Title : Inside the SYSUAF.DAT File
Author : Pain Hertz
==Phrack Classic==
Volume Three, Issue 32, File #8 of 12
+-------------------------------+
| Inside the SYSUAF.DAT file of |
+-------------------------------+
+------------------------------------------------------+
| Digital Equipment Corporation's VMS Operating System |
+------------------------------------------------------+
-= by =-
-----:> Pain Hertz <:----
Overview
~~~~~~~
In this file, I will explain what the System User Authorization File
is, what information it contains, what the logical and physical characteristics
of the file are, and how one can manipulate it to reveal and/or modify its
contents.
Background
~~~~~~~~
The Virtual Memory System (VMS) Operating System's System User
Authorization File (SYSUAF) contains the information that determines a given
user's username, password(s), security priviledges, as well as many other
similar data which either allow or disallow the user to have the system
perform certain tasks.
Characteristics
~~~~~~~~~~~~~~
The SYSUAF.DAT file (UAF) is usually located on the system on the
device pointed to by the logical SYS$COMMON, and under the [SYSEXE]
subdirectory. However, if the logical SYSUAF exists, it will point to the
location and name of the UAF.
The UAF is a binary, indexed data file. It's indexed on 4 keys:
username, UIC, extended user identifier, and owner identifier. Using
the VMS ANALYZE utility reveals the following about the UAF:
IDENT "01-JAN-1990 13:13:13 VAX/VMS ANALYZE/RMS_FILE Utility"
SYSTEM
SOURCE VAX/VMS
FILE
ALLOCATION 24
BEST_TRY_CONTIGUOUS yes
BUCKET_SIZE 3
CLUSTER_SIZE 3
CONTIGUOUS no
EXTENSION 3
FILE_MONITORING no
GLOBAL_BUFFER_COUNT 0
NAME "SYS$COMMON:[SYSEXE]SYSUAF.DAT;1"
ORGANIZATION indexed
OWNER [SYSTEM]
PROTECTION (system:RWED, owner:RWED, group:RWED, world:RE)
RECORD
BLOCK_SPAN yes
CARRIAGE_CONTROL none
FORMAT variable
SIZE 1412
AREA 0
ALLOCATION 9
BEST_TRY_CONTIGUOUS yes
BUCKET_SIZE 3
EXTENSION 3
AREA 1
ALLOCATION 3
BUCKET_SIZE 3
EXTENSION 3
AREA 2
ALLOCATION 12
BUCKET_SIZE 2
EXTENSION 12
KEY 0
CHANGES no
DATA_KEY_COMPRESSION yes
DATA_RECORD_COMPRESSION yes
DATA_AREA 0
DATA_FILL 100
DUPLICATES no
INDEX_AREA 1
INDEX_COMPRESSION yes
INDEX_FILL 100
LEVEL1_INDEX_AREA 1
NAME "Username"
NULL_KEY no
PROLOG 3
SEG0_LENGTH 32
SEG0_POSITION 4
TYPE string
KEY 1
CHANGES yes
DATA_KEY_COMPRESSION no
DATA_AREA 2
DATA_FILL 100
DUPLICATES yes
INDEX_AREA 2
INDEX_COMPRESSION no
INDEX_FILL 100
LEVEL1_INDEX_AREA 2
NAME "UIC"
NULL_KEY no
SEG0_LENGTH 4
SEG0_POSITION 36
TYPE bin4
KEY 2
CHANGES yes
DATA_KEY_COMPRESSION no
DATA_AREA 2
DATA_FILL 100
DUPLICATES yes
INDEX_AREA 2
INDEX_COMPRESSION no
INDEX_FILL 100
LEVEL1_INDEX_AREA 2
NAME "Extended User Identifier"
NULL_KEY no
SEG0_LENGTH 8
SEG0_POSITION 36
TYPE bin8
KEY 3
CHANGES yes
DATA_KEY_COMPRESSION no
DATA_AREA 2
DATA_FILL 100
DUPLICATES yes
INDEX_AREA 2
INDEX_COMPRESSION no
INDEX_FILL 100
LEVEL1_INDEX_AREA 2
NAME "Owner Identifier"
NULL_KEY yes
NULL_VALUE 0
SEG0_LENGTH 8
SEG0_POSITION 44
TYPE bin8
ANALYSIS_OF_AREA 0
RECLAIMED_SPACE 0
ANALYSIS_OF_AREA 1
RECLAIMED_SPACE 0
ANALYSIS_OF_AREA 2
RECLAIMED_SPACE 0
ANALYSIS_OF_KEY 0
DATA_FILL 71
DATA_KEY_COMPRESSION 75
DATA_RECORD_COMPRESSION 67
DATA_RECORD_COUNT 5
DATA_SPACE_OCCUPIED 3
DEPTH 1
INDEX_COMPRESSION 85
INDEX_FILL 1
INDEX_SPACE_OCCUPIED 3
LEVEL1_RECORD_COUNT 1
MEAN_DATA_LENGTH 644
MEAN_INDEX_LENGTH 34
ANALYSIS_OF_KEY 1
DATA_FILL 7
DATA_KEY_COMPRESSION 0
DATA_RECORD_COUNT 4
DATA_SPACE_OCCUPIED 2
DEPTH 1
DUPLICATES_PER_SIDR 0
INDEX_COMPRESSION 0
INDEX_FILL 2
INDEX_SPACE_OCCUPIED 2
LEVEL1_RECORD_COUNT 1
MEAN_DATA_LENGTH 15
MEAN_INDEX_LENGTH 6
ANALYSIS_OF_KEY 2
DATA_FILL 8
DATA_KEY_COMPRESSION 0
DATA_RECORD_COUNT 4
DATA_SPACE_OCCUPIED 2
DEPTH 1
DUPLICATES_PER_SIDR 0
INDEX_COMPRESSION 0
INDEX_FILL 2
INDEX_SPACE_OCCUPIED 2
LEVEL1_RECORD_COUNT 1
MEAN_DATA_LENGTH 19
MEAN_INDEX_LENGTH 10
ANALYSIS_OF_KEY 3
! This index is uninitialized - there are no records.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Examination
~~~~~~~~~
Generally, an interactive user would use the AUTHORIZE utility to
modify or examine the UAF, while a program would use the $GETUAI system
services (get user authorization information service) to examine the file.
The $GETUAI system services reference provide an excellent description of what
fields the UAF contains, and how many bytes are used within the file to store
each of those fields. However, it may not be within your realm of skills to
program using system services. It would probably be considerably easier to
use a sector editor/browser to locate values within the UAF. You could use a
sector editor/browser online (such as VFE.EXE), or you you might choose to
download the UAF and use an editor/browse for your personal computer.
Regardless of which method you choose, you will have to know the offset of
each field within the user authorization file. This is what I have provided
for you.
The contents of the UAF under VMS release 5.3-1 are as follows:
Offset Description Length
-----------------------------------------------------------------------------
0 Record Header 4
4 Username (loginid) 32
36 Member UIC - Mem UIC decimal 1 = 0100 2
Mem UIC decimal 10 = 0A00
Mem UIC decimal 256 = FF01
38 Group UIC - Same as format as member UIC 2
Note: UICs as displayed in the VMS environment
are OCTAL. A UIC of [010,001] would be saved as
'01000800' in bytes 36-39 (offset).
40 Nulls 12
52 Account name 32
84 1 byte - value = length of owner 1
85 Owner 31
116 1 byte - value = length of device 1
117 Device (default disk device) 31
148 1 byte - length of default (SYS$LOGIN) directory 1
149 Default (SYS$LOGIN) directory name 63
212 1 byte - length of default login command file 1
213 Default login command file 63
276 1 byte - length of default CLI 1
277 Default command language interpeter 31
Note: CLI is assumed to be in SYS$SYSTEM directory
and have an .EXE extension.
308 1 byte - length of user defined CLI tables 1
309 User defined CLI table name 31
340 Encrypted primary password 8
348 Encrypted secondary password 8
356 Number of login fails 2
358 Password encryption salt 2
360 Encryption algorithm code byte - primary password 1
361 Encryption algorithm code byte - secondary password 1
362 Password minimum length 1
363 Filler (1 byte) 1
364 Account expiration date 8
372 Password lifetime 8
380 Password change date/time - primary password 8
388 Password change date/time - secondary password 8
396 Last interactive login date/time 8
404 Last non-interactive login date/time 8
412 Authorize priviledges 8
420 Default priviledges 8
428 Filler (40 bytes) 40
468 Login Flags bits as follows: 4
7 6 5 4 3 2 1 0
-------------------------
| | | | | | | | |
-------------------------
Byte Offset 468:
Bit 0 - User can not use CTRL-Y
Bit 1 - User is restricted to default
command interpeter
Bit 2 - SET PASSWORD command is disabled
Bit 3 - Prevent user from changing any
defaults at login
Bit 4 - User account is disabled
Bit 5 - User will not receive the login
welcome message
Bit 6 - Announcement of new mail is suppressed
Bit 7 - Mail delivery to user is disabled
Byte Offset 469:
Bit 0 - User is required to use generated
passwords
Bit 1 - Primary password is expired
Bit 2 - Secondary password is expired
Bit 3 - All actions are audited
Bit 4 - User will not receive last login
messages
Bit 5 - User can not reconnect to existing
processes
Bit 6 - User can only login to terminals
defined by the automatic login
facility (ALF)
Bit 7 - User is required to change expired
passwords
Byte Offset 470:
Bit 0 - User is restricted to captive account
Bit 1 - Prevent user from executing RUN, MCR
commands, or foreign commands at the
DCL level
Bits 2-7 - Reserved for future use
Byte Offset 471:
Bits 0-7 - Reserved for future use
Note On Access Bytes:
Each bit set represents a 1-hour period, from bit 0 as
midnight to 1 a.m. to bit 23 as 11 p.m. to midnight.
472 Network access bytes - primary days 3
475 Network access bytes - seconday days 3
478 Batch access bytes - primary days 3
481 Batch access bytes - seconday days 3
484 Local access bytes - primary days 3
487 Local access bytes - seconday days 3
490 Dialup access bytes - primary days 3
493 Dialup access bytes - secondary days 3
496 Remote access bytes - primary days 3
499 Remote access bytes - seconday days 3
502 Filler (12 bytes) 12
514 Prime days 1
Bits 0-7 toggled on represents primedays, respective
to Mon, Tue, ..., Sun.
515 Filler (1 byte) 1
516 Default base priority 1
517 Maximum job queue priority 1
518 Active process limit 2
520 Max. number of interactive, detached, and batch jobs 2
524 Detached process limit 2
526 Subprocess creation limit 2
528 Buffered I/O count 2
530 Timer queue entry limit 2
532 AST queue limit 2
534 Lock queue limit 2
536 Open file limit 4
538 Shared file limit 2
540 Working set quota 4
548 Working set extent 4
552 Paging file quota 4
556 Maximum CPU time limit (in 10-milliseconds) 4
560 Buffered I/O byte limit 4
564 Paged buffer I/O byte count limit 4
568 Initial byte quota (jobwide logical name table uses) 4
572 Filler (72 bytes) 72
Dates and times are stored as 8 bytes representing the number of
seconds elapsed since November 17, 1858, 12:00:00 a.m.
Earlier versions of the VMS UAF will contain much of the same data,
which should be at the same offset as listed above.
Should you decide to attempt to modify the SYSUAF.DAT file, keep in
mind that if you download the file, when you upload it, it will not be the
same as it was before; it will not be an indexed file. You *might* be able
to create an .FDL file (using ANALYZE/RMS/FDL SYSUAF.DAT), and use that .FDL
file to convert it back to an indexed file
(with CONVERT/FDL=SYSUAF.FDL UPLOAD_UAF.DAT NEW_UAF.DAT), but chances that it
will contain the proper indexing and file attributes are slim. Remember when
altering the SYSUAF.DAT file to keep a copy around (on the system) in case
you need to repair the damage.
-PHz
Feel free to make any comments or corrections to the following address:
[[email protected]]
_______________________________________________________________________________