System special user accounts
AIX® provides a default set of system special user accounts that prevents the root and system accounts from owning all operating system files and file systems.
Attention: Use caution when removing a system special user account. You can disable a specific account by inserting an asterisk (*) at the beginning of its corresponding line of the /etc/security/passwd file. However, be careful not to disable the root user account. If you remove system special user accounts or disable the root account, the operating system will not function.
The following accounts are predefined in the operating system:
adm
The adm user account owns the following basic system functions:
Diagnostics, the tools for which are stored in the /usr/sbin/perf/diag_tool directory.
Accounting, the tools for which are stored in the following directories:
/usr/sbin/acct
/usr/lib/acct
/var/adm
/var/adm/acct/fiscal
/var/adm/acct/nite
/var/adm/acct/sum
bin
The bin user account typically owns the executable files for most user commands. This account's primary purpose is to help distribute the ownership of important system directories and files so that everything is not owned solely by the root and sys user accounts.
daemon
The daemon user account exists only to own and run system server processes and their associated files. This account guarantees that such processes run with the appropriate file access permissions.
nobody
The nobody user account is used by the Network File System (NFS) to enable remote printing. This account exists so that a program can permit temporary root access to root users. For example, before enabling Secure RPC or Secure NFS, check the /etc/publickey file on the master NIS server to find a user who has not been assigned a public key and a secret key. As root user, you can create an entry in the database for each unassigned user by entering:
newkey -u username
Or, you can create an entry in the database for the nobody user account, and then any user can run the chkey program to create their own entries in the database without logging in as root.
root
The root user account (UID 0) is the account through which you perform system maintenance tasks and troubleshoot system problems.
sys
The sys user owns the default mounting point for the Distributed File Service (DFS) cache, which must exist before you can install or configure DFS on a client. The /usr/sys directory can also store installation images.
system
The system group is a system-defined group for system administrators. Users of the system group have the privilege to perform some system maintenance tasks without requiring root authority.
esaadmin
The Electronic Service Agent application, which automatically monitors and collects hardware problem information.
ficheck
invscout
The invscout program is "a setuid root application, installed by default under newer versions of IBM AIX, that surveys the host system for currently installed microcode or Vital Product Data (VPD)".
snapp
An extensible, XML-based application that provides a menu-driven interface for UNIX system administration tasks on a handheld.
Removing unnecessary default user accounts
During installation of the operating system, a number of default user and group IDs are created. Depending on the applications you are running on your system and where your system is located in the network, some of these user and group IDs can become security weaknesses, vulnerable to exploitation. If these users and group IDs are not needed, you can remove them to minimize security risks associated with them.
Note: You can remove unneeded users and group IDs from systems that do not undergo system updates (for example, CAPP/EAL4 systems). However, if you remove unneeded users and group IDs from AIX® systems that are updated, installation errors may occur during AIX update installations. To avoid these errors, use one of the following methods:
Instead of deleting the users, use the following command to lock those accounts so that users cannot log into the system:
chuser "account_locked=true" username
Before deleting a user, uninstall the fileset associated with that user. For example: if you plan to delete the users uucp and nuucp, remove the bos.net.uucp fileset before you delete the users.
The following table lists the most common default user IDs that you might be able to remove:
Table 1. Common default user IDs that you might be able to remove.
| User ID | Description |
| uucp, nuucp | Owner of hidden files used by the uucp protocol. The uucp user account is used for the UNIX-to-UNIX Copy Program, which is a group of commands, programs, and files, present on most AIX systems, that allows the user to communicate with another AIX system over a dedicated line or a telephone line. |
| lpd | Owner of files used by the printing subsystem |
| guest | Allows access to users who do not have access to accounts |
The following table lists common group IDs that might not be needed:
Table 2. Common group IDs that might not be needed.
| Group ID | Description |
| uucp | Group to which the uucp and nuucp users belong |
| printq | Group to which the lpd user belongs |
Analyze your system to determine which IDs are indeed not needed. There might also be additional user and group IDs that you might not need. Before your system goes into production, perform a thorough evaluation of available IDs.
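The following script is an added example, not part of the IBM documentation: it checks a copy of /etc/passwd for the removable default IDs from Table 1 and reads each one's account_locked attribute from /etc/security/user, honouring the AIX rule that an attribute missing from a user's stanza is inherited from the default stanza. The two sample files it writes are constructed; on a real host, point PASSWD_FILE and SECUSER_FILE at the live files instead.

```shell
#!/bin/sh
# Added audit example: which of uucp, nuucp, lpd, guest still exist, and are they locked?
# The sample passwd and security/user files below are constructed for the demonstration.
WORK="${TMPDIR:-/tmp}/aix_id_audit.$$"
mkdir -p "$WORK"
PASSWD_FILE="$WORK/passwd"
SECUSER_FILE="$WORK/security_user"
cat > "$PASSWD_FILE" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
uucp:!:5:5::/usr/lib/uucp:
nuucp:!:6:5:uucp login user:/var/spool/uucppublic:/usr/sbin/uucp/uucico
lpd:!:9:4294967294::/:
EOF
cat > "$SECUSER_FILE" <<'EOF'
default:
        account_locked = false

uucp:
        account_locked = true

lpd:
        login = false
EOF

# user_exists NAME PASSWD_FILE: succeeds if NAME has a passwd entry
user_exists() { grep -q "^$1:" "$2"; }

# stanza_attr NAME ATTR SECUSER_FILE: ATTR from NAME's stanza, else from the
# default stanza (AIX attribute inheritance); prints nothing if neither has it
stanza_attr() {
    awk -v u="$1" -v a="$2" '
        /^[^ \t].*:$/        { st = substr($0, 1, length($0) - 1); next }
        $1 == a && $2 == "=" { if (st == u) v = $3; else if (st == "default") d = $3 }
        END                  { print (v != "" ? v : d) }' "$3"
}

# audit_default_ids PASSWD_FILE SECUSER_FILE: one status line per candidate ID
audit_default_ids() {
    for id in uucp nuucp lpd guest; do
        if user_exists "$id" "$1"; then
            locked=$(stanza_attr "$id" account_locked "$2")
            [ "$locked" = "true" ] && state="locked" || state="NOT locked"
            echo "$id: present, $state"
        else
            echo "$id: absent"
        fi
    done
}

audit_default_ids "$PASSWD_FILE" "$SECUSER_FILE"
```

With the constructed input, uucp reports as locked, nuucp and lpd as present but NOT locked (inherited default), and guest as absent; the sample files are left under $WORK for inspection.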
Accounts created by security components
When security components such as LDAP and OpenSSH are installed or configured, user and group accounts are created.
The user and group accounts created include:
Internet Protocol (IP) Security: IP Security adds the user ipsec and the group ipsec during its installation. These IDs are used by the key management service. Note that the group ID in /usr/lpp/group.id.keymgt cannot be customized before the installation.
Kerberos and Public Key Infrastructure (PKI): These components do not create any new user or group accounts.
LDAP: When the LDAP client or server is installed, the ldap user account is created. The user ID of ldap is not fixed. When the LDAP server is installed, it automatically installs DB2®. The DB2 installation creates the group account dbsysadm. The default group ID of dbsysadm is 400. During the configuration of the LDAP server, the mksecldap command creates the ldapdb2 user account.
OpenSSH: During the installation of OpenSSH, the user sshd and group sshd are added to the system. The corresponding user and group IDs must not be changed, because the privilege separation feature in SSH requires these IDs.
We remove snapp, invscout, ipsec, lp, and uucp along with the associated packages. Why IBM still insists on installing the SNAPP package is beyond me...