Contains extended group attributes.
The /etc/security/group file contains extended group attributes. This is an ASCII file that contains a stanza for each system group. Each stanza is identified by a group name from the /etc/group file followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a new-line character as does each stanza. You can have multiple default stanzas in the /etc/security/group file. A default stanza applies to all of the stanzas that follow, but does not apply to the stanzas preceding it.
A stanza can have either or both of the following attributes:
Attribute | Description |
---|---|
adms | Defines the group administrators. Administrators are users who can perform administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login-names. The default value is an empty string. |
admin | Defines the administrative status of the group. Possible values are: |
dce_export | Allows the DCE registry to overwrite the local group information with the DCE group information during a DCE export operation. Possible values are: |
For a typical stanza, see the "Examples" section.
You should access the /etc/security/group file through the system commands and subroutines defined for this purpose. You can use the following commands to manage groups:
The mkgroup command adds new groups to the /etc/group file and the /etc/security/group file. Use this command to create an administrative group. You can also use the mkgroup command to set the group administrator.
Use the chgroup command to change all the attributes. If you are an administrator of a standard group, you can change the adms attribute for that group with the chgrpmem command.
The lsgroup command displays both the adms and the admin attributes. The rmgroup command removes the entry from both the /etc/group file and the /etc/security/group file.
To write programs that affect attributes in the /etc/security/group file, use the subroutines listed in Related Information.
Access Control: This file should grant read (r) access to the root user and members of the security group, and to others as permitted by the security policy for the system. Only the root user should have write (w) access.
Auditing Events:
Event | Information |
---|---|
S_GROUP_WRITE | file name |
A typical stanza looks like the following example for the finance group:
    finance:
        admin = false
        adms = cjf, scott, sah
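The stanza rules described above (default stanzas that apply only to the stanzas after them, and adms being ignored when admin = true) can be checked with a small parser. This is an added example, not part of the original documentation or of AIX. It assumes that lines starting with * are comments, that a later default stanza merges over an earlier one, and that a group with no admin attribute is treated as non-administrative.

```python
# Added example: parser for the stanza format described on this page.
# SAMPLE is constructed input, not taken from a real system.
SAMPLE = """\
default:
    admin = false

finance:
    adms = cjf, scott, sah

default:
    admin = true

security:
    adms = root
"""

def parse_group_stanzas(text):
    """Return {group: {attr: value}}; a default stanza affects only later stanzas."""
    groups, defaults, current = {}, {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("*"):  # assumption: '*' begins a comment
            continue
        if line.endswith(":") and "=" not in line:
            name = line[:-1].strip()
            if name == "default":
                current = defaults  # assumption: later defaults merge over earlier
            else:
                # Copy the defaults seen so far; later default stanzas cannot change it.
                current = groups[name] = dict(defaults)
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"line {lineno}: expected 'Attribute = Value' in a stanza")
        current[key.strip()] = value.strip()
    return groups

def effective_admins(attrs):
    """Users who can administer the group; adms is ignored when admin = true."""
    # Assumption: a missing admin attribute means the group is not administrative.
    if attrs.get("admin", "false").lower() == "true":
        return []  # only the root user can alter an administrative group
    return [u.strip() for u in attrs.get("adms", "").split(",") if u.strip()]

def ignored_adms(groups):
    """Groups whose adms list is set but has no effect because admin = true."""
    return sorted(g for g, a in groups.items()
                  if a.get("adms") and a.get("admin", "false").lower() == "true")
```

A non-empty result from ignored_adms points at stanzas where someone is listed as a group administrator but cannot act as one, which is worth reconciling during an access review.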
/etc/security/group | Specifies the path to the file. |
/etc/group | Contains the basic attributes of groups. |
/etc/passwd | Contains the basic attributes of users. |
/etc/security/passwd | Contains password information. |
/etc/security/user | Contains the extended attributes of users. |
/etc/security/environ | Contains the environment attributes of users. |
/etc/security/limits | Contains the process resource limits of users. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/lastlog | Contains last login information. |
The chgroup command, chgrpmem command, lsgroup command, mkgroup command, rmgroup command, setgroups command.
The enduserdb subroutine, getgroupattr subroutine, IDtogroup subroutine, nextgroup subroutine, putgroupattr subroutine, setuserdb subroutine.
File and System Security Overview in AIX 5L Version 5.2 System Management Guide: Operating System and Devices.