+------------------+ +===============================+ +------------------+
|   Founded By:    | |  Network Information Access   | | Mother Earth BBS |
| Guardian Of Time |-|            12APR90            |-|  NUP:> DECnet    |
|   Judge Dredd    | |       Guardian Of Time        | |Text File Archives|
+--------+---------+ |            File 27            | +---------+--------+
         |           +===============================+           |
         |            +===============================+          |
         +------------| VMS: System Manager's Manual  |----------+
                      |         Chapter 4.11          |
                      +===============================+
Here is Chapter 4 of 11 Chapters,  concerning the VMS: System Manager's
Manual.  Once you have downloaded all 11 chapters,  you will be able to
enter a Vax system and hack your own accounts with the greatest of ease.

                              MANAGING USERS

As a system manager,  it is your job to create and maintain user accounts
on the system.  To create accounts for users and effectively manage the
use of the system, you must determine which users need access to the
system and what system resources they require.

Once you understand user needs, you can establish controls that customize
the system appropriately.

The VMS operating system provides the Authorize Utility (AUTHORIZE) to
authorize and control the use of system resources by individual users.
This chapter describes the use of AUTHORIZE to do the following:

:  Add a user account
:  Modify a user account
:  Remove a user account
:  List the user accounts

See the Authorize Utility chapter in the Reference section for some
information on AUTHORIZE.

4.1 THE USER AUTHORIZATION FILE (UAF)

You manage VMS users by creating and maintaining user accounts,  which
control who can log in to the system and how it can be used.  Use the
Authorize Utility (AUTHORIZE) to do the following:

:  Create new records and modify existing records in the system user
       authorization file (SYS$SYSTEM:SYSUAF.DAT) and the network user
       authorization file (SYS$SYSTEM:NETPROXY.DAT)

:  Create new records and modify existing records in the rights
       database file (SYS$SYSTEM:RIGHTSLIST.DAT)

Whenever a user logs in,  the system uses the information contained in the
user authorization file (UAF) to validate the login attempt, establish the
account's environment, and create a process with appropriate attributes.  In
this way, the system restricts users to the resources you assign to each
account.

As system manager, you may want to create a private copy of SYSUAF.DAT
in a directory other than SYS$SYSTEM as an emergency backup for the system
SYSUAF.DAT file.  Note that, to have an effect on user processes, any
private version of SYSUAF.DAT must be copied to the SYS$SYSTEM directory
and have the system user identification code (UIC).

Because certain images (such as MAIL and SET) require access to the system
UAF and are normally installed with the SYSPRV privilege, make certain that
you always grant system access to SYSUAF.DAT.  The authorization files are
created with the following default protection:

SYSUAF.DAT       S:RWED, O:RWED, G, W
NETPROXY.DAT     S:RWED, O:RWED, G:RWED, W
RIGHTSLIST.DAT   S:RWED, O:RWED, G:RWE, W:R

If you need to maximize the protection for SYSUAF.DAT or NETPROXY.DAT, use
the following DCL command (note, however, that RIGHTSLIST.DAT MUST BE
WORLD-READABLE):

$ SET PROTECTION=(S:RWED,O,G,W) SYS$SYSTEM:filename
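
The protection rules above can be checked mechanically.  The following
Python sketch is an added example, not part of the original manual or of
this file: it parses a protection display and reports where SYSUAF.DAT or
NETPROXY.DAT is looser than the maximized setting, or where RIGHTSLIST.DAT
has lost world read access.  The function names, and reading "system
access" as at least R and W, are assumptions.

```python
import re

CLASSES = {"S": "system", "O": "owner", "G": "group", "W": "world"}
# Default protections as listed in this chapter.
DEFAULTS = {
    "SYSUAF.DAT": "S:RWED,O:RWED,G,W",
    "NETPROXY.DAT": "S:RWED,O:RWED,G:RWED,W",
    "RIGHTSLIST.DAT": "S:RWED,O:RWED,G:RWE,W:R",
}

def parse_protection(mask):
    """Turn 'S:RWED,O,G,W' into {'system': {'R','W','E','D'}, 'owner': set(), ...}.
    The mask is read as a full display: a class with no ':access' has no access."""
    prot = {name: set() for name in CLASSES.values()}
    for item in mask.upper().replace(" ", "").strip("()").split(","):
        cls, _, rights = item.partition(":")
        if cls not in CLASSES or not set(rights) <= set("RWED"):
            raise ValueError(f"bad protection item: {item!r}")
        prot[CLASSES[cls]] = set(rights)
    return prot

def audit_protection(filename, mask):
    """Return a list of findings for one authorization file (empty list = OK)."""
    prot = parse_protection(mask)
    # Strip device, directory and version: SYS$SYSTEM:SYSUAF.DAT;1 -> SYSUAF.DAT
    name = re.split(r"[:\]]", filename.upper())[-1].split(";")[0]
    shown = lambda s: "".join(c for c in "RWED" if c in s)
    findings = []
    if name == "RIGHTSLIST.DAT":
        if "R" not in prot["world"]:
            findings.append("RIGHTSLIST.DAT must be world-readable")
    elif name in ("SYSUAF.DAT", "NETPROXY.DAT"):
        if not {"R", "W"} <= prot["system"]:  # assumed meaning of "system access"
            findings.append("system lacks read/write access")
        for cls in ("owner", "group", "world"):  # compare with (S:RWED,O,G,W)
            if prot[cls]:
                findings.append(f"{cls} has {shown(prot[cls])} access")
    return findings
```

Run against the defaults, SYSUAF.DAT and NETPROXY.DAT are reported only for
the owner and group access that the maximized setting removes.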

Using the Authorize Utility,  you create and maintain UAF records by
assigning values to various fields within each record.  The values you
assign identify the user, define the user's work environment,  and control
use of system resources.
EXAMPLE 4-1 presents a typical UAF record for a nonprivileged user
account.

To gain access to a specific user record, set the default directory to
SYS$SYSTEM, enter the command RUN AUTHORIZE to invoke the Authorize
Utility,  and enter the command SHOW username at the UAF> prompt.  You can
then enter AUTHORIZE commands such as ADD and MODIFY to create new
user accounts or change the information in the fields of an existing UAF
account.

EXAMPLE 4-1: SAMPLE UAF RECORD DISPLAY

$ SET DEFAULT SYS$SYSTEM
$ RUN AUTHORIZE
UAF> SHOW WELCH

USERNAME: WELCH                    OWNER:  ROB WELCH
ACCOUNT:  INVOICE                  UIC:    [21,51] ([INV,WELCH])
CLI:      DCL                      TABLES: DCLTABLES
DEFAULT:  USER3:[WELCH]
LGICMD:
LOGIN FLAGS:
PRIMARY DAYS:    MON TUE WED THU FRI
SECONDARY DAYS:                      SAT SUN
NO ACCESS RESTRICTIONS
EXPIRATION:       (NONE)   PWDMINIMUM: 6   LOGIN FAILS: 0
PWDLIFETIME:      (NONE)   PWDCHANGE:  15APR88 13:58
LAST LOGIN:       (NONE) (INTERACTIVE), (NONE) (NON-INTERACTIVE)
MAXJOBS:        0  FILLM:     20  BYTLM:      8192
MAXACCTJOBS:    0  SHRFILLM:   0  PBYTLM:        0
MAXDETACH:      0  BIOLM:     10  JTQUOTA:    1024
PRCLM:          2  DIOLM:     10  WSDEF:       150
PRIO:           4  ASTLM:     10  WSQUO:       256
QUEPRIO:        4  TQELM:     10  WSEXTENT:    512
CPU:       (NONE)  ENQLM:     10  PGFLQUO:   10240
Authorized Privileges:
 TMPMBX NETMBX
Default Privileges:
 TMPMBX NETMBX

4.1.1  SYSTEM-SUPPLIED UAF RECORDS

The Authorize Utility provides a set of commands and qualifiers to assign
values to any field in a UAF record.  The software distribution with a new
VMS system contains a UAF of four records:

:  DEFAULT - Serves as a template for creating user records in the
       UAF.  A new user record is assigned the values of the DEFAULT
       record except where you explicitly override those values.  Thus,
       whenever you add a new account, you need only specify values for
       fields that you want to be different.  For example, the following
       AUTHORIZE command creates a new record having the same values as the
       DEFAULT RECORD, except that the password, UIC, and default directory
       fields are changed.

       UAF> ADD MARCONI/PASSWORD=QLP6YT9A/UIC=[033,004] -
       _UAF> /DIRECTORY=[MARCONI]

       Section 4.2 gives an example of how to use AUTHORIZE to add a user
       account.

       NOTE: the default record cannot be renamed or deleted from the UAF.

:  FIELD - Permits DIGITAL Field Service personnel to check out a new
       system.  The FIELD record should be disabled once the system is
       installed.

:  SYSTEM - Provides a means for you to log in with full privileges.
       The SYSTEM record can be modified but cannot be renamed or deleted
       from the UAF.

       CAUTION: Do not change the SYSTEM account UAF record fields for the
       default device and directory, and privileges.  Installation of VMS
       maintenance releases and optional software products depends on
       certain values in these fields.

:  SYSTEST - Provides an appropriate environment for running the User
   Environment Test Package (UETP).  The SYSTEST record should be
   disabled once the system is installed.

4.1.2 GENERAL MAINTENANCE OF THE UAF

Usually, you use the UAF supplied with the distribution kit.  (You can,
however, rename the UAF with the DCL command RENAME, and then create a new
UAF with AUTHORIZE.)  You should limit any kind of access to this file to
the SYSTEM account.  Furthermore, each time you modify the file, create a
backup copy so that in case of a system failure you do not lose the
modifications.  See Chapter 8 for procedures for backing up files.

The UAF is accessed as a shared file, and updates to the UAF are made on a
per record basis, which eliminates the need for both a temporary UAF and a
new version of the UAF after each AUTHORIZE session.  Updates become
effective as soon as AUTHORIZE commands are entered, not after the
termination of AUTHORIZE.  (For this reason, you should not enter
temporary values with the intent of fixing them later in the session.)

After installing the system, you should make the following modifications
to the UAF:

:  SYSTEM, FIELD, & SYSTEST ACCOUNTS: If the passwords on these accounts
   are not secure or if they have not been changed recently, be sure to
   change the passwords.  Use obscure passwords of six characters or more
   and continue to change them on a regular basis.  You should not permit
   general users access to these accounts.

   In addition to changing the password, you can disable an account,
   especially if it is used infrequently.  To disable an account, specify
   the following AUTHORIZE command:

   UAF> MODIFY username /FLAGS=DISUSER

   The login flag DISUSER disables the account and prevents anyone from
   logging into the account.  To enable the account when it is needed, run
   AUTHORIZE and specify MODIFY username /FLAGS=NODISUSER.  However, you
   should be cautious about disabling the SYSTEM account, because some
   optional software and some command procedures may not start up properly
   if the SYSTEM account is disabled.

   CAUTION: Be careful not to disable all of your privileged system
   accounts. If you inadvertently do so, you can recover by setting the
   UAFALTERNATE SYSGEN parameter during a conversational bootstrap
   operation. See Chapter 2 for information on emergency startup
   procedures.

:  DEFAULT ACCOUNT: You may want to change several fields in this account.
   For example:

   UAF> MODIFY DEFAULT/DEVICE=DISK$USER/WSQUO=750

   The default device is set to the name most commonly used for user
   accounts that will be added.  Likewise the working set value is set to
   a value appropriate for most users on the system.
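
The post-installation checks in this section can be run over a saved SHOW
listing.  The Python sketch below is an added example, not part of the
original manual or of this file: it flags FIELD and SYSTEST records without
DISUSER, enabled accounts whose PWDMINIMUM is under six, and the lockout
case where every privileged account is disabled.  The sample records are
constructed, and treating any privilege beyond TMPMBX and NETMBX as
"privileged" and applying the six-character minimum to every account are
assumptions.

```python
import re
# Constructed sample: abbreviated records in the SHOW display layout.
SAMPLE = """\
USERNAME: SYSTEM     OWNER: SYSTEM MANAGER
LOGIN FLAGS: DISUSER
EXPIRATION: (NONE)  PWDMINIMUM: 8  LOGIN FAILS: 0
Authorized Privileges:
 BYPASS SYSPRV TMPMBX NETMBX
USERNAME: FIELD      OWNER: FIELD SERVICE
LOGIN FLAGS:
EXPIRATION: (NONE)  PWDMINIMUM: 4  LOGIN FAILS: 0
Authorized Privileges:
 BYPASS SYSPRV TMPMBX NETMBX
USERNAME: WELCH      OWNER: ROB WELCH
LOGIN FLAGS:
EXPIRATION: (NONE)  PWDMINIMUM: 6  LOGIN FAILS: 0
Authorized Privileges:
 TMPMBX NETMBX
"""
BASELINE = {"TMPMBX", "NETMBX"}  # assumption: anything beyond this is privileged

def parse_records(text):  # split a SHOW listing into one dict per account
    records, lines = [], text.splitlines()
    for i, line in enumerate(lines):
        if m := re.match(r"\s*USERNAME:\s*(\S+)", line, re.I):
            records.append({"user": m[1].upper(), "flags": set(), "pwdmin": None, "privs": set()})
        elif records:
            rec = records[-1]
            if m := re.match(r"\s*LOGIN FLAGS:(.*)", line, re.I):
                rec["flags"] = set(m[1].upper().split())
            if m := re.search(r"PWDMINIMUM:\s*(\d+)", line, re.I):
                rec["pwdmin"] = int(m[1])
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            if re.match(r"\s*Authorized Privileges:", line, re.I) and ":" not in nxt:
                rec["privs"] = set(nxt.upper().split())
    return records

def audit_accounts(records, min_len=6):
    findings = []
    for r in records:
        disabled = "DISUSER" in r["flags"]
        if r["user"] in ("FIELD", "SYSTEST") and not disabled:
            findings.append(f"{r['user']}: not disabled (DISUSER flag missing)")
        if not disabled and r["pwdmin"] is not None and r["pwdmin"] < min_len:
            findings.append(f"{r['user']}: PWDMINIMUM {r['pwdmin']} is below {min_len}")
    privileged = [r for r in records if r["privs"] - BASELINE]
    if privileged and all("DISUSER" in r["flags"] for r in privileged):
        findings.append("every privileged account is disabled (lockout risk)")
    return findings
```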

Use the SYSTEM account only for system functions such as performing
backups and installing maintenance updates.  The account comes to you with
full privileges, so exercise caution in using it.  For example, because
you have BYPASS privilege, the system will allow you to delete any file
no matter what its protection.  If you type an incorrect name or a spurious
asterisk, you may destroy files that you or other users need to keep.  For
this reason, use another account with fewer privileges for day-to-day system
management activities.

If you want to receive mail sent to the system account,