Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Confused

Status
Not open for further replies.
BeatrixKiddo

BeatrixKiddo

ISP
Feb 22, 2009
60
MX
Hello everyone,

Checking configuration access files of an AIX server, left me wondering this:

- If a user is added to system group, it shares gid=0 with some security risks because it gets some root kind of access level.

- Is this insecure condition is kept if the user has admin variable equal to FALSE in /etc/security/user file?

What is the resultant combination of having gid=0 and ADMIN=FALSE?
 
Sort by date Sort by votes
Never tried it! I would assume that the user would be able to access the system group level files but won't be able to run certain commands!

Worth trying!
 
Upvote 0 Downvote
Q If a user is added to system group, it shares gid=0 with some security risks because it gets some root kind of access level.

A gid=0 is not the same as uid=0. File access control in UNIX-like operating systems is ignored for uid=0 and euid=0. That means root (or any other user with uid=0) can access *any* file at all, no matter what the permissions are. Non-root users with gid=0 can only access files with permissions which allow them to.

Q Is this insecure condition is kept if the user has admin variable equal to FALSE in /etc/security/user file?

Q ADMIN=FALSE is not involved in file access security. The documentation will tell you that "Only the root user can change the attributes of users defined as administrators.".
 
Upvote 0 Downvote
What happens if the user is also part of security group (gid=7).
 
Upvote 0 Downvote
If the user is also part of security group, or indeed any group, then that user can also access, files for which they have access. Consider these files:

-rw-r--r-- 1 root security 1380 26 Sep 2008 /etc/passwd
-rw-r----- 1 root security 701 24 Jul 2008 /etc/security/group
-rw------- 1 root security 1319 08 Mar 2010 /etc/security/passwd

Lots of programs need info from /etc/passwd so it is world readable - or in "user/group/other" terms other has read permission. /etc/security/group may be changed by user who belong to security group, so it has "group" read access but not "other". /etc/security/passwd is only readable by root or by programs which we trust with setuid and owner=0.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

polani
  • Locked
  • Question
confused about SDDPCM on VIO server?
Replies
2
Views
83
p5wizard
p5wizard
aixchild
  • Locked
  • Question
lsvg against df - for space available - confused
Replies
2
Views
62
aixchild
aixchild
KenCunningham
  • Locked
  • Question
Confused by MLs 2
Replies
3
Views
41
KenCunningham
KenCunningham
dman7777777
  • Locked
  • Question
Confused about where the filesystems are built on
Replies
5
Views
66
MoreFeo
MoreFeo
alexhu
  • Locked
  • Question
Confused about Maintainance Levels! 1
Replies
4
Views
47
raylin
raylin

Part and Inventory Search

Sponsor

Back
Top