|
HP OpenVMS Systemsask the wizard |
|
The Question is: In what version of OpenVMS did "protected subsystems" (as described in Chapter 13 of the OpenVMS security manual) become available??? thanks for the anticipated reply... The Answer is : Protected subsystem support -- the ability to associate a subsystem access control list entry (ACE) in the access control list (ACL) associated with an executable image, and thus allowing (or disallowing) object access based on the identifier (only) when the image is executing -- is part of OpenVMS V6.0 and later releases. The protected subsystem support provides a finely-grained and flexible way to permit (or deny) access when a particular executable image is running. The access permitted (or denied) is typically far more easily controlled within the application than would be a privilege(s) granted to the image through installation of the executable image with a privilege such as SYSPRV or BYPASS. Unlike the effort needed by a programmer to ensure that a (powerful and general) privilege such as SYSPRV or BYPASS cannot be misused -- that the extra privilege(s) are enabled only when needed and are otherwise disabled within the code executing within an application executable image -- the protected subsystem identifier can be configured to grant (or prevent) access to specified OpenVMS security objects using little more than DCL SET SECURITY commands and object ACLs. With the protected subsystems, the programmer has fewer and typically far more isolated concerns around the potential for misuse of the access granted than are present with an image installed with privilege. NB: There is an ECO kit available for a SS$_SUBTRACED error that can be erroneously returned when protected subsystems are used in conjunction with images that are installed as shareable. This particular error is known to occur only on the earliest of the V6 releases, and only when protected subsystems are used on images also installed as shareable.
|