
Security and user administration: Part one

© Copyright IBM Corporation 2009, 2013. All Rights Reserved.


US Government Users Restricted Rights - Use duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp 8.1
Unit objectives

After completing this unit, you should be able to:

• Define the concepts of users and groups, and explain how and when these should be allocated on the system
• Describe ways of controlling root access on the system
• Explain the uses of SUID, SGID, and SVTX permission bits
• Administer user accounts and groups
Security and user concepts

After completing this topic, you should be able to:

• Understand user accounts and groups
• Describe the role of RBAC
• Understand and apply file permissions
– Including the role of the umask parameter
• Change file ownership and group assignment
User accounts

• Each user has a unique name, numeric ID, and password.
• File ownership is determined by a numeric user ID.
• The owner is usually the user who created the file, but ownership can be transferred by root.
• Default users:
– root: superuser
– adm, sys, bin, ...: IDs that own system files but cannot be used for login

# id
uid=0(root) gid=0(system) groups=2(bin),3(sys),7(security),8(cron),10(audit),11(lp)
Controlling access to the root account

• root's password:
– Guard it carefully
– Use non-trivial passwords
– Change it on an unannounced schedule
• Assign different root passwords to different machines.
• Always log in as an ordinary user first and then su to root instead of logging in as root.
– This leaves an audit trail in /var/adm/sulog (who switched to root, from which terminal, and whether the attempt succeeded).
– Enforce use of the su method to obtain root authority by disabling direct root login and restricting who may su to root:

# chuser login=false su=true sugroup=system root

(login=false blocks direct login as root, su=true allows other users to su to root, and sugroup=system limits that to members of the system group. Remote logins by telnet or rlogin are governed by the separate rlogin attribute, so set rlogin=false as well if root must never log in directly.)
• Do not include unsecured directories (group- or world-writable directories, or relative entries such as ".") in root's PATH.
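The following is an added example and not part of the IBM course material. It implements two checks for the guidance on this slide: insecure_path_entries flags PATH components that would let a non-root user plant a trojan command in root's search path (relative or empty entries, missing directories, and directories writable by group or others), and parse_sulog plus failed_su_to_root read /var/adm/sulog lines and report users with repeated failed su attempts to root. The sulog line layout assumed here (SU MM/DD HH:MM +|- tty from-to) is the classic System V format and is an assumption, not taken from the slide; the log lines in the block are constructed.

```python
"""Added example (not from the IBM course material): two checks for the
root-access guidance on this slide.

insecure_path_entries flags PATH components that would let a non-root
user plant a trojan command in root's search path. parse_sulog and
failed_su_to_root read /var/adm/sulog lines and report users with
repeated failed su attempts to root. The sulog line layout assumed here
(SU MM/DD HH:MM +|- tty from-to) is the classic System V format and is
an assumption, not taken from the slide; SAMPLE_SULOG is constructed.
"""
import os
import stat
import tempfile
from collections import Counter

# constructed sample of /var/adm/sulog content (assumed System V layout)
SAMPLE_SULOG = """\
SU 02/01 09:14 + pts/0 alex-root
SU 02/01 09:20 - pts/1 tyrone-root
SU 02/01 09:21 - pts/1 tyrone-root
SU 02/01 09:22 - pts/1 tyrone-root
SU 02/01 10:02 + pts/2 alex-tyrone
"""


def insecure_path_entries(path_value: str):
    """Return [(entry, reason)] for PATH components that are unsafe for root."""
    findings = []
    for entry in path_value.split(":"):
        if not entry.startswith("/"):
            # "" and "." both mean "the current directory, whatever it is"
            findings.append((entry, "relative entry"))
            continue
        try:
            st = os.stat(entry)
        except OSError:
            findings.append((entry, "missing (could be created by someone else)"))
            continue
        if not stat.S_ISDIR(st.st_mode):
            findings.append((entry, "not a directory"))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            # the sticky bit stops deletion of others' files, not creation of new ones
            findings.append((entry, "group/world-writable"))
    return findings


def parse_sulog(text: str):
    """Parse sulog lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[0] != "SU" or parts[3] not in ("+", "-"):
            continue
        _, date, time, result, tty, pair = parts
        src, _, dst = pair.rpartition("-")
        events.append({"date": date, "time": time, "ok": result == "+",
                       "tty": tty, "from": src, "to": dst})
    return events


def failed_su_to_root(events, threshold: int = 3):
    """Users with at least `threshold` failed su attempts to root."""
    counts = Counter(e["from"] for e in events if e["to"] == "root" and not e["ok"])
    return sorted(user for user, n in counts.items() if n >= threshold)


def demo_path_audit():
    """Build one safe and one /tmp-like directory and audit a PATH with both."""
    with tempfile.TemporaryDirectory() as top:
        safe = os.path.join(top, "bin")
        unsafe = os.path.join(top, "shared")
        os.mkdir(safe, 0o755)
        os.mkdir(unsafe)
        os.chmod(unsafe, 0o1777)   # sticky like /tmp, but anyone can add files
        return insecure_path_entries(f"{safe}:{unsafe}:.:")


if __name__ == "__main__":
    for entry, reason in demo_path_audit():
        print(f"PATH entry {entry!r}: {reason}")
    print("repeated failed su to root:", failed_su_to_root(parse_sulog(SAMPLE_SULOG)))
```

Run it as root against the real values (`insecure_path_entries(os.environ["PATH"])` from root's shell, and the contents of /var/adm/sulog) to audit a live system; the demo function only exercises the logic on a temporary directory tree.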
Groups

• A group is a set of users who need access to a set of files.
• Group membership is commonly used to delegate system administration authority.
• Every user is a member of at least one group and can be a member of several groups (a groupset).
• The user has access to a file if any group in the user's groupset provides access.
– To list the groupset, use the groups command.
• The user's real group ID is used for file ownership on creation.
– To change the real group ID, use the newgrp command.
• Default groups are:
– System administrators: system
– Ordinary users: staff
System defined groups

Group                                            Rights
system, security, printq, adm, audit, shutdown   Rights to administrative functions
staff                                            Ordinary users
Role based access control

• Very granular delegation of system administration tasks
• Authorizations to run privileged commands are assigned to roles
– For example, the SysBoot role authorizes executing shutdown
• Roles, such as SysBoot, are assigned to users
– Step 1: authorizations are collected into roles; step 2: roles are assigned to users
• Domain RBAC
– Controls which objects a role may administer (for example, the intranet, management, and Internet network interfaces can be placed in separate domains so that a role manages only one of them)
File/directory permissions

Perm. bit   File                                        Directory
r           Read content of file                        List content of directory
w           Modify content of file                      Create and remove files in directory
x           Use file name to execute as a command       Give access to (search) the directory
SUID        Run program with effective UID of owner     --------
SGID        Run program with effective GID of group     Files created in directory inherit the same group as the directory
SVTX        --------                                    Must be owner of a file to delete it from the directory
Reading permissions

         owner   group   other
         r w x   r w x   r w x
             s       s       t     SUID, SGID, and sticky bit, shown in place of x when x is also set
             S       S       T     the same bits when x is not set (an upper-case S on a program is almost always a mistake)

# ls -ld /usr/bin/passwd /usr/bin/crontab /tmp
-r-sr-xr-x  root  security  ...  /usr/bin/passwd
-r-sr-sr-x  root  cron      ...  /usr/bin/crontab
drwxrwxrwt  bin   bin       ...  /tmp
Changing permissions

   SUID SGID SVTX     owner    group    other
     4    2    1      r w x    r w x    r w x
                      4 2 1    4 2 1    4 2 1

# chmod 4777 file1     SUID
# chmod 2777 file1     SGID
# chmod 1777 dir1      SVTX
OR
# chmod u+s file1      SUID
# chmod g+s file1      SGID
# chmod +t dir1        SVTX
umask

• The umask governs permissions on new files and directories.
• System default umask is 022.
• The mask is applied bitwise (creation default AND NOT umask), not by subtracting digits; the creation default is 666 for files and 777 for directories. The distinction matters when a mask digit exceeds the default digit: umask 037 on a file also yields 640.
• 022 calculation:
             Files        Directories
  default    666          777
  umask      022          022
  result     644          755
             rw-r--r--    rwxr-xr-x

• A umask of 027 is recommended: it removes all permissions for "others".
• 027 calculation:
             Files        Directories
  default    666          777
  umask      027          027
  result     640          750
             rw-r-----    rwxr-x---

• /etc/security/user specifies default and individual user umask values.
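The following is an added example and not part of the IBM course material. It covers the permission bits and the umask arithmetic of the preceding slides: mode_to_ls renders an octal mode the way ls -l shows it, including the s/S and t/T forms; apply_umask applies a umask bitwise to the 666/777 creation defaults; observe_creation_modes creates a file and a directory under a given umask in a temporary directory and returns the modes the kernel actually assigned, so the arithmetic is verified rather than trusted.

```python
"""Added example (not from the IBM course material): permission modes and
umask arithmetic, checked against real files in a temporary directory.
"""
import os
import stat
import tempfile

# (read, write, execute, special) bit masks and the letter ls uses for the
# special bit, for the owner, group and other triplets in that order.
_TRIPLETS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_ISUID, "s"),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP, stat.S_ISGID, "s"),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH, stat.S_ISVTX, "t"),
)


def mode_to_ls(mode: int, is_dir: bool = False) -> str:
    """Render the 12 permission bits of `mode` as ls -l shows them."""
    out = "d" if is_dir else "-"
    for rbit, wbit, xbit, special, letter in _TRIPLETS:
        out += "r" if mode & rbit else "-"
        out += "w" if mode & wbit else "-"
        if mode & special:
            # lower case when x is also set, upper case (S/T) when it is not
            out += letter if mode & xbit else letter.upper()
        else:
            out += "x" if mode & xbit else "-"
    return out


def apply_umask(umask: int, is_dir: bool) -> int:
    """Creation mode = default AND NOT umask (bitwise, not a subtraction)."""
    default = 0o777 if is_dir else 0o666
    return default & ~umask & 0o777


def observe_creation_modes(umask: int):
    """Return (file_mode, dir_mode) the kernel actually assigns under `umask`."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as top:
            fpath = os.path.join(top, "newfile")
            dpath = os.path.join(top, "newdir")
            open(fpath, "w").close()       # requested mode 666
            os.mkdir(dpath)                # requested mode 777
            return (stat.S_IMODE(os.stat(fpath).st_mode),
                    stat.S_IMODE(os.stat(dpath).st_mode))
    finally:
        os.umask(previous)                 # restore the caller's umask


if __name__ == "__main__":
    for m in (0o6754, 0o4644, 0o644):
        print(f"{m:04o} -> {mode_to_ls(m)}")
    print(f"1777 (dir) -> {mode_to_ls(0o1777, is_dir=True)}")
    for um in (0o022, 0o027, 0o037):
        calc = (apply_umask(um, False), apply_umask(um, True))
        seen = observe_creation_modes(um)
        print(f"umask {um:03o}: computed {calc[0]:03o}/{calc[1]:03o}, "
              f"observed {seen[0]:03o}/{seen[1]:03o}")
```

The observed modes assume no default ACL on the temporary directory; a default ACL would override the umask for new entries, which is another reason to verify with a real file rather than compute on paper.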
Changing ownerships and groups

The chown command:
# chown fred file1

The chgrp command:
# chgrp staff file1

Changing both user and group ownership:
# chown fred:staff file1
-- OR --
# chown fred.staff file1
Security policy and setup

• Identify the different types of users and what data they will need to access.
– Consider using enhanced RBAC roles to perform system administration tasks (as opposed to using root).
• Organize groups around the type of work that is to be done.
• Organize ownership of data to fit with the group structure.
• Set SVTX on shared directories.
• Security policy and implementation design should be formally documented.
Topic summary

Having completed this topic, you should be able to:

• Understand user accounts and groups
• Describe the role of RBAC
• Understand and apply file permissions
– Including the role of the umask attribute
• Change file ownership and group assignment
User and group administration

After completing this topic, you should be able to:

• Understand how security commands are used to manage security files
• Add, list, change, and delete users and groups
• Set and change passwords
– Recover root password if lost or forgotten
• Identify files that hold user and group definitions
Security files and security commands

• Many different commands can modify a security file.
– mkuser, chuser, chsec, and vi can all modify /etc/security/user.
• A single command can result in an update to several files.
– mkuser, chuser, and rmuser update /etc/passwd, /etc/security/passwd, /etc/security/user, and /etc/security/limits.
• Best practice: Avoid directly editing files.
• Use high level management commands (or SMIT).
Validating the user environment

• pwdck verifies the validity of local authentication information:
– pwdck {-n|-p|-t|-y} {ALL | username}
– Verifies consistency between /etc/passwd, /etc/security/passwd, and /etc/security/user

• usrck verifies the validity of a user definition:
– usrck {-l|-b|-n|-p|-t|-y} {ALL | username}
– Checks consistency between /etc/passwd, /etc/security/user, /etc/security/limits, and /etc/security/passwd
– Reasonability checks on attribute values
– Option -l will identify problems that would block a user's access

• grpck verifies the validity of a group:
– grpck {-n|-p|-t|-y} {ALL | groupname}
– Verifies that the files /etc/passwd, /etc/security/user, /etc/group, and /etc/security/group are consistent

• The common options mean the same for all three commands: -n reports errors without fixing them, -p fixes errors without reporting them, -t reports each error and asks whether to fix it, and -y fixes errors and reports them. Start with -n on ALL before letting the command change anything.
chsec, lssec, and stanza format security files

File name:        /etc/security/user
Stanza name:      default:
                      admin = false
                      login = true
Attribute name:       umask = 022

                  root:
                      login = true

Syntax:
chsec -f filename -s stanza_name -a attribute_name=value
lssec -f filename -s stanza_name -a attribute_name
Example:
# lssec -f /etc/security/user -s default -a umask
default umask=22
# chsec -f /etc/security/user -s default -a umask=027

Note that an attribute set in a user's own stanza overrides the default stanza, so changing the default does not affect users whose stanza already sets that attribute; check them individually with lssec -s username.
User and group administration hierarchy

• Some users and groups are set as administrative.
– admin=true: Attribute in the user's /etc/security/user stanza (ADMINISTRATIVE USER? in SMIT)
– flags=ADMIN: Attribute in the user's /etc/security/passwd stanza (only root can change the password)
– admin=true: Attribute in the group's /etc/security/group stanza
• Default primary group of an admin user is "system" (GID 0).
• UID and GID default values:
– Standard users and groups have high values (> 200)
– Administrative users and groups have low values
• Only root can add, remove, or change an admin user or admin group.
– root administers admin users and groups; root or a member of the security group administers standard users and groups.
Security & Users

# smit security

  Security & Users

  Move cursor to desired item and press Enter.

    Users
    Groups
    Passwords
    Login Controls
    PKI
    LDAP
    Role Based Access Control (RBAC)
    Trusted Execution
SMIT users

# smit users

  Users

  Move cursor to desired item and press Enter.

    Add a User
    Change a User's Password
    Change / Show Characteristics of a User
    Lock / Unlock a User's Account
    Reset User's Failed Login Count
    Remove a User
    List All Users
Listing users

The lsuser command:

lsuser [-c | -f] [-a attribute ...] {ALL | username ...}

Example:
# lsuser -a id home ALL
root id=0 home=/
daemon id=1 home=/etc
bin id=2 home=/bin
sys id=3 home=/usr/sys
adm id=4 home=/var/adm
uucp id=5 home=/usr/lib/uucp
guest id=100 home=/home/guest
alex id=333 home=/home/alex
Add or change a user

# smit mkuser             or             # mkuser id=333 alex

  Add a User

  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.

  [TOP]                                        [Entry Fields]
  * User NAME                                  [alex]
    User ID                                    [333]        #
    ADMINISTRATIVE USER?                       false        +
    Primary GROUP                              []           +
    Group SET                                  []           +
    ADMINISTRATIVE GROUPS                      []           +
    ROLES                                      []           +
    Another user can SU TO USER?               true         +
    SU GROUPS                                  [ALL]        +
    HOME directory                             []
    Initial PROGRAM                            []
    ...

# smit chuser             or             # chuser groups='staff,security' alex
Assign a password

• root or members of the security group can assign or change the password of another user.
– A new user ID is blocked until an initial password is assigned.
– If a user forgets the password, a new password can be set.
– The user is prompted to change the password at first login (the ADMCHG flag in /etc/security/passwd).

# pwdadm <username>        root or security group
OR
# passwd [username]        root only (when setting another user's password)
OR
# smit passwd              root or security group

• To avoid the prompt to change the password at first login (clears the ADMCHG flag):
# pwdadm -c <username>
Regaining root's password

1. Boot from optical media, NIM, or a bootable tape.
2. Select Access a Root Volume Group from the Maintenance menu.

  Maintenance

  >>> 1 Access a Root Volume Group
      2 Copy a System Dump to Removable Media
      3 Access Advanced Maintenance Functions
      4 Erase Disks

3. Follow the options to activate the root volume group and obtain a shell.
4. Once a shell is available, execute the passwd command to change root's password.
5. Enter the following command:
# sync ; sync
6. Reboot the system.

Because this procedure needs nothing more than console access and bootable media, anyone who has both owns the machine: restrict physical and HMC/console access, and control who can change the boot list, as carefully as the root password itself.
/etc/passwd file

Format: name:password:UID:primaryGID:GECOS:HomeDirectory:Shell
# cat /etc/passwd
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
sshd:*:202:201::/var/empty:/usr/bin/ksh
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh

! = password is set in /etc/security/passwd
* = no password set (the account cannot log in with a password)
/etc/security/passwd file

# cat /etc/security/passwd
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

daemon:
        password = *

bin:
        password = *

alex:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =

tyrone:
        password = RWWoFp5iuL.JI
        lastupdate = 1225381903
        flags = ADMCHG,ADMIN,NOCHECK

The password value is the hash (the 13-character values shown are traditional crypt hashes), lastupdate is the time of the last change in seconds since the epoch, and flags holds ADMCHG (the password was set by an administrator and must be changed at next login), ADMIN (only root can change it), and NOCHECK (password restrictions are not enforced). The file is readable by root only; an empty password value means the account can log in without a password.
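The following is an added example and not part of the IBM course material. It parses the stanza format shared by /etc/security/user, /etc/security/passwd, and /etc/security/group, shows the per-user-over-default lookup that lssec performs (from the chsec/lssec slide), and runs a pwdck-style consistency pass between /etc/passwd and /etc/security/passwd. The file contents in the block are constructed copies modelled on the slides (the hash strings are the ones printed there, not live credentials); the user "ghost" and the empty "guest" password were added so that the checker has something to find.

```python
"""Added example (not from the IBM course material): stanza-file parser,
lssec-style attribute lookup, and a pwdck-style cross-check between
constructed copies of /etc/passwd and /etc/security/passwd.
"""
import re

SAMPLE_SECURITY_USER = """\
* comment lines in stanza files start with an asterisk
default:
        admin = false
        login = true
        umask = 022

root:
        login = true

alex:
        umask = 027
"""

SAMPLE_PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
guest:!:100:100::/home/guest:
alex:!:333:1::/home/alex:/usr/bin/ksh
tyrone:!:204:1::/home/tyrone:/usr/bin/ksh
ted:*:205:1::/home/ted:/usr/bin/ksh
ghost:!:206:1::/home/ghost:/usr/bin/ksh
"""

SAMPLE_SECURITY_PASSWD = """\
root:
        password = etNKvWlXX5EFk
        lastupdate = 1145381446
        flags =

daemon:
        password = *

guest:
        password =

alex:
        password = XAkhucsiyVwAA
        lastupdate = 1225381869
        flags =

tyrone:
        password = RWWoFp5iuL.JI
        lastupdate = 1225381903
        flags = ADMCHG,ADMIN,NOCHECK
"""

_STANZA_HEADER = re.compile(r"^(\S+):\s*$")


def parse_stanzas(text: str) -> dict:
    """Return {stanza_name: {attribute: value}} for a stanza-format file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("*"):
            continue                                   # blank or comment
        header = _STANZA_HEADER.match(raw)
        if header:
            current = header.group(1)
            stanzas[current] = {}
            continue
        if current is None or "=" not in raw:
            raise ValueError(f"attribute line outside a stanza: {raw!r}")
        key, _, value = raw.partition("=")
        stanzas[current][key.strip()] = value.strip()  # "flags =" -> ""
    return stanzas


def effective_attr(stanzas: dict, user: str, attr: str):
    """What lssec reports: the user's own stanza overrides the default stanza."""
    return stanzas.get(user, {}).get(attr, stanzas.get("default", {}).get(attr))


def parse_passwd(text: str) -> dict:
    """Return {name: fields} from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, pw, uid, gid, _gecos, home, shell = line.split(":")
            users[name] = {"pw": pw, "uid": int(uid), "gid": int(gid),
                           "home": home, "shell": shell}
    return users


def password_findings(passwd: dict, secpasswd: dict):
    """pwdck-style cross-check; returns [(user, problem)]."""
    findings = []
    for name, u in passwd.items():
        stanza = secpasswd.get(name)
        if u["pw"] == "!":                 # hash lives in /etc/security/passwd
            if stanza is None:
                findings.append((name, "'!' in /etc/passwd but no stanza in /etc/security/passwd"))
            elif stanza.get("password", "") == "":
                findings.append((name, "empty password: login needs no password"))
        elif u["pw"] != "*":               # '*' = no password, cannot log in with one
            findings.append((name, "password field is neither '!' nor '*'"))
        flags = {f for f in (stanza or {}).get("flags", "").replace(" ", "").split(",") if f}
        if "NOCHECK" in flags:
            findings.append((name, "NOCHECK: password restrictions are not enforced"))
    for name in secpasswd:
        if name not in passwd:
            findings.append((name, "stanza has no /etc/passwd entry"))
    return findings


if __name__ == "__main__":
    users = parse_stanzas(SAMPLE_SECURITY_USER)
    print("alex umask:", effective_attr(users, "alex", "umask"))
    for user, problem in password_findings(parse_passwd(SAMPLE_PASSWD),
                                           parse_stanzas(SAMPLE_SECURITY_PASSWD)):
        print(f"{user}: {problem}")
```

On a real system the same functions can be fed the live files (reading /etc/security/passwd requires root); the point of the cross-check is the one pwdck makes, that the two files are only meaningful together.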
SMIT groups

# smit groups

  Groups

  Move cursor to desired item and press Enter.

    List All Groups
    Add a Group
    Change / Show Characteristics of a Group
    Remove a Group
Listing groups

The lsgroup command:

lsgroup [-c | -f] [-a attribute ...] {ALL | groupname ...}

Example:
# lsgroup -f -a id users ALL
system:
        id=0
        users=root,esaadmin,pconsole

staff:
        id=1
        users=ipsec,ted,sshd,alex,local,tyrone,daemon

bin:
        id=2
        users=root,bin
...
Add or change a group

# smit mkgroup             or             # mkgroup id=101 users=alex,tyrone techies

  Add a Group

  Type or select values in entry fields.
  Press Enter AFTER making all desired changes.

                                               [Entry Fields]
  * Group NAME                                 [techies]
    ADMINISTRATIVE group?                      false        +
    Group ID                                   [101]        #
    USER list                                  [alex,tyrone]  +
    ADMINISTRATOR list                         []           +
    Projects                                   []           +
    Initial Keystore Mode                      []           +
    Keystore Encryption Algorithm              []           +
    Keystore Access                            []           +

# smit chgroup             or             # chgroup users=tyrone techies
Group files

# cat /etc/group
system:!:0:root,esaadmin,pconsole
staff:!:1:ipsec,sshd,alex,tyrone,ted
bin:!:2:root,bin
sys:!:3:root,bin,sys
adm:!:4:bin,adm
uucp:!:5:nuucp,uucp
...

# cat /etc/security/group
system:
        admin = true

staff:
        admin = false

bin:
        admin = true

...

techies:
        admin = false
        adms = alex
Remove a user or group from the system

• Use the rmuser command or SMIT to delete a user from the system.
# rmuser -p user01
– The -p flag also removes the user's password and other authentication information from /etc/security/passwd; without it the stanza is left behind.

• Use the rmgroup command or SMIT to delete a group from the system.
# rmgroup finance
Files owned by removed user or group

• Best handled prior to removing the user or group. Once the account is gone, ls shows only the bare numeric ID, and a later account that happens to be assigned the same UID silently inherits the files:
# ls -l
-r-xr-xr-x 1 207 system 26732 Feb 1 01:10 file54
• Home directory
– Move needed files
– Remove the home directory
# rm -R /home/user01
• Other files
– Use find to locate files
# find / -group <GID or groupname>
# find / -user <UID or username>
– Change user or group ownership
# chown
# chgrp
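The following is an added example and not part of the IBM course material. It does in one directory walk what the two find commands on this slide do, and reports every file or directory whose numeric owner or group is not among the defined UIDs/GIDs (what ls -l shows as a bare number such as 207). The ID tables are passed in as sets so the check can run against a constructed passwd table rather than the live system; the demo builds a small home tree and pretends its owner has just been removed. Reassigning ownership needs root and is left to the administrator.

```python
"""Added example (not from the IBM course material): find files whose
owner or group no longer maps to a defined user or group, as a single
walk instead of separate `find / -user` and `find / -group` passes.
"""
import os
import tempfile


def orphaned_entries(top: str, known_uids: set, known_gids: set):
    """Return [(path, uid, gid, reason)] for entries with an undefined owner or group."""
    orphans = []
    for dirpath, dirnames, filenames in os.walk(top):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: report the link itself
            except OSError:
                continue                     # vanished or unreadable: skip
            reasons = []
            if st.st_uid not in known_uids:
                reasons.append(f"uid {st.st_uid} not defined")
            if st.st_gid not in known_gids:
                reasons.append(f"gid {st.st_gid} not defined")
            if reasons:
                orphans.append((path, st.st_uid, st.st_gid, "; ".join(reasons)))
    return orphans


def demo_after_rmuser():
    """Constructed scenario: a /home tree whose owner (the current user) has
    just been removed, so its UID is absent from the passwd table, while the
    group still exists."""
    with tempfile.TemporaryDirectory() as top:
        home = os.path.join(top, "home", "user01")
        os.makedirs(home)
        open(os.path.join(home, "file54"), "w").close()
        me = os.getuid()
        known_uids = set(range(6)) - {me}            # system IDs only; user01 is gone
        known_gids = set(range(6)) | {os.getgid(), os.stat(top).st_gid}
        return orphaned_entries(top, known_uids, known_gids)


if __name__ == "__main__":
    for path, uid, gid, reason in demo_after_rmuser():
        print(f"{uid:>6} {gid:>6} {reason:<22} {path}")
```

To run it against a real system, build known_uids and known_gids from /etc/passwd and /etc/group (for example from the parse_passwd output of the earlier stanza example, or from pwd.getpwall() and grp.getgrall()) and walk from / with the same function.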
Topic summary

Having completed this topic, you should be able to:

• Understand how security commands are used to manage security files
• Add, list, change, and delete users and groups
• Set and change passwords
– Recover root password if lost or forgotten
• Identify files that hold user and group definitions
Checkpoint (1 of 2)

1. If the following command was run, what would the file permissions be for file1: chmod 6754 file1

2. A binary executable with the SUID flag set is owned by user root. User michael executes the binary. The executable runs under which user, root or michael?

3. A shared directory is created on the system. What flag must be set to ensure only the owner of the files can delete them?

4. Why is a umask of 027 recommended?
Checkpoint solutions (1 of 2)

1. If the following command was run, what would the file permissions be for file1: chmod 6754 file1
The answer is -rwsr-sr-- (owner rwx with SUID, group r-x with SGID, other r--; the 6 sets both SUID and SGID, and because the owner and group x bits are set they show as lower-case s).

2. A binary executable with the SUID flag set is owned by user root. User michael executes the binary. The executable runs under which user, root or michael?
The answer is root.

3. A shared directory is created on the system. What flag must be set to ensure only the owner of the files can delete them?
The answer is SVTX, the sticky bit.

4. Why is a umask of 027 recommended?
The answer is that this value removes all permission bits for the "others" category, which enhances security.
Checkpoint (2 of 2)

5. What is the difference between the commands pwdadm and passwd?

6. Which command can be used to change the default attributes for users?

7. True or False: When you delete a user from the system, all the user's files and directories are also deleted.
Checkpoint solutions (2 of 2)

5. What is the difference between the commands pwdadm and passwd?
The answer is that a member of the security group can use pwdadm to reset a different user's password, but only root can use passwd for this purpose.

6. Which command can be used to change the default attributes for users?
The answer is chsec -f /etc/security/user -s default -a attribute=value.

7. True or False: When you delete a user from the system, all the user's files and directories are also deleted.
The answer is false.
Exercise

Security and user administration: Part one
Unit summary

Having completed this unit, you should be able to:

• Define the concepts of users and groups, and explain how and when these should be allocated on the system
• Describe ways of controlling root access on the system
• Explain the uses of SUID, SGID, and SVTX permission bits
• Administer user accounts and groups