comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Arch_Muthiah
Honored Contributor

comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Hi,

Env: MACRO 32, OpenVMS 7.3 on Alpha DS10.

UAF$Q_PRIV -- references to user's AUTHPRIVileges.
UAF$Q_DEF_PRIV -- references to user's DEFPRIVileges.

I have a predefined lookup table which has a list of certain security related privileges.

Currently I check the UAF$Q_PRIV list of each user against the privs in the lookup table; this way my prog will list all the users having specific security related AUTHPRIVs.

But there are possibilities where a user can illegally have a certain priv as their DEF PRIV, but not in the AUTHPRIV list.

In this case I have to check each user's DEFPRIV also against my lookup table.

I tested my prog successfully by comparing the user's privs against UAF$Q_PRIV and UAF$Q_DEF_PRIV, but separately.

My question:
Is there any single symbol in the $UAFDEF macro which points to both the AUTHPRIV and DEFPRIV lists of each user? Then instead of testing separately against UAF$Q_PRIV and UAF$Q_DEF_PRIV, I can use that symbol.

OR

Is there any way of using OR or XOR to combine these two lists together, so that I can avoid writing lengthy MACRO 32 code?

Thanks in advance
Archunan
Regards
Archie
19 REPLIES
Hein van den Heuvel
Honored Contributor
Solution

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

[admittedly this is a little out of my expertise area, as I tend to ignore or blast through most security for my (performance oriented) work, so be sure to verify my comments even more so than you should verify any comment a stranger makes in a forum]

You could first OR the PRIV and DEFPRIV masks in your program and then test the bits. No big deal.

But please consider WHY there might be a difference between DEF and AUTH and I think you will determine that you have no business in checking anything but AUTH.

Please consider your statement: "But as there are possibilities where a user can illegally having certain priv as their DEF PRIV, but not in AUTHPRIV list."

How can that be illegal?
If it is illegal, then fix it!

Surely any 'mismatch' is there intentionally, and designed securely.
Perhaps the DEFPRIV allows an action in (SY)LOGIN.COM, while captive and that priv is revoked before letting the user loose.

KISS!

Regards,
Hein.
Arch_Muthiah
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Hein,
Thanks for your response.
Today I will try ORing AUTH and DEFPRIV and I will let you know.

< Please consider your statement: "But as there are possibilities where a user can illegally having certain priv as their DEF PRIV, but not in AUTHPRIV list."

< How can that be illegal?
< If it is illegal, then fix it!

Yes, I accept your points. I found at the customer site that a few users have CMKRNL in DEFPRIV, but not in the AUTHPRIV list. I already asked their sysadmin for the necessary change, but they don't want to do it. So I am left with no option but listing those users too.

Thanks again and expecting more clue on this.

Archunan
Regards
Archie
Robert Gezelter
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Archunan,

I second Hein's comments, as I have done exactly what he described (e.g., created accounts with an elevated privilege purely for the use of the SYLOGIN.COM command procedure, which then disables it). This is a one-way trap door, which is extremely useful, albeit one requiring careful configuration and auditing of the system.

As a quick check, ORing the fields together should be ok, but you want to be careful. Situations such as those described above will show as security hazards, even though they are not really hazards.

- Bob Gezelter, http://www.rlgsc.com
Chapter Author, "OpenVMS Security", Handbook of Information Security (2005)
Jan van den Ende
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Archunan,

I usually see security assessments as a multi-step activity.
In the first, you .OR. the default & auth privs, and eliminate the bulk of accounts as potential problem accounts.
As a NECESSARY second step, EACH account not eliminated by #1 has to be evaluated, and (hopefully) be shown to NEED the special case, but having other constraints to mitigate the risk (like in Bob's example, switching them OFF in SYLOGIN, but many other situations can be construed).
Another way to treat these situations is to look if they can be eliminated altogether by smart use of IDENTIFIERS, INSTALLed images, or PROTECTED SUBSYSTEMS.

But, the most important thing is, that the situation _IS_ scrutinized and if necessary adapted.
That is all too scarce in our business nowadays!

Cheers.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
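The two-step assessment Jan describes (OR the masks to eliminate most accounts, then look at each remaining account and say where the privilege actually comes from) is easy to demonstrate in C, the kind of language Hein suggests for this job. The block below is an added example, not code from anyone in this thread; the record layout, the usernames and the bit positions are constructed placeholders (they are not the real PRV$V_ values or the SYSUAF layout), and the "security-relevant" lookup table is made up to stand in for the poster's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Privilege bit positions used by this example. They are placeholders for
   illustration, NOT the real PRV$V_ values from $PRVDEF. */
enum { BIT_CMKRNL = 0, BIT_SETPRV = 14, BIT_SYSPRV = 28, BIT_BYPASS = 29 };
#define PRIV_BIT(n) ((uint64_t)1 << (n))

enum source { SRC_NONE = 0, SRC_AUTH_ONLY, SRC_DEF_ONLY, SRC_BOTH };

/* Constructed account record holding just the two quadword masks the thread
   is about (standing in for UAF$Q_PRIV and UAF$Q_DEF_PRIV). */
struct account {
    const char *username;
    uint64_t authpriv;
    uint64_t defpriv;
};

/* The "predefined lookup table" of security-relevant privileges (constructed). */
static const struct { const char *name; uint64_t mask; } lookup[] = {
    { "CMKRNL", PRIV_BIT(BIT_CMKRNL) },
    { "SETPRV", PRIV_BIT(BIT_SETPRV) },
    { "SYSPRV", PRIV_BIT(BIT_SYSPRV) },
    { "BYPASS", PRIV_BIT(BIT_BYPASS) },
};
#define LOOKUP_COUNT (sizeof lookup / sizeof lookup[0])

static uint64_t lookup_mask(void) {
    uint64_t m = 0;
    for (size_t i = 0; i < LOOKUP_COUNT; i++) m |= lookup[i].mask;
    return m;
}

/* Step 1: OR the two masks once (the BISQ3 idea) and test the result against
   the table. A zero result eliminates the account from further work. */
uint64_t flagged_privs(uint64_t authpriv, uint64_t defpriv) {
    return (authpriv | defpriv) & lookup_mask();
}

/* Step 2: for a flagged bit, say which field(s) carried it, because a
   DEFPRIV-only grant needs a human to confirm it is the intentional
   "SYLOGIN.COM turns it off" pattern and not a leftover. */
enum source priv_source(uint64_t authpriv, uint64_t defpriv, uint64_t bit) {
    int in_auth = (authpriv & bit) != 0;
    int in_def  = (defpriv  & bit) != 0;
    if (in_auth && in_def) return SRC_BOTH;
    if (in_auth) return SRC_AUTH_ONLY;
    if (in_def)  return SRC_DEF_ONLY;
    return SRC_NONE;
}

/* Prints one line per (account, flagged priv) and returns the number of
   DEFPRIV-only grants, i.e. the items that need manual review. */
int report(const struct account *accts, size_t n) {
    int def_only = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t hits = flagged_privs(accts[i].authpriv, accts[i].defpriv);
        if (hits == 0) continue;                 /* eliminated in step 1 */
        for (size_t j = 0; j < LOOKUP_COUNT; j++) {
            if ((hits & lookup[j].mask) == 0) continue;
            enum source s = priv_source(accts[i].authpriv, accts[i].defpriv, lookup[j].mask);
            const char *how = (s == SRC_BOTH) ? "AUTHPRIV+DEFPRIV"
                            : (s == SRC_AUTH_ONLY) ? "AUTHPRIV only" : "DEFPRIV only";
            const char *note = "";
            if (s == SRC_DEF_ONLY) {
                def_only++;
                /* As noted later in the thread: SETPRV in DEFPRIV alone does
                   nothing, while other privileges granted that way are usable
                   after login until the user turns them off. */
                note = (lookup[j].mask == PRIV_BIT(BIT_SETPRV))
                     ? "  (ineffective without AUTHPRIV)" : "  (usable at login: review)";
            }
            printf("%-10s %-8s %s%s\n", accts[i].username, lookup[j].name, how, note);
        }
    }
    return def_only;
}

/* Constructed sample SYSUAF data, including the DEFPRIV-only CMKRNL case
   described in the thread. Bit 15 stands for some privilege not in the table. */
const struct account sample_accounts[] = {
    { "OPERATOR", PRIV_BIT(BIT_SYSPRV) | PRIV_BIT(BIT_SETPRV), PRIV_BIT(BIT_SYSPRV) },
    { "BATCHUSR", 0,                                           PRIV_BIT(BIT_CMKRNL) },
    { "JSMITH",   PRIV_BIT(15),                                PRIV_BIT(15) },
    { "SETUPACC", 0,                                           PRIV_BIT(BIT_SETPRV) },
};
const size_t sample_count = sizeof sample_accounts / sizeof sample_accounts[0];

int main(void) {
    int n = report(sample_accounts, sample_count);
    printf("%d DEFPRIV-only grant(s) need manual review\n", n);
    return 0;
}
```

The combined OR is only the coarse filter; the value for an auditor is in the second pass, which distinguishes the deliberate "granted in DEFPRIV, revoked by SYLOGIN.COM" pattern Bob describes from a real mistake, and it is that list, not the raw OR, that should go to the customer.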
Arch_Muthiah
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Hein/Bob/Jan,

Thanks for your time responding to my question.

Hein: I tried ORing those AUTH and DEF PRIVs, I did not get the correct result.

I have tried two ways..

1st way
..
..
MY_VAR: .BLKQ UAF$Q_PRIV!UAF$Q_DEF_PRIV
..
..
MOVAB MY_VAR(R6),R6
MOVAL MY_LOOKUPTABLE,R7

; I have used the following method also
; BISQ3 UAF$Q_PRIV,UAF$Q_DEF_PRIV,MY_VAR
; MOVAB MY_VAR(R6),R6
; MOVAL MY_LOOKUPTABLE,R7
..
..
then traversing through the bit set to find the selected privs. It looks like it cleared most of the bits. But
MOVAB UAF$Q_PRIV(R6),R6
MOVAL MY_LOOKUPTABLE,R7
this works fine, even for UAF$Q_DEF_PRIV.

Jan/Bob: I cannot ask the customer to change their setup. They somehow want to have this facility to trace all users' DEFPRIVs also.

Are there any other MACRO DEFs in the system (like $PRTDEF...) which point to all of these PRIVs in a single MACRO symbol?

Thanks
Archunan
Regards
Archie
Hein van den Heuvel
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Hmmm,

Seeing the attempt above one seriously wonders why you are programming in MACRO.

Is there no language on the box you are more familiar with? This stuff can easily be done in Cobol, Fortran, C, whatever.


Why are you looking at $UAFDEF?
You should be using $UAIDEF and $GETUAI.

>>> MY_VAR: .BLKQ UAF$Q_PRIV!UAF$Q_DEF_PRIV

This statement will allocate 444 quadwords = 1 awkward.
This seems hardly what you want or need to do.

You needed something like (untested, and undesirable):

MY_VAR: .QUAD
:
MOVAL record_buffer,R6
:
BISQ3 UAF$Q_PRIV(R6),UAF$Q_DEF_PRIV(R6),MY_VAR
MOVAB MY_VAR, R6
:

Alternatively you could just move the ORred mask into a register and have the routine look in the register directly.

Or you could possibly 'cheat' and just do
BISQ2 UAF$Q_DEF_PRIV(R6),UAF$Q_PRIV(R6)
MOVAB UAF$Q_PRIV(R6),R6


But what you really need to do is to use GETUAI and an itemlist for that. Something along the lines of:

my_priv: .quad
my_def_priv: .quad
:
itemlist: ... UAI$_PRIV .. my_priv ... UAI$_DEF_PRIV .. my_def_priv
:
SYS$GETUAI
BLBC R0, error
BISQ2 my_def_priv,my_priv
MOVAQ my_priv, R6


>> Jan/Bob: I can not ask the customer to change their setup. They somehow want to have this facility to trace all user's DEFPRIV also.

Sure you can! You will probably be doing them a favor

>> Is there any other MACRO DEFs are there in the system (like $PRTDEF...) which points to all of these PRIV in a single MACRO symbol?

Sorry, does not compute.


Hope this helps,
Hein.
Galen Tackett
Valued Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Many, perhaps most, privileges work if you grant them in DEFPRIV but not in AUTHPRIV (though I don't know why one might do this). Also see the P.S. below.

SETPRV, on the other hand, only works if it's in AUTHPRIV. Its presence in DEFPRIV alone is ineffectual.

I haven't explored this sort of thing exhaustively; I wonder if there are other special cases?

Galen

P.S. For some privileges at least, if you grant them in DEFPRIV but not AUTHPRIV, once a user logs in they will be able to use that privilege, though once they SET PROC/PRIV=NOxxx they can't turn it back on. Again, I'm not sure why you'd do this.

Jan van den Ende
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Galen,

re-read Bob Gezelter above for one reason (and there are others along those lines).

About SETPRV: I did not know that! Tested it, and you are right (which you knew, of course).
Never too old to learn, eh? :-)

Cheers.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Galen Tackett
Valued Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Jan,

> re-read Bob Gezelter above for one reason

I just re-read Bob's response. I must have just skimmed it the first time as I missed what he said about temporary privileges. Thanks for pointing me back at it.

Galen
David Jones_21
Trusted Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

I don't know if it is still the case, but a $SETPRV call from kernel mode lets you set any privilege bit except PRV$_SETPRV. Having CMKRNL privilege therefore lets you write a substitute for the "SET PROCESS/PRIVILEGE" command.
I'm looking for marbles all day long.
Arch_Muthiah
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Jan/Hein/Galen/David,

Thanks for your responses.

Hein: I am sorry, the code you suggested does not give the result.

I still need some help to find all the privileges for a user in a single $MACRO symbol.

I tried with $UAFDEF, $PSBDEF, and $ARBPDEF (obsolete in VMS > V7.2), and was unable to find any variable. Still I believe there should be a symbol to hold all PRIVs.

Galen: Your response was informative. Good.
Though I don't want to add any more questions within this thread, for which I still need your assistance, one small additional question....
< SETPRV, on the other hand, only works if it's in AUTHPRIV

---is this the case only with SETPRV?

Note: Yesterday I happened to visit the office multiple times in the night to cooperate with the India branch, so I didn't have enough time to go through your answers. Also I searched the net, but I can't find any "MACRO 32 programming manual". Any idea? (not the VAX instruction reference manual)

Will be back tonight to assign the points.
Thanks.
Archunan
Regards
Archie
Ian Miller.
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

MACRO32 programming manual - I suggest

http://h71000.www7.hp.com/doc/82final/5601/5601PRO.HTML
____________________
Purely Personal Opinion
Hein van den Heuvel
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

>> Hein: I am sorry, the code you suggested does not give the result.

It was just there to show a direction to go into. You'll have to figure out the details.

>> I still need some help to find all the privilieges for a user in a single $MACRO symbol.

There is no single place. You'll have to either run the test against multiple masks, or mask the priv bits together with an OR (BIS).

>> I tried with $UAFDEF, $PSBDEF, and $ARBPDEF (absolete in VMS > V7.2)

UAFDEF is available in SYS$LIBRARY:LIB.MLB
But where do you get the data from?
From GETUAI as recommended? (need UAIDEF)
Directly from the SYSUAF record? (need UAFDEF)
From the running process live data structures?

< SETPRV, on the other hand, only works if it's in AUTHPRIV
---this is the case only with SETPRV?

Yes, best we know. Otherwise it would be too easy to grab setprv.

>> Also I searched the net, I don't find any "MACRO 32 programming manual"?. Any idea? (not VAX instrn reference manual)

What about...
"VAX MACRO and Instruction Set Reference Manual"
http://h71000.www7.hp.com/doc/73final/4515/4515PRO.html

Hein.
Arch_Muthiah
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Thanks for the responses.

Hein:
I get the system info on FAB, RAB, XAB, NAM blocks, using RMS services instead of system services, using UAFDEF symbols directly.
As you have confirmed that there is no single MACRO symbol to get all privs, I guess
I should go ahead and use the UAF$Q_PRIV and UAF$Q_DEF_PRIV symbols separately, one after another. I was a bit reluctant to use this way, as it is difficult: I need to track all the registers (almost some 10 registers) to do so much shifting back and forth to point to specific locations. I am wondering how come there is no facility to get the combined privs in a symbol, and UAF$Q_PRIV ! UAF$Q_DEF_PRIV (ORing) is not working for me.

Ian/Hein:
Thanks for the URL for the docs. Anyway I have this doc; it is not so helpful. But there are some individual people authorized to sell "VAX MACRO Programming guide" related docs; I am trying to find those.

Jan/Wim/Hein/Gillings/Bob/Volker:
Do you know anyone from whom I can get some VAX MACRO programming related documents? (HP or private)

I will appreciate any further assistance on my initial question.

Thanks
Archunan
Regards
Archie
Hein van den Heuvel
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

>> I get the system info on FAB, RAB, XAB, NAM blocks, using RMS services instead of system services, using UAFDEF symbols directly.


Right, that's what I suspected.
And you may need the SYSUAF file to get the USERNAME field data. But beyond that you should consider feeding that username into $GETUAI and obtaining individual field data that way.

Anyway, may we assume that the record buffer you use is strictly for this purpose, and that it is pointed to by R6?
In that case you can do as I suggested earlier, just combine the data from the two fields into one of them. To get the ORred mask into PRIV you could use:

BISQ2 UAF$Q_DEF_PRIV(R6),UAF$Q_PRIV(R6)

Of course this destroys the original PRIV value, leaving just that ORred mask.

And then it seems that for the rest of the code you need to point to the mask to use, again with R6? If so:

MOVAB UAF$Q_PRIV(R6),R6

>> I was bit reluctant/difficult use this way as I need to track all registers (almost some 10 Registers) to do so many shifting back and forth to point to specfic locations.

Use the stack, or local data as intermediate storage!


>> Thanks for the URL for docs. Anyway I have this doc, it is not so helpfull. but there are some individual people authorized to sell out "VAX MACRO Programming guide" related docs, I am trying to find those.

Right.. it is not meant as a tutorial, but as a reference document. It seems strange to try to learn macro this day and age. Why not use C or any other language you happen to have available. Then again, I always enjoyed having learned macro (through years of trial and error :-).

Cheers,
Hein.
Arch_Muthiah
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Hein,

Thanks for your continuous responses to solve my problem. I followed all your suggestions.

Yes, as you said, I cannot use BISQ2 as it shifts the actual bits in UAF$Q_PRIV and UAF$Q_DEF_PRIV, which I need to keep intact throughout the loop for other processing.

I tried BISQ3 with a 3rd operand; it doesn't give the expected result. Also I use R6 to hold UAF$L_UIC plus the ^X2E OFFSET, so I should MOVAB UAF$Q_PRIV!UAF$Q_DEF_PRIV + the effective address of R6 to the R6 register. This was my idea.

But BISQ3 and UAF$Q_PRIV!UAF$Q_DEF_PRIV do not give the expected result, so I have followed the other way I mentioned, that is testing UAF$Q_PRIV and UAF$Q_DEF_PRIV separately.

I completed it and it is working now with the addition of another register.

Thanks for your continuous assistance; I learned new things from your, Jan's and Galen's responses.

Archunan
Regards
Archie
Arch_Muthiah
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Hein/Jan/Ian/Galen/David,

The problem solved with your suggestions and ideas.

I appreciate your responsible continuous assistance with various suggestions which really helped me to solve this and learn new things.

Archunan
Regards
Archie
Arch_Muthiah
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

Hi all,

I am wondering about the lack of responses from Volker, WIM, and John Gillings (Bob went out of this thread with his single response). Really, I always expect some responses from you all.

Anyway Jan, Hein, Ian, Bob, Galen and David helped me.

I have a couple of decision-making questions on moving to Itanium/OpenVMS in the coming days. I want to book your time in advance for that in the coming days.

Archunan
Regards
Archie
Hein van den Heuvel
Honored Contributor

Re: comparing UAF$Q_PRIV and UAF$Q_DEF_PRIV

>> UAF$Q_PRIV!UAF$Q_DEF_PRIV

Now that is scary! :-)
You are ORing the offset (not the data) of one quadword with the offset of another quadword. The result will be a more or less random offset, larger than both.

>> I am wondering on no ressponses from Volker, WIM, and Jhon Gillings

They were watching and saw you were in good hands :-).

John is reducing his presence in this forum due to a conflict of interest. He _loves_ to help, but his real work is to provide support through the official channels, notably for Australian/Asian customers. I'm sure you can all appreciate the precarious trade-off between free advice and official, paid-for support. If more folks would use the points more consistently, then he and other HP employees might be able to justify their much appreciated efforts here more easily, but this is not the case.

>> I have copule of decision making question on moving to Itanium/OpenVMS in the comming days. I want to advance book your timings for that in the comming days.

Be sure to keep your eyes open for the Itanium porting seminars. They are extremely good value considering the top-notch resources teaching the seminars, and the system you get to take home.
The 2006 seminars are about to be announced.

Cheers,
Hein.
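Hein's closing point, that `UAF$Q_PRIV!UAF$Q_DEF_PRIV` ORs two symbol values (offsets into the record) rather than the two masks stored at those offsets, is the root of every failed attempt in this thread, and the difference between BISQ2 (destructive, PRIV overwritten) and BISQ3 into a scratch quadword (both fields kept) is the second lesson. The C program below is an added example written for this thread, not code from any participant; the struct layout and its filler sizes are constructed placeholders that merely put two quadwords at different offsets (they are not the real $UAFDEF offsets, and the mask bits are not real PRV$V_ values), so the "ORed offsets" number it produces is illustrative, not the 444 Hein computed from the real layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout standing in for the SYSUAF record. The filler sizes are
   placeholders chosen only to put the two masks at distinct offsets; they are
   NOT the real UAF$Q_PRIV / UAF$Q_DEF_PRIV offsets from $UAFDEF. */
struct uaf_record {
    uint8_t  header[56];     /* constructed filler */
    uint64_t priv;           /* role of UAF$Q_PRIV, at offset 56 here */
    uint8_t  filler[24];     /* constructed filler */
    uint64_t def_priv;       /* role of UAF$Q_DEF_PRIV, at offset 88 here */
};

/* What `MY_VAR: .BLKQ UAF$Q_PRIV!UAF$Q_DEF_PRIV` evaluates: the assembler ORs
   the two symbol values, which are OFFSETS, and reserves that many quadwords.
   The number is meaningless as a mask and useless as an address (here it even
   lies past the end of the record). */
size_t ored_offsets(void) {
    return offsetof(struct uaf_record, priv) | offsetof(struct uaf_record, def_priv);
}

/* What BISQ3 UAF$Q_PRIV(R6),UAF$Q_DEF_PRIV(R6),MY_VAR does: fetch the quadword
   at each offset from the record base (R6) and OR the fetched VALUES. */
uint64_t ored_masks(const struct uaf_record *r) {
    return r->priv | r->def_priv;
}

/* The same thing spelled out as base + displacement, the way the MACRO operands
   address memory: the displacement is applied per fetch, never ORed beforehand. */
static uint64_t fetch_quad(const void *base, size_t displacement) {
    uint64_t v;
    memcpy(&v, (const uint8_t *)base + displacement, sizeof v);
    return v;
}
uint64_t ored_masks_via_displacements(const struct uaf_record *r) {
    return fetch_quad(r, offsetof(struct uaf_record, priv))
         | fetch_quad(r, offsetof(struct uaf_record, def_priv));
}

/* Hein's "cheat", BISQ2 UAF$Q_DEF_PRIV(R6),UAF$Q_PRIV(R6): ORs in place, so the
   original PRIV value is lost. Returns the new PRIV so the loss is visible. */
uint64_t combine_in_place(struct uaf_record *r) {
    r->priv |= r->def_priv;
    return r->priv;
}

/* Non-destructive alternative (BISQ3 into a scratch quadword): both record
   fields stay intact for the rest of the loop; the combined mask lives apart. */
uint64_t combine_to_scratch(const struct uaf_record *r, uint64_t *scratch) {
    *scratch = r->priv | r->def_priv;
    return *scratch;
}

/* Constructed record: bit 0 set in PRIV only, bit 14 set in DEFPRIV only
   (placeholder bit numbers, not real PRV$V_ values). */
const struct uaf_record sample_record = { .priv = 0x1, .def_priv = 0x4000 };

/* Shows that combine_to_scratch leaves PRIV alone while combine_in_place
   clobbers it; returns 1 when both behave as described above. */
int demo_destructive_vs_scratch(void) {
    struct uaf_record copy = sample_record;
    uint64_t scratch = 0;
    uint64_t via_scratch = combine_to_scratch(&copy, &scratch);
    int priv_intact = (copy.priv == sample_record.priv);
    uint64_t via_bisq2 = combine_in_place(&copy);
    int priv_clobbered = (copy.priv != sample_record.priv);
    return via_scratch == 0x4001 && via_bisq2 == 0x4001 && priv_intact && priv_clobbered;
}

int main(void) {
    printf("offset(priv)=%zu offset(def_priv)=%zu  ORed offsets=%zu (record is only %zu bytes)\n",
           offsetof(struct uaf_record, priv), offsetof(struct uaf_record, def_priv),
           ored_offsets(), sizeof(struct uaf_record));
    printf("ORed masks = 0x%llx\n", (unsigned long long)ored_masks(&sample_record));
    printf("scratch vs in-place check: %s\n", demo_destructive_vs_scratch() ? "ok" : "FAILED");
    return 0;
}
```

The point to carry back to MACRO is that a symbolic offset is only meaningful as the displacement in an operand such as `UAF$Q_PRIV(R6)`; once two displacements are ORed, the result points at nothing in particular, which is why the `.BLKQ` and `MOVAB` variants in the thread "cleared most of the bits". Keeping the combined mask in its own quadword is also what lets the original PRIV and DEFPRIV survive for the rest of the per-user loop.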