/etc/security/group File

Purpose

Contains extended group attributes.

Description

The /etc/security/group file contains extended group attributes. This is an ASCII file that contains a stanza for each system group. Each stanza is identified by a group name from the /etc/group file followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a new-line character as does each stanza. The file supports a default stanza. If an attribute is not defined for a group, the default value for the attribute is used.

A stanza can contain one or more of the following attributes:

Attribute Description
adms Defines the group administrators. Administrators are users who can perform administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login-names. The default value is an empty string.
admin Defines the administrative status of the group. Possible values are:
true
Defines the group as administrative. Only the root user can change the attributes of groups defined as administrative.
false
Defines a standard group. The attributes of these groups can be changed by the root user or a member of the security group. This is the default value.
dce_export Allows the DCE registry to overwrite the local group information with the DCE group information during a DCE export operation. Possible values are:
true
Local group information will be overwritten.
false
Local group information will not be overwritten.
efs_initialks_mode Defines the initial mode of the group keystore. You can specify the following values:
guard
When a group keystore is in root guard mode, the keys contained in this keystore can be retrieved only with the correct access key of this keystore.
admin
When a keystore is in root admin mode, the keys contained in this keystore can be retrieved with the EFS (Encrypted File System) admin key.
Notes:
  • This attribute is valid only if the system is EFS-enabled.
  • This attribute defines the initial mode of the keystore. Changing this value using the chuser command, the chgroup command, or the chsec command, or with manual editing, does not change the mode of the keystore. This attribute is used only when the keystore is created and is not used again until the keystore is deleted and a new one is created. To change the keystore mode, use the efskeymgr command.
efs_keystore_access Defines the group keystore location. You can specify the following values:
none
There is no keystore.
file
Keystore is stored in the /var/efs/groups/ directory.
Note: This attribute is valid only if the system is EFS-enabled.
efs_keystore_algo Defines the algorithm that is used to generate the group private key. You can specify the following values:
  • RSA_1024
  • RSA_2048
  • RSA_4096
Notes:
  • This attribute is valid only if the system is EFS-enabled.
  • Changing the value of this attribute using the chuser command, the chgroup command, or the chsec command, or with manual editing, does not regenerate the private key. This attribute is used only when the keystore is created and is not used again until the keystore is deleted and a new one is created. To change the algorithm for the keys, use the efskeymgr command.
projects Defines the list of projects that the user's processes can be assigned to. The value is a list of comma-separated project names and is evaluated from left to right. The project name should be a valid project name as defined in the system. If an invalid project name is found in the list, it will be reported as an error by the group commands.

For a typical stanza, see the "Examples" section:

You should access the /etc/security/group file through the system commands and subroutines defined for this purpose. You can use the following commands to manage groups:

The mkgroup command adds new groups to the /etc/group file and the /etc/security/group file. Use this command to create an administrative group. You can also use the mkgroup to set the group administrator.

Use the chgroup command to change all the attributes. If you are an administrator of a standard group, you can change the adms attribute for that group with the chgrpmem command.

The lsgroup command displays both the adms and the admin attributes. The rmgroup command removes the entry from both the /etc/group file and the /etc/security/group file.

To write programs that affect attributes in the /etc/security/group file, use the subroutines listed in Related Information.

Security

Access Control: This file should grant read (r) access to the root user and members of the security group, and to others as permitted by the security policy for the system. Only the root user should have write (w) access.

Auditing Events:

Event Information
S_GROUP_WRITE file name

Examples

A typical stanza looks like the following example for the finance group:

finance:
          admin = false
          adms = cjf, scott, sah   

Files

Item Description
/etc/security/group Specifies the path to the file.
/etc/group Contains the basic attributes of groups.
/etc/passwd Contains the basic attributes of users.
/etc/security/passwd Contains password information.
/etc/security/user Contains the extended attributes of users.
/etc/security/environ Contains the environment attributes of users.
/etc/security/limits Contains the process resource limits of users.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/lastlog Contains last login information.