Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Confused

Status
Not open for further replies.
Feb 22, 2009
60
MX
Hello everyone,

Checking configuration access files of an AIX server, left me wondering this:

- If a user is added to system group, it shares gid=0 with some security risks because it gets some root kind of access level.

- Is this insecure condition is kept if the user has admin variable equal to FALSE in /etc/security/user file?

What is the resultant combination of having gid=0 and ADMIN=FALSE?
 
Never tried it! I would assume that the user would be able to access the system group level files but won't be able to run certain commands!

Worth trying!
 
Q If a user is added to system group, it shares gid=0 with some security risks because it gets some root kind of access level.

A gid=0 is not the same as uid=0. File access control in UNIX-like operating systems is ignored for uid=0 and euid=0. That means root (or any other user with uid=0) can access *any* file at all, no matter what the permissions are. Non-root users with gid=0 can only access files with permissions which allow them to.

Q Is this insecure condition is kept if the user has admin variable equal to FALSE in /etc/security/user file?

Q ADMIN=FALSE is not involved in file access security. The documentation will tell you that "Only the root user can change the attributes of users defined as administrators.".
 
What happens if the user is also part of security group (gid=7).
 
If the user is also part of security group, or indeed any group, then that user can also access, files for which they have access. Consider these files:

-rw-r--r-- 1 root security 1380 26 Sep 2008 /etc/passwd
-rw-r----- 1 root security 701 24 Jul 2008 /etc/security/group
-rw------- 1 root security 1319 08 Mar 2010 /etc/security/passwd

Lots of programs need info from /etc/passwd so it is world readable - or in "user/group/other" terms other has read permission. /etc/security/group may be changed by user who belong to security group, so it has "group" read access but not "other". /etc/security/passwd is only readable by root or by programs which we trust with setuid and owner=0.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top