Solved

user permissions report on *nix servers

Posted on 2013-06-12
Last Modified: 2013-06-28
How can you determine what permissions each local user account on a *nix server has? In this case I am interested in an AIX IBM system. I can see a list of users in \etc\password, but how can you marry that up to what permissions they have over the system?

On a Windows Server you typically have local groups, i.e. administrators, power users, users, backup operators etc. Is the concept similar in *nix systems? If so, which are the more powerful groups/types of user to be conscious about?
0
Comment
Question by:pma111
7 Comments
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 167 total points
ID: 39240700
Run

id username

This will show the user's ID, their primary group as well as the group set the user belongs to.

"Powerful" groups are "system", "sys", "bin" and "security", but none of these groups will give its members full superuser ("root") privileges.
Only the user with ID "0" (= root) has those privileges.
0
 
LVL 3

Author Comment

by:pma111
ID: 39240713
Thanks, is there no way to run one command to list out all users and their groups (as there are quite a few)? Also, is there any way to see an account's "status", i.e. assume like Windows servers you can have an active or disabled account status?
0
 
LVL 3

Author Comment

by:pma111
ID: 39240726
Would also be useful to see if there is a last login timestamp associated with accounts to help identify stale / unused accounts. Would an account that hasn't logged in in some time indicate a stale account, or can accounts exist that are used for purposes other than logging in to the server?
0
LVL 68

Expert Comment

by:woolmilkporc
ID: 39240748
lsuser -a time_last_login username

Time is in seconds since epoch.

Convert it (example 1371036583) with

perl -we 'print(my $time = localtime 1371036583, "\n")'


There are system accounts which never log in, like daemon, esaadmin, pconsole etc.
0
 
LVL 21

Assisted Solution

by:Mazdajai
Mazdajai earned 167 total points
ID: 39240972
You can use last to determine last login.

Can you clarify what you are trying to achieve?
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 39240998
To answer your question in #39240713:

lsuser -fa pgrp groups account_locked ALL

or in one line per user

lsuser -a pgrp groups account_locked ALL

Run

lsuser -f root

to see all available attributes.
0
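Added example, not part of the thread: a small filter that turns the one-line-per-user `lsuser -a` output into a review list, flagging UID 0 accounts, membership of the groups named in the accepted answer (system, sys, bin, security), locked accounts, and accounts with an old or missing `time_last_login`. It assumes the `id` and `time_last_login` attributes are added to the command shown above; the function names, the 90-day threshold and the sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Flags accounts worth a closer look from
#   lsuser -a id pgrp groups account_locked time_last_login ALL
# Usage: lsuser ... ALL | audit_lsuser NOW_EPOCH STALE_DAYS
audit_lsuser() {
    awk -v now="$1" -v stale="$2" '
    BEGIN { n = split("system sys bin security", p, " ")
            for (i = 1; i <= n; i++) priv[p[i]] = 1 }
    {
        uid = ""; locked = ""; last = ""; grp = ""; hit = ""; flags = ""
        for (i = 2; i <= NF; i++) {          # fields are attr=value pairs
            eq = index($i, "="); if (eq == 0) continue
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "id") uid = val
            else if (key == "account_locked") locked = val
            else if (key == "time_last_login") last = val
            else if (key == "pgrp" || key == "groups") grp = grp "," val
        }
        n = split(grp, g, ",")
        for (i = 1; i <= n; i++)             # collect each powerful group once
            if ((g[i] in priv) && index("," hit ",", "," g[i] ",") == 0)
                hit = (hit == "" ? g[i] : hit "," g[i])
        days = int((now - last) / 86400)
        if (uid == "0") flags = flags " UID0"
        if (hit != "") flags = flags " PRIVGRP(" hit ")"
        if (locked ~ /^(true|yes|always)$/) flags = flags " LOCKED"
        if (last == "") flags = flags " NEVER_LOGGED_IN"   # attribute absent
        else if (days > stale) flags = flags " STALE(" days "d)"
        if (flags != "") print $1 ":" flags
    }'
}

# Constructed sample in the one-line-per-user format; not real accounts.
sample_lsuser() {
    cat <<'EOF'
root id=0 pgrp=system groups=system,bin,sys,security,cron,audit,lp account_locked=false time_last_login=1371036583
daemon id=1 pgrp=staff groups=staff account_locked=false
asmith id=206 pgrp=staff groups=staff account_locked=false time_last_login=1371500000
jdoe id=205 pgrp=staff groups=staff,security account_locked=false time_last_login=1360000000
olduser id=210 pgrp=staff groups=staff account_locked=true time_last_login=1300000000
toor id=0 pgrp=staff groups=staff account_locked=false time_last_login=1371000000
EOF
}

# Fixed "now" (mid-June 2013) keeps the output reproducible.
sample_lsuser | audit_lsuser 1371600000 90
```

A NEVER_LOGGED_IN flag on its own is expected for the system accounts mentioned earlier in the thread; it matters most when it appears together with UID0 or PRIVGRP.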
 
LVL 62

Assisted Solution

by:gheist
gheist earned 166 total points
ID: 39242860
Actually list of users is in /etc/security/passwd
/etc/passwd is a decoration generated by SMIT for POSIX compatibility

I think you need some crash course in UNIX basics
step 1)
install AIX manuals (bos.rte.man) from AIX CDs. You will not get anywhere without those
1a) if you don't have CDs cough up 50$ and order them from IBM
step 2)
make usable server out of Debian or NetBSD (to learn some commands). VirtualBox and VMware are good.
step 3)
learn to press F6 in smit/smitty (and read manuals after)

As you learn you can stroll through
https://benchmarks.cisecurity.org/tools2/aix/CIS_IBM_AIX_5.3-6.1_Benchmark_v1.0.0.pdf
and http://redbooks.ibm.com/
to gradually secure your system
0
