Security user Can't change the groups.

Dears

Security users in AIX don't have permission to change the group of the user thru Smitty Users

When they try to change the group of the users to any group they'll get permission denied

Security profile in Smitty :

[TOP] [Entry Fields]
User NAME...................................................securityuser
User ID.......................................................[205]
ADMINISTRATIVE USER?...............................false
Primary GROUP............................................[security]
Group SET..................................................[security,staff]
ADMINISTRATIVE GROUPS...........................[]
ROLES.......................................................[]
Another user can SU TO USER?......................true
SU GROUPS................................................[ALL]
HOME directory.......................................... [/home/securityuser]
Initial PROGRAM..........................................[/usr/bin/ksh]
User INFORMATION...................................[securityuser]
EXPIRATION date (MMDDhhmmyy)................[0]

Error message when security user tries to change the group for any user !!

============================================================

Command: failed stdout: yes stderr: no

Before command completion, additional instructions may appear below.
3004-692 Error changing "groups" to "sys" : You do not have permission.

============================================================

We are on AIX 5.3

Dears

Can you please advise us in this regard and what's the solution of this issue ?

Try adding the group sys to Group Set.

I tried .. but same problem !!

I am not an expert at this so I am probably not the right person to help. Having said that I had to set up a user with the same rights as root. One of the things I had to do was set their User Id to 0 (zero) along with the groups that they can have access to. The problem I believe is that it will give them the same rights as root which may not be what you want. Good luck.

For security reasons only root can use chown and chgrp. Else you could write a program with malicious code, chown/chgrp it to somebody else, maybe root or whoever and try to get it executed by those. So no chown/chgrp for normal users. I have no appropriate line from IBM at hand, but usually it is on many types of systems like this.

From Sun Admin documentation for example:

I found this on IBM's site:

Only the root user can change the owner of a file. You can change the group of a file only if you are a root
 user or if you own the file. If you own the file but are not a root user, you can change the group only to a
 group of which you are a member.

we are not talking about chown !!

Security User is managing users in AIX by smitty menu and he'll modify group of some existing users from staff to System will group users to another groups but he is getting below error

=======================================

Command: failed stdout: yes stderr: no

Before command completion, additional instructions may appear below.
3004-692 Error changing "groups" to "sys" : You do not have permission.

=======================================

Security user should have full permission in this regard ?!!

issue is in permission of security Group there is no permission for security Group to change the group of the users ?!!

?

On my AIX 5.3, I notice that while "security" is the group for /etc/group, it does not have write access:

[root@hostname]:/etc # ls -l /etc/group
-rw-r--r-- 1 root security 1427 19 May 10:22 /etc/group

Consequently, I wouldn't expect that being in the security group would allow a user to change groups for others (unless this is enforced elsewhere).

Dear garethr ,

security user has access and authority to manage AIX users and to do the following ...

  • create user in AIX .
  • delete user in AIX .
  • reset password of any user .
  • lock and unlock any user .

only if he wants to modify the group of any user he'll get error and permission denied

security user should have this permission or who will change the group of the users !

don't say root .. root is only for administrator .

security should have limited permission to this thing .

What are you advising to do to solve this issue ?!!

:cool:

edit by bakunin: ahem! It is against the rules to bump up threads and your post hardly contains any advancement of the threads content, don't you agree?

I agree.