/etc/security/group File

Purpose

Contains extended group attributes.

Description

The /etc/security/group file contains extended group attributes. This is an ASCII file that contains a stanza for each system group. Each stanza is identified by a group name from the /etc/group file followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a new-line character as does each stanza. The file supports a default stanza. If an attribute is not defined for a group, the default value for the attribute is used.

A stanza can contain one or more of the following attributes:

Attribute       Description

adms
    Defines the group administrators. Administrators are users who can perform administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login-names. The default value is an empty string.

admin
    Defines the administrative status of the group. Possible values are:
    true
        Defines the group as administrative. Only the root user can change the attributes of groups defined as administrative.
    false
        Defines a standard group. The attributes of these groups can be changed by the root user or a member of the security group. This is the default value.

dce_export
    Allows the DCE registry to overwrite the local group information with the DCE group information during a DCE export operation. Possible values are:
    true
        Local group information will be overwritten.
    false
        Local group information will not be overwritten.

efs_initialks_mode
    Defines the initial mode of the group keystore. You can specify the following values:
    guard
        When a group keystore is in root guard mode, the keys contained in this keystore can be retrieved only with the correct access key of this keystore.
    admin
        When a keystore is in root admin mode, the keys contained in this keystore can be retrieved with the EFS (Encrypted File System) admin key.
    Notes:
      • This attribute is valid only if the system is EFS-enabled.
      • This attribute defines the initial mode of the keystore. Changing this value using the chuser command, the chgroup command, or the chsec command, or with manual editing, does not change the mode of the keystore. This attribute is used only when the keystore is created and is not used again until the keystore is deleted and a new one is created. To change the keystore mode, use the efskeymgr command.

efs_keystore_access
    Defines the group keystore location. You can specify the following values:
    none
        There is no keystore.
    file
        Keystore is stored in the /var/efs/groups/ directory.
    Note: This attribute is valid only if the system is EFS-enabled.

efs_keystore_algo
    Defines the algorithm that is used to generate the group private key. You can specify the following values:
      • RSA_1024
      • RSA_2048
      • RSA_4096
    Notes:
      • This attribute is valid only if the system is EFS-enabled.
      • Changing the value of this attribute using the chuser command, the chgroup command, or the chsec command, or with manual editing, does not regenerate the private key. This attribute is used only when the keystore is created and is not used again until the keystore is deleted and a new one is created. To change the algorithm for the keys, use the efskeymgr command.

projects
    Defines the list of projects that the user's processes can be assigned to. The value is a list of comma-separated project names and is evaluated from left to right. The project name should be a valid project name as defined in the system. If an invalid project name is found in the list, it will be reported as an error by the group commands.
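To make the stanza rules concrete, here is an added Python example (not part of the AIX documentation) that parses a constructed /etc/security/group-style text, fills in values from the default stanza, and reports adms lists that the admin = true rule makes ineffective. The "name:" line pattern, the sample groups and the finding text are assumptions for illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the stanza format described above (not from a real system).
SAMPLE = """\
default:
        admin = false
        efs_keystore_access = none

security:
        admin = true
        adms = cjf

finance:
        admin = false
        adms = cjf, scott, sah
        projects = payroll, audit
"""
STANZA_RE = re.compile(r"^(\S+):\s*$")   # assumed: "name:" alone on a line opens a stanza

def parse_group_file(text: str) -> Dict[str, Dict[str, str]]:
    """Return {group: {attribute: value}}, filling in values from the default stanza."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank lines carry no attributes
        m = STANZA_RE.match(line)
        if m:                             # start of a new stanza
            current = m.group(1)
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed line outside a stanza: {line!r}")
        key, _, value = line.partition("=")   # Attribute=Value, whitespace tolerated
        stanzas[current][key.strip()] = value.strip()
    defaults = stanzas.pop("default", {})
    return {g: {**defaults, **attrs} for g, attrs in stanzas.items()}

def effective_admins(attrs: Dict[str, str]) -> List[str]:
    """adms is ignored when admin = true: only root may change such a group."""
    if attrs.get("admin", "false") == "true":
        return []
    return [u.strip() for u in attrs.get("adms", "").split(",") if u.strip()]

def review(groups: Dict[str, Dict[str, str]]) -> List[str]:
    """Flag adms lists that the system will silently ignore."""
    return [f"{g}: adms is set but ignored because admin = true"
            for g, a in groups.items() if a.get("admin") == "true" and a.get("adms")]
```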

For a typical stanza, see the "Examples" section.

You should access the /etc/security/group file through the system commands and subroutines defined for this purpose. You can use the following commands to manage groups:

  • mkgroup
  • chgroup
  • chgrpmem
  • lsgroup
  • rmgroup

The mkgroup command adds new groups to the /etc/group file and the /etc/security/group file. Use this command to create an administrative group. You can also use the mkgroup command to set the group administrator.

Use the chgroup command to change all the attributes. If you are an administrator of a standard group, you can change the adms attribute for that group with the chgrpmem command.

The lsgroup command displays both the adms and the admin attributes. The rmgroup command removes the entry from both the /etc/group file and the /etc/security/group file.

To write programs that affect attributes in the /etc/security/group file, use the subroutines listed in Related Information.

Security

Access Control: This file should grant read (r) access to the root user and members of the security group, and to others as permitted by the security policy for the system. Only the root user should have write (w) access.

Auditing Events:

Event             Information
S_GROUP_WRITE     file name

Examples

A typical stanza looks like the following example for the finance group:

finance:
          admin = false
          adms = cjf, scott, sah

Files

Item                          Description
/etc/security/group           Specifies the path to the file.
/etc/group                    Contains the basic attributes of groups.
/etc/passwd                   Contains the basic attributes of users.
/etc/security/passwd          Contains password information.
/etc/security/user            Contains the extended attributes of users.
/etc/security/environ         Contains the environment attributes of users.
/etc/security/limits          Contains the process resource limits of users.
/etc/security/audit/config    Contains audit system configuration information.
/etc/security/lastlog         Contains last login information.