
USER MANAGEMENT:

User Accounts

Each user has a unique name, numeric ID and password

File ownership is determined by a numeric user ID

The owner is usually the user who created the file, but ownership can be transferred
by root

Default users:

root: the superuser

adm, sys, bin: IDs that own system files but cannot be used for login

user: ordinary login accounts

Notes: The security of the system is based on a user being assigned a unique name, user ID
(UID) and password. When the user logs in, the UID is used to validate all requests for file
access. When a file is created, the UID associated with the process that created the file is
assigned to the file. Only the owner or root can change the access permissions.
Several user accounts are created automatically; root, for example, is one. Some user
accounts are not made for login but only to own certain files. adm, sys, and bin are examples of
that type of account.
Groups:

A group is a set of users, all of whom need access to a given set of files.

Every user is a member of at least one group and can be a member of several groups.

The user has access to files in their group set. To list the group set, use the groups command.

The user's primary group is used for file ownership on creation. To change the
primary group, use the newgrp command.

Default groups:

system: system administrators

staff: ordinary users

Notes: Users that require shared access to a set of files are placed in groups. A user can
belong to multiple groups. Each group has a unique name and Group ID (GID). The GID is
also assigned to a file when it is created. There are several groups predefined on an AIX
system. For example, the system group is root's group and the staff group is for all ordinary
users.

The creation of groups to organize and differentiate the users of a system or network is part
of systems administration. The guidelines for forming groups should be part of the security
policy. Defining groups for large systems can be quite complex and once a system is
operational, it is very difficult to change the group structure. Investing time and effort in
devising group definitions before your system arrives is recommended.
Groups should be defined as broadly as possible and be consistent with your security policy.
Do not define too many groups because defining groups for every possible combination of
data type and user type can lead to impossible extremes. A group administrator is a user who
is allowed to assign the members and administrators of a group. It does not imply that the
user has any administrative abilities for the system.
There are three types of groups on the system:
1. User Groups
User groups should be made for people who need to share files on the system, such as people
who work in the same department, or people who are working on the same project.
2. System Administrator Groups
System administrators are automatically members of the system group. Membership of this
group allows the administrators to perform some of the system tasks without having to be
the root user.
3. System Defined Groups
Several system-defined groups exist. staff is the default group for all non-administrative users
created in the system. security is another system-defined group having limited privileges for
performing security administration. The system-defined groups are used to control certain
subsystems.
Common groups on the system:
system: For most configuration and standard hardware and software maintenance.
printq: For managing queuing. Typical commands which can be run by members of this group
are: enable, disable, qadm, qpri, and so forth.
security: To handle most passwords and limits control. Typical commands which can be run by
members of this group are: mkuser, rmuser, pwdadm, chuser, chgroup, and so forth.
adm: Most monitoring functions such as performance, cron, accounting.
staff: Default group assigned to all new users. You may want to change this in
/usr/lib/security/mkuser.default.
audit: For auditors.
shutdown: Allows use of the shutdown command.
User Hierarchy:

To protect important users/groups from members of the security group, AIX has
admin users and admin groups.

Only root users can add/remove/change an admin user or admin group

Any user on the system can be defined as an admin user regardless of the group they
are in

Notes:
The ability to perform certain system tasks (like creating users) depends upon the standard
AIX file permissions. Most system admin tasks can be performed by users other than root
by assigning those users to groups such as system, security, printq, cron, adm,
audit or shutdown. In particular, a user in the security group can add/remove/change other
users and groups.
To protect important users/groups from users in the security group, AIX has three levels of
user hierarchy: root, admin users/groups and normal users/groups. Only root can
add/remove/change an admin user or admin group. Therefore, you can define a user with a
high level of access, but who is protected from users in the security group.
Controlling root's Access:

Restrict access to privileged logins.

root's password should be changed on an unannounced schedule by the system
administrator.

Assign different root passwords to different machines.

System administrators should always log in as themselves first and then su to root
instead of logging in as root. This helps provide an audit trail for root usage.

Do not include unsecured directories in root's PATH.

Notes:
If the root password is known by too many people, no one can be held accountable. The root
password should be limited to just two or three administrators. The fewer people who
know root's password the better.
The system administrator should ensure that distinct root passwords are assigned to different
machines. You may allow normal users to have the same passwords on different machines,
but never do this for root.
Attempts to become root through su can be investigated. Successful and unsuccessful
attempts might be logged by the audit system.

root's PATH is used by many implicit system functions, not just by a user logged in as root.
AIX Security configuration files:
/etc/security/environ: Contains the environment attributes for users.
/etc/security/lastlog: Contains the last login attributes for users.
/etc/security/limits: Contains process resource limits for users.
/etc/security/user: Contains extended attributes for users.
/usr/lib/security/mkuser.default: Contains the default attributes for new users.
/usr/lib/security/mkuser.sys: Customizes new user accounts.
/etc/passwd: Contains the basic attributes of users.
/etc/security/passwd: Contains password information.
/etc/security/login.cfg: Contains system default login parameters.
/etc/utmp: Contains a record of users logged into the system.
/var/adm/wtmp: Contains connect-time accounting records.
/etc/security/failedlogin: Records all failed login attempts.
/etc/motd: Contains the message to be displayed every time a user logs in to the system.
/etc/environment: Specifies the basic environment for all processes.
/etc/profile: Specifies environment settings for all users.
$HOME/.profile: Specifies environment settings for a specific user.
/etc/group: Contains the basic attributes of groups.
/etc/security/group: Contains the extended attributes of groups.
Permissions:

Depending on how the umask is set, when a user creates a file, the file permissions will be
set to

read/write for the owner of the file

read-only for group and other

If you look at the permissions using the ls -l command, you will see

-rw-r--r-- 1 roger staff 129 Oct 07 10:14 testfile

Reading from left to right, the fields are:

File type flag: - = ordinary, d = directory, b = block special, c = character special,
l = symbolic link, p = FIFO, s = socket, F = remote, B = remote block
Owner flags: read, write, execute (r w x)
Group flags: read, write, execute (r w x)
Other flags: read, write, execute (r w x)
Links: number of links (1)
Owner: owner of the file (roger)
Group: group owner of the file (staff)
Size: size of the file in bytes (129)
Date: date last written to (Oct 7 10:14)
Filename: testfile

A dash under the owner, group, and other fields means that particular attribute (either
read, write or execute) isn't permitted. When a file is created, a mask is applied to the
permission bits to determine what permissions are allowed. The mask can be user defined by
the umask command.
File permission bits are verified when a file is opened. The commands mv (move)
and rm (remove), for example, don't open a file. Thus, it's possible to remove a file that you
don't have permission to open, as long as you have write (w) permission for the directory
containing that file.
Sticky bit:

The sticky bit is usually associated with world-writable directories, such as the /tmp
directory. It prevents users from deleting files they don't own. Users can write to those
directories, but they can only delete or update the files they own. It's commonly used for
scratch directories like /tmp to provide some security for otherwise world-writable
directories.
/etc/security:
The directory /etc/security contains many files used to configure individual user or
system-wide security defaults. The files listed below can be modified to enhance system
security at your site:
/etc/security.ids:
Holds the value for the next assignment to a group/user id and group/user admin id. Used
by the mkuser and mkgroup commands.
Sample contents: 4 203 12 200
where

4 = administrative user id (mkuser -a)

203 = user id (mkuser)

12 = administrative group id (mkgroup -a)

200 = group id (mkgroup)

/etc/security/limits:
Set one or more of the following stanzas for each user. All field attributes below default to
512-byte blocks.

Value: What it does
fsize: Largest file size that can be created or extended.
core: Largest core file size that can be created.
cpu: Maximum amount of cpu time to be used by each process. Must log out and back
in for the changes to take effect.
data: Maximum size of the data segment for a process (malloc call). Data and stack are tied
together; combined, they can never be greater than 256 MB.
stack: Maximum size of the stack segment for a process.
rss: Maximum size to which a process's resident set size (working set) may grow. As long as real
memory is available, the system will give additional memory to the process
instead of causing the process to page portions of its code.
/etc/security/login.cfg:
Sets system-wide password restrictions (pw_restrictions).

Value: What it does
maxage: A value of 4 forces users to change passwords every 4 weeks. Default=0,
indicating no maximum age.
minage: Defines the minimum number of weeks that can pass before a password must
be changed. This option can conflict with the flags field in
/etc/security/passwd. If minage has a value greater than zero and flags =
ADMCHG in the /etc/security/passwd file for that user, then the user will not
be forced to change their password until the number of week(s) has
elapsed. Default=0
minalpha: Minimum number of alphabetic characters in a password. Default=0
minother: Minimum number of non-alphabetic characters in a password. Default=0
mindiff: Number of characters that must be different from the previous password. This
option is recommended since, by default, you can reuse the previous password
when prompted to change to a new password. This is not positional. If the
new password is xycd and the old password was abcd, then the number of
different characters is one. Default=0
maxrepeats: Maximum number of repeatable characters in a password. The repeatable
characters don't have to be consecutive. The default of 8 is used to indicate that
there is no maximum number.

/etc/security/mkuser.default:
Default attributes for generating a new user.
user:
    group = staff
    groups = staff
    prog = /bin/ksh
    home = /u/$USER
admin:
    group = system
    groups = system
    prog = /bin/ksh
    home = /u/$USER
/etc/security/passwd:
Holds the encrypted password for each user. Let's assume you have an unhappy worker who is
asked to leave the company. You're afraid that person will attempt to get into the system. You
ask everybody to change their password but aren't sure if everyone will follow suit.
To force users to change their password, perform the following procedure.
1. Edit /etc/security/login.cfg and change maxage=1. This will force users who haven't
changed their password in the past week to do so the next time they log in.
2. If some people have changed their password in the past week, review
the lastupdate field for that user. Subtract 604800 (the number of seconds in one week)
from the value specified in the lastupdate field. The next time that user logs into the
system, they will be forced to change their password. The lastupdate field represents
the number of seconds passed since Jan 1, 1970.
A simpler way to force a user to change their password the next time they log into the system
is to change that user's flags field to ADMCHG. Use the command pwdadm -f ADMCHG
<username> to change the flag.

The next time a login or su command is executed for that user, they will be forced to
change their password, based on the password guidelines specified in the
/etc/security/login.cfg file.

If the user has a password, they will be asked for their original password before being
prompted to change to a new password.

Make sure the mindiff attribute in the pw_restrictions stanza of /etc/security/login.cfg is
nonzero to force the new password to be different from the old one.

If the flags field for a user is set to flags = NOCHECK, then the /etc/security/login.cfg
restrictions won't apply to that user for new passwords that follow.
Note: If an * appears in the password field (password = *), this indicates that no password
has been set for that user and prevents the user from logging in until the root user assigns a
password to that account.

If /etc/passwd has an asterisk (*) in the second field, this implies that the account has
been defined to the system but is not an account that can be logged into yet. There will not
be an entry placed into the /etc/security/passwd file until a password has been assigned to this
account.
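As an added example (not part of the original notes), the check behind step 2 above written as shell functions: they scan a /etc/security/passwd-style stanza file, report users whose lastupdate is more than 604800 seconds behind a given "now" and who are not already flagged ADMCHG, and separately list accounts whose password field is *. The stanza content, user names, timestamps and the "now" value are constructed for the example; the stanza layout (a `name:` line followed by indented `attribute = value` lines) is assumed to match the real file.

```shell
#!/bin/sh
# Added example: audit a /etc/security/passwd-style stanza file.
# The stanza content below is constructed; on a real system you would point
# the functions at /etc/security/passwd (readable by root only).
SAMPLE=$(mktemp "${TMPDIR:-/tmp}/passwd.XXXXXX")
cat > "$SAMPLE" <<'EOF'
roger:
        password = encrypted_hash_placeholder
        lastupdate = 1699999900
        flags =

lisa:
        password = encrypted_hash_placeholder
        lastupdate = 1699300000
        flags =

tom:
        password = encrypted_hash_placeholder
        lastupdate = 1699000000
        flags = ADMCHG

guest:
        password = *
        flags =
EOF

# stale_passwords FILE NOW
#   Prints users whose lastupdate is older than one week (604800 s) relative
#   to NOW and who are not already flagged ADMCHG (the step 2 candidates).
stale_passwords() {
    awk -v now="$2" -v week=604800 '
        function flush() {
            if (user != "" && flags !~ /ADMCHG/ && last != "" && now - last > week)
                print user
            user = ""; last = ""; flags = ""
        }
        /^[^ \t#][^:]*:[ \t]*$/ { flush(); user = $1; sub(/:.*/, "", user); next }
        $1 == "lastupdate" && $2 == "=" { last = $3 }
        $1 == "flags" && $2 == "="      { flags = $0; sub(/^[ \t]*flags[ \t]*=[ \t]*/, "", flags) }
        END { flush() }
    ' "$1"
}

# unset_passwords FILE
#   Prints users whose password field is "*" (no password set; login is
#   blocked until root assigns one).
unset_passwords() {
    awk '
        /^[^ \t#][^:]*:[ \t]*$/ { user = $1; sub(/:.*/, "", user); next }
        $1 == "password" && $2 == "=" && $3 == "*" { print user }
    ' "$1"
}

# Report for a constructed "now" of 1700000000 (seconds since Jan 1, 1970).
stale_passwords "$SAMPLE" 1700000000
unset_passwords "$SAMPLE"
```

Users printed by stale_passwords are the ones you would either edit per step 2 or simply flag with pwdadm -f ADMCHG.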
/etc/security/.profile:
System-wide default profile that is copied into the $HOME directory of each user as they are
created on the system. Add to this file to acquire default capabilities that otherwise would
have to be added manually to each $HOME/.profile.
Remember, the /etc/profile file contains commands executed by all users at login, so if
everyone needs to have certain environment variables set, set them in that file.
/etc/security/user:
Lists attributes that have changed from the default values for individual users, like whether
that user has rlogin or telnet access, login authentication method and so on. For example, if a
particular user could only log into the system from a particular terminal, the stanza for that
user would read:
roger:
    admin = false
    ttys = /dev/tty1
where the only terminal user roger could log in from would be tty1.
One could also specify that user roger could use any terminal directly connected to the
system except terminal tty5 by stating the following in this file:
roger:
    admin = false
    ttys = !/dev/tty5, ALL
The chuser command modifies this file.
If the login field is set to false (login = false), that user will be locked out from logging into
the system from a locally attached terminal. There are only two ways to log in to that account.
You could su into that account, assuming the "SU to user" field is set to TRUE. The other
way is to log into that system if the telnet or rlogin field is set to true and your system is
connected to a TCP/IP network.
roger:
    login = false
    telnet = true
    rlogin = true
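An added example (not from the original notes) that evaluates the login and ttys attributes described above for a given user and terminal, using a constructed /etc/security/user-style file. Two assumptions are labelled in the code: an attribute missing from a user's stanza is taken from the default stanza, and a "!" entry in the ttys list denies that terminal even when ALL is also listed, which is how the notes read "ttys = !/dev/tty5, ALL".

```shell
#!/bin/sh
# Added example: evaluate login/ttys attributes from a /etc/security/user
# style stanza file. The file below is constructed for the example; on a
# real system the file is /etc/security/user.
USERDB=$(mktemp "${TMPDIR:-/tmp}/user.XXXXXX")
cat > "$USERDB" <<'EOF'
default:
        admin = false
        login = true
        ttys = ALL

roger:
        admin = false
        ttys = !/dev/tty5, ALL

lisa:
        admin = false
        ttys = /dev/tty1

tom:
        login = false
        telnet = true
        rlogin = true
EOF

# stanza_attr FILE STANZA ATTR -> prints the attribute value from that stanza
stanza_attr() {
    awk -v want="$2" -v attr="$3" '
        /^[^ \t#][^:]*:[ \t]*$/ { cur = $1; sub(/:.*/, "", cur); next }
        cur == want && $1 == attr && $2 == "=" {
            sub(/^[ \t]*[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# user_attr FILE USER ATTR -> the user's value, falling back to the default
# stanza (assumption: attributes absent from a user stanza come from default).
user_attr() {
    val=$(stanza_attr "$1" "$2" "$3")
    [ -n "$val" ] || val=$(stanza_attr "$1" default "$3")
    printf '%s\n' "$val"
}

# tty_allowed FILE USER TTY -> exit 0 when the ttys list permits TTY.
# Assumption: a "!entry" denies that terminal even when ALL is also listed.
tty_allowed() {
    result=1
    oldifs=$IFS; IFS=','
    for entry in $(user_attr "$1" "$2" ttys); do
        entry=$(printf '%s' "$entry" | tr -d ' \t')
        case "$entry" in
            "!$3")    IFS=$oldifs; return 1 ;;
            ALL|"$3") result=0 ;;
        esac
    done
    IFS=$oldifs
    return $result
}

# local_login_allowed FILE USER TTY -> exit 0 when login is not false and the
# terminal is permitted; login = false still leaves the su/telnet/rlogin routes.
local_login_allowed() {
    [ "$(user_attr "$1" "$2" login)" != "false" ] && tty_allowed "$1" "$2" "$3"
}

local_login_allowed "$USERDB" roger /dev/tty5 && echo "roger tty5: allowed" || echo "roger tty5: denied"
local_login_allowed "$USERDB" tom /dev/tty1 && echo "tom tty1: allowed" || echo "tom tty1: denied"
```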
acledit:

Combines aclget and aclput capabilities. The EDITOR variable must be set as follows:
export EDITOR=/usr/bin/vi
You must be the owner or root to modify the base or extended permissions of a file, regardless of
what the extended permissions say. The use of an octal operand (chmod 755 <filename>) will
disable the extended ACL parameters (if any) associated with the file.
Example: acledit mytest
aclget:

Gets the ACL values for a file.

Example: aclget mytest (Displays base and extended permissions for file mytest)
aclput:

Sets the ACL for a file.

Example: aclget mytest | aclput yourtest (Copies ACL attributes from file mytest to file
yourtest)
chgrp:

Changes the group ownership of a file or directory.

Examples and what they do:
chgrp staff mgmt: Changes group from staff to mgmt
chgrp -R office /lisa: Recursively descends through the lisa directory and all its
subdirectories to change the group of all files to the group named office.

chmod:
Changes permissions of a file or directory. Without considering the umask value, when a
directory is created, the permissions are set to rwxrwxrwx; and for a new file, the
permissions are rw-rw-rw-. When the umask is applied, directory settings are rwxr-xr-x and
files are rw-r--r--. To have access to another user's directory, that user's directory must have
the execute bit set for either group or other (e.g., rwxr-xr-x).
Be very careful with the files needed for booting. Other system files should be handled with
care. Accidentally entering chmod 666 / usr/file instead of chmod 666 /usr/file can be
disastrous. The former will instantly render the root file system unusable and unbootable,
since it takes execute (directory search) permission away from the entire file system except
for references relative to the current directory that do not go through the root directory.
The same analogy applies to the /u or /home directory. If execute permission is removed for
group and other (drwxr--r--), users other than root will not be able to log into the system.
Examples and what they do:
chmod go+wr testfile: Adds read/write for group/others
chmod u-x testfile: Removes execute permission from owner
chmod 1777 ickfar: Turns on the sticky bit for the file named ickfar

tcbck:

Examples and what they do:
tcbck -p ALL: Checks files specified in /etc/security/tcbck.cfg. Use this command to check
the file system any time you suspect the integrity of the system may have
been compromised.
tcbck -t tree: All files in the system are checked for correct installation (this may take
several hours to complete).
lsgroup:

Lists attributes of a group.

Example: lsgroup staff (Displays characteristics of the group named staff)
grpck:

Verifies that all users listed as group members are defined as users, that the GID is unique,
and that the group name is correct.
Examples and what they do:
grpck -n ALL: Reports errors but doesn't fix them.
grpck -t ALL: If problems are detected, asks if they should be fixed.
lsuser:

Lists characteristics of user accounts.

Example: lsuser roger (Displays attributes for the user roger)
usrck:

Verifies most parameters in the /etc/security/user database.

Each user name listed in the /etc/passwd file has a stanza in

o /etc/security/user
o /etc/security/limits
o /etc/security/passwd

Stanzas will be added for each missing user name as needed.

Also verifies that each group name listed in /etc/group has a corresponding stanza in
/etc/security/group.

It may disable a user id by adding an expired expiration date to the /etc/security/user
database.

The user's $HOME directory is not affected.

Re-enable the account by removing the expiration date in the /etc/security/user database
or via smit chuser.

Examples and what they do:
usrck -n ALL: Reports errors but doesn't fix them.
usrck -t ALL: If problems are detected, asks if they should be fixed.

mkpasswd:

Creates a hashed version of /etc/passwd for faster login capability. This command should
be run every time the /etc/passwd and /etc/security/passwd files have changed. If more than
40-50 user accounts are defined to the system, running this command will quicken the time it
takes to log in to your account.
Example: mkpasswd -v /etc/passwd (Creates the /etc/passwd.pag and /etc/passwd.dir files.)
pwdck:

Checks authentication stanzas in /etc/passwd and /etc/security/passwd. May not check for
specified password rules such as minalpha, minother, and lastupdate in the
/etc/security/login.cfg file. One drawback to pwdck is that it doesn't report on root
equivalent accounts (accounts with a UID of 0 but a username other than root).
Examples and what they do:
pwdck -n ALL: Reports errors but doesn't fix them.
pwdck -t ALL: If problems are detected, asks if they should be fixed.
1) pwdck -y ALL: Imports a BSD or SYSV password file.
2) usrck: Use the usrck command to create default limit entries.
newgrp:

Switches to another group, for users who are members of multiple groups.
rmuser:
Removes a user from the system. The $HOME directory for this user is left intact. You must
manually remove the directory.
su:
By changing the flag "Another user can SU to user?" to no for root, one can prevent users
from acquiring root privilege. The su command won't accept any user name longer than
8 characters.
sysck:

Audits the security state of the system. This command uses the /etc/security/sysck.cfg
configuration file to provide it with the expected security state of the system. The
effectiveness of sysck is directly related to the accuracy of this configuration file. Checks for
file ownership, permissions, access control lists, and checksums. System directories aren't
included, but this info can be easily added via a text editor of your choice.
Examples and what they do:
sysck -n ALL: Errors are reported but not fixed.
sysck -t ALL: Errors are reported with a prompt asking whether the error should
be fixed.
tcbck -n ALL: Checks for inconsistencies in the system.
umask:

Sets the default file permissions for files created by a user.

Type in the umask command by itself to show what the current defaults are. This can be
changed by the smit user command or by the umask command itself.
By default, the umask is set to 022, which means:

Don't allow write access for GROUP and OTHER.

When this mask is applied to the system file default of 666 (read/write for everyone),
the result is 644 (read/write for owner, and read for group and other).

The math works out as follows: 666 - 022 = 644.

The system default for creating directories is 777 - 022 = 755, which means the
owner has read/write/execute permissions on that directory, while group and others
only have read and execute permissions.
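An added example, not from the original notes, that goes a step beyond the 666 - 022 arithmetic above: the umask is really a bit mask that the kernel clears from the creation mode (BASE & ~MASK), so the subtraction shortcut agrees for 022 but gives a wrong answer for masks such as 027. The functions below compute both, render the result the way ls -l shows it, and take only constructed mask values as input.

```shell
#!/bin/sh
# Added example: compute the effect of a umask as the kernel does (a bit
# clear, BASE & ~MASK) and compare it with the subtraction used in the notes.
# For 022 both agree (644 / 755); for 027 subtraction gives 637, the real
# result is 640 (rw-r-----).

# apply_umask MASK BASE -> resulting octal mode (BASE & ~MASK)
apply_umask() {
    printf '%03o\n' $(( 0$2 & ~0$1 & 0777 ))
}

# subtract_umask MASK BASE -> the "666 - 022 = 644" arithmetic from the notes
subtract_umask() {
    printf '%03o\n' $(( 0$2 - 0$1 ))
}

# mode_to_rwx MODE -> symbolic permission string as shown by ls -l
mode_to_rwx() {
    mode=$(( 0$1 ))
    out=""
    for pos in 6 3 0; do            # owner, group, other triplets
        bits=$(( (mode >> pos) & 7 ))
        for bit in 4:r 2:w 1:x; do
            if [ $(( bits & ${bit%:*} )) -ne 0 ]; then
                out="$out${bit#*:}"
            else
                out="$out-"
            fi
        done
    done
    printf '%s\n' "$out"
}

# Show file (666) and directory (777) defaults under a few constructed masks.
for mask in 022 027 077; do
    f=$(apply_umask "$mask" 666)
    d=$(apply_umask "$mask" 777)
    printf 'umask %s: file %s (%s)  dir %s (%s)  subtraction would give %s\n' \
        "$mask" "$f" "$(mode_to_rwx "$f")" "$d" "$(mode_to_rwx "$d")" \
        "$(subtract_umask "$mask" 666)"
done
```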

ulimit:

Quota limits for individual users for memory usage and file size. Doesn't affect the
/etc/security/limits database. Only changes your environment for the current session (not a
permanent change). This command allows the user to change their hard or soft limits.
To raise or lower the soft limit (within the bounds of the hard limit), use the -S option.
To raise or lower the hard limit (within the bounds of the default values specified in the
/etc/security/limits database), use the -H option.
Examples and what they do:
ulimit -a: View current limits:
time(seconds) 3600
file(blocks) 2097151
data(kbytes) 65536
stack(kbytes) 4096
memory(kbytes) 32768
coredump(blocks) 2048
ulimit -Sf 1000000: Increase file limit to 1000000
ulimit -d 100000: Data section is now increased to 50 MB. When compiling large C or
FORTRAN programs, you may receive a MALLOC error during the link
phase. This is because there is not enough heap space allocated to this
process.
