AIX 5L SysAdmin I: (Unit 13 – Part 1) – AIX 5.1 Security and User Administration

Objectives
—————-
1. Define the concepts of users and groups, and define how and when these should be allocated on the system
2. Define ways of controlling root access on the system
3. Define the users of SUID, SGID and SVTX permission bits
4. Add/Change/Delete user and group accounts
5. Identify the data files associated with users and security

Security Concepts:
—————————-
User Accounts
–> Each user has a unique name, numeric ID and password
–> File ownership is determined by a numeric user ID
–>The owner is usually the user who created the file, but ownership can be transferred by root
–> Default users:
root – super user
adm, sys, bin… IDs that own system files but cannot be used for login

UID – User Id – Used to determine file ownership

Groups:
————-
–> A group is a set of users, all of whom need access to a given set of files
–> Every user is a member of at least one group and can be a member of several groups.
–> The user has access to files in their groupset. To list the groupset use “groups”
–>The user’s primary group is used for file ownership on creation. To change the primary group use the “newgrp”
–> Default groups:
System administrators
Staff ordinary users

Groups:
————-
Using groups allows you to control root access. Instead of giving root access you can assign users to specific groups that have limited administrative rights.

system, adm, printq, security, audit, shutdown

User Hierarchy:
———————–
To protect important users/groups from members of the secuirty group AIX has “admin users” and “admin groups”.
Only root can add/remove/change an admin user or admin group
Any user on the system can be defined as an admin user regardless of the group they are in.

root
admin user (admin flag set to true)
normal user

Control root’s Access:
———————————
–> Restrict access to privileged logins
–> root’s passwords should be changed on an unannounced schedule by the system administrator
–> Assign different root passwords to different machines
–> System administrators should always login as themselves first and then su to root instead of logging in as root. This helps provide an audit trail for root usage
–> Do not include unsecured directories in root’s PATH
–> Don’t su to root from someone else’s user account since they might have written a script and called it su to capture the root password

Security Logs:
———————-
/var/adm/sulog – Audit trail of su activity
/var/adm/wtmp – log of successful logins
/etc/utmp – list of users currently logged in
/etc/security/failedlogin – Information on failed login attempts

File/Directory Permissions:
—————————————–
r – read
File – read file contents
Directory – list directory contents

w – write
File – modify file contents
Directory – create/remove files in directory

x – execute
File – use file name to execute as a command
Directory – gives access to directory

SUID – Set User Id
File – run program with effective UID of owner
Directory – ———————

SGID – Set Group Id
File – run program with effective GID of group
Directory – files created in directory inherit the same group as the directory

SVTX – The sticky bit
File – ———————
Directory – must be owner of file to delete files from directory

Reading Permissions
——————————–
owner -r w x(S-SUID only, s-SUID +x)
group – r w x(S-SGID only, s-SGID +x)
other – r w x (T-Sticky bit only, t-Sticky bit +x)

# ls -ld /usr/bin/passwd /usr/bin/crontab /tmp

-r-sr-xr-x root security … /usr/bin/passwd
Note: Ordinary users don’t have access to the passwd file. However, since the SUID is set on the passwd command, it runs with root authority which can change the password file.

-r-sr-sr-x root cron … /usr/bin/crontab
Note: The crontab scheduler can be run because the SIUD and GUID is set.

drwxrwxrwt bin bin … /tmp (sticky bit set so you can remove files)
Note: Everyone can write to the /tmp directory but since the sticky bit is set they cannot remove each others files from /tmp

Changing Permissions:
———————————-
(SUID,SGID,SVTX), owner, group, other

owner – r(4), w(2), x(1) (rwx=7, rw=6)
group – r(4), w(2), x(1)
other – r(4), w(2), x(1)

Note: Add these numbers together when giving multiple permissions.

4 – SUID
2 – SGID
1 – SVTX

# chmod 4777 file1 or chmod u+s file1 = rwsrwxrwx
# chmod 2777 file1 or chmod g+s file1 = rwxrwsrwx
# chmod 1777 file1 or chmod o+t file1 = rwxrwxrws

umask
———–
–> The umask governs permissions on new files and directories
–> System default umask is 022. A umask of 027 is recommended
–> If the umask value is set to 022, then any ordinary files or directories created will inherit the following permissions:
Ordinary file: rw-r–r–
Directory: rwxr-xr-x
–> /etc/security/user – specifies default and individual user umasks

Changing Ownership:
——————————-
chown command

# chown fred file1
# chgrp staff file1
# chown fred:staff file1 or chown fred.staff file1

Note: Only root can excute these two commands.

Lab:
——
cat /etc/group
groups – list the group set for your current login user
pg /var/adm/sulog – check the sulog
who /var/adm/wtmp – show sucessful logins
who /etc/utmp – shows users currently logged in
last wltest – times and dates for wltest login
last root – ” ” ”
who /etc/security/failedlogin
find / -perm -4000 > allsuids
pg allsuids
ls -l /usr/bin/su – look at the su permissions
chmod 555 /usr/bin/su – turn off the sticky bit
exit
su – can’t log on as root because the sticky bit is turned off
exit
login as root
chmod 4555 /usr/bin/su – reset the sticky bit
ls -ld /tmp – check sticky bit on the directory
mkdir stickydir
chmod 1777 stickydir
ls -ld stickydir
touch stickydir/sticky1
exit
login as wltest2
whoami
cd /home/team01/stickydir
ls
touch sticky2
rm sticky1 – Can’t remove other peoples files, only add files

pwdchk ALL – To verify the validity of local authentication information
/etc/security/user – The file that contains password restrictions
The supervisory password is set to prevent unauthorized access to SMS

FAQs:
———–
Q: I tried to log in as user ?bin.?? What is the password?
A: There is no password.? This account is not used for login.? It is there to own certain files and run certain processes.? It is one of the system default user accounts so do not remove it.
?????
Q: I created a user account and placed them in the system group.? I thought system group member could do everything but it appears they can?t do user management.? I tried to add an account using the system account, but it?s not working.? Why?
A: The system group does not do user administration.? This is the security group?s responsibility.? Only root has universal powers on the system.? Each group has the authority to perform a limited scope of activities.

Q: I tried to ?cat? /var/adm/wtmp and all I get is garbage.? What?s the problem?
A: /var/adm/wtmp is not an ascii file.? It can be read with the ?who? command.? Try: ?who /var/adm/wtmp?.? You can also use the command ?last.?? This will give you the listing of all logins on your machine in reverse chronological order.v

Q: I created a shell script and set the SUID bit on it.? It doesn?t appear to have any effect. Why?
A: The SUID bit only works on compiled files.? AIX will allow you to set the SUID bit, but when you run it, it will ignore it.

Q: Will AIX allow me to accidentally duplicate UIDs when setting up users?
A: If you use SMIT the answer is NO.? If you are manually editing files, you can make all the mistakes you want.

Leave a Reply

Your email address will not be published. Required fields are marked *

*