HP Servers and Workstations: Managing Systems and Workgroups > Chapter 3 Configuring a System

Controlling Access to a System


You can control who has access to your system, its files, and its processes.

Authorized users gain access to the system by supplying a valid user name (login name) and password. Each user is defined by an entry in the file /etc/passwd. You can use SAM to add, remove, deactivate, reactivate, or modify a user account.

For additional information about passwords, refer to passwd(4) and passwd(1). To manually change user account entries, use the /usr/sbin/vipw command to edit /etc/passwd; see vipw(1M) for details.

See also Chapter 8 “Administering a System: Managing System Security”.

Adding a User to a System

You can add a user in several ways, described in the following sections. Whichever way you choose, adding a user involves these tasks:

  • Ensure that the user has a unique UID.

  • Insert a line for the user in the /etc/passwd file.

  • Make a home directory for the user.

  • Create an environment for the user.

Consider performing the following tasks for your new user:

Using SAM to Add a User

If you are adding a user on a remote machine, before using SAM, type the following commands on your local machine:

/usr/bin/X11/xhost + remote_machine
export DISPLAY=your_local_machine:0.0
  1. Start SAM

    To start SAM, you can either

    • type /usr/sbin/sam

      or

    • use CDE and access the Application Manager, double-click on System_Admin and double-click on SAM.

  2. Choose:

    1. Accounts for Users and Groups

    2. Users

    3. Add... from the Actions menu

  3. Fill in the text fields. Use a unique User Identification (UID). Your facility may have a program to determine unique UIDs.

  4. Click on Primary Group Name... and add the user to the primary and other groups.

  5. Click OK. This opens the password window. Type a password and click OK. Enter the password when requested and click OK.

  6. Click OK on the Note dialog box.

To see the steps that SAM executes, choose Options/View SAM Log...

When you use SAM to add a user, SAM does the following:

  • creates an entry in the /etc/passwd file for the user

  • creates a home directory for the user

  • copies start-up files (.cshrc, .exrc, .login, .profile) to the user’s home directory

Manually Adding a User

Use the following steps to add a user from the command line.

  1. Add the user to the /etc/passwd file.

    As root, use the /usr/sbin/vipw command to edit /etc/passwd. See vipw(1M), passwd(4), and passwd(1)

    For example, you might want to add this line for user tom:

    tom:,..:102:20:,,,:/home/tom:/usr/bin/sh

    The default for the shell is an empty field, which causes the system to use /sbin/sh as the login shell. The “,..” in the password field will require tom to set his password when he first logs in.

    IMPORTANT: Note that the shell for root must not be changed from /sbin/sh.
  2. Create a home directory. For example:

    /usr/bin/mkdir /home/tom

    Change the ownership of the directory to the user’s name. For example:

    /usr/bin/chown tom:users /home/tom
  3. Ensure that the user has the appropriate shell start-up files to execute when logging in. The three most popular shells in the HP-UX environment are: POSIX shell, Korn shell, and C shell. Each shell uses particular start-up files.

    Table 3-3 Start-Up Files

    Shell Name     Location                 Start-up Files
    POSIX shell    /usr/bin/sh, /sbin/sh    .profile and any file specified in the ENV environment variable (conventionally .kshrc)
    Korn shell     /usr/bin/ksh             as for the POSIX shell
    C shell        /usr/bin/csh             .login and .cshrc

    You can create standard start-up files (templates) that can be copied to users’ directories. The directory most often used for this purpose is /etc/skel.

    For example:

    cp /etc/skel/.profile /home/tom/.profile
  4. Change the ownership of the start-up file to the new user’s account. For example:

    /usr/bin/chown tom /home/tom/.profile
  5. Add the user to a primary working group. The primary group is the group ID field of the user’s /etc/passwd entry (20, the users group, in the example above); give the user’s start-up file the same group. For example:

    /usr/bin/chgrp users /home/tom/.profile
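The five manual steps above, collected into one script; this is an added example, not a script from the HP manual. PASSWD, SKEL and HOMEBASE are hypothetical variables so the script can be tried against a scratch directory; on a real system keep the defaults, run as root, and hold the vipw lock while /etc/passwd is being edited.

```shell
#!/bin/sh
# Added example (not from the HP manual): steps 1-5 of the manual procedure
# as one script. PASSWD, SKEL and HOMEBASE are hypothetical variables so the
# script can be tried against a scratch directory; on a real system use the
# defaults, run as root, and hold the vipw lock while editing /etc/passwd.
PASSWD=${PASSWD:-/etc/passwd}
SKEL=${SKEL:-/etc/skel}
HOMEBASE=${HOMEBASE:-/home}

# Print the lowest UID at or above $1 that no entry in $PASSWD uses yet.
next_free_uid() {
    awk -F: -v min="${1:-100}" '
        $3 ~ /^[0-9]+$/ && $3 >= min { used[$3] = 1 }
        END { uid = min; while (uid in used) uid++; print uid }' "$PASSWD"
}

# Succeed only if a login of that name already exists in $PASSWD.
login_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit found ? 0 : 1 }' "$PASSWD"
}

# add_user login gid [shell]: append the passwd entry, make the home
# directory, copy the start-up templates and hand everything to the user.
add_user() {
    login=$1; gid=$2; shell=${3:-/usr/bin/sh}
    if login_exists "$login"; then
        echo "$login: already present in $PASSWD" >&2; return 1
    fi
    uid=$(next_free_uid 100)
    home=$HOMEBASE/$login
    # ",.." in the password field makes the user set a password at first login.
    printf '%s:,..:%s:%s:,,,:%s:%s\n' "$login" "$uid" "$gid" "$home" "$shell" >> "$PASSWD"
    mkdir -p "$home"
    chmod 755 "$home"
    for f in .profile .kshrc .login .cshrc .exrc; do
        if [ -f "$SKEL/$f" ]; then cp "$SKEL/$f" "$home/$f"; fi
    done
    # chown needs root on a real system; in a scratch run it may fail harmlessly.
    chown -R "$uid:$gid" "$home" 2>/dev/null || true
    echo "$uid"
}
```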

Automating the Process of Adding a User

When you have several users to add to a system, you can save time by:

  • Using the SAM Template

  • Using the useradd Command

Using the SAM Template

Create a template that contains uniform information about accounts by initiating SAM and then choosing Users and Groups, pulling down the Actions menu, and finally choosing User Templates and Create. Read the SAM online help for details.

Using the useradd Command

You can use the useradd command to add users, as well as usermod and userdel for modifying and deleting them. useradd has the form:

/usr/sbin/useradd [option]... username

username is the new login name for the user. The options are described in Table 3-4 “useradd Options”. See also useradd(1M).

Table 3-4 useradd Options

Option          Meaning
-u uid          UID (defaults to next highest number).
-g group        Primary working group name or group ID. Group must exist. The default is 20.
-G groups       Comma-separated list of secondary groups. Groups must exist.
-b b_dir        Default base directory for user home directory. The default is /home.
-d dir          Home directory path name. The default is b_dir/username.
-m              Create the home directory (under /home by default) in addition to defining the user.
-s shell        Shell. The default is an empty field, which defaults to /sbin/sh.
-c "comments"   Full name or other comments. This is often a comma-separated string in the form fullname,location,workphone,homephone.
-k dir          Skeleton directory containing initialization files. The default is /etc/skel.
-e date         Account expiration date. The default is none. Requires enhanced security.
-f n            Number of days the account can be inactive before being disabled. Requires enhanced security.

The following command creates a new user account, adds Patrick to the primary working group (called users), creates a home directory and sets up a default Korn shell:

useradd -g users -m -k /etc/skel -s /usr/bin/ksh patrick

The resulting entry in the /etc/passwd file is:

patrick:*:104:20::/home/patrick:/usr/bin/ksh

You can make a script with as many instances of the useradd command as necessary. You can set different defaults with the useradd -D command.
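Whichever of the three methods produced the entries, the conditions this section insists on (a unique UID per account, root’s shell left at /sbin/sh, a password field that is set) can be checked afterwards. The audit below is an added example, not part of the HP manual; audit_passwd is a hypothetical function name, and the empty-password and UID 0 checks follow the passwd(4) field semantics rather than anything stated on this page.

```shell
# Added example (not from the HP manual): audit a file in /etc/passwd format
# for the conditions this chapter cares about. Usage: audit_passwd [file].
# Prints one finding per line as check:login:detail; returns 1 if any found.
audit_passwd() {
    awk -F: '
        NF != 7 { print "malformed:" NR ":expected 7 fields, got " NF; n++; next }
        # Every account must have its own UID (step 1 of the manual procedure).
        ($3 in seen) { print "dup-uid:" $1 ":UID " $3 " also used by " seen[$3]; n++ }
        { seen[$3] = $1 }
        # UID 0 is the superuser; only root should carry it.
        $3 == 0 && $1 != "root" { print "uid0:" $1 ":superuser UID on non-root account"; n++ }
        # The root shell must not be changed from /sbin/sh (IMPORTANT note above);
        # an empty shell field defaults to /sbin/sh and is fine.
        $1 == "root" && $7 != "" && $7 != "/sbin/sh" { print "root-shell:root:shell is " $7; n++ }
        # An empty password field means no password is needed to log in.
        $2 == "" { print "no-passwd:" $1 ":empty password field"; n++ }
        # ",.." only forces a choice at first login; report accounts still waiting.
        $2 == ",.." { print "unset-passwd:" $1 ":password not yet set by user"; n++ }
        # Home directories are absolute paths.
        $6 !~ /^\// { print "home:" $1 ":home directory \"" $6 "\" is not absolute"; n++ }
        END { exit n > 0 }
    ' "${1:-/etc/passwd}"
}
```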

Controlling File Access

Working groups, file permissions, and file ownership all determine who can access a given file. See also Chapter 8 “Administering a System: Managing System Security”.

Defining Group Membership

Users on your system can be divided into working groups so that files owned by members of a given group can be shared and yet remain protected from access by users who are not members of the group. A user’s primary group membership number is included as one entry in the /etc/passwd file. Group information is defined in /etc/group and /etc/logingroup.

Users who are members of more than one group, as specified in /etc/group, can change their current group with the /usr/bin/newgrp command. You do not need to use the newgrp command if user groups are defined in /etc/logingroup. If you do not divide the users of your system into separate working groups, it is customary to set up one group (usually called users) and assign all users of your system to that group.

You can use SAM to add, remove, or modify group membership.

To manually change group membership, edit /etc/group and optionally /etc/logingroup with a text editor, such as vi. Although you can enter a group-level password in /etc/group, it is not recommended. To avoid maintaining multiple files, you can link /etc/logingroup to /etc/group. For details on the /etc/group and /etc/logingroup files, see the group(4) manpage. For information on linking files, see the link(1M) manpage.

You can assign special privileges to a group of users using the /usr/sbin/setprivgrp command. For information, refer to setprivgrp(1M), setprivgrp(2), getprivgrp(1), getprivgrp(2), rtprio(2), plock(2), shmctl(2), chown(1), chown(2), lockf(2), setuid(2), and setgid(2).

Setting File Access Permissions

The /usr/bin/chmod command changes the type of access (read, write, and execute privileges) for the file’s owner, group members, or all others. Only the owner of a file (or the superuser) can change its read, write, and execute privileges. For details, see chmod(1).

By default, new files have read/write permission for everyone (-rw-rw-rw-) and new directories have read/write/execute permission for everyone (drwxrwxrwx). Default file permissions can be changed using the /usr/bin/umask command. For details, see umask(1). The default for trusted systems is different; see “Setting Up Your Trusted System”.

Setting Ownership for Files

The /usr/bin/chown command changes file ownership. To change the owner, you must own the file or have superuser privileges.

The /usr/bin/chgrp command changes file group ownership. To change the group, you must own the file or have superuser privileges.

For more information, refer to chown(1) and chgrp(1).

Setting Access Control Lists

Access control lists (ACLs) offer a finer degree of file protection than traditional file access permissions. You can use ACLs to allow or restrict file access for individual users regardless of the groups those users belong to. Only the owner of a file (or the superuser) can create ACLs.

ACLs are supported on both JFS and HFS file systems, but the commands and some of the semantics differ. On a JFS file system, use setacl(1) to set ACLs and use getacl(1) to view them. On an HFS file system, use chacl(1) to set ACLs and use lsacl(1) to view them. For a discussion of both JFS and HFS ACLs, see “Managing Access to Files and Directories”. For additional JFS ACL information see setacl(1), getacl(1), and aclv(5). For additional HFS ACL information, see lsacl(1), chacl(1), and acl(5).

NOTE: Access Control Lists are supported in JFS beginning with JFS 3.3, which is included with HP-UX 11i. You can obtain JFS 3.3 for HP-UX 11.00 from the HP Software Depot, http://software.hp.com.

To see if JFS 3.3 is installed on an HP-UX 11.00 system, run

swlist -l fileset JFS

If JFS 3.3 is installed, the output will include a list of JFS file sets. If you get an error message, JFS 3.3 is not installed.

Controlling Usage and Processes with Run-Levels

A run-level is an HP-UX state of operation in which a specific set of processes is permitted to run. These processes and default run-levels are defined in the file /etc/inittab.

The run-levels are:

Run-level s

The operating mode system administrators use (often called “single-user state”). This mode ensures that no one else is on the system while you are performing system maintenance tasks. In this run-level, the only access to the system is through the system console by the user root. The only processes running on the system can be the shell on the system console, background daemon processes started by /sbin/rc, and processes that you invoke. Commands requiring an inactive system (such as /sbin/fsck) should be run in run-level s.

Run-level 1

Starts a subset of essential system processes; can also be used to perform system administration tasks.

Run-level 2

The operating mode typically called “multiuser state”. This mode allows all users to access the system.

Run-level 3

For NFS servers. In this mode, NFS file systems can be exported, as required for NFS servers.

Run-level 4

For CDE users. In this mode, CDE is active. CDE is the default desktop on HP-UX 10.30 and later.

The default run-level is usually run-level 3 or 4, depending on your system. The default run-level for CDE is 4.

To determine the current run-level of the init process, type:

who -r

You can add to and change the sequence of processes that HP-UX starts at each run-level. See “Customizing Start-up and Shutdown”. Also see the manpage inittab(4).

You can use SAM to shut down a system and change the current run-level to single-user state. Use the “Routine Tasks” and “System Shutdown” menus.

The superuser logged in at the system console can also change the current run-level with the /sbin/init command, as follows:

  1. Warn all users who are currently logged in. Whenever the run-level of the system is changed, any process that does not have a run-level entry matching the new run-level will be killed. There is a grace period of 20 seconds after an automatic warning signal is sent.

  2. To change to run-level s, use the shutdown command.

    To change to a run-level other than run-level s, use the init command.

    See shutdown(1M) and init(1M).

CAUTION: Only use the shutdown command to change to run-level s (that is, do not specify /sbin/init s). The shutdown command safely brings your system to run-level s without leaving system resources in an unusable state. The shutdown command also allows you to specify a grace period to allow users to terminate their work before the system goes down. For example, to enter run-level s after allowing 30 seconds, enter:

shutdown 30

To shut down immediately, enter one of the following:

shutdown now
shutdown 0

Do not use run-level 0; this is a special run-level reserved for system installation.

For increased security, ensure that the permissions (and ownership) for the files /sbin/init and /etc/inittab are as follows:

-r-xr-xr-x    bin     bin             /sbin/init
-r--r--r--    bin     bin             /etc/inittab
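The rule stated above, that a run-level change kills every process whose inittab entry has no matching run-level, can be read directly from the id:rstate:action:process lines of inittab(4). The functions below are an added example, not part of the HP manual; they work on a constructed sample inittab, and inittab_default, inittab_active and inittab_killed are hypothetical names.

```shell
# Added example (not from the HP manual): read a file in the inittab(4)
# format, id:rstate:action:process, and show the effect of a run-level
# change. sample_inittab writes a constructed sample, not a real HP-UX file.
sample_inittab() {
    cat > "$1" <<'EOF'
init:3:initdefault:
ioin::sysinit:/sbin/ioinitrc >/dev/console 2>&1
sqnc::wait:/sbin/rc </dev/console >/dev/console 2>&1
cons:123456:respawn:/usr/sbin/getty console console
ttp1:234:respawn:/usr/sbin/getty -h tty0p1 9600
dtlg:4:respawn:/usr/dt/bin/dtrc
EOF
}

# Print the default run-level, taken from the initdefault entry.
inittab_default() {
    awk -F: '$3 == "initdefault" { print $2 }' "$1"
}

# inittab_active file level: id and action of each entry init runs at that
# level. An empty rstate field means the entry applies to every run-level.
inittab_active() {
    awk -F: -v lvl="$2" '
        /^[ \t]*#/ || NF < 4 || $3 == "initdefault" { next }
        $2 == "" || index($2, lvl) { print $1, $3 }' "$1"
}

# inittab_killed file level: respawn/wait/once entries whose rstate does not
# include level, i.e. the processes init terminates after the warning period.
inittab_killed() {
    awk -F: -v lvl="$2" '
        /^[ \t]*#/ || NF < 4 { next }
        $3 !~ /^(respawn|wait|once)$/ { next }
        $2 != "" && !index($2, lvl) { print $1 }' "$1"
}
```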
© 1997-2006 Hewlett-Packard Development Company, L.P.