AIX Security Basics

Validate Permissions and Ownership

Chapter 3 | AIX eCourse

Checking for Uneven Permissions and Access Controls

Access control is not effective if users other than the file owner have greater access permissions to system files and directories than the owner does as demonstrated in the  instance circled below. Bin/mail group has read-write-execute permissions, while /bin itself only has read-execute permissions. The group class can actually edit the files, whereas the actual owner of the file can only view them.

Review the files that come from the # ls output command listing and adjust the permissions to make sure that owners have more rights than groups and others. This can typically be fixed with the chmod command, followed by the permissions you wish a file to have. For example:

chmod 755 /bin/Mail

This gives the read-write-execute permissions to the owner and read-execute permissions to the group class and the other class.


Checking for Programs and Services with No Ownership or Invalid Ownership & Verifying Incorrect Attributes

All programs and services must have valid owners. Sometimes, when you install an application, it may list a UID (user id) for an owner that’s not really valid on the system. Additionally, unowned files and directories can be unintentionally inherited if a new user is later assigned the same UID as the UID belonging to those unowned files, giving them system rights that he or she shouldn’t have access to. You can identify unowned or improperly owned  files with the find command.

You should then trace those files to an authorized user, change the file’s owner to root, or simply delete them if you do not need them. Ensure that all the directories and files, executable and data have an identifiable owner and group name.


Checking the Mode of Network Services Daemons

Restricted permissions on daemons also protect them from unauthorized modification and possible system compromise. Permissions should be set to 755 or more restrictive. Similarly, symbolic links may be set to 777, so you will need to follow the link and modify the underlying file permissions.

Want to make sure ownership and permission settings are always accurate?

Gain complete visibility into avoidable security errors by continuously monitoring your systems against your security policy with Security Auditor, which will notify you in real time of any policy exceptions.