chgroup Command

AIX Version 4.3 Commands Reference, Volume 1

chgroup Command

Purpose

Changes attributes for groups.

Syntax

chgroup Attribute=Value ... Group

Description

Attention: Do not use the chgroup command if you have a Network Information Service (NIS) database installed on your system, as this could cause serious system database inconsistencies.

The chgroup command changes attributes for the group specified by the Group parameter. The group name must already exist as a string of 8 bytes or less. To change an attribute, specify the attribute name and the value you want to change it to in the Attribute=Value parameter.

You can use the Web-based System Manager Users application (wsm users fast path) to run this command. You could also use the System Management Interface Tool (SMIT) smit chgroup fast path to run this command.

Restrictions on Changing Groups

To ensure the security of group information, there are restrictions on using the chgroup command. The root user can change any group. A root user can do the following:

Make a group an administrative group by setting the admin attribute to true.
Change any attributes of an administrative group.
Add users to an administrative group's administrators list.

An administrative group is a group with the admin attribute set to true. Members of the security group can change the attributes of nonadministrative groups including adding users to the list of administrators.

The Attributes

You change attributes by specifying an Attribute=Value parameter. If you have the proper authority you can set the following group attributes:

adms

Defines the users who can perform administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The Value parameter is a list of comma-separated user login names. If you do not specify a Value parameter, all the administrators are removed.

admin

Defines the administrative status of the group. Possible values are:

true	Defines the group as administrative. Only the root user can change the attributes of groups defined as administrative.
false	Defines a standard group. The attributes of these groups can be changed by the root user or a member of the security group. This is the default value.

The group ID. The Value parameter is a unique integer string. Changing this attribute compromises system security and, for this reason, you should not change this attribute.

users

A list of one or more users in the form: User1,User2,...,Usern. Separate group member names with commas. Each user must be defined in the database configuration files. You cannot remove users from their primary group.

The adms and admin attributes are set in the /etc/security/group file. The remaining attributes are set in the /etc/group file. If any of the attributes you specify with the chgroup command are invalid, the command makes no changes at all.

Security

Access Control: This command should grant execute (x) access only to the root user and the security group. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.

Files Accessed:

Mode	File
rw	/etc/group
rw	/etc/security/group
r	/etc/passwd

Auditing Events:

Event	Information
GROUP_Change	group, attributes

Examples

To add sam and caro l to the finance group, which currently only has frank as a member, enter:
```
chgroup users=sam,carol,frank  finance
```
To remove frank from the finance group, but retain sam and carol , and to remove the administrators of the finance group, enter:
```
chgroup users=sam,carol adms= finance
```
In this example, two attribute values were changed. The name frank was omitted from the list of members, and the value for the adms attribute was left blank.

Files

/usr/bin/chgroup	Specifies the path to the chgroup command.
/etc/group	Contains the basic attributes of groups.
/etc/security/group	Contains the extended attributes of groups.
/etc/passwd	Contains the basic attributes of users.

Related Information

The chfn command, chgrpmem command, chsh command, chuser command, lsgroup command, lsuser command, mkgroup command, mkuser command, passwd command, pwdadm command, rmgroup command, rmuser command, setgroups command, setsenv command.

Setting up and running Web-based System Management in AIX Version 4.3 System Management Guide: Operating System and Devices.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration in AIX Version 4.3 System Management Guide: Operating System and Devices.