AUTHORIZE utility

The next CUSP to cover is AUTHORIZE. This utility is used to manage user accounts on UOS. This is the user interface to the SYSUAF file, which we covered over 100 articles ago. This discussion will take several articles, since this is a very important aspect of system security. There are some differences between UOS and VMS in terms of authentication options (such as MultiFactor Authorization), so there are some important differences between how AUTHORIZE works on UOS. Here is the user documentation:

AUTHORIZE

The AUTHORIZE utility is a system management tool used to control access to the system. The System User Author file (SYSUAF.DAT) contains the definitions of users and which privileges they have. By default, the file is stored in sys$system, however the system administator may move the file elsewhere. If defined, the SYSUAF logical defines the location of the file. If you move the location of the file, you must (re)define SYSUAF to point to the new location.

If SYSUAF.DAT cannot be located, the user will be prompted if a new file should be created. If affirmed, the utility will be created with a default account, a Startup account, and a System account. The SYSUAF.DAT file will be created with an Owner of "System", and the file protections of S:RWED, O:RWED. The SYSUAF.DAT file is backed up after the system configuration and can be restored from that backup with the following command:

COPY SYS$SYSTEM:SYSUAF.TEMPLATE SYS$SYSTEM:SYSUAF.DAT

This should only be done if the file is deleted or corrupted and there is no backup of the file available. Backups should be done regularly.

The process running the utility must have read/write access to SYSUAF (by default this must be a process which is logged into the System account and/or which has the SYSPRV privilege).

The Default account is a template that provides default settings for newly created accounts. No user can log into the default account. The privileges for the default account should be minimal so that newly created accounts are assigned minimal privileges by default.

The System account is intended for system administration. It has all privileges and its default directory is sys$system.

To use AUTHORIZE, use the command:

RUN SYS$SYSTEM:AUTHORIZE

The AUTHORIZE utility will prompt for a command. The following commands are available:

Command Description

ADD Add a new user account.

COPY Creates a new account that matches an existing account.

DEFAULT Modifies the default account.

EXIT Exits the utility.

HELP Displays help for the utility.

LIST Writes a report of selected accounts to a listing file.

MODIFY Modifies an account.

REMOVE Deletes an account.

RENAME Renames an existing account.

SHOW Show information on an account.

AUTHORIZE
ADD

Creates a new user account.

Format

ADD username {qualifiers}

Parameters

username
The name of the new account. This must not match an existing account name. It must be alphanumeric, with underscores and dollar signs allowed. It is recommended that dollar signs not be used since those are used for system accounts. It is also recommended that the first character not be a numeric digit, as some system features may not work with such accounts.

Qualifiers

/ACCESS{=specification}
/NOACCESS{=specification}
Defines access restrictions. If no specification is provided, /ACCESS removes any access restrictions and /NOACCESS essentially disables the account. Specifications are a comma-delimited list of items (or a single item with no commas) that indicates the time restictions/allowances. /NOACCESS will add a restriction for the specified items and /ACCESS will remove restrictions. Each item is an hour indicator, time range specification, or a collective specifier. Collective specifiers are "PRIMARY" or "SECONDARY". If the time is simply a number (no colons or AM/PM), it is interpreted as the hour. Ranges are delimited by a dash. An hour (time without a dash) indicates a full hour range starting at the specified hour. For instance "11" indicates 11:00-11:59 AM, while "20" indicates 8:00-8:59 PM. If no collective specifier is specified, the access applies to both primary and secondary days. Each time specification applies to the previous collective specifier (or to both if no specifier). For example, the following:

/NOACCESS=22,PRIMARY,7-9,11:45 AM-12:15 PM

would restrict access so the account could not log in between 10:00-10:59 PM on any/all days, or between 7:00-9:59 AM on primary days, or between 11:45 AM through 12:15 PM on primary days.

To specify hours for specific forms of access, see the /BATCH, /DIALUP, /INTERACTIVE, /LOCAL, /NETWORK, and /REMOTE qualifiers.

/ACCOUNT=accountname
Indicates that the new user will be given the specified account name, which can be from 1 to 8 characters long. The meaning of this account name is up to the system administrator and could indicate a billing name or number.

/ASTLM=number
Indicates the AST limit for the account, which is the number of concurrent ASTs that a process can have at a time. A value of 0 indicates an unlimited number of ASTs are allowed.

/AUTHENTICATION=type
Indicates the type of authentication required for this account. The default is for a single password. The type is a single authentication specification, or a comma-delimited list of authentication specifications. At login time, the user will need to provide each of the specified authentications in the order they are specified here. Each specification has the following format:
type|prompt{|option{|option...}}
"type" can be a program filename or "PASSWORD". If it is a program filename, that program is executed when that authentication method is reached. Once an authentication step is validated, the next authentication step is performed. If "PASSWORD" is specified, the Login program prompts for the password and validates it. The specified prompt is optional, but if provided is used by Login to prompt the user. Passwords have the following options:

Option Description

|ALGORITHM{=value} The password encryption algorithm to use for this password. The value must be the name of one of the algorithms installed on the system. If no value is specified, the default UOS algorithm is used.

|DISPWDDIC Disable checking password against word dictionary.

|DISPWDHIS Disable checking against old passwords.

|EXPIRED Mark the password as expired.

|FORCECHANGE The user must change the password on the next login.

|GENERATE Generate a random initial password. The generated password will be displayed.

|GENPWD User must always use a generated password.

|LOCKPWD User cannot change this password.

|MINIMUM=value Set the minimum length of the generated password.

|PASSWORD=value Set the current password to the specified value.

|PWDMIX Make password case-sensitive.

/BATCH{=specification}
Indicates the access restrictions for batch jobs. If no specification is provided, any /ACCESS or /NOACCESS qualifiers will apply to batch jobs.

/BIOLM=value
Indicates the Buffered I/O limit for the account, which is the number of concurrent buffered I/O operations (such as terminal I/Os) can be outstanding at a time.

/BYTLM=value
Indicates the maximum number of bytes of non-paged dynamic system memory that can be used by the process. This includes I/O buffering and mailboxes. A value of 0 indicates that there is no limit.

/CLI=name
Indicates the file specification of the initial shell for logged-in processes. The default is UCL.

/CPUTIME=value
Indicates the maximum amount of CPU time, per session, for the user. A value of 0 indicates no limit.

/DEFPRIVILEGES=values
Indicates the privileges the user will have upon logging in. The values indicate a single privilege or a comma-delimited list of privilege names. Any name preceeded by "NO" will indicate that the specified privilege is to be removed from the user. This affects the currently assigned privileges - if a privilege is not specified, the current setting for that privilege is unaffected. NOALL can be used to remove all privileges and ALL can be used to grant all privileges.

/DEVICE=device
Indicates the default device for the user. If not specified, the default device is SYS$SYSDISK. This may be a logical or physical device.

/DIALUP{=specification}
Indicates the access restrictions for dialup jobs. If no specification is provided, any /ACCESS or /NOACCESS qualifiers will apply to dial-up jobs.

/DIOLM=value
Indicates the direct I/O count limit, which is the number of concurrent direct I/O operations (usually disk I/Os) that can be outstanding at one time. A value of 0 indicates no limit.

/DIRECTORY=value
Indicates the default directory for the account when logging in.

/ENQLM=value
Indicates the lock queue limit for the account, which indicates how many locks can be queued up at a time. A value of 0 indicate no limit.

/EXPIRATION=date
/NOEXPIRATION
Specifies the expiration date of the account. Expired accounts cannot be logged in to. /NOEXPIRATION removes any existing expiration date.

/FILLM=value
Indicates the open file limit for the account, which is the maximum number of files that can be concurrently open by a process, including active network links. A value of 0 indicates no limit.

/FLAGS=value{,value}
Indicates the login flags to set for the account. "NO" can be prefixed to any of these to clear the flag.

Flag Meaning

AUDIT Audit the user.

AUTOLOGIN Allow login without authentication.

CAPTIVE Prevents user from changing any defaults on login with any login qualifiers. It also turns off Control-Y and prevents exiting the command script specified for the account, if any.

DEFCLI Prevents the user from specifying a different initial shell.

DISCTLY Disables control-Y on login.

DISIMAGE Disallows the user to run images from the shell.

DISMAIL Disables mail delivery to the user.

DISNEWMAIL Disables notification of new mail upon login. By default the user is notified of the presence of mail received since the last login.

DISRECONNECT Disables automatic reconnection to an existing detached process. By default, the user is reconnected to any detached process.

DISREPORT Disables the report of last login, login failures, etc upon login.

DISUSER Disables the user's account.

DISWELCOME Disables the login welcome message, which is shown by default indicates the name and version number of the operating system that is running and the name of the node onto which the user logged in.

RESTRICTED Prevents the use of options on login and disables Control-Y.

/INTERACTIVE{=specification}
/NOINTERACTIVE
Indicates the access restrictions for interactive jobs. If no specification is provided, any /ACCESS or /NOACCESS qualifiers will apply to interactive jobs. /NOINTERACTIVE removes any and all access restrictions for interactive jobs.

/JTQUOTA=value
Indicates the initial size of the process symbol tables when created on log in.

/LGICMD{=value}
Indicates the filename of the shell script to automatically run after login. If no value is provided, the default login script is executed.

/LOCAL{=specification}
Indicates the access restrictions for logins on local terminals. If no specification is provided, any /ACCESS or /NOACCESS qualifiers will apply to all logins on local terminals.

/MAXACCTJOBS=value
Indicates the maximum total number of concurrent processes for this user account, not counting network connection processes.

/MAXDETACH=value
Indicates the maximum total number of detached processes for this user account. A value of 0 means there is no limit. A value of "NONE" indicates that the user cannot create any detached processes.

/NETWORK{=specification}
Indicates the access restrictions for network connections. If no specification is provided, any /ACCESS or /NOACCESS qualifiers will apply to all network connections for the user.

/MAXJOBS=value
Indicates the maximum total number of concurrent processes for this user account. Unlike /MAXACCTJOBS, this also applies to network connection processes. The first four network connection accounts are not counted toward this limit. A value of 0 indicate no limit.

/OWNER=ownername
Indicates that the new user will be given the specified ownert name, which can be from 1 to 32 characters long. The meaning of this name is up to the system administrator and could indicate a billing name or number.

/PGFLQUOTA=value
Indicates maximum number of pages that a process of the user can use in the system paging file. A value of 0 indicates no limit.

/PRCLIM=value
Indicates maximum number of concurrent processes, of all types, allowed for the user. A value of 0 indicates no limit.

/PRIMEDAYS=value
Indicates which days qualify as PRIMARY for any switches that set login restrictions. By default PRIMARY days are Monday through Friday and SECONDARY days are Saturday and Sunday. The value can be a single day or a comma-delimited list of days. Any day not specified is treated as per the default. Any day prefixed with "NO" is defined as a secondary day for any switches that set login restrictions.

/PRIORITY=value
Indicates the initial priority of a process after login.

/PRIVILEGES=values
Indicates the privileges the user has authorized, but not necessarily upon login. The /DEFPRIVILEGES indicate what privileges the process starts with while /PRIVILEGES indicates those that are available to the user. The values indicate a single privilege or a comma-delimited list of privilege names. Any name preceeded by "NO" will indicate that the specified privilege is to be removed from the user. This affects the currently assigned privileges - if a privilege is not specified, the current setting for that privilege is unaffected. NOALL can be used to remove all privileges and ALL can be used to grant all privileges.

/REMOTE{=specification}
Indicates the access restrictions for remote connections. If no specification is provided, any /ACCESS or /NOACCESS qualifiers will apply to all remote connections for the user.

/SHRFILLM=values
Indicates the maximum number of shared files that the user can have open at one time. A value of 0 indicates no limit.

/TQELM=values
Indicates the maximum number of entries a process for the user can have in the timer queue at one time. A value of 0 indicates no limit.

/UIC=value
Indicates the UIC for the new account. By default, a UIC is automatically assigned, however the UIC can be specifically associated with the account with this qualifier. The UIC specified must not already be assigned to an account.

/WSDEFAULT=value
Indicates the default maximum process memory limit, in memory pages. A process is not allowed to exceed this much memory usage unless there is additional unused memory available. However, if this value is exceeded and then additional memory is required, the space exceeding the WSDEFAULT value is reclaimed from the process. A value of 0 indicates no limit. This amount of memory can be increased via the SET WORKING_SET utility, up to the limit of WSEXTENT.

/WSEXTENT=value
Indicates the maximum process memory limit, in memory pages. A process is not allowed to exceed this much memory usage unless there is additional unused memory available. However, if this value is exceeded and then additional memory is required, the space exceeding the WSEXTENT value is reclaimed from the process. A value of 0 indicates no limit.

/WSQUOTA=value
Indicates the maximum process memory limit, in locked pages. A process is not allowed to exceed this usage of locked memory. This is also the maximum amount of swap space that can be used by the process. A value of 0 indicates no limit.

Description

When a qualifier is not specified, the value from the Default account is used, where applicable, or else a default value is used as described above. When adding an account, specify the values you want to differ from the Default account. Make sure you also create a directory for the user after creating their account.

Example:

UAF> ADD GEORGE/DEVICE=SYS$USER/OWNER="GEORGE WALLACE"/ACCESS=PRIMARY,12-17

In this example, a new user account named "GEORGE" is created who has access on primary days from noon to 5 PM.

AUTHORIZE
COPY

This command creates a new user account, using an existing user account as the template.

Format

COPY oldusername newusername {qualifiers}

Parameters

oldusername
The name of the existing account. This must match an existing account name.

newusername
The name of the new account. This must not match an existing account name. It must be alphanumeric, with underscores and dollar signs allowed. It is recommended that dollar signs not be used since those are used for system accounts. It is also recommended that the first character not be a numeric digit, as some system features may not work with such accounts.

Qualifiers

All of the qualifiers that are valid for ADD are also valid for COPY. See ADD for a detailed description of them.

Description

The ADD command is equivalent to a COPY command using the Default account.

Example:

UAF> COPY GEORGE BARRY/OWNER="BARRY WEST"/ACCESS=7-17

In this example, a new user account named "BARRY" is created who has access on primary days from 7 AM to 5 PM. All other account characteristics match those of the existing account named GEORGE.

AUTHORIZE
DEFAULT

This command modifies the SYSUAF Default account.

Format

DEFAULT {qualifiers}

Parameters

None.

Qualifiers

All of the qualifiers that are valid for ADD are also valid for DEFAULT. See ADD for a detailed description of them.

AUTHORIZE
EXIT

This command exits the AUTHORIZE utility.

Format

EXIT

Parameters

None.

Qualifiers

None.

Description

This command immediately terminates the utility.

AUTHORIZE
HELP

This command provides help on the AUTHORIZE utility.

Format

HELP {keyword{,...}}

Parameters

keyword{,...}
Specified an optional keyword, or multiple keywords, to show help for.

Qualifiers

None.

Description

If no keyword is specified, help shows information about which commands have help available and prompts for a topic. If a keyword is specified, help on that keyword is shown. Responding with ENTER or control-Z will exit help and return to AUTHORIZE.

AUTHORIZE
LIST

This command writes a report on the specified user(s) to a file.

Format

LIST accountspec {qualifiers}

Parameters

accountspec
Specifies which account(s) to report on. This can use a wildcard. For example "*" would report on all users, while "A?" would report on all users whose user names were two characters long and started with "A". Note that the listed users are in sorted into an particular order, although they generally follow the order in which the accounts were created.

Qualifiers

/BRIEF
Writes a brief report. If no output filename is provided, the report is written to sysuaf.lis in the current directory. Brief reports do not list the details of the limits, privileges, login flags, or the command interpreter.

/FULL
Writes a detailed report. If no output filename is provided, the report is written to sysuaf.lis in the sys$system. Full reports list the details of the limits, privileges, login flags, and the command interpreter.

/OUTPUT=filespec
Writes the report to the specified file. The file name defaults to SYSUAF, the extension defaults to .LIS, and the directory defaults to the current directory (if /BRIEF) or sys$system (if /FULL).

Description

If a single user is specified, a report on that user is written. If wildcards are used, a report on each matching user is written out in the order encountered in the SYSUAF.DAT file. The report never includes passwords.

Example:

UAF> LIST */BRIEF/OUTPUT=all_users

This example writes a brief report of all users to the file "all_users.lis" in the current directory.

AUTHORIZE
MODIFY

This command modifies an existing user account.

Format

MODIFY username qualifier{s}

Parameters

username
The name of an existing account.

Qualifiers

All of the qualifiers that are valid for ADD are also valid for MODIFY. See ADD for a detailed description of them. Any qualifier not specified means that the corresponding current setting is not changed in the account.

Discussion

This command modifies the settings of an existing account. Note that any processes for this account that are currently running will not be affected by any changes; however, the next time the user logs in, the new settings will apply.

AUTHORIZE
MODIFY/SYSTEM_PASSWORD

This command changes the system-wide password.

Format

MODIFY/SYSTEM_PASSWORD=password

Parameters

password
The new system password.

Qualifiers

None.

Discussion

Changing the system password requires that all users must supply a system password before any and all other authentications required for an account. Since this password is required before the username is queried, it applies even to autologin accounts. If the new password is not specified (is null), the system password requirement is removed.

Example

UAF> MODIFY/SYSTEM_PASSWORD=XYZZY

AUTHORIZE
REMOVE

This command removes a user from the SYSUAF file. The DEFAULT and SYSTEM accounts cannot be removed.

Format

REMOVE username

Parameters

username
The user whose record is to be removed.

Qualifiers

None.

Discussion

This command deletes the user account from SYSUAF, which prevents that account from being used to log into the system. If the user is currently logged into the system, they are unaffected until they log out or their process otherwise ends. Note that this does not remove the user's files, auditing or accounting information.

Example

UAF> REMOVE BOBBY

AUTHORIZE
RENAME

This command changes an account name in SYSUAF.

Format

RENAME oldusername newusername

Parameters

oldusername
The username of the existing user account to rename.

newusername
The new username for the user account. This must not match an existing account name. It must be alphanumeric, with underscores and dollar signs allowed. It is recommended that dollar signs not be used since those are used for system accounts. It is also recommended that the first character not be a numeric digit, as some system features may not work with such accounts.

Qualifiers

None.

Discussion

This command renames an existing account. None of the other settings of the account are changed. Note that any passwords that used the default UOS encryption may no longer be valid for this account and they should be changed or the user may not be able to log in under the old or new name.

Example

UAF> RENAME BARRY LARRY

AUTHORIZE
SHOW

This command shows information about a user(s).

Format

SHOW username {qualifiers}

Parameters

username
The username of the existing user account to rename. This can contain wildcards in order to show more than one user.

Qualifiers

/BRIEF
Writes a brief report. If no output filename is provided, the report is written to sysuaf.lis in the current directory. Brief reports do not list the details of the limits, privileges, login flags, or the command interpreter. The user directory will show "Disuser" for a disabled account and "Expired" for an expired account.

/FULL (default)
Writes a detailed report. If no output filename is provided, the report is written to sysuaf.lis in the sys$system. Full reports list the details of the limits, privileges, login flags, and the command interpreter.

/WRAP
/NOWRAP (default)
Indicates whether or not to wrap long lines.

Discussion

This command shows a report on UAF record(s).

Example

UAF> SHOW LARRY/FULL

The article is long enough, so we'll end it here. But before we end, I want to address an oversight in the configuration script. I neglected to create the sysuaf.template file at the end of the system configuration script, so we shall add the following to the end of the file (just before the $ exit):

$ copy sys$system:SYSUAF.DAT sys$system:SYSUAF.TEMPLATE

In the next article, we will begin looking at the code for AUTHORIZE.