Solved

AIX IBM ACL question

Posted on 2014-04-15
3
675 Views
Last Modified: 2014-04-16
Can anyone help with interpret the following ACL report for this sample location:

--- /etc/passwd ---
*
* ACL_type   AIXC
*
attributes: 
base permissions
    owner(root):  rw-
    group(security):  r--
    others:  r--
extended permissions
    disabled

Open in new window


1) What does "group(security): r--" .....represent - i.e. who are these users? Is this a default ACL for this area of an AIX system?

2) What does "others: -r" ....represent - i.e. who are these users? Is this a default ACL for this area of an AIX system?

Obviously what we want to prevent is non admin (root) level users with access to files containing sensitive information like passwor hashes, so an understanding of what the above actually represents most helpful.
0
Comment
Question by:pma111
  • 2
3 Comments
 
LVL 3

Author Comment

by:pma111
ID: 40001086
And out of interest, which accounts can open/read the below password hash file on AIX IBM, is this limited to root only (or every user):

/etc/security/passwd
0
 
LVL 68

Accepted Solution

by:
woolmilkporc earned 500 total points
ID: 40001159
1) Members of the "security" group are allowed to create/modify user/group accounts by means of smit/smitty, except for those bearing the "admin=true" flag in /etc/security/user. These latter users/groups can only be manipulated by root.
No users except for root are by default members of the "security" group, it's your choice (and responsibility) whom to add to this group.
All files related to user/group/role/ldap/kerberos etc.  administration are by default owned by the "security" group.

Check with:

find /etc /usr/bin /usr/sbin -group security

This group is particular to AIX, as far as I know.

2) "others" is not a group, it's a catch-all for those who are neither the owner nor a member of the owning group of a file.
These users are allowed "read" access to files like /etc/passwd so that (for example) "ls -l" can convert numeric user ids to user names.
And yes, this is the default under AIX.
0
 
LVL 68

Expert Comment

by:woolmilkporc
ID: 40001163
To answer the follow-up question:

Only root can read/write from/to /etc/security/passwd. Neither group (security) members nor "others" are granted any access, not even "read" access.
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
VMWare 6 crashing 14 96
mobaxterm not able to change directory 28 94
I think my Ubuntu 12.10 box is hacked, but not sure... 13 49
Backup & Restore 3 46
I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
I use more than 1 computer in my office for various reasons. Multiple keyboards and mice take up more than just extra space, they make working a little more complicated. Using one mouse and keyboard for all of my computers makes life easier. This co…
Learn several ways to interact with files and get file information from the bash shell. ls lists the contents of a directory: Using the -a flag displays hidden files: Using the -l flag formats the output in a long list: The file command gives us mor…
In a previous video, we went over how to export a DynamoDB table into Amazon S3.  In this video, we show how to load the export from S3 into a DynamoDB table.

930 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now