Administering user accounts

Assigning subsystem authorizations

Authorizations allow users to run certain system programs. Primary authorizations are intended for users entrusted with system administration. Secondary authorizations grant more limited capabilities.

In the Account Manager, select the user name, then select Authorizations from the Users menu.

To change authorizations, deselect the Use system default authorizations for this user account button. This allows you to assign a set of authorizations specific to this account.

To add an authorization, select an entry the ``Not authorized'' column and click on the Add button.

To remove an authorization, select an entry in the ``Authorized'' column and click on the Remove button.

To change the authorizations assigned by default, use this command:

usermod -D -x "{subsystemAuths {list}}"

where list is one or more authorizations separated by spaces.

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

Primary authorizations

Primary authorizations effectively divide superuser powers into subsystems, allowing you to assign only the capabilities you want the user to have. Use secondary authorizations to assign more limited capabilities to normal users.

Users lacking the required authorization to run a SCOadmin manager will see the message You are not authorized to run...

WARNING: The auth subsystem authorization should only be assigned to persons entrusted with account administration. Never assign auth by default because it permits users to make changes to any account, including root. The backup, sysadmin, and passwd authorizations can be similarly abused -- do not assign them lightly.

Primary authorizations

Authorization SCOadmin Manager Powers
mem - access to system data tables, listing all processes on the system
terminal - unrestricted use of the write(C) command
lp Printer Manager administer printers
backup Backup Manager perform backups
auth Account Manager
Terminal Manager
administer accounts and terminals: adding users, changing passwords, controlling logins
audit Audit Manager run system audits and generate reports
cron Cron Manager control use of cron(C), at(C), and batch(C) commands
root - use any command found in /tcb/files/rootcmds -- see ``Allowing users to execute superuser commands''
sysadmin Filesystem Manager alter mount configuration
passwd - manage system passwords using passwd(C)

NOTE: Certain SCOadmin managers require more than one authorization. For example, to run the Backup Manager (backup authorization), you also need the sysadmin authorization (to mount filesystems).

Secondary authorizations

Secondary authorizations allow limited access by users to resources that would otherwise be tightly controlled (for example, without the printqueue authorization, users would only be able to see their own jobs when they use the lpstat command). They are useful when running the Improved or High security profiles to provide behavior that is more consistent with other UNIX systems.

Secondary authorizations

Secondary authorization Parent authorization Powers
audittrail audit generate personal audit reports on one's own activities
backup_create backup create (but not restore) backups
restore backup restore (but not create) backups
queryspace backup use df(C) command to query disk space
printqueue lp view all jobs in queue using lpstat(C)
printerstat lp use printer enable/disable commands
su auth access the root (superuser) account and other accounts. Access still requires a password; see ``Accessing other accounts with su(C)'' for more information.
shutdown root use the Shutdown Manager or shutdown in conjunction with the asroot(ADM) command as described in ``Allowing users to execute superuser commands''.

NOTE: When the primary authorization for a subsystem is granted, the secondary authorizations for that subsystem are also granted. (For example, the lp authorization carries the printqueue and printerstat authorizations.)

Next topic: Changing system privileges
Previous topic: Assigning user powers

© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003