topic Re: about the privilege for AUTHORIZE in Operating System - OpenVMS

about the privilege for AUTHORIZE

Davor_7 — Mon, 15 Aug 2005 01:40:58 GMT

folks

one account need access to UAF via MC AUTHORIZE, but i donot wanna give it more system privilege.

is there any privilege in category for this request ?

Re: about the privilege for AUTHORIZE

Karl Rohwedder — Mon, 15 Aug 2005 02:36:28 GMT

There are good reasons for the fact, that the SYSUAF... files are protected against access by 'normal' users.

What are you trying to acomplish?

regards Kalle

Re: about the privilege for AUTHORIZE

Davor_7 — Mon, 15 Aug 2005 02:56:11 GMT

my aim is to let the guy have enough privilege to show the user profile. and also, prevent him from doing some harmful command such as shutdown :)

Re: about the privilege for AUTHORIZE

Martin Vorlaender — Mon, 15 Aug 2005 03:07:27 GMT

The privilege needed for access to SYSUAF is SYSPRV - but that also grants access to all other files to the user.

The best way would probably be to add an ACL on SYSUAF.DAT that allows the user to read it.

cu,
Martin

Re: about the privilege for AUTHORIZE

Jeroen Hartgers_3 — Mon, 15 Aug 2005 03:08:34 GMT

This is always a difficult. If you can diplay the sys uaf you can also change the sysuaf (priv: oper and security).

An other option is to make a special account for this work. Where everything id done true a menu and the account has a captive flag. This way the can never work on the prompt.

Re: about the privilege for AUTHORIZE

Davor_7 — Mon, 15 Aug 2005 03:13:47 GMT

thanks men~ i know it

another question: where can i check the history password retention value?
UAF>help default
just /pwdlifetime, /pwdminimum, /pwdexpired qualifiers in it.
i want to check and modify the value defined before. how can i do?

i'm a new manager, excuse me :)

Re: about the privilege for AUTHORIZE

Karl Rohwedder — Mon, 15 Aug 2005 03:34:52 GMT

The password history lifetime and limit are controlled by the logical names:

System Logical Name Default Min Max Units
SYS$PASSWORD_HISTORY_LIFETIME
365
1
28000
Days
SYS$PASSWORD_HISTORY_LIMIT
60
1
2000
Absolute count

see in the 'Guide to Security'.

regards kalle

Re: about the privilege for AUTHORIZE

Martin Vorlaender — Mon, 15 Aug 2005 03:35:16 GMT

>>>
another question: where can i check the history password retention value?
<<<

AFAIK, there's no such thing. The last 60 passwords are recorded, you can only enable or disable the check upon entering of a new password (see UAF flag DISPWDHIS).

cu,
Martin

Re: about the privilege for AUTHORIZE

Davor_7 — Mon, 15 Aug 2005 03:41:20 GMT

Martin

you mean that we just can enable/disable the password history function. but cannot define the value for system about how many pwd should be recorded ?

Re: about the privilege for AUTHORIZE

Antoniov. — Mon, 15 Aug 2005 03:42:49 GMT

Davor,
welcome to vms forum :-)

I'm with Davor. For my user, I create a special user with a menu and Ctrl + Y disabled. They can see sysuaf but they cannot modify nothing.

About default, you can nest into help reading examples
UAF>HELP DEFAULT EXAMPLE

DEFAULT

example

UAF>DEFAULT -
/DEVICE=SYS$USER-
/LGICMD=SYS$MANAGER:SECURELGN -
/PRIVILEGES=(TMPMBX,GRPNAM,GROUP)
%UAF-I-MDFYMSG, user record(s) updated

The command in this example modifies the DEFAULT record,
changing the default device, default login command file, and default privileges.

Antonio Vigliotti

Re: about the privilege for AUTHORIZE

Karl Rohwedder — Mon, 15 Aug 2005 04:11:55 GMT

Davor,

pls. see my last message, those limits can be modified with the mentioned logical names.

The lifetime specifies, how long passwords are stored in the history file, the limit defines the number of different passwords a user can use, if he needs more passwords, he will be switched to generated passwords.
That means, if you prolong the lifetime, you must also increase the limit. But this is all descibed in more better words in the 'Guide to system security':
http://h71000.www7.hp.com/doc/732FINAL/aa-rscub-te/aa-rscub-te.HTMl

regards Kalle

Re: about the privilege for AUTHORIZE

Karl Rohwedder — Mon, 15 Aug 2005 04:13:44 GMT

Sorry, I clicked the wrong link, the 'Guide to system security'can be found at:
http://h71000.www7.hp.com/doc/732FINAL/aa-q2hlg-te/aa-q2hlg-te.HTMl

regards Kalle

Re: about the privilege for AUTHORIZE

Martin Vorlaender — Mon, 15 Aug 2005 05:10:35 GMT

I stand corrected. Kalle is right (of course ;-).

cu,
Martin

Re: about the privilege for AUTHORIZE

Davor_7 — Mon, 15 Aug 2005 08:31:47 GMT

thanks all !!

maybe i have a long way to go :)
need your help in the future ^_-

Re: about the privilege for AUTHORIZE

Martin Vorlaender — Mon, 15 Aug 2005 09:28:39 GMT

Davor,

if the answers satisfied your needs, you cn show your appreciation of this free support by assigning points.

cu,
Martin

Re: about the privilege for AUTHORIZE

Robert_Boyd — Tue, 16 Aug 2005 09:07:02 GMT

Davor,

I think you'll want to check out the GETUAI utility (Freeware).

The reason I say that is this:
the documentation for the SYS$GETUAI service says that a user always has the right to call this service to get information about their own username.

Robert

Here is an excerpt:

Description

The Get User Authorization Information service returns authorization information about a specified user.

The contxt value returned by $GETUAI should never be used as a value to the $SETUAI system service.

You examine for a valid login by checking the bits of UAI$V_PWD_EXPIRED and UAI$V_DISUSER, and by doing a comparison of the UAI$_PWD_DATE item code against the UAI$_PWD_LIFETIME item code.

The UAI$V_PWD_EXPIRED bit is only set by the system when the bit UAI$V_DISFORCE_PWD_CHANGE is set in the user's SYSUAF record and the comparison between the UAI$_PWD_DATE and UAI$_PWD_LIFETIME indicates a password is past its valid life.

During a normal login when the UAI$V_DISFORCE_PWD_CHANGE bit is not set, the system compares VAI$_PWD_DATE against UAI$_PWD_LIFETIME and, if expired, forces the user to change the password. With this configuration, the UAI$V_PWD_EXPIRED bit is not set.

During a normal login when the VAI$V_DISFORCE_PWD_EXPIRED is set, the system compares UAI$_PWD_DATE against UAI$_PWD_LIFETIME and, if expired, sets the UAI$_PWD_EXPIRED bit and notifies the user to change the now-expired password. In this case, the user is not forced to change the password.

Required Access or Privileges

Use the following list to determine the privileges required to use the $GETUAI service:

* BYPASS or SYSPRV---Allows access to any record in the user authorization file (UAF).
* GRPPRV---Allows access to any record in the UAF whose UIC group matches that of the requester.
* No privilege---Allows access to any UAF record whose UIC matches that of the requester.
You need read access to the UAF to look up any information other than your own.

Required Quota

None

Related Services

$SETUAI