Operating System - OpenVMS

Re: priviledge to reset password

TMcB
Super Advisor

priviledge to reset password

Hi all

What VMS privileges does a user need to be able to reset other users' passwords?
I would like to allow our helpdesk to reset users' passwords and give them an account to do so with the minimum required privileges.
Thanks so much
Richard Brodie_1
Honored Contributor

The AUTHORIZE utility is installed with SYSLCK and AUDIT. Beyond that, access to the SYSUAF (sys$system:sysuaf.dat by default) should be all that is needed.

Creating an ACL on the SYSUAF would do it. Since that would also allow you to create extra accounts, change privileges, etc., it would be good practice not to give a helpdesk account free access to this. The simplest would be making the password-changing account a captive account.
TMcB
Super Advisor

Thanks Richard - indeed, I would use a captive account.
Robert Gezelter
Honored Contributor

TMcB,

When using a captive account, be careful to note that the command procedures need to CHECK THE USER-SUPPLIED INPUTS WITH EXTREME CARE.

The same cautionary notes that apply to back-end web scripts (e.g., CGI using DCL and other languages with string substitution) apply as well to captive account command procedures. One needs to beware of unchecked string substitution; it can create an unintended attack vector.

For example, can the user supply the string "JJDUFFH/PRIV=CMKRNL" as a password? This COULD lead to an unwitting symbol substitution, to wit:
$ AUTHORIZE MODIFY /PASSWORD='NEWPASSWORD' becoming
$ AUTHORIZE MODIFY /PASSWORD=JJDUFFH/PRIV=CMKRNL

Extreme caution is recommended.

- Bob Gezelter, http://www.rlgsc.com
Jan van den Ende
Honored Contributor

TMcB,

As others noted, all kinds of misuse potential (intentional or not) is easily introduced.

We have made that at least a lot more difficult by making a little utility (only accessible by holders of the HELPDESK identifier)
which just takes a username as a parameter.
Then it generates a password by concatenating the current year - month - day - hour - minute.
This is set as the new password and displayed to the helpdesk person to tell the calling user.
... and of course, usernames are checked, and privileged usernames are NOT accepted!

hth

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Hoff
Honored Contributor
Solution

There is a complete username registration and associated password-reset system available for download here:

http://labs.hoffmanlabs.com/node/1260
John Gillings
Honored Contributor

TMcB,

In this case "minimum required" is an oxymoron. Any of the ALL category privileges should do. According to the System Services Reference Manual, for $SETUAI: "You must have SYSPRV privilege to set passwords for any user account (including your own)."

Implementing such a mechanism, while protecting against unauthorised privilege amplification, requires care, as it would be easy to leave loopholes open.

The simplest and most obvious case - preventing your helpdesk operators from modifying the password of SYSTEM and thereby taking control of the system - is but the tip of the iceberg.

Robert's example of DCL qualifier syntax hacking shows that knocking up a DCL script to feed AUTHORIZE has some unexpected pitfalls.

My recommendation would be a program to be installed with SYSPRV which uses $SETUAI and UAI$_PASSWORD. I'd protect the image with an ACL, filter the input username with both an INCLUDE list AND an EXCLUDE list (remember the program has SYSPRV, so the lists can be hidden), and audit every action, again to a protected file.

With appropriate table driven logic, you could define it so that a given user had a set of usernames they're allowed to modify.

A crucible of informative mistakes
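A captive-account command procedure that puts the three replies above together: Bob's warning about symbol substitution (every value that is substituted into the AUTHORIZE command line is checked against an allow list first), Jan's date-derived password with privileged usernames refused, and John's include/exclude lists plus an audit log. This is an added example, not code from the thread or from any of the posters. It drives AUTHORIZE from DCL rather than calling $SETUAI from a compiled image as John recommends; the file names RESET_PW.COM and SYS$MANAGER:PWRESET.LOG, the account names in the two lists, and the assumption that the account running it already holds the SYSUAF access discussed above are all hypothetical.

```dcl
$! RESET_PW.COM (hypothetical name) - captive-account password reset.
$! Added example, not from the thread. Assumes the running account has the
$! SYSUAF access / AUTHORIZE privileges discussed above, and that
$! SYS$MANAGER:PWRESET.LOG (hypothetical) is writable by it but not by helpdesk.
$ SET NOON
$ SET NOCONTROL=Y
$ AUTH := $SYS$SYSTEM:AUTHORIZE
$ allowed  = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_"
$ excluded = ",SYSTEM,FIELD,SYSTEST,SYSTEST_CLIG,DECNET,HELPDESK,"   ! hypothetical
$ included = ",ALICE,BOB,CAROL,"   ! hypothetical include list; "" disables it
$!
$ READ /PROMPT="Username to reset: " /END_OF_FILE=DONE SYS$COMMAND username
$ username = F$EDIT(username, "UPCASE,TRIM")
$ IF F$LENGTH(username) .EQ. 0 .OR. F$LENGTH(username) .GT. 12 THEN GOTO BAD_USERNAME
$!
$! The vulnerable form is one line of unchecked substitution:
$!   $ AUTH MODIFY 'username' /PASSWORD='newpass'
$! With newpass = "JJDUFFH/PRIV=CMKRNL" DCL expands it, before AUTHORIZE parses
$! anything, to:
$!   $ AUTH MODIFY FRED /PASSWORD=JJDUFFH/PRIV=CMKRNL
$! so every substituted value is allow-listed (no "/", "=", quotes or spaces).
$ value = username
$ GOSUB CHECK_CHARS
$ IF .NOT. ok THEN GOTO BAD_USERNAME
$ IF F$LOCATE(",''username',", excluded) .NE. F$LENGTH(excluded) THEN GOTO BAD_USERNAME
$ IF included .NES. "" .AND. F$LOCATE(",''username',", included) .EQ. F$LENGTH(included) -
     THEN GOTO BAD_USERNAME
$!
$! Generated password: current YYYYMMDDHHMM as in Jan's scheme, set pre-expired
$! (/PWDEXPIRED) so the user must pick their own password at first login.
$ now = F$CVTIME("", "COMPARISON")          ! yyyy-mm-dd hh:mm:ss.cc
$ newpass = F$EXTRACT(0,4,now) + F$EXTRACT(5,2,now) + F$EXTRACT(8,2,now) + -
            F$EXTRACT(11,2,now) + F$EXTRACT(14,2,now)
$ value = newpass
$ GOSUB CHECK_CHARS
$ IF .NOT. ok THEN GOTO DONE
$!
$ DEFINE /USER_MODE SYSUAF SYS$SYSTEM:SYSUAF.DAT
$ AUTH MODIFY 'username' /PASSWORD='newpass' /PWDEXPIRED
$ status = $STATUS
$! Audit every attempt, success or failure, to a file the helpdesk cannot edit.
$ OPEN /APPEND audit SYS$MANAGER:PWRESET.LOG
$ WRITE audit F$TIME() + " " + F$EDIT(F$GETJPI("","USERNAME"),"TRIM") + -
              " reset " + username + " : " + F$MESSAGE(status)
$ CLOSE audit
$ IF .NOT. status THEN GOTO DONE
$ WRITE SYS$OUTPUT "Temporary password for ", username, " is ", newpass
$ GOTO DONE
$!
$ CHECK_CHARS:   ! sets ok = 1 only if every character of 'value' is in 'allowed'
$ ok = 0
$ i = 0
$ CHECK_LOOP:
$ IF i .GE. F$LENGTH(value) THEN GOTO CHECK_OK
$ IF F$LOCATE(F$EXTRACT(i,1,value), allowed) .EQ. F$LENGTH(allowed) THEN RETURN
$ i = i + 1
$ GOTO CHECK_LOOP
$ CHECK_OK:
$ ok = 1
$ RETURN
$!
$ BAD_USERNAME:
$ WRITE SYS$OUTPUT "Username rejected"
$ DONE:
$ LOGOUT
```

Install it as the LGICMD of a CAPTIVE helpdesk account. Because the allow list admits only letters, digits, $ and _, neither the unquoted 'username' nor 'newpass' substitution can contain a / or =, so there is no way to append a qualifier such as /PRIV=CMKRNL to the AUTHORIZE command; the exclude list stops a reset of SYSTEM or the helpdesk account itself, and the include list (when non-empty) is the table-driven restriction John describes, extended to a per-operator table if you key it on F$GETJPI("","USERNAME").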
John Gillings
Honored Contributor

TMcB,

Also please note... there is no "d" in the word "Privilege".
A crucible of informative mistakes
TMcB
Super Advisor

Thanks John for pointing out my poor typing skills.

Does anyone know if it's possible to allow a user to change the passwords of a restricted group of users? I'm thinking that I wouldn't want the user to change the SYSTEM account, but would want him to be able to change our standard users.

Thanks
Robert Gezelter
Honored Contributor

TMcB,

Yes. Check the process' rightslist and/or UIC. For example, a group leader (typically member 1 of the group) is permitted to reset the passwords of members of their group. Alternatively, holders of an identifier (e.g., GROUPADMIN_nn) can reset passwords of users in UIC group [nn,*].

- Bob Gezelter, http://www.rlgsc.com