AIX

Hi ,,,

I create new user on AIX 5.2 but the user have privileges root user

Why the user have privileges root user although the user specification not the same specification root user ???

PLease help me ...

With which command or procedure do you create the users? What exactly is the output of this command or script? Please provide an excerpt of /etc/passwd with the line(s) representing the users you have created so far.

Finally, if you could provide the output of the command "lsuser <username>" for one or several of the users you created it would help.

bakunin

created user by smitty but the user have privilegees admin user : (

although ADMINISTRATIVE USER is FALSE and primary group not system

Why the user have privileges admin users ???

thanks

ok, we are making progress. Still we are not quite there. What exactly did SMITty have to say? "OK"? or something else? What exactly did you fill into the SMIT screens? And finally, give us the excerpt of /etc/passwd and the output of "lsuser" i asked for in my last post.

This is what i'm trying to find out - if you let me.

A last question: was is making you believe that any of these users have "admin privileges"? What exactly do you mean by that?

bakunin

SMITTY say "OK"

output of "lsuser " :

Knbokt id=209 pgrp=nbokt groups=nbokt,apps home=/reports/NBOKT shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes=!saturday-thursday:0930-1230,!saturday-wednesday:1600-1900 loginretries=3 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=0 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_unsuccessful_login=1203769000 tty_last_unsuccessful_login=/dev/pts/3 host_last_unsuccessful_login=10.130.15.125 unsuccessful_login_count=11 roles=


I mean : the user can change directory from home directory to any directory for example file systems " /opt , / , /usr , ...."

thanks

*Now we are talking*. This is information i can help you with.

First off: everything is ok! The user is *supposed* to be able to change the directory to the directories you mentioned. This is *not* an admin privilege but in fact it necessary to make the user account usable at all: if the user would not be allowed to "cd /usr/bin" for instance, the account would not be able to use any of the programs which are stored there. This would be most of the system commands. Hence the user would not be able to use the system in any reasonable way.

Anyway, i take from your words that your concern is security, ao i will give you some security tips based on your output of lsuser:

su=true means that the user is allowed to use the su-command with switches user roles. This is a necessary feature sometimes, but its use is undocumented. You cannot see in any log which user and when has used this command. This is a problem not so much of security but more of "auditing", which is a similar area. You can enhance this by doing the following:

- install "sudo", which always a good idea anyways.
- disallow all users except root to use su by setting "su=" to false (use the "chuser" command for that)
- create a sudo-rule which allows su for a certain group of users via sudo means
- now it is possible to audit the times someone is issuing "su", because it cannot be issued directly any more but only in the form "sudo su - ...."

These values deal with the password authentification. "Logintimes" is already set and limits the time a user can log on - good. "pwdwarntime" is a value in days and tells the system to warn the user that many days in advance when the password expires. It is a good idea to set this to a sensible value, say, 14 days. "minage" and "maxage" are (in days) the minimal and maximal age of a password. Set these to some sensible values to make the user change the password regularly.

minlen, "minalpha" and "minother" deal with the password composition: minalpha requires a minimum of that many alphanumeric characters in the password, minother does the same with "other" (punctuation marks, etc.) characters. "minlen" is the minimal length of the password. Right now your users could set a blank password and the system would be happy. "maxrepeats" is the number of times a certain character is allowed to repeat in a password. Set it to avoid having passwords like "xxxxxxxx". "histexpire" is the number of passwords to keep in history. A user is not allowed to reuse a password in the history. Right now even if the user changes his password he might change the password to the same value it already had. If you set it to 9 the user has to use at least 10 different passwords befor he can use the first one again.

The rest is default. It seems that this specific user is not allowed to log on any more as "unsuccessful_login_count" is 11 and "loginretries" is 3. After 3 unsuccessful login retries the system will lock the account and only an admin (you) can unlock it by issuing

chuser -a unsuccessful_login_count=0 <username>

but this only as an aside.

Another security consideration is: you probably allow telnet/ftp to the system and the users use that (or rlogin, ...) to connect. All these protocols use clear text to transmit the passwords over the networ lines. Install ssh (you can download it from IBMs website, see the pinned links in the forum) and switch off (comment out) telnet and ftp in the file /etc/inetd.conf.

I hope this helps.

bakunin

thank you very much

I find that and fixed , this user needed for ftp so i edit /etc/ftpaccess and add user in this file .

thanks