Prevent root and system from owning all system filesystems and files in Unix

Traditionally, UNIX has come with a default set of system user accounts so that root and system do not own every system filesystem and file. As such it is never recommended to remove these accounts; instead, set an asterisk as the password in
/etc/security/passwd for all of them except root, so that none of them can be logged into. This document describes the default set of user accounts.

This document applies to all levels of AIX Version 4.

Related documentation
Practical UNIX Security, published by O’Reilly.
The product documentation library can be accessed at the following URL:


Description of accounts

– root

Commonly called the superuser (UID 0), this is the account that system administrators log into to perform system maintenance and problem determination.

– daemon

A user used to execute system server processes. This user exists only to own those processes (and their associated files) and to guarantee that they execute with appropriate file access permissions.

– bin

A second system account, used primarily so that important system directories and files are not owned solely by root and system. This account typically owns the executable files for most user commands.

– sys

The sys user owns the default mount point for the Distributed File Service (DFS) cache, which must exist before DFS is installed and configured on a client. The /usr/sys directory can also be used to hold install images.

– adm

The adm user in /etc/passwd is basically responsible for two system functions:

1. ownership of diagnostic tools, as evidenced by the directory

2. accounting, as evidenced by the system accounting directories:

– guest

Many computer centers provide accounts for visitors to play games while they wait for an appointment, or to allow them to use a modem or network connection to contact their own computer. Typically, these accounts have names like open, guest, or play.

– nobody

An account used by the Network File System (NFS) product and to enable remote printing. nobody exists so that a program can run under a UID that owns nothing: NFS maps requests arriving from a remote root to nobody, so a root user on a client does not get root privileges on the server. For example, before turning on Secure RPC or Secure NFS, check /etc/publickey on the master NIS server to see whether every user has been assigned a public key and a secret key. You can create an entry in the database for a user by becoming the superuser and entering:

newkey -u username

You can also create an entry in the database for the special user, nobody.
Users can now run the chkey program to create their own entries in the database.

– uucp

UUCP is a system for transferring files and electronic mail between UNIX computers connected by telephone. When one computer dials another computer, it must log in. Instead of logging in as root, the remote computer logs in as
uucp. Electronic mail that is awaiting transmission to the remote machine is stored in directories that are readable only by the uucp user, so that other users on the computer cannot read each other's personal mail. On a machine that does not use UUCP the account should be locked like the others.
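The lock check recommended at the top of this section, as an added shell example (not from the original document): it reads an /etc/security/passwd style stanza file and lists every account other than root whose password field is not the asterisk lock marker. The stanza file below is constructed, with made-up hashes.

```sh
#!/bin/sh
# Added example (not from the original document): audit /etc/security/passwd
# on AIX and report system accounts whose password field is anything other
# than the "*" lock marker.  Per the recommendation above, only root is
# expected to keep a real password hash.

# Reads an /etc/security/passwd style stanza file on stdin and prints one
# line per account (other than root) that is not locked, sorted by name.
audit_system_accounts() {
    awk '
        # A stanza header is the account name followed by a colon, at the
        # start of the line ("daemon:").
        /^[^ \t#][^ \t]*:[ \t]*$/ {
            user = $0; sub(/:.*$/, "", user)
            seen[user] = 1; pw[user] = ""; next
        }
        # Inside a stanza, pick up the "password = value" attribute.
        user != "" && $1 == "password" {
            val = $0
            sub(/^[ \t]*password[ \t]*=[ \t]*/, "", val)
            sub(/[ \t]*$/, "", val)
            pw[user] = val
        }
        END {
            for (u in seen) {
                if (u == "root") continue
                # An empty field is worse than a hash: no password at all.
                if (pw[u] != "*")
                    print u, "password=" (pw[u] == "" ? "<empty>" : pw[u])
            }
        }' | sort
}

# Constructed sample stanza file; the hashes are made up.
SAMPLE_SECURITY_PASSWD='root:
        password = xK1.QeT9v7Z2k
        lastupdate = 1140000000
        flags = ADMCHG

daemon:
        password = *

bin:
        password = *

guest:
        password =

uucp:
        password = 2a/Q9jB3hYwz6
        lastupdate = 1140000000'

# guest (empty password field) and uucp (real hash) are the ones reported.
printf '%s\n' "$SAMPLE_SECURITY_PASSWD" | audit_system_accounts
```

Run it as root against the live file with audit_system_accounts < /etc/security/passwd. Anything it lists is a system account that can still authenticate with a password. On AIX, chuser account_locked=true <user> goes one step further than the asterisk and refuses logins to the account altogether, which is the better choice for accounts that exist only to own files.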

Linux Setfacl and getfacl setup and mount file system with acl

Mount the filesystem with the acl option (run as root). A remount only lasts until the next boot; to make it permanent, add acl to the filesystem's options in /etc/fstab as well, and confirm with mount that the option took:

$ mount -o remount,acl /oracle

$ mount

/dev/mapper/VG0-LV1 on / type ext3 (rw)
none on /proc type proc (rw)
none on /sys type sysfs (rw)
none on /dev/pts type devpts (rw,gid=5,mode=620)
usbfs on /proc/bus/usb type usbfs (rw)
/dev/sda1 on /boot type ext3 (rw)
none on /dev/shm type tmpfs (rw)
/dev/mapper/VG0-LV4 on /dump type ext3 (rw)
/dev/mapper/VG0-LV2 on /oracle type ext3 (rw,acl)
/dev/mapper/VG0-LV3 on /usr type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)
sunrpc on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)

Granting an additional user read access

$ setfacl -m u:lisa:r file

Revoking write access from all groups and all named users (using the effective rights mask)

$ setfacl -m m::rx file

Removing a named group entry from a file’s ACL

$ setfacl -x g:staff file

Copying the ACL of one file to another

Method 1 (did not work in my cygwin install):

$ getfacl file1 | setfacl --set-file=- file2

Method 2 (the -f form is what the Cygwin and Solaris setfacl accept; the Linux setfacl has no -f, so use setfacl --set-file=acls.txt file2 there):

$ getfacl file1 > acls.txt
$ setfacl -f acls.txt file2

Copying the access ACL into the Default ACL (a directory's default ACL is inherited by files and subdirectories created in it afterwards; it does not change anything that already exists)

$ getfacl --access dir | setfacl -d -M- dir
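The effective-rights mask used above is easy to misread: the permissions shown for a named user or group are not what that user gets once a mask is in place. The following shell function, an added example not from the original page, recomputes what each entry is worth after the mask, the same way getfacl's #effective: annotation does. It runs on a constructed getfacl listing, so it needs no ACL-enabled filesystem; the only assumption is getfacl's text format.

```sh
#!/bin/sh
# Added example (not from the original document): show what each ACL entry
# is actually worth once the effective-rights mask is applied, the way the
# kernel evaluates it and getfacl's "#effective:" annotation reports it.
# Only getfacl's text format (tag:qualifier:perms lines) is assumed.

# Reads getfacl output on stdin; re-prints every entry, appending
# "#effective:..." where the mask reduces the entry's permissions.
acl_effective() {
    awk -F: '
        /^#/ || NF == 0 { next }             # header comments, blank lines
        { entry[++n] = $0 }
        $1 == "mask" { mask = $3 }           # mask may follow the entries it affects
        END {
            for (i = 1; i <= n; i++) {
                split(entry[i], f, ":")
                tag = f[1]; qual = f[2]; perm = f[3]
                # The mask applies to named users, the owning group and named
                # groups.  The owner, "other" and "default:" entries pass through.
                masked = (tag == "user" && qual != "") || tag == "group"
                if (!masked || mask == "") { print entry[i]; continue }
                eff = ""
                for (j = 1; j <= 3; j++) {
                    c = substr(perm, j, 1); m = substr(mask, j, 1)
                    eff = eff ((c != "-" && m != "-") ? c : "-")
                }
                if (eff == perm) print entry[i]
                else printf "%s\t#effective:%s\n", entry[i], eff
            }
        }'
}

# Constructed getfacl listing: lisa was granted rw and staff rwx, then the
# mask was tightened with "setfacl -m m::rx file".
SAMPLE_ACL='# file: file
# owner: root
# group: root
user::rw-
user:lisa:rw-
group::r-x
group:staff:rwx
mask::r-x
other::---'

printf '%s\n' "$SAMPLE_ACL" | acl_effective
```

Pipe real output into it with getfacl file | acl_effective. If an entry you granted with setfacl -m u:lisa:rw file shows #effective:r--, the mask is the reason, not a missing entry. Note that the Linux setfacl recalculates the mask after every -m unless -n is given, so a mask you tightened on purpose must be re-applied (or -n used) after later entries are added.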

using fuser Instead of ps

Here is an alternative way to get the process ID (PID) of every process that has a particular file (or executable) open. The fuser command is more direct than searching ps output, which also matches the grep itself, and can be quicker.

/usr/sbin/fuser files

/usr/sbin/fuser /bin/bash

The fuser command outputs the PIDs of all processes that currently have the named file open. If a directory is passed to fuser, the PIDs of all processes that have a file open in that directory are displayed. The files passed must be fully qualified (absolute paths) for the command to function properly; if they are not, the proper syntax is displayed on standard output.
There is one caveat to using this command on AIX and other System V derived systems: you must have read access to /dev/kmem and /dev/mem, because fuser takes a snapshot of the kernel image found in these character devices at the time it is executed. (The Linux fuser from psmisc reads /proc instead; it needs no special access, but it only reports other users' processes when run as root.)

# fuser /bin/bash
/bin/bash: 1034t 1106t

The t at the end of each PID denotes that the process has the file open as its executable text segment (the Linux fuser prints e for the same thing).
The fuser command has an option (-k) that sends a signal to each PID. Note that the signal is SIGKILL, on both AIX and Linux, so the processes get no chance to clean up (the Linux fuser accepts -k -TERM to send SIGTERM instead, and -i to ask before each kill), and that fuser -k /bin/bash includes the bash you are typing into if that is your shell. So, to kill all the bash processes, execute the following simple command:

# fuser -k /bin/bash
/bin/bash: 1034t 1106t

This replaces the following set of commands you would use a number of times throughout the day:
# ps -ef | grep bash

root 1033 1034 1 17:54:02 pts/1 0:00 /bin/bash
root 1216 1217 1 17:54:16 pts/1 0:00 grep bash
root 1090 1091 0 Aug 09 pts/2 0:00 /bin/bash
# kill 1033 1090

If several processes make up an application you run in your environment, you can easily write a script to kill the application and all the daemons associated with it. Suppose an application lives in /sbin called bsr. It has several daemons that run independently from bsr, such as bsrqqd, bsrexecd, and bsrojbd. You can write a quick-and-dirty script to kill the entire application by using fuser:

#! /bin/sh
fuser -k /sbin/bsr
fuser -k /sbin/bsrqqd
fuser -k /sbin/bsrexecd
fuser -k /sbin/bsrojbd
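A safer shape for that script, as an added example (not from the original page): it still finds the processes with fuser, but sends SIGTERM first, escalates to SIGKILL only for processes still alive after a grace period, and never signals the shell it runs in. The fuser output parser accepts both the AIX/Solaris format and the Linux psmisc format. /sbin/bsr and its daemon names are the hypothetical application from the text above.

```sh
#!/bin/sh
# Added example (not from the original document): a safer version of the
# "kill everything running this binary" script above.  It still relies on
# fuser to find the processes, but sends SIGTERM first, escalates to SIGKILL
# only for survivors, and never signals the shell running the script, which
# "fuser -k /bin/bash" would do when run from bash.

# Normalise fuser's output into a plain PID list.  Handles the AIX/Solaris
# form "/bin/bash: 1034t 1106t" (or "1034t1106t") and the Linux psmisc form,
# which prints the path and access letters on stderr and bare PIDs on stdout.
fuser_pids() {
    sed 's/^[^:]*://' | tr -c '0-9\n' ' ' | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# Usage: kill_by_path /path/to/binary [grace_seconds]
kill_by_path() {
    bin=$1; grace=${2:-5}
    [ -f "$bin" ] || { echo "kill_by_path: no such file: $bin" >&2; return 1; }
    command -v fuser >/dev/null 2>&1 || { echo "kill_by_path: fuser not found" >&2; return 1; }
    pids=$(fuser "$bin" 2>&1 | fuser_pids)
    targets=""
    for p in $pids; do
        # Skip this script's shell and the shell that invoked it.
        [ "$p" = "$$" ] || [ "$p" = "$PPID" ] || targets="$targets $p"
    done
    [ -n "$targets" ] || return 0
    kill -TERM $targets 2>/dev/null
    sleep "$grace"
    for p in $targets; do
        # kill -0 only tests whether the process still exists.
        kill -0 "$p" 2>/dev/null && kill -KILL "$p" 2>/dev/null
    done
    return 0
}

# Bring down the whole application, main binary and daemons alike, each
# given ten seconds to exit cleanly.  Nothing runs unless paths are given:
#   sh kill_app.sh /sbin/bsr /sbin/bsrqqd /sbin/bsrexecd /sbin/bsrojbd
for b in "$@"; do
    kill_by_path "$b" 10
done
```

Because fuser is path based, it only catches processes whose executable is that exact file; a daemon started from a copy or from a different path will not be listed, so confirm with fuser -v (Linux) or ps afterwards.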

kernel parameter setup for Solaris 10

Generally speaking, information on setting kernel parameters in Solaris 10 is limited. There is a new project file, /etc/project, that is used to set kernel parameters (or, more generally, resource controls) in the Solaris 10 Operating System.

Basics on /etc/project
1. Specifying a limit in the /etc/project file extends that limit to all processes belonging to the project.

2. Below is an example of an /etc/project file containing IPC settings for both the oracle_oltp and oracle_dss projects. Note that each project is one (1) single line with no line break; it is only broken up here for readability. The attribute fields carry the limits described after them (the semaphore limit is written as process.max-sem-nsems, the resource control this document uses for semaphores in the conversion example below):

oracle_oltp:100:Oracle OLTP:oracle::project.max-shm-memory=(privileged,51539607552,deny);process.max-sem-nsems=(privileged,300,deny)
oracle_dss:101:Oracle DSS:oracle::project.max-shm-memory=(privileged,17179869184,deny)

This sets a limit of 48GB (51539607552 bytes) of shared memory and 300 semaphores per set for all processes in the oracle_oltp project, and a 16GB (17179869184 bytes) shared memory limit for all processes in the oracle_dss project.

3. The recommended method for modifying the /etc/project file is to use the "proj*" commands, such as projadd(1) for creating a project and projmod(1) for modifying a project, rather than editing the file by hand; they check the syntax before writing it.
Examples of projadd and projmod

a.) # projadd -c "Oracle" ''
b.) # projmod -s -K "project.max-shm-memory=(privileged,6GB,deny)" ''

4. Resource Control assignments made in this way (in the /etc/project file) are permanent, and will survive a system re-boot. This is covered in much more detail in the example section below.

5. There is also an "on-the-fly" way to temporarily set Resource Control assignments using the prctl(1) command. However, unlike the /etc/project file, assignments made with prctl do not survive a system re-boot. Again, this is covered in much more detail in the example section below.

6. Oracle support encourages the use of the "id -p" command. It shows the project of the current shell (or, given a user name, that user's default project). If the limits (such as kernel parameters) that you establish for a particular user do not seem to apply, "id -p" will show whether the user is actually running in the project you configured; processes that were already running when the project was changed keep their old project and must be restarted (or started with newtask -p <project>) to pick up the new one.

Questions and Answers
Q1: Why can’t we just set them the old way?
A1: Actually, you can. While it is not the preferred method, kernel parameter values specified in /etc/system are still honored, with some caveats:
* Values in /etc/system must be greater than the new default values of Solaris 10; otherwise the larger default is what takes effect.
* Any kernel parameters tunables that are obsolete in Solaris 10 are ignored.
* Values specified in /etc/system are global and affect all processes on the system
* If you use /etc/system to set IPC rctl values, you must reboot the system for them to take effect.
Real World Examples – Permanently Setting Kernel Parameters
After upgrading a system from Solaris 9 to Solaris 10, it was decided that the new IPC resource control assignment should be used.
The old /etc/system file contained values that were suitable for the Oracle installation on the system, but these values were too large for average users. The assumption is that all Oracle processes are run under the ‘oracle’ user.
The contents of the /etc/system file, as pertaining to IPC:
% /bin/egrep "semsys:|shmsys:|msgsys:" /etc/system

set semsys:seminfo_semmni=100 << see A.) below
set semsys:seminfo_semmns=1024
set semsys:seminfo_semmsl=256 << see B.) below
set semsys:seminfo_semvmx=32767
set shmsys:shminfo_shmmax=4294967295 << see C.) below
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=256 << see D.) below
set shmsys:shminfo_shmseg=10
Immediately, these lines can be ignored as the tunables are removed in Solaris 10:
set semsys:seminfo_semmns=1024
set semsys:seminfo_semvmx=32767
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmseg=10

The remaining lines need to have resource controls set up for them. To do so, the first step is that a project must be created. Since all Oracle processes are run under the oracle user ID, the project is tied to that user. For more details on special projects, consult the Solaris OS project(4) man page or the Resource Management Guide.
# projadd -c "Oracle" ''

A.) Once the project is created, we will assign resource controls corresponding to the remaining lines of the old /etc/system file that need to be "converted". The first line is:
set semsys:seminfo_semmni=100
Since this "100" value is less than the new Solaris 10 default for project.max-sem-ids of "128", we could either artificially lower the value to 100 with a specific resource control, or accept the new Solaris 10 default value by simply ignoring the old /etc/system line. We chose to simply ignore it.

B.) The next line of the old /etc/system file that needs to be "converted" to a resource control is:
set semsys:seminfo_semmsl=256
Again, this value is less than the new Solaris 10 default value for process.max-sem-nsems of 512. In this case, however, we wish to artificially limit Oracle to only 256 semaphores per set, so we convert this old /etc/system line to a resource control assignment as follows:
# projmod -s -K "process.max-sem-nsems=(privileged,256,deny)" ''

C.) The next line of the old /etc/system file that needs to be "converted" to a resource control is:
set shmsys:shminfo_shmmax=4294967295
This system has 8GB of memory. Therefore, this value (4GB, in bytes) is larger than the new Solaris 10 OS default value for project.max-shm-memory of "1/4 physmem" (2GB here), so another resource control assignment must be created:
# projmod -s -K "project.max-shm-memory=(privileged,4GB,deny)" ''

D.) The final line of the old /etc/system file that needs to be "converted" to a resource control is:
set shmsys:shminfo_shmmni=256
Again, this value is larger than the new default for project.max-shm-ids (128), so another resource control assignment needs to be created:
# projmod -s -K "project.max-shm-ids=(privileged,256,deny)" ''
Since there are no more lines from /etc/system that pertain to IPC, we remove the old lines (keeping a copy of the original file):
# /bin/cp /etc/system /etc/system.solaris9
# /bin/egrep -v "semsys:|shmsys:|msgsys:" /etc/system > /etc/system.solaris10
# /bin/mv /etc/system.solaris10 /etc/system
Now, before I show you our final /etc/project file, please allow me to emphasize that the project entry below is one (1) single line with no line break; it is only broken up here for readability. The start of the line, up to the first attribute, is masked in this copy:

# cat /etc/project
************************,256,deny);project.max-shm-ids=(privileged,256,deny);project.max-shm-memory=(privileged,4294967296,deny)

Real World Examples – Temporarily Setting Kernel Parameters
Resource controls can also be set "on the fly" using prctl(1). Unlike the /etc/project file, resource assignments made in this way will NOT survive a system re-boot.
The syntax of prctl(1) can, at first, seem complex. Some common usages are:
# prctl -i process <pid>
to list all resource controls for process <pid>
# prctl -i project <project>
to list all resource controls for project <project>
# prctl -n <rctl> -i process <pid>
lists only the resource control named <rctl> for process <pid>
# prctl -n <rctl> -r -v <value> -i process <pid>
replaces (-r) the named rctl setting with the value <value> for process <pid>
Unlike the /etc/project file, prctl allows the use of “scale factors” to simplify resource control management.
Values specified with the -v switch can be “human readable” values such as 48GB instead of the 51539607552 bytes required in the project database.
For example, assuming the preceding /etc/project file we can check the values for the Shared Memory setting for the oracle_dss project:
% prctl -n project.max-shm-memory -i project oracle_dss
project: 101: oracle_dss
privileged 16.0GB - deny -
system 16.0EB max deny -
Should we need to temporarily increase the setting to 24GB:
% prctl -n project.max-shm-memory -r -v 24GB -i project oracle_dss
% prctl -n project.max-shm-memory -i project oracle_dss
project: 101: oracle_dss
privileged 24.0GB - deny -
system 16.0EB max deny -
Raising a privileged value this way needs root (the sys_resource privilege).

The prctl(1) man page and System Administration Guide:
Solaris Containers-Resource Management and Solaris Zones provide several useful examples as well.
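The A.) to D.) decisions above follow a fixed mapping from old tunable to new resource control, so they can be scripted. The following shell script is an added example, not from the original document: it reads the IPC lines of an old /etc/system, prints the projmod command for each tunable that has a Solaris 10 equivalent (annotated when the old value is at or below the Solaris 10 default quoted on this page, so that line is optional), and flags tunables with no equivalent for manual review. It also carries out the byte conversion the page mentions: the project database needs 51539607552 where prctl accepts 48GB. The project name user.oracle is an assumption, and the sample /etc/system content is copied from the example above.

```sh
#!/bin/sh
# Added example (not from the original document): automate the /etc/system
# -> resource-control conversion walked through in steps A.) to D.) above.
# Each old IPC tunable is mapped to its Solaris 10 rctl; the old value is
# compared with the Solaris 10 default quoted on this page; tunables with no
# rctl equivalent are flagged for manual review instead of being deleted.
# The project name "user.oracle" is an assumption.

# Human-readable size (what prctl accepts, e.g. 48GB) -> bytes (what the
# /etc/project database requires, e.g. 51539607552).  Plain numbers pass.
to_bytes() {
    num=$(printf '%s' "$1" | sed 's/[^0-9].*$//')
    unit=$(printf '%s' "$1" | sed 's/^[0-9]*//' | tr 'a-z' 'A-Z')
    case $unit in
        ""|B)  mult=1 ;;
        K|KB)  mult=1024 ;;
        M|MB)  mult=1048576 ;;
        G|GB)  mult=1073741824 ;;
        T|TB)  mult=1099511627776 ;;
        *) echo "to_bytes: unknown unit '$unit' in $1" >&2; return 1 ;;
    esac
    echo $((num * mult))
}

# Build one rctl attribute: NAME PRIVILEGE VALUE ACTION -> name=(priv,bytes,action)
rctl_attr() {
    bytes=$(to_bytes "$3") || return 1
    printf '%s=(%s,%s,%s)\n' "$1" "$2" "$bytes" "$4"
}

# Old /etc/system tunable -> "rctl default" (defaults as quoted on this page).
# Returns 1 for tunables that have no resource-control equivalent.
rctl_for() {
    case $1 in
        semsys:seminfo_semmni) echo "project.max-sem-ids 128" ;;
        semsys:seminfo_semmsl) echo "process.max-sem-nsems 512" ;;
        shmsys:shminfo_shmmni) echo "project.max-shm-ids 128" ;;
        shmsys:shminfo_shmmax) echo "project.max-shm-memory physmem/4" ;;
        msgsys:msginfo_msgmni) echo "project.max-msg-ids 128" ;;
        *) return 1 ;;
    esac
}

# Reads "set tunable=value" lines on stdin; prints projmod commands for
# project $1, or a review note for tunables that cannot be converted.
convert_system() {
    proj=$1
    while IFS= read -r line; do
        case $line in set\ *) ;; *) continue ;; esac
        kv=${line#set }; kv=${kv%% *}          # drop trailing "<< see A.)" notes
        name=${kv%%=*}; val=${kv#*=}
        if spec=$(rctl_for "$name"); then
            set -- $spec                         # $1 = rctl name, $2 = default
            note=""
            case $2 in
                [0-9]*) if [ "$val" -le "$2" ]; then
                            note="   # at or below Solaris 10 default $2: optional"
                        fi ;;
                *) note="   # Solaris 10 default is $2" ;;
            esac
            echo "projmod -s -K \"$(rctl_attr "$1" privileged "$val" deny)\" $proj$note"
        else
            echo "# $name=$val: no Solaris 10 resource control; review before deleting it"
        fi
    done
}

# The IPC lines of the old /etc/system shown earlier on this page.
OLD_SYSTEM_IPC='set semsys:seminfo_semmni=100
set semsys:seminfo_semmns=1024
set semsys:seminfo_semmsl=256
set semsys:seminfo_semvmx=32767
set shmsys:shminfo_shmmax=4294967295
set shmsys:shminfo_shmmin=1
set shmsys:shminfo_shmmni=256
set shmsys:shminfo_shmseg=10'

printf '%s\n' "$OLD_SYSTEM_IPC" | convert_system user.oracle
```

Review the output before running any of it: the script cannot know that the administrator wanted to keep the 256-semaphore limit in step B.), so every line marked optional is a decision, not a recommendation. The projmod lines carry the exact byte values the /etc/project file stores; projmod itself also accepts the 4GB form used above.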

How to find the Windows process using a port

netstat -an | find /i "listening"
netstat -an | find /i "established"
netstat -ao | find /i "listening"

1. netstat -aon | findstr ""

This shows whether the specified port is in use. The number in the last column is the process id (PID) of the process holding the socket. Once the PID is determined, refer to Windows Task Manager (or tasklist /FI "PID eq <pid>", or the Sysinternals pslist shown below) to determine which application corresponds to the PID. Be aware that findstr matches the digits anywhere on the line, including in the foreign address and the PID column, so check that the hit is in the Local Address column; netstat -aonb, run as Administrator, prints the executable name with each socket.

Windows Example

C:>netstat -aon | findstr “4557”

C:>pslist 5678

pslist v1.28 - Sysinternals PsList
Copyright (C) 2000-2004 Mark Russinovich

Process information for MACHINENAME:

Name     Pid   Pri  Thd  Hnd  Priv   CPU Time      Elapsed Time
oracle   5678  8    15   366  34512  0:00:02.859   12:02:09.424

How to trace port in AIX

1. netstat -Aan | grep <port>
– This shows whether the specified port is in use. The hex number in the first column is the address of the protocol control block (PCB), which is the handle rmsock needs.

bash-3.00# netstat -Aan | grep 32775
f100060000942398 tcp4       0      0  *.32775            *.*                LISTEN

2. rmsock tcpcb
– This shows the process who is holding the socket. Note that this command must be run as root.

bash-3.00# rmsock f100060000942398  tcpcb
The socket 0x942008 is being held by Kernel/Kernel Extension.

AIX Example

1. bash-3.00# netstat -An | grep 1522

f100060002e69b98 tcp4       0      0   ESTABLISHED
f100060001ecbb98 tcp4       0      0   ESTABLISHED
f100060003ae2398 tcp4       0      0   ESTABLISHED
f100060003a13b98 tcp4       0      0   ESTABLISHED
f100060003f7cb98 tcp4       0      0   ESTABLISHED
f100060003f28b98 tcp4       0      0   ESTABLISHED
f100060002eb7398 tcp4       0      0   ESTABLISHED
f100060003e09398 tcp4       0      0   ESTABLISHED
f100060003bf0b98 tcp4       0      0   ESTABLISHED
f100060003a22398 tcp4       0      0   ESTABLISHED
f100060003e27398 tcp4       0      0   ESTABLISHED
f1000600003e2398 tcp4       0      0   ESTABLISHED
f100060003be3398 tcp4       0      0   ESTABLISHED
f100060000356398 tcp4       0      0   ESTABLISHED
f100060003925398 tcp4       0      0   TIME_WAIT
f1000600039a4398 tcp4       0      0   TIME_WAIT
f100060003c42398 tcp4       0      0   TIME_WAIT
f100060003aea398 tcp4       0      0   ESTABLISHED
f10006000394c398 tcp4       0      0   ESTABLISHED
f100060003e53398 tcp4       0      0   ESTABLISHED
f100060003b90398 tcp4       0      0   ESTABLISHED

bash-3.00# rmsock f100060002e69b98 tcpcb
The socket 0x2e69808 is being held by proccess 2027686 (oracle).

2. Let’s set SVCENAME to 30542, so that the listener will use this port. Then, use the commands above to check if the port is indeed being used by DB2 LUW.

bash-3.00# db2 update dbm cfg using svcename 30542
bash-3.00# db2start
bash-3.00# netstat -Aan | grep 30542
f10000f6436321b58 tcp4 0 0 *.30542 *.* LISTEN

The netstat command, above, shows that the port 30542 is being used for listening. To confirm that it is DB2 LUW that’s using the port, run rmsock as root like following.

bash-3.00# rmsock f10000f6436321b58 tcpcb
The socket 0x3321800 is being held by proccess 692476 (db2sysc).

This shows that it’s db2sysc process that’s using the port, and its PID is 692476.

Note that rmsock, unlike what its name implies, does not remove the socket, if the socket is being used by any process. Instead of removing the socket, it just reports the process holding the socket. Also note that the second argument of rmsock is the protocol. It’s tcpcb in the example to indicate that the protocol is TCP.
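Both lookups above (Windows netstat -aon, AIX netstat -Aan) come down to picking the right column from netstat's output for an exact local port, which the findstr/grep forms do not guarantee: findstr "4557" also matches 14557, a foreign port, or a PID containing those digits. The following shell functions are an added example, not from the original page; they run on constructed netstat output embedded below (not captured from a real host) and print the PID on Windows or the ready-to-run rmsock command on AIX. The sample addresses and PCB values are made up.

```sh
#!/bin/sh
# Added example (not from the original document): find the owner of a port
# from netstat output on either platform described above.  On Windows the PID
# is the last column of "netstat -aon"; on AIX the first column of
# "netstat -Aan" is the PCB address that rmsock needs.  Both functions match
# the local-address column exactly, so a search for 1521 does not also hit
# 11521, a foreign port, or a PID that happens to contain those digits.

# Usage: netstat -aon | port_pid_windows PORT    -> prints the PID(s)
port_pid_windows() {
    awk -v port="$1" '
        { sub(/\r$/, "") }                     # Windows output is CRLF
        $1 ~ /^(TCP|UDP)$/ && $2 ~ (":" port "$") { print $NF }'
}

# Usage: netstat -Aan | port_pcb_aix PORT      -> prints the rmsock command(s)
port_pcb_aix() {
    awk -v port="$1" '
        $5 ~ ("[.]" port "$") {
            # rmsock wants the control-block type: tcpcb or udpcb.
            proto = ($2 ~ /^udp/) ? "udpcb" : "tcpcb"
            print "rmsock", $1, proto
        }'
}

# Constructed sample output (not captured from a real host).
WIN_NETSTAT='Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1521           0.0.0.0:0              LISTENING       5678
  TCP    10.0.0.5:11521         10.0.0.9:445           ESTABLISHED     4
  UDP    0.0.0.0:1521           *:*                                    5678'

AIX_NETSTAT='Active Internet connections (including servers)
PCB/ADDR         Proto Recv-Q Send-Q  Local Address      Foreign Address    (state)
f100060000942398 tcp4       0      0  *.32775            *.*                LISTEN
f100060002e69b98 tcp4       0      0  10.0.0.7.1522      10.0.0.9.40001     ESTABLISHED
f100060003925398 udp4       0      0  *.32775            *.*'

printf '%s\n' "$WIN_NETSTAT" | port_pid_windows 1521   # 5678 (TCP and UDP)
printf '%s\n' "$AIX_NETSTAT" | port_pcb_aix 32775      # one tcpcb, one udpcb line
```

On AIX run netstat -Aan | port_pcb_aix 1522 | sh as root, since rmsock needs root; the function picks udpcb for UDP sockets from the Proto column. On Windows save the listing first (netstat -aon > netstat.txt) and feed the file in from a Unix shell; the CRLF line endings are handled.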

EMC Symmetrix, CLARiiON, and IBM AIX SAN or Fiber Boot

New Installation

1. If a boot device has already been assigned and discovered by the host via the internal installation of
AIX, skip to step 3.

2. After the boot device has been assigned to the host, you must discover the boot device. To do so, use
the command cfgmgr -vl fcsX where X is the number of the adapter that will be used for fibre
boot. As the following output shows, unless you already have the EMC ODM Support Package
installed, the new external devices will appear as Other FC SCSI Disk Drive. Only the relevant
portions of the output are shown.

# lsdev -Cc disk
hdisk0 Available 30-68-00-10,0 16 Bit LVD SCSI Disk Drive

# cfgmgr -vl fcs0
Time: 1 LEDS: 0x539
Number of running methods: 0
attempting to configure device ‘hdisk1’
Time: 1 LEDS: 0x626
invoking /usr/lib/methods/cfgscsidisk -l hdisk1
Number of running methods: 1

# lsdev -Cc disk
hdisk0 Available 30-68-00-10,0 16 Bit LVD SCSI Disk Drive

hdisk1 Available 10-58-01 Other FC SCSI Disk Drive

3. The easiest way to track your external boot device is to assign a PVID to the intended installation disk.
This is done using the command chdev -l hdiskX -a pv=yes.

# lspv
hdisk0          0005e48ea566f3a3                    rootvg          active
hdisk1          none                                None
hdisk2          none                                None
# chdev -l hdisk1 -a pv=yes
hdisk1 changed

# lspv

hdisk0          0005e48ea566f3a3                    rootvg          active
hdisk1          none                                None
hdisk2          none                                None

4. Write down the PVID that lspv now shows in the second column for the disk; you will then use this to identify your installation disk.


5. Place the AIX 4.3.3, 5.1, or 5.2 installation media into the host and shut down. After the shutdown, you can remove the internal disk if you want.
6. Boot from the installation media. If the installation media was not a part of your bootlist, you can select it by entering the SMS menus and selecting your installation device as a boot device. Typically, the CD-ROM is a part of your bootlist.
7. Select the display to be used as a terminal.
8. Select the language to be used.
9. Select option 2, Change/Show Installation Settings and Install.
10. Select option 1, System Settings, and ensure that New and Complete Overwrite is selected.

11. If you have more than one disk allocated to the adapter, to verify your installation disk you can select option 77, Display More Disk Information, to see the PVID of the hdisks. Depending on the method you used to identify the installation disk, as you continue selecting 77, additional information such as WWPN, SCSI ID, and LUN ID will appear. Also, on the initial disk selection screen, verify that Yes appears under the field marked bootable for the hdisk you will install to. Once you have identified the correct hdisk device(s), select it and then continue. After the installation is complete, the host will automatically reboot from your external boot device.

Installing SSH on AIX

  1. Download the openssh and prerequisite openssl packages from their respective websites.
  2. Transfer the installation files to a temporary directory on the AIX server
  3. Unpack and install:
# uncompress openssl.
# tar xf openssl.
# inutoc .
# geninstall -Y -d . openssl
# uncompress openssh-4.7_5301aix61.tar.Z
# tar xf openssh-4.7_5301aix61.tar
# inutoc .
# geninstall -Y -d . openssh

Once you have installed and tested ssh, you may disable telnet by commenting it out of /etc/inetd.conf and refreshing inetd (the same two steps apply to the other cleartext services in that file, such as ftp, rlogin, rsh and rexec, if nothing depends on them):

#perl -p -i -e 's/^telnet/#telnet/g' /etc/inetd.conf
#refresh -s inetd

Display a legal warning before login.

For FTP server:

To change the greeting banner for vsftpd, add the following directive to the /etc/vsftpd/vsftpd.conf file:

ftpd_banner=<insert_greeting_here>

Replace <insert_greeting_here> in the above directive with the text of the greeting message.

For multi-line banners, it is best to use a banner file. To simplify management of multiple banners, place all banners in a new directory called /etc/banners/. The banner file for FTP connections in this example is /etc/banners/ftp.msg, which vsftpd is pointed at with banner_file=/etc/banners/ftp.msg (banner_file overrides ftpd_banner when both are set). Below is an example of what such a file may look like:

# Hello, all activity on is logged. #

For SMTP (if using postfix)

edit /etc/postfix/ and set:

smtpd_banner = $myhostname ESMTP $mail_name\n\n System Info: This is a Postfix mail server\n . running a multiline SMTP greeting patch\n\n Please don't send me SPAM here - we don't like it

Stock Postfix sends a single-line greeting; the \n sequences above only work with the multi-line greeting patch the banner itself mentions, so on an unpatched server keep smtpd_banner to one line. In either case leave $myhostname at the start, because SMTP requires the greeting to begin with the server's host name.

For SMTP (if using sendmail)

define(`confSMTP_LOGIN_MSG', `\n System is being Monitored')dnl

Telnet greeting message:

Edit file /etc/issue (shown by getty for console logins; on Linux, telnetd sends /etc/issue.net to network clients, so edit that one too).

SSH : Secure shell login greeting message:

Edit file /etc/ssh/sshd_config
Edit/enable the line: Banner /etc/issue
The banner is sent before authentication, so keep anything sensitive (versions, internal host names) out of it, and check the file with sshd -t before restarting.
Restart sshd: service sshd restart (systemctl restart sshd on systemd hosts)

GDM login message:

Edit /etc/X11/gdm/gdm.conf and set the Welcome= option in the [greeter] section.
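Two of the edits in this section and the previous one (commenting telnet out of /etc/inetd.conf, and enabling the Banner line in sshd_config) tend to be repeated on many hosts, and the one-liners above neither keep a backup nor check their result. The shell functions below are an added example, not from the original document: both take a backup, anchor the match on the whole service or keyword name so that telnet does not also hit another entry that merely starts with those letters, and return non-zero when the file does not end up in the intended state. The inetd.conf and sshd_config contents used in the demonstration are constructed, and the file paths are parameters.

```sh
#!/bin/sh
# Added example (not from the original document): the two hand edits above
# (commenting a service out of inetd.conf; enabling a directive in
# sshd_config) done idempotently, with a backup, and with a check that the
# file ended up in the intended state.  File paths are parameters; the
# contents used in the demonstration are constructed.

# Usage: disable_inetd_service FILE SERVICE
# Comments out the line(s) whose first field is exactly SERVICE.  Returns 0
# when a change was made, 2 when the service is already off or absent.
disable_inetd_service() {
    conf=$1; svc=$2
    grep -q "^$svc[[:space:]]" "$conf" || return 2
    cp -p "$conf" "$conf.bak" || return 1
    sed "s/^$svc[[:space:]]/#&/" "$conf.bak" > "$conf"
    ! grep -q "^$svc[[:space:]]" "$conf"
}

# Usage: set_sshd_option FILE KEY VALUE
# Rewrites every "Key ..." or "#Key ..." line as "Key VALUE", or appends one
# if there is none.  sshd honours the first occurrence of a keyword, so a
# stale active line earlier in the file would silently win; rewriting all
# occurrences avoids that.
set_sshd_option() {
    conf=$1; key=$2; val=$3
    cp -p "$conf" "$conf.bak" || return 1
    if grep -q "^#\{0,1\}[[:space:]]*$key[[:space:]]" "$conf.bak"; then
        sed "s|^#\{0,1\}[[:space:]]*$key[[:space:]].*|$key $val|" "$conf.bak" > "$conf"
    else
        { cat "$conf.bak"; echo "$key $val"; } > "$conf"
    fi
    grep -q "^$key $val\$" "$conf"
}

# Demonstration on constructed copies, never on the live files.
demo=${TMPDIR:-/tmp}/hardening-demo.$$
mkdir -p "$demo"
printf '%s\n' \
  'ftp     stream  tcp6    nowait  root    /usr/sbin/ftpd     ftpd' \
  'telnet  stream  tcp6    nowait  root    /usr/sbin/telnetd  telnetd -a' \
  'ntalk   dgram   udp     wait    root    /usr/sbin/talkd    talkd' > "$demo/inetd.conf"
printf '%s\n' 'Port 22' '#Banner none' 'PermitRootLogin no' > "$demo/sshd_config"

disable_inetd_service "$demo/inetd.conf" telnet && cat "$demo/inetd.conf"
set_sshd_option "$demo/sshd_config" Banner /etc/issue.net && cat "$demo/sshd_config"
rm -rf "$demo"
```

On AIX follow disable_inetd_service /etc/inetd.conf telnet with refresh -s inetd, and follow set_sshd_option /etc/ssh/sshd_config Banner /etc/issue with sshd -t and a restart; neither function reloads a daemon itself.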

Brocade New Switch and Merging of Switch in to the existing Fabrics

New SW:

Rack mount it and power on the switch. Connect through the serial port and log in as admin (the factory default IP address differs between switches and directors, so check the model's documentation):

  1. Set the IP address (ipaddrshow/ipaddrset)
  2. Set the time, either with an NTP server IP (tsclockserver command) or with the tstimezone --interactive command
  3. Check the licenses (licenseshow)
  4. Add licenses with the licenseadd command
  5. At least the Full Fabric / XX domain licenses are needed to form ISLs
  6. Trunking licenses for trunking (trunks form only between ports connected at a common speed within the same quad/octet)
  7. Give the switch a name (switchname ...)
  8. Change the default passwords and record the new ones in the password library
  9. Always ask the vendor for the one-time root password when taking delivery of a new switch, and keep it in the library for later troubleshooting
  10. Do a portstatsclear and portlogclear
  11. Disable the switch with the switchdisable command
  12. Clear the zoning configuration with the cfgclear command

Set the fabric.ops parameters through the configure command (especially a unique Domain ID (1-239), the PID format and the data field size); the switch must be disabled for configure to change them.


  1. enable the switch with switchenable cmd
  2. reboot the switch with reboot cmd
  3. take a config backup with configupload cmd

If you want to do an FOS upgrade, do it at this point (firmwaredownload), before the switch carries production traffic.

For the new switch, when you first connect the hosts, check the hosts' HBA driver and firmware against the Brocade compatibility matrix.

Create a zoning configuration with cfgcreate to do the first-time zoning.

For merging a switch into an existing fabric, do the above activities but set the fabric.ops parameters exactly the same as on the existing switches, except the Domain ID, which must be unique. Mismatched fabric parameters or a duplicate Domain ID segment the ISL instead of merging it, and the new switch's zoning configuration must be empty (cfgclear) or identical to the fabric's, or the fabric segments as well.

  1. Then disable the new SW,
  2. Connect the ISL ,
  3. Enable the switch
  4. check it with fabricshow, islshow, trunkshow.
  5. check the utilization of the ISLs with portperfshow