mirror of
https://github.com/fdiskyou/Zines.git
synced 2025-03-09 00:00:00 +01:00
399 lines
16 KiB
Text
399 lines
16 KiB
Text
|
==Phrack Classic==
|
||
|
|
|
||
|
|
Volume Three, Issue 32, File #8 of 12
|
||
|
|
|
||
|
|
|
||
|
|
+-------------------------------+
|
||
|
|
| Inside the SYSUAF.DAT file of |
|
||
|
|
+-------------------------------+
|
||
|
|
|
||
|
|
+------------------------------------------------------+
|
||
|
|
| Digital Equipment Corporation's VMS Operating System |
|
||
|
|
+------------------------------------------------------+
|
||
|
|
|
||
|
|
-= by =-
|
||
|
|
|
||
|
|
-----:> Pain Hertz <:----
|
||
|
|
|
||
|
|
|
||
|
|
|
||
|
|
Overview
|
||
|
|
~~~~~~~
|
||
|
|
In this file, I will explain what the System User Authorization File
|
||
|
|
is, what information it contains, what the logical and physical characteristics
|
||
|
|
of the file are, and how one can manipulate it to reveal and/or modify its
|
||
|
|
contents.
|
||
|
|
|
||
|
|
Background
|
||
|
|
~~~~~~~~
|
||
|
|
The Virtual Memory System (VMS) Operating System's System User
|
||
|
|
Authorization File (SYSUAF) contains the information that determines a given
|
||
|
|
user's username, password(s), security priviledges, as well as many other
|
||
|
|
similar data which either allow or disallow the user to have the system
|
||
|
|
perform certain tasks.
|
||
|
|
|
||
|
|
Characteristics
|
||
|
|
~~~~~~~~~~~~~~
|
||
|
|
The SYSUAF.DAT file (UAF) is usually located on the system on the
|
||
|
|
device pointed to by the logical SYS$COMMON, and under the [SYSEXE]
|
||
|
|
subdirectory. However, if the logical SYSUAF exists, it will point to the
|
||
|
|
location and name of the UAF.
|
||
|
|
|
||
|
|
The UAF is a binary, indexed data file. It's indexed on 4 keys:
|
||
|
|
username, UIC, extended user identifier, and owner identifier. Using
|
||
|
|
the VMS ANALYZE utility reveals the following about the UAF:
|
||
|
|
|
||
|
|
|
||
|
|
IDENT "01-JAN-1990 13:13:13 VAX/VMS ANALYZE/RMS_FILE Utility"
|
||
|
|
|
||
|
|
SYSTEM
|
||
|
|
SOURCE VAX/VMS
|
||
|
|
|
||
|
|
FILE
|
||
|
|
ALLOCATION 24
|
||
|
|
BEST_TRY_CONTIGUOUS yes
|
||
|
|
BUCKET_SIZE 3
|
||
|
|
CLUSTER_SIZE 3
|
||
|
|
CONTIGUOUS no
|
||
|
|
EXTENSION 3
|
||
|
|
FILE_MONITORING no
|
||
|
|
GLOBAL_BUFFER_COUNT 0
|
||
|
|
NAME "SYS$COMMON:[SYSEXE]SYSUAF.DAT;1"
|
||
|
|
ORGANIZATION indexed
|
||
|
|
OWNER [SYSTEM]
|
||
|
|
PROTECTION (system:RWED, owner:RWED, group:RWED, world:RE)
|
||
|
|
|
||
|
|
RECORD
|
||
|
|
BLOCK_SPAN yes
|
||
|
|
CARRIAGE_CONTROL none
|
||
|
|
FORMAT variable
|
||
|
|
SIZE 1412
|
||
|
|
|
||
|
|
AREA 0
|
||
|
|
ALLOCATION 9
|
||
|
|
BEST_TRY_CONTIGUOUS yes
|
||
|
|
BUCKET_SIZE 3
|
||
|
|
EXTENSION 3
|
||
|
|
|
||
|
|
AREA 1
|
||
|
|
ALLOCATION 3
|
||
|
|
BUCKET_SIZE 3
|
||
|
|
EXTENSION 3
|
||
|
|
|
||
|
|
AREA 2
|
||
|
|
ALLOCATION 12
|
||
|
|
BUCKET_SIZE 2
|
||
|
|
EXTENSION 12
|
||
|
|
|
||
|
|
KEY 0
|
||
|
|
CHANGES no
|
||
|
|
DATA_KEY_COMPRESSION yes
|
||
|
|
DATA_RECORD_COMPRESSION yes
|
||
|
|
DATA_AREA 0
|
||
|
|
DATA_FILL 100
|
||
|
|
DUPLICATES no
|
||
|
|
INDEX_AREA 1
|
||
|
|
INDEX_COMPRESSION yes
|
||
|
|
INDEX_FILL 100
|
||
|
|
LEVEL1_INDEX_AREA 1
|
||
|
|
NAME "Username"
|
||
|
|
NULL_KEY no
|
||
|
|
PROLOG 3
|
||
|
|
SEG0_LENGTH 32
|
||
|
|
SEG0_POSITION 4
|
||
|
|
TYPE string
|
||
|
|
|
||
|
|
KEY 1
|
||
|
|
CHANGES yes
|
||
|
|
DATA_KEY_COMPRESSION no
|
||
|
|
DATA_AREA 2
|
||
|
|
DATA_FILL 100
|
||
|
|
DUPLICATES yes
|
||
|
|
INDEX_AREA 2
|
||
|
|
INDEX_COMPRESSION no
|
||
|
|
INDEX_FILL 100
|
||
|
|
LEVEL1_INDEX_AREA 2
|
||
|
|
NAME "UIC"
|
||
|
|
NULL_KEY no
|
||
|
|
SEG0_LENGTH 4
|
||
|
|
SEG0_POSITION 36
|
||
|
|
TYPE bin4
|
||
|
|
|
||
|
|
KEY 2
|
||
|
|
CHANGES yes
|
||
|
|
DATA_KEY_COMPRESSION no
|
||
|
|
DATA_AREA 2
|
||
|
|
DATA_FILL 100
|
||
|
|
DUPLICATES yes
|
||
|
|
INDEX_AREA 2
|
||
|
|
INDEX_COMPRESSION no
|
||
|
|
INDEX_FILL 100
|
||
|
|
LEVEL1_INDEX_AREA 2
|
||
|
|
NAME "Extended User Identifier"
|
||
|
|
NULL_KEY no
|
||
|
|
SEG0_LENGTH 8
|
||
|
|
SEG0_POSITION 36
|
||
|
|
TYPE bin8
|
||
|
|
|
||
|
|
KEY 3
|
||
|
|
CHANGES yes
|
||
|
|
DATA_KEY_COMPRESSION no
|
||
|
|
DATA_AREA 2
|
||
|
|
DATA_FILL 100
|
||
|
|
DUPLICATES yes
|
||
|
|
INDEX_AREA 2
|
||
|
|
INDEX_COMPRESSION no
|
||
|
|
INDEX_FILL 100
|
||
|
|
LEVEL1_INDEX_AREA 2
|
||
|
|
NAME "Owner Identifier"
|
||
|
|
NULL_KEY yes
|
||
|
|
NULL_VALUE 0
|
||
|
|
SEG0_LENGTH 8
|
||
|
|
SEG0_POSITION 44
|
||
|
|
TYPE bin8
|
||
|
|
|
||
|
|
ANALYSIS_OF_AREA 0
|
||
|
|
RECLAIMED_SPACE 0
|
||
|
|
|
||
|
|
ANALYSIS_OF_AREA 1
|
||
|
|
RECLAIMED_SPACE 0
|
||
|
|
|
||
|
|
ANALYSIS_OF_AREA 2
|
||
|
|
RECLAIMED_SPACE 0
|
||
|
|
|
||
|
|
ANALYSIS_OF_KEY 0
|
||
|
|
DATA_FILL 71
|
||
|
|
DATA_KEY_COMPRESSION 75
|
||
|
|
DATA_RECORD_COMPRESSION 67
|
||
|
|
DATA_RECORD_COUNT 5
|
||
|
|
DATA_SPACE_OCCUPIED 3
|
||
|
|
DEPTH 1
|
||
|
|
INDEX_COMPRESSION 85
|
||
|
|
INDEX_FILL 1
|
||
|
|
INDEX_SPACE_OCCUPIED 3
|
||
|
|
LEVEL1_RECORD_COUNT 1
|
||
|
|
MEAN_DATA_LENGTH 644
|
||
|
|
MEAN_INDEX_LENGTH 34
|
||
|
|
|
||
|
|
ANALYSIS_OF_KEY 1
|
||
|
|
DATA_FILL 7
|
||
|
|
DATA_KEY_COMPRESSION 0
|
||
|
|
DATA_RECORD_COUNT 4
|
||
|
|
DATA_SPACE_OCCUPIED 2
|
||
|
|
DEPTH 1
|
||
|
|
DUPLICATES_PER_SIDR 0
|
||
|
|
INDEX_COMPRESSION 0
|
||
|
|
INDEX_FILL 2
|
||
|
|
INDEX_SPACE_OCCUPIED 2
|
||
|
|
LEVEL1_RECORD_COUNT 1
|
||
|
|
MEAN_DATA_LENGTH 15
|
||
|
|
MEAN_INDEX_LENGTH 6
|
||
|
|
|
||
|
|
ANALYSIS_OF_KEY 2
|
||
|
|
DATA_FILL 8
|
||
|
|
DATA_KEY_COMPRESSION 0
|
||
|
|
DATA_RECORD_COUNT 4
|
||
|
|
DATA_SPACE_OCCUPIED 2
|
||
|
|
DEPTH 1
|
||
|
|
DUPLICATES_PER_SIDR 0
|
||
|
|
INDEX_COMPRESSION 0
|
||
|
|
INDEX_FILL 2
|
||
|
|
INDEX_SPACE_OCCUPIED 2
|
||
|
|
LEVEL1_RECORD_COUNT 1
|
||
|
|
MEAN_DATA_LENGTH 19
|
||
|
|
MEAN_INDEX_LENGTH 10
|
||
|
|
|
||
|
|
ANALYSIS_OF_KEY 3
|
||
|
|
! This index is uninitialized - there are no records.
|
||
|
|
|
||
|
|
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
|
||
|
|
|
||
|
|
Examination
|
||
|
|
~~~~~~~~~
|
||
|
|
|
||
|
|
Generally, an interactive user would use the AUTHORIZE utility to
|
||
|
|
modify or examine the UAF, while a program would use the $GETUAI system
|
||
|
|
services (get user authorization information service) to examine the file.
|
||
|
|
The $GETUAI system services reference provide an excellent description of what
|
||
|
|
fields the UAF contains, and how many bytes are used within the file to store
|
||
|
|
each of those fields. However, it may not be within your realm of skills to
|
||
|
|
program using system services. It would probably be considerably easier to
|
||
|
|
use a sector editor/browser to locate values within the UAF. You could use a
|
||
|
|
sector editor/browser online (such as VFE.EXE), or you you might choose to
|
||
|
|
download the UAF and use an editor/browse for your personal computer.
|
||
|
|
Regardless of which method you choose, you will have to know the offset of
|
||
|
|
each field within the user authorization file. This is what I have provided
|
||
|
|
for you.
|
||
|
|
|
||
|
|
The contents of the UAF under VMS release 5.3-1 are as follows:
|
||
|
|
|
||
|
|
Offset Description Length
|
||
|
|
-----------------------------------------------------------------------------
|
||
|
|
0 Record Header 4
|
||
|
|
4 Username (loginid) 32
|
||
|
|
36 Member UIC - Mem UIC decimal 1 = 0100 2
|
||
|
|
Mem UIC decimal 10 = 0A00
|
||
|
|
Mem UIC decimal 256 = FF01
|
||
|
|
|
||
|
|
38 Group UIC - Same as format as member UIC 2
|
||
|
|
|
||
|
|
Note: UICs as displayed in the VMS environment
|
||
|
|
are OCTAL. A UIC of [010,001] would be saved as
|
||
|
|
'01000800' in bytes 36-39 (offset).
|
||
|
|
|
||
|
|
40 Nulls 12
|
||
|
|
52 Account name 32
|
||
|
|
84 1 byte - value = length of owner 1
|
||
|
|
85 Owner 31
|
||
|
|
116 1 byte - value = length of device 1
|
||
|
|
117 Device (default disk device) 31
|
||
|
|
148 1 byte - length of default (SYS$LOGIN) directory 1
|
||
|
|
149 Default (SYS$LOGIN) directory name 63
|
||
|
|
212 1 byte - length of default login command file 1
|
||
|
|
213 Default login command file 63
|
||
|
|
276 1 byte - length of default CLI 1
|
||
|
|
277 Default command language interpeter 31
|
||
|
|
|
||
|
|
Note: CLI is assumed to be in SYS$SYSTEM directory
|
||
|
|
and have an .EXE extension.
|
||
|
|
|
||
|
|
308 1 byte - length of user defined CLI tables 1
|
||
|
|
309 User defined CLI table name 31
|
||
|
|
340 Encrypted primary password 8
|
||
|
|
348 Encrypted secondary password 8
|
||
|
|
356 Number of login fails 2
|
||
|
|
358 Password encryption salt 2
|
||
|
|
360 Encryption algorithm code byte - primary password 1
|
||
|
|
361 Encryption algorithm code byte - secondary password 1
|
||
|
|
362 Password minimum length 1
|
||
|
|
363 Filler (1 byte) 1
|
||
|
|
364 Account expiration date 8
|
||
|
|
372 Password lifetime 8
|
||
|
|
380 Password change date/time - primary password 8
|
||
|
|
388 Password change date/time - secondary password 8
|
||
|
|
396 Last interactive login date/time 8
|
||
|
|
404 Last non-interactive login date/time 8
|
||
|
|
412 Authorize priviledges 8
|
||
|
|
420 Default priviledges 8
|
||
|
|
428 Filler (40 bytes) 40
|
||
|
|
|
||
|
|
468 Login Flags bits as follows: 4
|
||
|
|
|
||
|
|
7 6 5 4 3 2 1 0
|
||
|
|
-------------------------
|
||
|
|
| | | | | | | | |
|
||
|
|
-------------------------
|
||
|
|
|
||
|
|
Byte Offset 468:
|
||
|
|
|
||
|
|
Bit 0 - User can not use CTRL-Y
|
||
|
|
Bit 1 - User is restricted to default
|
||
|
|
command interpeter
|
||
|
|
Bit 2 - SET PASSWORD command is disabled
|
||
|
|
Bit 3 - Prevent user from changing any
|
||
|
|
defaults at login
|
||
|
|
Bit 4 - User account is disabled
|
||
|
|
Bit 5 - User will not receive the login
|
||
|
|
welcome message
|
||
|
|
Bit 6 - Announcement of new mail is suppressed
|
||
|
|
Bit 7 - Mail delivery to user is disabled
|
||
|
|
|
||
|
|
Byte Offset 469:
|
||
|
|
|
||
|
|
Bit 0 - User is required to use generated
|
||
|
|
passwords
|
||
|
|
Bit 1 - Primary password is expired
|
||
|
|
Bit 2 - Secondary password is expired
|
||
|
|
Bit 3 - All actions are audited
|
||
|
|
Bit 4 - User will not receive last login
|
||
|
|
messages
|
||
|
|
Bit 5 - User can not reconnect to existing
|
||
|
|
processes
|
||
|
|
Bit 6 - User can only login to terminals
|
||
|
|
defined by the automatic login
|
||
|
|
facility (ALF)
|
||
|
|
Bit 7 - User is required to change expired
|
||
|
|
passwords
|
||
|
|
|
||
|
|
Byte Offset 470:
|
||
|
|
|
||
|
|
Bit 0 - User is restricted to captive account
|
||
|
|
Bit 1 - Prevent user from executing RUN, MCR
|
||
|
|
commands, or foreign commands at the
|
||
|
|
DCL level
|
||
|
|
Bits 2-7 - Reserved for future use
|
||
|
|
|
||
|
|
Byte Offset 471:
|
||
|
|
|
||
|
|
Bits 0-7 - Reserved for future use
|
||
|
|
|
||
|
|
|
||
|
|
Note On Access Bytes:
|
||
|
|
|
||
|
|
Each bit set represents a 1-hour period, from bit 0 as
|
||
|
|
midnight to 1 a.m. to bit 23 as 11 p.m. to midnight.
|
||
|
|
|
||
|
|
472 Network access bytes - primary days 3
|
||
|
|
475 Network access bytes - seconday days 3
|
||
|
|
478 Batch access bytes - primary days 3
|
||
|
|
481 Batch access bytes - seconday days 3
|
||
|
|
484 Local access bytes - primary days 3
|
||
|
|
487 Local access bytes - seconday days 3
|
||
|
|
490 Dialup access bytes - primary days 3
|
||
|
|
493 Dialup access bytes - secondary days 3
|
||
|
|
496 Remote access bytes - primary days 3
|
||
|
|
499 Remote access bytes - seconday days 3
|
||
|
|
|
||
|
|
502 Filler (12 bytes) 12
|
||
|
|
514 Prime days 1
|
||
|
|
|
||
|
|
Bits 0-7 toggled on represents primedays, respective
|
||
|
|
to Mon, Tue, ..., Sun.
|
||
|
|
|
||
|
|
515 Filler (1 byte) 1
|
||
|
|
516 Default base priority 1
|
||
|
|
517 Maximum job queue priority 1
|
||
|
|
518 Active process limit 2
|
||
|
|
520 Max. number of interactive, detached, and batch jobs 2
|
||
|
|
524 Detached process limit 2
|
||
|
|
526 Subprocess creation limit 2
|
||
|
|
528 Buffered I/O count 2
|
||
|
|
530 Timer queue entry limit 2
|
||
|
|
532 AST queue limit 2
|
||
|
|
534 Lock queue limit 2
|
||
|
|
536 Open file limit 4
|
||
|
|
538 Shared file limit 2
|
||
|
|
540 Working set quota 4
|
||
|
|
548 Working set extent 4
|
||
|
|
552 Paging file quota 4
|
||
|
|
556 Maximum CPU time limit (in 10-milliseconds) 4
|
||
|
|
560 Buffered I/O byte limit 4
|
||
|
|
564 Paged buffer I/O byte count limit 4
|
||
|
|
568 Initial byte quota (jobwide logical name table uses) 4
|
||
|
|
572 Filler (72 bytes) 72
|
||
|
|
|
||
|
|
Dates and times are stored as 8 bytes representing the number of
|
||
|
|
seconds elapsed since November 17, 1858, 12:00:00 a.m.
|
||
|
|
|
||
|
|
Earlier versions of the VMS UAF will contain much of the same data,
|
||
|
|
which should be at the same offset as listed above.
|
||
|
|
|
||
|
|
|
||
|
|
Should you decide to attempt to modify the SYSUAF.DAT file, keep in
|
||
|
|
mind that if you download the file, when you upload it, it will not be the
|
||
|
|
same as it was before; it will not be an indexed file. You *might* be able
|
||
|
|
to create an .FDL file (using ANALYZE/RMS/FDL SYSUAF.DAT), and use that .FDL
|
||
|
|
file to convert it back to an indexed file
|
||
|
|
(with CONVERT/FDL=SYSUAF.FDL UPLOAD_UAF.DAT NEW_UAF.DAT), but chances that it
|
||
|
|
will contain the proper indexing and file attributes are slim. Remember when
|
||
|
|
altering the SYSUAF.DAT file to keep a copy around (on the system) in case
|
||
|
|
you need to repair the damage.
|
||
|
|
|
||
|
|
|
||
|
|
-PHz
|
||
|
|
|
||
|
|
Feel free to make any comments or corrections to the following address:
|
||
|
|
|
||
|
|
[phz@judy.indstate.edu]
|
||
|
|
_______________________________________________________________________________
|