System Special Accounts

Contents

About this document
    Related documentation
Description of accounts

About this document

Traditionally, UNIX has come with a default set of system user accounts to prevent root and system from owning all system filesystems and files. As such it is never recommended to remove the account but rather set an asterick in the /etc/security/passwd for all except root. This document describes the default set of user accounts.

This document applies to all levels of AIX Version 4.

Related documentation

 Practical UNIX Security, published by O'Reilly.

The product documentation library can be accessed at the following URL:
http://www.rs6000.ibm.com/resource/aix_resource/Pubs/index.html

Description of accounts
root
Commonly called the superuser (UID 0), this is the account that system administrators log into to perform system maintenance and problem determination.



daemon
A user used to execute system server processes. This user only exists to own these processes (and the associated files) and to guarantee that they execute with appropriate file access permissions.


bin
A second system account used primarily to break up owners of important system directories and files from being solely owned by root and system. This account typically owns the executable files for most user commands.


sys
sys user owns the default mounting point for the Distributed File Service (DFS) cache which is necessary before installation and configuration of DFS on a client. /usr/sys directory can also be used to put install images.


adm
The adm user in the /etc/passwd is basically responsible for two system functions:
  1. ownership of diagnostic tools, as evidenced by the directory /usr/sbin/perf/diag_tool/
  2. accounting, as evidenced by System Accounting Directories:
    • /usr/sbin/acct
    • /usr/lib/acct
    • /var/adm
    • /var/adm/acct/fiscal
    • /var/adm/acct/nite
    • /var/adm/acct/sum

guest
Many computer centers provide accounts for visitors to play games while they wait for an appointment, or to allow them to use a modem or network connection to contact their own computer. Typically, these accounts have names like open, guest, or play.


nobody
An account used by the Network File System (NFS) product, and to enable remote printing nobody exists when a program needs to permit temporary root access to root users. For example, before turning on Secure RPC or Secure NFS, check /etc/public key on the master NIS server to see if every user has been assigned a public key and a secret key. You can create an entry in the database for a user by becoming the superuser and entering: 
	newkey -u username
You can also create an entry in the database for the special user, nobody. Users can now run the chkey program to create their own entries in the database.


uucp
UUCP is a system for transferring files and electronic mail between UNIX computers connected by telephone. When one computer dials to another computer, it must log in. Instead of logging in as root, the remote computer logs in as uucp. Electronic mail that is awaiting transmission to the remote machine is stored in directories that are readable only by the uucp user so that other users on the computer cannot read each other's personal mail.



[ Doc Ref: 95642574713466     Publish Date: Oct. 29, 2001]