Friday, November 27, 2009

User and Group Administration - Part 1

USER ADMINISTRATION


A Few Restrictions on User Names:

1. User names cannot start with a
  • dash or minus sign (-)
  • plus sign (+)
  • at symbol (@)
  • tilde (~)
2. User names cannot include a
  • colon (:)
  • single or double quotation mark (' or ")
  • hash symbol (#)
  • comma (,)
  • equal sign (=)
  • back or forward slash (\ or /)
  • question mark (?)
  • back quote (`)
  • white space (space or tab)

3. User names cannot be ALL or default, because those names are reserved for the AIX OS.

4. User names can have a maximum of 8 characters in AIX 5.2 or earlier. Starting with AIX 5.3, the maximum is 255 characters. You can change this setting with the command below:

# chdev -l sys0 -a max_logname=255

To view the setting, use either of the commands below:

# lsdev -l sys0 -a max_logname
# getconf LOGIN_NAME_MAX
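As an added example (not part of the original post), here is a POSIX sh function that checks a proposed name against the four restrictions above before you run mkuser. The length limit is passed in as the second argument because it depends on the AIX level and the max_logname setting:

```shell
# Added example, not from the original post: check a proposed AIX user name
# against the four restrictions listed above before running mkuser.
# Assumes POSIX sh. $2 is the length limit: 8 on AIX 5.2 and earlier, or
# the max_logname value of sys0 (up to 255) on AIX 5.3 and later.
valid_username() {
    name=$1
    maxlen=${2:-8}
    tab=$(printf '\t')

    if [ -z "$name" ]; then
        echo "empty user name" >&2; return 1
    fi

    # Rule 1: must not start with a dash, plus sign, at symbol or tilde
    case $name in
        -*|+*|@*|~*) echo "$name: must not start with - + @ or ~" >&2; return 1 ;;
    esac

    # Rule 2: must not contain : ' " # , = \ / ? ` space or tab.
    # tr -d strips every forbidden character; if the result differs from
    # the input, the name contained at least one of them.
    stripped=$(printf '%s' "$name" | tr -d ":'\"#,=\\\\/?\`$tab ")
    if [ "$stripped" != "$name" ]; then
        echo "$name: contains a forbidden character" >&2; return 1
    fi

    # Rule 3: ALL and default are reserved by the AIX OS
    case $name in
        ALL|default) echo "$name: reserved name" >&2; return 1 ;;
    esac

    # Rule 4: length limit (LOGIN_NAME_MAX / max_logname)
    if [ ${#name} -gt "$maxlen" ]; then
        echo "$name: longer than $maxlen characters" >&2; return 1
    fi
    return 0
}

# Constructed candidates: the second one is rejected only under the 8 char limit
valid_username jack 8 && echo "jack ok"
valid_username jack_smith 8 || echo "jack_smith rejected at 8 chars"
```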


Configuration Files:

/etc/passwd :

Contains the basic user configuration details: user name, password flag, uid, gid, gecos (description), home directory and shell.

/etc/security/.profile :

It is the template for the user's .profile file. It is copied to the user's home directory when the user is created.

/etc/security/limits :

It contains all the resource limits (ulimits) for the users.

Here are the various ulimit values:

fsize, fsize_hard - Soft and hard limit for the size of a file a user can create
core, core_hard - Soft and hard limit for the size of a core file a user can create
cpu, cpu_hard - Soft and hard limit for the amount of system time allowed
data, data_hard - Soft and hard limit for the size of the process data segment
stack, stack_hard - Soft and hard limit for the size of the process stack segment
rss, rss_hard - Soft and hard limit for the physical memory allowed
nofiles, nofiles_hard - Soft and hard limit for the number of open file descriptors at one time
nproc, nproc_hard - Soft and hard limit for the number of running processes at one time

/etc/security/passwd :

This file contains the user's password information such as password, lastupdate and flags.

Here are the flags this file uses:

ADMIN - It can be set so that only the root user can change the user's password.

ADMCHG - It can be set so that the user is prompted to change his or her password on the next login/su.

NOCHECK - It can be set so that any additional restrictions in /etc/security/user are ignored.


/etc/security/user :  This file contains the most important security settings for every user.

Here are the parameters configured in the file for each user:

account_locked - To lock the user account. It can take the values TRUE or FALSE.

admin - To specify whether the user is an admin or not. It can take the values TRUE or FALSE.

expires - It is configured to set the expiration date for the user beyond which the user will be locked. It can take values in the format MMDDHHYY.

histexpire - To specify the # of weeks during which the user can't reuse a password. It can take values between 0-260.

histsize - To specify the # of passwords previously used that can't be reused. It can take values between 0-50

login - To specify whether a user can log in or not. It can take values TRUE or FALSE.

maxage - To specify the # of weeks a password is valid. It can take values between 0-52.

minage - To specify the # of weeks a user must wait before changing his or her password. It can take values between 0-52.

rlogin - To specify whether the user account can be accessed remotely via telnet, ssh or ftp. It can take values TRUE or FALSE.

su - To specify whether other users can use su to access this account. It can take values TRUE or FALSE.
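Because a user's stanza only overrides what the default stanza sets, the effective value of an attribute such as rlogin or su is not always visible in the user's own stanza. The following added example (not from the original post) resolves the effective value from a constructed file in the same stanza layout as /etc/security/user and lists the users for which an attribute has a given value, which is a handy audit for rlogin, su, admin and account_locked:

```shell
# Added example, not from the original post: resolve the effective value of a
# /etc/security/user attribute (user stanza, else the "default" stanza).
# The sample file is constructed here; on a real system point $sample at
# /etc/security/user instead. Values are taken as the first token after "=".
sample=${TMPDIR:-/tmp}/user.sample.$$
cat > "$sample" <<'EOF'
* constructed sample, same layout as /etc/security/user
default:
        admin = false
        su = true
        rlogin = true
        account_locked = false
        maxage = 13

root:
        admin = true
        rlogin = false

jack:
        su = false
        maxage = 4

tom:
        account_locked = true
EOF

# user_attr FILE USER ATTR: print the effective value for USER
user_attr() {
    awk -v user="$2" -v attr="$3" '
        /^[ \t]*\*/ { next }                                   # comment line
        /^[^ \t]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        $1 == attr && $2 == "=" {
            if (stanza == user) { uval = $3; found = 1 }
            else if (stanza == "default") dval = $3
        }
        END { print (found ? uval : dval) }' "$1"
}

# users_with FILE ATTR VALUE: list every user stanza whose effective ATTR is VALUE
users_with() {
    for u in $(awk '/^[^ \t]+:[ \t]*$/ && $1 != "default:" { sub(/:$/, "", $1); print $1 }' "$1"); do
        if [ "$(user_attr "$1" "$u" "$2")" = "$3" ]; then printf '%s\n' "$u"; fi
    done
}

echo "rlogin=true:"; users_with "$sample" rlogin true
echo "su=true:";     users_with "$sample" su true
```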


/usr/lib/security/mkuser.default :  This file contains the default values that are set while creating a user.


/etc/security/login.cfg : This file contains the message that is displayed whenever you log in to the system.
You can change it with the chsec command or by editing the file directly in the vi editor.


Here are a few user attributes you may be interested in.


id - User Identification Number, a unique id for every user. The root user's id is always 0.

pgrp - Primary Group of a user

groups - Secondary groups of a user. A user can belong to a maximum of 128 groups in AIX 5.3 and 6.1.

home - Home directory to store the user's files

shell - Shell that runs when the user logs in

gecos - Description or some comments about the user


There are 6 main commands used in the administration of users:

mkuser  - Add a user
chuser  - Change an attribute of a user
lsuser  - List the attributes of a user
rmuser  - Remove a user
passwd  - Set the password for a user, and various other purposes

These words can also be used as fastpaths for smitty.
For example, # smitty mkuser will open a form to create a user.

For doing the whole of user administration, you can use

# smitty user

and go through the menu items for the various operations.

Now let us see the commands to administer users ...

To create a user called 'jack' with default settings and allocate the next available uid :
# mkuser jack

To create a user with home dir /opt/$username and primary group 'dba' :
# mkuser home=/opt/jack pgrp=dba jack

To know about the user :
# finger jack

To change the primary group for a user :
# chuser pgrp=oracle jack

To list the attributes of a user in stanza structure :
# lsuser -f jack

To list the attributes of a user delimited by comma :
# lsuser -c jack

To list home and shell attributes for the users jack and tom :
# lsuser -a shell home jack,tom

To set the password for a newly created user :
# passwd jack

To clear the flag ADMCHG for jack :
# pwdadm -c jack

If you don't do this after setting a password for jack, he will be prompted to change his password on the first login.

To change the gecos for a user :
# passwd -f jack

To change the shell for a user :
# passwd -s jack

To list the last password update date/time and the flags for a user :
# passwd -q jack

To set the ADMIN flag for a user :
# passwd -f ADMIN jack

The ADMIN flag ensures that only the root user can change the password for jack.

To remove the user :
# rmuser jack

Note: rmuser doesn't remove the home directory of the user.
You have to remove it yourself, perhaps after taking a backup.

To remove the user along with his password information :
# rmuser -p jack

To list the currently logged in users :
# who
Note: This command shows the contents of /etc/utmp, which is a binary file.

To list the login and logout information for the machine :
# last
Note: This command shows the contents of the /var/adm/wtmp file, which is a binary file. Over time this file grows and takes up a lot of space in the /var file system. Hence nullify the file once every 6 months, or more often depending on the # of login/logout actions on the system.

To clear (nullify) the wtmp file, you can use either of the commands below:

# cp /dev/null /var/adm/wtmp
# > /var/adm/wtmp

To change the default message (herald) that is shown after user login (replace <your message> with the text you want displayed) :
# chsec -f /etc/security/login.cfg -s default -a herald="<your message>"

As a user, you have to protect (lock) your terminal whenever you go for a coffee break.
# lock (locks your telnet or ssh terminal)

If you use X Windows, you can use the command below:
# xlock

Sometimes you may want to log in as root to execute some admin commands. For this you don't have to log out from the current user and log in as root. You can use the su command to switch user and execute the commands, and type 'exit' to come out of the su session.

To su to root, you can use either of the commands below:

# su - root
# su -

To su to another user called tom :
# su - tom

These su operations are logged in the /var/adm/sulog file. You have to nullify this file periodically to free some space in the /var file system.

How to disable direct root login via telnet and ssh ?
To disable direct root login through telnet or ssh, you have to set the 'rlogin' attribute of the root user to false.

You can use the below command to do so.
# chuser rlogin=false root

How to enforce automatic logoff after certain timeout period ?

To enforce automatic logoff after a timeout period of 10 minutes (600 seconds), enter the following line in /etc/security/.profile after the AIX installation. Making the variables readonly prevents a user from unsetting them in their own shell; note that readonly and export are separate commands.

TMOUT=600 ; TIMEOUT=600 ; readonly TMOUT TIMEOUT ; export TMOUT TIMEOUT


I will update this blog whenever I come across other commands.

We will talk about group administration in the next part.

Thanks for visiting.

- Raja

12 comments:

Unknown said...

Hi.. I'm Rumesh.. I'm learning AIX for the past couple of months..
I think all the information in this blog is useful for beginners & I'm following this blog..

Thank you
Rajarathinam Sivasankaran

முகமூடியணிந்த பேனா!! said...

Hi,

Where can we get some useful videos for AIX ???

can you give some link ???

Thanks in advance....

DAMU

RAGAZA said...

Hi
I have a few doubts. How to grant root privilege to an ordinary user?

thanks in advance.
mohanram
mohanram634@gmail.com

Raja said...

@ RAGAZA

You can add the user into the SYSTEM group so that he can become an admin user. Or you can specify the "-a" flag while creating the user, so that he will be created as an admin user.

Practically we can create duplicate root users, by creating users with UID=0. But this is not a recommended way.

Raja said...

@DAMU - You can see a few AIX videos in my blog or on my YouTube site http://youtube/toughindian

Unknown said...

Please add the command to check failed logins.

who -a /etc/security/failedlogin

This blog is simply superb. Almost all the topics have been covered.

Thank you so much.

Regards,
Bala.

Mahesh said...

hi raj

Can you tell me how to reset the root password in AIX?

I forgot the root password.


Thanks
Mahesh

Raja said...

@ Mahesh,

You need to boot from CD/DVD/NIM and follow the steps below

Maintenance
Start Limited Shell
getrootfs hdisk0
vi /etc/security/passwd
then remove the password entry for root.

Now you can reboot your server and login as root with no password.
Don't forget to set a new password for root before logging out.

Anonymous said...

Will the vi editor work in Maintenance Mode without setting up any terminal?

Anonymous said...

Hi

I have a small question: will the vi editor work in Maintenance mode? Because I tried to edit /etc/filesystems, but it won't work for me, even after setting up the terminal.

Raja said...

This should work.

export TERM=vt100

Anonymous said...

Hi Raja
Do you provide job support and training on AIX?
Regards
justin
usa