AUTHORIZE , A request for an alias & a new function .

Everything related to the OpenVMS security model, system access, system and data protection, and security auditing.

Topic author
babydr
Valued Contributor
Posts: 66
Joined: Thu Dec 23, 2021 8:02 pm
Reputation: 0
Location: Fairbanks , AK.
Status: Offline

AUTHORIZE , A request for an alias & a new function .

Post by babydr » Thu Nov 16, 2023 9:00 pm

Hello All , at the [url]https://wiki.vmssoftware.com/AUTHORIZE[/url] I was re-introduced to the LIST command within AUTHORIZE , The name of this function is in my opinion a mis-use . It should be EXPORT . Thus I request that EXPORT be added as an alias for LIST .

Now , That leads to my New Function request , IMPORT .

Tia , JimL


craigberry
Active Contributor
Posts: 34
Joined: Fri Nov 17, 2023 11:27 am
Reputation: 1
Status: Offline

Re: AUTHORIZE , A request for an alias & a new function .

Post by craigberry » Sun Nov 26, 2023 8:33 am

Joe Meadows' UAF utility is available:

https://sourceforge.net/projects/jmuaf/

It has lots of options for selecting and listing the contents of UAF records. I updated it some years ago to reflect additions to the UAF record since its original appearance in (I think) the VMS 5.x era. If there have been any more recent changes to UAF I haven't heard about them. The help file (https://sourceforge.net/p/jmuaf/code/ci ... ee/UAF.RNH) gives you an idea of how to use it.


Topic author
babydr
Valued Contributor
Posts: 66
Joined: Thu Dec 23, 2021 8:02 pm
Reputation: 0
Location: Fairbanks , AK.
Status: Offline

Re: AUTHORIZE , A request for an alias & a new function .

Post by babydr » Sun Nov 26, 2023 9:40 pm

@craigberry , Thank You ! I'll definately garner that up too . Tnc , JimL


jonesd
Master
Posts: 108
Joined: Mon Aug 09, 2021 7:59 pm
Reputation: 0
Status: Offline

Re: AUTHORIZE , A request for an alias & a new function .

Post by jonesd » Tue Dec 12, 2023 3:15 pm

arne_v wrote:
Wed Nov 22, 2023 10:48 am
One point though. That Python modules does not use the supported SYS$GETUAI system service, but use the unsupported reading of SYSUAF.DAT as an index-sequential file. I would not worry - I am sure JFP got it right.
I'm toying with making an SQLite virtual table module for viewing the UAF. My cheat is to hijack the ISI from the $GETUAI context longword and construct an RAB for making RMS calls (by way of $CMEXEC).

There are 57 different item codes, not including username, plus record type and version bytes not exposed by $GETUAI.
Relatively few of the non-text fields are straight up numbers signifying limits, among the ways to interpret the binary data:
  • A VMS time, with special cases for 0 and -1
  • Access hours (3 bytes, 1 bit per hour)
  • Days of week (1 byte, 1 bit per day)
  • Account flags (disUser, etc)
  • UIC (2 words)
  • Privilege mask (8 bytes)
  • Password hash
  • algorithm code (AD II, Purdy, etc)
This poses the problem of whether the virtual table column presents the item formatted or in its binary form. The former allows queries such as:

Code: Select all

sqlite> SELECT username,owner,lastlogin_i FROM uaf WHERE lastlogin_i <> '(none)' AND vms$cvtime(lastlogin_i) > '2023-09';
Last edited by jonesd on Tue Dec 12, 2023 3:21 pm, edited 3 times in total.

User avatar

tlovern
Active Contributor
Posts: 40
Joined: Tue Jul 21, 2020 10:44 am
Reputation: 0
Status: Offline

Re: AUTHORIZE , A request for an alias & a new function .

Post by tlovern » Tue Dec 12, 2023 4:37 pm

This might be useful to steal code from, feel free to use it....

Code: Select all

// ----------------------------------------------------------------------------
// rtl_user_authorization
// 
//        This routine fills in a structure that holds metadata about a
//        VMS user. The data comes from the SYSUAF file and is obtianed via
//        a call to sys$getuai.
// 
//        Callers odf this routine will need either GRPPRV or SYSPRV, 
//        unless they have read access to SYSUAF.
// 
// 
// Arguments        Description
// ---------------- ------------------------------------------------------- 
// userName         address of string descriptor holding the name of the
//                  user to look up.
// 
// userSYSUAF       address of structure used to hold the metadata
// 
// 
// Returns          Description
// ---------------- ------------------------------------------------------- 
//   1              Successful call
//                  userSYSUAF is populated with the fetched metadata.
// 
//  -1              Error in call, nothing returned
// 
// 
// 
// ----------------------------------------------------------------------------
// Modification History
// 
// 
// Date        Author           Modification(s)
// ----------- ---------------- ---------------------------------------------
// 27-FEB-2019 Tim Lovern       New module as of this date
// 
// 28-FEB-2019 Tim Lovern       Added lastLogin and lastChange2
// 
// 
// 
// 
// 
// 
// 
// 
// ----------------------------------------------------------------------------

#define __NEW_STARLET 1

#include <stdio.h>
#include <stdlib.h>
#include <ctype.h>
#include <ssdef.h>
#include <stsdef.h>
#include <iledef>
#include <uaidef.h>
#include <descrip.h>
#include <string.h>
#include <gen64def.h>
#include <starlet.h>

#include <hdf:authorize.h>

#define ITEM_COUNT 25

// ----------------------------------------------------------------------------
// 
// ----------------------------------------------------------------------------
long rtl_user_authorization(DSCS *userName, TYPE_AUTHORIZE *userSYSUAF)
{
long	status = 0;

static TYPE_AUTHORIZE	user;

static unsigned short retLen[ITEM_COUNT];

static ILE3	itemList[] =
		{
		{ 32, UAI$_ACCOUNT,          &user.acctName,    &retLen[ 0]},
		{ 32, UAI$_DEFDEV,           &user.defDevice,   &retLen[ 1]},
		{ 64, UAI$_DEFDIR,           &user.defDirect,   &retLen[ 2]},
		{  8, UAI$_DEF_PRIV,         &user.defPrivs,    &retLen[ 3]},
		{  1, UAI$_ENCRYPT,          &user.algorithm1,  &retLen[ 4]},
		{  1, UAI$_ENCRYPT2,         &user.algorithm2,  &retLen[ 5]},
		{  8, UAI$_EXPIRATION,       &user.acctExpires, &retLen[ 6]},
		{  4, UAI$_FLAGS,            &user.acctFlags,   &retLen[ 7]},
		{  8, UAI$_LASTLOGIN_I,      &user.lastLogin,	&retLen[ 8]},
		{ 64, UAI$_LGICMD,           &user.loginCmd,    &retLen[ 9]},
		{  3, UAI$_LOCAL_ACCESS_P,   &user.accTimeP,    &retLen[10]},
		{  3, UAI$_LOCAL_ACCESS_S,   &user.accTimeS,    &retLen[11]},
		{  3, UAI$_NETWORK_ACCESS_P, &user.netAccTimeP, &retLen[12]},
		{  3, UAI$_NETWORK_ACCESS_S, &user.netAccTimeS, &retLen[13]},
		{ 32, UAI$_OWNER,            &user.acctOwner,   &retLen[14]},
		{  1, UAI$_PRIMEDAYS,        &user.primeDays,   &retLen[15]},
		{  8, UAI$_PRIV,             &user.acctPrivs,   &retLen[16]},
		{  8, UAI$_PWD,              &user.pwd1Hash,    &retLen[17]},
		{  8, UAI$_PWD_DATE,         &user.lastChange,  &retLen[18]},
		{  4, UAI$_PWD_LENGTH,       &user.pwdLength,   &retLen[19]},
		{  8, UAI$_PWD2,             &user.pwd2Hash,    &retLen[20]},
		{  8, UAI$_PWD2_DATE,        &user.lastChange2, &retLen[21]},
		{  2, UAI$_SALT,             &user.pwdSalt,     &retLen[22]},
		{  4, UAI$_UIC,              &user.acctUIC,     &retLen[23]},
		{255, UAI$_USER_DATA,        &user.userData,    &retLen[24]},
		{  0, 0,                     NULL,              NULL       }
		};

	// -------------------------------------------------------
	// make the call
	// -------------------------------------------------------

	status = sys$getuai(0,0, userName, itemList, 0, 0, 0);

	if (status != SS$_NORMAL)
		status = -1;

	// -------------------------------------------------------
	// return to the caller
	// -------------------------------------------------------

	memcpy(userSYSUAF, &user, sizeof(user));

	return status;
}

Code: Select all

// ----------------------------------------------------------------------------
// Authorize.h
//
//     This header file contains definitionsed used in conjunction with the
//     rtl_user_authorization and rtl_impersonate* routines.
//
//
// Date        Author           Modification(s)
// ----------- ---------------- ---------------------------------------------
// 27-FEB-2019 Tim Lovern       New module as of this date
 // 28-FEB-2019 Tim Lovern       added lastLogin and lastChange2
//
//  1-MAY-2019 Tim Lovern       added include of userinfo.h, priv to name
//                              mapping, and persona data structures. Improved
//                              internal documentation (a little)
//
//  2-DEC-2019 Tim Lovern       Changed definition of QUADWORD to unsigned
//                              __int64
//
// ----------------------------------------------------------------------------
#ifndef AUTHORIZE_LOADED
#define AUTHORIZE_LOADED 1
#define __NEW_STARLET 1
#include <descrip.h>
#include <gen64def.h>
#include <prvdef.h>
// ---------------------------------------------
// non-system file includes
// ---------------------------------------------
include <hdf:userinfo>
// ---------------------------------------------
// misc type definitions
// ---------------------------------------------
typedef struct dsc$descriptor_s	DSCS;
typedef unsigned __int64		QUADWORD;
// ---------------------------------------------
// structure to hold authorize fields we care
// about
// ---------------------------------------------
typedef struct authorize
{
         char		acctName[32 + 1];		//  1 account name
	char		defDevice[32 + 1];	//  2 default device
	char		defDirect[64 + 1];	//  3 default directory

	QUADWORD		defPrivs;		//  4 default privs
	char		algorithm1;		//  5 pwd encrypt alogirthm
	char		algorithm2;		//  6 pwd encrypt algorithm
	VMSDATE		acctExpires;		//  7 acct expiration date
	long		acctFlags;		//  8 account flags
	VMSDATE		lastLogin;		//  9 last login date
	char		loginCmd[64 + 1];		// 10 login command file
	char		accTimeP[3];		// 11 primary access times
	char		accTimeS[3];		// 12 secondary access times
	char		netAccTimeP[3];		// 13 primary network access times
	char		netAccTimeS[3];		// 14 secondary network access times
	char		acctOwner[32 + 1];	// 15 account owner name
	char		primeDays;		// 16 primary access days
	QUADWORD		acctPrivs;		// 17 privs for the account
	QUADWORD		pwd1Hash;		// 18 hashed primary password
	VMSDATE   	lastChange;		// 19 date of last password change
	long		pwdLength;		// 20 min password length
	QUADWORD		pwd2Hash;		// 21 hashed secondary password
	VMSDATE		lastChange2;		// 19 date of last password 2 change
	unsigned short	pwdSalt;			// 22 random password salt
	unsigned long	acctUIC;			// 23 UIC code
	char		userData[255 + 1];	// 24 optional user data
} TYPE_AUTHORIZE;
// ---------------------------------------------
// structure for mapping privs to names
// ---------------------------------------------
typedef struct priv2Name
{
	QUADWORD mask;
	char *name;
} TYPE_PRIV2NAME;

// ---------------------------------------------
// structure for capturing persona data used
// in the impersonate routines
// ---------------------------------------------

typedef struct personaData
{
	unsigned int	currentPersona,		// persona ID in use
			naturalPersona;		// normal persona

	char		personaUser[33],		// user name for persona
			personaAcct[33],		// account name for persona
			personaPrin[65];		// principal name for persona

	unsigned long	UIC;			// UIC for persona

	QUADWORD		workingPrivs,		// working privilege mask
			authorizedPrivs,		// authorized privilege mask
			permanentPrivs;		// permanent privilege mask

	PROCRIGHTS	*enabledRights,		// root of rights linked list
			*authorizedRights;	// root of rightws linked list
} TYPE_PERSONA_DATA;

#endif


dgordon
VSI Expert
Valued Contributor
Posts: 64
Joined: Tue May 09, 2023 7:57 am
Reputation: 1
Status: Offline

Re: AUTHORIZE , A request for an alias & a new function .

Post by dgordon » Wed Dec 13, 2023 4:29 pm

I strongly recommend sticking with $GETUAI. The UAF record layout is expected to change in future versions.

--Doug
Executive Vice President of InfoServer Engineering at VSI.


jonesd
Master
Posts: 108
Joined: Mon Aug 09, 2021 7:59 pm
Reputation: 0
Status: Offline

Re: AUTHORIZE , A request for an alias & a new function .

Post by jonesd » Wed Dec 13, 2023 5:54 pm

dgordon wrote:
Wed Dec 13, 2023 4:29 pm
I strongly recommend sticking with $GETUAI. The UAF record layout is expected to change in future versions.

--Doug
All I use the cheat for is getting a list of usernames, everything else uses $GETUAI/$SETUAI. As long as usernames index with key 0 as blank-filled text, it should be able to adapt.
Last edited by jonesd on Wed Dec 13, 2023 5:58 pm, edited 1 time in total.

User avatar

arne_v
Senior Member
Posts: 532
Joined: Fri Apr 17, 2020 7:31 pm
Reputation: 0
Location: Rhode Island, USA
Status: Online
Contact:

Re: AUTHORIZE , A request for an alias & a new function .

Post by arne_v » Wed Dec 13, 2023 6:41 pm

jonesd wrote:
Wed Dec 13, 2023 5:54 pm
dgordon wrote:
Wed Dec 13, 2023 4:29 pm
I strongly recommend sticking with $GETUAI. The UAF record layout is expected to change in future versions.
All I use the cheat for is getting a list of usernames, everything else uses $GETUAI/$SETUAI. As long as usernames index with key 0 as blank-filled text, it should be able to adapt.
Are there a problem with the old hack of iterating with sys$idtoasc and discard id's with high bit set (negative if signed)?
Arne
arne@vajhoej.dk
VMS user since 1986


jonesd
Master
Posts: 108
Joined: Mon Aug 09, 2021 7:59 pm
Reputation: 0
Status: Offline

Re: AUTHORIZE , A request for an alias & a new function .

Post by jonesd » Thu Dec 14, 2023 7:22 am

arne_v wrote:
Wed Dec 13, 2023 6:41 pm
Are there a problem with the old hack of iterating with sys$idtoasc and discard id's with high bit set (negative if signed)?
No guarantee of referential intregity.


jonesd
Master
Posts: 108
Joined: Mon Aug 09, 2021 7:59 pm
Reputation: 0
Status: Offline

Re: AUTHORIZE , A request for an alias & a new function .

Post by jonesd » Mon Jan 08, 2024 5:31 pm

jonesd wrote:
Tue Dec 12, 2023 3:15 pm
This poses the problem of whether the virtual table column presents the item formatted or in its binary form. The former allows queries such as:

Code: Select all

sqlite> SELECT username,owner,lastlogin_i FROM uaf WHERE lastlogin_i <> '(none)' AND vms$cvtime(lastlogin_i) > '2023-09';
I decided to go with having the virtual table return the raw binary and use a special formatting function, enc (i.e. ENCode), when a text representation is called for. This allows queries like:

Code: Select all

sqlite> -- Show users with interactive or non-interactive active logins since March 1st.
sqlite> select username,owner,enc(lastlogin_i),enc(lastlogin_n) from uaf where
   ...>    vms$cvtime(max(lastlogin_i,lastlogin_n)) > '2023-03-01';

USERNAME     OWNER              enc(lastlogin_i)         enc(lastlogin_n)
-----------  -----------------  -----------------------  -----------------------
DECNET       DECNET DEFAULT     (none)                   26-APR-2023 08:26:15.21
JONESD       David Jones         7-JAN-2024 15:04:20.14   8-JAN-2024 16:07:53.16
SSH$SSH      SSH$SSH            (none)                    8-JAN-2024 15:59:47.07
SYSTEM       SYSTEM MANAGER      6-JAN-2024 10:17:56.00  23-APR-2023 19:49:32.28
TCPIP$BIND   TCPIP$BIND         (none)                   25-APR-2023 12:36:46.83
TCPIP$FTP    TCPIP$FTP          (none)                    5-JAN-2024 00:07:39.84
TCPIP$NTP    TCPIP$NTP          (none)                    5-JAN-2024 00:07:39.97

sqlite>
Sometimes the enc function allows 2 arguments, env(uic) will return the numeric UIC while enc(uic,'id') will substitute the corresponding rightslist identifiers for group and uic if defined.

User avatar

imiller
Master
Posts: 170
Joined: Fri Jun 28, 2019 8:45 am
Reputation: 0
Location: South Tyneside, UK
Status: Offline
Contact:

Re: AUTHORIZE , A request for an alias & a new function .

Post by imiller » Tue Jan 09, 2024 6:37 am

The virtual table mentioned is available as vms_auth01.zip in the SQLLITE3 section of vms-ports on sourceforge
https://sourceforge.net/projects/vms-po ... s/SQLITE3/
along with other interesting things.
Ian Miller
[ personal opinion only. usual disclaimers apply. Do not taunt happy fun ball ].

Post Reply