AIX IBM ACL question

Can anyone help with interpret the following ACL report for this sample location:

--- /etc/passwd ---
*
* ACL_type   AIXC
*
attributes: 
base permissions
    owner(root):  rw-
    group(security):  r--
    others:  r--
extended permissions
    disabled

Open in new window


1) What does "group(security): r--" .....represent - i.e. who are these users? Is this a default ACL for this area of an AIX system?

2) What does "others: -r" ....represent - i.e. who are these users? Is this a default ACL for this area of an AIX system?

Obviously what we want to prevent is non admin (root) level users with access to files containing sensitive information like passwor hashes, so an understanding of what the above actually represents most helpful.
LVL 3
pma111Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
woolmilkporcConnect With a Mentor Commented:
1) Members of the "security" group are allowed to create/modify user/group accounts by means of smit/smitty, except for those bearing the "admin=true" flag in /etc/security/user. These latter users/groups can only be manipulated by root.
No users except for root are by default members of the "security" group, it's your choice (and responsibility) whom to add to this group.
All files related to user/group/role/ldap/kerberos etc.  administration are by default owned by the "security" group.

Check with:

find /etc /usr/bin /usr/sbin -group security

This group is particular to AIX, as far as I know.

2) "others" is not a group, it's a catch-all for those who are neither the owner nor a member of the owning group of a file.
These users are allowed "read" access to files like /etc/passwd so that (for example) "ls -l" can convert numeric user ids to user names.
And yes, this is the default under AIX.
0
 
pma111Author Commented:
And out of interest, which accounts can open/read the below password hash file on AIX IBM, is this limited to root only (or every user):

/etc/security/passwd
0
 
woolmilkporcCommented:
To answer the follow-up question:

Only root can read/write from/to /etc/security/passwd. Neither group (security) members nor "others" are granted any access, not even "read" access.
0
All Courses

From novice to tech pro — start learning today.