It appears that you're running an Ad-Blocker. This site is monetized by Advertising and by User Donations; we ask that if you find this site helpful that you whitelist us in your Ad-Blocker, or make a Donation to help aid in operating costs.
VAX VMS Authorize Utility · Article
Using the VAX/VMS Authorize Utility
Written by Line Shadow on 09/10/88
A Telecom Computer Security Bulletin File Volume One, Number 1, File 9 of 12
--------------------------------------------------------------------------------
Time to play God with your favorite
___ ___ ___ ___ ___ ___ ___
| | | | | | | |
| d | i | g | i | t | a | l |
|___|___|___|___|___|___|___|
VAX/VMS System
In order to put this article to good use, you will have to acquire a high priviledged VAX account. I'm leaving that up to you, as this article is intended for the more advanced VAX hacker. You can expect another article discussing the tricks of the trade as regards getting an account with priviledges of that sort in future articles. Until then, you're on your own.
This is a reference on how to use a powerful utility within VMS that will allow you to create accounts on a digital VAX system. This utility, called the Authorize Utility is located on every VAX system. It can be found in the
SYS$SYSTEM directory (which is a logical name for SYS$SYSROOT:[SYSEXE) under the filename AUTHORIZE.EXE. This is the actual program and you just RUN it.
Along with tons of other files within SYS$SYSTEM, you will find two other files that are manipulated by the Authorize Utility.
Quick definitions for the Command Syntax:
===============================================================================
Qualifier - A qualifier is an optional extension of a main command
(discussed below) whose format consists of:
command/qualifier
Use of brackets - Use of brackets ('[' and ']') placed around a logical-
name indicates that the enclosed item is optional.
Except in the case of specifying directories which
has to have the brackets around the directory name.
Also note that parenthesis arounf a logical name are
required when noted as such.
file-spec,... - Indicates that additional parameters, values, or
information can be entered.
Command Syntax: UAF> command [parameter]
--------------------------------------------------------------------------------
ADD
/[NO]ACCESS[=(range[,...])]
/ACCOUNT=account-name
/[NO]ADD_IDENTIFIER
/ATTRIBUTES=(keyword[,...])
/[NO]BATCH[=(range[,...])]
/BIOLM=value
/BYTLM=value
/CLI=cli-name
/CLITABLES=clitable-name
/CPUTIME=time
/DEFPRIVILEGES=([NO]privname[,...])
/DEVICE=name
/[NO]DIALUP[=(range[,...])]
/DIOLM=value
/DIRECTORY=directory-name
/ENQLM=value
/EXPIRATION=time
/FILLM=value
/GENERATE_PASSWORD[=keyword]
/FLAGS=([NO]option[,...])
/[NO]INTERACTIVE[=(range[,...])]
/JTQUOTA=value
/LGICMD=file-spec
/[NO]LOCAL[=(range[,...])]
/MAXACCTJOBS=value
/MAXDETACH=value
/MAXJOBS=value
/[NO]NETWORK[=(range[,...])]
/OWNER=owner-name
/[NO]PASSWORD=(password[,password2])
/PFLAGS=([NO]option[,...])
/PGFLQUOTA=value
/PRCLM=value
/P_RESTRICT=(range[,...])
/PRIMEDAYS=([NO]day[,...])
/PRIORITY=value
/PRIVILEGES=([NO]privname[,...])
/[NO]PWDEXPIRED
/[NO]PWDLIFETIME=time
/PWDMINIMUM=value
/QUEPRIORITY=value
/[NO]REMOTE[=(range[,...])]
/SFLAGS=([NO]option[,...])
/SHRFILLM=value
/S_RESTRICT=(range[,...])
/TQELM=value
/UIC=uic
/WSDEFAULT=value
/WSEXTENT=value
/WSQUOTA=value
ADD/IDENTIFIER
/ATTRIBUTES=(keyword[,...])
/USER=user-spec
/VALUE=value-specifier
ADD/PROXY
COPY
(Same qualifiers as ADD)
CREATE/PROXY
CREATE/RIGHTS
DEFAULT
(Same qualifiers as ADD)
EXIT
GRANT/IDENTIFIER
/ATTRIBUTES=(keyword[,...])
HELP
(All commands and qualifiers)
LIST
/BRIEF
/FULL
LIST/IDENTIFIER
/BRIEF
/FULL
/USER=user-spec
/VALUE=value-specifier
LIST/PROXY
LIST/RIGHTS
/USER=user-spec
MODIFY
/[NO]ACCESS[=(range[,...])]
/ACCOUNT=account-name
/ASTLM=value
/[NO]BATCH[=(range[,...])]
/BIOLM=value
/BYTLM=value
/CLI=cli-name
/CLITABLES=clitable-name
/CPUTIME=time
/DEFPRIVILEGES=([NO]privname[,...])
/DEVICE=name
/[NO]DIALUP[=(range[,...])]
/DIOLM=value
/DIRECTORY=directory-name
/ENQLM=value
/EXPIRATION=time
/FILLM=value
/FLAGS=([NO]option[,...])
/[NO]INTERACTIVE[=(range[,...])]
/JTQUOTA=value
/LGICMD=file-spec
/[NO]LOCAL[=(range[,...])]
/MAXACCTJOBS=value
/MAXDETACH=value
/MAXJOBS=value
/[NO]MODIFY_IDENTIFIER
/[NO]NETWORK[=(range[,...])]
/OWNER=owner-name
/PASSWORD=(password[,password2])
/PFLAGS=([NO]option[,...])
/PGFLQUOTA=value
/PRCLM=value
/P_RESTRICT=(range[,...])
/PRIMEDAYS=([NO]day[,...])
/PRIORITY=value
/PRIVILEGES=([NO]privname[,...]!
/[NO]PWDEXPIRED
/[NO]PWDLIFETIME=time
/PWDMINIMUM=value
/QUEPRIORITY=value
/[NO]REMOTE[=(range[,...])]
/SFLAGS=([NO]option[,...])
/SHRFILLM=value
/S_RESTRICT=(range[,...])
/TQELM=value
/UIC=uic
/WSDEFAULT=value
/WSEXTENT=value
/WSQUOTA=value
MODIFY/IDENTIFIER
/ATTRIBUTES=(keyword[,...])
/HOLDER=holder-name
/NAME=id-name
/VALUE=value-specifier
MODIFY/SYSTEM_PASSWORD=system-password
REMOVE
/[NO]REMOVE_IDENTIFIER
REMOVE/PROXY
RENAME
/PASSWORD[=(password[,password2])]
/[NO]MODIFY_IDENTIFIER
RENAME/IDENTIFIER
REVOKE/IDENTIFIER
SHOW
/BRIEF
SHOW/IDENTIFIER
/BRIEF
/FULL
/USER=user-spec
/VALUE=value-specifier
SHOW/PROXY
SHOW/RIGHTS
/USER=user-spec
Description:
--------------------------------------------------------------------------------
Using Authorize, you control access to the system and its resources by
o Creating new records and modifying existing records in the system user authorization file (SYS$SYSTEM:SYSUAF.DAT) and the network user authorization
file (SYS$SYSTEM:NETUAF.DAT)
o Creating new records and modifying existing records in the rights database file (SYS$SYSTEM:RIGHTSLIST.DAT)
Command Summary:
--------------------------------------------------------------------------------
ADD
--------------------------------------------------------------------------------
The ADD command will create a new entry in the user authorization file.
Format for creating new entries in SYSUAF.DAT:
ADD newusername [/qualifiers]
Qualifiers:
/ACCESS
/[NO]ACCESS=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]ACCESS="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Used to specify hours of access for all modes of logins. Specify hours as integers from 0 to 23, inclusive. Hours may be specified as single hours (n),
or as ranges of hours (n-m). If the ending hour of a range is earlier than the starting hour, the range extends from the starting hour through midnight
to the the ending hour. The first set of hours after the keyword PRIMARY specifies hours on primary days; the second set of hours after the keyword
SECONDARY specifies hours on secondary days.
All the list elements are optional. If no hours are specified for a day type, access is permitted the entire day. If only primary hours or only secondary
hours are given, no access is permitted for secondary or primary days, respectively. If hours are given with no day type, they apply to both types of days.
Negating the qualifier by specifying /NOACCESS=(...) completely inverts the sense of the access hours.
Examples:
/ACCESS allows unrestricted access
/NOACCESS=SECONDARY allows access on primary days only
/ACCESS=(9-17) allows access from 9am through 5 pm on all days
/NOACCESS=(PRIMARY, 9-17, SECONDARY, 18-8) allows access from 9 through 5 on secondary days and all but 9 through 5 on primary days
/ACCESS="Primary: 9-16; Secondary: 18-7, 8; Primary: 17"
allows access from 9 through 5 on primary days and all but 9 through 5 on secondary days
To specify access hours for specific types of logins, see the /BATCH, /NETWORK, /INTERACTIVE, /LOCAL, /DIALUP, and /REMOTE qualifiers.
/ACCOUNT
/ACCOUNT=account-name
Specifies a default account name. This field is often used for billing purposes, and should consist of 1 through 8 characters.
/ADD_IDENTIFIER
/[NO]ADD_IDENTIFIER
Controls whether an identifier corresponding to the specified username and UIC is added to the rights database. The default is /ADD_IDENTIFIER.
/ASTLM
/ASTLM=n
Specifies the AST queue limit, which is the total number of asynchronous system trap operations and scheduled wakeup requests that can be outstanding
at one time for the user.
/BATCH
/[NO]BATCH=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]BATCH="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for batch jobs. For a detailed description of the interpretation of the access specification, see the /ACCESS qualifier.
/BIOLM
/BIOLM=n
Specifies the total buffered I/O operations that can be outstanding at one time.
/BYTLM
/BYTLM=n
Total number of bytes that can be specified for transfer in outstanding buffered I/O operations.
/CLI
/CLI=cli-name
Name of the default command interpreter.
/CLITABLES
/CLITABLES=table-name
Name of the default command interpreter tables.
/CPUTIME
/CPUTIME=delta-time
Maximum amount of CPU time a user process can take per session. The unit of time must be in delta format. 0 means infinite.
/DEFPRIVILEGES
/DEFPRIVILEGES=([NO]privname [,...])
Specifies the default privileges for the user (i.e., those enabled at login time). A NO prefix removes this privilege from the user; specifying a
privilege without the NO prefix allows the user that privilege.
There are many privileges available with varying degrees of power and potential system impact. Please see the VAX/VMS System Manager's Reference Manual for a more detailed discussion of the available privileges.
/DEVICE
/DEVICE=device-name
Name of default device (must be a direct access device) from one to fifteen characters. The colon is automatically added if omitted. A blank device
is interpreted as SYS$SYSDISK.
/DIALUP
/[NO]DIALUP=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]DIALUP="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for interactive login via dialup terminals. For a detailed description of the interpretation of the access specification,
see the /ACCESS qualifier.
/DIOLM
/DIOLM=n
Total direct (usually disk) I/O operations that can be outstanding at one time.
/DIRECTORY
/DIRECTORY=directory-name
Name of default login directory. Brackets (either or <>) must be supplied.
/ENQLM
/ENQLM=n
Total number of lock requests which may be outstanding at one time.
/EXPIRATION
/EXPIRATION=time
Expiration date and time of the account. Specify as an absolute or combination time.
/FILLM
/FILLM=n
Total number of files that can be open at one time, including active network logical links.
/FLAGS
/FLAGS=([NO]option[,...])
Login flags for this user. Options which may be specified are:
[NO]AUDIT - [do not] audit all security relevant actions
[NO]AUTOLOGIN - [do not] restrict this account to autologins only
[NO]CAPTIVE - [do not] prevent user
[NO]DEFCLI - [do not] prevent user from changing default CLI or CLI tables
[NO]DISCTLY - [do not] disable <CTRL/Y> interrupts
[NO]DISMAIL - [do not] prevent mail delivery to this user
[NO]DISNEWMAIL - [do not] suppress "New Mail..." announcements [NO]DISRECONNECT-[do not] disable automated reconnections
[NO]DISREPORT - [do not] disable time of last login and other security reports
[NO]DISUSER - [do not] disable this account completely
[NO]DISWELCOME - [do not] suppress "Welcome to..." login message [NO]GENPWD - [do not] require user to use generated passwords
[NO]LOCKPWD - [do not] prevent user from changing password
[NO]PWD_EXPIRED- [do not] mark password as expired
[NO]PWD2_EXPIRED-[do not] mark second password as expired
/GENERATE
/GENERATE
/GENERATE=CURRENT
/GENERATE=PRIMARY
/GENERATE=SECONDARY
/GENERATE=BOTH
/GENERATE=ALL
Generate a random password. The formats of the passwords is the same as for the DCL SET PASSWORD /GENERATE command.
/INTERACTIVE
/[NO]INTERACTIVE=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]INTERACTIVE="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:]
[n][,...]"
Specifies hours of access permitted for interactive login via any terminal. For a detailed description of the interpretation of the /ACCESS qualifier.
/JTQUOTA
/JTQUOTA=n
Specifies the initial byte quota with which the job-wide logical name table is to be created with.
/LGICMD
/LGICMD=filespec
Name of login command file. Default device and directory are used to locate the command file.
/LOCAL
/[NO]LOCAL=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]LOCAL="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for interactive login via local terminals. For a detailed description of the interpretation of the access specification, see the /ACCESS qualifier.
/MAXACCTJOBS
/MAXACCTJOBS=n
Interactive and detached processes which may be active at one time for all users which are on the same account as the user for which the qualifier is present.
/MAXDETACH
/MAXDETACH=n
Specifies the maximum number of detached processes with this username that may be active at one time. Processes which cause this count to be exceeded are
terminated.
/MAXJOBS
/MAXJOBS=n
Maximum number of interactive, batch, and detached processes with this username which can be active at one time. Processes which cause this count to
be exceeded are terminated.
/NETWORK
/[NO]NETWORK=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]NETWORK="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for network jobs. For a detailed description of the interpretation of the access specification, see the /ACCESS
qualifier.
/OWNER
/OWNER=owner-name
Name of owner for billing purposes, etc. May be from one to 31 characters.
/PASSWORD
/PASSWORD=(password [,password2])
/NOPASSWORD
Password(s) for login. Must be from 0 to 31 characters in length, and must be composed of alphanumeric characters, dollar signs, and underscores.
To set the first password with no second password, specify
/PASSWORD=password
To set both passwords, specify
/PASSWORD=(password, password2)
To set only the first password leaving the second alone, specify
/PASSWORD=(password, "")
To set only the second password leaving the first alone, specify
/PASSWORD=("", password2)
To clear the second password leaving the first alone, specify
/PASSWORD=""
To clear both passwords, specify
/NOPASSWORD
/PBYTLM
/PBYTLM=n
Paged pool byte count limit.
/PFLAGS
/PFLAGS=([NO]option[,...])
This qualifier is obsolete and is retained for compatibility purposes. For current usage, see the /ACCESS, etc., qualifiers.
Login flags for primary days. Options are:
[NO]DISDIALUP - [do not] prohibit user from dialing in [NO]DISNETWORK - [do not] prohibit user from logging in via a "SET HOST" command.
/PGFLQUOTA
/PGFLQUOTA=n
Total pages that this process can use in the system paging file. Should be a minimum of 2048 for a typical interactive process.
/P_RESTRICT
/P_RESTRICT=(n-m[,...])
or
/P_RESTRICT=(n[,...])
This qualifier is obsolete and is retained for compatibility purposes. For current usage, see the /ACCESS, etc., qualifiers.
Used to specify hours or ranges of hours to restrict user from logging in on primary days.
/P_RESTRICT=(...) is roughly equivale7t to /NOACCESS=(PRIMARY, ...)
/PRCLM
/PRCLM=n
Total number of subprocesses that can exist at one time.
/PRIMEDAYS
/PRIMEDAYS=([NO]day[,...])
Used to define primary and secondary days. A day prefixed with NO becomes a secondary day, and a day without the NO prefix is defined as a primary day.
Primary and secondary day definitions are used in conjunction with the /ACCESS, etc., qualifiers.
/PRIORITY
/PRIORITY=n
Default base priority for user. The priority should be in the range from 0 - 31, and 4 is the default for a timesharing user.
/PRIVILEGES
/PRIVILEGES=([NO]privname[,...])
Specifies authorized privileges for this user. Privileges which are allowed or disallowed for this user. A NO prefix removes this privalege from the user;
specifying a privilege without the NO prefix allows the user that privilege.
There are many privileges available with varying degrees of power and potential system impact. I will make up a list of the priviledges in a future article, until then...set them to ALL! Heheh...
/PWDEXPIRED
/[NO]PWDEXPIRED
Password is [not] pre-expired. When a password is pre-expired, the user is allowed to log in once, at which time he must change his password or be locked out of the system.
/PWDLIFETIME
/PWDLIFETIME=delta-time
/PWDLIFETIME=NONE
Password lifetime. If the date of last password change is older than the password lifetime, when the user logs in, he is issued a warning message and
the password is marked as expired. If there is no password lifetime, the password never expires.
Delta-time is in the form: [dddd-] [hh:mm:ss.cc]
/PWDMINIMUM
/PWDMINIMUM=n
Minimum password length in characters. Note that this value is only enforced by the SET PASSWORD command; passwords in violation of this value may be
specified to AUTHORIZE.
/QUEPRIORITY
/QUEPRIORITY=n
Maximum priority for queuing batch and print jobs. The priority should be in the range from 0 - 31, and 4 is the default value for a timesharing user.
/REMOTE
/[NO]REMOTE=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]REMOTE="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for interactive login via network remote terminals (i.e., SET HOST). For a detailed description of the interpretation
of the access specification, see the /ACCESS qualifier.
/SFLAGS
/SFLAGS=([NO]option[,...])
This qualifier is obsolete and is retained for compatibility purposes. For current usage, see the /ACCESS, etc., qualifiers.
Login flags for secondary days. Options are:
[NO]DISDIALUP - [do not] prohibit user from dialing in [NO]DISNETWORK - [do not] prohibit user from logging in via a "SET HOST" command.
/S_RESTRICT
/S_RESTRICT=(n-m[,...])
or
/S_RESTRICT=(n[,...])
This qualifier is obsolete and is retained for compatibility purposes. For current usage, see the /ACCESS, etc., qualifiers.
Used to specify hours or ranges of hours to restrict user from logging in on secondary days.
/S_RESTRICT=(...) is roughly equivalent to /NOACCESS=(SECONDARY, ...)
/SHRFILLM
/SHRFILLM=n
Maximum number of shared files allowed to be open at one time.
/TQELM
/TQELM=n
Total entries in the timer queue plus the number of temporary common event flag clusters that the user can have at one time.
/UIC
/UIC=uic
User identification code as explained in the VAX/VMS System Manager's Reference Manual. The UIC should have an octal group number and user number, and be
separated by a comma and enclosed in brackets.
/WSDEFAULT
/WSDEFAULT=n
Initial limit of a working set for the user process.
/WSEXTENT
/WSEXTENT=n
Maximum to which the user's process may raise its working set limit when there is free memory available.
/WSQUOTA
/WSQUOTA=n
Maximum to which the user's process may raise the working set limit when system memory is in demand.
ADD/IDENTIFIER
--------------------------------------------------------------------------------
The ADD/IDENTIFIER command is used to add an identifier to the rights database.
Format:
ADD/IDENTIFIER [id-name]
Parameters:
id-name
specifies the name of the identifier to be added to the rights database. If you omit the name, you must specify the /USER qualifier. The id-name is a string of 1 through 32 alphanumeric characters that may contain underscores and dollar signs. The name must contain at least one non-numeric character.
Qualifiers:
/ATTRIBUTES
/ATTRIBUTES=(keyword)
Specifies attributes to be associated with the new identifier. Valid keywords are:
[NO]DYNAMIC
Indicates whether or not unprivileged holders of the identifier may add or remove the identifier from the process rights list. The default is NODYNAMIC.
[NO]RESOURCE
Indicates whether or not holders of the identifier may charge resources to it. The default is NORESOURCE.
/USER
/USER=user-spec
Scans the UAF record(s) of the specified user(s) and creates the appropriate identifiers(s). Specify user-spec by username or UIC. You can user the asterisk
wildcard to specify multiple usernames or UICs: full user of the asterisk and percent wildcards is permitted for user names.
UICs must be in the form [,], [n,], [,n], or [n,n]. A wildcard username specification (i.e., *) creates identifiers alphabetically by username; a wildcard UIC specification (i.e., [,]) creates them in numerical order by UIC.
/VALUE
/VALUE=value-specifier
Specifies the value to be attached to the identifier. Valid formats for the value-specifier are:
IDENTIFIER:integer
An integer value in the range of 32768 to 268435455, or a hexadecimal number in the range %X00008000 to 0FFFFFF UIC:uic
A uic value in the standard UIC format
Examples:
The following examples illustrate the use of the ADD/IDENTIFIER command.
1.
UAF> ADD/IDENTIFIER/VALUE=UIC:[300,011] INVENTORY
identifier INVENTORY value: [000300,000011] added to RIGHTSLIST.DAT
This command adds to the rights database an identifier named INVENTORY. By default, the identifier is not marked as a resource.
2.
UAF> ADD/IDENTIFIER/ATTRIBUTES=(RESOURCE) -
/VALUE=IDENTIFIER:%X80011 PAYROLL identifier PAYROLL value: %X80080011 added to RIGHTSLIST.DAT
This command adds the identifier PAYROLL and marks it as a resource.
ADD/PROXY
Adds a user record to the network UAF.
Format
ADD/PROXY node::remote-user local-user
Parameters:
node
specifies a node name (1 through 6 alphanumberic characters).
remote-user
specifies the username of a user at a remote node. If you specify an asterisk, all users at the specified node can access files of a user specified on the
local node.
local-user
specifies the username of a user on a local node.
Examples:
1.
UAF> ADD/PROXY MISHA::MARCO *
record successfully added NETUAF.DAT
The command in this example specifies that the user MARCO on the remote node MISHA can only access the files of MARCO on the local node.
2.
UAF> ADD/PROXY MISHA::* MARCO
record successfully added to NETUAF.DAT
The command in this example specifies that any user on the remote node MISHA can access the files of MARCO on the local node.
Parameters:
newusername
"newusername" specifies the name of the user to be added to the user authorization file.
COPY
--------------------------------------------------------------------------------
The COPY command is used to make a copy of a record in SYSUAF.DAT. The full range of qualifiers is available for the command in order to change certain
fields in the process of the copy operation.
Format:
COPY existing-username new-username [/qualifiers]
Parameters:
existing-username new-username
existing-username is the source authorization record; new-username is the destination authorization record.
Qualifiers:
(Same qualifiers as ADD)
CREATE
--------------------------------------------------------------------------------
This command will create a Proxy Login File (NETUAF.DAT) if one does not already exist or the rights database (RIGHTSLIST.DAT).
Qualifiers: /PROXY
Creates and initializes a network UAF, NETUAF.DAT. The /PROXY qualifier is required. The file is created with no records and is assigned the following
protection:
(S:RWED,O:RWED,G:RWE,W)
/RIGHTS
Creates and initializes the rights database, RIGHTSLIST.DAT, If it does not already exist. The file is created with no records and is assigned the following
protection:
(S:RWED,0:RWED,G:RWE,W)
Format
CREATE/RIGHTS
Qualifiers: Format CREAT/(PROXY or RIGHTS)/qualifier
/SYSTEM_ID=(integer list)
Specifies the system ID quadword. Only the first two integers are used. The first integer becomes the first longword of the system ID, and the second
integer the second longword. If only one integer is specified, the second longword is set to 0.
DEFAULT
--------------------------------------------------------------------------------
This command enables the user to change any field(s) in the DEFAULT record in SYSUAF.DAT.
Format:
DEFAULT /qualifier [/qualifiers]
Qualifiers:
(Same qualifiers as ADD)
EXIT
--------------------------------------------------------------------------------
The EXIT command terminates AUTHORIZE and returns the user to command language level.
Format:
EXIT
GRANT
--------------------------------------------------------------------------------
The GRANT command grants an identifier name to a user UIC. The /IDENTIFIER is required.
Format
GRANT/IDENTIFIER id-name user-spec
Parameters:
id-name
Specifies the identifier name (see the ADD/IDENTIFIER command).
user-spec
Is an identifier (UIC or non UIC format) that specifies the user (see the ADD/IDENTIFIER command).
Qualifier:
/ATTRIBUTES
/ATTRIBUTES=(keyword)
See the ADD/IDENTIFIER command.
Example:
UAF> GRANT/IDENTIFIER INVENTORY [300,015]
identifier INVENTORY granted to CRAMER
The command in this example grants the identifier INVENTORY to a user with the UIC [300,015]. The user becomes the holder of the identifier and any resources
associated with it.
HELP
--------------------------------------------------------------------------------
Lists and explains the AUTHORIZE commands and qualifiers.
Format
HELP [commmand-name]
Parameter:
command-name
Name of an AUTHORIZE command.
Qualifier:
qualifier-name
Name of an AUTHORIZE qualifier
LIST
--------------------------------------------------------------------------------
The LIST command outputs a listing file which gives information on the records specified. Unless otherwise specified by qualifiers, UAF records are listed.
Qualifiers:
/BRIEF
This qualifier will give an abbreviated listing of the desired record(s). /BRIEF is equivalent to /NOFULL.
/FULL
This qualifier gives complete information on the desired record(s). /FULL is equivalent to /NOBRIEF. /FULL is the default.
LIST/IDENTIFIER
--------------------------------------------------------------------------------
Creates a listing file (RIGHTLIST.LIS) to which identifier information is written.
Format
LIST/IDENTIFIER [id-name]
Parameter:
id-name
Specifies an identifier name. If you omit the identifier name, you must specify /USER or /VALUE.
Qualifiers:
/USER
/USER=user-spec
Specifies one or more users whose identifiers are to be listed. User-spec may be a username or UIC. You can user the asterisk wildcard to specify multip
le usernames or UICs: full use of the asterisk and percent wildcards is permitted for usernames.
UICs must be in the form [,], [,n], or [n,]. A wildcard username specification (i.e., *) lists identifiers alphabetically by username; a wildcard UIC specification (i.e., [,]) lists them numerically by UIC.
/VALUE
/VALUE=value-specifier
Specifies the value of the identifier to be listed. Valid formats for the value-specifier are:
IDENTIFIER:integer
An integer value in the range of 32768 to 268435455, or a hexadecimal number in the range %X00008000 to 0FFFFFFF UIC:uic
A uic value in the standard UIC format
Examples:
UAF> LIST/IDENTIFIER INVENTORY
writing listing file
listing file RIGHTSLIST.LIS complete
The command in this example generates a full listing for the identifier INVENTORY, including its value (in hexadecimal), holders, and attributes.
UAF> LIST/IDENTIFIER/USER=ANDERSON
writing listing file
listing file SYSUAF.LIS complete
This command lists an identifier associated with the user ANDERSON, along with its value and attributes. Note, however, that this is the same result you
would produce had you specified ANDERSON's UIC with the following forms of the command:
UAF> LIST/IDENTIFIER/USER=[300,015]
or
UAF> LIST/IDENTIFIER/VALUE=UIC:[300,015]
LIST/PROXY
--------------------------------------------------------------------------------
Creates a listing file of all the network UAF records. The /PROXY qualifier is required.
Format
LIST/PROXY
Example:
UAF> LIST/PROXY
writing listing file
listing file NETUAF.LIS complete
The command in this example creates a listing file of all the network UAF records.
LIST/RIGHTS
--------------------------------------------------------------------------------
Lists the holders of the specified identifier, or, if /USER is specified, all identifiers held by the specified user(s).
Format
LIST/RIGHTS [id-name]
Parameter:
id-name
This is the name of the identifier (usually the username) associated with the user. If id-name is omitted, you must specify the /USER qualifier.
Qualifier:
/USER
/USER=user-spec
Specifies a user whose identifiers are to be listed. User-spec may be a username or UIC. You can use the asterisk wildcard to specify multiple usernames
or UICs: full user of the asterisk and percent wildcards is permitted for usernames.
UICs must be in the form [,], [n,], [n,n] or [,n]. A wildcard username specification (i.e., *) or wildcard UIC specification (i.e., [,]) lists all identifiers held by users. The wildcard username specification lists holders' usernames alphabetically; the wildcard UIC specification lists them in the numerical order of their UICs.
Example:
UAF> LIST/RIGHTS PAYROLL writing listing file listing file RIGHTSLIST.LIS is complete
The command is this example creates a listing file of all holders of the identifier PAYROLL.
MODIFY
--------------------------------------------------------------------------------
This command allows the user to change any field(s) in any user authorization record(s). Wildcarding of usernames or UICs is allowed.
Format:
MODIFY user-spec /qualifier [/qualifiers]
Qualifier's:
The MODIFY qualifiers are very similar to the ADD qualifiers with the following exceptions:
/[NO]MODIFY_IDENTIFIER rather than /[NO]ADD_IDENTIFIER with the same
parameters
/ASTLM
/ASTLM=value
Specifies the AST queue limit, which is the total number of asynchronous system trap operations and scheduled wakeup requests that can be outstanding at
one time for the user.
MODIFY/IDENTIFIER
Modifies an identifier in the rights database.
Format
MODIFY/IDENTIFIER id-name
Parameter:
id-name
Specifies the name of an identifier to be modified
Qualifiers: /ATTRIBUTES
/ATTRIBUTES=(keyword)
Specifies attributes to be associated with the modified identifier. Valid keywords are:
[NO]DYNAMIC
Indicates whether or not unprivileged holders of the identifier may add or remove the identifier from the process rights list. The default is NODYNAMIC.
[NO]RESOURCE Indicates whether or not holders of the identifier may charge resources to it. The default is NORESOURCE.
If you specify RESOURCE, a holder named with the /HOLDER qualifier gains the right to charge resources to the identifier. If you specify /NORESOURCE, the holder loses the right to charge resources. If you specify NORESOURCE and do not name any holder (if /HOLDER is not specified), all holders lose the right to charge resources.
/HOLDER
/HOLDER=username
Specifies the holder of an identifier whose attributes are to modified. /HOLDER is used only in conjunction with /ATTRIBUTES qualifier. If you specify /HOLDER, the /NAME and /VALUE qualifiers are ignored.
/NAME
/NAME=id-name
Specifies a new id-name to be associated with the identifier.
/VALUE
/VALUE=value-specifier
Specifies a new identifier value. Note, however, that an identifier value cannot be modified from a UIC to a non UIC format or vice versa. Valid formats for the value-specifier are:
IDENTIFIER:integer
An integer value in the range of 32768 to 268435455, or a hexadecimal number in the range %X00008000 to 0FFFFFFF UIC:uic
A uic value in the standard UIC format
Examples:
UAF> MODIFY/IDENTIFIER/VALUE=UIC:[300,21] ACCOUNTING
identifier ACCOUNTING modified
The command in this example changes the old UIC value of the identifier ACCOUNTING to a new value.
UAF> MODIFY/IDENTIFIER/ATTRIBUTES=NORESOURCE/HOLDER=ALLISON ACCOUNTING
identifier ACCOUNTING modified
The command in this example associates the attribute NORESOURCE with the identifier ACCOUNTING in ALLISON's holder record.
MODIFY/SYSTEM_PASSWORD
Sets the system password.
Format
MODIFY/SYSTEM_PASSWORD=system-password
Parameters:
user-spec
The record(s) to be modified may be specified in a variety of ways:
1) wildcarded username (standard DCL wildcarding)
2) wildcarded UIC, as
a) [,]
b) [*,n]
c) [n,*]
3) specific username
4) specific UIC
REMOVE
--------------------------------------------------------------------------------
This command will remove a user authorization record from SYSUAF.DAT.
Format for removing a record from SYSUAF.DAT:
REMOVE username
Parameters:
username
username is the name of the authorization record to be removed from SYSUAF.DAT.
Qualifiers:
/REMOVE_IDENTIFIER
/[NO]REMOVE_IDENTIFIER
Controls whether the identifier corresponding to the specified username in the rights database is removed. The default is /REMOVE_IDENTIFIER.
REMOVE/IDENTIFIER
Removes an identifier from the rights database.
Format
REMOVE/IDENTIFIER id-name
Parameter:
id-name
Specifies the name of an identifier in the rights database.
Example:
UAF> REMOVE/IDENTIFIER Q1SALES
record removed from RIGHTSLIST.DAT
The command in this example deletes the identifier Q1SALES from the rights database.
REMOVE/PROXY
--------------------------------------------------------------------------------
This qualifier changes the context of REMOVE command. Its presence indicates that the intention is to remove a record from the Proxy Login File, NETUAF.DAT.
The format for removing a record from NETUAF.DAT is
REMOVE/PROXY node::remoteusername
Where "node::remoteusername" is an entry in NETUAF.DAT for the local node.
RENAME
This command will change the username for a record in the user authorization file, SYSUAF.DAT. The only parameter qualifier allowed for the RENAME command
is the /PASSWORD qualifier.
Format:
RENAME old-username new-username [/PASSWORD=password]
Qualifiers: /GENERATE
/GENERATE
/GENERATE=CURRENT
/GENERATE=PRIMARY
/GENERATE=SECONDARY
/GENERATE=BOTH
/GENERATE=ALL
Generate a random password. The formats of the passwords is the same as for the DCL SET PASSWORD /GENERATE command.
/MODIFY_IDENTIFIER
/[NO]MODIFY_IDENTIFIER
Controls whether the identifier corresponding to the specified username in the rights database is modified. The default is /MODIFY_IDENTIFIER.
/PASSWORD
/PASSWORD=(password [,password2])
/NOPASSWORD
Password(s) for login. Must be from 0 to 31 characters in length, and must be composed of alphanumeric characters, dollar signs, and underscores.
To set the first password with no second password, specify
/PASSWORD=password
To set both passwords, specify
/PASSWORD=(password, password2)
To set only the first password leaving the second alone, specify
/PASSWORD=(password, "")
To set only the second password leaving the first alone, specify
/PASSWORD=("", password2)
To clear the second password leaving the first alone, specify
/PASSWORD=""
To clear both passwords, specify
/NOPASSWORD
It is important to specify new passwords for a renamed record. Since the user name is taken as part of the input for password verification, the old password
with the new user name will not yield the same result as the original password and user name, and the verification will fail.
RENAME/IDENTIFIER
Renames an identifier in the rights database.
Format
RENAME/IDENTIFIER old-id-name new-id-name
Parameters:
old-id-name
Specifies the name of an identifier to be renamed.
new-id-name
Specifies the new identifier name.
Example:
UAF> RENAME/IDENTIFIER Q1SALES Q2SALES
identifier Q1SALES renamed
The command in this example renames the identifier Q1SALES to Q2SALES.
Parameters
old-username new-username
"old-username" is the username for the authorization record which is to be renamed. "new-username" is the new username for the record.
REVOKE
--------------------------------------------------------------------------------
Revokes an identifier name from a username or UIC identifier. The /IDENTIFIER qualifier is required.
Format
REVOKE/IDENTIFIER id-name user-spec
Parameters:
id-name
Specifies the identifier name (see the ADD/IDENTIFIER command).
user-spec
Is an identifier (UIC or non UIC format) that specifies the user (see the ADD/IDENTIFIER command).
SHOW
--------------------------------------------------------------------------------
The SHOW command outputs a listing of the specified authorization record(s) to the user's terminal. Unless otherwise specified by qualifiers, UAF records are listed.
Format for the authorization file:
SHOW [/qualifiers] user-spec
Qualifiers: /BRIEF
This qualifier will give an abbreviated listing of the desired record(s). /BRIEF is equivalent to /NOFULL. /BRIEF is the default.
/FULL
This qualifier gives complete information on the desired record(s). /FULL is equivalent to /NOBRIEF.
SHOW/IDENTIFIER
--------------------------------------------------------------------------------
Displays information about the identifier on the current
SYS$OUTPUT device.
Format
SHOW/IDENTIFIER [id-name]
Parameter:
id-name
Specifies an identifier name. If you omit the identifier name, you must specify /USER or /VALUE.
Qualifiers: /BRIEF
This qualifier will give an abbreviated listing of the desired record(s). /BRIEF is equivalent to /NOFULL. /BRIEF is the default.
/FULL
This qualifier gives complete information on the desired record(s). /FULL is equivalent to /NOBRIEF.
/USER
/USER=user-spec
Specifies one or more users whose identifiers are to be displayed. User-spec may be XH].+++lKU%9@You can use the asterisk wildcard to specify multiple usernames or UICs: full use of the asterisk and percent wildcards is permitted for usernames.
UICs must be in the form [,], [,n], [n,], or [n,n]. A wildcard username specification (i.e., *) displays identifiers alphabetically by username; a wildcard UIC specification (i.e., [,]) displays them numerically by UIC.
/VALUE
/VALUE=value-specifier
Specifies the value of the identifier to be listed. Valid formats for the value-specifier are:
IDENTIFIER:integer
An integer value in the range of
32768 to 268435455, or a hexadecimal number in the range %X00008000 to 0FFFFFFF
UIC:uic
A uic value in the standard UIC
format
SHOW/PROXY
Displays one or all records in the network UAF. The /PROXY qualifier is required.
Format
SHOW/PROXY node::remote-user
Parameters:
node
Specifies the name of a network node in the network UAF. The asterisk wildcard is permitted in the node specification.
remote-user
Specifies the name of a user on a remote node. The asterisk wildcard is permitted in the remote-user specification.
SHOW/RIGHTS
Displays the names, values, and attributes of all identifiers held by the specified user(s).
Format
SHOW/RIGHTS [user-spec]
Parameter:
user-spec
Is the name of the identifier (usually the username) associated with the user in SYSUAF.DAT. If user-spec is omitted, you must specify the /USER qualifier.
Qualifier: /USER
/USER=user-spec
Specifies one or more users whose identifiers are to be displayed. User-spec may be a username or UIC. You can use the asterisk wildcard to specify multiple usernames or UICs:
full use of the asterisk and percent wildcards is permitted for usernames; UICs must be in the form [,], [,n], [n,], or [n,n].
A wildcard username specification (i.e., *) displays identifiers alphabetically by username; a wildcard UIC specification (i.e., [,]) displays them numerically by UIC.
Parameters:
If a listing is generated from SYSUAF.DAT, then the user may specify "user-spec" in a variety of ways:
1) wildcarded username (standard DCL wildcarding)
2) wildcarded UIC, as
a) [,]
b) [*,n]
c) [n,*]
3) specific username
4) specific UIC.
Phew! After all that, you should be doing just fine using the Authorize
Utility. You can expect summaries of VMS commands, DCL, and other VAX infor- mation in future articles. Now, happy hacking and go play God for a while!
Posted on October 6th, 2009 · Updated on December 31st, 2010
Written by Line Shadow on 09/10/88
A Telecom Computer Security Bulletin File Volume One, Number 1, File 9 of 12
--------------------------------------------------------------------------------
Time to play God with your favorite
___ ___ ___ ___ ___ ___ ___
| | | | | | | |
| d | i | g | i | t | a | l |
|___|___|___|___|___|___|___|
VAX/VMS System
In order to put this article to good use, you will have to acquire a high priviledged VAX account. I'm leaving that up to you, as this article is intended for the more advanced VAX hacker. You can expect another article discussing the tricks of the trade as regards getting an account with priviledges of that sort in future articles. Until then, you're on your own.
This is a reference on how to use a powerful utility within VMS that will allow you to create accounts on a digital VAX system. This utility, called the Authorize Utility is located on every VAX system. It can be found in the
SYS$SYSTEM directory (which is a logical name for SYS$SYSROOT:[SYSEXE
Along with tons of other files within SYS$SYSTEM, you will find two other files that are manipulated by the Authorize Utility.
Quick definitions for the Command Syntax:
===============================================================================
Qualifier - A qualifier is an optional extension of a main command
(discussed below) whose format consists of:
command/qualifier
Use of brackets - Use of brackets ('[' and ']') placed around a logical-
name indicates that the enclosed item is optional.
Except in the case of specifying directories which
has to have the brackets around the directory name.
Also note that parenthesis arounf a logical name are
required when noted as such.
file-spec,... - Indicates that additional parameters, values, or
information can be entered.
Command Syntax: UAF> command [parameter]
--------------------------------------------------------------------------------
ADD
/[NO]ACCESS[=(range[,...])]
/ACCOUNT=account-name
/[NO]ADD_IDENTIFIER
/ATTRIBUTES=(keyword[,...])
/[NO]BATCH[=(range[,...])]
/BIOLM=value
/BYTLM=value
/CLI=cli-name
/CLITABLES=clitable-name
/CPUTIME=time
/DEFPRIVILEGES=([NO]privname[,...])
/DEVICE=name
/[NO]DIALUP[=(range[,...])]
/DIOLM=value
/DIRECTORY=directory-name
/ENQLM=value
/EXPIRATION=time
/FILLM=value
/GENERATE_PASSWORD[=keyword]
/FLAGS=([NO]option[,...])
/[NO]INTERACTIVE[=(range[,...])]
/JTQUOTA=value
/LGICMD=file-spec
/[NO]LOCAL[=(range[,...])]
/MAXACCTJOBS=value
/MAXDETACH=value
/MAXJOBS=value
/[NO]NETWORK[=(range[,...])]
/OWNER=owner-name
/[NO]PASSWORD=(password[,password2])
/PFLAGS=([NO]option[,...])
/PGFLQUOTA=value
/PRCLM=value
/P_RESTRICT=(range[,...])
/PRIMEDAYS=([NO]day[,...])
/PRIORITY=value
/PRIVILEGES=([NO]privname[,...])
/[NO]PWDEXPIRED
/[NO]PWDLIFETIME=time
/PWDMINIMUM=value
/QUEPRIORITY=value
/[NO]REMOTE[=(range[,...])]
/SFLAGS=([NO]option[,...])
/SHRFILLM=value
/S_RESTRICT=(range[,...])
/TQELM=value
/UIC=uic
/WSDEFAULT=value
/WSEXTENT=value
/WSQUOTA=value
ADD/IDENTIFIER
/ATTRIBUTES=(keyword[,...])
/USER=user-spec
/VALUE=value-specifier
ADD/PROXY
COPY
(Same qualifiers as ADD)
CREATE/PROXY
CREATE/RIGHTS
DEFAULT
(Same qualifiers as ADD)
EXIT
GRANT/IDENTIFIER
/ATTRIBUTES=(keyword[,...])
HELP
(All commands and qualifiers)
LIST
/BRIEF
/FULL
LIST/IDENTIFIER
/BRIEF
/FULL
/USER=user-spec
/VALUE=value-specifier
LIST/PROXY
LIST/RIGHTS
/USER=user-spec
MODIFY
/[NO]ACCESS[=(range[,...])]
/ACCOUNT=account-name
/ASTLM=value
/[NO]BATCH[=(range[,...])]
/BIOLM=value
/BYTLM=value
/CLI=cli-name
/CLITABLES=clitable-name
/CPUTIME=time
/DEFPRIVILEGES=([NO]privname[,...])
/DEVICE=name
/[NO]DIALUP[=(range[,...])]
/DIOLM=value
/DIRECTORY=directory-name
/ENQLM=value
/EXPIRATION=time
/FILLM=value
/FLAGS=([NO]option[,...])
/[NO]INTERACTIVE[=(range[,...])]
/JTQUOTA=value
/LGICMD=file-spec
/[NO]LOCAL[=(range[,...])]
/MAXACCTJOBS=value
/MAXDETACH=value
/MAXJOBS=value
/[NO]MODIFY_IDENTIFIER
/[NO]NETWORK[=(range[,...])]
/OWNER=owner-name
/PASSWORD=(password[,password2])
/PFLAGS=([NO]option[,...])
/PGFLQUOTA=value
/PRCLM=value
/P_RESTRICT=(range[,...])
/PRIMEDAYS=([NO]day[,...])
/PRIORITY=value
/PRIVILEGES=([NO]privname[,...]!
/[NO]PWDEXPIRED
/[NO]PWDLIFETIME=time
/PWDMINIMUM=value
/QUEPRIORITY=value
/[NO]REMOTE[=(range[,...])]
/SFLAGS=([NO]option[,...])
/SHRFILLM=value
/S_RESTRICT=(range[,...])
/TQELM=value
/UIC=uic
/WSDEFAULT=value
/WSEXTENT=value
/WSQUOTA=value
MODIFY/IDENTIFIER
/ATTRIBUTES=(keyword[,...])
/HOLDER=holder-name
/NAME=id-name
/VALUE=value-specifier
MODIFY/SYSTEM_PASSWORD=system-password
REMOVE
/[NO]REMOVE_IDENTIFIER
REMOVE/PROXY
RENAME
/PASSWORD[=(password[,password2])]
/[NO]MODIFY_IDENTIFIER
RENAME/IDENTIFIER
REVOKE/IDENTIFIER
SHOW
/BRIEF
SHOW/IDENTIFIER
/BRIEF
/FULL
/USER=user-spec
/VALUE=value-specifier
SHOW/PROXY
SHOW/RIGHTS
/USER=user-spec
Description:
--------------------------------------------------------------------------------
Using Authorize, you control access to the system and its resources by
o Creating new records and modifying existing records in the system user authorization file (SYS$SYSTEM:SYSUAF.DAT) and the network user authorization
file (SYS$SYSTEM:NETUAF.DAT)
o Creating new records and modifying existing records in the rights database file (SYS$SYSTEM:RIGHTSLIST.DAT)
Command Summary:
--------------------------------------------------------------------------------
ADD
--------------------------------------------------------------------------------
The ADD command will create a new entry in the user authorization file.
Format for creating new entries in SYSUAF.DAT:
ADD newusername [/qualifiers]
Qualifiers:
/ACCESS
/[NO]ACCESS=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]ACCESS="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Used to specify hours of access for all modes of logins. Specify hours as integers from 0 to 23, inclusive. Hours may be specified as single hours (n),
or as ranges of hours (n-m). If the ending hour of a range is earlier than the starting hour, the range extends from the starting hour through midnight
to the the ending hour. The first set of hours after the keyword PRIMARY specifies hours on primary days; the second set of hours after the keyword
SECONDARY specifies hours on secondary days.
All the list elements are optional. If no hours are specified for a day type, access is permitted the entire day. If only primary hours or only secondary
hours are given, no access is permitted for secondary or primary days, respectively. If hours are given with no day type, they apply to both types of days.
Negating the qualifier by specifying /NOACCESS=(...) completely inverts the sense of the access hours.
Examples:
/ACCESS allows unrestricted access
/NOACCESS=SECONDARY allows access on primary days only
/ACCESS=(9-17) allows access from 9am through 5 pm on all days
/NOACCESS=(PRIMARY, 9-17, SECONDARY, 18-8) allows access from 9 through 5 on secondary days and all but 9 through 5 on primary days
/ACCESS="Primary: 9-16; Secondary: 18-7, 8; Primary: 17"
allows access from 9 through 5 on primary days and all but 9 through 5 on secondary days
To specify access hours for specific types of logins, see the /BATCH, /NETWORK, /INTERACTIVE, /LOCAL, /DIALUP, and /REMOTE qualifiers.
/ACCOUNT
/ACCOUNT=account-name
Specifies a default account name. This field is often used for billing purposes, and should consist of 1 through 8 characters.
/ADD_IDENTIFIER
/[NO]ADD_IDENTIFIER
Controls whether an identifier corresponding to the specified username and UIC is added to the rights database. The default is /ADD_IDENTIFIER.
/ASTLM
/ASTLM=n
Specifies the AST queue limit, which is the total number of asynchronous system trap operations and scheduled wakeup requests that can be outstanding
at one time for the user.
/BATCH
/[NO]BATCH=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]BATCH="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for batch jobs. For a detailed description of the interpretation of the access specification, see the /ACCESS qualifier.
/BIOLM
/BIOLM=n
Specifies the total buffered I/O operations that can be outstanding at one time.
/BYTLM
/BYTLM=n
Total number of bytes that can be specified for transfer in outstanding buffered I/O operations.
/CLI
/CLI=cli-name
Name of the default command interpreter.
/CLITABLES
/CLITABLES=table-name
Name of the default command interpreter tables.
/CPUTIME
/CPUTIME=delta-time
Maximum amount of CPU time a user process can take per session. The unit of time must be in delta format. 0 means infinite.
/DEFPRIVILEGES
/DEFPRIVILEGES=([NO]privname [,...])
Specifies the default privileges for the user (i.e., those enabled at login time). A NO prefix removes this privilege from the user; specifying a
privilege without the NO prefix allows the user that privilege.
There are many privileges available with varying degrees of power and potential system impact. Please see the VAX/VMS System Manager's Reference Manual for a more detailed discussion of the available privileges.
/DEVICE
/DEVICE=device-name
Name of default device (must be a direct access device) from one to fifteen characters. The colon is automatically added if omitted. A blank device
is interpreted as SYS$SYSDISK.
/DIALUP
/[NO]DIALUP=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]DIALUP="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for interactive login via dialup terminals. For a detailed description of the interpretation of the access specification,
see the /ACCESS qualifier.
/DIOLM
/DIOLM=n
Total direct (usually disk) I/O operations that can be outstanding at one time.
/DIRECTORY
/DIRECTORY=directory-name
Name of default login directory. Brackets (either
/ENQLM
/ENQLM=n
Total number of lock requests which may be outstanding at one time.
/EXPIRATION
/EXPIRATION=time
Expiration date and time of the account. Specify as an absolute or combination time.
/FILLM
/FILLM=n
Total number of files that can be open at one time, including active network logical links.
/FLAGS
/FLAGS=([NO]option[,...])
Login flags for this user. Options which may be specified are:
[NO]AUDIT - [do not] audit all security relevant actions
[NO]AUTOLOGIN - [do not] restrict this account to autologins only
[NO]CAPTIVE - [do not] prevent user
[NO]DEFCLI - [do not] prevent user from changing default CLI or CLI tables
[NO]DISCTLY - [do not] disable <CTRL/Y> interrupts
[NO]DISMAIL - [do not] prevent mail delivery to this user
[NO]DISNEWMAIL - [do not] suppress "New Mail..." announcements [NO]DISRECONNECT-[do not] disable automated reconnections
[NO]DISREPORT - [do not] disable time of last login and other security reports
[NO]DISUSER - [do not] disable this account completely
[NO]DISWELCOME - [do not] suppress "Welcome to..." login message [NO]GENPWD - [do not] require user to use generated passwords
[NO]LOCKPWD - [do not] prevent user from changing password
[NO]PWD_EXPIRED- [do not] mark password as expired
[NO]PWD2_EXPIRED-[do not] mark second password as expired
/GENERATE
/GENERATE
/GENERATE=CURRENT
/GENERATE=PRIMARY
/GENERATE=SECONDARY
/GENERATE=BOTH
/GENERATE=ALL
Generate a random password. The formats of the passwords is the same as for the DCL SET PASSWORD /GENERATE command.
/INTERACTIVE
/[NO]INTERACTIVE=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]INTERACTIVE="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:]
[n][,...]"
Specifies hours of access permitted for interactive login via any terminal. For a detailed description of the interpretation of the /ACCESS qualifier.
/JTQUOTA
/JTQUOTA=n
Specifies the initial byte quota with which the job-wide logical name table is to be created with.
/LGICMD
/LGICMD=filespec
Name of login command file. Default device and directory are used to locate the command file.
/LOCAL
/[NO]LOCAL=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]LOCAL="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for interactive login via local terminals. For a detailed description of the interpretation of the access specification, see the /ACCESS qualifier.
/MAXACCTJOBS
/MAXACCTJOBS=n
Interactive and detached processes which may be active at one time for all users which are on the same account as the user for which the qualifier is present.
/MAXDETACH
/MAXDETACH=n
Specifies the maximum number of detached processes with this username that may be active at one time. Processes which cause this count to be exceeded are
terminated.
/MAXJOBS
/MAXJOBS=n
Maximum number of interactive, batch, and detached processes with this username which can be active at one time. Processes which cause this count to
be exceeded are terminated.
/NETWORK
/[NO]NETWORK=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]NETWORK="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for network jobs. For a detailed description of the interpretation of the access specification, see the /ACCESS
qualifier.
/OWNER
/OWNER=owner-name
Name of owner for billing purposes, etc. May be from one to 31 characters.
/PASSWORD
/PASSWORD=(password [,password2])
/NOPASSWORD
Password(s) for login. Must be from 0 to 31 characters in length, and must be composed of alphanumeric characters, dollar signs, and underscores.
To set the first password with no second password, specify
/PASSWORD=password
To set both passwords, specify
/PASSWORD=(password, password2)
To set only the first password leaving the second alone, specify
/PASSWORD=(password, "")
To set only the second password leaving the first alone, specify
/PASSWORD=("", password2)
To clear the second password leaving the first alone, specify
/PASSWORD=""
To clear both passwords, specify
/NOPASSWORD
/PBYTLM
/PBYTLM=n
Paged pool byte count limit.
/PFLAGS
/PFLAGS=([NO]option[,...])
This qualifier is obsolete and is retained for compatibility purposes. For current usage, see the /ACCESS, etc., qualifiers.
Login flags for primary days. Options are:
[NO]DISDIALUP - [do not] prohibit user from dialing in [NO]DISNETWORK - [do not] prohibit user from logging in via a "SET HOST" command.
/PGFLQUOTA
/PGFLQUOTA=n
Total pages that this process can use in the system paging file. Should be a minimum of 2048 for a typical interactive process.
/P_RESTRICT
/P_RESTRICT=(n-m[,...])
or
/P_RESTRICT=(n[,...])
This qualifier is obsolete and is retained for compatibility purposes. For current usage, see the /ACCESS, etc., qualifiers.
Used to specify hours or ranges of hours to restrict user from logging in on primary days.
/P_RESTRICT=(...) is roughly equivale7t to /NOACCESS=(PRIMARY, ...)
/PRCLM
/PRCLM=n
Total number of subprocesses that can exist at one time.
/PRIMEDAYS
/PRIMEDAYS=([NO]day[,...])
Used to define primary and secondary days. A day prefixed with NO becomes a secondary day, and a day without the NO prefix is defined as a primary day.
Primary and secondary day definitions are used in conjunction with the /ACCESS, etc., qualifiers.
/PRIORITY
/PRIORITY=n
Default base priority for user. The priority should be in the range from 0 - 31, and 4 is the default for a timesharing user.
/PRIVILEGES
/PRIVILEGES=([NO]privname[,...])
Specifies authorized privileges for this user. Privileges which are allowed or disallowed for this user. A NO prefix removes this privalege from the user;
specifying a privilege without the NO prefix allows the user that privilege.
There are many privileges available with varying degrees of power and potential system impact. I will make up a list of the priviledges in a future article, until then...set them to ALL! Heheh...
/PWDEXPIRED
/[NO]PWDEXPIRED
Password is [not] pre-expired. When a password is pre-expired, the user is allowed to log in once, at which time he must change his password or be locked out of the system.
/PWDLIFETIME
/PWDLIFETIME=delta-time
/PWDLIFETIME=NONE
Password lifetime. If the date of last password change is older than the password lifetime, when the user logs in, he is issued a warning message and
the password is marked as expired. If there is no password lifetime, the password never expires.
Delta-time is in the form: [dddd-] [hh:mm:ss.cc]
/PWDMINIMUM
/PWDMINIMUM=n
Minimum password length in characters. Note that this value is only enforced by the SET PASSWORD command; passwords in violation of this value may be
specified to AUTHORIZE.
/QUEPRIORITY
/QUEPRIORITY=n
Maximum priority for queuing batch and print jobs. The priority should be in the range from 0 - 31, and 4 is the default value for a timesharing user.
/REMOTE
/[NO]REMOTE=([PRIMARY], [n-m], [n] [,...] [SECONDARY], [n-m], [n] [,...]) /[NO]REMOTE="[PRIMARY][:] [n-m][,] [n][,...][;] [SECONDARY][:] [n-m][,...]"
Specifies hours of access permitted for interactive login via network remote terminals (i.e., SET HOST). For a detailed description of the interpretation
of the access specification, see the /ACCESS qualifier.
/SFLAGS
/SFLAGS=([NO]option[,...])
This qualifier is obsolete and is retained for compatibility purposes. For current usage, see the /ACCESS, etc., qualifiers.
Login flags for secondary days. Options are:
[NO]DISDIALUP - [do not] prohibit user from dialing in [NO]DISNETWORK - [do not] prohibit user from logging in via a "SET HOST" command.
/S_RESTRICT
/S_RESTRICT=(n-m[,...])
or
/S_RESTRICT=(n[,...])
This qualifier is obsolete and is retained for compatibility purposes. For current usage, see the /ACCESS, etc., qualifiers.
Used to specify hours or ranges of hours to restrict user from logging in on secondary days.
/S_RESTRICT=(...) is roughly equivalent to /NOACCESS=(SECONDARY, ...)
/SHRFILLM
/SHRFILLM=n
Maximum number of shared files allowed to be open at one time.
/TQELM
/TQELM=n
Total entries in the timer queue plus the number of temporary common event flag clusters that the user can have at one time.
/UIC
/UIC=uic
User identification code as explained in the VAX/VMS System Manager's Reference Manual. The UIC should have an octal group number and user number, and be
separated by a comma and enclosed in brackets.
/WSDEFAULT
/WSDEFAULT=n
Initial limit of a working set for the user process.
/WSEXTENT
/WSEXTENT=n
Maximum to which the user's process may raise its working set limit when there is free memory available.
/WSQUOTA
/WSQUOTA=n
Maximum to which the user's process may raise the working set limit when system memory is in demand.
ADD/IDENTIFIER
--------------------------------------------------------------------------------
The ADD/IDENTIFIER command is used to add an identifier to the rights database.
Format:
ADD/IDENTIFIER [id-name]
Parameters:
id-name
specifies the name of the identifier to be added to the rights database. If you omit the name, you must specify the /USER qualifier. The id-name is a string of 1 through 32 alphanumeric characters that may contain underscores and dollar signs. The name must contain at least one non-numeric character.
Qualifiers:
/ATTRIBUTES
/ATTRIBUTES=(keyword)
Specifies attributes to be associated with the new identifier. Valid keywords are:
[NO]DYNAMIC
Indicates whether or not unprivileged holders of the identifier may add or remove the identifier from the process rights list. The default is NODYNAMIC.
[NO]RESOURCE
Indicates whether or not holders of the identifier may charge resources to it. The default is NORESOURCE.
/USER
/USER=user-spec
Scans the UAF record(s) of the specified user(s) and creates the appropriate identifiers(s). Specify user-spec by username or UIC. You can user the asterisk
wildcard to specify multiple usernames or UICs: full user of the asterisk and percent wildcards is permitted for user names.
UICs must be in the form [,], [n,], [,n], or [n,n]. A wildcard username specification (i.e., *) creates identifiers alphabetically by username; a wildcard UIC specification (i.e., [,]) creates them in numerical order by UIC.
/VALUE
/VALUE=value-specifier
Specifies the value to be attached to the identifier. Valid formats for the value-specifier are:
IDENTIFIER:integer
An integer value in the range of 32768 to 268435455, or a hexadecimal number in the range %X00008000 to 0FFFFFF UIC:uic
A uic value in the standard UIC format
Examples:
The following examples illustrate the use of the ADD/IDENTIFIER command.
1.
UAF> ADD/IDENTIFIER/VALUE=UIC:[300,011] INVENTORY
identifier INVENTORY value: [000300,000011] added to RIGHTSLIST.DAT
This command adds to the rights database an identifier named INVENTORY. By default, the identifier is not marked as a resource.
2.
UAF> ADD/IDENTIFIER/ATTRIBUTES=(RESOURCE) -
/VALUE=IDENTIFIER:%X80011 PAYROLL identifier PAYROLL value: %X80080011 added to RIGHTSLIST.DAT
This command adds the identifier PAYROLL and marks it as a resource.
ADD/PROXY
Adds a user record to the network UAF.
Format
ADD/PROXY node::remote-user local-user
Parameters:
node
specifies a node name (1 through 6 alphanumberic characters).
remote-user
specifies the username of a user at a remote node. If you specify an asterisk, all users at the specified node can access files of a user specified on the
local node.
local-user
specifies the username of a user on a local node.
Examples:
1.
UAF> ADD/PROXY MISHA::MARCO *
record successfully added NETUAF.DAT
The command in this example specifies that the user MARCO on the remote node MISHA can only access the files of MARCO on the local node.
2.
UAF> ADD/PROXY MISHA::* MARCO
record successfully added to NETUAF.DAT
The command in this example specifies that any user on the remote node MISHA can access the files of MARCO on the local node.
Parameters:
newusername
"newusername" specifies the name of the user to be added to the user authorization file.
COPY
--------------------------------------------------------------------------------
The COPY command is used to make a copy of a record in SYSUAF.DAT. The full range of qualifiers is available for the command in order to change certain
fields in the process of the copy operation.
Format:
COPY existing-username new-username [/qualifiers]
Parameters:
existing-username new-username
existing-username is the source authorization record; new-username is the destination authorization record.
Qualifiers:
(Same qualifiers as ADD)
CREATE
--------------------------------------------------------------------------------
This command will create a Proxy Login File (NETUAF.DAT) if one does not already exist or the rights database (RIGHTSLIST.DAT).
Qualifiers: /PROXY
Creates and initializes a network UAF, NETUAF.DAT. The /PROXY qualifier is required. The file is created with no records and is assigned the following
protection:
(S:RWED,O:RWED,G:RWE,W)
/RIGHTS
Creates and initializes the rights database, RIGHTSLIST.DAT, If it does not already exist. The file is created with no records and is assigned the following
protection:
(S:RWED,0:RWED,G:RWE,W)
Format
CREATE/RIGHTS
Qualifiers: Format CREAT/(PROXY or RIGHTS)/qualifier
/SYSTEM_ID=(integer list)
Specifies the system ID quadword. Only the first two integers are used. The first integer becomes the first longword of the system ID, and the second
integer the second longword. If only one integer is specified, the second longword is set to 0.
DEFAULT
--------------------------------------------------------------------------------
This command enables the user to change any field(s) in the DEFAULT record in SYSUAF.DAT.
Format:
DEFAULT /qualifier [/qualifiers]
Qualifiers:
(Same qualifiers as ADD)
EXIT
--------------------------------------------------------------------------------
The EXIT command terminates AUTHORIZE and returns the user to command language level.
Format:
EXIT
GRANT
--------------------------------------------------------------------------------
The GRANT command grants an identifier name to a user UIC. The /IDENTIFIER is required.
Format
GRANT/IDENTIFIER id-name user-spec
Parameters:
id-name
Specifies the identifier name (see the ADD/IDENTIFIER command).
user-spec
Is an identifier (UIC or non UIC format) that specifies the user (see the ADD/IDENTIFIER command).
Qualifier:
/ATTRIBUTES
/ATTRIBUTES=(keyword)
See the ADD/IDENTIFIER command.
Example:
UAF> GRANT/IDENTIFIER INVENTORY [300,015]
identifier INVENTORY granted to CRAMER
The command in this example grants the identifier INVENTORY to a user with the UIC [300,015]. The user becomes the holder of the identifier and any resources
associated with it.
HELP
--------------------------------------------------------------------------------
Lists and explains the AUTHORIZE commands and qualifiers.
Format
HELP [commmand-name]
Parameter:
command-name
Name of an AUTHORIZE command.
Qualifier:
qualifier-name
Name of an AUTHORIZE qualifier
LIST
--------------------------------------------------------------------------------
The LIST command outputs a listing file which gives information on the records specified. Unless otherwise specified by qualifiers, UAF records are listed.
Qualifiers:
/BRIEF
This qualifier will give an abbreviated listing of the desired record(s). /BRIEF is equivalent to /NOFULL.
/FULL
This qualifier gives complete information on the desired record(s). /FULL is equivalent to /NOBRIEF. /FULL is the default.
LIST/IDENTIFIER
--------------------------------------------------------------------------------
Creates a listing file (RIGHTLIST.LIS) to which identifier information is written.
Format
LIST/IDENTIFIER [id-name]
Parameter:
id-name
Specifies an identifier name. If you omit the identifier name, you must specify /USER or /VALUE.
Qualifiers:
/USER
/USER=user-spec
Specifies one or more users whose identifiers are to be listed. User-spec may be a username or UIC. You can user the asterisk wildcard to specify multip
le usernames or UICs: full use of the asterisk and percent wildcards is permitted for usernames.
UICs must be in the form [,], [,n], or [n,]. A wildcard username specification (i.e., *) lists identifiers alphabetically by username; a wildcard UIC specification (i.e., [,]) lists them numerically by UIC.
/VALUE
/VALUE=value-specifier
Specifies the value of the identifier to be listed. Valid formats for the value-specifier are:
IDENTIFIER:integer
An integer value in the range of 32768 to 268435455, or a hexadecimal number in the range %X00008000 to 0FFFFFFF UIC:uic
A uic value in the standard UIC format
Examples:
UAF> LIST/IDENTIFIER INVENTORY
writing listing file
listing file RIGHTSLIST.LIS complete
The command in this example generates a full listing for the identifier INVENTORY, including its value (in hexadecimal), holders, and attributes.
UAF> LIST/IDENTIFIER/USER=ANDERSON
writing listing file
listing file SYSUAF.LIS complete
This command lists an identifier associated with the user ANDERSON, along with its value and attributes. Note, however, that this is the same result you
would produce had you specified ANDERSON's UIC with the following forms of the command:
UAF> LIST/IDENTIFIER/USER=[300,015]
or
UAF> LIST/IDENTIFIER/VALUE=UIC:[300,015]
LIST/PROXY
--------------------------------------------------------------------------------
Creates a listing file of all the network UAF records. The /PROXY qualifier is required.
Format
LIST/PROXY
Example:
UAF> LIST/PROXY
writing listing file
listing file NETUAF.LIS complete
The command in this example creates a listing file of all the network UAF records.
LIST/RIGHTS
--------------------------------------------------------------------------------
Lists the holders of the specified identifier, or, if /USER is specified, all identifiers held by the specified user(s).
Format
LIST/RIGHTS [id-name]
Parameter:
id-name
This is the name of the identifier (usually the username) associated with the user. If id-name is omitted, you must specify the /USER qualifier.
Qualifier:
/USER
/USER=user-spec
Specifies a user whose identifiers are to be listed. User-spec may be a username or UIC. You can use the asterisk wildcard to specify multiple usernames
or UICs: full user of the asterisk and percent wildcards is permitted for usernames.
UICs must be in the form [,], [n,], [n,n] or [,n]. A wildcard username specification (i.e., *) or wildcard UIC specification (i.e., [,]) lists all identifiers held by users. The wildcard username specification lists holders' usernames alphabetically; the wildcard UIC specification lists them in the numerical order of their UICs.
Example:
UAF> LIST/RIGHTS PAYROLL writing listing file listing file RIGHTSLIST.LIS is complete
The command is this example creates a listing file of all holders of the identifier PAYROLL.
MODIFY
--------------------------------------------------------------------------------
This command allows the user to change any field(s) in any user authorization record(s). Wildcarding of usernames or UICs is allowed.
Format:
MODIFY user-spec /qualifier [/qualifiers]
Qualifier's:
The MODIFY qualifiers are very similar to the ADD qualifiers with the following exceptions:
/[NO]MODIFY_IDENTIFIER rather than /[NO]ADD_IDENTIFIER with the same
parameters
/ASTLM
/ASTLM=value
Specifies the AST queue limit, which is the total number of asynchronous system trap operations and scheduled wakeup requests that can be outstanding at
one time for the user.
MODIFY/IDENTIFIER
Modifies an identifier in the rights database.
Format
MODIFY/IDENTIFIER id-name
Parameter:
id-name
Specifies the name of an identifier to be modified
Qualifiers: /ATTRIBUTES
/ATTRIBUTES=(keyword)
Specifies attributes to be associated with the modified identifier. Valid keywords are:
[NO]DYNAMIC
Indicates whether or not unprivileged holders of the identifier may add or remove the identifier from the process rights list. The default is NODYNAMIC.
[NO]RESOURCE Indicates whether or not holders of the identifier may charge resources to it. The default is NORESOURCE.
If you specify RESOURCE, a holder named with the /HOLDER qualifier gains the right to charge resources to the identifier. If you specify /NORESOURCE, the holder loses the right to charge resources. If you specify NORESOURCE and do not name any holder (if /HOLDER is not specified), all holders lose the right to charge resources.
/HOLDER
/HOLDER=username
Specifies the holder of an identifier whose attributes are to modified. /HOLDER is used only in conjunction with /ATTRIBUTES qualifier. If you specify /HOLDER, the /NAME and /VALUE qualifiers are ignored.
/NAME
/NAME=id-name
Specifies a new id-name to be associated with the identifier.
/VALUE
/VALUE=value-specifier
Specifies a new identifier value. Note, however, that an identifier value cannot be modified from a UIC to a non UIC format or vice versa. Valid formats for the value-specifier are:
IDENTIFIER:integer
An integer value in the range of 32768 to 268435455, or a hexadecimal number in the range %X00008000 to 0FFFFFFF UIC:uic
A uic value in the standard UIC format
Examples:
UAF> MODIFY/IDENTIFIER/VALUE=UIC:[300,21] ACCOUNTING
identifier ACCOUNTING modified
The command in this example changes the old UIC value of the identifier ACCOUNTING to a new value.
UAF> MODIFY/IDENTIFIER/ATTRIBUTES=NORESOURCE/HOLDER=ALLISON ACCOUNTING
identifier ACCOUNTING modified
The command in this example associates the attribute NORESOURCE with the identifier ACCOUNTING in ALLISON's holder record.
MODIFY/SYSTEM_PASSWORD
Sets the system password.
Format
MODIFY/SYSTEM_PASSWORD=system-password
Parameters:
user-spec
The record(s) to be modified may be specified in a variety of ways:
1) wildcarded username (standard DCL wildcarding)
2) wildcarded UIC, as
a) [,]
b) [*,n]
c) [n,*]
3) specific username
4) specific UIC
REMOVE
--------------------------------------------------------------------------------
This command will remove a user authorization record from SYSUAF.DAT.
Format for removing a record from SYSUAF.DAT:
REMOVE username
Parameters:
username
username is the name of the authorization record to be removed from SYSUAF.DAT.
Qualifiers:
/REMOVE_IDENTIFIER
/[NO]REMOVE_IDENTIFIER
Controls whether the identifier corresponding to the specified username in the rights database is removed. The default is /REMOVE_IDENTIFIER.
REMOVE/IDENTIFIER
Removes an identifier from the rights database.
Format
REMOVE/IDENTIFIER id-name
Parameter:
id-name
Specifies the name of an identifier in the rights database.
Example:
UAF> REMOVE/IDENTIFIER Q1SALES
record removed from RIGHTSLIST.DAT
The command in this example deletes the identifier Q1SALES from the rights database.
REMOVE/PROXY
--------------------------------------------------------------------------------
This qualifier changes the context of REMOVE command. Its presence indicates that the intention is to remove a record from the Proxy Login File, NETUAF.DAT.
The format for removing a record from NETUAF.DAT is
REMOVE/PROXY node::remoteusername
Where "node::remoteusername" is an entry in NETUAF.DAT for the local node.
RENAME
This command will change the username for a record in the user authorization file, SYSUAF.DAT. The only parameter qualifier allowed for the RENAME command
is the /PASSWORD qualifier.
Format:
RENAME old-username new-username [/PASSWORD=password]
Qualifiers: /GENERATE
/GENERATE
/GENERATE=CURRENT
/GENERATE=PRIMARY
/GENERATE=SECONDARY
/GENERATE=BOTH
/GENERATE=ALL
Generate a random password. The formats of the passwords is the same as for the DCL SET PASSWORD /GENERATE command.
/MODIFY_IDENTIFIER
/[NO]MODIFY_IDENTIFIER
Controls whether the identifier corresponding to the specified username in the rights database is modified. The default is /MODIFY_IDENTIFIER.
/PASSWORD
/PASSWORD=(password [,password2])
/NOPASSWORD
Password(s) for login. Must be from 0 to 31 characters in length, and must be composed of alphanumeric characters, dollar signs, and underscores.
To set the first password with no second password, specify
/PASSWORD=password
To set both passwords, specify
/PASSWORD=(password, password2)
To set only the first password leaving the second alone, specify
/PASSWORD=(password, "")
To set only the second password leaving the first alone, specify
/PASSWORD=("", password2)
To clear the second password leaving the first alone, specify
/PASSWORD=""
To clear both passwords, specify
/NOPASSWORD
It is important to specify new passwords for a renamed record. Since the user name is taken as part of the input for password verification, the old password
with the new user name will not yield the same result as the original password and user name, and the verification will fail.
RENAME/IDENTIFIER
Renames an identifier in the rights database.
Format
RENAME/IDENTIFIER old-id-name new-id-name
Parameters:
old-id-name
Specifies the name of an identifier to be renamed.
new-id-name
Specifies the new identifier name.
Example:
UAF> RENAME/IDENTIFIER Q1SALES Q2SALES
identifier Q1SALES renamed
The command in this example renames the identifier Q1SALES to Q2SALES.
Parameters
old-username new-username
"old-username" is the username for the authorization record which is to be renamed. "new-username" is the new username for the record.
REVOKE
--------------------------------------------------------------------------------
Revokes an identifier name from a username or UIC identifier. The /IDENTIFIER qualifier is required.
Format
REVOKE/IDENTIFIER id-name user-spec
Parameters:
id-name
Specifies the identifier name (see the ADD/IDENTIFIER command).
user-spec
Is an identifier (UIC or non UIC format) that specifies the user (see the ADD/IDENTIFIER command).
SHOW
--------------------------------------------------------------------------------
The SHOW command outputs a listing of the specified authorization record(s) to the user's terminal. Unless otherwise specified by qualifiers, UAF records are listed.
Format for the authorization file:
SHOW [/qualifiers] user-spec
Qualifiers: /BRIEF
This qualifier will give an abbreviated listing of the desired record(s). /BRIEF is equivalent to /NOFULL. /BRIEF is the default.
/FULL
This qualifier gives complete information on the desired record(s). /FULL is equivalent to /NOBRIEF.
SHOW/IDENTIFIER
--------------------------------------------------------------------------------
Displays information about the identifier on the current
SYS$OUTPUT device.
Format
SHOW/IDENTIFIER [id-name]
Parameter:
id-name
Specifies an identifier name. If you omit the identifier name, you must specify /USER or /VALUE.
Qualifiers: /BRIEF
This qualifier will give an abbreviated listing of the desired record(s). /BRIEF is equivalent to /NOFULL. /BRIEF is the default.
/FULL
This qualifier gives complete information on the desired record(s). /FULL is equivalent to /NOBRIEF.
/USER
/USER=user-spec
Specifies one or more users whose identifiers are to be displayed. User-spec may be XH].+++lKU%9@You can use the asterisk wildcard to specify multiple usernames or UICs: full use of the asterisk and percent wildcards is permitted for usernames.
UICs must be in the form [,], [,n], [n,], or [n,n]. A wildcard username specification (i.e., *) displays identifiers alphabetically by username; a wildcard UIC specification (i.e., [,]) displays them numerically by UIC.
/VALUE
/VALUE=value-specifier
Specifies the value of the identifier to be listed. Valid formats for the value-specifier are:
IDENTIFIER:integer
An integer value in the range of
32768 to 268435455, or a hexadecimal number in the range %X00008000 to 0FFFFFFF
UIC:uic
A uic value in the standard UIC
format
SHOW/PROXY
Displays one or all records in the network UAF. The /PROXY qualifier is required.
Format
SHOW/PROXY node::remote-user
Parameters:
node
Specifies the name of a network node in the network UAF. The asterisk wildcard is permitted in the node specification.
remote-user
Specifies the name of a user on a remote node. The asterisk wildcard is permitted in the remote-user specification.
SHOW/RIGHTS
Displays the names, values, and attributes of all identifiers held by the specified user(s).
Format
SHOW/RIGHTS [user-spec]
Parameter:
user-spec
Is the name of the identifier (usually the username) associated with the user in SYSUAF.DAT. If user-spec is omitted, you must specify the /USER qualifier.
Qualifier: /USER
/USER=user-spec
Specifies one or more users whose identifiers are to be displayed. User-spec may be a username or UIC. You can use the asterisk wildcard to specify multiple usernames or UICs:
full use of the asterisk and percent wildcards is permitted for usernames; UICs must be in the form [,], [,n], [n,], or [n,n].
A wildcard username specification (i.e., *) displays identifiers alphabetically by username; a wildcard UIC specification (i.e., [,]) displays them numerically by UIC.
Parameters:
If a listing is generated from SYSUAF.DAT, then the user may specify "user-spec" in a variety of ways:
1) wildcarded username (standard DCL wildcarding)
2) wildcarded UIC, as
a) [,]
b) [*,n]
c) [n,*]
3) specific username
4) specific UIC.
Phew! After all that, you should be doing just fine using the Authorize
Utility. You can expect summaries of VMS commands, DCL, and other VAX infor- mation in future articles. Now, happy hacking and go play God for a while!
Posted on October 6th, 2009 · Updated on December 31st, 2010
▼ Sponsored Links ▼
▲ Sponsored Links ▲
▲ Sponsored Links ▲
Comments and Attributions
Line Shadow
Comments
(Related Products
▼ Sponsored Links ▼
▲ Sponsored Links ▲
▲ Sponsored Links ▲