AUTHORIZE , A request for an alias & a new function .
-
Topic author - Valued Contributor
- Posts: 66
- Joined: Thu Dec 23, 2021 8:02 pm
- Reputation: 0
- Location: Fairbanks , AK.
- Status: Offline
AUTHORIZE , A request for an alias & a new function .
Hello All , at https://wiki.vmssoftware.com/AUTHORIZE I was re-introduced to the LIST command within AUTHORIZE , The name of this function is in my opinion a misuse . It should be EXPORT . Thus I request that EXPORT be added as an alias for LIST .
Now , That leads to my New Function request , IMPORT .
Tia , JimL
-
- Active Contributor
- Posts: 34
- Joined: Fri Nov 17, 2023 11:27 am
- Reputation: 1
- Status: Offline
Re: AUTHORIZE , A request for an alias & a new function .
Joe Meadows' UAF utility is available:
https://sourceforge.net/projects/jmuaf/
It has lots of options for selecting and listing the contents of UAF records. I updated it some years ago to reflect additions to the UAF record since its original appearance in (I think) the VMS 5.x era. If there have been any more recent changes to UAF I haven't heard about them. The help file (https://sourceforge.net/p/jmuaf/code/ci ... ee/UAF.RNH) gives you an idea of how to use it.
-
Topic author - Valued Contributor
- Posts: 66
- Joined: Thu Dec 23, 2021 8:02 pm
- Reputation: 0
- Location: Fairbanks , AK.
- Status: Offline
Re: AUTHORIZE , A request for an alias & a new function .
@craigberry , Thank You ! I'll definitely garner that up too . Tnc , JimL
Re: AUTHORIZE , A request for an alias & a new function .
I'm toying with making an SQLite virtual table module for viewing the UAF. My cheat is to hijack the ISI from the $GETUAI context longword and construct an RAB for making RMS calls (by way of $CMEXEC).
There are 57 different item codes, not including username, plus record type and version bytes not exposed by $GETUAI.
Relatively few of the non-text fields are straight up numbers signifying limits, among the ways to interpret the binary data:
- A VMS time, with special cases for 0 and -1
- Access hours (3 bytes, 1 bit per hour)
- Days of week (1 byte, 1 bit per day)
- Account flags (disUser, etc)
- UIC (2 words)
- Privilege mask (8 bytes)
- Password hash
- algorithm code (AD II, Purdy, etc)
```sql
sqlite> SELECT username,owner,lastlogin_i FROM uaf WHERE lastlogin_i <> '(none)' AND vms$cvtime(lastlogin_i) > '2023-09';
```
Last edited by jonesd on Tue Dec 12, 2023 3:21 pm, edited 3 times in total.
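The binary item formats listed above (a VMS absolute time with its 0 and -1 special cases, the two-word UIC and the 8-byte privilege mask) are what any SYSUAF audit has to decode before it can ask the questions that matter, such as which accounts hold kernel-level privileges or have not logged in for months. The following C program is an added example written for this page, not code from jonesd's virtual table, from the rtl_user_authorization routine posted later in this thread, or from any VSI utility. It decodes those three field types from constructed sample values and runs a small dormant/over-privileged account check over them. The PRV$V_* bit positions in its table are hard-coded from prvdef.h so it compiles off-VMS (verify them against your system's header), the system-UIC threshold assumes the MAXSYSGROUP default of 8, and the user names, UICs and timestamps are constructed for illustration only.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* VMS absolute time = 100 ns ticks since 17-NOV-1858 00:00 (MJD 0);
 * 1970-01-01 is MJD 40587, so the Unix epoch expressed in VMS ticks is: */
#define VMS_TICKS_PER_SEC 10000000ULL
#define VMS_UNIX_EPOCH    (40587ULL * 86400ULL * VMS_TICKS_PER_SEC)

/* Privilege bit positions (PRV$V_* from prvdef.h), hard-coded here so the
 * example compiles off-VMS; only a well-known subset is listed. "dangerous"
 * marks privileges that give kernel access or defeat protection checks. */
typedef struct { int bit; const char *name; int dangerous; } priv_def;
static const priv_def PRIVS[] = {
    { 0, "CMKRNL", 1}, { 1, "CMEXEC", 1}, { 2, "SYSNAM", 0}, { 3, "GRPNAM", 0},
    {14, "SETPRV", 1}, {15, "TMPMBX", 0}, {16, "WORLD",  0}, {18, "OPER",   0},
    {20, "NETMBX", 0}, {28, "SYSPRV", 1}, {29, "BYPASS", 1},
};
#define NPRIVS (sizeof PRIVS / sizeof PRIVS[0])

uint64_t unix_to_vms(time_t t) { return VMS_UNIX_EPOCH + (uint64_t)t * VMS_TICKS_PER_SEC; }

/* 0 = converted; 1 = zero ("(none)"); 2 = all ones (-1, no expiry); 3 = before 1970 */
int vms_time_to_unix(uint64_t v, time_t *out)
{
    if (v == 0) return 1;
    if (v == UINT64_MAX) return 2;
    if (v < VMS_UNIX_EPOCH) return 3;
    *out = (time_t)((v - VMS_UNIX_EPOCH) / VMS_TICKS_PER_SEC);
    return 0;
}

/* Render as "YYYY-MM-DD HH:MM:SS" (UTC) or as one of the special-case labels. */
const char *vms_time_format(uint64_t v, char *buf, size_t n)
{
    static const char *special[] = { "", "(none)", "(forever)", "(pre-1970)" };
    time_t t;
    int rc = vms_time_to_unix(v, &t);
    if (rc) snprintf(buf, n, "%s", special[rc]);
    else strftime(buf, n, "%Y-%m-%d %H:%M:%S", gmtime(&t));
    return buf;
}

/* UIC longword: high word = group, low word = member; AUTHORIZE shows both in octal. */
unsigned uic_group(uint32_t uic) { return uic >> 16; }
const char *uic_format(uint32_t uic, char *buf, size_t n)
{
    snprintf(buf, n, "[%o,%o]", uic_group(uic), uic & 0xFFFFu);
    return buf;
}

/* Expand the 8-byte privilege mask into "NAME,NAME,..."; returns how many
 * table entries were set (bits not in the table are ignored). */
int privs_describe(uint64_t mask, char *buf, size_t n)
{
    int count = 0;
    size_t len = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < NPRIVS && len < n; i++)
        if (mask & (1ULL << PRIVS[i].bit))
            len += (size_t)snprintf(buf + len, n - len, "%s%s", count++ ? "," : "", PRIVS[i].name);
    return count;
}

/* The subset of the mask made up of "dangerous" bits (0 if none are set). */
uint64_t privs_dangerous(uint64_t mask)
{
    uint64_t hit = 0;
    for (size_t i = 0; i < NPRIVS; i++)
        if (PRIVS[i].dangerous) hit |= mask & (1ULL << PRIVS[i].bit);
    return hit;
}

/* The $GETUAI items the audit looks at: UAI$_UIC, UAI$_PRIV, UAI$_LASTLOGIN_I. */
typedef struct { char username[33]; uint32_t uic; uint64_t privs; uint64_t lastlogin_i; } uaf_sample;
enum { AUDIT_PRIVS = 1, AUDIT_DORMANT = 2, AUDIT_NEVER_LOGGED_IN = 4, AUDIT_SYSTEM_UIC = 8 };

/* Bitmask of findings for one record, judged at reference time `now`. */
int audit_account(const uaf_sample *r, time_t now, int dormant_days)
{
    int f = 0; time_t t;
    if (privs_dangerous(r->privs)) f |= AUDIT_PRIVS;
    if (uic_group(r->uic) <= 8) f |= AUDIT_SYSTEM_UIC; /* MAXSYSGROUP default: 8 (octal 10) */
    switch (vms_time_to_unix(r->lastlogin_i, &t)) {
    case 0: if ((now - t) / 86400 > dormant_days) f |= AUDIT_DORMANT; break;
    case 1: f |= AUDIT_NEVER_LOGGED_IN; break;
    }
    return f;
}

int main(void)
{
    char tb[32], ub[24], pb[128];
    /* Constructed records (not from any real SYSUAF), judged at 2024-01-01 00:00 UTC. */
    const uaf_sample recs[] = {
        {"SYSTEM",  0x00010004, (1ULL << 28) | (1ULL << 29) | 1ULL, unix_to_vms(1703980800)},
        {"OLDUSER", 0x00C80065, (1ULL << 15) | (1ULL << 20), unix_to_vms(1694779200)},
        {"BATCH",   0x0064000A, (1ULL << 15) | (1ULL << 20) | (1ULL << 14), 0},
    };
    for (size_t i = 0; i < sizeof recs / sizeof recs[0]; i++)
        printf("%-8s %-10s last=%-19s privs=%-22s findings=0x%x\n", recs[i].username,
               uic_format(recs[i].uic, ub, sizeof ub), vms_time_format(recs[i].lastlogin_i, tb, sizeof tb),
               (privs_describe(recs[i].privs, pb, sizeof pb), pb), audit_account(&recs[i], 1704067200, 90));
    return 0;
}
```

On a real system the three values would come straight from $GETUAI with the UAI$_UIC, UAI$_PRIV and UAI$_LASTLOGIN_I item codes; the helpers take the raw longword and quadword exactly as the service returns them, so they sit behind such a call without depending on the SYSUAF record layout. The findings bitmask is deliberately coarse: a system-group UIC with SYSPRV is expected for SYSTEM, and the point of the audit is the account that has it and has not logged in for a hundred days.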
-
- Active Contributor
- Posts: 40
- Joined: Tue Jul 21, 2020 10:44 am
- Reputation: 0
- Status: Offline
Re: AUTHORIZE , A request for an alias & a new function .
This might be useful to steal code from, feel free to use it....

```c
// ----------------------------------------------------------------------------
// rtl_user_authorization
//
// This routine fills in a structure that holds metadata about a
// VMS user. The data comes from the SYSUAF file and is obtained via
// a call to sys$getuai.
//
// Callers of this routine will need either GRPPRV or SYSPRV,
// unless they have read access to SYSUAF.
//
// Arguments        Description
// ---------------  -------------------------------------------------------
// userName         address of string descriptor holding the name of the
//                  user to look up.
//
// userSYSUAF       address of structure used to hold the metadata
//
// Returns          Description
// ---------------  -------------------------------------------------------
// 1                Successful call
//                  userSYSUAF is populated with the fetched metadata.
//
// -1               Error in call, nothing returned
//
// ----------------------------------------------------------------------------
// Modification History
//
// Date         Author            Modification(s)
// -----------  ----------------  ---------------------------------------------
// 27-FEB-2019  Tim Lovern        New module as of this date
//
// 28-FEB-2019  Tim Lovern        Added lastLogin and lastChange2
//
// ----------------------------------------------------------------------------
#define __NEW_STARLET 1
#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <ssdef.h>
#include <stsdef.h>
#include <iledef.h>
#include <uaidef.h>
#include <descrip.h>
#include <string.h>
#include <gen64def.h>
#include <starlet.h>
#include <hdf:authorize.h>
#define ITEM_COUNT 25
// ----------------------------------------------------------------------------
//
// ----------------------------------------------------------------------------
long rtl_user_authorization(DSCS *userName, TYPE_AUTHORIZE *userSYSUAF)
{
    long status = 0;
    static TYPE_AUTHORIZE user;
    static unsigned short retLen[ITEM_COUNT];
    // item list: buffer length, item code, buffer address, return length address
    static ILE3 itemList[] =
    {
        { 32, UAI$_ACCOUNT,          &user.acctName,    &retLen[ 0]},
        { 32, UAI$_DEFDEV,           &user.defDevice,   &retLen[ 1]},
        { 64, UAI$_DEFDIR,           &user.defDirect,   &retLen[ 2]},
        {  8, UAI$_DEF_PRIV,         &user.defPrivs,    &retLen[ 3]},
        {  1, UAI$_ENCRYPT,          &user.algorithm1,  &retLen[ 4]},
        {  1, UAI$_ENCRYPT2,         &user.algorithm2,  &retLen[ 5]},
        {  8, UAI$_EXPIRATION,       &user.acctExpires, &retLen[ 6]},
        {  4, UAI$_FLAGS,            &user.acctFlags,   &retLen[ 7]},
        {  8, UAI$_LASTLOGIN_I,      &user.lastLogin,   &retLen[ 8]},
        { 64, UAI$_LGICMD,           &user.loginCmd,    &retLen[ 9]},
        {  3, UAI$_LOCAL_ACCESS_P,   &user.accTimeP,    &retLen[10]},
        {  3, UAI$_LOCAL_ACCESS_S,   &user.accTimeS,    &retLen[11]},
        {  3, UAI$_NETWORK_ACCESS_P, &user.netAccTimeP, &retLen[12]},
        {  3, UAI$_NETWORK_ACCESS_S, &user.netAccTimeS, &retLen[13]},
        { 32, UAI$_OWNER,            &user.acctOwner,   &retLen[14]},
        {  1, UAI$_PRIMEDAYS,        &user.primeDays,   &retLen[15]},
        {  8, UAI$_PRIV,             &user.acctPrivs,   &retLen[16]},
        {  8, UAI$_PWD,              &user.pwd1Hash,    &retLen[17]},
        {  8, UAI$_PWD_DATE,         &user.lastChange,  &retLen[18]},
        {  4, UAI$_PWD_LENGTH,       &user.pwdLength,   &retLen[19]},
        {  8, UAI$_PWD2,             &user.pwd2Hash,    &retLen[20]},
        {  8, UAI$_PWD2_DATE,        &user.lastChange2, &retLen[21]},
        {  2, UAI$_SALT,             &user.pwdSalt,     &retLen[22]},
        {  4, UAI$_UIC,              &user.acctUIC,     &retLen[23]},
        {255, UAI$_USER_DATA,        &user.userData,    &retLen[24]},
        {  0, 0,                     NULL,              NULL }
    };
    // -------------------------------------------------------
    // make the call
    // -------------------------------------------------------
    status = sys$getuai(0, 0, userName, itemList, 0, 0, 0);
    // -------------------------------------------------------
    // return to the caller: copy the fetched record only on
    // success, so a failed lookup does not hand back stale
    // data from a previous call
    // -------------------------------------------------------
    if (status != SS$_NORMAL)
        status = -1;
    else
        memcpy(userSYSUAF, &user, sizeof(user));
    return status;
}
```
```c
// ----------------------------------------------------------------------------
// Authorize.h
//
// This header file contains definitions used in conjunction with the
// rtl_user_authorization and rtl_impersonate* routines.
//
// Date         Author            Modification(s)
// -----------  ----------------  ---------------------------------------------
// 27-FEB-2019  Tim Lovern        New module as of this date
// 28-FEB-2019  Tim Lovern        added lastLogin and lastChange2
//
// 1-MAY-2019   Tim Lovern        added include of userinfo.h, priv to name
//                                mapping, and persona data structures. Improved
//                                internal documentation (a little)
//
// 2-DEC-2019   Tim Lovern        Changed definition of QUADWORD to unsigned
//                                __int64
//
// ----------------------------------------------------------------------------
#ifndef AUTHORIZE_LOADED
#define AUTHORIZE_LOADED 1
#define __NEW_STARLET 1
#include <descrip.h>
#include <gen64def.h>
#include <prvdef.h>
// ---------------------------------------------
// non-system file includes (VMSDATE and
// PROCRIGHTS are expected to come from this
// header, which is not shown in the post)
// ---------------------------------------------
#include <hdf:userinfo.h>
// ---------------------------------------------
// misc type definitions
// ---------------------------------------------
typedef struct dsc$descriptor_s DSCS;
typedef unsigned __int64 QUADWORD;
// ---------------------------------------------
// structure to hold authorize fields we care
// about
// ---------------------------------------------
typedef struct authorize
{
    char     acctName[32 + 1];     // 1  account name
    char     defDevice[32 + 1];    // 2  default device
    char     defDirect[64 + 1];    // 3  default directory
    QUADWORD defPrivs;             // 4  default privs
    char     algorithm1;           // 5  pwd encrypt algorithm
    char     algorithm2;           // 6  pwd encrypt algorithm
    VMSDATE  acctExpires;          // 7  acct expiration date
    long     acctFlags;            // 8  account flags
    VMSDATE  lastLogin;            // 9  last login date
    char     loginCmd[64 + 1];     // 10 login command file
    char     accTimeP[3];          // 11 primary access times
    char     accTimeS[3];          // 12 secondary access times
    char     netAccTimeP[3];       // 13 primary network access times
    char     netAccTimeS[3];       // 14 secondary network access times
    char     acctOwner[32 + 1];    // 15 account owner name
    char     primeDays;            // 16 primary access days
    QUADWORD acctPrivs;            // 17 privs for the account
    QUADWORD pwd1Hash;             // 18 hashed primary password
    VMSDATE  lastChange;           // 19 date of last password change
    long     pwdLength;            // 20 min password length
    QUADWORD pwd2Hash;             // 21 hashed secondary password
    VMSDATE  lastChange2;          // 19 date of last password 2 change
    unsigned short pwdSalt;        // 22 random password salt
    unsigned long  acctUIC;        // 23 UIC code
    char     userData[255 + 1];    // 24 optional user data
} TYPE_AUTHORIZE;
// ---------------------------------------------
// structure for mapping privs to names
// ---------------------------------------------
typedef struct priv2Name
{
    QUADWORD mask;
    char    *name;
} TYPE_PRIV2NAME;
// ---------------------------------------------
// structure for capturing persona data used
// in the impersonate routines
// ---------------------------------------------
typedef struct personaData
{
    unsigned int currentPersona,   // persona ID in use
                 naturalPersona;   // normal persona
    char         personaUser[33],  // user name for persona
                 personaAcct[33],  // account name for persona
                 personaPrin[65];  // principal name for persona
    unsigned long UIC;             // UIC for persona
    QUADWORD     workingPrivs,     // working privilege mask
                 authorizedPrivs,  // authorized privilege mask
                 permanentPrivs;   // permanent privilege mask
    PROCRIGHTS  *enabledRights,    // root of rights linked list
                *authorizedRights; // root of rights linked list
} TYPE_PERSONA_DATA;
#endif
```
-
- VSI Expert
- Valued Contributor
- Posts: 64
- Joined: Tue May 09, 2023 7:57 am
- Reputation: 1
- Status: Offline
Re: AUTHORIZE , A request for an alias & a new function .
I strongly recommend sticking with $GETUAI. The UAF record layout is expected to change in future versions.
--Doug
Executive Vice President of InfoServer Engineering at VSI.
Re: AUTHORIZE , A request for an alias & a new function .
All I use the cheat for is getting a list of usernames, everything else uses $GETUAI/$SETUAI. As long as usernames index with key 0 as blank-filled text, it should be able to adapt.
Last edited by jonesd on Wed Dec 13, 2023 5:58 pm, edited 1 time in total.
-
- Senior Member
- Posts: 532
- Joined: Fri Apr 17, 2020 7:31 pm
- Reputation: 0
- Location: Rhode Island, USA
- Status: Online
- Contact:
Re: AUTHORIZE , A request for an alias & a new function .
Is there a problem with the old hack of iterating with sys$idtoasc and discarding ids with the high bit set (negative if signed)?
Re: AUTHORIZE , A request for an alias & a new function .
> jonesd wrote: ↑Tue Dec 12, 2023 3:15 pm
> This poses the problem of whether the virtual table column presents the item formatted or in its binary form. The former allows queries such as:
>
> ```sql
> sqlite> SELECT username,owner,lastlogin_i FROM uaf WHERE lastlogin_i <> '(none)' AND vms$cvtime(lastlogin_i) > '2023-09';
> ```

I decided to go with having the virtual table return the raw binary and use a special formatting function, enc (i.e. ENCode), when a text representation is called for. This allows queries like:

```text
sqlite> -- Show users with interactive or non-interactive active logins since March 1st.
sqlite> select username,owner,enc(lastlogin_i),enc(lastlogin_n) from uaf where
   ...> vms$cvtime(max(lastlogin_i,lastlogin_n)) > '2023-03-01';
USERNAME     OWNER              enc(lastlogin_i)         enc(lastlogin_n)
-----------  -----------------  -----------------------  -----------------------
DECNET       DECNET DEFAULT     (none)                   26-APR-2023 08:26:15.21
JONESD       David Jones        7-JAN-2024 15:04:20.14   8-JAN-2024 16:07:53.16
SSH$SSH      SSH$SSH            (none)                   8-JAN-2024 15:59:47.07
SYSTEM       SYSTEM MANAGER     6-JAN-2024 10:17:56.00   23-APR-2023 19:49:32.28
TCPIP$BIND   TCPIP$BIND         (none)                   25-APR-2023 12:36:46.83
TCPIP$FTP    TCPIP$FTP          (none)                   5-JAN-2024 00:07:39.84
TCPIP$NTP    TCPIP$NTP          (none)                   5-JAN-2024 00:07:39.97
sqlite>
```
-
- Master
- Posts: 170
- Joined: Fri Jun 28, 2019 8:45 am
- Reputation: 0
- Location: South Tyneside, UK
- Status: Offline
- Contact:
Re: AUTHORIZE , A request for an alias & a new function .
The virtual table mentioned is available as vms_auth01.zip in the SQLITE3 section of vms-ports on sourceforge
https://sourceforge.net/projects/vms-po ... s/SQLITE3/
along with other interesting things.
Ian Miller
[ personal opinion only. usual disclaimers apply. Do not taunt happy fun ball ].