mkgroup Command

Purpose

Creates a new group.

Syntax

mkgroup [ -R load_module ] [ -a ] [ -A ] [ Attribute=Value ... ] Group

Description

The mkgroup command creates a new group. The Group parameter must be a unique string (whose length is administrator-configurable by way of the chdev command) and cannot be the ALL or default keywords. By default, the mkgroup command creates a standard group. To create an administrative group, specify the -a flag. You must be the root user or a user with GroupAdmin authorization to create an administrative group.

To create a group with an alternate Identification and Authentication (I&A) mechanism, the -R flag can be used to specify the I&A load module used to create the group. Load modules are defined in the /usr/lib/security/methods.cfg file.

You can use the System Management Interface Tool (SMIT) smit mkgroups fast path to run this command.

The mkgroup command always checks the target group registry to make sure the ID for the new account is unique to the target registry. The mkgroup command can also be configured to check all group registries of the system using the dist_uniqid system attribute. The dist_uniqid system attribute is an attribute of the usw stanza of the /etc/security/login.cfg file, and can be managed using the chsec command.

The dist_uniqid system attribute has the following values:
  • never - Does not check for ID collision against the non-target registries. This is the default setting.
  • always - Checks for ID collision against all other registries. If collision is detected between the target registry and any other registry, account creation or modification fails.
  • uniqbyname - Checks for ID collision against all other registries. Collision between registries is allowed only if the account to be created has the same name as the existing account.
Note: ID collision detection in the target registry is always enforced regardless of the dist_uniqid system attribute.

The uniqbyname system attribute setting works well against two registries. With more than two registries, and with ID collision already existing between two registries, the behavior of the mkgroup command is unspecified when creating a new account in a third registry using the colliding ID values. The new account creation might succeed or fail depending on the order in which the registries are checked.

The check for ID collision only enforces ID uniqueness between the local registry and remote registries or between remote registries. There is no guarantee of ID uniqueness between the newly created account on the remote registry and existing local users on other systems that make use of the same remote registry. The mkgroup command bypasses a remote registry if the remote registry is not reachable at the time the command is run.
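
The dist_uniqid rules above, modelled for a target registry and one other registry. This is an added example, not IBM's code or the mkgroup implementation; the helper names, the sample listings, and the "name id=N" listing format are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: a model of the documented dist_uniqid semantics for two
# registries. Not mkgroup's implementation; helper names are hypothetical.
# The live setting is changed with chsec, for example:
#   chsec -f /etc/security/login.cfg -s usw -a dist_uniqid=always

# Constructed sample listings, one "name id=N" line per group.
LDAP_GROUPS='monsters id=310
payroll id=400'
FILES_GROUPS='system id=0
staff id=1
finance id=205'

# names_with_gid LISTING GID: print every group name that owns GID.
names_with_gid() {
    printf '%s\n' "$1" | awk -v gid="$2" '
        { for (i = 2; i <= NF; i++) if ($i == ("id=" gid)) print $1 }'
}

# gid_allowed POLICY NAME GID TARGET_LISTING OTHER_LISTING
# Prints a verdict; returns 0 (allowed), 1 (refused) or 2 (bad policy).
gid_allowed() {
    policy=$1 name=$2 gid=$3 target=$4 other=$5
    # The target registry is checked whatever dist_uniqid says.
    if [ -n "$(names_with_gid "$target" "$gid")" ]; then
        echo "refuse: ID in use in target registry"; return 1
    fi
    case $policy in
        never) echo "allow: other registries not checked"; return 0 ;;
        always|uniqbyname) ;;
        *) echo "error: unknown dist_uniqid value"; return 2 ;;
    esac
    for owner in $(names_with_gid "$other" "$gid"); do
        # always: any collision fails; uniqbyname: only a different name fails.
        if [ "$policy" = always ] || [ "$owner" != "$name" ]; then
            echo "refuse: ID held by $owner in other registry"; return 1
        fi
    done
    echo "allow: no disallowed collision"
}

# Proposed LDAP group "audit" with ID 205, which finance holds locally.
for p in never always uniqbyname; do
    printf '%-11s %s\n' "$p" "$(gid_allowed "$p" audit 205 "$LDAP_GROUPS" "$FILES_GROUPS")"
done
```

Under the default never setting the colliding ID is accepted, so the two groups would share file ownership and access on any system that resolves both registries.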

If Encrypted File System (EFS) is enabled on the system, the mkgroup command updates the /etc/security/group file with EFS attributes (default values are added if you do not specify the attributes on the command line). If you do not specify efs_keystore_access=none, the mkgroup command creates the group keystore if at least one of the users has a keystore.

If the mkgroup command returns with the return code of 3, the keystore for the group is not created, but the mkgroup command creates the group.
Note: You can later create the group keystore by using the efskeymgr command.

Restrictions on Creating Group Names

To prevent login inconsistencies, you should avoid composing group names entirely of uppercase alphabetic characters. While the mkgroup command supports multibyte group names, it is recommended that you restrict group names to characters within the POSIX portable filename character set.

To ensure that your user database remains uncorrupted, you must be careful when naming groups. Group names must not begin with a - (dash), + (plus sign), @ (at sign), or ~ (tilde). You cannot use the keywords ALL or default in a group name. Additionally, do not use any of the following characters within a group-name string:

Item Description
: Colon
" Double quote
# Pound sign
, Comma
= Equal sign
\ Back slash
/ Slash
? Question mark
' Single quote
` Back quote

Finally, the Name parameter cannot contain any space, tab, or new-line characters.
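
A pre-check that applies the naming rules in this section before a name is passed to mkgroup. This is an added example, not part of AIX; valid_group_name is a hypothetical helper, and it treats ALL and default as whole-name matches.

```shell
#!/bin/sh
# Added example: pre-check a proposed group name against the rules above.
# valid_group_name is a hypothetical helper, not an AIX command.
# Prints one verdict line; returns 0 (acceptable) or 1 (rejected).
valid_group_name() (
    LC_ALL=C            # byte-wise matching; the subshell body keeps this local
    name=$1
    [ -n "$name" ] || { echo "reject: empty name"; return 1; }

    case $name in
        ALL|default)
            echo "reject: reserved keyword"; return 1 ;;
        [-+@~]*)
            echo "reject: begins with - + @ or ~"; return 1 ;;
        *:*|*'"'*|*'#'*|*,*|*=*|*'\'*|*/*|*'?'*|*"'"*|*'`'*)
            echo "reject: contains a forbidden character"; return 1 ;;
        *[[:space:]]*)
            # Space, tab and new-line (other whitespace is refused as well).
            echo "reject: contains whitespace"; return 1 ;;
    esac

    # Advisory checks: discouraged by the text above, but not errors.
    case $name in
        *[![:upper:]]*) ;;
        *) echo "warn: entirely uppercase"; return 0 ;;
    esac
    case $name in
        *[![:alnum:]._-]*)
            echo "warn: outside POSIX portable filename character set"; return 0 ;;
    esac
    echo "ok"
)

# Constructed sample names.
for n in finance PAYROLL '@staff' 'fin:ance' 'my group'; do
    printf '%-10s %s\n' "$n" "$(valid_group_name "$n")"
done
```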

Flags

Item Description
-a Creates an administrative group. Only the root user can use this flag.
-A Sets the group administrator to the person who invoked the mkgroup command.
-R load_module Specifies the loadable I&A module used to create the group.
Attribute=Value Initializes a group with a specific attribute. See the chgroup command for more information about the group attributes.

Exit Status

This command returns the following exit values:
Item Description
0 The command runs successfully and all requested changes are made.
>0 An error occurred. The printed error message lists further details about the type of failure.

Security

Access Control: This command should grant execute (x) access only to the root user and members of the security group. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
To get the full functionality of the command, besides the accessauths, the role must also have the aix.security.group.change authorization. If Encrypted File System (EFS) is enabled on the system, the role must also have the aix.security.efs authorization to create the group keystore.

Files Accessed:

Mode File
rw /etc/passwd
rw /etc/security/user
rw /etc/security/limits
rw /etc/security/environ
rw /etc/group
rw /etc/security/group
r /usr/lib/security/mkuser.default
x /usr/lib/security/mkuser.sys

Auditing Events:

Event Information
USER_Create user

Limitations

Creating a group may not be supported by all loadable I&A modules. If the loadable I&A module does not support creating a group, an error is reported.

Examples

  1. To create a new group account called finance, type:
    mkgroup finance
  2. To create a new administrative group account called payroll, type:
    mkgroup -a payroll
    Only the root user can issue this command.
  3. To create a new group account called managers and set yourself as the administrator, type:
    mkgroup -A managers
  4. To create a new group account called managers and set the list of administrators to steve and mike, type:
    mkgroup adms=steve,mike managers
    The users steve and mike must already exist on the system.
  5. To create a new group that is an LDAP I&A loadable module user, type:
    mkgroup -R LDAP monsters

Files

Item Description
/usr/bin/mkgroup Contains the mkgroup command.
/etc/group Contains the basic attributes of groups.
/etc/security/group Contains the extended attributes of groups.
/etc/passwd Contains basic user information.
/etc/security/passwd Contains password information.