Softpanorama

Home Switchboard Unix Administration Red Hat TCP/IP Networks Neoliberalism Toxic Managers
May the source be with you, but remember the KISS principle ;-)

AIX User and Group Administration

News

See also

Redbooks IBM Links Recommended Links Reference
Using Smit for user administration Using Smit for group administration User administration via command line Group administration via command line    
Useful AIX commands smit sudo Tips Humor Etc

There are three ways to administer users and groups in AIX

Before going into the commands to create, modify, and maintain users and groups in AIX, it is important that you know what is happening behind the scenes. For example, you should understand the files and what they mean.

Look at the some of the files that affect the user itself:

/etc/passwd

The file /etc/passwd contains the basics of a user and is probably the best-known file to UNIX® and Linux® users for user administration.

	
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
bin:!:2:2::/bin:
sys:!:3:3::/usr/sys:
adm:!:4:4::/var/adm:
uucp:!:5:5::/usr/lib/uucp:
guest:!:100:100::/home/guest:
nobody:!:4294967294:4294967294::/:
lpd:!:9:4294967294::/:
lp:*:11:11::/var/spool/lp:/bin/false
invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh
snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd
ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh
nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh
esaadmin:*:10:0::/var/esa:/usr/bin/ksh
sshd:*:206:201::/var/empty:/usr/bin/ksh
atc:!:8000:400:Adam Cormany,Sr UNIX Admin:/home/atc:/bin/ksh
amdc:!:8001:401:AMDC:/home/amdc:/bin/ksh
pac:!:8002:400:PAC,Jr UNIX Admin:/home/pac:/bin/ksh
atc2:!:8003:402:ATCv2:/home/atc2:/bin/ksh
As you can see, the file is colon (:) delimited, and each entry contains seven fields in the following format (with spaces added before and after delimiter to ease reading):
Username : Password Flag : UID : GID : GECOS : Home : Shell/Command
Here's the line-by-line breakdown:

/etc/security/.profile

The file /etc/security/.profile can really save you some valuable time and ease frustration. When you create a user using the mkuser command, the script /usr/lib/security/mkuser.sys is executed. This script creates the user's directory, sets the correct permissions, and "creates" the user's .profile. The mkuser.sys script actually copies the /etc/security/.profile file into the user's new home directory.

If you are building a new system, or maybe a new division of 100 people needs accounts on a system, make sure you make your changes to the /etc/security/.profile file before creating all the users' accounts. If you create the accounts and then realize that you need to make a simple change in a variable or modify another setting, you're going to have to manually make the change to everyone's profile. It could be scripted out easily, but life would have been much simpler if you would have just changed the /etc/security/.profile.

PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:.

export PATH

if [ -s "$MAIL" ]           # This is at Shell startup.  In normal
then echo "$MAILMSG"        # operation, the Shell checks
fi                          # periodically.

/etc/security/limits

The /etc/security/limits file contains all the ulimits, or users' system resource limitations. The fields in the /etc/security/limits file: 

Soft limit Hard limit Description
fsize fsize_hard Size of file a user can create
core core_hard Size of core file a user can create
cpu cpu_hard The amount of system time allowed
data data_hard Size of the process data segment
stack stack_hard Size of the process stack segment
rss rss_hard Physical memory allowed
nofiles nofiles_hard Number of open file descriptors at one time
nproc nproc_hard Number of running processes at one time

What's the difference between soft and hard limits? A soft limit is a value that a user or application can change on the fly up to the maximum (the hard limit). The hard limit is just that -- the maximum value a parameter can be set to. If setting the parameter to a numeric value is too difficult (for example, if a developer has no idea how much memory his or her program is going to take or the number of files it will need to open), you can set the parameter to -1, which translates to unlimited.

It isn't imperative that you set individual ulimits for each and every user, however. The /etc/security/limits file contains a section called default that defines a template of standard values for each user unless that user has set custom values. If the default section doesn't exist, IBM kindly set predetermined limits just in case.

The IBM default values are:

*   Attribute        Value
*   ==========    ============
*   fsize_hard    set to fsize
*   cpu_hard      set to cpu
*   core_hard         -1
*   data_hard         -1
*   stack_hard      8388608
*   rss_hard          -1
*   nofiles_hard      -1

An example of a /etc/security/limits file.
	
default:
        fsize = 4194303
        core = 16384
        cpu = -1
        data = 262144
        rss = 65536
        stack = 65536

pac:
        fsize = 131072
        fsize_hard = 262144
        core = 262144

 

Considering that user "pac" is a junior UNIX administrator, his fsize soft value was reduced from the default section's 4,194,303 to 131,072; however, you were nice enough to allow the user to increase his value to 262,144, if needed. Also, pac is notorious for finding ways to break his own programs. As a result, you've increased his core ulimit to 262,144.

/etc/security/passwd

The /etc/security/passwd file contains the AIX user's password information. The file contains three fields per user:

Listing 4 provides an example of a /etc/security/password file.


Listing 4. Example /etc/security/password file
 
	
amdc:
        password = oBQaUkPkUryCY
        lastupdate = 1243972006
        flags = ADMCHG

 

In this example, user "amdc" has a password that was set on Tue. Jun. 2 15:46:46 EDT 2009. The next time the user logs in or sus to amdc, he or she will be prompted to change the password.

To convert the seconds from epoch to timestamp you can use Perl one-kliner:

# perl -e 'use POSIX; print strftime("%c\n", localtime(1243972006));'
Tue Jun  2 15:46:46 EDT 2009

/etc/security/user

Now you're getting into the meat of AIX user administration. The /etc/security/user file contains the most important settings, outside of the basics in /etc/passwd, for a user:
 

Parameter Format Description
account_locked TRUE | FALSE Lock out the account; the user is unable to log in if set to True.
admin TRUE | FALSE If True, the user has administrative rights.
expires MMDDHHYY If the date has been reached, the account has expired and is locked.
histexpire 0-260 Number of weeks the user can't reuse a password.
histsize 0-50 Number of passwords previously used that can't be reused.
login TRUE | FALSE User can log in if True.
maxage 0-52 Number of weeks a password is valid.
minage 0-52 Number of weeks a user must wait before changing his or her password.
rlogin TRUE | FALSE The account can be accessed remotely if set to True.
su TRUE | FALSE Others can use su to access this account if set to True.

For a full listing of all parameters, look in your AIX system under /etc/security/user, or see AIX Information Center. Like /etc/security/limits, a default section sets all the fields if not specified by the individual account.

/usr/lib/security/mkuser.default

The /usr/lib/security/mkuser.default file contains values used when creating a new AIX user through mkuser.

	
user:
        pgrp = staff
        groups = staff
        shell = /usr/bin/ksh
        home = /home/$USER

admin:
        pgrp = system
        groups = system
        shell = /usr/bin/ksh
        home = /home/$USER

More parameters can be defined in this file. To view the full list, look at man chuser.

Recommended Links

AIX user and group administration by Adam Cormany

 



Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotesSomerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose BierceBernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOSProgramming Languages History : PL/1 : Simula 67 : C : History of GCC developmentScripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-MonthHow to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least


Copyright © 1996-2018 by Dr. Nikolai Bezroukov. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) in the author free time and without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

 

FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available to advance understanding of computer science, IT technology, economic, scientific, and social issues. We believe this constitutes a 'fair use' of any such copyrighted material as provided by section 107 of the US Copyright Law according to which such material can be distributed without profit exclusively for research and educational purposes.

This is a Spartan WHYFF (We Help You For Free) site written by people for whom English is not a native language. Grammar and spelling errors should be expected. The site contain some broken links as it develops like a living tree...

You can use PayPal to make a contribution, supporting development of this site and speed up access. In case softpanorama.org is down you can use the at softpanorama.info

Disclaimer:

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: September 12, 2017