822 lines
33 KiB
Plaintext
822 lines
33 KiB
Plaintext
==Phrack Magazine==
|
|
|
|
Volume Five, Issue Forty-Five, File 15 of 28
|
|
|
|
****************************************************************************
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
Some Helpful VAX/VMS utilities
|
|
|
|
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|
|
|
|
Introduction :
|
|
^^^^^^^^^^^^
|
|
This article contains a brief introduction to some not so often used
|
|
utilities, found on the Virtual Address eXtentions/ Virtual Memory System or
|
|
better known to us as the VAX/VMS.
|
|
|
|
Please note that this file is meant for the so called VMS "newbies". It gives
|
|
an insight to the processes that are running in the different "Hibernation"
|
|
states on VMS, quite similar to the background processes running on UNIX and
|
|
its clones. If you have "extensive" experience on VMS as a systems programmer
|
|
or a SysOp, you might want to skip it !!
|
|
|
|
Portions of this file are taken from the ever blabbering VMS HELP, which is
|
|
where many of us, myself included, learn about the VAX/VMS. VMS has lots of
|
|
secrets. Locations of "hidden" files are a very well kept secret, known
|
|
not even to the SysOp but only to the system programmer.
|
|
|
|
Ok.... Lets get started...
|
|
|
|
|
|
SHOW SYSTEM :
|
|
^^^^^^^^^^^
|
|
This command ($Show system) will display information about the
|
|
status of the processes running on the system.
|
|
There are various options to this command, some of which are listed below.
|
|
|
|
|
|
/BATCH /CLUSTER /FULL /NETWORK /NODE /OUTPUT
|
|
/PROCESS /SUBPROCESS
|
|
|
|
|
|
|
|
|
|
1. $ SHOW SYSTEM
|
|
|
|
VAX/VMS 5.4 on node DARTH 19-APR-1990 17:45:47.78 Uptime 2 21:53:59
|
|
Pid Process Name State Pri I/O CPU Page flts Ph.Mem
|
|
27400201 SWAPPER HIB 16 0 0 00:29:52.05 0 0
|
|
27401E03 DOCBUILD LEF 4 37530 0 00:05:47.62 96421 601
|
|
27402604 BATCH_789 LEF 4 3106 0 00:00:48.67 4909 2636 B
|
|
27401C05 BATCH_60 LEF 6 248 0 00:00:06.83 1439 1556 B
|
|
27400207 ERRFMT HIB 8 6332 0 00:00:41.83 89 229
|
|
27400208 CACHE_SERVER HIB 16 2235 0 00:00:05.85 67 202
|
|
27400209 CLUSTER_SERVER HIB 8 4625 0 00:22:13.28 157 448
|
|
2740020C JOB_CONTROL HIB 10 270920 0 01:07:47.88 5163 1384
|
|
2740020D CONFIGURE HIB 9 125 0 00:00:00.53 104 264
|
|
.
|
|
.
|
|
.
|
|
27400E8D Sir Lancelot LEF 5 226 0 00:00:07.87 4560 697
|
|
2740049A Guenevere LEF 4 160 0 00:00:02.69 534 477
|
|
27401EA0 BATCH_523 CUR 4 4 17470 0 03:25:49.67 8128 5616 B
|
|
274026AF GAWAIN CUR 6 4 14045 0 00:02:03.24 20032 397
|
|
274016D5 GAHERIS LEF 6 427 0 00:00:09.28 5275 1384
|
|
27401ED6 knight_1 HIB 5 935 0 00:00:10.17 3029 2204 S
|
|
274012D7 BATCH_689 LEF 4 49216 0 00:14:18.36 7021 3470 B
|
|
274032D9 DECW$MAIL LEF 4 2626 0 00:00:51.19 4328 3087 B
|
|
274018E3 SERVER_0021 LEF 6 519 0 00:00:07.07 1500 389 N
|
|
274016E8 NMAIL_0008 HIB 4 10955 0 00:00:55.73 5652 151
|
|
274034EA MORDRED LEF 4 2132 0 00:00:23.85 5318 452
|
|
274022EB S. Whiplash CUR 6 4 492 0 00:00:12.15 5181 459
|
|
274018EF DwMail LEF 5 121386 0 00:28:00.97 7233 4094
|
|
27401AF0 EMACS$RTA43 LEF 4 14727 0 00:03:56.54 8411 4224 S
|
|
27400CF4 TRISTRAM HIB 5 25104 0 00:06:07.76 37407 1923
|
|
274020F5 Morgan LEF 7 14726 0 00:02:10.74 34262 1669
|
|
27400CF6 mr. mike LEF 9 40637 0 00:05:15.63 18454 463
|
|
|
|
The information in this example includes the following:
|
|
|
|
o Process identification (PID) code-A 32-bit binary value that
|
|
uniquely identifies a process.
|
|
|
|
o Process name-A 1- to 15-character string used to identify a
|
|
process.
|
|
|
|
o Process state-The activity level of the process, such as COM
|
|
(computing), HIB (hibernation), LEF (local event flag) wait,
|
|
or CUR (if the process is current). If a multiprocessing
|
|
environment exists, the display shows the CPU ID of the
|
|
processor on which any current process is executing.
|
|
|
|
Note that the SHOW SYSTEM command examines the processes on
|
|
the system without stopping activity on the system. In this
|
|
example process information changed during the time that the
|
|
SHOW SYSTEM command collected the data to be displayed. As
|
|
a result, this display includes two processes, named GAWAIN
|
|
and S. Whiplash, with the state CUR on the same CPU, CPU ID
|
|
6 in the example.
|
|
|
|
o Current priority-The priority level assigned to the process
|
|
(the higher the number, the higher the priority).
|
|
|
|
o Total process I/O count-The number of I/O operations
|
|
involved in executing the process. This consists of both
|
|
the direct I/O count and the buffered I/O count.
|
|
|
|
o Charged CPU time-The amount of CPU time that a process has
|
|
used thus far.
|
|
|
|
o Number of page faults-The number of exceptions generated by
|
|
references to pages that are not in the process's working
|
|
set.
|
|
|
|
o Physical memory occupied-The amount of space in physical
|
|
memory that the process is currently occupying.
|
|
|
|
o Process indicator-Letter B indicates a batch job; letter
|
|
S indicates a subprocess; letter N indicates a network
|
|
process.
|
|
|
|
o User identification code (UIC)-An 8-digit octal number
|
|
assigned to a process. This number is displayed only if the
|
|
/FULL qualifier is specified.
|
|
|
|
|
|
|
|
2. $ SHOW SYSTEM /CLUSTER
|
|
|
|
|
|
VAX/VMS V5.4 on node APPLE 19-APR-1990 09:09:58.61 Uptime 0 2:27:11
|
|
Pid Process Name State Pri I/O CPU Page flts Ph. Mem
|
|
31E00041 SWAPPER HIB 16 0 0 00:00:02.42 0 0
|
|
31E00047 CACHE_SERVER HIB 16 58 0 00:00:00.26 80 36
|
|
31E00048 CLUSTER_SERVER CUR 9 156 0 00:00:58.15 1168 90
|
|
31E00049 OPCOM HIB 7 8007 0 00:00:33.46 5506 305
|
|
31E0004A AUDIT_SERVER HIB 9 651 0 00:00:21.17 2267 22
|
|
31E0004B JOB_CONTROL HIB 10 1030 0 00:00:11.02 795 202
|
|
|
|
.
|
|
.
|
|
|
|
The SHOW SYSTEM command in this example shows all processes on
|
|
all nodes of the cluster.
|
|
|
|
|
|
3. $ SHOW SYSTEM /NODE=NEON
|
|
VAX/VMS V5.4 on node NEON 19-APR-1990 09:19:15.33 Uptime 0 02:29:07
|
|
Pid Process Name State Pri I/O CPU Page flts Ph. Mem
|
|
36200041 SWAPPER HIB 16 0 0 00:00:12.03 0 0
|
|
36200046 ERRFMT HIB 8 263 0 00:00:05.89 152 87
|
|
36200047 CACHE_SERVER CUR 16 9 0 00:00:00.26 80 51
|
|
36200048 CLUSTER_SERVER CUR 8 94 0 00:00:30.07 340 68
|
|
36200049 OPCOM HIB 6 2188 0 00:02:01.04 1999 177
|
|
3620004A AUDIT_SERVER HIB 10 346 0 00:00:10.42 1707 72
|
|
.
|
|
.
|
|
.
|
|
|
|
|
|
The SHOW SYSTEM command in this example shows all processes on
|
|
the node NEON.
|
|
|
|
|
|
----- X -----
|
|
|
|
So now that we beat the SHOW SYSTEM command to death, lets take on another
|
|
command. Hmmm..let's see..Ahhhaaaa the MONITOR SYSTEM !!!!!
|
|
|
|
This is a pretty neat command and one of my favorite "play" commands. Don't
|
|
get me wrong, there's a lot to be learned from "play" commands like these.
|
|
It really gives us some useful information. The reason why I like this
|
|
utility is because it gives a GRAPHICAL representation of the
|
|
data given by the SHOW SYSTEM. I would have included a short example
|
|
of the graphics, but not everyone receiving this article would be running
|
|
VMS on a terminal with ANSI emulation. So, if you want to see the ANSI
|
|
graphics, follow my instructions...
|
|
|
|
|
|
MONITOR
|
|
|
|
Invokes the VMS Monitor Utility (MONITOR) to monitor classes of
|
|
system-wide performance data at a specified interval. It produces
|
|
three types of optional output:
|
|
|
|
o Recording file
|
|
o Statistical terminal display
|
|
o Statistical summary file
|
|
|
|
You can collect data from a running system or from a previously created
|
|
recording file.
|
|
|
|
You can execute a single MONITOR request, or enter MONITOR interactive
|
|
mode to execute a series of requests. Interactive mode is entered when
|
|
the MONITOR command is issued with no parameters or qualifiers.
|
|
|
|
A MONITOR request can be terminated by pressing CTRL/C or CTRL/Z. CTRL/C
|
|
causes MONITOR to enter interactive mode; CTRL/Z returns to DCL.
|
|
|
|
|
|
The MONITOR Utility is described in detail in the VMS Monitor Utility
|
|
Manual.
|
|
|
|
Format:
|
|
MONITOR class-name[,...]
|
|
|
|
There are quite a few different options available for the MONITOR utility.
|
|
We are not going to get into too much detail about each option, but I will
|
|
take the time to discuss a few. The different options for MONITOR are....
|
|
|
|
ALL_CLASSES CLUSTER DECNET DISK DLOCK FCP
|
|
FILE_SYSTEM_CACHE IO LOCK MODES MSCP_SERVER
|
|
PAGE POOL PROCESSES RMS SCS STATES SYSTEM
|
|
TRANSACTION VECTOR
|
|
/BEGINNING /BY_NODE /COMMENT /DISPLAY /ENDING /FLUSH_INTERVAL
|
|
/INPUT /INTERVAL /NODE /RECORD /SUMMARY /VIEWING_TIME
|
|
/ALL /AVERAGE /CPU /CURRENT /FILE /ITEM /MAXIMUM
|
|
|
|
|
|
MONITOR Parameter class-name[,...]
|
|
|
|
Specifies one or more classes of performance data to be monitored.
|
|
The available class-names are:
|
|
|
|
ALL_CLASSES All MONITOR classes.
|
|
CLUSTER Cluster wide information.
|
|
DECNET DECnet-VAX statistics.
|
|
DISK Disk I/O statistics.
|
|
DLOCK Distributed lock management statistics
|
|
FCP File system primitive statistics.
|
|
FILE_SYSTEM_CACHE File system caching statistics.
|
|
IO System I/O statistics.
|
|
LOCK Lock management statistics.
|
|
MODES Time spent in each of the processor modes.
|
|
MSCP_SERVER MSCP Server statistics
|
|
PAGE Page management statistics.
|
|
POOL Space allocation in the nonpaged dynamic pool.
|
|
PROCESSES Statistics on all processes.
|
|
RMS VMS Record Management Services statistics
|
|
SCS System communication services statistics.
|
|
STATES Number of processes in each scheduler state.
|
|
SYSTEM System statistics.
|
|
TRANSACTION DECdtm services statistics.
|
|
VECTOR Vector Processor scheduled usage.
|
|
|
|
|
|
MONITOR
|
|
|
|
/ALL
|
|
|
|
Specifies that a table of current, average, minimum, and maximum
|
|
statistics is to be included in display and summary output.
|
|
|
|
/ALL is the default for all class-names except MODES, STATES and
|
|
SYSTEM. It may not be used with the PROCESSES class-name.
|
|
|
|
|
|
---- X ----
|
|
|
|
Well, I hope this little file helps a few people out, by providing them
|
|
with a better understanding of the background processes running on the system
|
|
and by providing a better perception of the amount of CPU and I/O time taken
|
|
by each process.
|
|
|
|
|
|
|
|
|
|
DARTH VADER
|
|
|
|
|
|
P.S : Look for a file on ACL (Access Control Listing) in the near future.
|
|
|
|
------------------------------------------------------------------------------
|
|
|
|
----------------------------
|
|
VAX/VMS AUTHORIZATION SYSTEM
|
|
----------------------------
|
|
|
|
Introduction:
|
|
------------
|
|
|
|
Well, since Phrack issues containing VMS articles are pretty rare I will
|
|
examine in deep the authorization sub-system on VAXes.
|
|
|
|
Keep in mind that I will take under consideration that you are probably
|
|
under some new VMS version (5.5-X). If you are on some older VMS, don't
|
|
worry, commands are the same, just some flags and display was added on
|
|
later versions. The knowledge of the authorization sub-system is of great
|
|
importance for a VAX hacker since he must keep himself an access to the
|
|
system, and this is the right way to do it.
|
|
|
|
Also keep in mind that this is just a practical guide oriented to a hacker's
|
|
needs and was done to be understandable by and useable by everybody,
|
|
even those who are not so familiar with VMS. That's why I included some
|
|
references to VMS filesystem, privileges, etc.
|
|
|
|
AUTHORIZE:
|
|
---------
|
|
|
|
The authorization subsystem is the one that will let you create accounts
|
|
under the VMS operating system. The command you need to execute is the:
|
|
|
|
SYS$SYSTEM:AUTHORIZE.EXE
|
|
|
|
What do you need to execute that program ?
|
|
|
|
READ/WRITE PRIVS over SYSUAF.DAT
|
|
EXECUTE PRIVS over SYS$SYSTEM:AUTHORIZE.EXE
|
|
|
|
How can you check if you got all needed to start creating accounts ?
|
|
|
|
DIR SYS$SYSTEM:AUTHORIZE.EXE/FULL
|
|
|
|
Directory SYS$SYSROOT:[SYSEXE] <----- Directory you are listing
|
|
|
|
AUTHORIZE.EXE;1 File ID: (2491,5,0)
|
|
Size: 164/165 Owner: [SYSTEM] <---- Owner is Sys Manager
|
|
Created: 20-JUL-1990 08:30:34.18 <------- Creation Date of program
|
|
Revised: 17-AUG-1992 09:45:36.31 (4) <------ Last modification over program
|
|
Expires: <None specified> <---- No expiration, will last for ever
|
|
Backup: <No backup recorded>
|
|
File organization: Sequential
|
|
File attributes: Allocation: 165, Extend: 0, Global buffer count: 0
|
|
No version limit, Contiguous best try
|
|
Record format: Fixed length 512 byte records <--- record organization
|
|
Record attributes: None
|
|
RMS attributes: None
|
|
Journaling enabled: None
|
|
File protection: System:RWED, Owner:RWED, Group:R, World: <---- (*)
|
|
Access Cntrl List: None
|
|
Total of 1 file, 164/165 blocks.
|
|
|
|
(*) This is the field that will tell if you are authorized to execute the
|
|
program. In this case if you own a privileged account you
|
|
can run it. That doesn't mean that you will be able to view/modify
|
|
any account found on the SYSUAF.DAT. But 95 % of the time any user
|
|
can execute the AUTHORIZE program even if you don't have READ privilege
|
|
on the SYS$SYSTEM directory. That means that if you do a :
|
|
|
|
DIR SYS$SYSTEM
|
|
|
|
and you find that you don't have the privilege to view the files contained
|
|
in that directory you may still be able to execute the AUTHORIZATION
|
|
subsystem, of course, you have a real low chance of getting the SYSUAF.DAT
|
|
read or modified.
|
|
|
|
If you find that the authorize program cannot be executed a good method is
|
|
to send it UUENCODED from another VAX where you *DO* have at least read access
|
|
to SYS$SYSTEM:AUTHORIZE.EXE . If you are working on the X-25's you can send
|
|
it via PSI mailing. If you are on the Internet, just send it using the
|
|
normal mail routing method to the user on the VAX you want the AUTHORIZE.EXE
|
|
to get executed by. Once you get it just UUDECODE it and place it in your
|
|
SYS$LOGIN directory and execute it!.
|
|
|
|
The authorize will work as a module, and won't try to overlay any other module
|
|
to make it work correctly. If you can run the authorize you should receive :
|
|
|
|
"UAF>" prompt.
|
|
|
|
THE SYSUAF.DAT:
|
|
--------------
|
|
|
|
The SYSUAF.DAT is the most important file of the authorization subsystem.
|
|
All the accounts are stored here with their :
|
|
|
|
- PASSWORDS (encrypted)
|
|
- ENVIRONMENT
|
|
- DIR
|
|
- privileges
|
|
- RIGHTS OVER THE FILES
|
|
... and more
|
|
|
|
The SYSUAF.DAT is somehow like the /etc/passwd file on Unix OS.
|
|
Under UNIX you can take the password file and with an editor add yourself
|
|
an account or modify an existing one without problem. Well this is not
|
|
possible under VMS. You need a program that knows SYSUAF.DAT record structure
|
|
(like AUTHORIZE) to take action over accounting system.
|
|
|
|
The main difference is that the SYSUAF.DAT is not a PLAIN TEXT FILE, its
|
|
a binary file structured to be read only by the AUTHORIZE program.
|
|
Another main difference is that is not world readable, can usually be only
|
|
read from high privileged accounts or from accounts which can override
|
|
system protection flags (will talk about this later).
|
|
|
|
The SYSUAF.DAT can be found in the same directory as the AUTHORIZE.EXE
|
|
program, the SYS$SYSTEM. You will usually find a few versions of this file
|
|
but normally with the same protections as the working one.
|
|
What can be interesting is that you can usually find files produced by the
|
|
output of the LIST command (under AUTHORIZE) which can be WORLD readable where
|
|
you will have all the accounts listed with the OWNER/DIR/PRIVS..etc. That will
|
|
help you a lot to try to hack some accounts if you still can't run authorize.
|
|
Those files are called normally: SYSUAF.LIS, and you might find more than
|
|
just one of them. Of course try to get the latest one since the older
|
|
ones will contain some expired/deleted accounts.
|
|
|
|
To check what privilege you have over the SYSUAF.DAT issue :
|
|
|
|
DIR SYS$SYSTEM:SYSUAF.DAT/FULL
|
|
|
|
Directory SYS$COMMON:[SYSEXE]
|
|
SYSUAF.DAT;1 File ID: (228,1,0)
|
|
Size: 183/183 Owner: [SYSTEM]
|
|
Created: 20-JUL-1990 08:30:21.50
|
|
Revised: 14-JAN-1994 03:33:27.75 (34812) <--- Last Creation/Modification
|
|
Expires: <None specified>
|
|
Backup: <No backup recorded>
|
|
File organization: Indexed, Prolog: 3, Using 4 keys
|
|
In 3 areas
|
|
File attributes: Allocation: 183, Extend: 3, Maximum bucket size: 3
|
|
Global buffer count: 0, No version limit
|
|
Contiguous best try
|
|
Record format: Variable length, maximum 1412 bytes
|
|
Record attributes: None
|
|
RMS attributes: None
|
|
Journaling enabled: None
|
|
File protection: System:RWED, Owner:RWED, Group:R, World: (*)
|
|
Access Cntrl List: None
|
|
|
|
Total of 1 file, 183/183 blocks.
|
|
|
|
In this case, if you are under a standard user account you won't be
|
|
able to READ or/and WRITE the SYSUAF.DAT. So when you will execute the
|
|
AUTHORIZE program, it will quit and kick you back to shell.
|
|
IF you have World : R, you will be able to LIST/SHOW accounts.
|
|
IF you have World : RW, you will be able to CREATE/MODIFY accounts.
|
|
|
|
But if you happen to have SYSPRIV you will be able CREATE/MODIFY the
|
|
SYSUAF.DAT at your pleasure! Since you can override the system protection
|
|
that has been imposed over that file. Of course, if you have SETPRV
|
|
privilege you have ALL privilege, and you can do whatever you want
|
|
with the VAX.
|
|
|
|
Privileges needed to CREATE/MODIFY accounts :
|
|
|
|
Process privileges:
|
|
*SETPRV may set any privilege bit
|
|
Explanation: With this only you can assign yourself all the privileges you
|
|
need with a SET PROC/PRIVS=ALL.
|
|
|
|
*SYSPRV may access objects via system protection
|
|
Explanation: If you have this one you will be able to read the SYSUAF.DAT.
|
|
|
|
*BYPASS may bypass all object access controls
|
|
Explanation: If you have this one you can read the SYSUAF.DAT since
|
|
all the objects (ie:files) will be made accessible to you. I suggest that
|
|
if you happen to have some problems, change the files access flags to
|
|
let it be WORLD (you) readable/writable. So use :
|
|
|
|
SET FILE/PROT=(w:rwed) SYS$SYSTEM:SYSUAF.DAT
|
|
|
|
*READALL may read anything as the owner
|
|
Explanation: Well this is obvious, SYSUAF.DAT will be read without problems
|
|
but of course you won't be able to CREATE/MODIFY accounts to your pleasure.
|
|
At least you can LIST/SHOW all the accounts as deep as you want.
|
|
|
|
Entering AUTHORIZE:
|
|
------------------
|
|
Once you've executed AUTHORIZE you will receive its main prompt:
|
|
|
|
RUN SYS$SYSTEM:AUTHORIZE
|
|
|
|
UAF>
|
|
|
|
UAF stands for User Authorization File.
|
|
|
|
First of all you will first need to get a list of all the accounts on the
|
|
system with some of their settings also. To do this issue the command:
|
|
|
|
UAF>SHOW USERS/BRIEF
|
|
|
|
Owner Username UIC Account Privs Pri Directory
|
|
|
|
ALLIN1V24CREATED A1$XFER_IN [660,1] Normal 4 Disuser
|
|
ALLIN1V24CREATED A1$XFER_OUT [660,2] Normal 4 Disuser
|
|
JOHN_FAVORITE JFAVORITE [300,2] LEDGER Devour 4 DEV$DUA2
|
|
:[ABDURAHMAN]
|
|
|
|
IBRAHIM ALBHIR ALBHIR [60,111] GOTVOT Normal 4 DUA2:[ALB
|
|
HIR]
|
|
|
|
ALGHAMDI ALGHAMDI [300,1] LEDGER Normal 4 DUA2:[ALG
|
|
HAMDI]
|
|
|
|
ALHAJAJ ALHAJAJ [325,3] BUDGET Devour 4 GOTDEV$DU
|
|
A2
|
|
|
|
Explanation:
|
|
|
|
1) Owner: Owner of the account
|
|
|
|
2) Username: This is the guy's login name
|
|
|
|
3) UIC: User Identification Code. This serves to the OS to recognize you and
|
|
rights you have over files, directory, etc.
|
|
|
|
4) Account: This is to let the operator know what the group is
|
|
that owns/manages the account.
|
|
|
|
5) Pri: don't worry about it.
|
|
|
|
6) Directory: This is the account HOME directory. Where the owner of the
|
|
account will work on.
|
|
|
|
After you have captured the output of the SHOW command you can start
|
|
trying to create yourself some accounts by modifying some already existing
|
|
ones (which I suggest strongly).
|
|
|
|
To create an account issue the following command :
|
|
|
|
CREATE JOHN/DIR=JOHNS_DIR/DEVICE=SYS$USER/PASSWORD=JOHNS_PASSWORD
|
|
/ACCESS=(DIALUP,NETWORK)/PRIVS=(NETMBX,TMPMBX)/DEFPRIVS=(NETMBX,TMPMBX)
|
|
/ACCOUNT=USERS/OWNER=JOHN
|
|
|
|
Effects of this command:
|
|
|
|
Will create a user called JOHN which will log under the JOHNS_DIR directory,
|
|
who will have just normal user privileges (TMPMBX/NETMBX) who, when listed,
|
|
will appear to be as part of the group name USERS and the account's owner
|
|
will be JOHN.
|
|
|
|
After you issue this command a NEW UIC will be added to the RIGHTSLIST.DAT
|
|
file being assigned to your user.
|
|
|
|
Explanation:
|
|
|
|
DIR: can be any directory name you saw on the system. Of course if you are
|
|
not using all the privileges, check that its READ/WRITE-able
|
|
so you won't have problems at login.
|
|
|
|
DEVICE: is where the DIR can be found. That means that you have to tell in
|
|
which physical/logical device that directory will be found. Since VAXes will
|
|
have at least 1 or 2 magnetic supports you must say on which one the directory
|
|
can be found. Normally they already have some logical names assigned like
|
|
SYS$USER,SYS$SYSTEM,SYS$SPECIFIC,SYS$MANAGER, etc.
|
|
|
|
PASSWORD: is the password you want for the account which will never be shown
|
|
to anyone, so use whatever one you like.
|
|
|
|
ACCESS: tells the system from where you will authorize logins for this
|
|
account. For example I'm sure you've seen this message:
|
|
|
|
Username: BACKUP
|
|
Password:
|
|
Cannot login from this source.
|
|
|
|
Well this is the result of an account being setup with the DIALUP flags in
|
|
the access field as NODIALUP.
|
|
|
|
So if u want to give the account all kind of access just use :
|
|
ACCESS=ALL
|
|
|
|
and this will authorize all login sources for the account.
|
|
|
|
PRIVS: will setup the privileges on the named account. If you just want it
|
|
to be a normal user account use TMPMBX,NETMBX. If you want it to be
|
|
a super-user account you can use ALL. But this is not the right way
|
|
if you don't want your account to get discovered fast.
|
|
|
|
Valid Process privileges:
|
|
|
|
CMKRNL may change mode to kernel
|
|
CMEXEC may change mode to exec
|
|
SYSNAM may insert in system logical name table
|
|
GRPNAM may insert in group logical name table
|
|
ALLSPOOL may allocate spooled device
|
|
DETACH may create detached processes
|
|
DIAGNOSE may diagnose devices
|
|
LOG_IO may do logical i/o
|
|
GROUP may affect other processes in same group
|
|
ACNT may suppress accounting messages
|
|
PRMCEB may create permanent common event clusters
|
|
PRMMBX may create permanent mailbox
|
|
PSWAPM may change process swap mode
|
|
ALTPRI may set any priority value
|
|
SETPRV may set any privilege bit
|
|
TMPMBX may create temporary mailbox
|
|
WORLD may affect other processes in the world
|
|
MOUNT may execute mount acp function
|
|
OPER may perform operator functions
|
|
EXQUOTA may exceed disk quota
|
|
NETMBX may create network device
|
|
VOLPRO may override volume protection
|
|
PHY_IO may do physical i/o
|
|
BUGCHK may make bug check log entries
|
|
PRMGBL may create permanent global sections
|
|
SYSGBL may create system wide global sections
|
|
PFNMAP may map to specific physical pages
|
|
SHMEM may create/delete objects in shared memory
|
|
SYSPRV may access objects via system protection
|
|
BYPASS may bypass all object access controls
|
|
SYSLCK may lock system wide resources
|
|
SHARE may assign channels to non-shared devices
|
|
GRPPRV may access group objects via system protection
|
|
READALL may read anything as the owner
|
|
SECURITY may perform security functions
|
|
|
|
Check the last section on tips on creating accounts.
|
|
|
|
ACCOUNT: this is pretty useless and is just for displaying purposes at the
|
|
SHOW USER under authorize.
|
|
|
|
OWNER: This field is also used just at SHOW time but keep in mind to use
|
|
an owner that won't catch the eye of the system manager.
|
|
|
|
You can use the MODIFY command the ame as you used the CREATE. The only
|
|
difference is that no account will be created but ALL types of modifications
|
|
will affect the specified account.
|
|
|
|
You can use the LIST command to produce an output of the accounts to a file.
|
|
Use this command as you use the SHOW one.
|
|
|
|
Of course, the authorize sub-system is so huge you can actually set hours of
|
|
login for users, expirations, disk quotas, etc., but this is not the purpose
|
|
of this article.
|
|
|
|
Tips to create accounts:
|
|
-----------------------
|
|
First of all, what I suggest strongly is to MODIFY accounts not to CREATE
|
|
new ones. Why this? Well, new account names can jump out at the operator
|
|
and he will kick you off the system very soon.
|
|
|
|
The best way I think is to get a non-used account, change its privileges
|
|
and change the password and use it!.
|
|
|
|
First of all try to find a never-logged account or at least one account
|
|
whose last log comes from few months ago. From the UAF prompt just
|
|
do a SH USER/FULL and check out the dates that appear in the *Last Login*
|
|
record. If this happens to be a very old one then it can be marked as
|
|
valid to take control of. Of course you have to find a non used account
|
|
since you will have to change the account's password.
|
|
|
|
Check the flags field also. This flags can really bother you:
|
|
|
|
Captive (worst one!)
|
|
Ctly (ctrl-y deactivated)
|
|
Restricted (OS does more checks than normal)
|
|
DisUser (ACCOUNT IS NOT ENABLED!!!)
|
|
|
|
I suggest you take out all the flag's fields.
|
|
just issue: MODIFY JOHN/FLAGS=(NOCAPTIVE,NOCTLY,NORESTRICED,NODISUSER)
|
|
If you find an account that is DisUser I suggest not to own it since the
|
|
DisUser flags will take on when listing the accounts. If system manager
|
|
sees an account that was OFF now ON..well it's a bit suspicious don't
|
|
you think ?
|
|
|
|
Check if the FIELD account is being used. If not own this one since it
|
|
already has ALL privileges and will not look suspicious at all. Just change
|
|
its password. (FIELD is the account normally used by Digital Engineers
|
|
to check the VAX).
|
|
|
|
Remember to check also that DIALUP access is permitted or you won't be able
|
|
to login your account.
|
|
|
|
Once you've chosen the perfect account you can now change its password.
|
|
Issue: MODIFY JOHN/PASSWORD=MY_PASSWORD. (John is the account name you found)
|
|
|
|
After you finished just type CTRL-Z and to exit. If you happen to logoff
|
|
without exiting AUTHORIZE, don't worry. Changes to SYSUAF.DAT are done
|
|
instantly when the command finishes its execution.
|
|
|
|
One other advice, under SHELL if you happen to have SECURITY privilege
|
|
Issue: SET AUDIT/ALARM/DISABLE=(AUTHORIZE)
|
|
|
|
If you don't do this, each time you run AUTHORIZE, modified accounts will be
|
|
logged into OPERATOR.LOG so remember to do so.
|
|
|
|
After playing a bit with AUTHORIZE you won't have much problems understanding
|
|
it. Hope you have PHUN! ;-)
|
|
|
|
------------------------------------------------------------------------------
|
|
|
|
$ ! FACILITY: Mailback (MAILBACK.COM)
|
|
$ !
|
|
$ ! ABSTRACT: VAXVMS to VAXVMS file transfer, using the VAX/PSI_MAIL
|
|
$ ! utility of VAXPSI, over an X.25 link.
|
|
$ !
|
|
$ ! ENVIRONMENT: VAX/VMS operating system.
|
|
$ !
|
|
$! -------------------------------------------------------------------
|
|
$ saved_verify := 'f$verify(0)'
|
|
$ set noon
|
|
$ ws = "write sys$output"
|
|
$ ws ""
|
|
$ ws " MAILBACK transfer utility V1.0 (via Backup and PSI_Mail) 21-May-1990"
|
|
$ ws ""
|
|
$!
|
|
$ if f$logical("debug").nes."" then set verify
|
|
$ ask_p1:
|
|
$ if P1.eqs."" then read/prompt="MailBack> Send or Receive (S/R) : " -
|
|
sys$command P1
|
|
$ P1 = f$edit(P1, "UPCASE,COMPRESS,TRIM")
|
|
$!
|
|
$!
|
|
$ if P1.EQS."" then exit 1+0*f$verify(saved_verify)
|
|
$ if P1.EQS."R" then goto receive_file
|
|
$ if P1.nes."S" then goto ask_P1
|
|
$! -------------------------------------------------------------------
|
|
$!
|
|
$! Sending File(s)
|
|
$! ===============
|
|
$ if P2.eqs. "" then -
|
|
read/prompt="MailBack> Recipient mail address (PSI%nnn::user) : " -
|
|
sys$command P2
|
|
$ if P2.eqs."" then exit 1+0*f$verify(saved_verify)
|
|
$!
|
|
$!
|
|
$ if P3.eqs."" then read/prompt="MailBack> File(s) : " sys$command P3
|
|
$!
|
|
$ ws "MailBack> ... Backuping the file(s) ..."
|
|
$ Backup/nolog 'P3' sys$scratch:mailbck.tmp/sav/block=2048
|
|
$!
|
|
$ ws "MailBack> ... Converting format ..."
|
|
$ convert/fdl=sys$input sys$scratch:mailbck.tmp sys$scratch:mailbck.tmp
|
|
record
|
|
carriage_control carriage_return
|
|
$!
|
|
$ ws "MailBack> ... Sending a (PSI_)mail ..."
|
|
$ on warning then goto error_sending
|
|
$ mail/subject="MAILBACK Backup-File" -
|
|
/noself sys$scratch:mailbck.tmp 'P2'
|
|
$ ws "MailBack> ... SEND command SUCCESSfully completed."
|
|
$!
|
|
$ fin_send:
|
|
$ delete = "delete"
|
|
$ delete/nolog/noconfirm sys$scratch:mailbck.tmp;,;
|
|
$ exit 1+0*f$verify(saved_verify)
|
|
$!
|
|
$ Error_sending:
|
|
$ ws "MailBack> Error detected while sending the mail ; ..."
|
|
$ ws "MailBack> ... Fix the problem, then retry the whole procedure."
|
|
$ goto fin_send
|
|
$! -------------------------------------------------------------------
|
|
$!
|
|
$! Inbound File(s) Processing
|
|
$! ==========================
|
|
$receive_file:
|
|
$!
|
|
$ if P2.eqs."" then -
|
|
read/prompt="MailBack> Destination directory (<CR>= []) : " sys$command P2
|
|
$ if P2.eqs."" then p2 ="[]"
|
|
$!
|
|
$!
|
|
$!
|
|
$ if P3.eqs."" then -
|
|
read/prompt="MailBack> Mail file (<CR>= default mail file) : " -
|
|
sys$command P3
|
|
$ gosub build_file
|
|
$ ws "MailBack> ... Extracting a (PSI_)mail from the NEWMAIL folder ..."
|
|
$ define/exec sys$output nl: ! ped 18-May-90 (wipe out mail displays)
|
|
|
|
$ if P3.eqs."" then goto normal_get
|
|
$ define/nolog new_mail_file 'p3'
|
|
$ define/user sys$command sys$input
|
|
$ set message/nofacility/noseverity/notext/noident
|
|
$ mail
|
|
set file new_mail_file
|
|
select NEWMAIL
|
|
sear MAILBACK Backup-File
|
|
extract/NOHEADER out_file
|
|
$ deassign new_mail_file
|
|
$ goto clean
|
|
$ if P3.nes."" then p2 ="[]"
|
|
$!
|
|
$!
|
|
$ normal_get:
|
|
$ define/user sys$command sys$input
|
|
$ set message/nofacility/noseverity/notext/noident
|
|
$ mail
|
|
select NEWMAIL
|
|
sear MAILBACK Backup-File
|
|
extract/NOHEADER out_file
|
|
$!
|
|
$ clean:
|
|
$ deassign sys$output !
|
|
$ set message/facility/severity/text/ident
|
|
$ if f$search("out_file") .eqs. "" then goto nomessage
|
|
$ on warning then goto error_conv
|
|
$ ws "MailBack> ... Converting format ..."
|
|
$ convert/fdl=sys$input out_file out_file /pad=%x00
|
|
record
|
|
format fixed
|
|
carriage_control none
|
|
size 2048
|
|
$!
|
|
$ ws "MailBack> ... Restoring file(s) from the backup saveset ..."
|
|
$ on warning then goto error_back
|
|
$ backup/nolog out_file/save 'P2'*.*
|
|
$!
|
|
$ delete = "delete"
|
|
$ delete/nolog/noconfirm 'file';,;
|
|
$ ws "MailBack> ... RECEIVE command SUCCESSfully completed."
|
|
$!
|
|
$ finish_r:
|
|
$ deassign out_file
|
|
$ exit 1+0*f$verify(saved_verify)
|
|
$! -------------------------------------------------------------------
|
|
$ error_conv:
|
|
$ ws "MailBack> " + -
|
|
"An error occurred during the fdl convert of the extracted mail ;"
|
|
$ ws "MailBack> ... the file ''file' corresponds to " + -
|
|
$ ws "MailBack> ... the message extracted from Mail."
|
|
$ goto finish_r
|
|
$!
|
|
$ error_back:
|
|
$ ws "MailBack> An error occurred during the file restore phase with BACKUP ;"
|
|
$ ws "MailBack> ... the file ''file' corresponds to "
|
|
$ ws "MailBack> " + -
|
|
"... the message extracted from Mail, converted as a backup Saveset."
|
|
$ delete/nolog/noconfirm 'file';-1
|
|
$ goto finish_r
|
|
$!
|
|
$ nomessage:
|
|
$ ws "MailBack> No mail message has been found in the NEWMAIL folder."
|
|
$ goto finish_r
|
|
$!
|
|
$Build_file: ! Build a unique (temporary) file_name
|
|
$file = "sys$scratch:mail_" + f$cvtime(f$time(),,"month")+ -
|
|
f$cvtime(f$time(),,"day") + f$cvtime(f$time(),,"hour")+ -
|
|
f$cvtime(f$time(),,"minute")+ f$cvtime(f$time(),,"second") + ".tmp"
|
|
$define/nolog out_file 'file'
|
|
$return
|