SCANUAF - VAX/VMS SYSTEM USER AUTHORIZATION FILE SCANNER

TABLE OF CONTENTS

1.0 INTRODUCTION
2.0 PROGRAM OVERVIEW
    2.1 ACTIVATION
    2.2 INPUT
    2.3 PROCESSING
    2.4 OUTPUT
    2.5 SPECIAL INPUT COMMANDS
    2.6 TERMINATION
    2.7 INTERRUPT PROCESSING
    2.8 SCANUAF.NODES
3.0 COMMAND SYNTAX
4.0 PARAMETER CATEGORIES
    4.1 INTEGER
    4.2 STRING
    4.3 ABSOLUTE TIME
    4.4 DELTA TIME
    4.5 PRIVILEGE
    4.6 HOUR OF DAY
    4.7 DAY OF WEEK
    4.8 LOGIN FLAG
    4.9 INACCESSIBLE

1.0 INTRODUCTION

SCANUAF is a program designed to allow a VAX system manager to examine the system User Authorization File(s) SYSUAF.DAT on one or more VAX systems. The files can be accessed directly or via DECnet.

There are several Digital utilities (such as AUTHORIZE) and third-party utilities that allow the examination of various UAF parameters for a specified user (that is, for a specified record of the UAF file). SCANUAF, on the other hand, is designed to display all users that satisfy a specified set of parameters. For example, to display all users that have the SYSPRV authorized privilege, the input command would be:

    SCANUAF> PRIV=SYSPRV

Input commands to SCANUAF consist of sets of parameter-value pairs. (In the above example, PRIV is the parameter and SYSPRV is the value.) A parameter-value pair is connected by a comparison character of "=", "\", "<", or ">", which signifies that the check should be for users whose UAF value is equal to, not equal to, less than, or greater than the value specified.

The input line can be up to 255 characters long, specifying up to 64 parameter-value pairs. Each parameter-value pair must be separated from the next by a logical operator & (logical AND) or | (logical OR), which dictates the logic SCANUAF is to use to search the authorization file. SCANUAF also supports multi-level parentheses nesting of parameter-value pairs. This allows you to define elaborate logic for SCANUAF to use in searching the authorization file.

Parameter-value pairs _cannot_ contain embedded blanks.
Blanks can be embedded elsewhere in the input line to improve readability. For example, to display all users not in UIC group 20 that have the SYSPRV authorized privilege and have not logged in interactively since the beginning of 1987, enter the command:

    SCANUAF> GROUP\20 & PRIV=SYSPRV & LOGINT<01-JAN-1987

The following command will display all users who have a BIOLM between 10 and 20 or a DIOLM between 10 and 20:

    SCANUAF> (BIOLM>9 & BIOLM<21) | (DIOLM>9 & DIOLM<21)

The following command will display all users who are in a UIC group of 10 or less, or who are in UIC group 20 or 30 and have a base priority greater than 4:

    SCANUAF> GROUP<11 | ((GROUP=20|GROUP=30)&PRIORITY>4)

2.0 PROGRAM OVERVIEW

2.1 ACTIVATION

The image SCANUAF.EXE resides in SYS$SYSTEM. The program uses an associated file SYS$SYSTEM:SCANUAF.NODES (see section 2.8). The image may be invoked in the standard manner for an image that resides in SYS$SYSTEM:

    $ RUN SYS$SYSTEM:SCANUAF

or

    $ MCR SCANUAF

The program will respond with a SCANUAF> prompt.

2.2 INPUT

Input to SCANUAF consists of sets of parameter-value pairs, separated by logical operators and optionally nested with parentheses. When an input line is entered, then for each username in the authorization file SCANUAF first logically evaluates each parameter-value pair by comparing the condition specified by the pair with the data from the authorization file. SCANUAF then uses the logical result of each parameter-value pair to evaluate the entire input line according to the operators and parentheses nesting specified on the input line. If this composite logical value is TRUE for a given username record, then that username is output by SCANUAF, optionally including the data that resulted in the input line evaluating TRUE.

A given parameter or value can be abbreviated to a sufficient number of characters to make the entry unique.
The number of characters required for each particular entry is noted in the lists in sections 4.0 through 4.9 (in the lists, the "*" denotes the uniqueness point). More information on program input is provided in section 3.0.

There are also some special input commands to SCANUAF. These commands are outlined in section 2.5.

2.3 PROCESSING

Program processing involves sequentially searching each record of each SYSUAF.DAT file for the system node(s). The data from each UAF record is compared with the input specification line, and the result is either TRUE or FALSE. If the result is TRUE, then the appropriate data is output to the user (see section 2.4).

2.4 OUTPUT

Program output consists of a list of all users in the UAF file(s) whose UAF record contained data that resulted in the input specification line having a (composite) logical value of TRUE. For each such user, the program provides the UAF record username and (optionally) the input parameter(s) and value(s) that caused the (composite) logical value to be TRUE. For each node processed, the node name is displayed at the beginning of the list of username-parameter-value sets.

2.5 SPECIAL INPUT COMMANDS

Special input commands are commands that the program checks for before it validates the parameter-value pair(s) on the input line. In order to use a special input command, it must be the first command on the line; data on the input line after a special input command is ignored. The commands may be entered in upper or lower case. The special input commands, which CANNOT be abbreviated, are as follows:

a) SET NODE [node]

   This command will restrict subsequent file searches to the specified node. In addition, node can be any of ALL, CLUSTER, or DECNET. ALL, which is the program default, results in all nodes that the program is aware of, as specified in the file SCANUAF.NODES (see section 2.8), being searched. CLUSTER results in the UAF files in SCANUAF.NODES that are not accessed via DECnet being searched.
   DECNET results in the UAF files in SCANUAF.NODES that are accessed via DECnet being searched. If node is omitted, ALL is assumed.

b) SET REPORT [type]

   This command is used to specify how much output is generated for each username that is printed. type can be FULL or BRIEF. FULL results in the username, plus the UAF data that caused the input line to evaluate to TRUE, being printed; BRIEF results in only the username being printed. If type is omitted, FULL is assumed. FULL is the program default.

c) SET OUTPUT [file]

   This command will cause subsequent program output to be printed to the file specified by file. If file is specified as SYS$OUTPUT, or omitted, then subsequent output is printed to SYS$OUTPUT. If the file specified by file cannot be opened, then subsequent output is printed to SYS$OUTPUT. The program default is SYS$OUTPUT. file can be a maximum of 60 characters.

d) SHOW

   This command displays a list of the current settings for the node, report type, and output file from (a)-(c) above, plus a list of the available nodes and the type of access (CLUSTER or DECNET) the program sees for the nodes.

e) AUTHORIZE

   This command will spawn a subprocess to run the AUTHORIZE system utility. If the current node (as specified by the SET NODE command) is a particular system node, then that node is the one whose UAF file is processed by AUTHORIZE. If the current node is ALL, CLUSTER, or DECNET, then the user is prompted for a particular system node to be processed by AUTHORIZE (note that this DOES NOT change the current node from ALL, CLUSTER, or DECNET to the entered node; the entered node is used only for the AUTHORIZE run).

   *** Warning: When running the AUTHORIZE utility from within SCANUAF for a remote node, use caution in modifying the rightslist file and/or the DECnet proxy file. SCANUAF will use the remote node's authorization file, but it will use the local node's rightslist file and DECnet proxy file, which may not be the same as those of the remote node.

f) HELP

   This command is used to obtain on-line help.
g) EXIT

   This command can be used to terminate the program (see section 2.6).

2.6 TERMINATION

The program may be terminated in either of two ways:

a) By entering the command EXIT at the prompt; or
b) By entering an end-of-file (CONTROL-Z) at the prompt.

2.7 INTERRUPT PROCESSING

If a ^C (control-C) is entered during a search, the user will be given a choice of:

a) Continuing as if the ^C was not entered; or
b) Aborting the search for the node that the program is processing, and skipping to the next node; or
c) Aborting the search entirely.

2.8 SCANUAF.NODES

SCANUAF employs a text file named SYS$SYSTEM:SCANUAF.NODES that contains a list of nodenames and the locations of the corresponding authorization files for the nodes. SCANUAF.NODES can be maintained with a regular VAX editor (such as EDT). The file format, while straightforward, is rigid:

- Each record contains the specification for one node.
- The nodename for a node is specified in the first 15 characters of a record. If the nodename is less than 15 characters long, the specification MUST be blank-filled (no tabs!) to 15 characters. A nodename CANNOT be ALL, CLUSTER, or DECNET.
- One (and only one) blank space follows the 15-character nodename.
- The UAF location for a node is specified starting in column 17 of a record. The specification can be up to 60 characters long, but does not have to be blank-filled if it is less than 60 characters. The specification can be any legal VAX/VMS file specification (including any legal DECnet specification).
- Characters can be in upper or lower case; the program converts everything to upper case.
- A maximum of 50 nodes/UAF specifications may be entered.
- SCANUAF.NODES should contain only valid data (that is, you should not include any in-line documentation).
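The rigid SCANUAF.NODES layout above is easy to get wrong with an editor, so the following added example (not SCANUAF's own code) checks a file against each rule of section 2.8 and then applies the SET NODE selection of section 2.5 to the accepted records. The file content is constructed, and treating a UAF specification that contains "::" as DECnet access is an assumption.

```python
# Added example (not SCANUAF's own code): a parser for the fixed-column
# SCANUAF.NODES format of section 2.8, plus the node selection performed by
# SET NODE (section 2.5). The file content is constructed, and treating a UAF
# specification that contains "::" as DECnet access is an assumption.
NODENAME_WIDTH = 15    # columns 1-15: nodename, blank-filled (no tabs)
SPEC_COLUMN = 17       # column 16 is one blank; the UAF specification starts at 17
SPEC_MAX = 60          # the UAF specification may be at most 60 characters long
MAX_NODES = 50
RESERVED = {"ALL", "CLUSTER", "DECNET"}   # SET NODE keywords, never nodenames


def parse_nodes(text):
    """Return (nodes, errors): nodes are (nodename, uaf_spec, access) with access
    'DECNET' or 'CLUSTER'; errors are (record number, reason) for rejects."""
    nodes, errors = [], []
    for recno, record in enumerate(text.splitlines(), start=1):
        if not record.strip():
            continue
        name_field, spec = record[:NODENAME_WIDTH], record[SPEC_COLUMN - 1:]
        name = name_field.strip().upper()
        if "\t" in record or not name or name_field.upper() != name.ljust(NODENAME_WIDTH):
            errors.append((recno, "nodename must fill columns 1-15, blank-filled"))
        elif record[NODENAME_WIDTH:SPEC_COLUMN - 1] != " " or spec.startswith(" "):
            errors.append((recno, "exactly one blank must follow the nodename"))
        elif name in RESERVED:
            errors.append((recno, "nodename %s is reserved" % name))
        elif not spec.strip() or len(spec.rstrip()) > SPEC_MAX:
            errors.append((recno, "UAF specification missing or longer than 60"))
        elif len(nodes) >= MAX_NODES:
            errors.append((recno, "more than 50 nodes; record ignored"))
        else:
            spec = spec.rstrip().upper()     # the program upper-cases everything
            nodes.append((name, spec, "DECNET" if "::" in spec else "CLUSTER"))
    return nodes, errors


def select_nodes(nodes, setting="ALL"):
    """Apply a SET NODE setting: ALL, CLUSTER, DECNET or a single nodename."""
    setting = setting.upper()
    if setting == "ALL":
        return list(nodes)
    if setting in RESERVED:                  # CLUSTER or DECNET
        return [n for n in nodes if n[2] == setting]
    return [n for n in nodes if n[0] == setting]


# Constructed SCANUAF.NODES content; ljust() produces the required blank fill.
SAMPLE_NODES = "\n".join([
    "VAXA".ljust(15) + " " + "SYS$SYSTEM:SYSUAF.DAT",
    "vaxb".ljust(15) + " " + "DISK$SYS2:[SYSEXE]SYSUAF.DAT",
    "REMOTE".ljust(15) + " " + "REMOTE::SYS$SYSTEM:SYSUAF.DAT",
    "CLUSTER".ljust(15) + " " + "SYS$SYSTEM:SYSUAF.DAT",   # reserved nodename
    "VAXC\t" + "SYS$SYSTEM:SYSUAF.DAT",                     # tab-filled, rejected
    "VAXD".ljust(15) + "  " + "SYS$SYSTEM:SYSUAF.DAT",      # two blanks, rejected
])
```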
3.0 COMMAND SYNTAX

Regular (that is, non-special) input commands to SCANUAF consist of sets of parameter-value pairs, connected by a comparison character, separated by the operators & or |, and optionally enclosed in nested parentheses. Blank spaces can be embedded anywhere in the input line _except_ in a parameter-value pair. Blanks _cannot_ be embedded in a parameter-value pair.

Parameters include those listed in section 4.0. Each parameter can be abbreviated to a sufficient number of characters to make the entry unique. The number of characters required for each parameter is noted in the list in section 4.0.

Entries for the value field of the parameter-value pair depend on the category into which the parameter falls (see section 4.0). Where applicable, value entries can be abbreviated. See sections 4.1 through 4.9 for more information on value abbreviations for each parameter category.

A parameter-value pair must be connected by a character of "=", "\", "<", or ">", depending on whether the check should be for users whose UAF value is equal to, not equal to, less than, or greater than the value specified.

Since blank space(s) cannot be embedded in parameter-value pairs, values that contain blank spaces must be enclosed in double quotes ("). For example, to show all users whose login command file UAF entry is not blank, the input command would be:

    SCANUAF> LGICMD\" "

The user may enter up to 64 parameter-value pairs, taking up to 255 characters. Entries may be in upper or lower case.

4.0 PARAMETER CATEGORIES

Each UAF parameter falls in one of nine (9) categories:

1) INTEGER
2) STRING
3) ABSOLUTE TIME
4) DELTA TIME
5) PRIVILEGE
6) HOUR OF DAY
7) DAY OF WEEK
8) LOGIN FLAG
9) INACCESSIBLE

The categories are described in detail in sections 4.1 through 4.9.
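To make the input-line syntax of sections 1.0 and 3.0 concrete, the following added example (not SCANUAF's own code) tokenizes a command line into parameter-value pairs, operators and parentheses, evaluates it against constructed UAF records, and returns the FULL report of section 2.4 (the pairs that were TRUE for each matching user). It models only INTEGER and STRING parameters written in full, and assumes & binds tighter than | (the page states no precedence; parentheses override it, as in the page's own examples).

```python
# Added example (not SCANUAF's own code): an evaluator for the input-line
# syntax of sections 1.0 and 3.0, run over constructed UAF records. Only
# INTEGER and STRING parameters (full names) are modelled; & is assumed to
# bind tighter than | (the page states no precedence); parentheses override.
import operator
import re

INTEGER = {"GROUP", "PRIORITY", "BIOLM", "DIOLM"}   # INTEGER parameters used here
OPS = {"=": operator.eq, "\\": operator.ne, "<": operator.lt, ">": operator.gt}
# parameter, comparison character, then a quoted, parenthesised or bare value
PAIR_RE = re.compile(r'([A-Z0-9_]+)([=\\<>])("[^"]*"|\([^)]*\)|[^\s&|()]*)')


def tokenize(line):
    """Split a line into '(' ')' '&' '|' and (param, op, value) tuples."""
    tokens, pos, line = [], 0, line.upper()
    while pos < len(line):
        if line[pos].isspace():                  # blanks allowed only between pairs
            pos += 1
        elif line[pos] in "()&|":
            tokens.append(line[pos]); pos += 1
        else:
            m = PAIR_RE.match(line, pos)
            if not m:
                raise ValueError("bad parameter-value pair at column %d" % (pos + 1))
            name, value = m.group(1), m.group(3).strip('"')
            value = int(value) if name in INTEGER else value
            tokens.append((name, m.group(2), value)); pos = m.end()
    return tokens


def evaluate(tokens, record):
    """Return (composite result, pairs that evaluated TRUE) for one record."""
    toks, i, hits = tokens + [None], [0], []      # None marks end of line

    def term():                                   # pair or ( expr )
        tok = toks[i[0]]; i[0] += 1
        if tok == "(":
            val, closing = expr(), toks[i[0]]; i[0] += 1
            if closing != ")":
                raise ValueError("missing ')'")
            return val
        if not isinstance(tok, tuple):
            raise ValueError("expected a parameter-value pair")
        actual = record.get(tok[0])               # sections 4.1 and 4.2
        ok = actual is not None and OPS[tok[1]](actual, tok[2])
        if ok:
            hits.append(tok)
        return ok

    def conj():                                   # term & term & ...
        val = term()
        while toks[i[0]] == "&":
            i[0] += 1; val = term() and val       # every pair is evaluated
        return val

    def expr():                                   # conj | conj | ...
        val = conj()
        while toks[i[0]] == "|":
            i[0] += 1; val = conj() or val
        return val

    return expr(), hits


def scan(line, records):
    """FULL report of section 2.4: {username: TRUE pairs} per matching record."""
    tokens = tokenize(line)
    results = [(r["USERNAME"], evaluate(tokens, r)) for r in records]
    return {user: hits for user, (ok, hits) in results if ok}


UAF = [  # constructed sample records, not from a real SYSUAF.DAT
    {"USERNAME": "SYSTEM", "GROUP": 1, "PRIORITY": 4, "BIOLM": 40, "DIOLM": 40, "LGICMD": "LOGIN.COM"},
    {"USERNAME": "OPER1", "GROUP": 20, "PRIORITY": 6, "BIOLM": 12, "DIOLM": 30, "LGICMD": " "},
    {"USERNAME": "USER7", "GROUP": 30, "PRIORITY": 4, "BIOLM": 8, "DIOLM": 15, "LGICMD": "LOGIN.COM"},
]
```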
The list of parameters, along with the abbreviation requirements (the characters before the "*") for each, a description of each, and the category into which each one falls, is as follows:

PARAMETER     DESCRIPTION                             CATEGORY
------------- --------------------------------------- --------------
RT*YPE        UAF record type                         INTEGER
V*ERSION      UAF format version                      INTEGER
USR*DATOFF    Offset of counted string of user data   INTEGER
USE*RNAME     Username of account                     STRING
ME*MBER       UIC member subfield                     INTEGER
G*ROUP        UIC group subfield                      INTEGER
SUBI*D        User sub-identifier                     INTEGER
PA*RENTID     Identifier of account owner             INACCESSIBLE
AC*COUNT      Account name                            STRING
O*WNER        Owner's name                            STRING
DEV*ICE       Default device                          STRING
DIR*ECTORY    Default directory                       STRING
LG*ICMD       Login command file                      STRING
CLI*          Default command interpreter             STRING
CLIT*ABLES    User CLI tables                         STRING
PASSWORD*     Primary password                        INACCESSIBLE
PASSWORD2*    Secondary password                      INACCESSIBLE
LOGF*AILS     Login failures                          INTEGER
SA*LT         Random password salt                    INTEGER
ENCRYPT*      Encryption algorithm for prim pwd       INTEGER
ENCRYPT2*     Encryption algorithm for sec pwd        INTEGER
PWDM*INIMUM   Minimum password length                 INTEGER
EX*PIRATION   Expiration date for account             ABSOLUTE TIME
PWDL*IFETIME  Password lifetime                       DELTA TIME
PWDDATE*      Date of primary password change         ABSOLUTE TIME
PWDDATE2*     Date of secondary password change       ABSOLUTE TIME
LOGI*NT       Date of last interactive login          ABSOLUTE TIME
LOGN*ONINT    Date of last non-interactive login      ABSOLUTE TIME
PRIV*ILEGE    Authorized privileges                   PRIVILEGE
DEF*PRIVILEGE Default privileges                      PRIVILEGE
MI*NCLASS     Minimum security class                  STRING
MAXC*LASS     Maximum security class                  STRING
FL*AGS        Login flags                             LOGIN FLAG
NETWORKP*RIME Hourly network access, primary          HOUR OF DAY
NETWORKS*EC   Hourly network access, secondary        HOUR OF DAY
BATCHP*RIME   Hourly batch access, primary            HOUR OF DAY
BATCHS*EC     Hourly batch access, secondary          HOUR OF DAY
LOCALP*RIME   Hourly local access, primary            HOUR OF DAY
LOCALS*EC     Hourly local access, secondary          HOUR OF DAY
DIALUPP*RIME  Hourly dialup access, primary           HOUR OF DAY
DIALUPS*EC    Hourly dialup access, secondary         HOUR OF DAY
REMOTEP*RIME  Hourly remote access, primary           HOUR OF DAY
REMOTES*EC    Hourly remote access, secondary         HOUR OF DAY
PRIM*EDAYS    Primary days                            DAY OF WEEK
PRIO*RITY     Base process priority                   INTEGER
Q*UEPRI       Maximum job queuing priority            INTEGER
MAXJ*OBS      Maximum jobs for UIC allowed            INTEGER
MAXA*CCTJOBS  Maximum jobs for account allowed        INTEGER
MAXD*ETACH    Maximum detached processes for UIC      INTEGER
PRC*LM        Subprocess creation limit               INTEGER
BI*OLM        Buffered I/O limit                      INTEGER
DIO*LM        Direct I/O limit                        INTEGER
T*QELM        Timer queue entry limit                 INTEGER
AS*TLM        AST queue limit                         INTEGER
ENQ*LM        Enqueue limit                           INTEGER
FI*LLM        Open file limit                         INTEGER
SH*RFILLM     Shared file limit                       INTEGER
WSQ*UOTA      Working set size quota                  INTEGER
WSD*EFAULT    Default working set size                INTEGER
WSE*XTENT     Working set size limit                  INTEGER
PG*FLQUOTA    Page file quota                         INTEGER
CP*UTIME      CPU time quota                          INTEGER
BY*TLM        Buffered I/O byte count limit           INTEGER
PB*YTLM       Paged buffer I/O byte count limit       INTEGER
J*TQUOTA      Job-wide log name table creation quota  INTEGER
PROXYL*IM     Number of proxies user can grant        INTEGER
PROXYU*SE     Number of proxies granted               INTEGER
SUBACCL*IM    Number of sub-accounts allowed          INTEGER
SUBACCU*SE    Number of sub-accounts in use           INTEGER

4.1 INTEGER

Parameters in this category have integer values. All comparison characters ("=", "\", "<", ">") are valid for these parameters. The usage of each comparison character is as follows:

"=" will display all users who have a UAF value for the specified parameter that is equal to the specified value.
"\" will display all users who have a UAF value for the specified parameter that is not equal to the specified value.
"<" will display all users who have a UAF value for the specified parameter that is less than the specified value.
">" will display all users who have a UAF value for the specified parameter that is greater than the specified value.
Values for INTEGER parameters have no abbreviation requirements.

4.2 STRING

Parameters in this category have character string values. All comparison characters ("=", "\", "<", ">") are valid for these parameters. The usage of each comparison character is as follows:

"=" will display all users who have a UAF value for the specified parameter that is equal to the specified value.
"\" will display all users who have a UAF value for the specified parameter that is not equal to the specified value.
"<" will display all users who have a UAF value for the specified parameter that is less than the specified value.
">" will display all users who have a UAF value for the specified parameter that is greater than the specified value.

Values for STRING parameters have no abbreviation requirements.

4.3 ABSOLUTE TIME

Parameters in this category have VAX standard absolute time formatted values. Absolute time format is as follows:

    dd-mmm-yyyy hh:mm:ss.cc

All comparison characters ("=", "\", "<", ">") are valid for these parameters. The usage of each comparison character is as follows:

"=" will display all users who have a UAF value for the specified parameter that is equal to the specified time.
"\" will display all users who have a UAF value for the specified parameter that is not equal to the specified time.
"<" will display all users who have a UAF value for the specified parameter that is earlier than the specified time.
">" will display all users who have a UAF value for the specified parameter that is later than the specified time.

Values for ABSOLUTE TIME parameters may be abbreviated any way that is allowed for VAX standard absolute time format.

4.4 DELTA TIME

Parameters in this category have VAX standard delta time formatted values. Delta time format is as follows:

    dddd hh:mm:ss.cc

All comparison characters ("=", "\", "<", ">") are valid for these parameters.
The usage of each comparison character is as follows:

"=" will display all users who have a UAF value for the specified parameter that is equal to the specified time.
"\" will display all users who have a UAF value for the specified parameter that is not equal to the specified time.
"<" will display all users who have a UAF value for the specified parameter that is less than the specified time.
">" will display all users who have a UAF value for the specified parameter that is greater than the specified time.

Values for DELTA TIME parameters may be abbreviated any way that is allowed for VAX standard delta time format.

4.5 PRIVILEGE

Parameters in this category have character string values. A character string must be a standard VAX process privilege specification, as follows:

    (privilege[,...])

If only one privilege is specified, the parentheses can be omitted. Any specified privilege can be preceded by "NO". A value of ALL may be specified, which is shorthand for (ACNT,ALLSPOOL,...,WORLD). A value of NOALL is shorthand for (NOACNT,NOALLSPOOL,...,NOWORLD).

The only comparison characters allowed for these parameters are "=" and "\". If the "=" comparison character is used with a list of privileges, then the privileges are ANDed. If the "\" comparison character is used, then the privileges are negated and ORed. For example,

    SCANUAF> PRIV=(ALTPRI,SYSPRV)

will display all users who have ALTPRI and SYSPRV authorized privileges, whereas

    SCANUAF> PRIV\(ALTPRI,SYSPRV)

will display all users who have NOALTPRI or NOSYSPRV authorized privilege.

You should take note of the subtleties involved with the comparison characters and the use of NO and ALL. For example,

    SCANUAF> PRIV=ALL

will display users who have all privileges;

    SCANUAF> PRIV=NOALL

will display users who have no privileges;

    SCANUAF> PRIV\ALL

will display users who have no or some, but not all, privileges;

    SCANUAF> PRIV\NOALL

will display users who have some or all privileges.
Using the "*" to show the minimum required number of characters, the following list provides the abbreviation requirements for values for PRIVILEGE parameters:

    ALL*        DI*AGNOSE   PF*NMAP     SHA*RE
    AC*NT       E*XQUOTA    PH*Y_IO     SHM*EM
    ALLS*POOL   GRO*UP      PRMC*EB     SYSG*BL
    ALT*PRI     GRPN*AM     PRMG*BL     SYSL*CM
    BU*GCHK     GRPP*RV     PRMM*BX     SYSN*AM
    BY*PASS     L*OG_IO     PS*WAPM     SYSP*RV
    CME*XEC     M*OUNT      R*EADALL    T*MPMBX
    CMK*RNL     N*ETMBX     SEC*URITY   V*OLPRO
    DE*TACH     O*PER       SET*PRV     W*ORLD

4.6 HOUR OF DAY

Parameters in this category have character string values. A character string must be a standard VAX hour mask specification, as follows:

    ([n],[n-m],[,...])

If only one hour range is specified, the parentheses can be omitted. Hours specified must be integers from 0 to 23, inclusive.

All comparison characters ("=", "\", "<", ">") are valid for these parameters. The usage of each comparison character is as follows:

"=" will display all users who have an hour of day mask that includes the hours specified.
"\" will display all users who have an hour of day mask that does not include at least one of the hours specified.
"<" will display all users who have an hour of day mask that includes an hour earlier than the earliest hour specified.
">" will display all users who have an hour of day mask that includes an hour later than the earliest hour specified.

When using the "=" or "\" comparison character, a value string of "()" may be specified. This string is equivalent to "no hours".

4.7 DAY OF WEEK

Parameters in this category have character string values. A character string must be a standard VAX day of the week specification, as follows:

    (day[,...])

If only one day is specified, the parentheses can be omitted. Any specified day can be preceded by "NO". A value of ALL may be specified, which is shorthand for (MONDAY,TUESDAY,...,SUNDAY). A value of NOALL is shorthand for (NOMONDAY,NOTUESDAY,...,NOSUNDAY).

The only comparison characters allowed for these parameters are "=" and "\".
If the "=" comparison character is used with a list of days, then the days are ANDed. If the "\" comparison character is used, then the days are negated and ORed. For example,

    SCANUAF> PRIME=(MONDAY,TUESDAY)

will display all users who have MONDAY and TUESDAY as prime days, whereas

    SCANUAF> PRIME\(MONDAY,TUESDAY)

will display all users who have MONDAY or TUESDAY as secondary days.

You should take note of the subtleties involved with the comparison characters and the use of NO and ALL. For example,

    SCANUAF> PRIME=ALL

will display users who have all days as primary days;

    SCANUAF> PRIME=NOALL

will display users who have no days as primary days;

    SCANUAF> PRIME\ALL

will display users who have no or some, but not all, days as primary days;

    SCANUAF> PRIME\NOALL

will display users who have some or all days as primary days.

Using the "*" to show the minimum required number of characters, the following list provides the abbreviation requirements for values for DAY OF WEEK parameters:

    A*LL        M*ONDAY     TU*ESDAY    W*EDNESDAY
    TH*URSDAY   F*RIDAY     SA*TURDAY   SU*NDAY

4.8 LOGIN FLAG

Parameters in this category have character string values. A character string must be a standard VAX login flag specification, as follows:

    (flag[,...])

If only one flag is specified, the parentheses can be omitted. Any specified flag can be preceded by "NO". A value of ALL may be specified, which is shorthand for (DISCTLY,DEFCLI,...,DISRECONNECT). A value of NOALL is shorthand for (NODISCTLY,NODEFCLI,...,NODISRECONNECT).

The only comparison characters allowed for these parameters are "=" and "\". If the "=" comparison character is used with a list of flags, then the flags are ANDed. If the "\" comparison character is used, then the flags are negated and ORed. For example,

    SCANUAF> FLAG=(DISUSER,LOCKPWD)

will display all users who have DISUSER and LOCKPWD login flags, whereas

    SCANUAF> FLAG\(DISUSER,LOCKPWD)

will display all users who have NODISUSER or NOLOCKPWD login flags.
You should take note of the subtleties involved with the comparison characters and the use of NO and ALL. For example,

    SCANUAF> FLAG=ALL

will display users who have all login flags;

    SCANUAF> FLAG=NOALL

will display users who have no login flags;

    SCANUAF> FLAG\ALL

will display users who have no or some, but not all, login flags;

    SCANUAF> FLAG\NOALL

will display users who have some or all login flags.

Using the "*" to show the minimum required number of characters, the following list provides the abbreviation requirements for values for the LOGIN FLAG parameters:

    AL*L          DISN*EWMAIL
    DISC*TLY      G*ENPWD
    DE*FCLI       PWDE*XPIRED
    L*OCKPWD      PWD2*_EXPIRED
    C*APTIVE      A*UDIT
    DISU*SER      DISREP*ORT
    DISW*ELCOME   DISREC*ONNECT
    DISM*AIL

4.9 INACCESSIBLE

Parameters in this category are inaccessible to the user. No matter what value is supplied for a parameter in this category, the result of the parameter-value evaluation will be FALSE.
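The "=" (AND) and "\" (negate and OR) semantics, the NO prefix, and the ALL/NOALL shorthand are shared by sections 4.5, 4.7 and 4.8; the following added example (not SCANUAF's own code) works them through for PRIVILEGE values, including value abbreviation at the "*" uniqueness points of the section 4.5 list, and reproduces the four PRIV=ALL / PRIV=NOALL / PRIV\ALL / PRIV\NOALL subtleties. The UAF privilege sets are constructed, and the privilege table is only the subset of the VMS list needed here.

```python
# Added example (not SCANUAF's own code): the "=" / "\" semantics that sections
# 4.5, 4.7 and 4.8 share, worked for PRIVILEGE values with "NO" prefixes,
# ALL / NOALL and abbreviation at the "*" uniqueness points. The UAF privilege
# sets are constructed; the privilege table is a subset of the section 4.5 list.
ABBREV = {"ALL": 3, "ACNT": 2, "ALTPRI": 3, "BYPASS": 2, "CMKRNL": 3,
          "NETMBX": 1, "OPER": 1, "READALL": 1, "SETPRV": 3, "SYSPRV": 4,
          "TMPMBX": 1, "WORLD": 1}       # full name -> minimum abbreviation length
PRIVILEGES = frozenset(ABBREV) - {"ALL"}


def expand(name):
    """Expand a possibly abbreviated privilege name (section 4.5 list)."""
    name = name.upper()
    for full, minlen in ABBREV.items():
        if len(name) >= minlen and full.startswith(name):
            return full
    raise ValueError("unknown or ambiguous privilege: " + name)


def parse_spec(value):
    """Turn '(priv[,...])', with optional NO prefixes, into (wanted, unwanted)."""
    wanted, unwanted = set(), set()
    for item in value.strip("()").split(","):
        item = item.strip()
        negate = item.upper().startswith("NO")
        full = expand(item[2:] if negate else item)
        names = PRIVILEGES if full == "ALL" else {full}   # ALL is shorthand
        (unwanted if negate else wanted).update(names)
    return wanted, unwanted


def priv_match(op, value, held):
    """Evaluate PRIV<op>value against the privileges a UAF record holds.
    "=" ANDs every item: each wanted privilege held, each NO item absent.
    "\\" negates every item and ORs: some wanted absent, or some NO item held."""
    wanted, unwanted = parse_spec(value)
    held = {expand(p) for p in held}
    if op == "=":
        return wanted <= held and not (unwanted & held)
    if op == "\\":
        return bool(wanted - held) or bool(unwanted & held)
    raise ValueError("only = and \\ are valid for PRIVILEGE parameters")


UAF = {  # constructed sample records: username -> authorized privileges
    "SYSTEM": set(PRIVILEGES),
    "OPER1": {"NETMBX", "TMPMBX", "OPER", "ALTPRI", "SYSPRV"},
    "USER7": {"NETMBX", "TMPMBX"},
    "LOCKED": set(),
}


def scan_priv(op, value):
    """Usernames for which PRIV<op>value is TRUE, in alphabetical order."""
    return sorted(u for u, held in UAF.items() if priv_match(op, value, held))
```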