=Creating/Modifying Accounts on a VAX/VMS Operating System=
=by Subhuman Punisher=

The job of creating, modifying or deleting users is performed via the
image AUTHORIZE. This program should be found in the sys$system
directory. This job requires the SYSPRV privilege. To show the list of
all the privileges your account is set up for, type:

$ show proc/priv

If you have the SYSPRV privilege, you can go on and add/modify/delete
users. Typical accounts which have the SYSPRV privilege are SYSTEM and
FIELD. If your account has the SETPRV privilege, then you can add the
SYSPRV privilege to your account by typing:

$ set proc/priv=SYSPRV

Assuming you have hacked out an account with the required privilege,
this is how you start up AUTHORIZE:

$ set default sys$system    ! change to sys$system directory
$ run authorize             ! self-explanatory

This will return you the User Authorization File prompt (UAF from now
on).

UAF>

The quick and dirty way to create a new user is:

UAF> add [username] /password=[desired_pwd]/priv=[wanted_privileges]

For example:

UAF> add subhuman /password=whatever/priv=setprv

would create a high-privileged user on a system. Of course, you should
avoid adding new accounts when possible. The best idea would be to find
an inactive user and to change his password to whatever you want. This
way, the system operator won't get suspicious. You should also avoid
granting all privileges to a particular user. This is very easy to
detect from the operator's side.

Here are the commands available from the AUTHORIZE program:

ADD    | Add a new user. See online help for further information.
COPY   | Allows you to copy any record in the UAF to a new user.
CREATE | Allows you to create either the RIGHTSLIST.DAT or NETUAF.DAT
       | files if they don't already exist.
DEFAULT| Allows you to change any item in the DEFAULT record in SYSUAF.DAT
EXIT   | Terminate authorize and go back to the VMS shell.
GRANT  | Grants an identifier name to a user UIC
LIST   | Makes a listing file (SYSUAF.LIS) which gives information
       | on the records specified.
MODIFY | Allows you to modify an existing user. See below.
REMOVE | This allows you to delete an existing user record
RENAME | This allows you to change the username of a record
REVOKE | Revokes an identifier name from a username or UIC identifier
SHOW   | Allows you to view the records in SYSUAF.DAT, RIGHTSLIST.DAT and
       | NETUAF.DAT

The commands you will be using most from here are SHOW and MODIFY. SHOW
can be used to isolate INACTIVE accounts (based on last login), failed
login attempts etc. The MODIFY command will let you change any
characteristic in any of the records. Below I will give a short
discussion on some of the more important qualifiers that can be
specified. Note that exactly the same thing applies to the ADD command:

/ACCESS   -if the account is set up for no remote access or whatever,
           just include this qualifier (no parameters) to gain FULL
           access.
/DEFPRIV  -your default privileges. These are the privileges that are
           active upon login
/DIR      -the directory assigned to you upon login, i.e. SYS$LOGIN
/LGICMD   -the file that is executed upon login. Normal setting would
           be /LGICMD=login.com
/PASSWORD -guess what? your password!
/PRIORITY -CPU priority.
/PRIV     -privileges. See below for a list of all privileges.
/PWDMIN   -minimum password length
/UIC      -User Identification Code. Format: [group,member]

On many systems you will find a file called ADDUSER.COM which allows
the system manager to create new users. It is a DCL file which
simplifies the task of creating new users by prompting you for all the
necessary parameters.

Below is a complete example of the command line. Just type HELP from
the UAF> prompt if you are stuck.

UAF> add DOEJ /own="John Doe" /acco=john_doe /dir=SYS$LOGIN /uic=[1,34534] /priv=[privs] /passw=whatever

The items here are:

DOEJ      -the name you will use on the system
John Doe  -your actual name (of course you don't use your REAL name!)
john_doe  -your account name, usually used for billing purposes
SYS$LOGIN -your login directory. Best to keep an existing one
1,34534   -your User Id Code. Format: [group,member]
whatever  -your account password.
[privs]   -your account privileges. See below for a complete list of
           all privileges available. SETPRV gives you manager access.
           Type SHOW PROC/PRIV from the DCL prompt ($) to show your
           current privileges.

PRIVILEGE     DESCRIPTION
--------------------------------------------------------------------------
NONE          no privilege at all

NORMAL PRIVS
------------
MOUNT         Execute mount volume QIO
NETMBX        Create network connections (*you need this to outdial!*)
TMPMBX        Create temporary mailbox

GROUP PRIVS
-----------
GROUP         Control processes in the same group
GRPPRV        Group access through SYSTEM protection field

DEVOUR PRIVS
------------
ACNT          Disable accounting
ALLSPOOL      Allocate spooled devices
BUGCHK        Make bugcheck error log entries
EXQUOTA       Exceed disk quotas
GRPNAM        Insert group logical names in the name table
PRMCEB        Create/delete permanent common event flag clusters
PRMGBL        Create permanent global sections
PRMMBX        Create permanent mailboxes
SHMEM         Create/delete structures in shared memory

SYSTEM PRIVS
------------
ALTPRI        Set base priority higher than allotment
OPER          Perform operator functions
PSWAPM        Change process swap mode
WORLD         Control any process
SECURITY      Perform security related functions
SHARE         Access devices allocated to other users
SYSLCK        Lock system-wide resources

FILES PRIVS
-----------
DIAGNOSE      Diagnose devices
SYSGBL        Create system wide global sections
VOLPRO        Override volume protection

ALL PRIVS
---------
BYPASS        Disregard protection
CMEXEC        Change to executive mode
CMKRNL        Change to kernel mode
DETACH        Create detached processes of arbitrary UIC
LOG_IO        Issue logical I/O requests
PFNMAP        Map to specific physical pages
PHY_IO        Issue physical I/O requests
READALL       Possess read access to everything
SETPRV        *** ENABLE ALL PRIVILEGES!!! ***
SYSNAM        Insert system logical names in the name table
SYSPRV        Access objects through SYSTEM protection field. Great one.

==============
DCL : Digital Command Language
DEC : Digital Equipment Corporation
VAX : Virtual Access eXtension
VMS : Virtual Memory System
==============

=The end=
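
The text names two things an operator can look for: inactive accounts whose password was changed, and accounts holding privileges from the "ALL PRIVS" group. The following audit sketch is an added example, not part of the original file. The record format, the sample data and the names `parse`, `audit` and `baseline` are assumptions made for the example; it does not read real AUTHORIZE output.

```python
from datetime import date

# Privileges the page lists under "ALL PRIVS", plus SECURITY from "SYSTEM PRIVS".
HIGH_IMPACT = {"BYPASS", "CMEXEC", "CMKRNL", "DETACH", "LOG_IO", "PFNMAP",
               "PHY_IO", "READALL", "SETPRV", "SYSNAM", "SYSPRV", "SECURITY"}

# Constructed sample in a simplified export format invented for this example:
# username|last_login|password_changed|privileges. Not real AUTHORIZE output.
SAMPLE = """\
SYSTEM|1991-03-01|1991-01-15|SETPRV,SYSPRV,OPER
FIELD|1990-02-10|1991-02-27|SYSPRV,TMPMBX,NETMBX
DOEJ|1991-02-25|1990-11-02|TMPMBX,NETMBX
SMITHA|1989-12-05|1989-10-01|TMPMBX,NETMBX
NEWUSR|never|1991-02-28|SETPRV,TMPMBX
"""

def parse(text):
    """Yield one dict per record; a last_login of 'never' becomes None."""
    for line in text.strip().splitlines():
        user, last, changed, privs = line.split("|")
        yield {
            "user": user,
            "last_login": None if last == "never" else date.fromisoformat(last),
            "pwd_changed": date.fromisoformat(changed),
            "privs": set(privs.split(",")),
        }

def audit(records, today, dormant_days=180, baseline=("SYSTEM", "FIELD")):
    """Return (user, finding) pairs.

    baseline: accounts expected to hold high-impact privileges (an assumption;
    the page names SYSTEM and FIELD as typical SYSPRV holders).
    """
    findings = []
    for r in records:
        risky = sorted(r["privs"] & HIGH_IMPACT)
        if risky and r["user"] not in baseline:
            findings.append((r["user"], "HIGH_PRIV:" + ",".join(risky)))
        last = r["last_login"]
        dormant = last is None or (today - last).days > dormant_days
        # A password change with no login after it, on an account nobody
        # uses, is the account-reuse pattern the text describes.
        if dormant and (last is None or r["pwd_changed"] > last):
            findings.append((r["user"], "PWD_CHANGE_WHILE_DORMANT"))
    return findings

if __name__ == "__main__":
    for user, finding in audit(parse(SAMPLE), today=date(1991, 3, 1)):
        print(f"{user:8} {finding}")
```

Baseline accounts are exempt only from the privilege check, so a password change on a dormant FIELD account is still reported.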