HP OpenVMS Guide to System Security > Appendix A Assigning Privileges

SYSPRV Privilege (All)

The SYSPRV privilege lets a process access protected objects by the system protection field and also read and modify the owner (UIC), the UIC-based protection code, and the ACL of an object. Even if an object is protected against system access, a process with SYSPRV privilege can change the object's protection to gain access to it. Any process with SYSPRV privilege can add, modify, or delete entries in the system user authorization file (SYSUAF.DAT).

Exercise caution when granting this privilege. Normally, grant this privilege only to system managers and security administrators. If unqualified users have system access rights, the operating system and service to others can be easily disrupted. Such disruptions can include failure of the system, destruction of all system and user data, and exposure of confidential information.

The SYSPRV privilege also lets a process perform the following tasks:

| Task | Interface |
|---|---|
| Modify a file's expiration date | SET FILE/EXPIRATION |
| Modify the number of interlocked queue retries | $QIO request to an Ethernet 802 driver (DEBNA/NI) |
| Set the spin-wait time on the port command register | $QIO request to an Ethernet 802 driver (DEBNA) |
| Set the FROM field in a mail message | MAIL routines |
| Access a MAIL maintenance record | MAIL |
| Modify or delete a MAIL database record | MAIL |
| Modify the group number and password of a local area cluster | CLUSTER_AUTHORIZE component of SYSMAN |
| Perform transaction recovery, join a transaction as coordinator, transition a transaction | DECdtm software |

A process whose group UIC is less than or equal to the system parameter MAXSYSGRP has implied SYSPRV. When a process has SYSPRV or implied SYSPRV, it can also perform the following tasks:

| Task | Interface |
|---|---|
| Initialize a magnetic tape | $INIT_VOL |
| Override creation of an owner ACE on a newly created file | $QIO request to F11BXQP |
| Clear the directory bit in a directory's file header | $QIO request to the F11BXQP, SET FILE/NODIRECTORY |
| Acquire or release a volume lock | $QIO request to F11BXQP |
| Force mount verification on a volume | $QIO request to F11BXQP |
| Create a file access window with the no access lock bit set | $QIO request to F11BXQP |
| Specify null lock mode for a volume lock | $QIO request to F11BXQP |
| Access a locked file | $QIO request to F11BXQP |
| Disable disk quotas on volume | $QIO request to F11BXQP |
| Enable disk quotas on volume | $QIO request to F11BXQP |
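
An added example, not part of the HP guide: a Python audit helper that flags accounts holding SYSPRV explicitly or through the implied-SYSPRV rule described above. The record layout, account names, and function name are constructed for illustration; it assumes MAXSYSGRP is supplied as its decimal parameter value (8 here, an assumed setting) while UIC group numbers are written in octal.

```python
import re

# Constructed sample records (not real AUTHORIZE output):
# username, UIC as [group,member] in octal, comma-separated privileges.
SAMPLE = """\
SYSTEM    [1,4]      SYSPRV,CMKRNL,BYPASS
OPER1     [10,21]    OPER,TMPMBX,NETMBX
BACKUPSVC [11,5]     SYSPRV,TMPMBX
JSMITH    [200,17]   TMPMBX,NETMBX
"""

UIC_RE = re.compile(r"\[([0-7]+),([0-7]+)\]")


def sysprv_holders(listing, maxsysgrp=8):
    """Return {username: reason} for accounts with explicit or implied SYSPRV.

    maxsysgrp is the decimal value of the MAXSYSGRP parameter (assumed 8).
    UIC group numbers are parsed as octal before the comparison, so group
    [10,*] equals decimal 8 and still falls inside the system range.
    """
    findings = {}
    for line in listing.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue  # skip blank or incomplete records
        match = UIC_RE.fullmatch(fields[1])
        if match is None:
            raise ValueError(f"unparseable UIC in record: {line!r}")
        group = int(match.group(1), 8)  # octal text -> integer
        privs = set(fields[2].upper().split(",")) if len(fields) > 2 else set()
        reasons = []
        if "SYSPRV" in privs:
            reasons.append("explicit")
        if group <= maxsysgrp:
            reasons.append("implied")
        if reasons:
            findings[fields[0]] = "+".join(reasons)
    return findings


if __name__ == "__main__":
    for user, reason in sysprv_holders(SAMPLE).items():
        print(f"{user:10} SYSPRV ({reason})")
```

OPER1 is the case to watch in a review: no SYSPRV appears in its privilege list, yet its group number places it inside the system range.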