chgroup Command
Purpose
Changes attributes for groups.
Syntax
chgroup [ -R load_module ] Attribute=Value ... Group
Description
The chgroup command changes attributes for the group specified by the Group parameter. The group name must already exist. To change an attribute, specify the attribute name and the value you want to change it to in the Attribute=Value parameter.
To change the attributes for a group that was created with an alternate Identification and Authentication (I&A) mechanism, the -R flag can be used to specify the I&A loadable module. Load modules are defined in the /usr/lib/security/methods.cfg file.
You could also use the System Management Interface Tool (SMIT) smit chgroup fast path to run this command.
Changing the ID for an account can compromise system security and as a result one should not do so. However, when the ID is changed using the chgroup command, ID collision checking is also controlled by the dist_uniqid attribute in the usw stanza of the /etc/secvars.cfg file. The behavior of ID collision control is the same as that described for the mkgroup command.
Restrictions on Changing Groups
To ensure the security of group information, there are restrictions on using the chgroup command. Only the root user or users with UserAdmin or aix.security.group.change authorization can use the chgroup command to change any group. These changes include:
- Make a group an administrative group by setting the admin attribute to true.
- Change any attributes of an administrative group.
- Add users to an administrative group's administrators list.
An administrative group is a group with the admin attribute set to true. Members of the security group can change the attributes of nonadministrative groups including adding users to the list of administrators.
Flag
Item | Description |
---|---|
-R | Specifies the loadable I&A module used to change the group's attributes. |
Attributes
You change attributes by specifying an Attribute=Value parameter. If you have the proper authority you can set the following group attributes:
Item | Description |
---|---|
adms | Defines the users who can perform administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The Value parameter is a list of comma-separated user login names. If you do not specify a Value parameter, all the administrators are removed. |
admin | Defines the administrative status of the group. You can specify the following values: |
id | The group ID. The Value parameter is a unique integer string. Changing this attribute compromises system security and, for this reason, you should not change this attribute. |
projects | Defines the list of projects to which the user's processes can be assigned. The value is a list of comma-separated project names and is evaluated from left to right. The project name should be a valid project name as defined in the system. If an invalid project name is found on the list, it will be reported as an error. |
users | Specifies a list of one or more users in the form: User1, User2,..., Usern. The group member names are separated by commas. Each user must be defined in the database configuration files. You cannot remove users from their primary group. If the domainlessgroups attribute is set in the secvars.cfg file, users from the Lightweight Directory Access Protocol (LDAP) group can be assigned to the local group and vice versa. |
efs_initialks_mode | Specifies the initial mode of the group keystore. You can specify the following values: You can use the attribute with the mkgroup command. After the keystore has been created, changing the attribute value with the chuser, chgroup, or chsec command, or manual editing does not change the mode of the keystore unless the keystore is deleted and a new one is created. To change the keystore mode, use the efskeymgr command. Restriction: The attribute is valid only when the system is EFS-enabled. |
efs_keystore_algo | Specifies the algorithm that is used to generate the private key of the group during the keystore creation. You can specify the following values: You can use the attribute with the mkgroup command. After the keystore has been created, changing the value of this attribute with the chuser, chgroup, or chsec command, or manual editing does not regenerate the private key unless the keystore is deleted and a new one is created. To change the algorithm for the keys, use the efskeymgr command. Restriction: The attribute is valid only when the system is EFS-enabled. |
efs_keystore_access | Specifies the database type of the group keystore. You can specify the following values: Restriction: The attribute is valid only when the system is EFS-enabled. |
The adms and admin attributes are set in the /etc/security/group file. The remaining attributes are set in the /etc/group file. If any of the attributes you specify with the chgroup command are invalid, the command makes no changes at all.
Exit Status
Item | Description |
---|---|
0 | The command runs successfully and all requested changes are made. |
>0 | An error occurred. The printed error message gives further details about the type of failure. |
Security
Access Control
This command should grant execute (x) access only to the root user and the security group. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.
Auditing Events
Event | Information |
---|---|
GROUP_Change | group, attributes |
Files Accessed
Mode | File |
---|---|
rw | /etc/group |
rw | /etc/security/group |
r | /etc/passwd |
Attention RBAC users and Trusted AIX® users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
Limitations
Changing a group's attributes may not be supported by all loadable I&A modules. If the loadable I&A module does not support changing a group's attributes, an error is reported.
Examples
- To add sam and carol to the finance group, which currently only has frank as a member, type:
chgroup users=sam,carol,frank finance
- To remove frank from the finance group, but retain sam and carol, and to remove the administrators of the finance group, type:
chgroup users=sam,carol adms= finance
In this example, two attribute values were changed. The name frank was omitted from the list of members, and the value for the adms attribute was left blank.
- To change the users attribute of a group defined in the LDAP I&A loadable module, type:
chgroup -R LDAP users=sam,frank monsters
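The first two examples show that users= replaces the whole member list, so existing members must be carried over explicitly. The following added example (not part of the AIX documentation) builds such a chgroup command line from a constructed /etc/group sample instead of running chgroup or lsgroup, so it can be tried offline; the group name finance and the sample members are constructed.

```shell
#!/bin/sh
# Added example: build a chgroup invocation that adds members to a group
# without dropping the ones already present. The users= attribute replaces
# the whole list, so the current members must be included again.

# Constructed sample of /etc/group content (the file that holds the basic
# group attributes). On a real system read /etc/group or use lsgroup.
SAMPLE_GROUP_DB='system:!:0:root
staff:!:1:frank,sam
finance:!:200:frank'

# current_members GROUP DBTEXT -> prints the 4th field (comma-separated members),
# exits 1 if the group does not exist.
current_members() {
    printf '%s\n' "$2" | awk -F: -v g="$1" '$1 == g { print $4; found = 1 }
        END { if (!found) exit 1 }'
}

# merge_members EXISTING NEW... -> union of the lists, original order, no duplicates
merge_members() {
    existing=$1; shift
    out=$existing
    for u in "$@"; do
        case ",$out," in
            *",$u,"*) ;;                                            # already a member
            *) if [ -z "$out" ]; then out=$u; else out="$out,$u"; fi ;;
        esac
    done
    printf '%s\n' "$out"
}

# build_chgroup_cmd GROUP DBTEXT NEWUSER... -> prints the chgroup command line
build_chgroup_cmd() {
    grp=$1; db=$2; shift 2
    cur=$(current_members "$grp" "$db") || { echo "group $grp not found" >&2; return 1; }
    members=$(merge_members "$cur" "$@")
    printf 'chgroup users=%s %s\n' "$members" "$grp"
}

# Demonstration on the constructed data. The printed command would be run as
# root or a UserAdmin holder; check its exit status, since chgroup exits >0
# and changes nothing at all when any attribute value is invalid.
build_chgroup_cmd finance "$SAMPLE_GROUP_DB" sam carol
```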
Files
Item | Description |
---|---|
/usr/bin/chgroup | Specifies the path to the chgroup command. |
/etc/group | Contains the basic attributes of groups. |
/etc/security/group | Contains the extended attributes of groups. |
/etc/passwd | Contains the basic attributes of users. |