Security Guide - System Special User Accounts

System Special User Accounts

AIX provides a default set of system special user accounts that prevents root and system from owning all operating system files and file systems.

Attention: Use caution when removing a system special user account. You can disable a specific account by inserting an asterisk (*) at the beginning of its corresponding line of the /etc/security/passwd file. However, be careful not to disable the root user account. If you remove system special user accounts or disable the root account, the operating system will not function.

The following accounts are predefined in the operating system:

root

The root user account, UID 0, sometimes called the superuser account, through which you can perform system maintenance tasks and troubleshoot system problems.

daemon

The daemon user account exists only to own and execute system server processes and their associated files. ) This account guarantees that such processes execute with the appropriate file access permissions.

bin

The bin user account typically owns the executable files for most user commands. This account's primary purpose is to help distribute the ownership of important system directories and files so everything is not owned solely by the root and sys user accounts.

sys

The sys user owns the default mounting point for the Distributed File Service (DFS) cache, which must exist before you can install or configure DFS on a client. The /usr/sys directory can also store install images.

adm

The adm user account owns two basic system functions:

Diagnostics, the tools for which are stored in the /usr/sbin/perf/diag_tool directory.
Accounting, the tools for which are stored in the following directories:
- /usr/sbin/acct
- /usr/lib/acct
- /var/adm
- /var/adm/acct/fiscal
- /var/adm/acct/nite
- /var/adm/acct/sum

nobody

The nobody user account is used by the Network File System (NFS) product to enable remote printing. This account exists so a program can permit temporary root access to root users. For example, before turning on Secure RPC or Secure NFS, check the /etc/public key on the master NIS server to find a user has not been assigned a public key and a secret key. As root user, you can create an entry in the database for each unassigned user by entering:

newkey -u username

Or, you can create an entry in the database for the nobody user account, and then any user can run the chkey program to create their own entries in the database without logging in as root.

Removing Unnecessary Default User Accounts

During installation of the operating system, a number of default user and group IDs are created. Depending on the applications you are running on your system and where your system is located in the network, some of these user and group IDs can become security weaknesses, vulnerable to exploitation. If these users and group IDs are not needed, you can remove them to minimize security risks associated with them.

The following table lists the most common default user IDs that you might be able to remove:

Table 6. Common default user IDs that you might be able to remove.
User ID	Description
uucp, nuucp	Owner of hidden files used by uucp protocol. The uucp user account is used for the UNIX-to-UNIX Copy Program, which is group of commands, programs, and files, present on most UNIX systems, that allows the user to communicate with another UNIX system over a dedicated line or a telephone line.
lpd	Owner of files used by printing subsystem
imnadm	IMN search engine (used by Documentation Library Search)
guest	Allows access to users who do not have access to accounts

Table 6. Common default user IDs that you might be able to remove.

User ID

Description

uucp, nuucp

Owner of hidden files used by uucp protocol. The uucp user account is used for the UNIX-to-UNIX Copy Program, which is group of commands, programs, and files, present on most UNIX systems, that allows the user to communicate with another UNIX system over a dedicated line or a telephone line.

lpd

Owner of files used by printing subsystem

imnadm

IMN search engine (used by Documentation Library Search)

guest

Allows access to users who do not have access to accounts

The following table lists common group IDs that might not be needed:

Table 7. Common group IDs that might not be needed.
Group ID	Description
uucp	Group to which uucpand nuucp users belong
printq	Group to which lpd user belongs
imnadm	Group to which imnadm user belongs

Table 7. Common group IDs that might not be needed.

Group ID

Description

uucp

Group to which uucpand nuucp users belong

printq

Group to which lpd user belongs

imnadm

Group to which imnadm user belongs

Analyze your system to determine which IDs are indeed not needed. There might also be additional user and group IDs that you might not need. Before your system goes into production, perform a thorough evaluation of available IDs.