.! +---------------------------------------------------------------------------+
.! |                                                                           |
.! | UTIL$ROOT:[DOC]WHO.RNH On-Line Documentation for the WHO Utility          |
.! | Scott Bailey, Xerox Corp. RE/GSD/WCO Created June 17, 1986                |
.! |                                                                           |
.! | Modification History                                                      |
.! | 24-JAN-1991 (RSB) Update for /FULL                                        |
.! | 17-NOV-1990 (RSB) Update for VMS V5.4, /DATABASE, more output fields      |
.! | 21-DEC-1989 (RSB) Update for VMS V5.2 - more flag changes                 |
.! | 14-NOV-1988 (RSB) Update for VMS V5.0 - DISFORCE_PWD_CHANGE flag          |
.! | 31-AUG-1988 (RSB) Add documentation for MANAGER field                     |
.! | 17-FEB-1988 (RSB) Change /COLLECT to /FILTER, minor fixes                 |
.! |  5-FEB-1988 (RSB) /PRIVILEGES, /DEFPRIVILEGES, /FLAGS, /COLLECT added     |
.! | 27-OCT-1987 (RSB) Add documentation for /STATISTICS qualifier             |
.! | 10-JUL-1986 (RSB) Add documentation for local fields                      |
.! |  2-JUL-1986 (RSB) Add documentation for another 10 output fields          |
.! |  1-JUL-1986 (RSB) Add documentation for 10 new output fields              |
.! |                                                                           |
.! +---------------------------------------------------------------------------+
.!
.lm 1
.rm 70
.nopaging
.p 0,1,0
.ap
.i -1
1 WHO

WHO is a utility designed to output useful information about a user if a username or UIC is known. It was originally modelled on the Digital program of the same name which was eliminated during the summer of 1982, but it now provides much more information than the original program. WHO is run using the command:
.b
.i 10
$ WHO[/qualifier(s)] parameter-list
.b
where one or more optional qualifiers may be specified in addition to the list of users to find.
.i -1
2 /DATABASE

The /DATABASE qualifier allows you to search an authorization database other than the active system database, which is the default. You must have read access to the alternate authorization file. Note that identifier-related information always uses the system rights database regardless of the authorization file being scanned.
.i -1
2 /FILTER

The /FILTER qualifier allows you to filter information for some output fields. If you specify more than one field, you should enclose the list in parentheses:
.b
_/FILTER=(field=(items)[,field=(items),...])
.b
The effect is to suppress display of the items specified for each field; instead, the field's output will be prefixed with an asterisk ("_*") if any of the specified items would otherwise have appeared. This action does not impact the actual presence/location/size of the field; that is controlled by the _/SHOW qualifier.
.!
.! ========== BEGINNING OF FILTER ELEMENT DOCUMENTATION ==========
.!
.i -1
3 DEFPRIVILEGES

This element controls display of the default privileges field. You may specify any combination of VMS privileges and privilege class specifications.
.i -1
3 FLAGS

This element controls display of the login flags field. You may specify any combination of valid login flags.
.i -1
3 PRIVILEGES

This element controls display of the authorized privileges field. You may specify any combination of VMS privileges and privilege class specifications.
.i -1
3 Examples

The following command might be used to see which non-captive accounts have unusual privileges, and what those privileges are.
.b
.nf
_$ WHO * /SHOW=(HEADER,USERNAME,FLAGS,PRIVILEGES=40) -
___$ /FILTER=(FLAGS=CAPTIVE,PRIVILEGES=(TMPMBX,NETMBX))
.f
.b
Each captive account will have an asterisk at the beginning of the flags column, and only nonstandard privileges will be displayed.
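The filtering rule described above, modelled in Python over constructed account records. This is an added example, not part of the WHO documentation or the utility's own code; the comma separator, the truncation to the column width and all account data are assumptions.

```python
# Added example: a model of the /FILTER rule, not WHO's own code.
# All account records below are constructed sample data.
ACCOUNTS = [
    {"username": "SYSTEM", "flags": [],
     "privileges": ["CMKRNL", "NETMBX", "SETPRV", "SYSPRV", "TMPMBX"]},
    {"username": "MENU", "flags": ["CAPTIVE", "DISCTLY"],
     "privileges": ["NETMBX", "TMPMBX"]},
    {"username": "FRODO", "flags": [], "privileges": ["NETMBX", "TMPMBX"]},
    {"username": "BACKUP", "flags": ["DISMAIL"],
     "privileges": ["READALL", "TMPMBX"]},
]


def apply_filter(items, filtered):
    """Return (hit, shown): whether any filtered item was present, and the rest."""
    wanted = {name.upper() for name in filtered}
    shown = [item for item in items if item.upper() not in wanted]
    return len(shown) != len(items), shown


def render_field(items, filtered, width):
    """One output column: '*' prefix on a hit, then the unsuppressed items.

    Assumption: items are comma-joined and the text is cut to the column
    width; the page states only that /SHOW fixes the width.
    """
    hit, shown = apply_filter(items, filtered)
    return (("*" if hit else "") + ",".join(shown))[:width].ljust(width)


def report(accounts, show, filters):
    """show is [(field, width), ...]; filters is {field: [items to suppress]}."""
    rows = []
    for acct in accounts:
        cols = []
        for field, width in show:
            value = acct[field]
            if isinstance(value, list):
                cols.append(render_field(value, filters.get(field, ()), width))
            else:
                cols.append(str(value)[:width].ljust(width))
        rows.append(" ".join(cols).rstrip())
    return rows


def unusual_noncaptive(accounts, standard=("TMPMBX", "NETMBX")):
    """Non-captive accounts mapped to privileges beyond the standard pair."""
    found = {}
    for acct in accounts:
        captive, _ = apply_filter(acct["flags"], ["CAPTIVE"])
        _, extra = apply_filter(acct["privileges"], standard)
        if extra and not captive:
            found[acct["username"]] = extra
    return found


def holders(accounts, privilege):
    """Accounts whose privileges column would carry the '*' marker."""
    return [a["username"] for a in accounts
            if apply_filter(a["privileges"], [privilege])[0]]


if __name__ == "__main__":
    show = [("username", 12), ("flags", 12), ("privileges", 40)]
    filters = {"flags": ["CAPTIVE"], "privileges": ["TMPMBX", "NETMBX"]}
    print("\n".join(report(ACCOUNTS, show, filters)))
    print(unusual_noncaptive(ACCOUNTS), holders(ACCOUNTS, "SETPRV"))
```

An account holding only the filtered privileges renders as a bare asterisk, which is why the marker alone is enough to search on.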
If you wanted a list of all users holding SETPRV privilege, you could use:
.b
.nf
_$ WHO * /SHOW=(USER,PRIV)/FILTER=PRIV=SETPRV/OUTPUT=WHO.TMP
_$ SEARCH WHO.TMP "*"
.f
.i -1
3 Login__Flags

The following login flags are currently supported:
.b
.literal
DISCTLY              The CTRL/Y key is initially disabled for the user
DEFCLI               The /CLI login qualifier is ignored if specified
LOCKPWD              The user's password may not be changed
RESTRICTED           The account is forced to execute its LGICMD procedure
DISUSER              The account may not be used
DISWELCOME           The user will not see the system news message
DISNEWMAIL           The user will not be notified of pending new mail
DISMAIL              Mail may not be sent to this user
GENPWD               The user must use randomly-generated passwords
PWD_EXPIRED          The user's first password has expired
PWD2_EXPIRED         The user's second password has expired
AUDIT                All security-related activities will be audited
DISREPORT            The user will not be notified of prior login fails
DISRECONNECT         The user may not reconnect to a disconnected session
AUTOLOGIN            This account may only be used by autologin terminals
DISFORCE_PWD_CHANGE  Expired passwords are not automatically changed
CAPTIVE              The account can not access DCL directly
DISIMAGE             The account can not use RUN, MCR or foreign commands
DISPWDDIC            New passwords are not checked in the system dictionary
DISPWDHIS            New passwords are not checked against old passwords
.end literal
.i -1
3 VMS__Privileges

The following privileges are defined by VAX/VMS V5.4 and understood by the WHO utility. A description of each privilege may be found in appendix A of the "Guide to VMS System Security" -- a part of the extended VAX/VMS documentation set.
.b
.literal
ACNT       Disable accounting
ALLSPOOL   Allocate spooled device
ALTPRI     Set base priority higher than allotment
BUGCHK     Make bugcheck error log entries
BYPASS     Disregard protection
CMEXEC     Change to executive mode
CMKRNL     Change to kernel mode
DETACH     Create detached processes of arbitrary UIC
DIAGNOSE   Diagnose devices
DOWNGRADE  (defined but not used)
EXQUOTA    Exceed disk quotas
GROUP      Control processes in the same group
GRPNAM     Insert group logical names in the name table
GRPPRV     Group access via SYSTEM protection field
LOG_IO     Issue logical I/O requests
MOUNT      Execute mount volume QIO
NETMBX     Create network connections
OPER       Perform operator functions
PFNMAP     Map to specific physical pages
PHY_IO     Issue physical I/O requests
PRMCEB     Create/delete permanent common event flag clusters
PRMGBL     Create permanent global sections
PRMMBX     Create permanent mailboxes
PSWAPM     Change process swap mode
READALL    Possess read access to everything
SECURITY   Perform security-related functions
SETPRV     Enable any privilege
SHARE      Access devices allocated to other users
SHMEM      Create/delete structures in shared memory
SYSGBL     Create system-wide global sections
SYSLCK     Lock system-wide resources
SYSNAM     Insert/delete system logical names in the name table
SYSPRV     Access objects via SYSTEM protection field
TMPMBX     Create temporary mailbox
UPGRADE    (defined but not used)
VOLPRO     Override volume protection
WORLD      Control any process
.end literal
.!
.! ========== END OF FILTER ELEMENT DOCUMENTATION ==========
.!
.i -1
2 /FULL

The /FULL qualifier generates a full display for each matched user which is similar to the output generated by the AUTHORIZE utility. This qualifier may not be used in conjunction with the /SHOW qualifier.
.i -1
2 /SHOW

The /SHOW qualifier allows you to specify the output format used to return information about the users you select.
If you specify more than one item, you should enclose the list in parentheses:
.b
_/SHOW=(field[=width][,field[=width],...])
.b
Each list element except HEADER may have a value specified for it. This value, if present, indicates the column width to be used for that field.
.b
This qualifier may not be used with the /FULL qualifier.
.!
.! ========== BEGINNING OF SHOW ELEMENT DOCUMENTATION ==========
.!
.i -1
3 ACCOUNT

(D) This entry causes account fields to be displayed. By default, the column width is 8 characters, sufficient for V3-style accounts. V4 allows much longer account names to be used.
.i -1
3 ASTLM

This entry requests the display of the user's AST limit. This represents the maximum number of ASTs which a process may have queued at any one time. The default column width is 5 characters.
.i -1
3 BATCH_ACCESS

This field displays a summary of the user's system batch access. It will return "All" if access is allowed, "None" if access is disallowed, or "Some" if access is allowed only during certain hours of the day. If access is different for primary and secondary days (see the PRIMEDAYS field) then the display will report the value for primary days followed by secondary day access.
.i -1
3 BIOLM

This element displays the buffered I/O limit for the user's processes. This is the maximum number of I/O requests requiring buffering (usually terminal and mailbox I/O) which can be outstanding at any time. The field is 5 characters long by default.
.i -1
3 BYTLM

This field displays the buffered I/O byte limit for the user's processes. This is the maximum amount of nonpaged memory which can be used at any one time for I/O, mailboxes, file-access windows, etc. The default column width of 6 is sufficient for normal users.
.i -1
3 CLASS

This field reports the user group class which includes the user. This information is contained in the site-specific part of the authorization record and may not be available for all users.
The text "SYSTEM_DEFAULT" will appear when this area is not defined.
.i -1
3 CLITABLES

This element displays the default command table for the user. Normal users will have DCLTABLES here, so the default column width of 10 will be adequate.
.i -1
3 COSTCENTER

This field displays the user's Xerox Cost Center. The default column width is 11 characters, to accommodate the header. This information is contained in the site-specific part of the authorization record and may not be available for all users. The text "(n/a)" will appear when this area is not defined.
.i -1
3 DEFCLI

This entry causes the name of the default command language interpreter to be displayed. The default width of 3 should be great for normal users, who will always have DCL as their CLI.
.i -1
3 DEFPRIVILEGES

This column displays the default privilege mask for each user. The default field width will probably be insufficient to completely list privileges for privileged accounts; the _/FILTER=DEFPRIVILEGES qualifier can be used to filter this output. A list of legal privileges is contained in the _/FILTER qualifier description.
.i -1
3 DIALUP_ACCESS

This field displays a summary of the user's interactive dialup access. It will return "All" if access is allowed, "None" if access is disallowed, or "Some" if access is allowed only during certain hours of the day. If access is different for primary and secondary days (see the PRIMEDAYS field) then the display will report the value for primary days followed by secondary day access.
.i -1
3 DIOLM

This entry causes the user's direct I/O limit to be displayed. This value represents the maximum number of non-buffered I/O (usually disk I/O) requests which can be outstanding for a process at any time. The default width of this field is 5 characters.
.i -1
3 DIRECTORY

(D) This entry causes the user's default login directory to be displayed. The default column width is 21, which is usually sufficient. A directory specification could be as long as 62 characters.
.i -1
3 EMPLOYEE

This field displays the user's employee number. The default field width is 8 characters. This information is contained in the site-specific part of the authorization record and may not be available for all users. The text "(n/a)" will appear when this area is not defined.
.i -1
3 ENQLM

The enqueue limit displayed by this field represents the largest number of locks which can be held simultaneously by the user's process. The default column width is 5, which should be sufficient for all but the most rabid database users.
.i -1
3 EXPIRATION

This element displays the expiration date for each user. The default field width of 23 characters is sized to accommodate the full standard VMS date/time.
.i -1
3 FILLM

This entry requests that the user's open file limit be displayed. The value represents the number of files which the user can have opened simultaneously. A value of 0 indicates that there is no limit imposed by the system. The default field width is 5 characters.
.i -1
3 FLAGS

The FLAGS column contains the user's login flags. The exact output produced may be modified using the _/FILTER=FLAGS qualifier if you want some flags to be suppressed. A list of flags and their meanings appears under the description of the _/FILTER qualifier.
.i -1
3 HEADER

(D) This entry indicates that column headers should be generated for output fields.
.i -1
3 IDENTIFIER

This entry causes the UIC-based identifier associated with the user to be displayed. The default column width of 14 is adequate for sites with short usernames where group identifiers are not used.
.i -1
3 JTQUOTA

This field displays the initial size of the user's job-wide logical name table. The default column width is 7 characters.
.i -1
3 LASTLOGIN

This entry causes the date and time of the user's last interactive login to be displayed. The default column width, 23, is the size of a standard VMS date/time specification.
.i -1
3 LASTNONINT

This entry causes the date and time of the user's last non-interactive login to be displayed. The default column width, 23, is the size of a standard VMS date/time specification.
.i -1
3 LGICMD

This element causes the name of the user's login procedure to be displayed. The default column width of 16 will handle most cases, but may truncate longer file specifications; the actual contents may be as long as 31 characters.
.i -1
3 LOCAL_ACCESS

This field displays a summary of the user's local interactive access. It will return "All" if access is allowed, "None" if access is disallowed, or "Some" if access is allowed only during certain hours of the day. If access is different for primary and secondary days (see the PRIMEDAYS field) then the display will report the value for primary days followed by secondary day access.
.i -1
3 LOGFAILS

The number of failed login attempts since the last successful login will be displayed by this entry. The default column width is 11, which is more than will ever be used (except for the header.)
.i -1
3 MAILSTOP

This field contains the user's internal Xerox mailing address. The default column width is 9 characters. This information is contained in the site-specific part of the authorization record and may not be available for all users. The text "(n/a)" will appear when this area is not defined.
.i -1
3 MANAGER

This field contains the name of the user's manager. The default column width is 25 characters, the same as the owner name field. This information is contained in the site-specific part of the authorization record and may not be available for all users. The text "(n/a)" will appear when this area is not defined.
.i -1
3 MAXDETACH

This field lists the number of detached processes which can exist simultaneously under the same username. A value of 0 indicates that there is no limit imposed. The default column width is 9 characters.
.i -1
3 MAXJOBS

This display field will contain the maximum number of "jobs" (interactive + batch + detached) which can be simultaneously active for this username. A value of 0 indicates that there is no limit. The default column width is 7 characters.
.i -1
3 NETWORK_ACCESS

This field displays a summary of the user's system network server access. It will return "All" if access is allowed, "None" if access is disallowed, or "Some" if access is allowed only during certain hours of the day. If access is different for primary and secondary days (see the PRIMEDAYS field) then the display will report the value for primary days followed by secondary day access.
.i -1
3 NODES

The corresponding display field will contain a list of VAXcluster nodes which the user is allowed to access interactively. This is based on the Xerox WCO convention that possession of an identifier of the type "CAN__LOGIN__ON__node" implies access to node "node." The default column width of 12 is sufficient for normal users. This field is generally not interesting outside of Xerox WCO.
.i -1
3 OWNER

(D) This entry causes owner fields to be displayed. By default, the column width is 24 characters; owner names can be as long as 31 characters.
.i -1
3 PGFLQUOTA

This field displays the maximum number of pages that a process can use in the system paging file. The default column width is 9.
.i -1
3 PHONE

This field contains the user's phone number; 5-digit numbers are internal Xerox extensions. The default field width is 12 characters, which is sufficient for external numbers as well. This information is contained in the site-specific part of the authorization record and may not be available for all users. The text "(n/a)" will appear when this area is not defined.
.i -1
3 PRCLM

The corresponding display field contains the maximum number of subprocesses (and sub-subprocesses, etc.) which can be owned by a job under this username. A value of 0 indicates that any number of subprocesses may be created.
The default field width is 5.
.i -1
3 PRIMEDAYS

This field reports the days of the week which are considered normal working days for the user.
.i -1
3 PRIORITY

This element causes the user's base priority to be displayed. By default, the column width is 4.
.i -1
3 PRIVILEGES

This column displays the authorized privilege mask for each user. The default field width will probably be insufficient to completely list privileges for privileged accounts; the _/FILTER=PRIVILEGES qualifier can be used to filter this output. A list of valid privileges appears under the _/FILTER qualifier description.
.i -1
3 PWDDATE

The date at which the primary password for the user was last changed will be displayed. The default field width is 23, the size of a standard VMS date/time.
.i -1
3 PWD2DATE

The date at which the secondary password for the user was last changed will be displayed. The default field width is 23, the size of a standard VMS date/time. This field is not meaningful for accounts which do not have two passwords.
.i -1
3 PWDLIFETIME

This entry displays the maximum interval between password changes. The default width is 8, which truncates the full 16-character time, but is sufficient to see days and hours.
.i -1
3 PWDMINIMUM

This entry displays the minimum required password length for the user. The default column width is 10, to accommodate the header.
.i -1
3 QUEPRI

This field indicates the default priority at which the user's print or batch jobs are queued. The default column width is 6, but the value here will never be larger than 3 digits.
.i -1
3 QUOTA

This element requests display of the user's disk quota on their default login device. If disk quotas are not enabled on that disk, the unsigned longword equivalent of -1 is displayed. This will be displayed as a row of asterisks when the default column width of 6 is used; this width is sufficient for unmangled display of intelligently assigned quotas on disks as large as RA81s.
.i -1
3 REMOTE_ACCESS

This field displays a summary of the user's remote login access. It will return "All" if access is allowed, "None" if access is disallowed, or "Some" if access is allowed only during certain hours of the day. If access is different for primary and secondary days (see the PRIMEDAYS field) then the display will report the value for primary days followed by secondary day access.
.i -1
3 TQELM

This field contains the maximum number of timer queue entries that the user can have at any time. 5 characters is the default width.
.i -1
3 UIC

(D) This entry causes the user's UIC to be displayed in numeric format. The default column width is 11 characters, which is sufficient for most UICs. Additional column width is divided evenly between each half of the number. UICs are zero-filled and comma-aligned to allow for easy sorting of output.
.i -1
3 USAGE

This element requests display of the user's disk usage on their default login device. If disk quotas are not enabled on that disk, the unsigned longword equivalent of -1 is displayed. The default column width of 6 will avoid truncation in normal situations.
.i -1
3 USERNAME

(D) This entry causes username fields to be displayed. By default, the column width is 12 characters; usernames can be much longer.
.i -1
3 WSDEFAULT

This field represents the size of the working set list for the user's process when an image is first executed. The default field width of 9 fits the header and will accommodate all legal values.
.i -1
3 WSEXTENT

This entry displays the maximum number of pages of memory that a process can ever have in its working set. The default column width of 8 characters is more than enough for any legal values.
.i -1
3 WSQUOTA

This value represents the maximum number of pages of memory that a process is guaranteed to have at any one time. The column width of 7 is sufficient for legal values.
.!
.! ========== END OF SHOW ELEMENT DOCUMENTATION ==========
.!
.i -1
2 /STATISTICS

This qualifier causes WHO to display run-time statistics. These are displayed at your terminal, regardless of the presence of the /OUTPUT qualifier.
.i -1
2 /OUTPUT

This qualifier causes WHO to redirect its output to the specified file. By default, WHO sends all output to the terminal. If you specify the /OUTPUT qualifier, you must give a file name.
.i -1
2 Parameters

WHO accepts a list of user specifications for which it is to search. You may put multiple specifications on a line, in which case the specifications must be separated by commas. Some types of user specifications may contain wildcard characters. During wildcard searches, WHO will return a list of all selected users which your account has list access to.
.i -1
3 Usernames

Usernames may be fully wildcarded, including multiple uses of the _* and _% characters. Usernames which begin with a wildcard character will cause slower searches, since WHO is unable to take advantage of authorization file indexing. Multiple matches are listed in alphabetical order.
.b
.nf
Examples:
.b
LSI_%
FRODO
_*SMITH
.f
.i -1
3 UICs

UICs can be specified explicitly, with a completely wild (_*) group, a completely wild member, or both. The group and member numbers may not be partially wildcarded. Multiple matches are listed in UIC order; users with identical UICs will be listed in arbitrary order. Valid UICs consist of a left bracket, an octal number (or asterisk), a comma, an octal number (or asterisk), and a right bracket.
.b
.nf
Examples:
.b
_[350,_*_]
_[101,2222_]
.f
.i -1
3 UIC__Identifiers

UIC-based identifiers may be used for explicit lookups. They may not be wildcarded, and group identifiers are not supported. (Since group identifiers are really just redundant information anyway, leave them out and everything will work okay.) Lookups are then treated in the same manner as explicit UICs. Valid UIC-based identifiers consist of a left bracket, an alphanumeric string, and a right bracket.
.b
.nf
Example:
.b
_[SKIPPY_]
.f
.i -1
3 Owner__Substrings

WHO will perform lookups on accounts with a common substring in their owner fields. Comparisons are case-blind and location within the field is not considered. Matching users are output in UIC order. Owner field substrings consist of an alphanumeric string delimited by quotation marks.
.b
.nf
Example: (Both are identical)
.b
_"smith_"
_"SMIth_"
.f
.i -1
3 Indirect__Files

You can direct WHO to accept input from a file instead of or in addition to the command line. The file should consist of valid WHO search specifications, including additional file indirections, one per line. (Recursive indirections will eventually cause your process to exceed its FILLM quota and WHO will terminate.) Indirections are specified by a less-than sign followed by a file specification. The file specification defaults to your current directory and a type of _.DAT if it is not complete. For example, if the file EXAMPLE_.DAT contains the lines:
.b
.nf
JOE
FRED
B_*
.b
.f
then the command:
.b
_$ WHO _