Security user Can't change the groups.


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
Operating Systems AIX Security user Can't change the groups.
# 1  
Security user Can't change the groups.

Dears

Security users in AIX don’t have permission to change the group of the user thru Smitty Users

When they try to change the group of the users to any group they'll get permission denied

Security profile in Smitty :

[TOP] [Entry Fields]
User NAME...................................................securityuser
User ID.......................................................[205]
ADMINISTRATIVE USER?...............................false
Primary GROUP............................................[security]
Group SET..................................................[security,staff]
ADMINISTRATIVE GROUPS...........................[]
ROLES.......................................................[]
Another user can SU TO USER?......................true
SU GROUPS................................................[ALL]
HOME directory.......................................... [/home/securityuser]
Initial PROGRAM..........................................[/usr/bin/ksh]
User INFORMATION...................................[securityuser]
EXPIRATION date (MMDDhhmmyy)................[0]



Error message when security user try to change the group for any user !!

============================================================

Command: failed stdout: yes stderr: no

Before command completion, additional instructions may appear below.
3004-692 Error changing "groups" to "sys" : You do not have permission.

============================================================


We are on AIX 5.3

Dears

Can you please advice us in this regard and what's the solution of this issue ?

Last edited by ITHelper; 05-23-2009 at 12:11 PM..
ITHelper
# 2  
Try adding the group sys to Group Set.
# 3  
I tried .. but same problem !!
ITHelper
# 4  
I am not an expert at this so I am probably not the right person to help. Having said that I had to set up a user with the same rights as root. One of the things I had to do was set their User Id to 0 (zero) along with the groups that they can have access to. The problem I believe is that it will give them the same rights as root which may not be what you want. Good luck.
# 5  
For security reasons only root can use chown and chgrp. Else you could write a program with malicious code, chown/chgrp it to somebody else, maybe root or whoever and try to get it executed by those. So no chown/chgrp for normal users. I have no appropriate line from IBM at hand, but usually it is on many types of systems like this.

From Sun Admin documentation for example:
Quote:
Restrictions


On most systems, the use of the chown and chgrp commands is restricted for non-privileged users. If you are not the administrator of the system, you can not change user nor group ownerships for security reasons. If the usage of these commands would not be restricted, malicious users could assign ownership of files to other users and/or groups and change behavior of those users' environments and even cause damage to other users' files.
# 6  
If found this on IBM's site:
Code:
Only the root user can change the owner of a file. You can change the group of a file only if you are a root
 user or if you own the file. If you own the file but are not a root user, you can change the group only to a
 group of which you are a member.

# 7  
we are not talking about chown !!

Security User is manging users in AIX by smitty menu and he'll modify group of some exiting users from staff to System will group users to another groups but he is getting below error

=======================================

Command: failed stdout: yes stderr: no

Before command completion, additional instructions may appear below.
3004-692 Error changing "groups" to "sys" : You do not have permission.

=======================================

Security user should has full permission in this regard ?!!

issue is in permission of security Group there is no permission for security Group to change the group of the users ?!!

?

Last edited by ITHelper; 05-21-2009 at 05:54 PM..
ITHelper
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #922
Difficulty: Easy
Unix time can be extended backwards from the epoch using negative numbers.
True or False?

10 More Discussions You Might Find Interesting

1. HP-UX

Creating user groups that are persistent

Hi, I need to modify the user 'munfai' by adding it into groups bscs, oinstall, dba. I use this command as user root to add the user into the mentioned groups : # usermod -G bscs,oinstall,dba munfai I can thereafter see the id in the groups : # id munfai uid=258(munfai) gid=20(users)... (2 Replies)
Discussion started by: anaigini45
2 Replies

2. UNIX for Advanced & Expert Users

How to get User list from different groups and root?

Hi all, I want to list out users from different group and root, who are roaming in our group or root as a user. how can i list out this users ? (1 Reply)
Discussion started by: kpatel97
1 Replies

3. AIX

Nested user groups

Is there a command to nest a group in another group in AIX. (2 Replies)
Discussion started by: daveisme
2 Replies

4. UNIX for Dummies Questions & Answers

How to add user to multiple groups

hi all i am new to solaris how to add a user to multiple(secondary) groups. user :anna Groups : delhi ,mumbai,pune i need like this in cat /etc/group delhi::anna mumbai::anna pune::anna i tried using usermod -a -G hyd anna that does int work how to delete user from group... (3 Replies)
Discussion started by: kalyankalyan
3 Replies

5. AIX

user & groups

1 - what is the maximum no: of groups a user can be a part of ? 2 - what is maximum no: of users a group can contain ? (6 Replies)
Discussion started by: senmak
6 Replies

6. Solaris

Setting user groups

Hi......... I'm trying to set a group of users to login to do a required super-user tasks without knowing the super-user passwd. For example...a user popodude logs in as self with passwd..system accepts the password & then automatically asks for the super-user account passwd. My goal is... (1 Reply)
Discussion started by: Remi
1 Replies

7. UNIX for Advanced & Expert Users

How to remove UNIX user and groups

I created UNIX groups - oinstall, dba and UNIX user - oracle for the installation of Oracle 10g. But I might did something incorrectly. Oracle user account didn't created properly. How to remove these UNIX groups and user so that I can start over again to create them properly. Thanks. (7 Replies)
Discussion started by: duke0001
7 Replies

8. UNIX for Dummies Questions & Answers

User groups

Hi I have a user zak and 4 groups:- oracle stats data archive I want user zak to be part of the oracle and stats group but not be able to view,list anything in data and archive. Also anyone in the data and archive group should not be able to view,list anything in oracle and stats....... (3 Replies)
Discussion started by: Zak
3 Replies

9. UNIX for Dummies Questions & Answers

Adding user to groups

How do I add a user to a group? And how do I determine the list of groups to add a user? Solaris 10 newbie (1 Reply)
Discussion started by: peteythapitbull
1 Replies

10. UNIX for Dummies Questions & Answers

dynamic user groups

Is it possible to dynamically allocate a new user group to an existing session on Solaris 5.8 I'd like to be able to allow certain users to access a set of scripts for the life of session (preferably there own session not a specific login created for the purpose) by dynamically giving the session... (0 Replies)
Discussion started by: hammer
0 Replies

Featured Tech Videos