So if you can read sysuaf.dat.......
----- Original Message -----
From: "bqt" <bqt at softjar.se>
To: "hecnet" <hecnet at Update.UU.SE>
Sent: Monday, October 12, 2020 9:25:05 PM
Subject: Re: [HECnet] How much should you be allowed to shoot yourself in the foot?
Actually, I seem to remember last time I looked (quite a number of years
ago), there were 36 different privileges in VMS. Definitely more than 32
in any case. But yes, that is a rather nice part in VMS. And you can
assign such rights both to users and programs.
Johnny
On 2020-10-13 03:22, Robert Armstrong wrote:
VMS has a fine grained privilege system - I
haven't counted recently, but I'll bet there are close to 32 individual privileges
that can be enabled or disabled at will. Processes have both an "authorized
privileges" and an "enabled privileges" mask, so an account can have many
privileges authorized but a user can selectively turn them on or off at will. Programs
(really installed images, but that's an executable program for this discussion) also
have a privilege mask and when a user runs one of these the image privileges are ORed with
the process privileges. I'm not aware that specific privileges can be associated with
specific terminals, but you can restrict accounts to only log in on local (hardwired)
terminals, batch jobs, PTYs, network terminals, or even on the CTY only.
There's also an elaborate system of ACLs for files, but that's a different
story.
One VMS privilege bit that I really like is "READALL" - this says that the
process can have read access to any file on the system, regardless of protections. The
process doesn't, however, get any special dispensation for modifying or deleting the
file (there are other privilege bits for that!). Having read access to everything without
having to worry about accidentally screwing something up is really handy.
Bob
--
Johnny Billquist || "I'm on a bus
|| on a psychedelic trip
email: bqt at softjar.se || Reading murder books
pdp is alive! || tryin' to stay hip" - B. Idol