IBM Certification Guide AIX V4.3 System Administration

13.4 User Administration Tasks

User administration creates users, defines or changes their attributes, and defines security environment for the users. These topics are discussed in the following sections.

13.4.1 Adding a New User Account

The mkuser command creates a new user account. The Name parameter must be a unique 8-byte or less string. By default, the mkuser command creates a standard user account. To create an administrative user account, specify the -a flag.

The mkuser command does not create password information for a user, and, therefore, the new accounts are disabled until the passwd command is used to add authentication information to the /etc/security/passwd file. The mkuser command only initializes the Password attribute of /etc/passwd file with an * (asterisk).

The following example shows the command to create a user account, smith with the default values in the /usr/lib/security/mkuser.default file.
```
mkuser smith
```
Alternatively, you can use SMIT:
1. Executing smitty mkuser will prompt you to a menu as shown in Figure 115.
2. Type smith for the field User NAME.
3. Press the Enter to create the user.
4. When SMIT returns an OK prompt, Press the F10 key to return to the command prompt.
  
  Figure 115: Adding a User
To create the smith account with smith as an administrator, enter:
```
mkuser -a smith
```
You must be the root user to create smith as an administrative user.
To create the smith user account and set the su attribute to a value of false enter:
```
mkuser su=false smith
```

13.4.2 Creating or Changing User Password

The passwd command will create an encrypted passwd entry in /etc/security/passwd and change the Password attribute of /etc/passwd from * to ! (exclamation).

You could also use the (SMIT) smit mkuser fast path to run this command.

The following example shows the command to change your password.
passwd
The passwd command prompts you for your old password, if it exists and you are not the root user. After you enter the old password, the command prompts you twice for the new password.
Alternatively, you can use SMIT:
1. Executing smitty passwd will prompt you to a menu as shown in Figure 116.
2. Type smith for the field User NAME.
3. Press Enter, and you will prompted to enter the new password (twice) as shown in Figure 117.
4. Enter the new password and press the Enter key.
5. When SMIT returns an OK prompt, press the F10 key to return to command prompt.
  
  Figure 116: Changing a User Password
  
  Figure 117: Entering a User Password
To change your full name in the /etc/passwd file, enter:
```
passwd -f smith
```
The passwd command displays the name stored for your user ID. For example, for login name smith, the passwd command could display the message as shown in the following example.
```
# passwd -f smith
 smith's current gecos:
                "Mr J.Smith"
 Change (yes) or (no)? > n
 Gecos information not changed.
```
If you enter a Y for yes, the passwd command prompts you for the new name. The passwd command records the name you enter in the /etc/passwd file.

13.4.3 Changing User Attributes

The chuser command changes attributes for the user identified by the Name parameter. The user name must already exist as an alphanumeric string of eight bytes or less.

Note

Do not use the chuser command if you have a Network Information Service (NIS) database installed on your system.

Note
Do not use the `chuser` command if you have a Network Information Service (NIS) database installed on your system.

Only the root user can use the chuser command to perform the following tasks:

Make a user an administrative user by setting the admin attribute to true.
Change any attributes of an administrative user.
Add a user to an administrative group.

The following examples show the use of the chuser command with various flags.

To enable user smith to access this system remotely, enter:
```
chuser rlogin=true smith
```
To change the expiration date for the smith user account to 8 a.m., 1 December, 1998, enter:
```
chuser expires=1201080098 smith
```
To add smith to the group programers, enter:
```
chuser groups=programers smith
```
Alternatively, you can go through the SMIT hierarchy by:
1. Executing smitty chuser will prompt you to a menu as shown in Figure 118.
2. Type smith for the field User NAME.
3. Use the Arrows key to highlight the Primary GROUP field and type programmer in it.
4. Press Enter.
5. When SMIT returns an OK prompt, press the F10 key to return to the command prompt.
  
  Figure 118: Changing User Characteristics

13.4.4 Displaying User Attributes

The lsuser command displays the user account attributes. You can use this command to list all attributes of all the users or all the attributes of specific users except their passwords. Since there is no default parameter, you must enter the ALL keywords to see the attributes of all the users. By default, the lsuser command displays all user attributes. To view selected attributes, use the -a List flag. If one or more attributes cannot be read, the lsuser command lists as much information as possible.

Note-NIS Users

If you have a Network Information Service (NIS) database installed on your system, some user information may not appear when you use the lsuser command.

Note-NIS Users
If you have a Network Information Service (NIS) database installed on your system, some user information may not appear when you use the `lsuser` command.

By default, the lsuser command lists each user's attributes on one line. It displays attribute information as Attribute=Value definitions each separated by a blank space. To list the user attributes in stanza format, use the -f flag. To list the information as colon-separated records, use the -c flag.

The following examples shows the use of the lsuser command with various flags.

To display the user ID and group-related information for the root account in stanza form, enter:
```
# lsuser -f -a id pgrp home root
root:
        id=0
        pgrp=system
        home=/
```
To display the user ID, groups, and home directory of smith in colon format, enter:
```
lsuser -c -a id home groups smith
```
To display all the attributes of user smith in the default format, enter:
```
lsuser smith
```
All the attribute information appears with each attribute separated by a blank space.
To display all the attributes of all the users, enter:
```
lsuser ALL
```
All the attribute information appears with each attribute separated by a blank space.
Alternatively, you can use SMIT:
1. Executing smitty lsuser, which will prompt you to a menu as shown in Figure 119.
2. Type smith for the field User NAME and press the Enter key. This will display a screen as shown in Figure 120.
3. When SMIT returns an OK prompt, press the F10 key to return to the command prompt.
  
  Figure 119: smitty users Command
  
  Figure 120: Listing User Characteristics

13.4.5 Removing a User Account

The rmuser command removes the user account identified by the Name parameter. This command removes a user's attributes without removing the user's home directory and files. The user name must already exist as a string of eight bytes or less. If the -p flag is specified, the rmuser command also removes passwords and other user authentication information from the /etc/security/passwd file.

Only the root user can remove administrative users.

The following example shows the use of the rmuser command to remove a user account smith and its attributes from the local system.
```
rmuser smith
```
To remove the user smith account and all its attributes, including passwords and other user authentication information in the /etc/security/passwd file, use the following command:
```
rmuser -p smith
```
Alternatively, you can go through the SMIT hierarchy by:
1. Executing smitty rmuser will prompt you to a menu as shown in Figure 121.
2. Type smith for the field User NAME.
3. Press the Enter key.
4. When SMIT returns an OK prompt, Press the F10 key to return to the command prompt.
  
  Figure 121: Removing a User

13.4.6 Changing Security Attributes of User

The chsec command changes the attributes stored in the security configuration stanza files. The following security configuration stanza files have attributes that you can specify with the Attribute = Value parameter.

/etc/security/environ
/etc/security/group
/etc/security/lastlog
/etc/security/limits
/etc/security/login.cfg
/usr/lib/security/mkuser.default
/etc/security/passwd
/etc/security/portlog
/etc/security/user

When modifying attributes in the /etc/security/environ, /etc/security/lastlog, /etc/security/limits, /etc/security/passwd, and /etc/security/user files, the stanza name specified by the Stanza parameter must either be a valid user name or default.

When modifying attributes in the /etc/security/group file, the stanza name specified by the Stanza parameter must either be a valid group name or default.

When modifying attributes in the /usr/lib/security/mkuser.default file, the Stanza parameter must be either admin or user.

When modifying attributes in the /etc/security/portlog file, the Stanza parameter must be a valid port name. When modifying attributes in the /etc/security/login.cfg file, the Stanza parameter must either be a valid port name, a method name, or the usw attribute.

When modifying attributes in the /etc/security/login.cfg or /etc/security/portlog files in a stanza that does not already exist, the stanza is automatically created by the chsec command.

Note

You cannot modify the password attribute of the /etc/security/passwd file using the chsec command. Instead, use the passwd command.

Note
You cannot modify the password attribute of the /etc/security/passwd file using the `chsec` command. Instead, use the `passwd` command.

The following examples show the usage of chsec command to change security stanzas in various files.

To change the /dev/tty0 port to automatically lock if five unsuccessful login attempts occur within 60 seconds, enter:
```
chsec -f /etc/security/login.cfg -s /dev/tty0 -a logindisable=5 -a logininterval=60
```
To unlock the /dev/tty0 port after it has been locked by the system, enter:
```
chsec -f /etc/security/portlog -s /dev/tty0 -a locktime=0
```
To allow logins from 8:00 a.m. until 5:00 p.m. for all users, enter:
```
chsec -f /etc/security/user -s default -a logintimes=:0800-1700
```
To change the CPU time limit of user smith to one hour (3600 seconds), enter:
```
chsec -f /etc/security/limits -s smith -a cpu=3600
```

13.4.7 Displaying Currently Logged Users

The who command displays information about all users currently on the local system. The following information is displayed: Login name, tty, and the date and time of login. Entering who am ior who am I displays your login name, tty, and the date and time you logged in. If the user is logged in from a remote machine, then the host name of that machine is displayed as well. The who command can also display the elapsed time since line activity occurred, the process ID of the command interpreter (shell), logins, logoffs, restarts, and changes to the system clock, as well as other processes generated by the initialization process.

Note

The /etc/utmp file contains a record of users logged into the system. The command who -a processes the /etc/utmp file, and if this file is corrupted or missing, no output is generated from the who command.

Note
The /etc/utmp file contains a record of users logged into the system. The command `who -a` processes the /etc/utmp file, and if this file is corrupted or missing, no output is generated from the `who` command.

The following examples show the usage of the who command with various flags.

The following example shows the command to display information about all the users who are logged on to the system.

# who
root        pts/0       Nov 17 10:20    (sv1166a.itsc.aus)
root        pts/2       Nov 23 10:45    (sv1121c.itsc.aus)
root        pts/3       Nov 23 10:48    (sv1121c)

The following example shows the command to display your user name.
```
# who am I
root        pts/3       Nov 23 10:48    (sv1121c)
```
The following shows how to display the run-level of the local system.
```
# who -r
   .        run-level 2 Nov 17 10:19      2    0    S
```

To display any active process that is currently actively and has been previously generated by init, execute the following command.

# who -p
rc              .       Nov 17 10:19    4:12      2896 id=rc
fbcheck         .       Nov 17 10:19    4:12      2898 id=fbcheck
srcmstr         .       Nov 17 10:19    4:12      2900 id=srcmstr
rctcpip         .       Nov 17 10:19    4:12      4648 id=rctcpip
rcnfs           .       Nov 17 10:19    4:12      4650 id=rcnfs
cron            .       Nov 17 10:19    4:12      4652 id=cron
piobe           .       Nov 17 10:19    4:12      4984 id=piobe
qdaemon         .       Nov 17 10:19    4:12      4986 id=qdaemon
writesrv        .       Nov 17 10:19    4:12      4988 id=writesr
uprintfd        .       Nov 17 10:19    4:12      4990 id=uprintf
pmd             .       Nov 17 10:19    4:12      8772 id=pmd
dt              .       Nov 17 10:19    4:12      9034 id=dt

13.4.8 Changing User Login Shell

The chsh command changes a user's login shell attribute. The shell attribute defines the initial program that runs after a user logs in to the system. This attribute is specified in the /etc/passwd file. By default, the chsh command changes the login shell for the user who gives the command.

The chsh command is interactive. When you run the chshcommand, the system displays a list of the available shells and the current value of the shell attribute, as shown in Figure 122. In addition to the default shells (/usr/bin/ksh, /usr/bin/sh, /usr/bin/bsh, /usr/bin/csh) your system manager may have defined more. Then, the system prompts you to change the shell. You must enter the full path name of an available shell.

If you have execute permission for the chuser command, you can change the login shell for another user.

Figure 122: chsh Command

13.4.9 Changing the Shell Prompt

The shell uses the following three prompt variables.

PS1: Prompt used as the normal system prompt.
PS2: Prompt used when the shell expects more input.
PS3: Prompt used when you have root authority.

You can change any of your prompt characters by changing the value of its shell variable. The changes to your prompts last until you log off. To make your changes permanent, place them in your .env file.

The following command shows how to display the current value of the PS1 variable.

# echo "prompt is $PS1":
prompt is $

The following example shows the command to change the prompt to Ready>:

export PS1="Ready> "

The following example shows the command to change the continuation prompt to Enter more->:

export PS2="Enter more->"

The following example shows the command to change the root prompt to Root->:

export PS3="Root-> "

13.4.10 Starting AIX Common Desktop Environment

If the AIX Common Desktop Environment is not set up to start automatically on a locally attached graphics display, you can use the following command to start the desktop from an AIX command line.

xinit /usr/dt/bin/Xsession

Using the xinit command starts the desktop without bringing up the whole desktop environment. You will bypass the login screen when you start the desktop, and when you exit, you will return to a command line rather than an AIX Common Desktop Environment login screen. You will, however, use the same desktop applications you would use had you started the desktop from the welcome screen.

You can set up the system so that the AIX Common Desktop Environment comes up automatically when you start the system, or you can start AIX Common Desktop Environment manually. You must log in as root to perform each of these tasks.

13.4.10.1 Enabling and Disabling Desktop Autostart

To enable the desktop autostart, use smit dtconfig or dtconfig -e.

To disable the desktop autostart, use smit dtconfig or dtconfig -d.

13.4.10.2 Starting AIX Common Desktop Environment Manually.

Use the following command to start the AIX Common Desktop Environment at the command line.

/usr/dt/bin/dtlogin -daemon

A Desktop Login screen will display. When you log in, you will start a desktop session.

13.4.10.3 Stopping AIX Common Desktop Environment Manually.

When you manually stop the login manager, all X servers and desktop sessions that the login manager started are stopped.

Open a terminal emulator window and log in as root.
Obtain the process ID of the Login Manager by entering the following:
```
cat /var/dt/Xpid
```
Stop the Login Manager by entering:
```
kill -term process_id
```

13.5 Error Messages