HP OpenVMS Guide to System Security > Appendix A Assigning Privileges

BYPASS Privilege (All)

The BYPASS privilege allows the user's process full access to all protected objects, totally bypassing UIC-based protection, access control list (ACL) protection, and mandatory access controls. With the BYPASS privilege, a process has unlimited access to the system. Among the operations that can be performed are the following:

  • Modification of all user authorization records (SYSUAF.DAT)

  • Modification of all rights identifier and holder records (RIGHTSLIST.DAT)

  • Modification of all network proxy records (NETPROXY.DAT or NET$PROXY.DAT [VAX only])

  • Modification of all DECnet object passwords and accounts (NETOBJECT.DAT)

  • Unlimited access to all files on all volumes

Grant this privilege with extreme caution because it overrides all object protection. It should be reserved for use by well-tested, reliable programs and command procedures. The SYSPRV privilege is adequate for interactive use because it ultimately grants access to all objects while still providing access checks. The READALL privilege is adequate for backup operations.
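To act on this guidance, an administrator needs to know which accounts hold BYPASS at all. The following Python script is an added example, not part of the HP manual: it parses a text listing of user authorization records and reports every account with BYPASS among its authorized or default privileges. The listing layout is assumed to follow the output of the AUTHORIZE utility's SHOW/FULL command; the sample listing, account names, and function names are constructed for illustration.

```python
import re
# Constructed sample, assumed to follow the layout of an AUTHORIZE
# "SHOW * /FULL" listing; all account names are made up for this example.
SAMPLE_LISTING = """\
Username: BACKUP_SVC                       Owner:  NIGHTLY BACKUP
Account:  OPS                              UIC:    [10,20] ([OPS,BACKUP_SVC])
Authorized Privileges:
  BYPASS       NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX
Username: JSMITH                           Owner:  J SMITH
Authorized Privileges:
  NETMBX       TMPMBX
Default Privileges:
  NETMBX       TMPMBX
Username: OPER1                            Owner:  OPERATOR
Authorized Privileges:
  BYPASS       NETMBX       OPER         SYSPRV       TMPMBX
Default Privileges:
  BYPASS       NETMBX       TMPMBX
"""

HEADERS = {"Authorized Privileges:": "authorized", "Default Privileges:": "default"}

def parse_privileges(listing):
    """Return {username: {"authorized": set, "default": set}}."""
    accounts, user, section = {}, None, None
    for line in listing.splitlines():
        m = re.match(r"Username:\s+(\S+)", line)
        if m:
            user, section = m.group(1), None
            accounts[user] = {"authorized": set(), "default": set()}
        elif line.strip() in HEADERS:
            section = HEADERS[line.strip()]
        elif user and section and line.startswith(" ") and line.strip():
            accounts[user][section].update(line.split())
        else:
            section = None  # any other line ends the privilege block
    return accounts

def bypass_findings(accounts, priv="BYPASS"):
    """Sorted (username, where) pairs; a default grant is active at every login."""
    return sorted((u, "default" if priv in p["default"] else "authorized")
                  for u, p in accounts.items()
                  if priv in p["authorized"] | p["default"])

if __name__ == "__main__":
    for user, where in bypass_findings(parse_privileges(SAMPLE_LISTING)):
        print(f"{user}: BYPASS is {where}; review against SYSPRV or READALL")
```

Each account reported is a candidate for review against the alternatives named above: SYSPRV for interactive use and READALL for backup operations.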

The BYPASS privilege lets a process perform the following tasks:

| Task | Interface |
|---|---|
| Perform file system operations: | |
| Modify file ownership | SET SECURITY/OWNER, $QIO request to F11BXQP |
| Access a file that is marked for deletion | $QIO request to F11A ACP or F11BXQP |
| Access a file that is deaccess locked | $QIO request to F11A ACP or F11BXQP |
| Override creation of an owner ACE on a newly created file | $QIO request to F11BXQP |
| Clear the directory bit in a directory's file header | $QIO request to F11BXQP |
| Operate on an extension header | $QIO request to F11BXQP |
| Acquire or release a volume lock | $QIO request to F11BXQP |
| Force mount verification on a volume | $QIO request to F11BXQP |
| Create a file access window with the no access lock bit set | $QIO request to F11BXQP |
| Specify null lock mode for volume lock | $QIO request to F11BXQP |
| Access a locked file | $QIO request to F11BXQP |
| Enable or disable disk quotas on a volume | $QIO request to F11BXQP |
| Operate on network databases: | |
| Display permanent network database records | NCP |
| Display permanent DECnet object password | NCP |
| Display volatile DECnet object password | NCP |
| Adjust discretionary or mandatory access controls: | |
| Read a user authorization record | $GETUAI |
| Modify a user authorization record | $SETUAI |
| Modify mailbox protection | $QIO request to the mailbox driver (MBDRIVER) |
| Modify shared memory mailbox protection | $QIO request to the mailbox driver (MBXDRIVER) |
| Bypass discretionary or mandatory object protection | $CHKPRO |
| Miscellaneous: | |
| Initialize a magnetic tape | $INIT_VOL |
| Unload an InfoServer system | $QIO request to the InfoServer system (DADDRIVER) |