|
|
Home | Switchboard | Unix Administration | Red Hat | TCP/IP Networks | Neoliberalism | Toxic Managers |
| (slightly skeptical) Educational society promoting "Back to basics" movement against IT overcomplexity and bastardization of classic Unix | |||||||
|
|
There are three ways to administer users and groups in AIX
|
|
Before going into the commands to create, modify, and maintain users and groups in AIX, it is important that you know what is happening behind the scenes. For example, you should understand the files and what they mean.
Look at the some of the files that affect the user itself:
The file /etc/passwd contains the basics of a user and is probably the best-known file to UNIX® and Linux® users for user administration.
root:!:0:0::/:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: uucp:!:5:5::/usr/lib/uucp: guest:!:100:100::/home/guest: nobody:!:4294967294:4294967294::/: lpd:!:9:4294967294::/: lp:*:11:11::/var/spool/lp:/bin/false invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh esaadmin:*:10:0::/var/esa:/usr/bin/ksh sshd:*:206:201::/var/empty:/usr/bin/ksh atc:!:8000:400:Adam Cormany,Sr UNIX Admin:/home/atc:/bin/ksh amdc:!:8001:401:AMDC:/home/amdc:/bin/ksh pac:!:8002:400:PAC,Jr UNIX Admin:/home/pac:/bin/ksh atc2:!:8003:402:ATCv2:/home/atc2:/bin/kshAs you can see, the file is colon (
:) delimited, and each entry contains
seven fields in the following format (with spaces added before and after delimiter
to ease reading):
Username : Password Flag : UID : GID : GECOS : Home : Shell/CommandHere's the line-by-line breakdown:
! or *. If the ! is displayed,
a password has been set for the user. If no password has been set, *
appears. The passwords themselves are stored in /etc/security/passwd. The file /etc/security/.profile can really save you some valuable time and ease
frustration. When you create a user using the mkuser command, the script
/usr/lib/security/mkuser.sys is executed. This script creates the user's directory,
sets the correct permissions, and "creates" the user's .profile. The mkuser.sys
script actually copies the /etc/security/.profile file into the user's new home
directory.
If you are building a new system, or maybe a new division of 100 people needs accounts on a system, make sure you make your changes to the /etc/security/.profile file before creating all the users' accounts. If you create the accounts and then realize that you need to make a simple change in a variable or modify another setting, you're going to have to manually make the change to everyone's profile. It could be scripted out easily, but life would have been much simpler if you would have just changed the /etc/security/.profile.
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:. export PATH if [ -s "$MAIL" ] # This is at Shell startup. In normal then echo "$MAILMSG" # operation, the Shell checks fi # periodically.
The /etc/security/limits file contains all the ulimits, or users'
system resource limitations. The fields in the /etc/security/limits file:
| Soft limit | Hard limit | Description |
|---|---|---|
fsize |
fsize_hard |
Size of file a user can create |
core |
core_hard |
Size of core file a user can create |
cpu |
cpu_hard |
The amount of system time allowed |
data |
data_hard |
Size of the process data segment |
stack |
stack_hard |
Size of the process stack segment |
rss |
rss_hard |
Physical memory allowed |
nofiles |
nofiles_hard |
Number of open file descriptors at one time |
nproc |
nproc_hard |
Number of running processes at one time |
What's the difference between soft and hard limits? A soft limit is a value that a user or application can change on the fly up to the maximum (the hard limit). The hard limit is just that -- the maximum value a parameter can be set to. If setting the parameter to a numeric value is too difficult (for example, if a developer has no idea how much memory his or her program is going to take or the number of files it will need to open), you can set the parameter to -1, which translates to unlimited.
It isn't imperative that you set individual ulimits for each and
every user, however. The /etc/security/limits file contains a section called
default that defines a template of standard values for each user unless
that user has set custom values. If the default section doesn't exist,
IBM kindly set predetermined limits just in case.
The IBM default values are:
* Attribute Value * ========== ============ * fsize_hard set to fsize * cpu_hard set to cpu * core_hard -1 * data_hard -1 * stack_hard 8388608 * rss_hard -1 * nofiles_hard -1 |
default: fsize = 4194303 core = 16384 cpu = -1 data = 262144 rss = 65536 stack = 65536 pac: fsize = 131072 fsize_hard = 262144 core = 262144
Considering that user "pac" is a junior UNIX administrator, his fsize
soft value was reduced from the default section's 4,194,303 to 131,072;
however, you were nice enough to allow the user to increase his value to 262,144,
if needed. Also, pac is notorious for finding ways to break his own programs. As
a result, you've increased his core ulimit to 262,144.
The /etc/security/passwd file contains the AIX user's password information. The file contains three fields per user:
Note: If this field contains only an asterisk (*), the
account is locked until a password has been set.
su. Listing 4 provides an example of a /etc/security/password file.
amdc: password = oBQaUkPkUryCY lastupdate = 1243972006 flags = ADMCHG |
In this example, user "amdc" has a password that was set on Tue. Jun. 2
15:46:46 EDT 2009. The next time the user logs in or sus to amdc, he
or she will be prompted to change the password.
To convert the seconds from epoch to timestamp you can use Perl one-kliner:
# perl -e 'use POSIX; print strftime("%c\n", localtime(1243972006));'
Tue Jun 2 15:46:46 EDT 2009
Now you're getting into the meat of AIX user administration. The /etc/security/user
file contains the most important settings, outside of the basics in /etc/passwd,
for a user:
| Parameter | Format | Description |
|---|---|---|
account_locked |
TRUE | FALSE | Lock out the account; the user is unable to log in if set to True. |
admin |
TRUE | FALSE | If True, the user has administrative rights. |
expires |
MMDDHHYY | If the date has been reached, the account has expired and is locked. |
histexpire |
0-260 | Number of weeks the user can't reuse a password. |
histsize |
0-50 | Number of passwords previously used that can't be reused. |
login |
TRUE | FALSE | User can log in if True. |
maxage |
0-52 | Number of weeks a password is valid. |
minage |
0-52 | Number of weeks a user must wait before changing his or her password. |
rlogin |
TRUE | FALSE | The account can be accessed remotely if set to True. |
su |
TRUE | FALSE | Others can use su to access this account if set to True.
|
For a full listing of all parameters, look in your AIX system under /etc/security/user,
or see
AIX Information Center. Like /etc/security/limits, a default section
sets all the fields if not specified by the individual account.
/usr/lib/security/mkuser.default
The /usr/lib/security/mkuser.default file contains values used when creating
a new AIX user through mkuser.
user: pgrp = staff groups = staff shell = /usr/bin/ksh home = /home/$USER admin: pgrp = system groups = system shell = /usr/bin/ksh home = /home/$USER
More parameters can be defined in this file. To view the full list, look at
man chuser.
AIX user and group administration by Adam Cormany
getconf: See IBM's man page for the getconf command.
chuser
command.
Society
Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers : Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism : The Iron Law of Oligarchy : Libertarian Philosophy
Quotes
War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda : SE quotes : Language Design and Programming Quotes : Random IT-related quotes : Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce : Bernard Shaw : Mark Twain Quotes
Bulletin:
Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 : Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law
History:
Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds : Larry Wall : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS : Programming Languages History : PL/1 : Simula 67 : C : History of GCC development : Scripting Languages : Perl history : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history
Classic books:
The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month : How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite
Most popular humor pages:
Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor
The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.
This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...
|
|
You can use PayPal to to buy a cup of coffee for authors of this site |
Disclaimer:
The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.
Last modified: March 12, 2019
