CMKRNL Privilege (All)

If both a Table of Contents and Search form are not displayed in separate frames along with this one, you may wish to redisplay this book in a frameset, beginning with the first page.

HP OpenVMS Guide to System Security

Security for the System Administrator

Assigning Privileges

CMEXEC Privilege (All)

DIAGNOSE Privilege (Objects)

CMKRNL Privilege (All)

The CMKRNL privilege allows the user's process to execute the Change Mode to Kernel ($CMKRNL) system service.

This system service lets a process change its access mode to kernel mode, execute a specified routine, and then return to the access mode that was in effect before the system service was called. While in kernel mode, a process can enable any system privilege.

A process holding both CMKRNL and SYSNAM can set the system time.

Grant this privilege only to users who need to execute privileged instructions or who need to gain access to the most protected and sensitive data structures and functions of the operating system. If unqualified users have unrestricted use of privileged instructions and unrestricted access to sensitive data structures and functions, the operating system and service to other users can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.

The CMKRNL privilege lets a process perform the following tasks:

Task Interface

Modify a multiprocessor operation
START/CPU, STOP/CPU

Modify systemwide RMS defaults
SET RMS/SYSTEM

Suspend a process in kernel mode
SET PROCESS/SUSPEND=KERNEL

Modify another process' rights list or its nondynamic identifier attributes
SET RIGHTS_LIST

Grant an identifier with modified attributes
SET RIGHTS/ATTRIBUTE

Modify the system rights list
SET RIGHTS_LIST/SYSTEM

Change a process UIC
SET UIC

Modify the number of interlocked queue retries
$QIO request to an Ethernet 802 driver (DEBNA/NI)

Connect to a device interrupt vector
$QIO request to an interrupt vector (CONINTERR)

Start or modify a line in Genbyte mode
$QIO request to a synchronous communications line (XGDRIVER)

Set the spin-wait time on the port command register
$QIO request to an Ethernet 802 driver (DEBNA)

Modify a known image list
INSTALL

Process the following item codes:
SJC$_ACCOUNT_NAME item

SJC$_UIC

SJC$_USERNAME

Send to Job Controller system service ($SNDJBC)

Create a detached process with unrestricted quotas
RUN/DETACHED, $CREPRC

Examine the internals of the running system
ANALYZE/SYSTEM

Task	Interface
Modify a multiprocessor operation	START/CPU, STOP/CPU
Modify systemwide RMS defaults	SET RMS/SYSTEM
Suspend a process in kernel mode	SET PROCESS/SUSPEND=KERNEL
Modify another process' rights list or its nondynamic identifier attributes	SET RIGHTS_LIST
Grant an identifier with modified attributes	SET RIGHTS/ATTRIBUTE
Modify the system rights list	SET RIGHTS_LIST/SYSTEM
Change a process UIC	SET UIC
Modify the number of interlocked queue retries	$QIO request to an Ethernet 802 driver (DEBNA/NI)
Connect to a device interrupt vector	$QIO request to an interrupt vector (CONINTERR)
Start or modify a line in Genbyte mode	$QIO request to a synchronous communications line (XGDRIVER)
Set the spin-wait time on the port command register	$QIO request to an Ethernet 802 driver (DEBNA)
Modify a known image list	INSTALL
Process the following item codes: SJC$_ACCOUNT_NAME item SJC$_UIC SJC$_USERNAME	Send to Job Controller system service ($SNDJBC)
Create a detached process with unrestricted quotas	RUN/DETACHED, $CREPRC
Examine the internals of the running system	ANALYZE/SYSTEM

CMEXEC Privilege (All)

DIAGNOSE Privilege (Objects)