VMS Help  —  Sys Parameters, SECURITY_POLICY
    SECURITY_POLICY allows a system to run in a C2 or B1
    configuration and to subset out particular pieces of
    functionality-to exclude functionality that is outside the
    evaluated configuration or to preserve compatibility with
    previous versions of the operating system. See the VSI OpenVMS
    Guide to System Security for further information about the C2 and
    B1 evaluated configurations.

    The following bits are defined:

    Bit   Description

    0     Obsolete.

    1     Allows multiple user names to connect to DECW$SERVER.

    2     Allows unevaluated DECwindows transports (such as TCP/IP).

    3     Allows $SIGPRC and $PRCTERM to span job trees.

    4     Allows security profile changes to protected objects on
          a local node when the object server is absent and cannot
          update the cluster database VMS$OBJECTS.DAT.

    5     Allows creation of protected objects on a local node when
          the object server is absent and cannot update the cluster
          database VMS$OBJECTS.DAT.

    6     Allows SPAWN or LIB$SPAWN commands in CAPTIVE accounts.

    7     Reserved to VSI.

    8     Reserved to VSI.

    9     Disables password synchronizations among ACME agents on
          a systemwide pasis. This is functionally equivalent to
          the SYS$SINGLE_SIGNON logical name bit mask value 4 for
          LOGINOUT.

    10    Allows privileged applications to successfully authenticate
          a user whose principal name maps to a SYSUAF record that is
          either expired or whose modal restrictions would otherwise
          prevent the account from being used.

          A SYSUAF record that is disabled or password-expired (in
          the case of traditional OpenVMS authentication) cannot be
          bypassed in this manner.

          An application with SECURITY privilege specifies the
          SYS$ACM ACME$M_NOAUTHORIZE function modifier to override
          authorization checks.

    11    Allows any record in the SYSUAF file to be mapped using
          external authentication.

    12    Allows intrusions on a clusterwide or local basis. (If the
          bit is cleared, intrusions are clusterwide.)

    13    Reserved to VSI.

    14    Allows the internal name and backlink of files and
          directories to be read if the user has either execute or
          read access to the file or directory. If this bit is clear,
          read access is required.

          Setting this bit allows the full POSIX pathname of a file
          or directory to be displayed when some of the directories
          in the path are execute-only to the user. This feature is
          required in the following environments:

          o  POSIX pathnames are in use.

          o  The BASH shell or other GNV components are in use.

          o  Applications are using the realpath(),  getcwd(),
             getpwnam(),  and related C runtime library functions.

    The default value of 7 preserves compatibility with existing
    DECwindows Motif behavior. A value of 0 disables all unevaluated
    configurations.
Close Help