grpck Command
Purpose
Verifies the correctness of a group definition. This document describes both the AIX® grpck command and the System V grpck command.
Syntax
Description
The grpck command verifies the correctness of the group definitions in the user database files by checking the definitions for all the groups or for the groups that are specified by the Group parameter. If more than one group is specified, there must be a space between the groups.
You must select a flag to indicate whether the system must try to fix erroneous attributes. The following attributes are checked:
Item | Description |
---|---|
name | Checks the uniqueness and composition of the group name. The group name must be a unique string of 8 bytes or less. It cannot begin with a + (plus sign), a : (colon), a - (minus sign), or a ~ (tilde). It cannot contain a : (colon) in the string and cannot be the ALL or default keywords. No system fix is possible. |
groupID | Checks the uniqueness and composition of the group ID. The ID must not be null and must consist of decimal digits only. No system fix is possible. |
users | Checks the existence of the users that are listed in the group database files. If you indicate that the system must fix errors, it deletes all the users that are not found in the user database files. |
adms | Checks the existence of the users that are listed as group administrators in the group database files. If you indicate that the system must fix errors, it deletes all the administrators that are not found in the user database files. |
admin | Checks for a valid admin attribute for each group in the /etc/security/group file. No system fix is available. |
Generally, the sysck command calls the grpck command as part of the verification of a trusted-system installation. In addition, the root user or a member of the security group can enter the command.
The grpck command checks whether the database management security files (/etc/passwd.nm.idx, /etc/passwd.id.idx, /etc/security/passwd.idx, and /etc/security/lastlog.idx) are up-to-date or newer than the corresponding system security files. It is acceptable for /etc/security/lastlog.idx to be not newer than /etc/security/lastlog. If the database management security files are out-of-date, a warning message appears indicating that the root user must run the mkpasswd command.
Flags
Item | Description |
---|---|
-n | Reports errors but does not fix them. |
-p | Fixes errors but does not report them. |
-t | Reports errors and asks if they must be fixed. |
-y | Fixes errors and reports them. |
Security
Access Control: This command must grant execute (x) access to the root user and members of the security group. The setuid command for the root user must have the trusted computing base attribute.
Files Accessed:
Mode | File |
---|---|
r | /etc/passwd |
r | /etc/security/user |
rw | /etc/security/group |
rw | /etc/group |
Auditing Events:
Event | Information |
---|---|
GROUP_User | user, groups, attribute \| error, status |
GROUP_Adms | user, groups, attribute \| error, status |
Examples
- To verify that all the group members and administrators exist in the user database, and to report all the errors but not fix them, enter the following command:
grpck -n ALL
- To verify that all the group members and administrators exist in the user database, and to fix all the errors but not report them, enter the following command:
grpck -p ALL
- To verify the uniqueness of the group name and group ID defined for the install group, enter the following command:
grpck -n install
Or,
grpck -t install
Or,
grpck -y install
The grpck command does not correct the group names and IDs. Therefore, the -n, -t, and -y flags report problems with group names and group IDs, but do not correct them.
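The name, groupID and users checks from the attribute table, written out as an added Python example (not part of the AIX documentation and not the grpck implementation). It only reads copies of the files and reports; the members it flags are the ones the page says a fixing run deletes. The four-field name:password:gid:members layout of /etc/group, the function name check_groups and the sample data are assumptions, and the adms and admin checks against /etc/security/group are not covered.

```python
import re

# Added example, not AIX code. Assumes /etc/group lines are
# name:password:gid:member,member and /etc/passwd lines start with the user name.
RESERVED = {"ALL", "default"}      # keywords a group name must not equal
BAD_FIRST = ("+", ":", "-", "~")   # characters a group name must not begin with

def check_groups(group_text, passwd_text):
    """Return (group, attribute, problem) tuples; nothing is modified."""
    users = {ln.split(":", 1)[0] for ln in passwd_text.splitlines() if ln.strip()}
    findings, seen_names, seen_gids = [], set(), set()
    for line in filter(str.strip, group_text.splitlines()):
        name, _pw, gid, members = (line.split(":") + ["", "", ""])[:4]
        # name: unique, 8 bytes or less, restricted first character, no keyword
        if name in seen_names:
            findings.append((name, "name", "duplicate name"))
        seen_names.add(name)
        if line.startswith(BAD_FIRST):   # a leading ':' leaves the name field empty
            findings.append((name, "name", "bad first character"))
        if len(name.encode()) > 8:
            findings.append((name, "name", "longer than 8 bytes"))
        if name in RESERVED:
            findings.append((name, "name", "reserved keyword"))
        # groupID: not null, decimal digits only, unique
        if not re.fullmatch(r"[0-9]+", gid):
            findings.append((name, "groupID", "null or not decimal"))
        elif int(gid) in seen_gids:
            findings.append((name, "groupID", "duplicate ID"))
        else:
            seen_gids.add(int(gid))
        # users: members missing from the user database are what -p or -y deletes
        for member in filter(None, members.split(",")):
            if member not in users:
                findings.append((name, "users", member + " not in user database"))
    return findings

# Constructed sample data, not taken from a real system.
SAMPLE_PASSWD = "root:!:0:0::/:/usr/bin/ksh\nalice:!:201:1::/home/alice:/usr/bin/ksh\n"
SAMPLE_GROUP = """system:!:0:root
staff:!:1:alice,bob
+nis:!:50:
verylonggroup:!:60:alice
ALL:!:61:
dup:!:1:
web:!:x7:root
"""

if __name__ == "__main__":
    print(*check_groups(SAMPLE_GROUP, SAMPLE_PASSWD), sep="\n")
```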
Files
Item | Description |
---|---|
/usr/sbin/grpck | Contains the grpck command. |
/etc/passwd | Contains the basic attributes of users. |
/etc/security/user | Contains the extended attributes of users. |
/etc/group | Contains the basic attributes of groups. |
/etc/security/group | Contains the extended attributes of groups. |
System V grpck command
Syntax
/usr/sysv/bin/grpck
Description
The /usr/sysv/bin/grpck command verifies the correctness of the group definitions in the user database files by checking the definitions for all the groups. This /usr/sysv/bin/grpck command is a System V version of the existing grpck command in /usr/sbin/. This command calls the /usr/sbin/grpck command with the -n flag and ALL options.
Exit Status
Item | Description |
---|---|
0 | Successful completion. |
>0 | An error occurred. |
Examples
- To verify that all the group members and administrators exist in the user database, and to have any errors reported (but not fixed), enter the following command:
/usr/sysv/bin/grpck
Files
Item | Description |
---|---|
/usr/sysv/bin/grpck | Contains the System V version of the grpck command. |