skip book previous and next navigation links
go up to top of book: HP OpenVMS Guide to System Security HP OpenVMS Guide to System Security
go to beginning of part: Security for the System Administrator Security for the System Administrator
go to beginning of appendix: Assigning Privileges Assigning Privileges
go to previous page: BUGCHK Privilege (Devour) BUGCHK Privilege (Devour)
go to next page: CMEXEC Privilege (All)CMEXEC Privilege (All)
end of book navigation links

BYPASS Privilege (All)  



The BYPASS privilege allows the user's process full access to all protected objects, totally bypassing UIC-based protection, access control list (ACL) protection, and mandatory access controls. With the BYPASS privilege, a process has unlimited access to the system. Among the operations that can be performed are

Grant this privilege with extreme caution because it overrides all object protection. It should be reserved for use by well-tested, reliable programs and command procedures. The SYSPRV privilege is adequate for interactive use because it ultimately grants access to all objects while still providing access checks. The READALL privilege is adequate for backup operations.

The BYPASS privilege lets a process perform the following tasks:

Task Interface
Perform file system operations:

Modify file ownership
SET SECURITY/OWNER, $QIO request to F11BXQP
Access a file that is marked for deletion
$QIO request to F11A ACP or F11BXQP
Access a file that is deaccess locked
$QIO request to F11A ACP or F11BXQP
Override creation of an owner ACE on a newly created file
$QIO request to F11BXQP
Clear the directory bit in a directory's file header
$QIO request to F11BXQP
Operate on an extension header
$QIO request to F11BXQP
Acquire or release a volume lock
$QIO request to F11BXQP
Force mount verification on a volume
$QIO request to F11BXQP
Create a file access window with the no access lock bit set
$QIO request to F11BXQP
Specify null lock mode for volume lock
$QIO request to F11BXQP
Access a locked file
$QIO request to F11BXQP
Enable or disable disk quotas on a volume
$QIO request to F11BXQP
Operate on network databases:

Display permanent network database records
NCP
Display permanent DECnet object password
NCP
Display volatile DECnet object password
NCP
Adjust discretionary or mandatory access controls:

Read a user authorization record
$GETUAI
Modify a user authorization record
$SETUAI
Modify mailbox protection
$QIO request request to the mailbox driver (MBDRIVER)
Modify shared memory mailbox protection
$QIO request request to the mailbox driver (MBXDRIVER)
Bypass discretionary or mandatory object protection
$CHKPRO
Miscellaneous:

Initialize a magnetic tape
$INIT_VOL
Unload an InfoServer system
$QIO request to the InfoServer system (DADDRIVER)

go to previous page: BUGCHK Privilege (Devour) BUGCHK Privilege (Devour)
go to next page: CMEXEC Privilege (All)CMEXEC Privilege (All)