

..[ Phrack Magazine ]..
.:: VMS Information ::.

Current issue : #45 | Release date : 1994-03-30 | Editor : Erik Bloodaxe
Title : VMS Information
Author : various
                              ==Phrack Magazine==

                 Volume Five, Issue Forty-Five, File 15 of 28

****************************************************************************

                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
                        Some Helpful VAX/VMS utilities

                        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Introduction :
^^^^^^^^^^^^
This article contains a brief introduction to some not so often used
utilities found on the Virtual Address eXtension / Virtual Memory System,
better known to us as the VAX/VMS.

Please note that this file is meant for the so-called VMS "newbies". It gives
an insight into the processes that are running in the different "Hibernation"
states on VMS, quite similar to the background processes running on UNIX and
its clones. If you have "extensive" experience on VMS as a systems programmer
or a SysOp, you might want to skip it !!

Portions of this file are taken from the ever blabbering VMS HELP, which is
where many of us, myself included, learn about the VAX/VMS. VMS has lots of
secrets. Locations of "hidden" files are a very well kept secret, known
not even to the SysOp but only to the system programmer.

Ok.... Let's get started...


SHOW SYSTEM   :
^^^^^^^^^^^
This command ($Show system) will display information about the
status of the processes running on the system.
There are various options to this command, some of which are listed below.


    /BATCH     /CLUSTER   /FULL      /NETWORK   /NODE      /OUTPUT
    /PROCESS   /SUBPROCESS




         1.  $ SHOW SYSTEM

       VAX/VMS 5.4  on node DARTH 19-APR-1990 17:45:47.78  Uptime  2 21:53:59
         Pid    Process Name   State Pri      I/O       CPU  Page flts Ph.Mem
       27400201 SWAPPER        HIB   16        0  0 00:29:52.05      0      0
       27401E03 DOCBUILD       LEF    4    37530  0 00:05:47.62  96421    601
       27402604 BATCH_789      LEF    4     3106  0 00:00:48.67   4909   2636 B
       27401C05 BATCH_60       LEF    6      248  0 00:00:06.83   1439   1556 B
       27400207 ERRFMT         HIB    8     6332  0 00:00:41.83     89    229
       27400208 CACHE_SERVER   HIB   16     2235  0 00:00:05.85     67    202
       27400209 CLUSTER_SERVER HIB    8     4625  0 00:22:13.28    157    448
       2740020C JOB_CONTROL    HIB   10   270920  0 01:07:47.88   5163   1384
       2740020D CONFIGURE      HIB    9      125  0 00:00:00.53    104    264
        .
        .
        .
       27400E8D Sir Lancelot   LEF    5      226  0 00:00:07.87   4560    697
       2740049A Guenevere      LEF    4      160  0 00:00:02.69    534    477
       27401EA0 BATCH_523      CUR  4 4    17470  0 03:25:49.67   8128   5616 B
       274026AF GAWAIN         CUR  6 4    14045  0 00:02:03.24  20032    397
       274016D5 GAHERIS        LEF    6      427  0 00:00:09.28   5275   1384
       27401ED6 knight_1       HIB    5      935  0 00:00:10.17   3029   2204 S
       274012D7 BATCH_689      LEF    4    49216  0 00:14:18.36   7021   3470 B
       274032D9 DECW$MAIL      LEF    4     2626  0 00:00:51.19   4328   3087 B
       274018E3 SERVER_0021    LEF    6      519  0 00:00:07.07   1500    389 N
       274016E8 NMAIL_0008     HIB    4    10955  0 00:00:55.73   5652    151
       274034EA MORDRED        LEF    4     2132  0 00:00:23.85   5318    452
       274022EB S. Whiplash    CUR  6 4      492  0 00:00:12.15   5181    459
       274018EF DwMail         LEF    5   121386  0 00:28:00.97   7233   4094
       27401AF0 EMACS$RTA43    LEF    4    14727  0 00:03:56.54   8411   4224 S
       27400CF4 TRISTRAM       HIB    5    25104  0 00:06:07.76  37407   1923
       274020F5 Morgan         LEF    7    14726  0 00:02:10.74  34262   1669
       27400CF6 mr. mike       LEF    9    40637  0 00:05:15.63  18454    463

           The information in this example includes the following:

            o Process identification (PID) code - A 32-bit binary value that
              uniquely identifies a process.

            o Process name - A 1- to 15-character string used to identify a
              process.

            o Process state - The activity level of the process, such as COM
              (computing), HIB (hibernation), LEF (local event flag) wait,
              or CUR (if the process is current). If a multiprocessing
              environment exists, the display shows the CPU ID of the
              processor on which any current process is executing.

              Note that the SHOW SYSTEM command examines the processes on
              the system without stopping activity on the system. In this
              example process information changed during the time that the
              SHOW SYSTEM command collected the data to be displayed. As
              a result, this display includes two processes, named GAWAIN
              and S. Whiplash, with the state CUR on the same CPU, CPU ID
              6 in the example.

            o Current priority - The priority level assigned to the process
              (the higher the number, the higher the priority).

            o Total process I/O count - The number of I/O operations
              involved in executing the process. This consists of both
              the direct I/O count and the buffered I/O count.

            o Charged CPU time - The amount of CPU time that a process has
              used thus far.

            o Number of page faults - The number of exceptions generated by
              references to pages that are not in the process's working
              set.

            o Physical memory occupied - The amount of space in physical
              memory that the process is currently occupying.

            o Process indicator - Letter B indicates a batch job; letter
              S indicates a subprocess; letter N indicates a network
              process.

            o User identification code (UIC) - An 8-digit octal number
              assigned to a process. This number is displayed only if the
              /FULL qualifier is specified.
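
A parser for the listing format of example 1, added here as an example (it is
not part of the original article or of VMS). It handles process names with
embedded spaces, the extra CPU ID column on CUR rows and the optional B/S/N
indicator, then reports any CPU shown with more than one CUR process, which is
the snapshot effect noted above. The sample rows are copied from example 1; the
function and field names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# One process row. The CPU ID column exists only on CUR rows of a
# multiprocessor; the trailing B/S/N process indicator is optional.
ROW = re.compile(
    r"^\s*(?P<pid>[0-9A-F]{8})\s+"
    r"(?P<name>.{1,15}?)\s+"            # names may contain spaces
    r"(?P<state>[A-Z]{3,5})\s+"
    r"(?:(?P<cpu>\d+)\s+)?"
    r"(?P<pri>\d+)\s+"
    r"(?P<io>\d+)\s+"
    r"(?P<days>\d+) (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d\d)\s+"
    r"(?P<flts>\d+)\s+"
    r"(?P<mem>\d+)"
    r"(?:\s+(?P<kind>[BSN]))?\s*$"
)
KINDS = {"B": "batch", "S": "subprocess", "N": "network", None: ""}

# Rows copied from example 1 of the article (header and "." filler included
# to show that non-process lines are skipped).
SAMPLE = """\
       VAX/VMS 5.4  on node DARTH 19-APR-1990 17:45:47.78  Uptime  2 21:53:59
         Pid    Process Name   State Pri      I/O       CPU  Page flts Ph.Mem
       27400201 SWAPPER        HIB   16        0  0 00:29:52.05      0      0
       27402604 BATCH_789      LEF    4     3106  0 00:00:48.67   4909   2636 B
        .
       27400E8D Sir Lancelot   LEF    5      226  0 00:00:07.87   4560    697
       27401EA0 BATCH_523      CUR  4 4    17470  0 03:25:49.67   8128   5616 B
       274026AF GAWAIN         CUR  6 4    14045  0 00:02:03.24  20032    397
       27401ED6 knight_1       HIB    5      935  0 00:00:10.17   3029   2204 S
       274018E3 SERVER_0021    LEF    6      519  0 00:00:07.07   1500    389 N
       274022EB S. Whiplash    CUR  6 4      492  0 00:00:12.15   5181    459
"""


@dataclass
class Process:
    pid: int
    name: str
    state: str
    cpu_id: Optional[int]   # None when the row carries no CPU ID column
    priority: int
    io_count: int
    cpu_seconds: float
    page_faults: int
    phys_mem: int
    kind: str               # "batch", "subprocess", "network" or ""


def parse_show_system(text):
    """Return a Process for every row of a SHOW SYSTEM listing."""
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, column header, "." filler
        cpu_seconds = (int(m["days"]) * 86400 + int(m["h"]) * 3600
                       + int(m["m"]) * 60 + float(m["s"]))
        procs.append(Process(
            pid=int(m["pid"], 16),
            name=m["name"],
            state=m["state"],
            cpu_id=int(m["cpu"]) if m["cpu"] else None,
            priority=int(m["pri"]),
            io_count=int(m["io"]),
            cpu_seconds=cpu_seconds,
            page_faults=int(m["flts"]),
            phys_mem=int(m["mem"]),
            kind=KINDS[m["kind"]],
        ))
    return procs


def cur_conflicts(procs):
    """CPU IDs listed with more than one CUR process in a single snapshot."""
    by_cpu = {}
    for p in procs:
        if p.state == "CUR" and p.cpu_id is not None:
            by_cpu.setdefault(p.cpu_id, []).append(p.name)
    return {cpu: names for cpu, names in by_cpu.items() if len(names) > 1}


if __name__ == "__main__":
    listing = parse_show_system(SAMPLE)
    for p in sorted(listing, key=lambda p: p.cpu_seconds, reverse=True)[:3]:
        print(f"{p.pid:08X} {p.name:<15} {p.cpu_seconds:>10.2f}s {p.kind}")
    print("CUR on the same CPU:", cur_conflicts(listing))
```

Anything that baselines or compares these listings should treat a duplicate CUR
entry as a collection artifact rather than as two processes sharing one CPU.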



         2.  $ SHOW SYSTEM /CLUSTER


       VAX/VMS V5.4 on node APPLE 19-APR-1990 09:09:58.61  Uptime    0 2:27:11
       Pid       Process Name   State  Pri I/O  CPU           Page flts Ph. Mem
       31E00041  SWAPPER        HIB    16    0  0 00:00:02.42     0       0
       31E00047  CACHE_SERVER   HIB    16   58  0 00:00:00.26    80      36
       31E00048  CLUSTER_SERVER CUR     9  156  0 00:00:58.15  1168      90
       31E00049  OPCOM          HIB     7 8007  0 00:00:33.46  5506     305
       31E0004A  AUDIT_SERVER   HIB     9  651  0 00:00:21.17  2267      22
       31E0004B  JOB_CONTROL    HIB    10 1030  0 00:00:11.02   795     202

          .
          .

           The SHOW SYSTEM command in this example shows all processes on
           all nodes of the cluster.


         3.  $ SHOW SYSTEM /NODE=NEON
       VAX/VMS V5.4 on node NEON 19-APR-1990 09:19:15.33  Uptime    0 02:29:07
       Pid       Process Name   State  Pri  I/O  CPU           Page flts Ph. Mem
       36200041  SWAPPER        HIB    16     0  0 00:00:12.03     0       0
       36200046  ERRFMT         HIB     8   263  0 00:00:05.89   152      87
       36200047  CACHE_SERVER   CUR    16     9  0 00:00:00.26    80      51
       36200048  CLUSTER_SERVER CUR     8    94  0 00:00:30.07   340      68
       36200049  OPCOM          HIB     6  2188  0 00:02:01.04  1999     177
       3620004A  AUDIT_SERVER   HIB    10   346  0 00:00:10.42  1707      72
          .
          .
          .


           The SHOW SYSTEM command in this example shows all processes on
           the node NEON.


                               ----- X -----

   So now that we beat the SHOW SYSTEM command to death, let's take on another
   command. Hmmm..let's see..Ahhhaaaa the MONITOR SYSTEM !!!!!

   This is a pretty neat command and one of my favorite "play" commands. Don't
   get me wrong, there's a lot to be learned from "play" commands like these.
   It really gives us some useful information. The reason why I like this
   utility is because it gives a GRAPHICAL representation of the
   data given by the SHOW SYSTEM. I would have included a short example
   of the graphics, but not everyone receiving this article would be running
   VMS on a terminal with ANSI emulation. So, if you want to see the ANSI
   graphics, follow my instructions...


MONITOR

   Invokes  the  VMS  Monitor  Utility  (MONITOR)  to  monitor  classes  of
   system-wide  performance  data   at  a  specified  interval.  It produces
   three types of optional output:

      o  Recording file
      o  Statistical terminal display
      o  Statistical summary file

   You  can collect data from a running system or from a previously created
   recording file.

   You can execute a single  MONITOR request,  or enter MONITOR interactive
   mode to execute a series of requests.  Interactive mode is entered  when
   the MONITOR command is issued with no parameters or qualifiers.

   A MONITOR request can be terminated by pressing CTRL/C or CTRL/Z. CTRL/C
   causes MONITOR to enter interactive mode; CTRL/Z returns to DCL.


   The  MONITOR  Utility  is described in detail in the VMS Monitor Utility
   Manual.

   Format:
          MONITOR  class-name[,...]

   There are quite a few different options available for the MONITOR utility.
   We are not going to get into too much detail about each option, but I will
   take the time to discuss a few. The different options for MONITOR are....

  ALL_CLASSES           CLUSTER    DECNET     DISK       DLOCK      FCP
  FILE_SYSTEM_CACHE     IO         LOCK       MODES      MSCP_SERVER
  PAGE       POOL       PROCESSES  RMS        SCS        STATES     SYSTEM
  TRANSACTION           VECTOR
  /BEGINNING /BY_NODE   /COMMENT   /DISPLAY   /ENDING    /FLUSH_INTERVAL
  /INPUT     /INTERVAL  /NODE      /RECORD    /SUMMARY   /VIEWING_TIME
  /ALL       /AVERAGE   /CPU       /CURRENT   /FILE      /ITEM      /MAXIMUM


     MONITOR Parameter class-name[,...]

      Specifies one or more classes of performance data to be monitored.
      The available class-names are:

          ALL_CLASSES       All MONITOR classes.
          CLUSTER           Cluster wide information.
          DECNET            DECnet-VAX statistics.
          DISK              Disk I/O statistics.
          DLOCK             Distributed lock management statistics
          FCP               File system primitive statistics.
          FILE_SYSTEM_CACHE File system caching statistics.
          IO                System I/O statistics.
          LOCK              Lock management statistics.
          MODES             Time spent in each of the processor modes.
          MSCP_SERVER       MSCP Server statistics
          PAGE              Page management statistics.
          POOL              Space allocation in the nonpaged dynamic pool.
          PROCESSES         Statistics on all processes.
          RMS               VMS Record Management Services statistics
          SCS               System communication services statistics.
          STATES            Number of processes in each scheduler state.
          SYSTEM            System statistics.
          TRANSACTION       DECdtm services statistics.
          VECTOR            Vector Processor scheduled usage.


MONITOR

  /ALL

   Specifies that a table of current, average, minimum, and  maximum
   statistics is to be included in display and summary output.

   /ALL is the  default for all class-names except MODES, STATES and
   SYSTEM. It may not be used with the PROCESSES class-name.


                         ---- X ----

     Well, I hope this little file helps a few people out, by providing them
 with a better understanding of the background processes running on the system
 and by providing a better perception of the amount of CPU and I/O time taken
 by each process.




DARTH VADER


P.S : Look for a file on ACL (Access Control Listing) in the near future.

------------------------------------------------------------------------------

                        ----------------------------
                        VAX/VMS AUTHORIZATION SYSTEM
                        ----------------------------

Introduction:
------------

Well, since Phrack issues containing VMS articles are pretty rare I will
examine in depth the authorization sub-system on VAXes.

Keep in mind that I will assume that you are probably on some new VMS
version (5.5-X). If you are on some older VMS, don't worry, commands are
the same, just some flags and display fields were added in later versions.
The knowledge of the authorization sub-system is of great importance for a
VAX hacker since he must keep himself access to the system, and this is the
right way to do it.

Also keep in mind that this is just a practical guide oriented to a hacker's
needs and was done to be understandable by and useable by everybody,
even those who are not so familiar with VMS. That's why I included some
references to VMS filesystem, privileges, etc.

AUTHORIZE:
---------

The authorization subsystem is the one that will let you create accounts
under the VMS operating system. The command you need to execute is the:

                        SYS$SYSTEM:AUTHORIZE.EXE

What do you need to execute that program ?

                        READ/WRITE PRIVS over SYSUAF.DAT
                        EXECUTE PRIVS    over SYS$SYSTEM:AUTHORIZE.EXE

How can you check if you got all needed to start creating accounts ?

DIR SYS$SYSTEM:AUTHORIZE.EXE/FULL

Directory SYS$SYSROOT:[SYSEXE] <----- Directory you are listing

AUTHORIZE.EXE;1               File ID:  (2491,5,0)
Size:          164/165        Owner:    [SYSTEM] <---- Owner is Sys Manager
Created:  20-JUL-1990 08:30:34.18  <------- Creation Date of program
Revised:  17-AUG-1992 09:45:36.31 (4) <------ Last modification over program
Expires:   <None specified>    <---- No expiration, will last for ever
Backup:    <No backup recorded>
File organization:  Sequential
File attributes:    Allocation: 165, Extend: 0, Global buffer count: 0
                    No version limit, Contiguous best try
Record format:      Fixed length 512 byte records <--- record organization
Record attributes:  None
RMS attributes:     None
Journaling enabled: None
File protection:    System:RWED, Owner:RWED, Group:R, World: <---- (*)
Access Cntrl List:  None
Total of 1 file, 164/165 blocks.

(*) This is the field that will tell if you are authorized to execute the
    program. In this case if you own a privileged account you
    can run it. That doesn't mean that you will be able to view/modify
    any account found on the SYSUAF.DAT. But 95 % of the time any user
    can execute the AUTHORIZE program even if you don't have READ privilege
    on the SYS$SYSTEM directory. That means that if you do a :

    DIR SYS$SYSTEM

    and you find that you don't have the privilege to view the files contained
    in that directory you may still be able to execute the AUTHORIZATION
    subsystem. Of course, you have a really low chance of getting the
    SYSUAF.DAT read or modified.

If you find that the authorize program cannot be executed a good method is
to send it UUENCODED from another VAX where you *DO* have at least read access
to SYS$SYSTEM:AUTHORIZE.EXE . If you are working on the X-25's you can send
it via PSI mailing. If you are on the Internet, just send it using the
normal mail routing method to the user on the VAX you want the AUTHORIZE.EXE
to get executed by.  Once you get it just UUDECODE it and place it in your
SYS$LOGIN directory and execute it!

The authorize will work as a module, and won't try to overlay any other module
to make it work correctly.  If you can run the authorize you should receive :

"UAF>" prompt.

THE SYSUAF.DAT:
--------------

The SYSUAF.DAT is the most important file of the authorization subsystem.
All the accounts are stored here with their :

        - PASSWORDS     (encrypted)
        - ENVIRONMENT
        - DIR
        - privileges
        - RIGHTS OVER THE FILES
        ... and more

The SYSUAF.DAT is somewhat like the /etc/passwd file on Unix OS.
Under UNIX you can take the password file and with an editor add yourself
an account or modify an existing one without problem. Well this is not
possible under VMS. You need a program that knows the SYSUAF.DAT record
structure (like AUTHORIZE) to take action over the accounting system.

The main difference is that the SYSUAF.DAT is not a PLAIN TEXT FILE, it's
a binary file structured to be read only by the AUTHORIZE program.
Another main difference is that it is not world readable; it can usually
only be read from high privileged accounts or from accounts which can
override system protection flags (will talk about this later).

The SYSUAF.DAT can be found in the same directory as the AUTHORIZE.EXE
program, the SYS$SYSTEM. You will usually find a few versions of this file
but normally with the same protections as the working one.
What can be interesting is that you can usually find files produced by the
output of the LIST command (under AUTHORIZE) which can be WORLD readable where
you will have all the accounts listed with the OWNER/DIR/PRIVS..etc. That will
help you a lot to try to hack some accounts if you still can't run authorize.
Those files are called normally: SYSUAF.LIS, and you might find more than
just one of them. Of course try to get the latest one since the older
ones will contain some expired/deleted accounts.

To check what privilege you have over the SYSUAF.DAT issue :

DIR SYS$SYSTEM:SYSUAF.DAT/FULL

Directory SYS$COMMON:[SYSEXE]
SYSUAF.DAT;1                  File ID:  (228,1,0)
Size:          183/183        Owner:    [SYSTEM]
Created:  20-JUL-1990 08:30:21.50
Revised:  14-JAN-1994 03:33:27.75 (34812) <--- Last Creation/Modification
Expires:   <None specified>
Backup:    <No backup recorded>
File organization:  Indexed, Prolog: 3, Using 4 keys
                             In 3 areas
File attributes:    Allocation: 183, Extend: 3, Maximum bucket size: 3
                    Global buffer count: 0, No version limit
                    Contiguous best try
Record format:      Variable length, maximum 1412 bytes
Record attributes:  None
RMS attributes:     None
Journaling enabled: None
File protection:    System:RWED, Owner:RWED, Group:R, World: (*)
Access Cntrl List:  None

Total of 1 file, 183/183 blocks.

In this case, if you are under a standard user account you won't be
able to READ and/or WRITE the SYSUAF.DAT.  So when you execute the
AUTHORIZE program, it will quit and kick you back to the shell.
IF you have World : R, you will be able to  LIST/SHOW     accounts.
IF you have World : RW, you will be able to CREATE/MODIFY accounts.

But if you happen to have SYSPRV you will be able to CREATE/MODIFY the
SYSUAF.DAT at your pleasure, since you can override the system protection
that has been imposed over that file.  Of course, if you have SETPRV
privilege you have ALL privileges, and you can do whatever you want
with the VAX.

Privileges needed to CREATE/MODIFY accounts :

Process privileges:
*SETPRV               may set any privilege bit
Explanation: With this only you can assign yourself all the privileges you
need with a SET PROC/PRIVS=ALL.

*SYSPRV               may access objects via system protection
Explanation: If you have this one you will be able to read the SYSUAF.DAT.

*BYPASS               may bypass all object access controls
Explanation: If you have this one you can read the SYSUAF.DAT since
all the objects (ie:files) will be made accessible to you. I suggest that
if you happen to have some problems, change the files access flags to
let it be WORLD (you) readable/writable. So use :

                 SET FILE/PROT=(w:rwed) SYS$SYSTEM:SYSUAF.DAT

*READALL              may read anything as the owner
Explanation:  Well this is obvious, SYSUAF.DAT will be read without problems
but of course you won't be able to CREATE/MODIFY accounts to your pleasure.
At least you can LIST/SHOW all the accounts as deep as you want.
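
An audit check built from the rules above, added here as an example and not
taken from the original article: it reads the "File protection:" line of
DIR/FULL output, reports listing files that expose anything to World, and lists
the accounts that reach SYSUAF.DAT through SETPRV, SYSPRV, BYPASS or READALL.
The account names, their privilege sets and the SYSUAF.LIS listing are
constructed; the model assumes each account is outside the owner's UIC group
and that no ACL applies.

```python
import re

ORDER = "RWED"
# Privileges the article names as reaching SYSUAF.DAT past its World field.
SENSITIVE = {"SETPRV", "SYSPRV", "BYPASS", "READALL"}
PROT_FIELD = re.compile(r"(System|Owner|Group|World):([RWED]*)")

# DIR/FULL excerpt for SYSUAF.DAT as shown in the article.
SYSUAF_DAT = """\
SYSUAF.DAT;1                  File ID:  (228,1,0)
Size:          183/183        Owner:    [SYSTEM]
File protection:    System:RWED, Owner:RWED, Group:R, World:
Access Cntrl List:  None
"""

# Constructed listing: output of the AUTHORIZE LIST command left World-readable.
SYSUAF_LIS = """\
SYSUAF.LIS;3                  File ID:  (constructed)
File protection:    System:RWED, Owner:RWED, Group:R, World:R
Access Cntrl List:  None
"""

FILES = {"SYSUAF.DAT": SYSUAF_DAT, "SYSUAF.LIS": SYSUAF_LIS}

# Constructed account inventory: username -> authorized privileges.
ACCOUNTS = {
    "STUDENT":    ["NETMBX", "TMPMBX"],
    "BACKUP_SVC": ["NETMBX", "TMPMBX", "READALL"],
    "DEVTOOLS":   ["NETMBX", "TMPMBX", "SYSPRV"],
    "FIELD":      ["NETMBX", "TMPMBX", "SETPRV", "BYPASS"],
}


def parse_protection(dir_full_text):
    """Return {'SYSTEM': 'RWED', ..., 'WORLD': ''} from DIR/FULL output."""
    for line in dir_full_text.splitlines():
        if line.lstrip().startswith("File protection:"):
            fields = PROT_FIELD.findall(line)
            if len(fields) == 4:
                return {cls.upper(): acc for cls, acc in fields}
    raise ValueError("no complete 'File protection:' line found")


def effective_access(privs, protection):
    """Access to the file that an account's privileges give it.

    Assumption: the account only matches the World field by UIC, and the
    file carries no ACL, so everything beyond World comes from privileges.
    """
    privs = {p.upper() for p in privs}
    access = set(protection["WORLD"])
    if privs & {"SETPRV", "BYPASS"}:
        access |= set(ORDER)                 # any privilege / no access checks
    if "SYSPRV" in privs:
        access |= set(protection["SYSTEM"])  # judged by the System field
    if "READALL" in privs:
        access.add("R")
    return "".join(c for c in ORDER if c in access)


def audit(accounts, files):
    """Return (subject, access, cause) tuples worth a reviewer's attention."""
    findings = []
    for name in sorted(files):
        world = parse_protection(files[name])["WORLD"]
        if world:
            findings.append((name, world, "World field"))
    uaf = parse_protection(files["SYSUAF.DAT"])
    for user in sorted(accounts):
        held = {p.upper() for p in accounts[user]} & SENSITIVE
        if held:
            access = effective_access(accounts[user], uaf)
            findings.append((user, access, ",".join(sorted(held))))
    return findings


if __name__ == "__main__":
    for subject, access, cause in audit(ACCOUNTS, FILES):
        print(f"{subject:<12} {access:<4} via {cause}")
```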

Entering AUTHORIZE:
------------------
Once you've executed AUTHORIZE you will receive its main prompt:

RUN SYS$SYSTEM:AUTHORIZE

UAF>

UAF stands for User Authorization File.

First of all you will need to get a list of all the accounts on the
system with some of their settings also. To do this issue the command:

UAF>SHOW USERS/BRIEF

       Owner         Username           UIC       Account  Privs Pri Directory

ALLIN1V24CREATED     A1$XFER_IN      [660,1]               Normal  4 Disuser
ALLIN1V24CREATED     A1$XFER_OUT     [660,2]               Normal  4 Disuser
JOHN_FAVORITE        JFAVORITE       [300,2]      LEDGER   Devour  4 DEV$DUA2:[ABDURAHMAN]
IBRAHIM ALBHIR       ALBHIR           [60,111]    GOTVOT   Normal  4 DUA2:[ALBHIR]
ALGHAMDI             ALGHAMDI        [300,1]      LEDGER   Normal  4 DUA2:[ALGHAMDI]
ALHAJAJ              ALHAJAJ         [325,3]      BUDGET   Devour  4 GOTDEV$DUA2

Explanation:

1) Owner: Owner of the account

2) Username: This is the guy's login name

3) UIC: User Identification Code. The OS uses this to recognize you and the
        rights you have over files, directories, etc.

4) Account: This is to let the operator know what the group is
            that owns/manages the account.

5) Pri: don't worry about it.

6) Directory: This is the account HOME directory, where the owner of the
              account will work.

After you have captured the output of the SHOW command you can start
trying to create yourself some accounts by modifying some already existing
ones (which I suggest strongly).

To create an account issue the following command :

CREATE JOHN/DIR=JOHNS_DIR/DEVICE=SYS$USER/PASSWORD=JOHNS_PASSWORD
/ACCESS=(DIALUP,NETWORK)/PRIVS=(NETMBX,TMPMBX)/DEFPRIVS=(NETMBX,TMPMBX)
/ACCOUNT=USERS/OWNER=JOHN

Effects of this command:

Will create a user called JOHN who will log in under the JOHNS_DIR directory,
who will have just normal user privileges (TMPMBX/NETMBX) and who, when listed,
will appear to be part of the group name USERS, and the account's owner
will be JOHN.

After you issue this command a NEW UIC will be added to the RIGHTSLIST.DAT
file being assigned to your user.

Explanation:

DIR: can be any directory name you saw on the system. Of course if you are
not using all the privileges, check that it's READ/WRITE-able
so you won't have problems at login.

DEVICE: is where the DIR can be found. That means that you have to tell in
which physical/logical device that directory will be found. Since VAXes will
have at least 1 or 2 magnetic supports you must say on which one the directory
can be found. Normally they already have some logical names assigned like
SYS$USER,SYS$SYSTEM,SYS$SPECIFIC,SYS$MANAGER, etc.

PASSWORD: is the password you want for the account which will never be shown
to anyone, so use whatever one you like.

ACCESS: tells the system from where you will authorize logins for this
account. For example I'm sure you've seen this message:

Username: BACKUP
Password:
Cannot login from this source.

Well this is the result of an account being setup with the DIALUP flags in
the access field as NODIALUP.

So if you want to give the account all kinds of access just use :
ACCESS=ALL

and this will authorize all login sources for the account.

PRIVS: will setup the privileges on the named account. If you just want it
to be a normal user account use TMPMBX,NETMBX.  If you want it to be
a super-user account you can use ALL. But this is not the right way
if you don't want your account to get discovered fast.

Valid Process privileges:

 CMKRNL               may change mode to kernel
 CMEXEC               may change mode to exec
 SYSNAM               may insert in system logical name table
 GRPNAM               may insert in group logical name table
 ALLSPOOL             may allocate spooled device
 DETACH               may create detached processes
 DIAGNOSE             may diagnose devices
 LOG_IO               may do logical i/o
 GROUP                may affect other processes in same group
 ACNT                 may suppress accounting messages
 PRMCEB               may create permanent common event clusters
 PRMMBX               may create permanent mailbox
 PSWAPM               may change process swap mode
 ALTPRI               may set any priority value
 SETPRV               may set any privilege bit
 TMPMBX               may create temporary mailbox
 WORLD                may affect other processes in the world
 MOUNT                may execute mount acp function
 OPER                 may perform operator functions
 EXQUOTA              may exceed disk quota
 NETMBX               may create network device
 VOLPRO               may override volume protection
 PHY_IO               may do physical i/o
 BUGCHK               may make bug check log entries
 PRMGBL               may create permanent global sections
 SYSGBL               may create system wide global sections
 PFNMAP               may map to specific physical pages
 SHMEM                may create/delete objects in shared memory
 SYSPRV               may access objects via system protection
 BYPASS               may bypass all object access controls
 SYSLCK               may lock system wide resources
 SHARE                may assign channels to non-shared devices
 GRPPRV               may access group objects via system protection
 READALL              may read anything as the owner
 SECURITY             may perform security functions

Check the last section on tips on creating accounts.

ACCOUNT: this is pretty useless and is just for displaying purposes at the
SHOW USER under authorize.

OWNER: This field is also used just at SHOW time but keep in mind to use
an owner that won't catch the eye of the system manager.

You can use the MODIFY command the same way as you used the CREATE. The only
difference is that no account will be created but ALL types of modifications
will affect the specified account.

You can use the LIST command to produce an output of the accounts to a file.
Use this command as you use the SHOW one.

Of course, the authorize sub-system is so huge you can actually set hours of
login for users, expirations, disk quotas, etc., but this is not the purpose
of this article.

Tips to create accounts:
-----------------------
First of all, what I suggest strongly is to MODIFY accounts not to CREATE
new ones. Why this?  Well, new account names can jump out at the operator
and he will kick you off the system very soon.

The best way I think is to get a non-used account, change its privileges
and change the password and use it!.

First of all try to find a never-logged account or at least one account
whose last log comes from few months ago. From the UAF prompt just
do a SH USER/FULL and check out the dates that appear in the *Last Login*
record. If this happens to be a very old one then it can be marked as
valid to take control of. Of course you have to find a non used account
since you will have to change the account's password.

Check the flags field also. These flags can really bother you:

                            Captive     (worst one!)
                            Ctly        (ctrl-y deactivated)
                            Restricted  (OS does more checks than normal)
                            DisUser     (ACCOUNT IS NOT ENABLED!!!)

I suggest you take out all the flag's fields.
Just issue: MODIFY JOHN/FLAGS=(NOCAPTIVE,NOCTLY,NORESTRICTED,NODISUSER)
If you find an account that is DisUser I suggest not to own it since the
DisUser flag shows up when listing the accounts. If the system manager
sees an account that was OFF now ON..well it's a bit suspicious don't
you think ?

Check if the FIELD account is being used. If not, own this one since it
already has ALL privileges and will not look suspicious at all. Just change
its password.  (FIELD is the account normally used by Digital Engineers
to check the VAX).

Remember to check also that DIALUP access is permitted or you won't be able
to login your account.

Once you've chosen the perfect account you can now change its password.
Issue: MODIFY JOHN/PASSWORD=MY_PASSWORD. (John is the account name you found)

After you have finished just type CTRL-Z to exit. If you happen to logoff
without exiting AUTHORIZE, don't worry.  Changes to SYSUAF.DAT are done
instantly when the command finishes its execution.

One more piece of advice: under SHELL, if you happen to have SECURITY privilege
Issue: SET AUDIT/ALARM/DISABLE=(AUTHORIZE)

If you don't do this, each time you run AUTHORIZE, modified accounts will be
logged into OPERATOR.LOG so remember to do so.

After playing a bit with AUTHORIZE you won't have many problems understanding
it. Hope you have PHUN! ;-)

------------------------------------------------------------------------------

$ ! FACILITY: Mailback     (MAILBACK.COM)
$ !
$ ! ABSTRACT: VAXVMS to VAXVMS file transfer, using the VAX/PSI_MAIL
$ !           utility of VAXPSI, over an X.25 link.
$ !
$ ! ENVIRONMENT: VAX/VMS operating system.
$ !
$! -------------------------------------------------------------------
$ saved_verify := 'f$verify(0)'
$ set noon
$ ws = "write sys$output"
$ ws ""
$ ws "   MAILBACK transfer utility V1.0 (via Backup and PSI_Mail) 21-May-1990"
$ ws ""
$!
$ if f$logical("debug").nes."" then set verify
$ ask_p1:
$ if P1.eqs."" then read/prompt="MailBack> Send or Receive (S/R) : " -
                    sys$command P1
$ P1 = f$edit(P1, "UPCASE,COMPRESS,TRIM")
$!
$!
$ if P1.EQS."" then exit 1+0*f$verify(saved_verify)
$ if P1.EQS."R" then goto receive_file
$ if P1.nes."S" then goto ask_P1
$! -------------------------------------------------------------------
$!
$! Sending File(s)
$! ===============
$ if P2.eqs. "" then -
     read/prompt="MailBack> Recipient mail address (PSI%nnn::user) : " -
     sys$command P2
$ if P2.eqs."" then exit 1+0*f$verify(saved_verify)
$!
$!
$ if P3.eqs."" then read/prompt="MailBack> File(s) : " sys$command P3
$!
$ ws "MailBack> ... Backuping the file(s) ..."
$ Backup/nolog 'P3' sys$scratch:mailbck.tmp/sav/block=2048
$!
$ ws "MailBack> ... Converting format ..."
$ convert/fdl=sys$input sys$scratch:mailbck.tmp sys$scratch:mailbck.tmp
record
 carriage_control carriage_return
$!
$ ws "MailBack> ... Sending a (PSI_)mail ..."
$ on warning then goto error_sending
$ mail/subject="MAILBACK Backup-File" -
      /noself sys$scratch:mailbck.tmp 'P2'
$ ws "MailBack> ... SEND command SUCCESSfully completed."
$!
$ fin_send:
$ delete = "delete"
$ delete/nolog/noconfirm sys$scratch:mailbck.tmp;,;
$ exit  1+0*f$verify(saved_verify)
$!
$ Error_sending:
$ ws "MailBack> Error detected while sending the mail ; ..."
$ ws "MailBack> ... Fix the problem, then retry the whole procedure."
$ goto fin_send
$! -------------------------------------------------------------------
$!
$! Inbound File(s) Processing
$! ==========================
$receive_file:
$!
$ if P2.eqs."" then -
     read/prompt="MailBack> Destination directory (<CR>= []) : " sys$command P2
$ if P2.eqs."" then p2 ="[]"
$!
$!
$!
$ if P3.eqs."" then -
     read/prompt="MailBack> Mail file (<CR>= default mail file) : " -
     sys$command P3
$ gosub build_file
$ ws "MailBack> ... Extracting a (PSI_)mail from the NEWMAIL folder ..."
$ define/exec sys$output nl:            ! ped 18-May-90 (wipe out mail displays)
$ if P3.eqs."" then goto normal_get
$ define/nolog new_mail_file 'p3'
$ define/user sys$command sys$input
$ set message/nofacility/noseverity/notext/noident
$ mail
set file new_mail_file
select NEWMAIL
sear MAILBACK Backup-File
extract/NOHEADER out_file
$ deassign new_mail_file
$ goto clean
$ if P3.nes."" then p2 ="[]"
$!
$!
$ normal_get:
$ define/user sys$command sys$input
$ set message/nofacility/noseverity/notext/noident
$ mail
select NEWMAIL
sear MAILBACK Backup-File
extract/NOHEADER out_file
$!
$ clean:
$ deassign sys$output                           !
$ set message/facility/severity/text/ident
$ if f$search("out_file") .eqs. "" then goto nomessage
$ on warning then goto error_conv
$ ws "MailBack> ... Converting format ..."
$ convert/fdl=sys$input out_file out_file /pad=%x00
 record
 format fixed
 carriage_control none
 size 2048
$!
$ ws "MailBack> ... Restoring file(s) from the backup saveset ..."
$ on warning then goto error_back
$ backup/nolog out_file/save 'P2'*.*
$!
$ delete = "delete"
$ delete/nolog/noconfirm  'file';,;
$ ws "MailBack> ... RECEIVE command SUCCESSfully completed."
$!
$ finish_r:
$ deassign out_file
$ exit  1+0*f$verify(saved_verify)
$! -------------------------------------------------------------------
$ error_conv:
$ ws "MailBack> " + -
     "An error occurred during the fdl convert of the extracted mail ;"
$ ws "MailBack> ... the file ''file' corresponds to "
$ ws "MailBack> ... the message extracted from Mail."
$ goto finish_r
$!
$ error_back:
$ ws "MailBack> An error occurred during the file restore phase with BACKUP ;"
$ ws "MailBack> ... the file ''file' corresponds to "
$ ws "MailBack> " + -
     "... the  message extracted from Mail, converted as a backup Saveset."
$ delete/nolog/noconfirm  'file';-1
$ goto finish_r
$!
$ nomessage:
$ ws "MailBack> No mail message has been found in the NEWMAIL folder."
$ goto finish_r
$!
$Build_file:                    ! Build a unique (temporary) file_name
$file = "sys$scratch:mail_" + f$cvtime(f$time(),,"month")+ -
f$cvtime(f$time(),,"day") + f$cvtime(f$time(),,"hour")+ -
f$cvtime(f$time(),,"minute")+ f$cvtime(f$time(),,"second") + ".tmp"
$define/nolog out_file 'file'
$return
© Copyleft 1985-2021, Phrack Magazine.