💾 Archived View for aphrack.org › issues › phrack32 › 8.gmi captured on 2021-12-04 at 18:04:22. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-03)

-=-=-=-=-=-=-

                              ==Phrack Classic==

                     Volume Three, Issue 32, File #8 of 12


                       +-------------------------------+
                       | Inside the SYSUAF.DAT file of |
                       +-------------------------------+

           +------------------------------------------------------+
           | Digital Equipment Corporation's VMS Operating System |
           +------------------------------------------------------+

                                   -= by =-

                         -----:>  Pain Hertz  <:----



Overview
~~~~~~~
        In this file, I will explain what the System User Authorization File
is, what information it contains, what the logical and physical characteristics
of the file are, and how one can manipulate it to reveal and/or modify its
contents.

Background
~~~~~~~~
        The Virtual Memory System (VMS) Operating System's System User
Authorization File (SYSUAF) contains the information that determines a given
user's username, password(s), security priviledges, as well as many other
similar data which either allow or disallow the user to have the system
perform certain tasks.

Characteristics
~~~~~~~~~~~~~~
        The SYSUAF.DAT file (UAF) is usually located on the system on the
device pointed to by the logical SYS$COMMON, and under the [SYSEXE]
subdirectory.  However, if the logical SYSUAF exists, it will point to the
location and name of the UAF.

        The UAF is a binary, indexed data file.  It's indexed on 4 keys:
username, UIC, extended user identifier, and owner identifier.  Using
the VMS ANALYZE utility reveals the following about the UAF:


IDENT   "01-JAN-1990 13:13:13   VAX/VMS ANALYZE/RMS_FILE Utility"

SYSTEM
        SOURCE                  VAX/VMS

FILE
        ALLOCATION              24
        BEST_TRY_CONTIGUOUS     yes
        BUCKET_SIZE             3
        CLUSTER_SIZE            3
        CONTIGUOUS              no
        EXTENSION               3
        FILE_MONITORING         no
        GLOBAL_BUFFER_COUNT     0
        NAME                    "SYS$COMMON:[SYSEXE]SYSUAF.DAT;1"
        ORGANIZATION            indexed
        OWNER                   [SYSTEM]
        PROTECTION              (system:RWED, owner:RWED, group:RWED, world:RE)

RECORD
        BLOCK_SPAN              yes
        CARRIAGE_CONTROL        none
        FORMAT                  variable
        SIZE                    1412

AREA 0
        ALLOCATION              9
        BEST_TRY_CONTIGUOUS     yes
        BUCKET_SIZE             3
        EXTENSION               3

AREA 1
        ALLOCATION              3
        BUCKET_SIZE             3
        EXTENSION               3

AREA 2
        ALLOCATION              12
        BUCKET_SIZE             2
        EXTENSION               12

KEY 0
        CHANGES                 no
        DATA_KEY_COMPRESSION    yes
        DATA_RECORD_COMPRESSION yes
        DATA_AREA               0
        DATA_FILL               100
        DUPLICATES              no
        INDEX_AREA              1
        INDEX_COMPRESSION       yes
        INDEX_FILL              100
        LEVEL1_INDEX_AREA       1
        NAME                    "Username"
        NULL_KEY                no
        PROLOG                  3
        SEG0_LENGTH             32
        SEG0_POSITION           4
        TYPE                    string

KEY 1
        CHANGES                 yes
        DATA_KEY_COMPRESSION    no
        DATA_AREA               2
        DATA_FILL               100
        DUPLICATES              yes
        INDEX_AREA              2
        INDEX_COMPRESSION       no
        INDEX_FILL              100
        LEVEL1_INDEX_AREA       2
        NAME                    "UIC"
        NULL_KEY                no
        SEG0_LENGTH             4
        SEG0_POSITION           36
        TYPE                    bin4

KEY 2
        CHANGES                 yes
        DATA_KEY_COMPRESSION    no
        DATA_AREA               2
        DATA_FILL               100
        DUPLICATES              yes
        INDEX_AREA              2
        INDEX_COMPRESSION       no
        INDEX_FILL              100
        LEVEL1_INDEX_AREA       2
        NAME                    "Extended User Identifier"
        NULL_KEY                no
        SEG0_LENGTH             8
        SEG0_POSITION           36
        TYPE                    bin8

KEY 3
        CHANGES                 yes
        DATA_KEY_COMPRESSION    no
        DATA_AREA               2
        DATA_FILL               100
        DUPLICATES              yes
        INDEX_AREA              2
        INDEX_COMPRESSION       no
        INDEX_FILL              100
        LEVEL1_INDEX_AREA       2
        NAME                    "Owner Identifier"
        NULL_KEY                yes
        NULL_VALUE              0
        SEG0_LENGTH             8
        SEG0_POSITION           44
        TYPE                    bin8

ANALYSIS_OF_AREA 0
        RECLAIMED_SPACE         0

ANALYSIS_OF_AREA 1
        RECLAIMED_SPACE         0

ANALYSIS_OF_AREA 2
        RECLAIMED_SPACE         0

ANALYSIS_OF_KEY 0
        DATA_FILL               71
        DATA_KEY_COMPRESSION    75
        DATA_RECORD_COMPRESSION 67
        DATA_RECORD_COUNT       5
        DATA_SPACE_OCCUPIED     3
        DEPTH                   1
        INDEX_COMPRESSION       85
        INDEX_FILL              1
        INDEX_SPACE_OCCUPIED    3
        LEVEL1_RECORD_COUNT     1
        MEAN_DATA_LENGTH        644
        MEAN_INDEX_LENGTH       34

ANALYSIS_OF_KEY 1
        DATA_FILL               7
        DATA_KEY_COMPRESSION    0
        DATA_RECORD_COUNT       4
        DATA_SPACE_OCCUPIED     2
        DEPTH                   1
        DUPLICATES_PER_SIDR     0
        INDEX_COMPRESSION       0
        INDEX_FILL              2
        INDEX_SPACE_OCCUPIED    2
        LEVEL1_RECORD_COUNT     1
        MEAN_DATA_LENGTH        15
        MEAN_INDEX_LENGTH       6

ANALYSIS_OF_KEY 2
        DATA_FILL               8
        DATA_KEY_COMPRESSION    0
        DATA_RECORD_COUNT       4
        DATA_SPACE_OCCUPIED     2
        DEPTH                   1
        DUPLICATES_PER_SIDR     0
        INDEX_COMPRESSION       0
        INDEX_FILL              2
        INDEX_SPACE_OCCUPIED    2
        LEVEL1_RECORD_COUNT     1
        MEAN_DATA_LENGTH        19
        MEAN_INDEX_LENGTH       10

ANALYSIS_OF_KEY 3
        ! This index is uninitialized - there are no records.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Examination
~~~~~~~~~

        Generally, an interactive user would use the AUTHORIZE utility to
modify or examine the UAF, while a program would use the $GETUAI system
services (get user authorization information service) to examine the file.
The $GETUAI system services reference provide an excellent description of what
fields the UAF contains, and how many bytes are used within the file to store
each of those fields.  However, it may not be within your realm of skills to
program using system services.  It would probably be considerably easier to
use a sector editor/browser to locate values within the UAF.  You could use a
sector editor/browser online (such as VFE.EXE), or you you might choose to
download the UAF and use an editor/browse for your personal computer.
Regardless of which method you choose, you will have to know the offset of
each field within the user authorization file.  This is what I have provided
for you.

        The contents of the UAF under VMS release 5.3-1 are as follows:

Offset   Description                                            Length
-----------------------------------------------------------------------------
   0     Record Header                                             4
   4     Username (loginid)                                       32
  36     Member UIC - Mem UIC decimal   1 = 0100                   2
                      Mem UIC decimal  10 = 0A00
                      Mem UIC decimal 256 = FF01

  38     Group UIC  - Same as format as member UIC                 2

         Note:  UICs as displayed in the VMS environment
         are OCTAL.  A UIC of [010,001] would be saved as
         '01000800' in bytes 36-39 (offset).

  40     Nulls                                                    12
  52     Account name                                             32
  84     1 byte - value = length of owner                          1
  85     Owner                                                    31
 116     1 byte - value = length of device                         1
 117     Device (default disk device)                             31
 148     1 byte - length of default (SYS$LOGIN) directory          1
 149     Default (SYS$LOGIN) directory name                       63
 212     1 byte - length of default login command file             1
 213     Default login command file                               63
 276     1 byte - length of default CLI                            1
 277     Default command language interpeter                      31

         Note: CLI is assumed to be in SYS$SYSTEM directory
         and have an .EXE extension.

 308     1 byte - length of user defined CLI tables                1
 309     User defined CLI table name                              31
 340     Encrypted primary password                                8
 348     Encrypted secondary password                              8
 356     Number of login fails                                     2
 358     Password encryption salt                                  2
 360     Encryption algorithm code byte - primary password         1
 361     Encryption algorithm code byte - secondary password       1
 362     Password minimum length                                   1
 363     Filler (1 byte)                                           1
 364     Account expiration date                                   8
 372     Password lifetime                                         8
 380     Password change date/time - primary password              8
 388     Password change date/time - secondary password            8
 396     Last interactive login date/time                          8
 404     Last non-interactive login date/time                      8
 412     Authorize priviledges                                     8
 420     Default priviledges                                       8
 428     Filler (40 bytes)                                        40

 468     Login Flags bits as follows:                              4

           7  6  5  4  3  2  1  0
         -------------------------
         |  |  |  |  |  |  |  |  |
         -------------------------

         Byte Offset 468:

         Bit 0            - User can not use CTRL-Y
         Bit 1            - User is restricted to default
                            command interpeter
         Bit 2            - SET PASSWORD command is disabled
         Bit 3            - Prevent user from changing any
                            defaults at login
         Bit 4            - User account is disabled
         Bit 5            - User will not receive the login
                            welcome message
         Bit 6            - Announcement of new mail is suppressed
         Bit 7            - Mail delivery to user is disabled

         Byte Offset 469:

         Bit 0            - User is required to use generated
                            passwords
         Bit 1            - Primary password is expired
         Bit 2            - Secondary password is expired
         Bit 3            - All actions are audited
         Bit 4            - User will not receive last login
                            messages
         Bit 5            - User can not reconnect to existing
                            processes
         Bit 6            - User can only login to terminals
                            defined by the automatic login
                            facility (ALF)
         Bit 7            - User is required to change expired
                            passwords

         Byte Offset 470:

         Bit 0            - User is restricted to captive account
         Bit 1            - Prevent user from executing RUN, MCR
                            commands, or foreign commands at the
                            DCL level
         Bits 2-7         - Reserved for future use

         Byte Offset 471:

         Bits 0-7         - Reserved for future use


         Note On Access Bytes:

         Each bit set represents a 1-hour period, from bit 0 as
         midnight to 1 a.m. to bit 23 as 11 p.m. to midnight.

 472     Network access bytes - primary days                       3
 475     Network access bytes - seconday days                      3
 478     Batch access bytes - primary days                         3
 481     Batch access bytes - seconday days                        3
 484     Local access bytes - primary days                         3
 487     Local access bytes - seconday days                        3
 490     Dialup access bytes - primary days                        3
 493     Dialup access bytes - secondary days                      3
 496     Remote access bytes - primary days                        3
 499     Remote access bytes - seconday days                       3

 502     Filler (12 bytes)                                        12
 514     Prime days                                                1

         Bits 0-7 toggled on represents primedays, respective
         to Mon, Tue, ..., Sun.

 515     Filler (1 byte)                                           1
 516     Default base priority                                     1
 517     Maximum job queue priority                                1
 518     Active process limit                                      2
 520     Max. number of interactive, detached, and batch jobs      2
 524     Detached process limit                                    2
 526     Subprocess creation limit                                 2
 528     Buffered I/O count                                        2
 530     Timer queue entry limit                                   2
 532     AST queue limit                                           2
 534     Lock queue limit                                          2
 536     Open file limit                                           4
 538     Shared file limit                                         2
 540     Working set quota                                         4
 548     Working set extent                                        4
 552     Paging file quota                                         4
 556     Maximum CPU time limit (in 10-milliseconds)               4
 560     Buffered I/O byte limit                                   4
 564     Paged buffer I/O byte count limit                         4
 568     Initial byte quota (jobwide logical name table uses)      4
 572     Filler (72 bytes)                                        72

        Dates and times are stored as 8 bytes representing the number of
seconds elapsed since November 17, 1858, 12:00:00 a.m.

        Earlier versions of the VMS UAF will contain much of the same data,
which should be at the same offset as listed above.


        Should you decide to attempt to modify the SYSUAF.DAT file, keep in
mind that if you download the file, when you upload it, it will not be the
same as it was before; it will not be an indexed file.  You *might* be able
to create an .FDL file (using ANALYZE/RMS/FDL SYSUAF.DAT), and use that .FDL
file to convert it back to an indexed file
(with CONVERT/FDL=SYSUAF.FDL UPLOAD_UAF.DAT NEW_UAF.DAT), but chances that it
will contain the proper indexing and file attributes are slim.  Remember when
altering the SYSUAF.DAT file to keep a copy around (on the system) in case
you need to repair the damage.


-PHz

Feel free to make any comments or corrections to the following address:

[phz@judy.indstate.edu]
_______________________________________________________________________________