Privileges User ((Please urgent))
# 1  
Old 02-24-2008
Privileges User ((Please urgent))

Hi,

I created a new user on AIX 5.2, but the user has root user privileges.

Why does the user have root user privileges, although the user's specification is not the same as the root user's specification???

Please help me ...
# 2  
Old 02-24-2008
With which command or procedure do you create the users? What exactly is the output of this command or script? Please provide an excerpt of /etc/passwd with the line(s) representing the users you have created so far.

Finally, if you could provide the output of the command "lsuser <username>" for one or several of the users you created it would help.

bakunin
# 3  
Old 02-24-2008
Quote:
Originally Posted by bakunin
...
I created the user with smitty, but the user has admin user privileges :(

although ADMINISTRATIVE USER is FALSE and the primary group is not system.

Why does the user have admin user privileges???

thanks
# 4  
Old 02-24-2008
Quote:
Originally Posted by AIX122
I created the user with smitty, but the user has admin user privileges
OK, we are making progress. Still, we are not quite there. What exactly did SMITty have to say? "OK"? Or something else? What exactly did you fill into the SMIT screens? And finally, give us the excerpt of /etc/passwd and the output of "lsuser" I asked for in my last post.

Quote:
Why does the user have admin user privileges???
This is what I'm trying to find out - if you let me.

A last question: what is making you believe that any of these users have "admin privileges"? What exactly do you mean by that?

bakunin
# 5  
Old 02-25-2008
Quote:
Originally Posted by bakunin
...

SMITTY says "OK".

Output of "lsuser":

Knbokt id=209 pgrp=nbokt groups=nbokt,apps home=/reports/NBOKT shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes=!saturday-thursday:0930-1230,!saturday-wednesday:1600-1900 loginretries=3 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=0 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_unsuccessful_login=1203769000 tty_last_unsuccessful_login=/dev/pts/3 host_last_unsuccessful_login=10.130.15.125 unsuccessful_login_count=11 roles=


I mean: the user can change directory from the home directory to any directory, for example the file systems "/opt, /, /usr, ...".

thanks
# 6  
Old 02-25-2008
Quote:
Originally Posted by AIX122
Output of "lsuser"

...

I mean: the user can change directory from the home directory to any directory, for example the file systems "/opt, /, /usr, ...".
*Now we are talking*. This is information I can help you with.

First off: everything is ok! The user is *supposed* to be able to change the directory to the directories you mentioned. This is *not* an admin privilege but in fact it is necessary to make the user account usable at all: if the user were not allowed to "cd /usr/bin" for instance, the account would not be able to use any of the programs which are stored there. This would be most of the system commands. Hence the user would not be able to use the system in any reasonable way.

Anyway, I take from your words that your concern is security, so I will give you some security tips based on your output of lsuser:

Quote:
Knbokt id=209 pgrp=nbokt groups=nbokt,apps home=/reports/NBOKT shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat
su=true means that the user is allowed to use the su command, which switches user roles. This is a necessary feature sometimes, but its use is undocumented. You cannot see in any log which user has used this command and when. This is a problem not so much of security but more of "auditing", which is a similar area. You can enhance this by doing the following:

- install "sudo", which is always a good idea anyway.
- disallow all users except root to use su by setting "su=" to false (use the "chuser" command for that)
- create a sudo rule which allows su for a certain group of users via sudo
- now it is possible to audit the times someone is issuing "su", because it cannot be issued directly any more but only in the form "sudo su - ...."

Quote:
logintimes=!saturday-thursday:0930-1230,!saturday-wednesday:1600-1900 loginretries=3 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=0 minlen=0 histexpire=0 histsize=0
These values deal with the password authentication. "Logintimes" is already set and limits the time a user can log on - good. "pwdwarntime" is a value in days and tells the system to warn the user that many days in advance when the password expires. It is a good idea to set this to a sensible value, say, 14 days. "minage" and "maxage" are (in days) the minimal and maximal age of a password. Set these to some sensible values to make the user change the password regularly.

"minlen", "minalpha" and "minother" deal with the password composition: minalpha requires a minimum of that many alphanumeric characters in the password, minother does the same with "other" (punctuation marks, etc.) characters. "minlen" is the minimal length of the password. Right now your users could set a blank password and the system would be happy. "maxrepeats" is the number of times a certain character is allowed to repeat in a password. Set it to avoid having passwords like "xxxxxxxx". "histexpire" is the number of passwords to keep in history. A user is not allowed to reuse a password in the history. Right now even if the user changes his password he might change the password to the same value it already had. If you set it to 9 the user has to use at least 10 different passwords before he can use the first one again.

Quote:
pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_unsuccessful_login=1203769000 tty_last_unsuccessful_login=/dev/pts/3 host_last_unsuccessful_login=10.130.15.125 unsuccessful_login_count=11 roles=
The rest is default. It seems that this specific user is not allowed to log on any more as "unsuccessful_login_count" is 11 and "loginretries" is 3. After 3 unsuccessful login retries the system will lock the account and only an admin (you) can unlock it by issuing

chuser -a unsuccessful_login_count=0 <username>

but this only as an aside.

Another security consideration is: you probably allow telnet/ftp to the system and the users use that (or rlogin, ...) to connect. All these protocols use clear text to transmit the passwords over the network lines. Install ssh (you can download it from IBM's website, see the pinned links in the forum) and switch off (comment out) telnet and ftp in the file /etc/inetd.conf.

I hope this helps.

bakunin
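To turn the advice in this post into a repeatable check, here is an added example (not bakunin's code and not part of the thread): a POSIX sh script that parses one line of lsuser output, as posted above, and reports the settings the post calls out. The sample line is a constructed copy of the one posted in the thread; the thresholds for su, pwdwarntime and password history come from the post, while the requirement that minage, maxage, minlen and maxrepeats be non-zero is an assumption of this example. Note that in AIX histsize is the number of remembered passwords and histexpire is the reuse window in weeks, so the script treats either one being non-zero as "history is enabled".

```shell
#!/bin/sh
# Added example (not from the thread): audit one line of "lsuser" output
# against the settings bakunin calls out in the post above.
# From the post: su=false, pwdwarntime of 14 days, a non-empty password history.
# Assumed (not in the post): minage/maxage, minlen and maxrepeats must be non-zero.
# AIX: histsize = number of remembered passwords, histexpire = reuse window in weeks.

# Constructed sample: a copy of the lsuser line posted in the thread.
SAMPLE_WEAK='Knbokt id=209 pgrp=nbokt groups=nbokt,apps home=/reports/NBOKT shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes=!saturday-thursday:0930-1230,!saturday-wednesday:1600-1900 loginretries=3 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=0 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_unsuccessful_login=1203769000 tty_last_unsuccessful_login=/dev/pts/3 host_last_unsuccessful_login=10.130.15.125 unsuccessful_login_count=11 roles='

# Constructed hardened counterpart with assumed values, for comparison.
SAMPLE_HARD='kbokt id=210 pgrp=nbokt su=false loginretries=3 pwdwarntime=14 minage=1 maxage=90 minlen=8 minalpha=4 minother=2 maxrepeats=3 histsize=10 histexpire=26 unsuccessful_login_count=0'

# attr NAME LINE: print the value of NAME=value in LINE (empty if absent).
attr() {
    _an=$1
    _al=$2
    set -f                          # no pathname expansion while word-splitting
    for _kv in $_al; do
        case $_kv in
            "$_an"=*) printf '%s\n' "${_kv#*=}"; break ;;
        esac
    done
    set +f
    return 0
}

# val NAME LINE DEFAULT: like attr, but print DEFAULT when the attribute is
# missing or empty (lsuser omits attributes that have no value).
val() {
    _vv=$(attr "$1" "$2")
    if [ -n "$_vv" ]; then printf '%s\n' "$_vv"; else printf '%s\n' "$3"; fi
}

# check_user LINE: print one finding per line; prints nothing for a clean account.
check_user() {
    _line=$1
    _user=${_line%% *}              # first word of lsuser output is the user name

    if [ "$(val su "$_line" true)" = true ]; then
        echo "$_user: su=true - direct su leaves no log entry; set su=false (chuser su=false $_user) and grant su through a sudo rule"
    fi
    if [ "$(val pwdwarntime "$_line" 0)" -lt 14 ]; then
        echo "$_user: pwdwarntime below 14 days - users get no expiry warning"
    fi
    if [ "$(val minage "$_line" 0)" -eq 0 ] || [ "$(val maxage "$_line" 0)" -eq 0 ]; then
        echo "$_user: minage/maxage=0 - passwords never have to change"
    fi
    if [ "$(val minlen "$_line" 0)" -eq 0 ]; then
        echo "$_user: minlen=0 - a blank password is accepted"
    fi
    if [ "$(val maxrepeats "$_line" 0)" -eq 0 ]; then
        echo "$_user: maxrepeats=0 - no limit on repeated characters (xxxxxxxx)"
    fi
    if [ "$(val histsize "$_line" 0)" -eq 0 ] && [ "$(val histexpire "$_line" 0)" -eq 0 ]; then
        echo "$_user: histsize/histexpire=0 - an old password can be reused immediately"
    fi
    _retries=$(val loginretries "$_line" 0)
    _fails=$(val unsuccessful_login_count "$_line" 0)
    if [ "$_retries" -gt 0 ] && [ "$_fails" -ge "$_retries" ]; then
        echo "$_user: $_fails failed logins with loginretries=$_retries - account is locked; check host_last_unsuccessful_login before resetting the counter"
    fi
    return 0
}

# finding_count LINE: number of findings check_user reports for LINE.
finding_count() {
    _c=$(check_user "$1" | wc -l)
    echo $((_c + 0))                # arithmetic strips wc's padding
}

check_user "$SAMPLE_WEAK"
echo "$(finding_count "$SAMPLE_WEAK") finding(s) for ${SAMPLE_WEAK%% *}, $(finding_count "$SAMPLE_HARD") for ${SAMPLE_HARD%% *}"
```

On a real system the input would come from `lsuser -a su pwdwarntime minage maxage minlen maxrepeats histsize histexpire loginretries unsuccessful_login_count ALL`, one line per user, fed through `check_user` in a loop; the script only reads attributes and changes nothing, so it is safe to run before deciding which `chuser` changes to apply.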
# 7  
Old 02-25-2008
Quote:
Originally Posted by bakunin
...

thank you very much

I found that and fixed it; this user is needed for ftp, so I edited /etc/ftpaccess and added the user to this file.

thanks