Users & Groups

Objectives
This PPT introduces the concepts of AIX users and groups, and also the files that contain user account information. Defines the concepts of users and groups, and define how and when these should be allocated on the system Add/Change/Delete user and group accounts Identify the data files associated with users

Security Concepts User Accounts

Each user has a unique name, numeric ID and password File ownership is determined by a numeric user ID The owner is usually the user who created the file, but ownership can be transferred by root Default users: root super user adm, sys, bin IDs that own system files but cannot be used for login

Groups
A group is a set of users, all of whom need access to a given set of files Every user is a member of at least one group and can be a member of several groups The user has access to files in their groupset. To list the groupset use groups The users primary group is used for file ownership on creation.To change the primary group use the newgrp Default groups: -System administrators -staff ordinary users

Groups

User Hierarchy
To protect important users/groups from members of the security group AIX has admin users and admin groups Only root can add/change/remove an admin user or admin group Any user on the system can be defined as an admin user regardless of the group they are in

Security Logs

User Administration Related Files

/etc/security/environ

Contains the environment attributes for users. /etc/security/lastlog Contains the last login attributes for users. /etc/security/limits Contains process resource limits for users. /etc/security/user Contains extended attributes for users. /usr/lib/security/mkuser.default Contains the default attributes for new users. /usr/lib/security/mkuser.sys Customizes new user accounts. /etc/passwd Contains the basic attributes of users. /etc/security/passwd Contains password information.

 /etc/security/login.cfg Contains system default login parameters. /etc/utmp Contains a record of users logged into the system. /var/adm/wtmp Contains connect-time accounting records. /etc/security/failedlogin Records all failed login attempts. /etc/motd Contains the message to be displayed every time a user logs in to the system. /etc/environment Specifies the basic environment for all processes. /etc/profile Specifies additional environment settings for all users. $HOME/.profile Specifies environment settings for a specific user. /etc/group Contains the basic attributes of groups. /etc/security/group Contains the extended attributes of groups.

User Initialization Process

User Commands
mkuser Creates a new user account. passwd Creates or changes the password of a user. chuser Changes user attributes. lsuser Displays user account attributes. Rmuser Removes a user account. chsec Changes the attributes in the security stanza files. login Initiates a user session. who Identifies the users currently logged in. dtconfig Enables or disables the desktop autostart feature.

Add a New User

SYNTAX: mkuser To create the smith account with smith as an administrator, enter: # mkuser -a smith To create the smith user account and set the su attribute to a value of false,enter: # mkuser su=false smith To create a user account, smith, with the default values in the/usr/lib/security/mkuser.default file, enter: # mkuser smith

List users
SYNTAX: lsuser To display the user ID and group-related information for ALL #lsuser a id home ALL To display the user ID and group-related information for the root account in stanza form, enter: # lsuser -f -a id pgrp home root To display all the attributes of user smith in the default format, enter: # lsuser smith To display all the attributes of all the users, enter: # lsuser ALL

Changing User Attributes

SYNTAX: chuser To enable user smith to access this system remotely, enter: # chuser rlogin=true smith To add smith to the group program, enter: #chuser groups=program smith To change the expiration date for the smith user account to 8 a.m., 1 December, 1998, enter: #chuser expires=1201080098 smith

Removing User Accounts

SYNTAX: rmuser To remove a user account smith and its attributes from the local system: # rmuser smith To remove the user smith account and all its attributes, including passwords and other user authentication information in the /etc/security/passwd file: # rmuser -p smith The users home directory is not deleted, therefore you must manually clean up the user directories (remember to backup important files) #rmuser r /home/smith

Creating or Changing User Password

SYNTAX: passwd, pwdadm To change the full name of user smith in the /etc/passwd file, enter: # passwd -f smith To change your password, enter: # passwd To change root or user in security group # pwdadm username

Regaining roots Password

Boot from CD-ROM or a bootable tape Select option 3 from the Installation and Maintenance menu: start Maintenance Mode for System Recovery Follow the options to activate the root volume group and obtain a shell Once a shell is available, execute the passwd command to change roots password. #sync ;sync Reboot the System

Changing Security Attributes of User

SYNTAX: chsec [ -fFile] [ -s Stanza] [ -a Attribute = Value ... ] To change the /dev/tty0 port to automatically lock if five unsuccessful login attempts occur within 60 seconds, enter: # chsec -f /etc/security/login.cfg -s /dev/tty0 -a logindisable=5 a logininterval=60 To unlock the /dev/tty0 port after it has been locked by the system, enter: # chsec -f /etc/security/portlog -s /dev/tty0 -a locktime=0

Displaying currently logged users

SYNTAX : who, who am I To display information about all the users who are logged on to the system: # who To display information about your user name: # who am I To display the run-level of the local system node: # who r To display any active process that was spawned by init: # who -p

Group Commands
mkgroup chgroup lsgroup Rmgroup Creates a new group account. Changes group attributes. Displays selected or all groups on the system. Removes a group account.

 To create the group using smit: #smit mkgroup To create the group administrator (-a) parameter is added with mkgroup: # mkgroup a To change attributes of the group: #smit chgroup To change either the administrators or the members a group for which they are group administrator: #chgrpmem

 To remove a group from the system. This command has no options and the only parameter is the group name. Only the root user can delete an administrative group. #rmgroup To list selected or all groups on the system. The data is presented in line format by default or in colon format (-c) or in stanza format (-f). lsgroup [-c|-f] [-a attribute] {ALL|groupname} #lsgroup c f ALL

Summary
User and groups can be added and deleted from the system SMIT or by high level commands Passwords must be set for all users either using pwdadm or passwd Administrative users and groups can only be administered by root Every user must be in at least one group Certain groups give users additional privileges Security files are located in ACSII text files in /etc and /etc/security

Exercises
The following exercises provide sample topics for self study. 1. Add a new user account (james) and try to log in to the new account. Can you log in without creating a password for this account? 2. Create a password for a newly created user account (james). 3. You want all the users to get the following message when they log in: *************************************************************************** Please assemble in the meeting room at 13:00 hrs on Feb.20,2009 **************************************************************************** Which file needs to be edited to contain this message so that the message is displayed when a user logs in? 4. Move the file /etc/utmp to /etc/wtmp.org. Run the who command. What is the output? 5. Change the password of a user account who does not remember his old password. 6. How can you disable the desktop autostart? 7. Display the attributes of the user account. 8. Permanently change your shell prompt to display the current directory.