
Files Reference

/etc/security/group File

Purpose

Contains extended group attributes.

Description

The /etc/security/group file contains extended group attributes. This is an ASCII file that contains a stanza for each system group. Each stanza is identified by a group name from the /etc/group file followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a new-line character as does each stanza. You can have multiple default stanzas in the /etc/security/group file. A default stanza applies to all of the stanzas that follow, but does not apply to the stanzas preceding it.

A stanza can have one or more of the following attributes:

Attribute     Description
adms          Defines the group administrators. Administrators are users who can perform administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login-names. The default value is an empty string.
admin         Defines the administrative status of the group. Possible values are:
              true    Defines the group as administrative. Only the root user can change the attributes of groups defined as administrative.
              false   Defines a standard group. The attributes of these groups can be changed by the root user or a member of the security group. This is the default value.
dce_export    Allows the DCE registry to overwrite the local group information with the DCE group information during a DCE export operation. Possible values are:
              true    Local group information will be overwritten.
              false   Local group information will not be overwritten.

For a typical stanza, see the "Examples" section.

You should access the /etc/security/group file through the system commands and subroutines defined for this purpose. You can use the following commands to manage groups:

The mkgroup command adds new groups to the /etc/group file and the /etc/security/group file. Use this command to create an administrative group. You can also use the mkgroup command to set the group administrator.

Use the chgroup command to change all the attributes. If you are an administrator of a standard group, you can change the adms attribute for that group with the chgrpmem command.

The lsgroup command displays both the adms and the admin attributes. The rmgroup command removes the entry from both the /etc/group file and the /etc/security/group file.

To write programs that affect attributes in the /etc/security/group file, use the subroutines listed in Related Information.

Security

Access Control: This file should grant read (r) access to the root user and members of the security group, and to others as permitted by the security policy for the system. Only the root user should have write (w) access.

Auditing Events:

Event            Information
S_GROUP_WRITE    file name

Examples

A typical stanza looks like the following example for the finance group:

finance:
          admin = false
          adms = cjf, scott, sah   
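
The stanza rules in the Description section (a default stanza applies only to the stanzas that follow it, and adms is ignored when admin = true) can be checked with a short parser. This is an added example, not part of the AIX documentation or tooling; the function names, the sample file, the secadm user, and the choice to merge successive default stanzas are assumptions.

```python
import re

# Defaults stated on this page: admin = false, adms = empty string.
BUILTIN = {"admin": "false", "adms": ""}

def parse_security_group(text):
    """Return {group: effective attrs}; a default stanza affects only later stanzas."""
    defaults, groups, current = dict(BUILTIN), {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        header = re.fullmatch(r"([^\s:=]+):", line)
        if header:
            if header.group(1) == "default":
                current = defaults  # assumption: later defaults merge over earlier ones
            else:
                # Snapshot the defaults seen so far, then let the stanza override them.
                current = groups[header.group(1)] = dict(defaults)
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError(f"malformed line: {line!r}")
        current[key.strip()] = value.strip()
    return groups

def review(groups):
    """Return (group, message) pairs where adms is set but has no effect."""
    findings = []
    for name, attrs in groups.items():
        admins = [u.strip() for u in attrs["adms"].split(",") if u.strip()]
        if attrs["admin"] == "true" and admins:
            findings.append((name, f"adms ({', '.join(admins)}) ignored: admin = true"))
    return findings

# Constructed sample; only the finance stanza comes from this page.
SAMPLE = """\
system:
        admin = true
default:
        adms = secadm
finance:
        admin = false
        adms = cjf, scott, sah
staff:
default:
        admin = true
audit:
"""

if __name__ == "__main__":
    print(review(parse_security_group(SAMPLE)))
```

In the sample, system keeps an empty adms because the first default stanza comes after it, staff inherits adms = secadm, and audit is flagged because the second default stanza makes it administrative while it still inherits an adms value.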

Files

/etc/security/group           Specifies the path to the file.
/etc/group                    Contains the basic attributes of groups.
/etc/passwd                   Contains the basic attributes of users.
/etc/security/passwd          Contains password information.
/etc/security/user            Contains the extended attributes of users.
/etc/security/environ         Contains the environment attributes of users.
/etc/security/limits          Contains the process resource limits of users.
/etc/security/audit/config    Contains audit system configuration information.
/etc/security/lastlog         Contains last login information.

Related Information

The chgroup command, chgrpmem command, lsgroup command, mkgroup command, rmgroup command, setgroups command.

The enduserdb subroutine, getgroupattr subroutine, IDtogroup subroutine, nextgroup subroutine, putgroupattr subroutine, setuserdb subroutine.

File and System Security Overview in AIX 5L Version 5.2 System Management Guide: Operating System and Devices.
