
Security Guide

User Accounts

User administration consists of creating users and groups and defining their attributes. A major attribute of users is how they are authenticated. Users are the primary agents on the system. Their attributes control their access rights, environment, how they are authenticated, and how, when, and where their accounts can be accessed.

Groups are collections of users who can share the same access permissions for protected resources. A group has an ID and is composed of members and administrators. The creator of the group is usually the first administrator.

Many attributes can be set for each user account, including password and login attributes. Refer to Disk Quota System Overview for a list of configurable attributes. The following attributes are recommended:

The operating system supports the standard user attributes usually found in the /etc/passwd and /etc/group files, such as:

Authentication Information: Specifies the password.
Credentials: Specifies the user identifier, principal group, and the supplementary group ID.
Environment: Specifies the home or shell environment.

User Account Control

Each user account has a set of associated attributes. These attributes are created from default values when a user is created with the mkuser command, and they can be altered with the chuser command. The following user attributes control aspects of the account that are not related to password quality:

account_locked: If an account needs to be explicitly locked, this attribute can be set to true; the default is false.
admin: If set to true, this user cannot change her password. Only the administrator can change it.
admgroups: Lists the groups for which this user has administrative rights. For those groups, the user can add or delete members.
auth1: The authentication method that is used to grant the user access. Typically it is set to SYSTEM, which then uses the newer methods.
auth2: Method that runs after the user has been authenticated by whatever was specified in auth1. It cannot block access to the system. Typically it is set to NONE.
daemon: This boolean parameter specifies whether the user is allowed to start daemons or subsystems with the startsrc command. It also restricts the use of the cron and at facilities.
login: Specifies whether this user is allowed to log in at all.
logintimes: Restricts when a user can log in. For example, a user may be restricted to accessing the system only during normal business hours.
registry: Specifies the user registry. It can be used to tell the system about alternate registries for user information, such as NIS, LDAP, or Kerberos.
rlogin: Specifies whether this user is allowed to log in via rlogin or telnet.
su: Specifies whether other users can switch to this ID with the su command.
sugroups: Specifies which groups are allowed to switch to this user ID.
ttys: Limits certain accounts to physically secure areas.
expires: Manages student or guest accounts; it can also be used to turn off accounts temporarily.
loginretries: Specifies the maximum number of consecutive failed login attempts before the user ID is locked by the system. The failed attempts are recorded in /etc/security/lastlog.
umask: Specifies the initial umask for the user.

The complete set of user attributes is defined in the /etc/security/user, /etc/security/limits, /etc/security/audit/config and /etc/security/lastlog files. The default for user creation with the mkuser command is specified in the /usr/lib/security/mkuser.default file. Only options that override the general defaults in the default stanzas of /etc/security/user and /etc/security/limits, as well as audit classes, have to be specified in the mkuser.default file. Several of these attributes control how a user can log in, and they can be configured to lock the user account (prevent further logins) automatically under specified conditions.

Once the user account has been locked by the system, the user is not able to log in until the system administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to a value less than loginretries. This can be done with the following chsec command:

chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=0
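As an added example, not code from this guide, the following POSIX sh script reads the stanza format used by /etc/security/user and /etc/security/lastlog from constructed sample copies and lists the accounts the system would currently refuse to log in: those with account_locked set to true and those whose unsuccessful_login_count has reached their effective loginretries (per-user value, else the default stanza). These are the accounts whose counter the chsec command above resets.

```shell
#!/bin/sh
# Added example, not the guide's own code: list accounts the system would refuse
# to log in, using constructed copies of the stanza files named above.
# On a real system read /etc/security/user and /etc/security/lastlog instead.

# Constructed sample of /etc/security/user (per-user stanzas override default)
USER_FILE='default:
        loginretries = 5
        account_locked = false
alice:
        loginretries = 3
bob:
        account_locked = true
carol:'

# Constructed sample of /etc/security/lastlog (failed-login counters)
LASTLOG_FILE='alice:
        time_last_login = 1700000000
        unsuccessful_login_count = 3
carol:
        unsuccessful_login_count = 2'

# stanza_get CONTENT USER ATTR: value of ATTR in USER's stanza, else the
# value in the default stanza, else nothing.
stanza_get() {
    printf '%s\n' "$1" | awk -v u="$2" -v a="$3" '
        /^[^ \t].*:$/        { cur = substr($0, 1, length($0) - 1); next }
        $1 == a && $2 == "=" { val[cur] = $3 }
        END { if (u in val) print val[u]; else if ("default" in val) print val["default"] }'
}

# locked_users: users with account_locked = true, or whose failed-login count
# reached loginretries (loginretries = 0 means no limit, so it never locks).
locked_users() {
    for user in $(printf '%s\n' "$USER_FILE" | awk -F: '/^[^ \t].*:$/ && $1 != "default" { print $1 }'); do
        retries=$(stanza_get "$USER_FILE" "$user" loginretries)
        locked=$(stanza_get "$USER_FILE" "$user" account_locked)
        count=$(stanza_get "$LASTLOG_FILE" "$user" unsuccessful_login_count)
        : "${retries:=0}" "${count:=0}"
        if [ "$locked" = true ] || { [ "$retries" -gt 0 ] && [ "$count" -ge "$retries" ]; }; then
            echo "$user"
        fi
    done
}

locked_users   # prints: alice (3 of 3 failures), bob (explicitly locked)
```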

The defaults can be changed by using the chsec command to edit the default stanza in the appropriate security file, such as the /etc/security/user or /etc/security/limits files. Many of the defaults are defined to be the standard behavior. To explicitly specify attributes that are set every time a new user is created, change the user entry in /usr/lib/security/mkuser.default.

For information on extended user password attributes, refer to Passwords.

Login User IDs

The operating system identifies users by their login user ID. The login user ID allows the system to trace all user actions to their source. After a user logs in to the system but before running the initial user program, the system sets the login ID of the process to the user ID found in the user database. All subsequent processes during the login session are tagged with this ID. These tags provide a trail of all activities performed by the login user ID. The user can reset the effective user ID, real user ID, effective group ID, real group ID, and supplementary group ID during the session, but cannot change the login user ID.

Strengthening User Security with Access Control Lists

To achieve an appropriate level of security in your system, develop a consistent security policy to manage user accounts. The most commonly used security mechanism is the access control list (ACL). For information about ACLs and developing a security policy, see the Access Control List section in this book.

PATH Environment Variable

The PATH environment variable is an important security control. It specifies the directories to be searched to find a command. The default systemwide PATH value is specified in the /etc/profile file, and each user normally has a PATH value in the user's $HOME/.profile file. The PATH value in the .profile file either overrides the systemwide PATH value or adds extra directories to it.

Unauthorized changes to the PATH environment variable can enable a user on the system to "spoof" other users (including root users). Spoofing programs (also called Trojan horse programs) replace system commands and then capture information meant for that command, such as user passwords.

For example, suppose a user changes the PATH value so that the system searches the /tmp directory first when a command is run. Then the user places in the /tmp directory a program called su that asks for the root password just like the su command. Then the /tmp/su program mails the root password to the user and calls the real su command before exiting. In this scenario, any root user who used the su command would reveal the root password and not even be aware of it. This is just one of many scenarios for gaining confidential information by altering PATH values.
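As an added example, not code from this guide, the following POSIX sh function audits a PATH value for the conditions the scenario above depends on: relative entries, directories that do not exist, and directories that are world-writable or not owned by root, any of which lets another user place a look-alike command ahead of the real one. The "reason:entry" output format and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the guide's own code: audit a PATH value for the
# weaknesses the su spoofing scenario above relies on. A relative entry
# makes lookup depend on the current directory; a world-writable or
# non-root-owned directory lets other users plant a look-alike command.
# Uses only POSIX sh, ls, cut and awk.

# path_findings PATHVALUE: print one "reason:entry" line per weak entry.
path_findings() {
    saved_ifs=$IFS
    IFS=:
    set -f; set -- $1; set +f       # split on ':' without globbing; "a::b" yields an empty entry
    IFS=$saved_ifs
    for dir in "$@"; do
        case $dir in
            "") echo "relative:(empty)"; continue ;;   # empty field means "."
            /*) ;;                                     # absolute, keep checking
            *)  echo "relative:$dir"; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "missing:$dir"; continue              # whoever creates it later wins
        fi
        # ls -ldL prints e.g. "drwxrwxrwt 2 root system ...": character 9 is
        # the world-write bit (with or without the sticky bit), field 3 the owner.
        info=$(ls -ldL "$dir")
        if [ "$(printf '%s\n' "$info" | cut -c9)" = w ]; then
            echo "world-writable:$dir"
        fi
        if [ "$(printf '%s\n' "$info" | awk '{ print $3 }')" != root ]; then
            echo "not-root-owned:$dir"
        fi
    done
}

# path_is_safe PATHVALUE: succeed only when path_findings reports nothing.
path_is_safe() {
    [ -z "$(path_findings "$1")" ]
}

path_findings "$PATH"   # audit the caller's own PATH
```

Run it against the systemwide value from /etc/profile and against each user's $HOME/.profile value; an empty result means no entry is relative, missing, world-writable, or owned by someone other than root.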

However, following a few simple steps will prevent any problems with the PATH environment variable for system administrators and users:
