HP OpenVMS Guide to System Security > Appendix A Assigning Privileges

CMKRNL Privilege (All)

  Table of Contents

  Glossary

  Index

The CMKRNL privilege allows the user's process to execute the Change Mode to Kernel ($CMKRNL) system service.

This system service lets a process change its access mode to kernel mode, execute a specified routine, and then return to the access mode that was in effect before the system service was called. While in kernel mode, a process can enable any system privilege.

A process holding both CMKRNL and SYSNAM can set the system time.

Grant this privilege only to users who need to execute privileged instructions or who need to gain access to the most protected and sensitive data structures and functions of the operating system. If unqualified users have unrestricted use of privileged instructions and unrestricted access to sensitive data structures and functions, the operating system and service to other users can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.

The CMKRNL privilege lets a process perform the following tasks:

Task Interface

Modify a multiprocessor operation

START/CPU, STOP/CPU

Modify systemwide RMS defaults

SET RMS/SYSTEM

Suspend a process in kernel mode

SET PROCESS/SUSPEND=KERNEL

Modify another process' rights list or its nondynamic identifier attributes

SET RIGHTS_LIST

Grant an identifier with modified attributes

SET RIGHTS/ATTRIBUTE

Modify the system rights list

SET RIGHTS_LIST/SYSTEM

Change a process UIC

SET UIC

Modify the number of interlocked queue retries

$QIO request to an Ethernet 802 driver (DEBNA/NI)

Connect to a device interrupt vector

$QIO request to an interrupt vector (CONINTERR)

Start or modify a line in Genbyte mode

$QIO request to a synchronous communications line (XGDRIVER)

Set the spin-wait time on the port command register

$QIO request to an Ethernet 802 driver (DEBNA)

Modify a known image list

INSTALL

Process the following item codes:

SJC$_ACCOUNT_NAME item
SJC$_UIC
SJC$_USERNAME

Send to Job Controller system service ($SNDJBC)

Create a detached process with unrestricted quotas

RUN/DETACHED, $CREPRC

Examine the internals of the running system

ANALYZE/SYSTEM