[ Bottom of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]

Security Guide

User Accounts

User administration consists of creating users and groups and defining their attributes. A major attribute of users is how they are authenticated. Users are the primary agents on the system. Their attributes control their access rights, environment, how they are authenticated, and how, when, and where their accounts can be accessed.

Groups are collections of users who can share the same access permissions for protected resources. A group has an ID and is composed of members and administrators. The creator of the group is usually the first administrator.

Many attributes can be set for each user account, including password and login attributes. Refer to Disk Quota System Overview for a list of configurable attributes. The following attributes are recommended:

The operating system supports the standard user attributes usually found in the /etc/passwd and /etc/group files, such as:

Authentication Information Specifies the password
Credentials Specifies the user identifier, principal group, and the supplementary group ID
Environment Specifies the home or shell environment.

User Account Control

Each user account has a set of associated attributes. These attributes are created from default values when a user is created using the mkuser command. They can be altered by using the chuser command. The following are the user attributes that are not used to control aspects not related to password quality:

account_locked If an account need to be explicitly locked, this attribute can be set to true, the default is false
admin If set to true, then this user can not change her password. Only the administrator can change it.
admgroups Lists groups for which this user has administrative rights. For those groups the user can add or delete members.
auth1 The authentication method that is used to grant the user access. Typically it is set to SYSTEM which will then use newer methods.
auth2 Method that runs after the user has been authenticated by whatever was specified in auth1. It cannot block access to the system. Typically it is set to NONE.
daemon This boolean parameter specifies whether the user is allowed to start daemons or subsystems with the startsrc command. It also restricts the use of the cron and at facilities.
login Specifies whether this user is allowed to log in at all.
logintimes Restricts when a user can log in. For example, a user may be restricted to accessing the system only during normal business hours.
registry Specifies the user registry. It can be used to tell the system about alternate registries for user information, like NIS, LDAP or Kerberos.
rlogin Specifies whether this user is allowed to log in via rlogin or telnet.
su Specifies whether other users can switch to this id with the su command.
sugroups Specifies which groups are allowed to switch to this user id
ttys Limits certain accounts to physically secure areas
expires Manages student or guest accounts; also can be used to turn off accounts temporarily
loginretries Specifies the maximum number of consecutive failed login attempts bevore the userid is locked by the system. The failed attempts are recoreded in /etc/security/lastlog.
umask Specifies the initial umask for the user

The complete set of user attributes is defined in the /etc/security/user, /etc/security/limits, /etc/security/audit/config and /etc/security/lastlog files. The default for user creation with the mkuser command is specified in /usr/lib/security/mkuser.default file. Only options that override the general defaults in the default stanzas of /etc/security/user and /etc/securtiy/limits as well audit classes have to be specified in the mkuser.default file. Several of these attributes control how a user can log in and they can be configured to lock the user account (prevent further logins) automatically under specified conditions.

Once the user account has been locked by the system, the user is not able to log in until the system administrator resets the user unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than the value of login retries. This can be done using the following chsec command:

chsec -f /etc/security/lastlog -s username -a

The defaults can be changed by using the chsec command to edit the default stanza in the appropriate security file, such as the /etc/security/user or /etc/security/limits files. Many of the defaults are defined to be the standard behavior. To explicitly specify attributes that are set every time a new user is created, change the user entry in /usr/lib/security/mkuser.default.

For information on extended user password attributes, refer to Passwords.

Login User IDs

The operating system identifies users by their login user ID. The login user ID allows the system to trace all user actions to their source. After a user logs in to the system but before running the initial user program, the system sets the login ID of the process to the user ID found in the user database. All subsequent processes during the login session are tagged with this ID. These tags provide a trail of all activities performed by the login user ID. The user can reset the effective user ID, real user ID, effective group ID, real group ID, and supplementary group ID during the session, but cannot change the login user ID.

Strengthening User Security with Access Control Lists

To achieve an appropriate level of security in your system, develop a consistent security policy to manage user accounts. The most commonly used security mechanism is the access control list (ACL). For information about ACLs and developing a security policy, see the Access Control List section in this book.

PATH Environment Variable

The PATH environment variable is an important security control. It specifies the directories to be searched to find a command. The default systemwide PATH value is specified in the /etc/profile file, and each user normally has a PATH value in the user's $HOME/.profile file. The PATH value in the .profile file either overrides the systemwide PATH value or adds extra directories to it.

Unauthorized changes to the PATH environment variable can enable a user on the system to "spoof" other users (including root users). Spoofing programs (also called Trojan horse programs) replace system commands and then capture information meant for that command, such as user passwords.

For example, suppose a user changes the PATH value so that the system searches the /tmp directory first when a command is run. Then the user places in the /tmp directory a program called su that asks for the root password just like the su command. Then the /tmp/su program mails the root password to the user and calls the real su command before exiting. In this scenario, any root user who used the su command would reveal the root password and not even be aware of it. This is just one of many scenarios for gaining confidential information by altering PATH values.

However, following a few simple steps will prevent any problems with the PATH environment variable for system administrators and users:

[ Top of Page | Previous Page | Next Page | Contents | Index | Library Home | Legal | Search ]