Monday 27 July 2015

AIX User Attributes In Depth

I have gone through a good article by Brian to distinguish the difference between the user-set and default attributes of AIX user accounts. Here are the details from the article.

Every account in AIX has several attributes. These can be shown with the lsuser command (the user queried here is app01, whose output follows):
 # lsuser app01
app01 id=204 pgrp=staff groups=staff home=/home/app01 shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
These attributes are stored in several files, including /etc/passwd, /etc/security/user, /etc/security/passwd and /etc/security/limits. All of these files except /etc/passwd are in the AIX stanza format, which looks like:
root:
        admin = true
        SYSTEM = "compat"
        registry = files
        loginretries = 0
        account_locked = false

daemon:
        admin = true
        expires = 0101000070
Each stanza starts with an account name followed by a colon. The attributes for that account follow on indented lines below it.

At the top of each of these files (/etc/security/user, /etc/security/passwd and /etc/security/limits) is a "default" stanza. It defines the default value of each attribute in that file, and that value applies to every user whose own stanza does not set the attribute.

For example, here is part of the /etc/security/user file:
default:
        admin = false
        login = true
        su = true
        daemon = true
        rlogin = true
        sugroups = ALL
        admgroups =
        ttys = ALL
        auth1 = SYSTEM
        auth2 = NONE
        tpath = nosak
        umask = 022
        expires = 0
        SYSTEM = "compat"
        logintimes =
        pwdwarntime = 0
        account_locked = false
        loginretries = 0
        histexpire = 0
        histsize = 0
        minage = 0
        maxage = 0
        maxexpired = -1
        minalpha = 0
        minother = 0
        minlen = 0
        mindiff = 0
        maxrepeats = 8
        dictionlist =
        pwdchecks =
        default_roles =

root:
        admin = true
        SYSTEM = "compat"
        registry = files
        loginretries = 0
        account_locked = false
Notice that the "default" stanza has more attributes defined than the "root" user. Any attribute not defined for root (for example maxage, the maximum password age in weeks) takes the value from the default stanza. If the root user had maxage set, that value would override the default.

Any time a default attribute is changed it takes effect for all users who don't have the attribute defined for themselves. In the above example, if we changed the default maxage to 26, the root user would automatically get a maxage of 26 because root has no maxage attribute of its own. If another account had maxage defined, changing the default value would have no effect on that account.

In general you want as many users as possible to use the default values, so that if you ever need to change a setting you can change the default once and have it apply to everyone. The flip side matters for hardening: a per-user override such as maxage=0 or loginretries=0 silently exempts that account from whatever you later set in the default stanza, so when you tighten a default, find the accounts that override it and decide whether each exception is still justified.

You can set a default attribute with the chsec command using a command such as:
chsec -f /etc/security/user -s default -a maxage=26
This would change the default attribute for maxage to be 26.

If a user has an attribute defined (such as maxage) and you want that user to go back to the default value, run "chuser maxage= app01". Because no value is given for maxage, the attribute is cleared from app01's stanza and app01 uses the default attribute again.
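To make the resolution rule concrete, here is an added example that is not Brian's script and not an AIX tool. It parses a constructed file in the /etc/security/user stanza format offline and answers, for any attribute, whether a user's value is set in the user's own stanza, taken from the default stanza, or unknown (set in neither), and which users a chsec change to the default would actually affect. The sample file contents and the function names stanza_attr, attr_source, effective_value and affected_by_default are assumptions made for this example; on a real system you would point the functions at /etc/security/user or /etc/security/limits, running as root because those files are not world-readable.

```sh
#!/bin/sh
# Added example, not part of the original article or of AIX: resolve attributes
# from a file in the AIX stanza format the way AIX does (user stanza first,
# then the "default" stanza, otherwise a hard-coded value we cannot see here).

# Constructed sample in /etc/security/user format; not copied from a real system.
SAMPLE_FILE="${TMPDIR:-/tmp}/stanza_example.$$"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
* Lines starting with "*" are comments in AIX stanza files.
default:
        admin = false
        login = true
        maxage = 0
        loginretries = 0
        SYSTEM = "compat"

root:
        admin = true
        SYSTEM = "compat"
        loginretries = 0

app01:
        maxage = 8
        minother = 1

batch:
        loginretries = 10
EOF

# stanza_attr FILE STANZA ATTR: print ATTR's value from STANZA (quotes stripped).
# Exit status 1 when STANZA does not define ATTR, so an empty value ("logintimes =")
# is still distinguishable from an absent attribute.
stanza_attr() {
    awk -v want="$2" -v attr="$3" '
        /^[^ \t*#].*:[ \t]*$/ { sub(/[ \t]*:[ \t]*$/, ""); cur = $0; next }
        cur == want {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^[*#]/) next              # comment inside a stanza
            eq = index(line, "=")
            if (eq == 0) next                      # blank or malformed line
            name = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", name)
            if (name != attr) next
            val = substr(line, eq + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); gsub(/"/, "", val)
            print val; found = 1; exit
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# attr_source FILE USER ATTR: "set" (user stanza), "default", or "unknown".
attr_source() {
    if stanza_attr "$1" "$2" "$3" >/dev/null; then echo set
    elif stanza_attr "$1" default "$3" >/dev/null; then echo default
    else echo unknown
    fi
}

# effective_value FILE USER ATTR: the value AIX would apply; status 1 if neither stanza has it.
effective_value() {
    stanza_attr "$1" "$2" "$3" || stanza_attr "$1" default "$3"
}

# affected_by_default FILE ATTR: users (in file order) with no ATTR of their own,
# i.e. exactly the accounts a "chsec -f FILE -s default -a ATTR=..." change would alter.
affected_by_default() {
    awk -v attr="$2" '
        /^[^ \t*#].*:[ \t]*$/ {
            sub(/[ \t]*:[ \t]*$/, ""); cur = $0
            if (cur != "default" && !(cur in seen)) { seen[cur] = 1; order[++n] = cur }
            next
        }
        cur != "" {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /^[*#]/) next
            eq = index(line, "=")
            if (eq == 0) next
            name = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", name)
            if (name == attr) has[cur] = 1
        }
        END { for (i = 1; i <= n; i++) if (!(order[i] in has)) print order[i] }
    ' "$1"
}

# Report for the sample: where each value comes from and what it resolves to.
for u in root app01 batch; do
    for a in maxage loginretries admin fsize; do
        printf '%-6s %-13s %-8s %s\n' "$u" "$a" \
            "$(attr_source "$SAMPLE_FILE" "$u" "$a")" "$(effective_value "$SAMPLE_FILE" "$u" "$a")"
    done
done
echo "raising default maxage would change: $(affected_by_default "$SAMPLE_FILE" maxage | tr '\n' ' ')"
```

In the sample, fsize is "unknown" for every user because it lives in /etc/security/limits rather than in this file; when you audit a real system, run the functions over each file that carries the attribute, or you will mistake "defined elsewhere" for "hard-coded".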

There are some difficult questions to answer though when it comes to users and default attributes:
  • When I'm looking at a user, which attributes are actually set for the user and which are getting defaults?
  • If I change a default attribute, which users will it apply to?  
Below is a script called "userattr" that can answer these questions.  
#!/usr/bin/ksh
#userattr
#Copyright 2012 Brian Smith
#
# Usage: userattr <user> | ALL   (extra lsuser options such as "-a maxage" pass through)
# Colours: white  = value comes from the "default" stanza
#          green  = value is set in the user's own stanza (or lives in /etc/passwd)
#          yellow = found in neither, i.e. an AIX hard-coded default

tab=`printf "\t"`
secfiles="/etc/security/user /etc/security/passwd /etc/security/limits"

# Print the stanza named $1 from the security files with " = " normalised to "=",
# quotes dropped and leading whitespace removed, so each line is an exact
# attr=value string comparable with "lsuser -f" output.
stanza() {
  cat $secfiles | sed "s/[ $tab]*=[ $tab]*/=/g; s/^[ $tab]*//" | grep -p "^$1:" | tr -d '"'
}

if [ -n "$1" ]; then
  printf "# \033[37mDEFAULT For User  \033[32m SET For User  \033[33m Unknown"
  lsuser -f "$@" | grep -v "^$" | while read line; do
    # "name:" introduces the next user's stanza in lsuser -f output
    if echo "$line" | grep ":$" >/dev/null; then
      user=`echo "$line" | tr -d ":"`
      printf "\n\033[0m%s " "$user"
      continue
    fi

    # Identity fields come from /etc/passwd and are always explicitly set.
    # Anchoring with ^ keeps "groups=" from matching sugroups= or admgroups=.
    if echo "$line" | egrep "^(id|pgrp|groups|home|shell|gecos)=" >/dev/null; then
      printf "\033[32m%s " "$line"
      continue
    fi

    # Login history from /etc/security/lastlog is bookkeeping, not a setting: skip it
    if echo "$line" | egrep "time_last_login=|time_last_unsuccessful_login=|tty_last_login=|tty_last_unsuccessful_login=|host_last_login=|host_last_unsuccessful_login=|unsuccessful_login_count" >/dev/null; then
      continue
    fi

    #lsuser umask doesn't show umask with padded zeros, so add these in for comparison
    if echo "$line" | grep "^umask=" >/dev/null; then
      mask=`echo "$line" | awk -F= '{print $2}'`
      line=`printf "umask=%03d" $mask`
    fi

    # grep -x -F compares the whole line as a fixed string, so login=true is not
    # satisfied by rlogin=true and roles= is not satisfied by default_roles=
    if stanza "$user" | grep -x -F "$line" >/dev/null; then
      printf "\033[32m%s " "$line"  #Set for this user
    elif stanza default | grep -x -F "$line" >/dev/null; then
      printf "\033[37m%s " "$line"  #From the default stanza
    else
      printf "\033[33m%s " "$line"  #Unknown: AIX hard-coded default
    fi
  done
  printf "\033[0m\n"
else
  printf "\033[0m\n"
  printf "Specify user account or ALL\n"
fi
This script filters through the lsuser output and color codes what attributes are set for a user and which are being defaulted.

For example, if you run "./userattr surya" it shows this:


Anything in green is an attribute that has been explicitly set for this account. Anything in white is an attribute that is taking its default value. Anything in yellow (orange on some terminals) is unknown, i.e. it is set neither for the user nor in the default stanza; in these cases AIX applies a hard-coded default. So in this example we can see that most of the attributes for this user are defaulting, and that several, such as maxage and minother, have been set.

If you are going to change a default attribute and would like to know which accounts it will affect, run "./userattr -a maxage ALL". The "-a maxage" is passed through to lsuser, so the script shows only the maxage attribute for every user, and whether each user is taking the default or has the attribute set. Below is an example screenshot:


All of the users listed in white text are using the default and would all be affected if the default value were changed. The users in green text have had maxage set for them and would not be affected by a change to the default.

You can also run "./userattr ALL" to list the attributes of all users:
