-2007 06:32 AM
Re: Rightslist.dat
but what if an user with an identifier logs in,will he be able to get all access he holds ?
Thanks
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 06:52 AM
тАО12-20-2007 06:52 AM
Re: Rightslist.dat
A good and reasonable question. The best answer would be to review the code or the Internals and Data Structures manual, but I will try to give a simplified explanation.
The components that access RIGHTSLIST operate with System protection as part of the login process (and some other situations). They do not operate as part of the user's protection context.
- Bob Gezelter, http://www.rlgsc.com
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 07:54 AM
тАО12-20-2007 07:54 AM
Re: Rightslist.dat
>>>
but what if an user with an identifier logs in,will he be able to get all access he holds ?
<<<
For you info, our RIGHTSLIST has the default protection (as shown by Bob), and we DO make extensive use of identifiers.
NO user can access ANY application without holding the relevant ident.
Yes, the default access is entirely adequat.
And giving World READ access just might compromise your security...
hth
Proost.
Have one on me.
jpe
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 08:27 AM
тАО12-20-2007 08:27 AM
Re: Rightslist.dat
Changing off the official mask is problematic in terms of support. It might work, it might not. It might throw an extra audit or such. Or something might eventually go off the rails.
The HP-specified protection mask for this file is RWED,RWED,R,R, and the file is owned by SYSTEM. Which means that the G:R might cut down on the need to use the SYSTEM mask to access the file, though it certainly doesn't alter the ability of a SYSTEM accessor to access the file. This per the Security Manual, and its list of files and protections. (And what's in the manual was the NCSC Class C2 security settings.)
I'd recommend against changing this protection without a massively good reason, and no security auditor I've encountered has managed to convincingly make that case.
As to what might go wrong, go try it. Probably nothing. But as to the future, who knows.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 10:38 AM
тАО12-20-2007 10:38 AM
Re: Rightslist.dat
It seem to recall that the default file protection for rightslist.dat was initially world readable but later changed to no world access for security reasons. If rightlist.dat is readable, it can reveal a list of valid usernames on the system.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 12:45 PM
тАО12-20-2007 12:45 PM
Re: Rightslist.dat
At login, the login process checking the user's credentials and setting the environment is not trunning as an ordinary user - it's a SYSTEM matter. So Read access isn't needed.
If a user requires extra identifiers, bet keep it under program control, but the image should be installed with sufficient privilege to access the file (READALL might do?).
OpenVMS Developer & System Manager
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 12:59 PM
тАО12-20-2007 12:59 PM
Re: Rightslist.dat
As others have noted, it's probably best to keep the default protection. Though I'm not sure we've clearly established what that is! I believe it SHOULD be (RWED,RWED,,) for reasons that will become apparent.
For RIGHTSLIST the SOGW protection is not very relevant because the file isn't normally accessed directly through RMS. All accesses to RIGHTSLIST should be through system services $IDTOASC or $ASCTOID, so even unprivileged users access the file via the SYSTEM mask (albeit in a controlled manner).
Even if there is no read access to the FILE an unprivileged user can translate rights identifiers in either direction using the system services (or lexical function jacket F$IDENTIFIER). They can also perform a wildcard search with $IDTOASX.
The one exception - identifiers with the NAME_HIDDEN attribute can only be translated by holders of the identifier, or with READ access to RIGHTSLIST. Thus, the only real consequence of granting world READ access to RIGHTSLIST is to negate the NAME_HIDDEN attribute. (Although it's not documented as such, I'd expect this also affects HOLDER_HIDDEN. Personally I can't see much use for NAME_HIDDEN, but I can see that HOLDER_HIDDEN might be useful - asking "what is the arbitrary name of this object" doesn't really help security, but preventing the question "who can use this access right" most definitely does).
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
тАО12-20-2007 04:14 PM
тАО12-20-2007 04:14 PM
Re: Rightslist.dat
>I'd expect this also affects
>HOLDER_HIDDEN.
I was looking in the wrong place. This IS documented under $FIND_HOLDER:
"Read access to the rights database is required to obtain information about identifiers marked HOLDER_HIDDEN"
Also, $FIND_HELD says:
"Read access to the rights database is required to obtain information about identifiers held by other users."
My conclusion is that RIGHTSLIST should NOT have WORLD:R access. GROUP doesn't really matter as it's the SYSTEM group anyway.