Using AIX System Accounts

Edit: Still good to know.

Originally posted August 23, 2016 on AIXchange

I recently was asked about AIX system accounts. You’ll find the answers — why they’re there, how you log in to them, etc. — in this IBM Support doc. It’s an older document that covers the basics, but the information is still relevant:

“Question: What are system Special Accounts?
Answer: Traditionally, UNIX has come with a default set of system user accounts to prevent root and system from owning all system filesystems and files. As such it is never recommended to remove the account but rather set an asterisk in the /etc/security/passwd for all except root. This document describes the default set of user accounts.

root — Commonly called the superuser (UID 0), this is the account that system administrators log into to perform system maintenance and problem determination.

daemon — A user used to execute system server processes. This user only exists to own these processes (and the associated files) and to guarantee that they execute with appropriate file access permissions.

bin — A second system account used primarily to break up owners of important system directories and files from being solely owned by root and system. This account typically owns the executable files for most user commands.

sys — sys user owns the default mounting point for the Distributed File Service (DFS) cache which is necessary before installation and configuration of DFS on a client. /usr/sys directory can also be used to put install images.

adm — The adm user in the /etc/passwd is basically responsible for two system functions:

    * ownership of diagnostic tools, as evidenced by the directory /usr/sbin/perf/diag_tool/
    * accounting, as evidenced by System Accounting Directories:
         /usr/sbin/acct
         /usr/lib/acct
         /var/adm
         /var/adm/acct/fiscal
         /var/adm/acct/nite
         /var/adm/acct/sum

guest — Many computer centers provide accounts for visitors to play games while they wait for an appointment, or to allow them to use a modem or network connection to contact their own computer. Typically, these accounts have names like open, guest, or play.

nobody — An account used by the Network File System (NFS) product, and to enable remote printing. nobody exists when a program needs to permit temporary root access to root users. For example, before turning on Secure RPC or Secure NFS, check /etc/publickey on the master NIS server to see if every user has been assigned a public key and a secret key. You can create an entry in the database for a user by becoming the superuser and entering:

    newkey -u username

You can also create an entry in the database for the special user, nobody. Users can now run the chkey program to create their own entries in the database.

uucp — UUCP is a system for transferring files and electronic mail between UNIX computers connected by telephone. When one computer dials to another computer, it must log in. Instead of logging in as root, the remote computer logs in as uucp. Electronic mail that is awaiting transmission to the remote machine is stored in directories that are readable only by the uucp user so that other users on the computer cannot read each other’s personal mail.

nuucp — The operating system provides a default nuucp login ID for transferring files. This is normally used for the uucp communication. These two IDs, uucp and nuucp, are created when the bos.net.uucp fileset is installed. As logging in as the uucp user is not allowed, the nuucp user was created. Basically, uucp user id will not have a password entry set in /etc/security/passwd, but the nuucp user ID will have a password set. You can remove the user nuucp if you wish.

lpd, lp — Used for starting the lpd daemon which is necessary in order for the AIX Spooler to do remote printing.

invscout — Used by Inventory Scout which is a tool that checks the software and hardware configurations on the Hardware Management Console (HMC).

imnadm — IMN Search engine (used by Documentation Library Search).

snapp — Allows access to the snappd command which allows for hand-held PDA devices to be attached to a tty port on an AIX box. The PDA can then function in similar capacities to a dumb terminal.”

Here’s a more recent document from the IBM Knowledge Center:

“AIX provides a default set of system special user accounts that prevents the root and system accounts from owning all operating system files and file systems.

Attention: Use caution when removing a system special user account. You can disable a specific account by inserting an asterisk (*) at the beginning of its corresponding line of the /etc/security/passwd file. However, be careful not to disable the root user account. If you remove system special user accounts or disable the root account, the operating system will not function.”
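To check which of the system accounts listed above still hold something other than an asterisk in /etc/security/passwd, here is an added example (not from IBM or the original post). It assumes the file uses stanzas of the form `name:` followed by `password = value`; the account list comes from the quoted document, and the sample data is constructed.

```shell
#!/bin/sh
# Added example: report system accounts whose password attribute in an
# AIX-style /etc/security/passwd stanza file is not "*".

# Accounts named in the quoted IBM document; root is left out on purpose,
# because the documents say it must not be disabled.
SYSTEM_ACCOUNTS="daemon bin sys adm guest nobody uucp nuucp lpd lp invscout imnadm snapp"

# audit_system_accounts FILE
# Prints "name:set" or "name:empty" for each listed account whose password
# attribute is anything other than "*". An empty value is reported
# separately from a stored hash.
audit_system_accounts() {
    awk -v accounts="$SYSTEM_ACCOUNTS" '
        BEGIN { n = split(accounts, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        # Stanza header such as "daemon:" (lines starting with * are comments).
        /^[^ \t*:][^ \t:]*:[ \t]*$/ { user = $1; sub(/:$/, "", user); next }
        # Attribute line inside the current stanza: "password = value".
        (user in want) && $1 == "password" && $2 == "=" {
            if ($3 == "") print user ":empty"
            else if ($3 != "*") print user ":set"
        }
    ' "$1"
}

# write_sample FILE: constructed sample data, not taken from a real system.
write_sample() {
    cat > "$1" <<'EOF'
root:
        password = CONSTRUCTEDHASH1
        lastupdate = 1471910400

daemon:
        password = *

guest:
        password =

nuucp:
        password = CONSTRUCTEDHASH2
        flags = ADMCHG

alice:
        password = CONSTRUCTEDHASH3
EOF
}

sample=$(mktemp)
write_sample "$sample"
audit_system_accounts "$sample"   # prints guest:empty and nuucp:set
rm -f "$sample"
```

On a real system, run `audit_system_accounts /etc/security/passwd` as root; nuucp showing up matches the quoted note that it ships with a password set.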

Finally, here’s a list of accounts you may be able to remove, and here’s a link to accounts that are created by different security components on the system.

If you’re new to this area, these links should help you. And even if you already know this stuff, it never hurts to revisit the basics.