- Re: priviledge to reset password
02-21-2011 03:49 AM
What VMS privileges does a user need to be able to reset other users' passwords?
I would like to allow our helpdesk to reset the users' passwords - and give them an account to do so with the minimum required privileges.
Thanks so much
02-21-2011 04:19 AM
Re: priviledge to reset password
Creating an ACL on the SYSUAF would do it. Since that would allow you to create extra accounts and change privileges etc. also, it would be good practice not to give a helpdesk account free access to this. The simplest would be making the password changing account a captive account.
02-21-2011 04:37 AM
Re: priviledge to reset password
02-21-2011 05:21 AM
Re: priviledge to reset password
When using a captive account, be careful to note that the command procedures need to CHECK THE USER-SUPPLIED INPUTS WITH EXTREME CARE.
The same cautionary notes that apply to back-end web scripts (e.g., CGI using DCL and other languages with string substitution) apply as well to captive account command procedures. One needs to beware unchecked string substitution; it can create an unintended attack vector.
For example, can the user supply a string "JJDUFFH/PRIV=CMKRML" as a password? This COULD lead to an unwitting symbol substitution, to wit:
$ AUTHORIZE MODIFY
$ AUTHORIZE MODIFY
Extreme caution is recommended.
- Bob Gezelter, http://www.rlgsc.com
02-21-2011 05:41 AM
Re: priviledge to reset password
Like others noted, all kinds of misuse potential (intentional or not) are easily introduced.
We have made that at least a lot more difficult by making a little utility (only accessible by holders of HELPDESK identifier)
which just takes a username as parameter.
Then it generates a password by concatenating current year - month - day - hour - minute.
This is set as the new password and displayed to the helpdesk person to tell the calling user.
... and of course, usernames are checked, and privileged usernames are NOT accepted!
hth
Proost.
Have one on me.
jpe
02-21-2011 07:26 AM
Solution
http://labs.hoffmanlabs.com/node/1260
02-21-2011 02:06 PM
Re: priviledge to reset password
In this case "minimum required" is an oxymoron. Any of the ALL category privileges should do. According to the System Services Reference Manual, $SETUAI "You must have SYSPRV privilege to set passwords for any user account (including your own)."
Implementing such a mechanism, while protecting against unauthorised privilege amplification, requires care, as it would be easy to leave loopholes open.
The simplest, and most obvious case - preventing your helpdesk operators from modifying the password of SYSTEM and thereby taking control of the system is but the tip of the iceberg.
Robert's example of DCL qualifier syntax hacking shows that knocking up a DCL script to feed AUTHORIZE has some unexpected pitfalls.
My recommendation would be a program to be installed with SYSPRV which uses $SETUAI and UAI$_PASSWORD. I'd protect the image with an ACL, filter the input username with both an INCLUDE list AND an EXCLUDE list (remember the program has SYSPRV, so the lists can be hidden), and audit every action, again to a protected file.
With appropriate table driven logic, you could define it so that a given user had a set of usernames they're allowed to modify.
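An added example, not code from any poster in this thread, of the checks discussed above: strict validation of the typed username (the captive-procedure warning) and INCLUDE plus EXCLUDE lists with a per-operator table and an audit record (the recommendation in this post). It is plain C covering only the decision and audit logic; the operator names, usernames, table contents and function names are constructed, the operator name is assumed to come from the process rather than from typed input, and the $SETUAI call that would follow an ALLOW is not shown.

```c
#include <stdio.h>
#include <string.h>

enum decision { ALLOW, BAD_NAME, EXCLUDED, NOT_INCLUDED };
/* Constructed sample policy: per-operator INCLUDE sets, one global EXCLUDE list. */
static const struct { const char *op; const char *targets[4]; } include_table[] = {
    { "HELPDESK1", { "JSMITH", "MJONES", NULL } },
    { "HELPDESK2", { "MJONES", "SYSTEM", NULL } },  /* SYSTEM listed by mistake */
};
static const char *const exclude_list[] = { "SYSTEM", "FIELD", "SYSTEST", NULL };

/* 1..12 chars of A-Z 0-9 $ _ (caller upcases first); '/' or '=' is rejected, never stripped. */
static int valid_username(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 12) return 0;
    for (size_t i = 0; i < n; i++)
        if (!strchr("ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_", s[i])) return 0;
    return 1;
}
static int in_list(const char *name, const char *const *list)
{
    for (; *list; list++)
        if (strcmp(name, *list) == 0) return 1;
    return 0;
}
/* The password change would be attempted only when this returns ALLOW. */
enum decision decide(const char *op, const char *target)
{
    if (!valid_username(target)) return BAD_NAME;
    if (in_list(target, exclude_list)) return EXCLUDED;  /* EXCLUDE beats INCLUDE */
    for (size_t i = 0; i < sizeof include_table / sizeof include_table[0]; i++)
        if (!strcmp(op, include_table[i].op) && in_list(target, include_table[i].targets))
            return ALLOW;
    return NOT_INCLUDED;
}
/* Audit record for every attempt; a target that failed validation is not echoed. */
int audit_line(char *buf, size_t len, const char *op, const char *target)
{
    static const char *const text[] = { "ALLOW", "BAD_NAME", "EXCLUDED", "NOT_INCLUDED" };
    enum decision d = decide(op, target);
    return snprintf(buf, len, "op=%s target=%s result=%s",
                    op, d == BAD_NAME ? "<invalid>" : target, text[d]);
}

int main(void)
{
    char line[96];
    audit_line(line, sizeof line, "HELPDESK1", "JJDUFFH/PRIV=CMKRML");
    return puts(line) == EOF;
}
```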
02-21-2011 03:02 PM
Re: priviledge to reset password
Also please note... there is no "d" in the word "Privilege"
02-22-2011 02:55 AM
Re: priviledge to reset password
Does anyone know if it's possible to allow a user to change the password of a restricted group of users? I'm thinking that I wouldn't want the user to change the system account, but would want him to be able to change our standard users.
Thanks
02-22-2011 03:26 AM
Re: priviledge to reset password
Yes. Check the process' rightslist and/or UIC. For example, Group leader (typically Member 1 of the group) is permitted to reset members of their group. Alternatively, holders of an identifier (e.g., GROUPADMIN_nn) can reset passwords of users in UIC group [nn,*].
- Bob Gezelter, http://www.rlgsc.com