Administering users and groups in IBM AIX is an essential part of an administrator's duties. You can manage users and groups in many different ways: You can maintain them through the AIX System Management Interface Tool (SMIT), manually editing the configuration files, or by using command-line commands. This article discusses the configuration files behind users and groups on AIX, as well as command-line tools designed to help manage the users and groups easily.
Before going into the commands to create, modify, and maintain users and groups in AIX, it is important that you know what is happening behind the scenes. For example, you should understand the files and what they mean.
Look at the some of the files that affect the user itself:
The file /etc/passwd contains the basics of a user and is probably the best-known file to UNIX® and Linux® users for user administration. Listing 1 provides an example of an /etc/passwd file.
Listing 1. Example /etc/passwd file
root:!:0:0::/:/usr/bin/ksh daemon:!:1:1::/etc: bin:!:2:2::/bin: sys:!:3:3::/usr/sys: adm:!:4:4::/var/adm: uucp:!:5:5::/usr/lib/uucp: guest:!:100:100::/home/guest: nobody:!:4294967294:4294967294::/: lpd:!:9:4294967294::/: lp:*:11:11::/var/spool/lp:/bin/false invscout:*:6:12::/var/adm/invscout:/usr/bin/ksh snapp:*:200:13:snapp login user:/usr/sbin/snapp:/usr/sbin/snappd ipsec:*:201:1::/etc/ipsec:/usr/bin/ksh nuucp:*:7:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico pconsole:*:8:0::/var/adm/pconsole:/usr/bin/ksh esaadmin:*:10:0::/var/esa:/usr/bin/ksh sshd:*:206:201::/var/empty:/usr/bin/ksh atc:!:8000:400:Adam Cormany,Sr UNIX Admin:/home/atc:/bin/ksh amdc:!:8001:401:AMDC:/home/amdc:/bin/ksh pac:!:8002:400:PAC,Jr UNIX Admin:/home/pac:/bin/ksh atc2:!:8003:402:ATCv2:/home/atc2:/bin/ksh
As you can see, the file is colon (
:) delimited, and
each entry contains seven fields in the following format (with spaces added
before and after delimiter to ease reading):
Username : Password Flag : UID : GID : GECOS : Home : Shell/Command
Here's the line-by-line breakdown:
- Username. This is the login/user name associated with the account.
- Password Flag. This field varies slightly in different flavors
of UNIX and Linux. In AIX, the second field can contain one of
two characters, either
*. If the
!is displayed, a password has been set for the user. If no password has been set,
*appears. The passwords themselves are stored in /etc/security/passwd.
- UID. The User Identifier (UID) is a numeric identifier to a user.
- GID. The Group Identifier (GID) is similar to the UID but is associated with groups. The GIDs are defined in /etc/group.
- GECOS. The General Electric Comprehensive Operating System (GECOS) information is stored in the fifth field. The user's name, phone numbers, and other generic personal information are stored here.
- Home. This is the user's home directory.
- Shell/Command. Typically, the seventh and final field contains the shell that is started at the user's login. Administrators can also change this field to execute other commands instead of shells to limit access (for example, /bin/false).
The file /etc/security/.profile can really save you some valuable time and
ease frustration. When you create a user using the
command, the script /usr/lib/security/mkuser.sys is executed. This script
creates the user's directory, sets the correct permissions, and "creates" the
user's .profile. The mkuser.sys script actually copies the /etc/security/.profile
file into the user's new home directory.
If you are building a new system, or maybe a new division of 100 people needs accounts on a system, make sure you make your changes to the /etc/security/.profile file before creating all the users' accounts. If you create the accounts and then realize that you need to make a simple change in a variable or modify another setting, you're going to have to manually make the change to everyone's profile. It could be scripted out easily, but life would have been much simpler if you would have just changed the /etc/security/.profile.
Listing 2 provides an example /etc/security/.profile file.
Listing 2. Example /etc/security/.profile file
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb:$HOME/bin:/usr/bin/X11:/sbin:. export PATH if [ -s "$MAIL" ] # This is at Shell startup. In normal then echo "$MAILMSG" # operation, the Shell checks fi # periodically.
The /etc/security/limits file contains all the
or users' system resource limitations. Table 1 defines
the fields in the /etc/security/limits file and their use.
Table 1. Fields in /etc/security/limits
|Soft limit||Hard limit||Description|
|Size of file a user can create|
|Size of core file a user can create|
|The amount of system time allowed|
|Size of the process data segment|
|Size of the process stack segment|
|Physical memory allowed|
|Number of open file descriptors at one time|
|Number of running processes at one time|
What's the difference between soft and hard limits? A soft limit is a value that a user or application can change on the fly up to the maximum (the hard limit). The hard limit is just that -- the maximum value a parameter can be set to. If setting the parameter to a numeric value is too difficult (for example, if a developer has no idea how much memory his or her program is going to take or the number of files it will need to open), you can set the parameter to -1, which translates to unlimited.
It isn't imperative that you set individual
each and every user, however. The /etc/security/limits file contains a section
default that defines a template of
standard values for each user unless that user has set custom values. If the
default section doesn't exist, IBM kindly set
predetermined limits just in case.
The IBM default values are:
* Attribute Value * ========== ============ * fsize_hard set to fsize * cpu_hard set to cpu * core_hard -1 * data_hard -1 * stack_hard 8388608 * rss_hard -1 * nofiles_hard -1
Listing 3 provides an example of a /etc/security/limits file.
Listing 3. Example /etc/security/limits file
default: fsize = 4194303 core = 16384 cpu = -1 data = 262144 rss = 65536 stack = 65536 pac: fsize = 131072 fsize_hard = 262144 core = 262144
Considering that user "pac" is a junior UNIX administrator, his
soft value was reduced from the
4,194,303 to 131,072; however, you were nice enough to allow the user to
increase his value to 262,144, if needed. Also, pac is notorious for finding ways
to break his own programs. As a result, you've increased his core
ulimit to 262,144.
The /etc/security/passwd file contains the AIX user's password information. The file contains three fields per user:
- password. Encrypted password.
Note: If this field contains only an asterisk (
*), the account is locked until a password has been set.
- lastupdate. Number of seconds since epoch when the password was last updated.
- flags. Restrictions to changing the user's password. You can set
three different flags:
- ADMIN. If set, only the root user can change the user's password.
- ADMCHG. If set, the user is prompted to change
his or her password on the next login/
- NOCHECK. If set, any additional restrictions in /etc/security/user are ignored.
Listing 4 provides an example of a /etc/security/password file.
Listing 4. Example /etc/security/password file
amdc: password = oBQaUkPkUryCY lastupdate = 1243972006 flags = ADMCHG
In this example, user "amdc" has a password that was set on Tue. Jun. 2 15:46:46
EDT 2009. The next time the user logs in or
to amdc, he or she will be prompted to change the password.
If you're wondering how I converted the seconds from epoch to something a little more readable, I wrote a Perl script. Here's the gist of that script:
# perl -e 'use POSIX; print strftime("%c\n", localtime(1243972006));' Tue Jun 2 15:46:46 EDT 2009
Now you're getting into the meat of AIX user administration. The /etc/security/user file contains the most important settings, outside of the basics in /etc/passwd, for a user. Table 2 shows some of the parameters.
Table 2. Parameters in the /etc/security/user file
|TRUE | FALSE||Lock out the account; the user is unable to log in if set to True.|
|TRUE | FALSE||If True, the user has administrative rights.|
|MMDDHHYY||If the date has been reached, the account has expired and is locked.|
|0-260||Number of weeks the user can't reuse a password.|
|0-50||Number of passwords previously used that can't be reused.|
|TRUE | FALSE||User can log in if True.|
|0-52||Number of weeks a password is valid.|
|0-52||Number of weeks a user must wait before changing his or her password.|
|TRUE | FALSE||The account can be accessed remotely if set to True.|
|TRUE | FALSE||Others can use |
For a full listing of all parameters, look in your AIX system under /etc/security/user,
or see AIX
Like /etc/security/limits, a
default section sets
all the fields if not specified by the individual account.
The /usr/lib/security/mkuser.default file contains values used when creating a new
AIX user through
mkuser. Listing 5
provides an example of what the file may look like on your system.
Listing 5. Example /usr/lib/security/mkuser.default file
user: pgrp = staff groups = staff shell = /usr/bin/ksh home = /home/$USER admin: pgrp = system groups = system shell = /usr/bin/ksh home = /home/$USER
Many more parameters can be defined in this file. To view the full list, look at
man chuser, or go to
Systems Information Center.
Now that you are familiar with the files behind the commands, take a look at the commands themselves. You'll learn how to create a user as well as modify a user after it has been created.
The first command to know is
mkuser, the rest of the commands are useless.
You use this command to create the AIX user and set its initial values. There
are a few simple rules to remember when creating a user:
- Users cannot start with a:
- Dash or minus sign (
- Plus sign (
- At symbol (
- Tilde (
- Dash or minus sign (
- Users cannot be named ALL or default, as those names are reserved for the operating system.
- User names cannot include:
- Colon (
- Quotation marks—single or double (
- Pound or hash symbol (
- Comma (
- Equal sign (
- Slashes—back or forward (
- Question mark (
- Back quote or tick (
- White space (space or tab)
- New-line characters
- Colon (
- User names can only be eight characters or fewer in AIX version 5.2 and earlier. Starting with AIX version 5.3, IBM increased the maximum number of characters to 255.
To verify the setting in AIX 5.3 and later, you can extract the value from
# getconf LOGIN_NAME_MAX 9
# lsattr -El sys0 SW_dist_intr false Enable SW distribution of interrupts True autorestart true Automatically REBOOT OS after a crash True boottype disk N/A False capacity_inc 1.00 Processor capacity increment False capped true Partition is capped False conslogin enable System Console Login False cpuguard enable CPU Guard True dedicated true Partition is dedicated False enhanced_RBAC true Enhanced RBAC Mode True ent_capacity 1.00 Entitled processor capacity False frequency 2656000000 System Bus Frequency False fullcore true Enable full CORE dump True fwversion IBM,EL340_075 Firmware version and revision levels False id_to_partition 0X80000CE988400001 Partition ID False id_to_system 0X80000CE988400000 System ID False iostat false Continuously maintain DISK I/O history True keylock normal State of system keylock at boot time False log_pg_dealloc true Log predictive memory page deallocation events True max_capacity 1.00 Maximum potential processor capacity False max_logname 9 Maximum login name length at boot time True maxbuf 20 Maximum number of pages in block I/O BUFFER CACHE True maxmbuf 0 Maximum Kbytes of real memory allowed for MBUFS True maxpout 0 HIGH water mark for pending write I/Os per file True maxuproc 800 Maximum number of PROCESSES allowed per user True min_capacity 1.00 Minimum potential processor capacity False minpout 0 LOW water mark for pending write I/Os per file True modelname IBM,8203-E4A Machine name False ncargs 256 ARG/ENV list size in 4K byte blocks True nfs4_acl_compat secure NFS4 ACL Compatibility Mode True pre430core false Use pre-430 style CORE dump True pre520tune disable Pre-520 tuning compatibility mode True realmem 3784704 Amount of usable physical memory in Kbytes False rtasversion 1 Open Firmware RTAS version False sed_config select Stack Execution Disable (SED) Mode True systemid IBM,021082744 Hardware system identifier False variable_weight 0 Variable processor capacity weight False
To change the value, simply adjust the
parameter (shown as
to the maximum number of characters desired plus one to accommodate the
terminating character. For example, if you want to have user names that are
128 characters long, you would adjust the
parameter to 129:
# chdev -l sys0 -a max_logname=129 sys0 changed
Please note that this change will not go into effect until you have rebooted the operating system. Once the server has been rebooted, you can verify that the change has taken effect:
# getconf LOGIN_NAME_MAX 128
Keep in mind, however, that if your environment includes IBM RS/6000® servers prior to AIX version 5.3 or operating systems that cannot handle user names longer than eight characters and you rely on NIS or other authentication measures, it would be wise to continue with the eight-character user names.
To create a user with default settings and allocate the next available UID, simply
mkuser plus the user name as the root
# mkuser xander # finger xander Login name: xander Directory: /home/xander Shell: /usr/bin/ksh No Plan.
Easy, isn't it? Try something a bit more personable. By adding some values found
chuser man page
man chuser), you can include the user's GECOS
information and change his or her core
524,288, as shown in Listing 6.
Listing 6. Change a user's core ulimit
# mkuser core=524288 gecos="Xander Cormany,317.555.1234" xander # finger xander Login name: xander In real life: Xander Cormany Site Info: 317.555.1234 Directory: /home/xander Shell: /usr/bin/ksh No Plan. # su - xander "-c ulimit -a" time(seconds) unlimited file(blocks) unlimited data(kbytes) unlimited stack(kbytes) 4194304 memory(kbytes) unlimited coredump(blocks) 524288 nofiles(descriptors) unlimited threads(per process) unlimited processes(per user) unlimited
It's worth mentioning that the GECOS, like any other field in /etc/passwd,
should not include a colon (
:) in the value. By
trying to add a colon, the fields will be adjusted, and all expected values
would shift to the right. For instance, if the user tried to have Xander:Cormany
in the GECOS field in /etc/passwd, Xander would actually be in the
correct field, while Cormany would be the value of the field to the
right (that is, the home directory). Also, the GECOS field cannot end with
Most administrators do not really use the command line like this, but it is important
to understand what utilities like SMIT (
man smit or
man smitty) are doing behind the scenes. If you
would rather continue through SMIT, the process is simple. Here's an example
of creating the same user with the same attributes through SMIT. By entering
SMIT directly into the user creation screen, you
go in using the fastpath
# smitty mkuser
Figure 1 shows the SMIT utility in action.
Figure 1. The smitty mkuser process
When you are finished filling out the user name, GECOS field, and core
ulimit, click Enter to create the user. When
SMIT returns that the command finished successfully, click F10 or Esc + 0 to
exit the program. You can verify the user using the code in Listing 7.
Listing 7. Verify that SMIT correctly created the user
# finger xander Login name: xander In real life: Xander Cormany Site Info: 317.555.1234 Directory: /home/xander Shell: /usr/bin/ksh No Plan. # su - xander "-c ulimit -a" time(seconds) unlimited file(blocks) unlimited data(kbytes) unlimited stack(kbytes) 4194304 memory(kbytes) unlimited coredump(blocks) 524288 nofiles(descriptors) unlimited threads(per process) unlimited processes(per user) unlimited
The hard part is done now. But wait: Xander's manager, Ann, just came by and
informed you that Xander's core
ulimit should have
been 1,048,576 (someone forgot to multiply by 2). No problem: Just change
chuser command works very much like
mkuser in syntax and uses the identical attributes.
Listing 8 provides an example of the
Listing 8. The chuser command
# chuser core=1048576 xander # su - xander "-c ulimit -a" time(seconds) unlimited file(blocks) unlimited data(kbytes) unlimited stack(kbytes) 4194304 memory(kbytes) unlimited coredump(blocks) 1048576 nofiles(descriptors) unlimited threads(per process) unlimited processes(per user) unlimited
As always, IBM has made these commands easily accessible in SMIT using fastpaths.
smitty chuser takes you directly to the
user modification screen.
There are times when you want to change your shell. The default shell in AIX is the
Korn shell, or ksh. To change the shell, execute
with the user's name, and then select the desired shell, as shown in
Listing 9. Change a user's shell
# finger xander Login name: xander In real life: Xander Cormany Site Info: 317.555.1234 Directory: /home/xander Shell: /usr/bin/ksh No Plan. # chsh xander Current available shells: /bin/sh /bin/bsh /bin/csh /bin/ksh /bin/tsh /bin/ksh93 /usr/bin/sh /usr/bin/bsh /usr/bin/csh /usr/bin/ksh /usr/bin/tsh /usr/bin/ksh93 /usr/bin/rksh /usr/bin/rksh93 /usr/sbin/uucp/uucico /usr/sbin/sliplogin /usr/sbin/snappd xander's current login shell: /usr/bin/ksh Change (yes) or (no)? > yes To?>/usr/bin/csh # finger xander Login name: xander In real life: Xander Cormany Site Info: 317.555.1234 Directory: /home/xander Shell: /usr/bin/csh No Plan.
The administrator who created Xander's AIX user introduced a typo into his
name in the GECOS information. To correct the mistake, you use the
chfn command. This command works much like
chsh, where the command displays the current value,
asks the user whether he or she wants to change it, and then changes the value
to what was entered. Listing 10 provides an example.
Listing 10. Example chfn command
# finger xander Login name: xander In real life: Zander Cormany Site Info: 317.555.1234 Directory: /home/xander Shell: /usr/bin/ksh No Plan. # chfn xander xander's current gecos: "Zander Cormany,317.555.1234" Change (yes) or (no)? > yes To?>Xander Cormany,317.555.1234 # finger xander Login name: xander In real life: Xander Cormany Site Info: 317.555.1234 Directory: /home/xander Shell: /usr/bin/ksh No Plan.
Correcting the GECOS information may sound trivial, but it is helpful to the
other administrators and users on the system. For example, if you're trying
to find Xander's account but can't remember his user name, you could search
for it through his GECOS information. Searching for his last name, which was
correctly entered into the GECOS field, would quickly show me his user name.
finger command will search for all instances
of the string entered in /etc/passwd's user name and real name in the first field
of the GECOS information:
# finger cormany Login name: atc In real life: Adam Cormany Directory: /home/cormany Shell: /bin/ksh No Plan. Login name: xander In real life: Xander Cormany Site Info: 317.555.1234 Directory: /home/xander Shell: /usr/bin/ksh No Plan.
Gathering all the information for a user from the various user files may seem
cumbersome. Fortunately, AIX provides a command to gather the data in
one fell swoop. The
lsuser command returns
all the attributes used on the user from the various administration files, which
can be very helpful if you are comparing users, wanting to generate a complete
listing of all users for backup purposes, or are troubleshooting an issue with an
To view a user's attributes, you can use the
which displays everything in a stanza structure. Listing 11
provides an example of this output.
Listing 11. Output from lsuser -f
# lsuser -f xander xander: id=214 pgrp=staff groups=staff home=/home/xander shell=/usr/bin/ksh gecos=Xander Cormany,317.555.1234 login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=-1 cpu=-1 data=-1 stack=-1 core=1048576 rss=-1 nofiles=-1 roles=
If you are comparing users, simply change the switch from
-c and add the users you want to compare as
a comma-delimited argument. Listing 12 provides an
example of this output.
Listing 12. Output of lsuser -c
# lsuser -c xander,atc #name:id:pgrp:groups:home:shell:gecos:login:su:rlogin:daemon:admin: sugroups:tpath:ttys:expires:auth1:auth2:umask:registry:SYSTEM:loginretries: pwdwarntime:account_locked:minage:maxage:maxexpired:minalpha:minother: mindiff:maxrepeats:minlen:histexpire:histsize:fsize:cpu:data:stack:core:rss:nofiles xander:214:staff:staff:/home/xander:/usr/bin/ksh:Xander Cormany,317.555.1234: true:true:true:true:false:ALL:nosak:ALL:0:SYSTEM:NONE:22:files:compat:0:0:false: 0:0:-1:0:0:0:8:0:0:0:-1:-1:-1:-1:1048576:-1:-1 #name:id:pgrp:groups:home:shell:gecos:login:su:rlogin:daemon:admin:sugroups: tpath:ttys:expires:auth1:auth2:umask:registry:SYSTEM:loginretries:pwdwarntime: account_locked:minage:maxage:maxexpired:minalpha:minother:mindiff:maxrepeats: minlen:histexpire:histsize:fsize:cpu:data:stack:core:rss:nofiles:time_last_login: time_last_unsuccessful_login:tty_last_login:tty_last_unsuccessful_login:host_last_login: host_last_unsuccessful_login:unsuccessful_login_count cormany:215:staff:staff,support:/home/cormany:/bin/ksh:Adam Cormany:true:true: true:true:false:ALL:nosak:ALL:0:SYSTEM:NONE:22:NIS:compat:0:0:false:0:0: -1:0:0:0:8:0:0:0:-1:-1:-1:-1:-1:-1:-1:1250854405:1250522447:/dev/pts/3:/dev/pts/13: 10.20.30.40:10.20.30.41:0
That is a lot of information to look at and may be a bit overwhelming in its raw form. However, if you import this data into a spreadsheet, it will look much cleaner. Having a delimited format is also helpful when you are using the data in scripts to manage users.
If you are only looking for a few fields—say, the user's shell and home
lsuser command can do the
work for you with the
-a switch. Listing 13
provides an example of this command using the fields from the
chuser man page.
Listing 13. Running lsuser -c –a on a man page
# lsuser -c -a shell home xander,cormany #name:shell:home xander:/usr/bin/ksh:/home/xander #name:shell:home cormany:/bin/ksh:/home/cormany
Many think the
passwd command only changes a
user's password. Although
passwd does perform
this important function, it contains other features, as well.
The most important function of
passwd is indeed
changing a user's password. By following the rules set forth in the configuration
files /etc/security/user and /etc/security/passwd, a standard user can change
his or her own password or, if logged in as the root user, can change other
users' passwords, as Listing 14 shows.
Listing 14. Using passwd to change a user's password
# lsuser -c -a password xander #name:password xander:* # passwd xander Changing password for "xander" xander's New password: Enter the new password again: # lsuser -c -a password xander #name:password xander:!
passwd command can also change a user's
GECOS information like
chfn or his or her
shell/command to execute during the login process, like
Listing 15 provides an example.
Listing 15. Using passwd to change a user's information
# passwd -f xander xander's current gecos: "Xander Cormany,317.555.1234" Change (yes) or (no)? > yes To?>Xander Cormany,317.555.7890 # passwd -s xander Current available shells: /bin/sh /bin/bsh /bin/csh /bin/ksh /bin/tsh /bin/ksh93 /usr/bin/sh /usr/bin/bsh /usr/bin/csh /usr/bin/ksh /usr/bin/tsh /usr/bin/ksh93 /usr/bin/rksh /usr/bin/rksh93 /usr/sbin/uucp/uucico /usr/sbin/sliplogin /usr/sbin/snappd xander's current login shell: /usr/bin/ksh Change (yes) or (no)? > yes To?>/usr/bin/bsh # finger xander Login name: xander In real life: Xander Cormany Site Info: 317.555.7890 Directory: /home/xander Shell: /usr/bin/bsh No Plan.
pwdadm command can change passwords
in AIX. In addition,
pwdadm can display
(excluding encrypted passwords) or update a user's flags in /etc/security/passwd.
Continuing with Xander's account as a guinea pig, First change his password,
and then view his current password attributes. Because his password was just
ADMCHG flag will be set. Change
that flag to
ADMIN, and restrict the account so that
only administrators can update the password going forward. Listing 16
shows the code to perform this task.
Listing 16. Change a user's flag and restrict privileges
# pwdadm xander Changing password for "xander" xander's New password: Enter the new password again: # pwdadm -q xander xander: lastupdate = 1250858719 flags = ADMCHG # pwdadm -f ADMIN xander # pwdadm -q xander xander: lastupdate = 1250858719 flags = ADMIN
The time has come to remove a user from the system; Xander's account must
be deleted. To do so, you need
To remove a user, simply execute
rmuser with the user's
account name as the argument. Doing so with no switches removes the user
from the system, but the user's password information will be retained in the
# rmuser xander
To fully remove the user's password information, use the
# rmuser –p xander
rmuser does not remove the user's
home directory. If a user has important data in his or her home directory
that should be kept, it is up to you to remove the home directories when
you deem it safe.
You're familiar with a few user modification commands; now, let's talk about groups. Like user administration, it's important that you know the configuration files behind the commands that modify them.
The /etc/group file contains the basics of a group. Listing 17 provides an example of the file /etc/group.
Listing 17. Example /etc/group file
system:!:0:root,pconsole,esaadmin staff:!:1:ipsec,esaadmin,sshd,xander bin:!:2:root,bin sys:!:3:root,bin,sys adm:!:4:bin,adm uucp:!:5:uucp,nuucp mail:!:6: security:!:7:root cron:!:8:root printq:!:9:lp audit:!:10:root ecs:!:28: nobody:!:4294967294:nobody,lpd perf:!:20: shutdown:!:21: lp:!:11:root,lp invscout:!:12:invscout snapp:!:13:snapp ipsec:!:200: pconsole:!:14:pconsole sshd:!:201:sshd
As you can see, the file is colon delimited like the /etc/passwd file, and each entry contains only four fields in the following format (with spaces added before and after the delimiter to ease reading):
Group Name : Password Flag : GID : User(s)
Here's the line-by-line breakdown:
- Group Name. The group name associated with the group.
- Password Flag. This field is not used in AIX. Instead, AIX uses the /etc/security/group file for group administrators.
- GID. The GID associated with the group.
- User(s). The list of users who are members of the group.
Note: This field is comma delimited.
The /etc/security/group file is much like /etc/security/user for users: It contains extended attributes to the specified group. Table 3 provides a couple of useful settings in the configuration file.
Table 3. /etc/security/group parameters
|user1, user2, …||Comma-delimited list of users with administrative rights to the group.|
|TRUE | FALSE||If True, the group has administrative rights to the group.|
For more attributes, read the man page for /etc/security/group
man group), or visit
The file is broken down into stanzas like the other configuration files in
/etc/security, with the group name as the identifier. A nice feature of this
file is that it allows you to set administrator rights to a standard user for a
group. The administrators of that group can then modify the group as they
see fit by adding members to or removing members from the group.
Listing 18 provides an example of what an
/etc/security/group looks like. In this example, the group jradmin has
admin set to False and standard users pac
and xander defined as administrators of the group.
Listing 18. Example of an /etc/security/group file
system: admin = true staff: admin = false bin: admin = true sys: admin = true jradmin: admin = false adms = pac,xander
You've read enough about the files behind the commands. Now, let's look at the commands themselves. You'll see how to create a group as well as modify it after it has been created.
Creating a group in AIX is simple and straightforward. The same restrictions for creating a user pertain to creating a group:
- Groups cannot start with the:
- Dash or minus sign (
- Plus sign (
- At symbol (
- Tilde (
- Dash or minus sign (
- Groups cannot be named ALL or default, as these names are reserved to the operating system.
- Group names cannot include:
- Colon (
- Quotation marks—single or double (
- Pound or hash sign (
- Comma (
- Equal sign (
- Slashes—back or forward (
- Question mark (
- Back quote or tick (
- White space (space or tab)
- New-line characters
- Colon (
- Group names can only be eight characters or less in AIX version 5.2 and earlier. Starting with AIX version 5.3, IBM increased the maximum number of characters to 255.
Both user and group name lengths are handled by the same parameter:
v_max_logname. To view or change the value, follow
the instructions provided for viewing and changing the user name length in
mkuser, earlier in this article.
To create a group, simply execute the
with the group name as an argument, as shown in Listing 19.
Listing 19. Create a group with mkgroup
# mkgroup atctest # grep atctest /etc/group atctest:!:202: # grep -p atctest /etc/security/group atctest: admin = false
To create an admin group, add the
-a switch, as
shown in Listing 20.
Listing 20. Create an admin group
# mkgroup -a atcadmin # grep atcadmin /etc/group atcadmin:!:15: # grep -p atcadmin /etc/security/group atcadmin: admin = true
To create a group and add Xander as the administrator of the group, add
adm section of the /etc/security/group stanza
to the command line, as shown in Listing 21.
Listing 21. Add a specific user as a group administrator
# mkgroup adms=xander xangroup # grep xangroup /etc/group xangroup:!:203: # grep -p xangroup /etc/security/group xangroup: admin = false adms = xander
the same attributes as
chgroup. For a full list of
the attributes, read
chgroup's man page
chgroup command works just like
chuser, and its man page contains all the
attributes you can change on a group. Listing 22
provides an example of how to change the group's
GID from 203 to 204. Add a few users to the group, as well.
Listing 22. Change the group's GID and add users
# grep xangroup /etc/group xangroup:!:203: # chgroup id=204 users=xander,atc,amdc xangroup # grep xangroup /etc/group xangroup:!:204:xander,atc,amdc
Another way to modify a group's members is with
chgrpmem command allows you to list,
add, and remove users from a group as well as modify the administrators
of the group.
For example, the group xangroup has xander and atc as members and xander as an administrator of the group. Remove atc from the group, as shown in Listing 23.
Listing 23. Remove a user from a group
# chgrpmem xangroup xangroup: members = xander,atc adms = xander # chgrpmem -m - atc xangroup # chgrpmem xangroup xangroup: members = xander adms = xander
Suppose there was a mistake and user atc was not supposed to be removed. Instead, user atc was supposed to become the administrator of the group, while xander's administrative rights were to be removed. Listing 24 shows the code to make the correction.
Listing 24. Add a deleted user and change the group administrator
# chgrpmem -m + atc xangroup # chgrpmem -a + atc xangroup # chgrpmem -a - xander xangroup # chgrpmem xangroup xangroup: members = xander,atc adms = atc
With such a nice command for users as
there be one for groups, as well? There is:
To continue with the standard format of commands and their options in AIX,
lsgroup follows the same structure as
Listing 25. Output from the lsgroup command
# lsgroup xangroup xangroup id=204 admin=false users=xander,cormany adms=cormany registry=files # lsgroup -f xangroup xangroup: id=204 admin=false users=xander,cormany adms=cormany registry=files # lsgroup -c xangroup,atcadmin #name:id:admin:users:adms:registry xangroup:204:false:xander,cormany:cormany:files #name:id:admin:registry atcadmin:15:true:files # lsgroup -c -a id xangroup,atcadmin #name:id xangroup:204 #name:id atcadmin:15
Throughout this article, you've been creating sample groups. Now, it's time
to clean up the AIX system you're using. To remove a group from the system,
rmgroup with the group's name
as the argument:
# rmgroup atctest
rmgroup command does not allow you to remove
the group until you have moved all users that have the group as their primary
group to another group.
After reading this article, you should now have a better understanding of the configuration files for user and group maintenance in AIX. You should also understand the command-line tools better and see how easy it really is to create, modify, and remove users and groups. IBM really has made such maintenance simple so that you can focus on more complicated issues.
getconf: See IBM's man page for the
See IBM's System Information Center Web page for /etc/security/limits.
See IBM's System Information Center Web page for /etc/security/user.
See IBM's System Information Center Web page for /usr/lib/security/mkuser.default.
See IBM's System Information Center Web page for the
See IBM's System Information Center Web page for /etc/group.
See IBM's System Information Center Web page for /etc/security/group.
The AIX and UNIX developerWorks
zone provides a wealth of information relating to all aspects of AIX systems
administration and expanding your UNIX skills.
New to AIX and UNIX?
Visit the New to AIX and UNIX page to learn more.
Browse the technology
bookstore for books on this and other technical topics.
Check out developerWorks blogs
and get involved in the developerWorks
Participate in the AIX and UNIX forums:
- AIX Forum
- AIX Forum for developers
- Cluster Systems Management
- IBM Support Assistant Forum
- Performance Tools Forum
- Virtualization Forum
- More AIX and UNIX Forums
Adam Cormany is currently the manager of the National Data Center, but he has also been a UNIX systems engineer, a UNIX administrator, and operations manager for Scientific Games Corporation. Adam has worked extensively with AIX as well as in Solaris and Red Hat Linux administration for more than 10 years. He is an IBM
eServer-Certified Specialist in pSeries AIX System Administration. In addition to administration, Adam has extensive knowledge of shell scripting in Bash, CSH, and KSH as well as programming in
C, PHP, and Perl. You can reach Adam at firstname.lastname@example.org