Operating System - OpenVMS

Re: undefined symbol error while defining account ownership.

 
shiva27
Frequent Advisor

Re: undefined symbol error while defining account ownership.

Joseph,

This is generic script for all UAF modification of accounts.
Joseph Huber_1
Honored Contributor

Re: undefined symbol error while defining account ownership.

Yes, I understand what it does, but I still find it weird: it takes anything as input, filters out the /PASSWORD and /GENERATE qualifiers, and passes everything else straight to AUTHORIZE for execution.
Why then a procedure at all, and not just invoke AUTHORIZE and let the user do whatever he likes?
If he/she is privileged to do anything in AUTHORIZE, then he can certainly invoke AUTHORIZE to change passwords.

If, on the other hand, this is part of a captive account procedure for an account administrator, then it is a crazy idea to allow everything.
In this case, better let the procedure ask for specific things like the owner string, and let the procedure form the AUTHORIZE command as I recommended earlier.
http://www.mpp.mpg.de/~huber
Jan van den Ende
Honored Contributor

Re: undefined symbol error while defining account ownership.

shiva27,

from your Forum Profile:


I have assigned points to 0 of 77 responses to my questions.


Maybe you can find some time to do some assigning?

http://forums1.itrc.hp.com/service/forums/helptips.do?#33

Mind, I do NOT say you necessarily need to give lots of points. It is fully up to _YOU_ to decide how many. If you consider an answer is not deserving any points, you can also assign 0 ( = zero ) points, and then that answer will no longer be counted as unassigned.
Consider, that every poster took at least the trouble of posting for you!

To easily find your streams with unassigned points, click your own name somewhere.
This will bring up your profile.
Near the bottom of that page, under the caption "My Question(s)" you will find "questions or topics with unassigned points". Clicking that will give all, and only, your questions that still have unassigned postings.

Thanks on behalf of your Forum colleagues.

PS. Nothing personal in this. I try to post it to everyone with this kind of assignment ratio in this forum. If you have received a posting like this before, please do not take offence; none is intended!

PPS. Zero points for THIS entry, please.

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
John Gillings
Honored Contributor

Re: undefined symbol error while defining account ownership.

Shiva,

> This is generic script for all UAF
> modification of accounts

Your script doesn't deal with quotes properly. This is always going to be an issue attempting to build a "meta" DCL script - the level of parsing required to deal with all possible cases of DCL constructs. It's more or less impossible to do it with a sane number of lines of DCL that will execute in a non-geological time.

As written, there are ways to exploit your code to bypass your checks, or do things that you don't want or don't expect. Simple case, try this:

$ hack="/password=newone"
$ robert="+robert'hack'"

now execute your procedure and repeat your test. There won't be an undefined symbol error, nor will your check for /PA be triggered, but your input command:

modify use1/owner="+robert"

WILL change the user's password.

So, your generic script doesn't work, and there's no simple way to do what you want.

There are two basic options... first is to write your own UAF utility in a compiled language, and omit the functions you want to block.

Second is to tell your operators (or whoever uses this command procedure) that all UAF actions are audited, and will be checked for illegal operations. Any that are discovered will lead to disciplinary action.

Ultimately you have to trust people to do the right thing.
A crucible of informative mistakes
shiva27
Frequent Advisor

Re: undefined symbol error while defining account ownership.

Hi

Below is the completed script. When a user executes LOGIN.COM he will get the "Security team menu" to select options.
For changing the ownership of an account, he has to select option "A". Once option A is selected he will get the prompt UAF>

UAF>

Note: If I want to change the account ownership without the "+" sign, this procedure is working fine,

but if I include the "+" it is giving an "undefined symbol" error, as in the screen shot below.

Requirement: Now we need to change all account ownerships with the "+" sign with the help of this procedure.


Can you please suggest how we can accomplish the script in such a way that the "+" sign will be accepted in the account ownership.

Screen shot
==========
Case I:
=======

$ @LOGIN.COM;

Security team GROUP
*************************************************

A : Activate Authorization file
B : Add VCS users (LONDON only)
C : Remove VCS users (LONDON only)
P : Password Maintenance
PS1 : Primary Password change
PS2 : Secondary Password change
LO : Logout


OPTION : a

UAF>modify user2/owner="+david_loong"
%DCL-W-UNDSYM, undefined symbol - check validity and spelling
\david_loong\
%DCL-W-UNDSYM, undefined symbol - check validity and spelling
\david_loong\
%DCL-E-INVIFNEST, invalid IF-THEN-ELSE nesting structure or data inconsistency




Case II:
========
$ @LOGIN.COM;
%CDU-W-NOSUCHVERB, The CLI table does not contain verb name EDIT

security team GROUP
*************************************************

A : Activate Authorization file
B : Add VCS users (LONDON only)
C : Remove VCS users (LONDON only)
P : Password Maintenance
PS1 : Primary Password change
PS2 : Secondary Password change
LO : Logout


OPTION : a

UAF>modify user2/owner="david_loong"
%UAF-I-MDFYMSG, user record(s) updated



Command Procedure:

--------------------------------------------

$ SET ON
$ set command/delete=(edit)
$ SET PROTECTION=(S:RWED,O:RWED,G:RE,W)/DEFAULT
$ SET NOCONTROL=(T,Y)
$
$ olddef = f$environment("DEFAULT")
$!
$ if .not. f$privilege("SYSPRV") then goto nopriv
$ IF F$MODE() .NES. "INTERACTIVE" THEN GOTO BYPASS
$!
$ SELECT_SYS_OPTION:
$ ON CONTROL_Y THEN GOTO FINISH
$ ON WARNING THEN GOTO SELECT_SYS_OPTION
$ ON ERROR THEN GOTO SELECT_SYS_OPTION
$ ON SEVERE_ERROR THEN GOTO SELECT_SYS_OPTION
$ PAUSE :== "WAIT 00:00:03"
$ DISPLAY :== "TYPE SYS$INPUT "
$ SAY :== "Write sys$output "
$ ASK :== "READ SYS$COMMAND/PROMPT="
$ UAF :== "MC AUTHORIZE"
$!
$ DISPLAY

Security TEAM menu
*************************************************

A : Activate Authorization file
B : Add VCS users (LONDON only)
C : Remove VCS users (LONDON only)
P : Password Maintenance
PS1 : Primary Password change
PS2 : Secondary Password change
LO : Logout


$ p1 = ""
$ ASK " OPTION : " P1
$ P1 = F$EDIT(P1,"UPCASE,COLLAPSE")
$ goto main_sys_loop
$!
$Invalid_option:
$ display

!!! Invalid option !!!

$ pause
$ goto select_sys_option
$!
$MAIN_SYS_LOOP:
$!
$ SYS_OPTION :== Invalid_option
$ NODE_NAME = F$TRNLNM("SYS$NODE")
$ if p1 .eqs. "A" then SYS_OPTION :== RUN_AUTHORIZATION ! Authorization
$ if ((p1 .eqs. "B") .or. (p1 .eqs. "C") ) .and. -
( NODE_NAME .nes. "LONDON::" )
$ then
$ write sys$output "Function valid only in LONDON !!"
$ goto select_sys_option
$ endif
$ if p1 .eqs. "B" then SYS_OPTION :== RUN_ADDVCS ! Add VCS
$ if p1 .eqs. "C" then SYS_OPTION :== RUN_REMVCS ! Remove VCS
$ if p1 .eqs. "P" then SYS_OPTION :== PASS_MAINT ! Password Maintenance
$ if p1 .eqs. "PS1" then SYS_OPTION :== PASS_CHANGE1 ! CGE Primary Pass
$ if p1 .eqs. "PS2" then SYS_OPTION :== PASS_CHANGE2 ! CGE Sec Pass
$ if p1 .eqs. "LO" then SYS_OPTION :== LOG_OUT ! LOGOUT
$!
$ say ""
$ goto 'sys_option'
$!
$LOG_OUT:
$ on warning then continue
$ LOGOUT
$ goto select_sys_option
$!
$RUN_AUTHORIZATION:
$ on warning then continue
$ ask "UAF>" action
$ action = f$edit("''action'","UPCASE")
$ IF (F$EDIT(action,"UPCASE,COLLAPSE") .eqs. "EXIT") .or. (F$EDIT(action,"UPCASE,COLLAPSE") .eqs. "EX") THEN GOTO select_sys_option
$!
$ IF (F$LOCATE( "/PA", "''action'") .ne. F$length("''action'")) .or. (F$LOCATE( "/G", "''action'") .ne. F$length("''action'"))
$ then
$ Say "*** Modifying PASSWORD is not permitted"
$ goto RUN_AUTHORIZATION
$ endif
$!
$ UAF 'action'
$ goto RUN_AUTHORIZATION
$!
$RUN_ADDVCS:
$ on warning then continue
$ read/prompt="please specify Username to be added : " sys$command -
vcsuser
$ set def sys$system
$ define/user_mode sys$input sys$command
$ VCS Edit config add user 'vcsuser/mana/auth=*
$ set def 'olddef'
$ goto select_sys_option
$
$RUN_REMVCS:
$ on warning then continue
$ read/prompt="please specify Username to be removed : " sys$command -
vcsuser
$ set def sys$system
$ define/user_mode sys$input sys$command
$ VCS Edit config remove user 'vcsuser
$ set def 'olddef'
$ goto select_sys_option
$!
$PASS_MAINT:
$ on warning then continue
$ define/user_mode sys$input sys$command
$ say ""
$ ask "User Account (Q-TO QUIT): " username
$ username = F$EDIT(username,"UPCASE,TRIM")
$ IF username .EQS. "Q" THEN GOTO select_sys_option
$ IF username .EQS. "" THEN GOTO PASS_MAINT
$ CHK_UIC = F$IDENTIFIER("''username'","NAME_TO_NUMBER")
$ if CHK_UIC .eqs. 0
$ then
$ say "Username or User Identifier does not exist ..."
$ goto PASS_MAINT
$ endif
$!
$ get_passwd_typ:
$ say ""
$ ask "Specify password type (PRI/SEC) : " passwd_typ
$ passwd_typ = F$EDIT(passwd_typ,"UPCASE,TRIM")
$ if (passwd_typ .nes. "PRI") .and. (passwd_typ .nes. "SEC") then goto get_passwd_typ
$!
$ get_passwd:
$ say ""
$ set term/noecho
$ ask "Enter a 8-Character New Password or to clear the password : " passwd
$ set term/echo
$ passwd = f$edit(passwd,"upcase,collapse")
$ if passwd .eqs. "NULL"
$ then
$ UAF modify 'username'/nopass
$ say ""
$ say "Password cleared for account ''username' ..."
$ say ""
$ goto select_sys_option
$ endif
$!
$ say ""
$ set term/noecho
$ ask "Re-Enter the New Password : " passwd_1
$ set term/echo
$ passwd_1 = f$edit(passwd_1,"upcase,collapse")
$!
$ if passwd .nes. passwd_1
$ then
$ say "New password verification error; please try again"
$ goto get_passwd
$ endif
$!
$ if f$length(passwd) .lt. 8
$ then
$ say "%UAF-I-PWDLESSMIN, new password is shorter than minimum password length (8 Char), Pls re-enter new password"
$ goto get_passwd
$ endif
$!
$ if (passwd_typ .eqs. "PRI") .and. (passwd .nes. "NULL") then UAF modify 'username'/pass=('passwd',"")
$ if (passwd_typ .eqs. "SEC") .and. (passwd .nes. "NULL") then UAF modify 'username'/pass=("",'passwd')
$ say ""
$ say "Password reset completed for ''username', New password will expire upon next logon ..."
$ say ""
$ wait 00:00:03
$ goto select_sys_option
$!
$PASS_CHANGE1:
$ on warning then continue
$ define/user_mode sys$input sys$command
$ set pass
$ goto select_sys_option
$!
$PASS_CHANGE2:
$ on warning then continue
$ define/user_mode sys$input sys$command
$ set pass/sec
$ goto select_sys_option
$!
$FINISH:
$ say " "
$ say "!!! Abnormal condition is detected, Logout forced by System !!!"
$ say " "
$ LOGOUT
$!
$nopriv:
$ say "*** Insufficient privilege to run this procedure ***"
$ PAUSE
$ logout
$!
$BYPASS:
$ LOGOUT

-------------------------------------------


Hakan Zanderau ( Anders
Trusted Contributor

Re: undefined symbol error while defining account ownership.

Shiva,

I don't know if this will break anything else, but.......

A Lexical function translates symbols automatically.

Ex.

$ Action="Modify SYSTEM/PASSW=someting"
$ Write Sys$output f$length(action)
28

You don't have to use "''symbol'" ( f$length("''action'") )

so......

I changed the following lines

$ action = f$edit("''action'","UPCASE")
$ IF (F$EDIT(action,"UPCASE,COLLAPSE") .eqs. "EXIT") .or. (F$EDIT(action,"UPCASE,COLLAPSE") .eqs. "EX") THEN GOTO select_sys_option
$!
$ IF (F$LOCATE( "/PA", "''action'") .ne. F$length("''action'")) .or. (F$LOCATE( "/G", "''action'") .ne. F$length("''action'"))

to

$ action = f$edit(action,"UPCASE")
$ IF (F$EDIT(action,"UPCASE,COLLAPSE") .eqs. "EXIT") .or. (F$EDIT(action,"UPCASE,COLLAPSE") .eqs. "EX") THEN GOTO select_sys_option
$!
$ IF (F$LOCATE( "/PA", action) .ne. F$length(action)) .or. (F$LOCATE( "/G", action) .ne. F$length(action))

and now it works....with SPACEs and "+"

Hakan
Don't make it worse by guessing.........
Joseph Huber_1
Honored Contributor

Re: undefined symbol error while defining account ownership.

And still, after Hakan's advice not to substitute action in the f$edit calls, the action will fail unless the string entered by the operator contains the right quotes:
If action is "modify user/owner=+robert",
then UAF 'action' will fail.

I still find the whole run_authorize part nonsense.
It lets the operator execute any AUTHORIZE action. Why not simply invoke AUTHORIZE and let the operator talk to it directly?
Why is it trusting the operator to do everything else, but just not to change passwords?
Like allowing "modify user/flag=disuser" or "remove user".

If the operator is not trusted, then this procedure can only be made secure either by writing a restricted authorize utility as suggested, or by making run_authorize a submenu which offers only selected actions like changing the owner: ask for the new owner string only, not the whole modify command, and then issue the authorize command:
authorize modify 'user'/owner="''owner'"
http://www.mpp.mpg.de/~huber
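As an added example (not code from the thread or from any of its participants), here is what the restricted submenu that John Gillings and Joseph Huber describe could look like in place of the RUN_AUTHORIZATION branch: the operator never types a verb or a qualifier, only a username and an owner string, each of which is validated before the one permitted AUTHORIZE command is built. The label names (SET_OWNER, BAD_USER, BAD_OWNER), the length limits, and the character allowlists are my assumptions; SELECT_SYS_OPTION is the menu label from the posted procedure, and the block assumes the caller has already passed the procedure's own SYSPRV check.

```dcl
$! Added example, not from the original thread: replacement for the
$! RUN_AUTHORIZATION branch. Only one AUTHORIZE command can ever be issued,
$! so /PASSWORD, /NOPASSWORD, /FLAGS, REMOVE and so on cannot be smuggled in,
$! whether by spacing ("/ PASSWORD"), abbreviation, or symbol substitution.
$!
$! Assumptions: SELECT_SYS_OPTION is the menu label of the posted procedure;
$! the 32/31 length limits and the allowed character sets are my choices.
$
$ SET_OWNER:
$ ON CONTROL_Y THEN GOTO SELECT_SYS_OPTION
$ ON WARNING THEN GOTO SET_OWNER
$!
$ READ SYS$COMMAND/PROMPT="Username (Q to quit): " USERNAME
$ USERNAME = F$EDIT(USERNAME,"UPCASE,TRIM")
$ IF USERNAME .EQS. "Q" THEN GOTO SELECT_SYS_OPTION
$!
$! Username allowlist: letters, digits, $ and _ only, 1 to 32 characters.
$! Anything else (spaces, slashes, quotes, apostrophes) is rejected.
$ OK_USER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$_"
$ IF F$LENGTH(USERNAME) .EQ. 0 .OR. F$LENGTH(USERNAME) .GT. 32 THEN GOTO BAD_USER
$ I = 0
$ USER_LOOP:
$   CH = F$EXTRACT(I,1,USERNAME)
$   IF F$LOCATE(CH,OK_USER) .EQ. F$LENGTH(OK_USER) THEN GOTO BAD_USER
$   I = I + 1
$   IF I .LT. F$LENGTH(USERNAME) THEN GOTO USER_LOOP
$!
$! Does the account exist? F$IDENTIFIER returns 0 for an unknown name
$! (same check the posted procedure uses in its PASS_MAINT branch).
$ IF F$IDENTIFIER(USERNAME,"NAME_TO_NUMBER") .EQ. 0 THEN GOTO BAD_USER
$!
$ READ SYS$COMMAND/PROMPT="New owner string: " OWNER
$ OWNER = F$EDIT(OWNER,"TRIM")
$!
$! Owner string: printable characters only, 1 to 31 of them. "+" and spaces
$! are fine because the value is placed inside the double quotes of
$! /OWNER="...", where DCL does not parse it as a qualifier. Double quotes,
$! apostrophes and ampersands are refused rather than escaped, so nothing
$! in the value can close the quoted string or mark a symbol for another
$! round of DCL substitution.
$ IF F$LENGTH(OWNER) .EQ. 0 .OR. F$LENGTH(OWNER) .GT. 31 THEN GOTO BAD_OWNER
$ IF F$LOCATE("""",OWNER) .NE. F$LENGTH(OWNER) THEN GOTO BAD_OWNER
$ IF F$LOCATE("'",OWNER) .NE. F$LENGTH(OWNER) THEN GOTO BAD_OWNER
$ IF F$LOCATE("&",OWNER) .NE. F$LENGTH(OWNER) THEN GOTO BAD_OWNER
$ I = 0
$ OWNER_LOOP:
$   CH = F$EXTRACT(I,1,OWNER)
$   IF CH .LTS. " " .OR. CH .GTS. "~" THEN GOTO BAD_OWNER
$   I = I + 1
$   IF I .LT. F$LENGTH(OWNER) THEN GOTO OWNER_LOOP
$!
$! Build exactly one command from validated data.
$ WRITE SYS$OUTPUT "Setting owner of ''USERNAME' to ''OWNER'"
$ MCR AUTHORIZE MODIFY 'USERNAME'/OWNER="''OWNER'"
$ GOTO SELECT_SYS_OPTION
$!
$ BAD_USER:
$ WRITE SYS$OUTPUT "*** Invalid or unknown username"
$ GOTO SET_OWNER
$ BAD_OWNER:
$ WRITE SYS$OUTPUT "*** Owner must be 1-31 printable characters, no quotes, apostrophes or ampersands"
$ GOTO SET_OWNER
```

The design choice is allowlist over blocklist: the posted procedure tries to recognise the dangerous qualifiers in free text, which fails as soon as the operator spaces them differently or hides them in a symbol, whereas this branch accepts only the two data values it needs and supplies the verb and qualifier itself. The price is that owner strings containing an apostrophe (O'Brien) are refused; an operator who needs one still has to go to AUTHORIZE directly.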
Hakan Zanderau ( Anders
Trusted Contributor

Re: undefined symbol error while defining account ownership.

I totally agree with Joseph,

You are in the hands of the operator(s).
Will they supply data in the right format?

The code can't check the input data for all possible mistakes......

Hakan
Don't make it worse by guessing.........
shiva27
Frequent Advisor

Re: undefined symbol error while defining account ownership.

Hakan/All,

Great!!! It's working; now I'm able to change the ownership successfully.

Thank you very much to all for this help.
Joseph Huber_1
Honored Contributor

Re: undefined symbol error while defining account ownership.

And a tip for a customized authorize program:

http://mvb.saic.com/freeware/freewarev40/dwauth/

And I just built the older dwprofile program from one of the 1990s VMS SIG tapes to work on VMS 7.3-1:
http://wwwvms.mppmu.mpg.de/vmssig/misc/dwprofile.zip

Both can be modified to disable some of the fields for modification.
http://www.mpp.mpg.de/~huber
Joseph Huber_1
Honored Contributor

Re: undefined symbol error while defining account ownership.

Forget the above link for dwprofile, a bit newer and ready for Alpha is in
http://mvb.saic.com/freeware/decwindows/dwprofile24.zip

http://www.mpp.mpg.de/~huber
John Gillings
Honored Contributor

Re: undefined symbol error while defining account ownership.

Shiva,

>Gr8!!! it's working, Now able to change
>the ownership successfully

Did you read my response? Your procedure is NOT working. It's trivially easy to use it to change passwords without your checks noticing. So you've got a whole lot of very flaky and sensitive DCL code that doesn't achieve what you want. Why bother?
A crucible of informative mistakes
Mike Kier
Valued Contributor

Re: undefined symbol error while defining account ownership.

Joseph,

I've just seen over on openvms.org that SAIC have taken down their freeware archive.
Practice Random Acts of VMS Marketing
Joseph Huber_1
Honored Contributor

Re: undefined symbol error while defining account ownership.

>> SAIC have taken down their freeware archive.

What a pity!
http://www.mpp.mpg.de/~huber
Joseph Huber_1
Honored Contributor

Re: undefined symbol error while defining account ownership.

Whatever the future of mvb.saic (especially the vms and lt SIG tapes since 1987!) will be,
the above two decw authorize programs are available:

Patrick Moreau's http://membres.lycos.fr/pmoreau/decw/xutils.html

Jur van Burg's http://www.digiater.nl
http://www.mpp.mpg.de/~huber
shiva27
Frequent Advisor

Re: undefined symbol error while defining account ownership.

Hi John,

Sorry for the late reply. The security team verified their menu options after the script was modified and confirmed that all options are working as expected.

Now I'm going to implement it on all our production servers next week.
Hakan Zanderau ( Anders
Trusted Contributor

Re: undefined symbol error while defining account ownership.

Shiva,

Why don't you listen to what John Gillings is trying to say?

Try this in your script:

UAF> MODIFY SYSTEM/NOPASSWORD

or

UAF> MODIFY SYSTEM / PASSWORD = NEWPASSWORD

Even though you are not authorized to change password, you can do it.

Hakan
Don't make it worse by guessing.........
Hakan Zanderau ( Anders
Trusted Contributor

Re: undefined symbol error while defining account ownership.

OOOppps,....lot of typing errors.

Shiva,

Why don't you listen to what John Gillings is trying to say?

Try this in your script:

UAF> MODIFY SYSTEM/NOPASSWORD

or

UAF> MODIFY SYSTEM / PASSWORD = NEWPASSWORD

( SPACE between "/" and PASSWORD )

Even though you are not authorized to change password, you can do it.

Hakan
Don't make it worse by guessing.........
shiva27
Frequent Advisor

Re: undefined symbol error while defining account ownership.

Hakan,

Sorry for the confusion. Actually they are not using this script to accomplish this task,
but most of the options are the same as in the script I provided you.

So I changed "''action'" -->> action
in the new script and it is going through.