SYSTEM SECURITY
/etc/default/login CONSOLE=/dev/console Restricts root login to console
/etc/default/su CONSOLE=/dev/console su command usage displayed on console
SULOG=/var/adm/sulog failed & successful su attempts are logged
SYSLOG=YES su logging using the syslog facility
/var/adm/loginlog Logs failed logins after 5 failed attempts, logging enabled
when file exists
USER ACCOUNT ADMINISTRATION FILES
/etc/passwd 7 colon delimited fields
Format: username:password:UID:GID:comment:homedir:login shell
Example: root:x:0:1:Super-User:/:/sbin/sh
/etc/shadow 9 colon delimited fields
Format:
UID:password:last_changed:minimum:maximum:warning:inactivity:expiration:flag
Example: guest:on7GbE18yYaek:10688:5:30:5:20:10844: (using all fields except
flag field)
/etc/group 4 colon delimited fields
Format: group_name:password:GID:users
Example: sys::3:root,bin,daemon
Commands
id displays real & effective UID & GID, -a option all the user’s groups are
returned
last displays current users logged in and those recently logged in
who displays current users logged in
-r option shows current run level & datte that run level set
-a displays information about processes, syystem reboots, and run level
whodo displays current users logged in and their processes
USER ADMINISTRATION
/etc/profile System profile, executed before user’s login initialization file
/etc/skel/local.profile Default initialization file templates
/etc/skel/local.cshrc
/etc/skel/local.login
/usr/dt/bin/Xsession DTSOURCEPROFILE=true Causes the .login or .profile to be
executed
FILE PERMISSIONS
/etc/system set rstchown=1 restricts chown command to superuser account &
chgrp to members of the group
change to 0 to remove restriction
umask will display your current umask setting
umask 022 changes current setting of umask to 022
Access Control Lists
setfacl –s u::rw-, g::r--, o:r-- file1 Sets access control lists on files
setfacl –m u:guest:rw-, g:staff:r-- file1 Sets access control lists for
particular users/group on files
setfacl –m d:u::rw-, d:g::rw-, d:o:r--, d:m:r-- /shlog d option defines ACL
default for directory
setuid permissions: absolute mode = 4000, symbolic mode = s (shown as an "s" in
the user account permission: rwsrwxrwx) Sets the effective UID to owner at
execution.
setgid permissions: absolute mode = 2000, symbolic mode = s (shown as an "s" in
the group account permission: rwxrwsrwx) Sets the effective GID to group at
execution.
sticky bit permissions: absolute mode = 1000, symbolic mode = 5 (shown as a "t"
in the other account permission: rwxrwxrwt) When set for a directory that has
write permission for everyone, only the user who created a file or subdirectory
in that directory can remove them.
Change Owner:
chown user1 file1
chown 1001 file1 file2
chown –R user1:staff directory1 (changes owner to user1 & group to staff)
Change Group: Change Permissions
chgrp other file1 chmod 645 file1 (absolute mode)
chgrp 14 file1 file2 chmod u-x, g+w, o+x file1 (symbolic mode)
chgrp –R staff