
AIX Security Commands Tips Page 1 of 8


General Security Commands

File Permissions
  Permissions
  chmod - change permission attributes
  umask - set default permissions when creating files or directories
  Sticky bit
  ulimit - set user limits

Users
  mkpasswd - creates a hashed file of /etc/passwd
  pwdck - checks users' passwords
  usrck - verifies user security
  rmuser - remove a user
  su - switch users

Location of security files
  /etc/security/.ids
  /etc/security/limits
  /etc/security/login.cfg
  /etc/security/mkuser.default
  /etc/security/passwd
  /etc/security/user

Groups
  chgrp - change the group owner of a file or directory
  newgrp - switch to another group

ACL Commands
  acledit
  aclget
  aclput

Status
  tcbck - check security integrity
  sysck - system check
  lsgroup - list groups
  lsuser - list users
Permissions

Depending on how the umask is set, when a user creates a file, the file permissions will be set to

- read/write for the owner of the file
- read-only for group and other

If you look at the permissions using the ls -l command, you will see...

-rw-r--r-- 1 roger staff 129 Oct 07 10:14 testfile

Reading the fields from left to right:

  -              file type
  rw-            owner flags (read, write, execute)
  r--            group flags (read, write, execute)
  r--            other flags (read, write, execute)
  1              number of links
  roger          owner of file
  staff          group file is in
  129            size of file in bytes
  Oct 07 10:14   date last written to
  testfile       filename

File type codes:

  -  ordinary file
  F  remote file
  l  symbolic link
  d  directory
  b  block special
  B  remote block special
  c  character special
  p  fifo
  s  socket

A dash under the owner, group, and other fields means that particular attribute (either read,write or execute) isn't
permitted. When a file is created, a mask is applied to the permission bits to determine what permissions are allowed.
The mask can be user defined by the umask command.

File permission bits are verified when a file is opened. The commands mv (move) and rm (remove), for example, don't
open a file. Thus, it's possible to remove a file that you don't have permissions to open, as long as you have write (w)
permission for the directory containing that file.
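Added example (not from the original page): a small POSIX shell script that demonstrates the rule above. It creates throwaway directories with mktemp, makes a file mode 000, and shows that its owner can still mv and rm it, while a readable file in a directory without write permission cannot be removed by a normal user. Directory and file names are constructed; root bypasses mode bits, so the second check is only meaningful as an ordinary user.

```shell
#!/bin/sh
# Added example (not from the original page): open() checks a file's own
# permission bits, but rm and mv only need write and search (x) permission
# on the directory that holds the file.  All paths are throwaway directories
# created with mktemp; nothing on the real system is touched.

# Print the 10-character permission string of a path, as ls -l shows it.
perm_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a file with mode 000, print its permission string, then show that
# its owner can still rename and delete it.  Exit status 0 means both
# operations succeeded even though the file could not be opened.
remove_unopenable_file() {
    d=$(mktemp -d) || return 1
    f="$d/locked"
    : > "$f"
    chmod 000 "$f"                      # no r/w/x for owner, group or other
    perm_of "$f"                        # prints ----------
    rc=0
    # Root bypasses mode bits, so the open failure is only checked as a normal user.
    if [ "$(id -u)" -ne 0 ] && cat "$f" >/dev/null 2>&1; then
        echo "unexpected: $f could be opened" >&2
        rc=1
    fi
    mv "$f" "$f.renamed" || rc=1        # mv never opens the file
    rm -f "$f.renamed" || rc=1          # neither does rm
    if [ -e "$f" ] || [ -e "$f.renamed" ]; then rc=1; fi
    rm -rf "$d"
    return $rc
}

# The reverse case: a fully readable file in a directory without write
# permission.  Prints "blocked" when the directory denies the removal and
# "allowed" when it does not (root ignores directory write bits).
removal_blocked_by_directory() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ro"
    : > "$d/ro/open_file"
    chmod 644 "$d/ro/open_file"
    chmod 555 "$d/ro"                   # search allowed, write denied
    if rm -f "$d/ro/open_file" 2>/dev/null; then
        echo "allowed"
    else
        echo "blocked"
    fi
    chmod 755 "$d/ro"                   # restore so the cleanup can succeed
    rm -rf "$d"
}

remove_unopenable_file && echo "renamed and removed a mode-000 file"
echo "removal in a read-only directory: $(removal_blocked_by_directory)"
```

Run it as a normal user: the first function prints `----------` and succeeds, the second prints `blocked`. Pointing the same logic at a real file is just a question of which directory's write bit you are relying on.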


Sticky bit

The Sticky Bit is usually associated with world writeable directories, such as the /tmp directory. This prevents users from
deleting files they don't own. Users can write to those directories but only they can delete or update those files they own.
It's commonly used for scratch directories like /tmp to provide some security for otherwise world-writable directories.


/etc/security

The directory /etc/security contains many files used to configure individual user or system-wide security defaults. The
files listed below can be modified to enhance system security at your site:

/etc/security/.ids

Holds the value for the next assignment to a group/user id and group/user admin id. Used by mkuser
and mkgroup commands.

Sample contents: 4 203 12 200

where...

- 4 = administrative user id (mkuser -a)
- 203 = user id (mkuser)
- 12 = administrative group id (mkgroup -a)
- 200 = group id (mkgroup)


/etc/security/limits

Set one or more of the following stanzas for each user. All field attributes below default to 512 byte blocks.

Value   What it does

fsize   Largest file size that can be created or extended.
core    Largest core file size that can be created.
cpu     Maximum amount of CPU time to be used by each process. Must log out and back in for the changes to take
        effect.
data    Maximum size of the data segment for a process (malloc call). Data and stack are tied together; combined,
        they can never be greater than 256 MB.
stack   Maximum size of the stack segment for a process.
rss     Maximum size to which a process's resident set size (working set) may grow. As long as real memory is
        available, the system will give additional memory to the process instead of causing the process to page
        portions of its code.


/etc/security/login.cfg

Sets system-wide password restrictions (pw_restrictions).

Value       What it does

maxage      A value of 4 forces users to change passwords every 4 weeks. Default=0, indicating no maximum age.
minage      Defines the minimum number of weeks that can pass before a password must be changed. This option
            can conflict with the flags field in /etc/security/passwd. If minage has a value greater than zero and
            flags = ADMCHG in the /etc/security/passwd file for that user, then the user will not be forced to change
            their password until the number of week(s) has elapsed. Default=0
minalpha    Minimum number of alphabetic characters in the password. Default=0
minother    Minimum number of non-alphabetic characters in the password. Default=0
mindiff     Number of characters that must be different from the previous password. This option is recommended
            since, by default, you can reuse the previous password when prompted to change to a new password. This
            is not positional. If the new password is xycd and the old password was abcd, then the number of
            different characters is one. Default=0
maxrepeats  Maximum number of repeatable characters in a password. The repeatable characters don't have to be
            consecutive. The default of 8 is used to indicate that there is no maximum number.


/etc/security/mkuser.default

Default attributes for generating a new user.

user:
        group = staff
        groups = staff
        prog = /bin/ksh
        home = /u/$USER

admin:
        group = system
        groups = system
        prog = /bin/ksh
        home = /u/$USER


/etc/security/passwd

Holds the encrypted password for each user. Let's assume you have an unhappy worker who is asked to leave the
company. You're afraid that person will attempt to get into the system. You ask everybody to change their password but
aren't sure if everyone will follow suit.

To force users to change their password, perform the following procedures.

1. Edit /etc/security/login.cfg and change maxage=1. This will force users, who haven't changed their password
in the past week, to do so the next time they login.
2. If some people have changed their password in the past week, review the lastupdate field for that user. Subtract
604800 (the number of seconds in one week) from the value specified in the lastupdate field. The next time that
user logs into the system, they will be forced to change their password. The lastupdate field represents the
number of seconds passed since Jan 1, 1970.

A simpler way to force a user to change their password the next time they log into the system is to change that
user's flag field to ADMCHG. Use the command pwdadm -f ADMCHG <username> to change the flag.

- The next time a login or su command is executed for that user, they will be forced to change their
  password, based on the password guidelines specified in the /etc/security/login.cfg file.
- If the user has a password, they will be asked for their original password before being prompted to
  change to a new password.
- Make sure the mindiff attribute in the pw_restrictions stanza of /etc/security/login.cfg is nonzero to
  force the new password to be different from the old one.

If the flags field for a user is set to flags = NOCHECK, then the /etc/security/login.cfg restrictions won't apply to that
user for new passwords that follow.

Note: If an '*' appears in the password field ( password = * ), this indicates that no password has been set for that user
and prevents the user from logging in until root user assigns a password to that account.

If /etc/passwd has an asterisk (*) in the second field, this implies that the account has been defined to the system but
is not an account that can be logged into yet. There will not be an entry placed into the /etc/security/passwd file until a
password has been assigned to this account.
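Added example (not the page's own): a POSIX shell/awk script that reads the stanza layout of /etc/security/passwd (a user name line followed by indented attribute = value lines, the same layout shown for /etc/security/user further down this page) and reports the states discussed above: lastupdate older than a week, flags = NOCHECK, and password = *. It also performs the lastupdate backdating arithmetic on a copy of the text rather than on the real file. The stanza contents and the "current time" are constructed, and the hashes are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): reading AIX stanza files to
# find the password states discussed above.  The data below is a constructed
# /etc/security/passwd lookalike; the hashes are placeholders, not real data.

sample_passwd_stanzas() {
cat <<'EOF'
root:
        password = PLACEHOLDER_HASH
        lastupdate = 1265800000
        flags =

roger:
        password = PLACEHOLDER_HASH
        lastupdate = 1265000000
        flags = ADMCHG

lisa:
        password = PLACEHOLDER_HASH
        lastupdate = 1266400000
        flags = NOCHECK

guest:
        password = *
EOF
}

# Shared awk rule: remember which stanza ("user:") the current line belongs to.
STANZA_HEADER='/^[^ \t#].*:[ \t]*$/ { u = $0; sub(/:[ \t]*$/, "", u); user = u; next }'

# Print the value of attribute $2 in stanza $1 (stanza text on stdin).
stanza_get() {
    awk -v target="$1" -v attr="$2" "$STANZA_HEADER"'
        user == target && $1 == attr && $2 == "=" {
            $1 = ""; $2 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Users whose lastupdate is more than $2 seconds before "now" ($1); with
# maxage=1 (one week) these are the accounts forced to change at next login.
stale_passwords() {
    awk -v now="$1" -v max="$2" "$STANZA_HEADER"'
        $1 == "lastupdate" && $2 == "=" && now - $3 > max { print user }'
}

# Users carrying the NOCHECK flag: login.cfg restrictions do not apply to them.
nocheck_users() {
    awk "$STANZA_HEADER"'
        $1 == "flags" && $2 == "=" {
            for (i = 3; i <= NF; i++) if ($i ~ /NOCHECK/) { print user; break } }'
}

# Users with "password = *": defined, but unable to log in until root sets one.
unset_password_users() {
    awk "$STANZA_HEADER"'
        $1 == "password" && $2 == "=" && $3 == "*" { print user }'
}

# Rewrite stdin so that user $1's lastupdate is one week (604800 s) earlier,
# the manual trick described in step 2 above, applied to a copy of the text.
backdate_lastupdate() {
    awk -v target="$1" -v week=604800 '
        /^[^ \t#].*:[ \t]*$/ { u = $0; sub(/:[ \t]*$/, "", u); user = u }
        user == target && $1 == "lastupdate" && $2 == "=" {
            printf "        lastupdate = %d\n", $3 - week; next }
        { print }'
}

now=1266500000   # constructed "current time" (seconds since Jan 1, 1970)
echo "stale (> 1 week): $(sample_passwd_stanzas | stale_passwords "$now" 604800 | tr '\n' ' ')"
echo "NOCHECK flag:     $(sample_passwd_stanzas | nocheck_users | tr '\n' ' ')"
echo "no password set:  $(sample_passwd_stanzas | unset_password_users | tr '\n' ' ')"
echo "roger's flags:    $(sample_passwd_stanzas | stanza_get roger flags)"
```

On a real system the functions would read the actual file (`stale_passwords "$(date +%s)" 604800 < /etc/security/passwd`, as root); the backdating function is deliberately a filter so that its output can be reviewed before anything is written back with the page's pwdadm-based alternative or a careful edit.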


/etc/security/.profile

System-wide default profile used to copy into the $HOME directory of each user as they are created on the system. Add
to this file to acquire default capabilities that otherwise would have to be added manually to each $HOME/.profile.

Remember, the /etc/profile file contains commands executed by all users at login, so if everyone needs to have certain
environmental variables set, set them in that file.


/etc/security/user

Lists attributes that have changed from the default values for individual users, like whether that user has rlogin or telnet
access, login authentication method and so on. For example, if a particular user could only log into the system from a
particular terminal, the stanza for that user would read:

roger:
        admin = false
        ttys = /dev/tty1

Where the only terminal user roger could log in from would be tty1.

One could also specify that user roger may use any terminal directly connected to the system except terminal tty5 by
stating the following in this file:

roger:
        admin = false
        ttys = !/dev/tty5, ALL

The chuser command modifies this file.

If the login field is set to false (login = false), that user will be locked out from logging into the system from a locally
attached terminal. There are only two ways to log in to that account. You could 'su' into that account, assuming the SU
to user field is set to TRUE. The other way is to log into that system if the telnet or rlogin field is set to true and your
system is connected to a TCP/IP network.

roger:
        login = false
        telnet = true
        rlogin = true


acledit

Combines aclget and aclput capabilities. Must set the EDITOR variable to the following:
export EDITOR=/usr/bin/vi

Must be owner or ROOT to modify the base or extended permissions of file - regardless of what the extended
permissions say. The use of an octal operand (chmod 755 <filename>) will disable the extended ACL parameters (if
any) associated with the file.

Example: acledit mytest


aclget

Gets the ACL values for a file

Example: aclget mytest (Displays base and extended permissions for file mytest)


aclput

Sets the ACL for a file

Example: aclget mytest | aclput yourtest (Copies ACL attributes from file mytest to file yourtest)


chgrp

Changes the group ownership of a file or directory.

Examples               What it does

chgrp staff mgmt       Changes group from staff to mgmt
chgrp -R office /lisa  Will recursively descend through the lisa directory and all its subdirectories to change
                       the group ownership of all files to the group named office.


chmod

Changes permissions of a file or directory. Without considering the umask value, when a directory is created, the
permissions are set to 'rwxrwxrwx'; and for a new file, the permissions are 'rw-rw-rw-'. When the umask is applied,
directory settings are 'rwxr-xr-x' and files are 'rw-r--r--'. To have access to another user's directory, that user's
directory must have the execute bit set for either group or other (e.g., 'rwxr-xr-x').

Be very careful with the files needed for booting. Other system files should be handled with care. Accidentally entering
chmod 666 / usr/file instead of chmod 666 /usr/file can be disastrous. The former will instantly render the root file
system unusable and unbootable, since it takes execute (directory search) permission away from the entire file system
except for references relative to the current directory that do not go through the root directory.

Same analogy applies to the /u or /home directory. If execute permission is removed for group and other (drwxr--r--)
users other than ROOT will not be able to log into the system.

Examples             What it does

chmod go+wr testfile Add read/write to group/others
chmod u-x testfile   Remove execute permission from owner
chmod 1777 ickfar    Turns on the sticky bit for the file named ickfar


tcbck

Examples      What it does

tcbck -p ALL  Checks files specified in /etc/security/tcbck.cfg. Use this command to check the file system
              any time you suspect the integrity of the system may have been compromised.
tcbck -t tree All files in the system are checked for correct installation (this may take several hours to
              complete).


lsgroup

List attributes of a group

Example: lsgroup staff (Displays characteristics of the group named staff)


grpck

Verifies that all users listed as group members are defined as users, that the GID is unique, and that the group name is
correct.

Examples      What it does

grpck -n ALL  Reports errors but doesn't fix them.
grpck -t ALL  If problems are detected, will ask if they should be fixed.


lsuser

List characteristics of user accounts

Example: lsuser roger (Display attributes for the user roger)


usrck

Verifies most parameters in the /etc/security/user database.

- Each user name listed in the /etc/passwd file has a stanza in
    /etc/security/user
    /etc/security/limits
    /etc/security/passwd
- Stanzas will be added for each missing user name as needed.
- Also verifies that each group name listed in /etc/group has a corresponding stanza in /etc/security/group.
- It may disable a user id by adding an expired expiration date to the /etc/security/user database.
- The user's $HOME directory is not affected.
- Re-enable the account by removing the expiration date in the /etc/security/user database or via smit chuser.

Examples      What it does

usrck -n ALL  Reports errors but doesn't fix them.
usrck -t ALL  If problems are detected, will ask if they should be fixed.


mkpasswd

Creates a hashed version of /etc/passwd for faster login. This command should be run every time
the /etc/passwd and /etc/security/passwd files have changed. If more than 40-50 user accounts are defined to the
system, running this command will shorten the time it takes to log in to your account.

Example: mkpasswd -v /etc/passwd (Creates the /etc/passwd.pag and /etc/passwd.dir files.)


pwdck

Checks authentication stanzas in /etc/passwd and /etc/security/passwd. May not check for specified password rules
such as minalpha, minother, and lastupdate in the /etc/security/login.cfg file. One drawback to pwdck is that it doesn't
report on root equivalent accounts (accounts with a UID of 0 but a username other than root).

Examples      What it does

pwdck -n ALL  Reports errors but doesn't fix them.
pwdck -t ALL  If problems are detected, will ask if they should be fixed.
pwdck -y ALL  Will import a BSD or SYSV password file. Use the usrck command afterwards to create default limit
              entries:
                1) pwdck -y ALL
                2) usrck


newgrp

Switch to another group for users who are members of multiple groups.


rmuser

Removes a user from the system. The $HOME directory for this user is left intact. Must manually remove the directory.


su

By setting the "Another user can SU to user?" attribute to no for root, one can prevent users from acquiring ROOT
privilege via su. The su command won't accept any user name longer than 8 characters.


sysck

Audits the security state of the system. This command uses the /etc/security/sysck.cfg configuration file to provide it
with the expected security state of the system. The effectiveness of sysck is directly related to the accuracy of this
configuration file. Checks for file ownership, permissions, access control lists, and checksums. System directories aren't
included, but this info can easily be added via a text editor of your choice.

Examples      What it does

sysck -n ALL  Errors are reported but not fixed.
sysck -t ALL  Errors are reported with a prompt asking whether each error should be fixed.
tcbck -n ALL  Check for inconsistencies in the system.


umask

Sets the default file permissions for files created by a user.

Type in the umask command by itself to show what the current defaults are. This can be changed by the smit user
command or by the umask command itself.

By default, the umask is set to 022, which means

- Don't allow write access for GROUP and OTHER.
- When this mask is applied to the system file default of 666 (read/write for everyone), the result is 644 (read/write
  for owner, and read for group and other).
- The math works out as follows: 666 - 022 = 644.
- The system default for creating directories is 777 - 022 = 755, which means the owner has read/write/execute
  permissions on that directory, while group and others only have read and execute permissions.
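Added example (not from the original page) showing why the umask arithmetic above holds: the umask is a bit mask, so the resulting mode is the creation base AND NOT the umask. For 022 this coincides with 666 - 022 = 644, but for a umask such as 027 the plain subtraction gives a wrong answer, which the script demonstrates against files and directories it actually creates under a mktemp directory. The octal conversion reads the ls -l permission string, so it does not depend on a particular stat(1) flavour.

```shell
#!/bin/sh
# Added example (not from the original page): the umask is a bit mask.
# New mode = base AND NOT umask, which equals the "666 - 022 = 644"
# subtraction only while every umask digit fits under the base digit.

# Expected mode (octal) for creation base $1 (e.g. 666) under umask $2.
expected_mode() {
    printf '%03o' $(( 0$1 & ~0$2 ))
}

# The plain subtraction used in the text; correct for 022, wrong for 027.
subtracted_mode() {
    printf '%03o' $(( 0$1 - 0$2 ))
}

# Convert the nine permission characters of an ls -l string (e.g. rw-r--r--)
# into octal, so the check does not depend on any particular stat(1).
symbolic_to_octal() {
    s=$1; total=0
    for triple in "$(printf '%s' "$s" | cut -c1-3)" \
                  "$(printf '%s' "$s" | cut -c4-6)" \
                  "$(printf '%s' "$s" | cut -c7-9)"; do
        v=0
        case "$triple" in r??) v=$((v + 4)) ;; esac
        case "$triple" in ?w?) v=$((v + 2)) ;; esac
        case "$triple" in ??[xst]) v=$((v + 1)) ;; esac   # s/t = setuid/setgid/sticky plus x
        total=$((total * 8 + v))
    done
    printf '%03o' "$total"
}

# Octal mode of a path, read back from ls -ld.
mode_octal() {
    symbolic_to_octal "$(ls -ld "$1" | cut -c2-10)"
}

# Create a file (base 666) and a directory (base 777) under umask $1 in a
# throwaway directory and print "file_mode dir_mode" as actually stored.
create_under_umask() {
    d=$(mktemp -d) || return 1
    (umask "$1" && : > "$d/f" && mkdir "$d/sub") || { rm -rf "$d"; return 1; }
    result="$(mode_octal "$d/f") $(mode_octal "$d/sub")"
    rm -rf "$d"
    echo "$result"
}

for m in 022 027 077; do
    echo "umask $m: expected $(expected_mode 666 "$m")/$(expected_mode 777 "$m")," \
         "subtraction gives $(subtracted_mode 666 "$m")," \
         "actual $(create_under_umask "$m")"
done
```

The 027 line is the instructive one: the mask yields 640/750 (group may read, others get nothing), while 666 - 027 would print 637, a mode that cannot exist.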


ulimit

Quota limits for individual users for memory usage and file size. Doesn't affect the /etc/security/limits database. Only
changes your environment for the current session (not a permanent change). This command allows the user to change
their hard or soft limits.

To raise or lower the soft limit (within the bounds of the hard limit), use the -S option.

To raise or lower the hard limit (within the bounds of the default values specified in the /etc/security/limits database),
use the -H option.


Examples            What it does

ulimit -a           View current limits, for example:
                      time(seconds)      3600
                      file(blocks)       2097151
                      data(kbytes)       65536
                      stack(kbytes)      4096
                      memory(kbytes)     32768
                      coredump(blocks)   2048
ulimit -Sf 1000000  Increase the soft file limit to 1000000 blocks
ulimit -d 100000    Data section is now increased to 50 MB. When compiling large C or FORTRAN programs, you may
                    receive a MALLOC error during the link phase. This is because there is not enough heap space
                    allocated to this process.
