Re: Minimum Privs for Changing Password

From: Hans Vlems (hvlems.nieuw_at_zonnet.nl)
Date: 01/18/04

    Date: Sun, 18 Jan 2004 11:32:42 +0100
    
    

    Correct, provided that MAXSYSGROUP was not modified.

    "konabear" <maurert@ameritech.net> wrote in message
    news:aZWNb.30469$P%1.24874821@newssvr28.news.prodigy.com...
    > All that is needed to modify a password using authorize is write access to
    > SYSUAF.DAT. That's it. So an ACL to allow a user write access means they
    > need no privs.
    >
    > HOWEVER once write access is granted to SYSUAF, more than passwords can be
    > changed. New users can be added, old ones removed, privileges granted to
    > the very nonpriv'd account that the ACL was added for. So the ACL route
    > isn't any more secure than granting SYSPRV.
    >
    > BTW, one could also give the nonpriv'd user's account a UIC group number
    > less than Octal 10. So the account will have no privileges. However any
    > process with a group number less than Octal 10 has equivalent of SYSPRV
    > granted.
    >
    > Todd
    > "Rick Dyson" <rick-dyson@uiowa.edu> wrote in message
    > news:HrLBDu.DGq@sysadm.physics.uiowa.edu...
    > > This is a fundamental question and I am embarrassed to have to ask, but I
    > > am in a hurry. :)
    > >
    > > What minimum privs would a user need to be able to change someone else's
    > > password via Authorize?
    > >
    > > Does anyone have any quick suggestions on a method for this that does
    > > not need to elevate a low user to SYSPRV (or such)? Something that
    > > could be up and running right away?
    > >
    > > Thanks!
    > > rick
    > >
    >
    >

