User administration consists of creating users and groups and defining their attributes. A major attribute of users is how they are authenticated. Users are the primary agents on the system. Their attributes control their access rights, environment, how they are authenticated, and how, when, and where their accounts can be accessed.
Groups are collections of users who can share the same access permissions for protected resources. A group has an ID and is composed of members and administrators. The creator of the group is usually the first administrator.
Many attributes can be set for each user account, including password and login attributes. Refer to Disk Quota System Overview for a list of configurable attributes. The following attributes are recommended:
The operating system supports the standard user attributes usually found in the /etc/passwd and /etc/group files, such as:
Attribute | Description
Authentication Information | Specifies the password.
Credentials | Specifies the user identifier, principal group, and the supplementary group ID.
Environment | Specifies the home or shell environment.
Each user account has a set of associated attributes. These attributes are created from default values when a user is created using the mkuser command. They can be altered by using the chuser command. The following are the user attributes that are not used to control aspects not related to password quality:
The complete set of user attributes is defined in the /etc/security/user, /etc/security/limits, /etc/security/audit/config and /etc/security/lastlog files. The defaults for user creation with the mkuser command are specified in the /usr/lib/security/mkuser.default file. Only options that override the general defaults in the default stanzas of /etc/security/user and /etc/security/limits, as well as audit classes, have to be specified in the mkuser.default file. Several of these attributes control how a user can log in, and they can be configured to lock the user account (prevent further logins) automatically under specified conditions.
Once the user account has been locked by the system, the user is not able to log in until the system administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to a value less than the loginretries attribute. This can be done using the following chsec command:
chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=0
The defaults can be changed by using the chsec command to edit the default stanza in the appropriate security file, such as the /etc/security/user or /etc/security/limits files. Many of the defaults are defined to be the standard behavior. To explicitly specify attributes that are set every time a new user is created, change the user entry in /usr/lib/security/mkuser.default.
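The following script is an added example, not part of the original documentation: it shows how an administrator can find accounts that the lockout rule above has closed and produce the matching chsec reset commands for review. The stanza text is constructed in the layout of /etc/security/lastlog (it is not a real file), the threshold of 3 is a constructed loginretries value, and the function names locked_users and reset_commands are ours. The reset commands are printed, not executed, so the script runs without chsec or root privileges.

```shell
#!/bin/sh
# Added example: list accounts whose unsuccessful_login_count has reached
# loginretries and emit the chsec reset command from the text for each.
# The stanza text below is constructed in the layout of
# /etc/security/lastlog; it is not the contents of a real file.

SAMPLE_LASTLOG='root:
        time_last_login = 1700000000
        unsuccessful_login_count = 0

alice:
        time_last_login = 1700000100
        unsuccessful_login_count = 5

bob:
        unsuccessful_login_count = 2
'

# locked_users STANZA_TEXT RETRIES
# Prints one user name per line whose unsuccessful_login_count is at or
# above RETRIES (the effective loginretries value), i.e. accounts that stay
# locked until the counter is reset.
locked_users() {
    printf '%s\n' "$1" | awk -v retries="$2" '
        # A stanza header is a name followed by a colon on its own line.
        /^[^ \t#][^:]*:[ \t]*$/ { user = $1; sub(/:$/, "", user); next }
        # Attribute lines are "name = value"; compare the value numerically.
        $1 == "unsuccessful_login_count" && $2 == "=" {
            if (user != "" && $3 + 0 >= retries + 0) print user
        }'
}

# reset_commands STANZA_TEXT RETRIES
# Prints, without executing, the chsec command that clears the counter for
# each locked user, so the administrator can review them before running as root.
reset_commands() {
    locked_users "$1" "$2" | while IFS= read -r name; do
        printf 'chsec -f /etc/security/lastlog -s %s -a unsuccessful_login_count=0\n' "$name"
    done
}

# Usage: retries=3 is a constructed threshold, not a system default.
locked_users "$SAMPLE_LASTLOG" 3
reset_commands "$SAMPLE_LASTLOG" 3
```

On a live system the stanza text would come from /etc/security/lastlog itself and the threshold from the loginretries value in /etc/security/user; per-user overrides of loginretries would need to be read per stanza rather than passed as a single number.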
For information on extended user password attributes, refer to Passwords.
The operating system identifies users by their login user ID. The login user ID allows the system to trace all user actions to their source. After a user logs in to the system but before running the initial user program, the system sets the login ID of the process to the user ID found in the user database. All subsequent processes during the login session are tagged with this ID. These tags provide a trail of all activities performed by the login user ID. The user can reset the effective user ID, real user ID, effective group ID, real group ID, and supplementary group ID during the session, but cannot change the login user ID.
To achieve an appropriate level of security in your system, develop a consistent security policy to manage user accounts. The most commonly used security mechanism is the access control list (ACL). For information about ACLs and developing a security policy, see the Access Control List section in this book.
The PATH environment variable is an important security control. It specifies the directories to be searched to find a command. The default systemwide PATH value is specified in the /etc/profile file, and each user normally has a PATH value in the user's $HOME/.profile file. The PATH value in the .profile file either overrides the systemwide PATH value or adds extra directories to it.
Unauthorized changes to the PATH environment variable can enable a user on the system to "spoof" other users (including root users). Spoofing programs (also called Trojan horse programs) replace system commands and then capture information meant for that command, such as user passwords.
For example, suppose a user changes the PATH value so that the system searches the /tmp directory first when a command is run. Then the user places in the /tmp directory a program called su that asks for the root password just like the su command. Then the /tmp/su program mails the root password to the user and calls the real su command before exiting. In this scenario, any root user who used the su command would reveal the root password and not even be aware of it. This is just one of many scenarios for gaining confidential information by altering PATH values.
However, following a few simple steps will prevent any problems with the PATH environment variable for system administrators and users:
/usr/bin/su - root
This ensures that the root environment is used during the session. If a system administrator does operate as root in another user session, then the system administrator should specify full path names throughout the session.
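As an added example (not part of the original documentation), the following POSIX shell function audits a PATH value for the conditions that make the /tmp/su scenario above possible: empty or relative entries, which the shell resolves to the current directory, and absolute directories that any user can write to. The function name audit_path and the three checks are our own choices; the script only reads directory permissions and changes nothing.

```shell
#!/bin/sh
# Added example: audit a PATH value for entries that let a user plant a
# spoofed command such as the /tmp/su described above. Reports empty and
# relative entries (they resolve to the current directory) and absolute
# directories writable by everyone. Returns 1 if anything was found, 0 if
# the PATH is clean. The helper name audit_path is ours, not a system tool.

# audit_path PATH_VALUE
audit_path() {
    path_value=$1
    findings=0

    # A leading, trailing or doubled colon is an empty entry, which the
    # shell treats as the current directory.
    case "$path_value" in
        :*|*:|*::*)
            echo "empty entry (current directory) in PATH"
            findings=1 ;;
    esac

    old_ifs=$IFS
    IFS=:
    for entry in $path_value; do
        IFS=$old_ifs
        case "$entry" in
            "")  ;;                        # already reported above
            .|..)
                echo "relative entry '$entry' resolves to the current directory"
                findings=1 ;;
            /*)
                # Column 9 of ls -ld output is the write bit for "others".
                if [ -d "$entry" ] && [ "$(ls -ld "$entry" | cut -c9)" = "w" ]; then
                    echo "world-writable directory '$entry' in PATH"
                    findings=1
                fi ;;
            *)
                echo "relative entry '$entry' in PATH"
                findings=1 ;;
        esac
    done
    IFS=$old_ifs
    return "$findings"
}

# Usage: check the current shell's PATH, then the attack scenario from the text.
audit_path "$PATH" && echo "PATH looks clean"
audit_path "/tmp:/usr/bin:/etc:/usr/sbin" || echo "PATH allows command spoofing"
```

Running the function over each user's $HOME/.profile PATH assignment, as well as the systemwide value in /etc/profile, turns the advice above into a repeatable check rather than a one-time review.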