SYSPRV

From VSI OpenVMS Wiki

SYSPRV is a privilege that lets a process access protected objects by the system protection field and also read and modify the owner (UIC), the UIC-based protection code, and the ACL of an object. Due to its potential to control the system, SYSPRV belongs to the All group of privileges.

Even if an object is protected against system access, a process with SYSPRV privilege can change the object's protection to gain access to it. Any process with SYSPRV privilege can add, modify, or delete entries in the system user authorization file (SYSUAF.DAT).

Exercise caution when granting this privilege. Normally, grant this privilege only to system managers and security administrators. If unqualified users have system access rights, the operating system and service to others can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.

The SYSPRV privilege also lets a process perform the following tasks:

| Task | Interface |
|------|-----------|
| Modify a file's expiration date | SET FILE/EXPIRATION |
| Modify the number of interlocked queue retries | $QIO request to an Ethernet 802 driver (DEBNA/NI) |
| Set the spin-wait time on the port command register | $QIO request to an Ethernet 802 driver (DEBNA) |
| Set the FROM field in a mail message | MAIL routines |
| Access a MAIL maintenance record | MAIL |
| Modify or delete a MAIL database record | MAIL |
| Modify the group number and password of a local area cluster | CLUSTER_AUTHORIZE component of SYSMAN |
| Perform transaction recovery, join a transaction as coordinator, transition a transaction | DECdtm software |

A process whose group UIC is less than or equal to the system parameter MAXSYSGRP has implied SYSPRV. When a process has SYSPRV or implied SYSPRV, it can also perform the following tasks:

| Task | Interface |
|------|-----------|
| Initialize a magnetic tape | $INIT_VOL |
| Override creation of an owner ACE on a newly created file | $QIO request to F11BXQP |
| Clear the directory bit in a directory's file header | $QIO request to the F11BXQP, SET FILE/NODIRECTORY |
| Acquire or release a volume lock | $QIO request to F11BXQP |
| Force mount verification on a volume | $QIO request to F11BXQP |
| Create a file access window with the no access lock bit set | $QIO request to F11BXQP |
| Specify null lock mode for a volume lock | $QIO request to F11BXQP |
| Access a locked file | $QIO request to F11BXQP |
| Disable disk quotas on volume | $QIO request to F11BXQP |
| Enable disk quotas on volume | $QIO request to F11BXQP |
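
The implied-SYSPRV rule above is easy to miss in an account review, because UIC group numbers are written in octal while MAXSYSGRP is an ordinary integer. The following is an added example, not part of the wiki page or any VSI code: it classifies accounts as having explicit SYSPRV, implied SYSPRV, or neither. The record layout, the function names, and the MAXSYSGRP value of 8 used in the sample run are assumptions made for illustration.

```python
import re

# Numeric UIC format [group,member]; both fields are written in octal.
_NUMERIC_UIC = re.compile(r"^\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]$")


def uic_group(uic):
    """Group number of a numeric UIC as an int, or None when the UIC is
    alphanumeric (e.g. [ADMIN,LEGACY]) or malformed and cannot be resolved here."""
    match = _NUMERIC_UIC.match(uic.strip())
    return int(match.group(1), 8) if match else None


def sysprv_status(uic, privileges, maxsysgrp):
    """Return 'explicit', 'implied', 'none' or 'unresolved' for one account.

    maxsysgrp is taken as a plain (decimal) integer, so it is compared with
    the octal-decoded group number, never with the digits as written.
    """
    if "SYSPRV" in {p.upper() for p in privileges}:
        return "explicit"
    group = uic_group(uic)
    if group is None:
        return "unresolved"  # needs an identifier lookup outside this sketch
    return "implied" if group <= maxsysgrp else "none"


def audit(accounts, maxsysgrp):
    """Map each account name to its SYSPRV status."""
    return {name: sysprv_status(uic, privs, maxsysgrp)
            for name, uic, privs in accounts}


# Constructed sample records (name, UIC, privileges); not real AUTHORIZE output.
ACCOUNTS = [
    ("SECADM", "[300,1]", ["SYSPRV", "SECURITY", "TMPMBX"]),
    ("OPER1", "[10,12]", ["OPER", "TMPMBX", "NETMBX"]),   # octal 10 = 8
    ("BUILD", "[11,3]", ["TMPMBX", "NETMBX"]),            # octal 11 = 9
    ("JSMITH", "[200,15]", ["TMPMBX", "NETMBX"]),
    ("LEGACY", "[ADMIN,LEGACY]", ["TMPMBX"]),
]

if __name__ == "__main__":
    for name, status in audit(ACCOUNTS, maxsysgrp=8).items():
        print(f"{name:8} {status}")
```

In the sample, OPER1 holds no SYSPRV bit yet is flagged as implied, because group 10 octal equals 8; reading the group as decimal 10 would wrongly clear it.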