  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 586

user permissions report on *nix servers

How can you determine what permissions each local user account on a *nix server has? In this case I am interested in an AIX IBM System. I can see a list of users in \etc\password, but how can you marry that up to what permissions they have over the System?

On a Windows Server you typically have local groups, i.e. administrators, power users, users, backup operators etc. Is the concept similar in *nix systems? If so, which are the more powerful groups/types of user to be conscious about?

Asked by: pma111
 
woolmilkporc commented:
Run

id username

This will show the user's ID, their primary group as well as the group set the user belongs to.

"Powerful" groups are "system", "sys", "bin" and "security", but none of these groups will give its members full superuser ("root") privileges.
Only the user with ID "0" (= root) has those privileges.
0
 
pma111 (author) commented:
Thanks. Is there no way to run one command to list out all users and their groups (as there are quite a few)? Also, is there any way to see an account's "status", i.e. I assume, like Windows servers, you can have an active or disabled account status?
0
 
pma111 (author) commented:
It would also be useful to see if there is a last login timestamp associated with accounts to help identify stale / unused accounts. Would an account that hasn't logged in for some time indicate a stale account, or can accounts exist that are used for purposes other than logging in to the server?
0
 
woolmilkporc commented:
lsuser -a time_last_login username

Time is in seconds since epoch.

Convert it (example 1371036583) with

perl -we 'print(my $time = localtime 1371036583, "\n")'


There are system accounts which never log in, like daemon, esaadmin, pconsole etc.
0
 
Mazdajai commented:
You can use last to determine last login.

Can you clarify what you are trying to achieve?
0
 
woolmilkporc commented:
To answer your question in #39240713:

lsuser -fa pgrp groups account_locked ALL

or in one line per user

lsuser -a pgrp groups account_locked ALL

Run

lsuser -f root

to see all available attributes.
0
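An added example (not posted by anyone in this thread) that turns the one-line-per-user `lsuser -a` output into a short audit report, combining the group, lock status and last-login attributes mentioned in the answers above. The function names, the flag labels, the stale threshold and the sample lines are constructed for illustration; only the `lsuser` attribute names and the group names come from the thread (plus the `id` attribute for the UID).

```shell
#!/bin/sh
# Added example (not from the thread). Feed it the one-line-per-user output of:
#   lsuser -a id pgrp groups account_locked time_last_login ALL
audit_lsuser() {
    # $1 = current time (epoch seconds), $2 = stale threshold in days (assumed policy)
    awk -v now="$1" -v max_days="$2" '
    BEGIN {
        # Groups the thread names as powerful
        n = split("system sys bin security", p, " ")
        for (i = 1; i <= n; i++) powerful[p[i]] = 1
    }
    NF {
        user = $1; uid = ""; pgrp = ""; groups = ""; locked = ""; last = ""
        for (i = 2; i <= NF; i++) {            # parse attr=value pairs
            eq = index($i, "=")
            if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "id") uid = val
            else if (key == "pgrp") pgrp = val
            else if (key == "groups") groups = val
            else if (key == "account_locked") locked = val
            else if (key == "time_last_login") last = val
        }
        flags = ""
        if (uid == "0") flags = flags " UID0"  # only UID 0 is the superuser
        m = split(pgrp "," groups, g, ",")
        for (i = 1; i <= m; i++)
            if (g[i] in powerful) { flags = flags " PRIV_GROUP"; break }
        if (locked == "true") flags = flags " LOCKED"
        # time_last_login is absent for accounts that never logged in
        if (last == "") flags = flags " NEVER_LOGGED_IN"
        else if ((now - last) / 86400 > max_days) flags = flags " STALE"
        if (flags == "") flags = " ok"
        printf "%s:%s\n", user, flags
    }'
}

# Constructed sample input in lsuser -a format (not real account data)
sample_lsuser_output() {
cat <<'EOF'
root id=0 pgrp=system groups=system,bin,sys,security,cron,audit,lp account_locked=false time_last_login=1371036583
daemon id=1 pgrp=staff groups=staff account_locked=false
jdoe id=205 pgrp=staff groups=staff,security account_locked=false time_last_login=1360000000
asmith id=206 pgrp=staff groups=staff account_locked=true time_last_login=1370900000
bjones id=207 pgrp=staff groups=staff account_locked=false time_last_login=1371000000
EOF
}
```

On a live system the input would come from `lsuser -a id pgrp groups account_locked time_last_login ALL | audit_lsuser "$(date +%s)" 90`; accounts flagged NEVER_LOGGED_IN include the system accounts mentioned above, so review them rather than treating them as stale.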
 
gheist commented:
Actually, the list of users is in /etc/security/passwd.
/etc/passwd is a decoration generated by SMIT for POSIX compatibility.

I think you need a crash course in UNIX basics.
Step 1)
Install the AIX manuals (bos.rte.man) from the AIX CDs. You will not get anywhere without those.
1a) If you don't have the CDs, cough up $50 and order them from IBM.
Step 2)
Make a usable server out of Debian or NetBSD (to learn some commands). VirtualBox and VMware are good.
Step 3)
Learn to press F6 in smit/smitty (and read the manuals after).

As you learn you can stroll through
https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_5.3-6.1_Benchmark_v1.0.0.pdf
and http://redbooks.ibm.com/
to gradually secure your system.
0
