Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Confused

Status
Not open for further replies.
BeatrixKiddo

BeatrixKiddo

ISP
Feb 22, 2009
60
0
0
MX
Hello everyone,

Checking configuration access files of an AIX server, left me wondering this:

- If a user is added to system group, it shares gid=0 with some security risks because it gets some root kind of access level.

- Is this insecure condition is kept if the user has admin variable equal to FALSE in /etc/security/user file?

What is the resultant combination of having gid=0 and ADMIN=FALSE?
 
Sort by date Sort by votes
Never tried it! I would assume that the user would be able to access the system group level files but won't be able to run certain commands!

Worth trying!
 
Upvote 0 Downvote
Q If a user is added to system group, it shares gid=0 with some security risks because it gets some root kind of access level.

A gid=0 is not the same as uid=0. File access control in UNIX-like operating systems is ignored for uid=0 and euid=0. That means root (or any other user with uid=0) can access *any* file at all, no matter what the permissions are. Non-root users with gid=0 can only access files with permissions which allow them to.

Q Is this insecure condition is kept if the user has admin variable equal to FALSE in /etc/security/user file?

Q ADMIN=FALSE is not involved in file access security. The documentation will tell you that "Only the root user can change the attributes of users defined as administrators.".
 
Upvote 0 Downvote
What happens if the user is also part of security group (gid=7).
 
Upvote 0 Downvote
If the user is also part of security group, or indeed any group, then that user can also access, files for which they have access. Consider these files:

-rw-r--r-- 1 root security 1380 26 Sep 2008 /etc/passwd
-rw-r----- 1 root security 701 24 Jul 2008 /etc/security/group
-rw------- 1 root security 1319 08 Mar 2010 /etc/security/passwd

Lots of programs need info from /etc/passwd so it is world readable - or in "user/group/other" terms other has read permission. /etc/security/group may be changed by user who belong to security group, so it has "group" read access but not "other". /etc/security/passwd is only readable by root or by programs which we trust with setuid and owner=0.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

polani
  • Locked
  • Question
confused about SDDPCM on VIO server?
Replies
2
Views
68
p5wizard
p5wizard
aixchild
  • Locked
  • Question
lsvg against df - for space available - confused
Replies
2
Views
52
aixchild
aixchild
KenCunningham
  • Locked
  • Question
Confused by MLs 2
Replies
3
Views
37
KenCunningham
KenCunningham
dman7777777
  • Locked
  • Question
Confused about where the filesystems are built on
Replies
5
Views
54
MoreFeo
MoreFeo
alexhu
  • Locked
  • Question
Confused about Maintainance Levels! 1
Replies
4
Views
44
raylin
raylin

Part and Inventory Search

Sponsor

Back
Top