Newsgroups: comp.os.vms
Path: sparky!uunet!haven.umd.edu!darwin.sura.net!zaphod.mps.ohio-state.edu!sol.ctr.columbia.edu!ira.uka.de!math.fu-berlin.de!news.netmbx.de!Germany.EU.net!rzultr.uni-trier.de!TI.Uni-Trier.DE!bern
From: bern@Uni-Trier.DE (Jochen Bern)
Subject: Re: Account creation utilities?
Message-ID: <bern.722089745@kleopatra>
Originator: bern@kleopatra
Sender: news@rzultr.uni-trier.de (USENET News System)
Organization: Theor. CS, FB IV / CS, Univ. of Trier, Germany (Internet TI.Uni-Trier.DE)
References: <01GR9BYHRK6O9BW1GZ@SPOCK.FHCRC.ORG> <1992Nov17.173519.3995@arizona.edu>
Distribution: world,local
Date: Wed, 18 Nov 1992 12:29:05 GMT
Lines: 50

In <1992Nov17.173519.3995@arizona.edu> leonard@telcom.arizona.edu (Aaron Leonard) writes:
>In article <01GR9BYHRK6O9BW1GZ@SPOCK.FHCRC.ORG>, JOE@SPOCK.FHCRC.ORG (Joe Meadows) writes:
>| > I'm looking for a utility which would allow users who don't
>| >have write access to SYSUAF.DAT to be able to create and modify
         ^^^^^^^^^^^^^^^^^
>| >accounts. I know such a beast exists, and I recall someone mentioning
>| >it, but I can't seem to find it in the VMS software list.
>|
>| I'm sorry, I can't help myself, even realizing that a dozen other folks will
>| probably give the same answer but ....
>| How about using INSTALL SYS$SYSTEM:AUTHORIZE/PRIV=BYPASS? It sounds like
>| it would be exactly what you're asking for!

>On a non-facetious note, we once tried doing something like this:
>- set the protection on AUTHORIZE.EXE to W:none, and put an ACL on
>  the file such that the "special" users had E access
>- in our startups, install AUTHORIZE with SYSPRV
>This seemed to meet our perverted needs for a while. Then we upgraded
>VMS, which took the liberty of setting the protection on the new version of
>AUTHORIZE to W:RE. Our startups merrily continued to install AUTHORIZE
>with SYSPRV, leaving us with a security hole big enough to drive a large
>vehicle thru, till the abashed system manager noticed it several weeks later.
>So I'd say, just give those users write access to SYSUAF ...

To the original Poster: There's no Way to do LITERALLY what you requested:
Allow Creation and Modification, but NOT Deletion of ACCOUNTS. Anybody able
to use AUTHORIZE will be able to delete Accounts (well, not much Difference
to Modification making them unusable) and to handle the additional Data in
the SYSUAF (such as Groups etc.). All the Answers I cited include these
enlarged Possibilities. If this is acceptable for you, read the following
Paragraph, too.

To Joe Meadows: As far as I remember, there is a Qualifier to AUTHORIZE
which switches the File accessed to some other File. Give BYPASS to AUTHORIZE
and AUTHORIZE will be able to destroy ANY File. SYSPRV is only slightly
better. Both are what we in Germany call "shooting Birds with Cannons". If
SYSUAF.DAT's Owner is not required to be SYSTEM, simply change the Owner.
If the Owner has to be fixed, add an ACL to SYSUAF.DAT. (BTW, checking for
ACLs on SYSUAF.DAT is an often forgotten Security Check.) Yes, I know that
somebody who can create Accounts can create one for himself with BYPASS
enabled. But he has to log in as this new User, which would be audited.
(Our big VAX has all Logins immediately logged on a Hardcopy.)

Greetings,
J. Bern
--
 /  \   I hate NN rejecting .sigs >4 lines. Even though *I* set up this one.  /\
/ J. \  EMail: bern@[TI.]Uni-Trier.DE / ham: DD0KZ / More Infos on me from  /  \
\Bern/  X.400 Mail: S=BERN;P=Uni-Trier;A=dbp;C=de / X.400 Directory, see   \  /
 \  /   Zurmaiener Str. 98-100, D-W-5500 Trier / X.29 # 45050230303.       \/

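The ACL-on-SYSUAF approach Bern prefers over installing AUTHORIZE with BYPASS or SYSPRV, together with the two checks this thread shows are easy to forget, as an added DCL command procedure that is not part of the original posts. It assumes a privileged account, a hypothetical rights identifier ACCT_ADMIN already defined in RIGHTSLIST, and VMS 5.x-era qualifier spelling (SET ACL rather than the later SET SECURITY).

```dcl
$! Added example, not from the thread: audit how SYSUAF.DAT and AUTHORIZE.EXE
$! are protected, then grant write access on the UAF to one identifier through
$! an ACL instead of INSTALLing AUTHORIZE with BYPASS or SYSPRV.
$! Assumptions: run from a privileged account; ACCT_ADMIN is a hypothetical
$! rights identifier that already exists in RIGHTSLIST.DAT.
$ SET NOON
$!
$! Check 1 (the one Bern calls often forgotten): owner, protection and ACL
$! of the UAF. Anything beyond SYSTEM plus the intended identifier is suspect.
$ WRITE SYS$OUTPUT "--- Owner, protection and ACL of SYSUAF.DAT ---"
$ DIRECTORY/OWNER/PROTECTION/ACL SYS$SYSTEM:SYSUAF.DAT
$!
$! Check 2 (the hole Aaron's upgrade opened): is AUTHORIZE an installed image
$! carrying privileges? "not installed" or an empty privilege list is what a
$! defender wants to see here.
$ WRITE SYS$OUTPUT "--- AUTHORIZE.EXE as an installed image ---"
$ INSTALL LIST/FULL SYS$SYSTEM:AUTHORIZE.EXE
$!
$! The recommended alternative: give the account administrators READ+WRITE on
$! the UAF file itself, leaving its owner and W:<none> protection untouched.
$! Holders can still delete or lock out accounts, as the post says; what they
$! cannot do is touch any other file on the system.
$ SET ACL/ACL=(IDENTIFIER=ACCT_ADMIN,ACCESS=READ+WRITE) SYS$SYSTEM:SYSUAF.DAT
$!
$! AUTHORIZE also opens SYS$SYSTEM:RIGHTSLIST.DAT; an ACL there is needed only
$! if the same people must manage identifiers, so do not add it by default.
$ DIRECTORY/ACL SYS$SYSTEM:SYSUAF.DAT
$ EXIT
```

Re-run the two checks after every VMS upgrade, since that is exactly when the protection on AUTHORIZE.EXE changed underneath Aaron's setup.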