Contains extended user attributes.
The /etc/security/user file contains extended user attributes. This is an ASCII file that contains attribute stanzas for users. The mkuser command creates a stanza in this file for each new user and initializes its attributes with the default attributes defined in the /usr/lib/security/mkuser.default file.
Each stanza in the /etc/security/user file is identified by a user name, followed by a : (colon), and contains attributes in the form Attribute=Value. Each attribute value pair is ended by a new-line character, and each stanza is ended by an additional new-line character. For an example of a stanza, see the Examples section.
The file supports a default stanza. If an attribute is not defined for a user, the default value for the attribute is used.
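As an added example (not part of this page and not an AIX tool), the following Python parses text in the stanza format just described, resolves an attribute through the default stanza, and flags a couple of risky effective settings; the sample stanzas and the audit rules are constructed for illustration.

```python
from typing import Dict, List, Optional

# Constructed sample in the /etc/security/user stanza format (not a real system file).
SAMPLE = """\
default:
    admin = false
    login = true
    rlogin = true
    su = true
    loginretries = 0

dhs:
    login = true
    rlogin = false
    ttys = /dev/console
    sugroups = security,!staff
    admin = true

svc_backup:
    login = false
    loginretries = 5
"""

def parse_stanzas(text: str) -> Dict[str, Dict[str, str]]:
    """Parse 'name:' stanzas of 'Attribute = Value' lines into {name: {attr: value}}.
    A blank line ends a stanza; a repeated attribute keeps the last value (assumption)."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None          # blank line closes the current stanza
        elif line.endswith(":") and "=" not in line:
            current = line[:-1]     # 'name:' header opens a new stanza
            stanzas[current] = {}
        elif current is None or "=" not in line:
            raise ValueError(f"malformed line: {line!r}")
        else:
            key, value = line.split("=", 1)
            stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective(stanzas, user: str, attr: str, fallback: Optional[str] = None) -> Optional[str]:
    """Resolve attr for user: the user's own stanza wins, then the default stanza."""
    if attr in stanzas.get(user, {}):
        return stanzas[user][attr]
    return stanzas.get("default", {}).get(attr, fallback)

def audit(stanzas) -> List[str]:
    """Flag risky effective settings (constructed review rules, not an AIX check)."""
    findings = []
    for user in stanzas:
        if user == "default":
            continue
        if effective(stanzas, user, "admin") == "true" and effective(stanzas, user, "rlogin") != "false":
            findings.append(f"{user}: administrative account reachable via rlogin/telnet")
        if int(effective(stanzas, user, "loginretries", "0")) <= 0:
            findings.append(f"{user}: no lockout limit (loginretries <= 0)")
    return findings
```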
Attributes
If you have the proper authority, you can set the following user attributes:
Item | Description |
---|---|
account_locked | Indicates if the user account is locked. Possible values include: |
admin | Defines the administrative status of the user. Possible values are: |
admgroups | Lists the groups the user administrates. The Value parameter is a comma-separated list of group names. For additional information on group names, see the adms attribute of the /etc/security/group file. |
auditclasses | Lists the user's audit classes. The Value parameter is a list of comma-separated classes, or a value of ALL to indicate all audit classes. |
auth1 | Lists additional mandatory methods for authenticating the user. The auth1 attribute has been deprecated and may not be supported in a future release. The SYSTEM attribute should be used instead. The authentication process will fail if any of the methods specified by the auth1 attribute fail. The Value parameter is a comma-separated list of Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter is the user to authenticate. If you do not specify a Name parameter, the name of the user being authenticated is used. Valid authentication methods for the auth1 and auth2 attributes are defined in the /etc/security/login.cfg file. |
auth2 | Lists additional optional methods for authenticating the user. The auth2 attribute has been deprecated and may not be supported in a future release. The SYSTEM attribute should be used instead. The authentication process will not fail if any of the methods specified by the auth2 attribute fail. The Value parameter is a comma-separated list of Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter is the user to authenticate. If you do not specify a Name parameter, the name of the user being authenticated is used. |
core_compress | Enables or disables core file compression. Valid values for this attribute are On and Off. If this attribute has a value of On, compression is enabled; otherwise, compression is disabled. The default value of this attribute is Off. |
core_path | Enables or disables core file path specification. Valid values for this attribute are On and Off. If this attribute has a value of On, core files will be placed in the directory specified by core_pathname (the feature is enabled); otherwise, core files are placed in the user's current working directory. The default value of this attribute is Off. |
core_pathname | Specifies a location to be used to place core files, if the core_path attribute is set to On. If this is not set and core_path is set to On, core files will be placed in the user's current working directory. This attribute is limited to 256 characters. |
core_naming | Selects a choice of core file naming strategies. Valid values for this attribute are On and Off. A value of On enables core file naming in the form core.pid.time, which is the same as what the CORE_NAMING environment variable does. A value of Off uses the default name of core. |
daemon | Indicates whether the user specified by the Name parameter can execute programs using the cron daemon or the src (system resource controller) daemon. Possible values are: |
dce_export | Allows the DCE registry to overwrite the local user information with the DCE user information during a DCE export operation. Possible values are: |
dictionlist | Defines the password dictionaries used by the composition restrictions when checking new passwords. The password dictionaries are a list of comma-separated, absolute path names that are evaluated from left to right. All dictionary files and directories must be write-protected from all users except root. The dictionary files are formatted one word per line. The word begins in the first column and terminates with a new-line character. Only 7-bit ASCII words are supported for passwords. If text processing is installed on your system, the recommended dictionary file is the /usr/share/dict/words file. The user name can be disallowed in the password by adding an entry with the key word ‘$USER’ to the dictionary files. This key word, ‘$USER’, cannot be part of any word or pattern of the entries in dictionary files. A regular expression can also be disallowed in the password if it is listed in the dictionary file. To differentiate between a word and a pattern in the dictionary file, a pattern is indicated with ‘*’ as its first character. For example, if an administrator wants to disallow any password ending with “123”, the following entry can be added to the dictionary file: ‘*.*123’. The first “*” indicates a pattern entry and the remaining part is the pattern, that is, “.*123”. |
minloweralpha | Defines the minimum number of lower case alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN. |
minupperalpha | Defines the minimum number of upper case alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN. |
mindigit | Defines the minimum number of digits that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN. |
minspecialchar | Defines the minimum number of special characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN. |
efs_adminks_access | Defines the efs_admin keystore location. Only one value is possible: Note: This attribute is valid only if the system is EFS-enabled. |
efs_allowksmodechangebyuser | Defines whether the user can change the mode or not. The following values are possible: Note: This attribute is valid only if the system is EFS-enabled. |
efs_file_algo | Defines the algorithm that is used to generate the file protection key. The following values are possible: Note: This attribute is valid only if the system is EFS-enabled. |
efs_initialks_mode | Defines the initial mode of the user keystore. The following values are possible: Notes: |
efs_keystore_access | Defines the user keystore location. The following values are possible: Note: This attribute is valid only if the system is EFS-enabled. |
efs_keystore_algo | Defines the algorithm that is used to generate the user private key when the keystore is created. The following values are possible: Notes: |
expires | Identifies the expiration date of the account. The Value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire. The default is 0. See the date command for more information. |
histexpire | Designates the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default is 0, indicating that no time limit is set. |
histsize | Designates the number of previous passwords a user cannot reuse. The value is a decimal integer string. The default is 0. |
login | Indicates whether the user can log in to the system with the login command. Possible values are: |
logintimes | Specifies the times, days, or both, the user is allowed to access the system. The value is a comma-separated list of entries of the following form: The day variable must be one digit between 0 and 6 that represents one of the days of the week. A 0 (zero) indicates Sunday and a 6 indicates Saturday. The time variable is 24-hour military time (1700 is 5:00 p.m.). Leading zeroes are required. For example, you must enter 0800, not 800. The time variable must be four characters in length, and there must be a leading colon (:). An entry consisting of only a time specification applies to every day. The start hour of a time value must be less than the end hour. The date variable is a four digit string in the form mmdd. mm represents the calendar month and dd represents the day number. For example 0001 represents January 1. dd may be 00 to indicate the entire month if the entry is not a range, or to indicate the first or last day of the month depending on whether it appears as the start or the end of a range. For example, 0000 indicates the entire month of January. 0600 indicates the entire month of June. 0311-0500 indicates April 11 through the last day of June. Entries in this list specify times that a user is allowed or denied access to the system. Entries not preceded by an ! (exclamation point) allow access and are called ALLOW entries. Entries prefixed with an ! (exclamation point) deny access to the system and are called DENY entries. The ! operator applies to only one entry, not the whole restriction list. It must appear at the beginning of each entry. |
loginretries | Defines the number of unsuccessful login attempts allowed after the last successful login before the system locks the account. The value is a decimal integer string. A zero or negative value indicates that no limit exists. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than the value of loginretries. To do this, enter the following: |
maxage | Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is a decimal integer string. The default is a value of 0, indicating no maximum age. |
maxexpired | Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. After this defined time, only an administrative user can change the password. The value is a decimal integer string. The default is -1, indicating no restriction is set. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored. |
maxrepeats | Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string. |
minage | Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal integer string. The default is a value of 0, indicating no minimum age. |
minalpha | Defines the minimum number of alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
mindiff | Defines the minimum number of characters required in a new password that were not in the old password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
minlen | Defines the minimum length of a password. The value is a decimal integer string. The default is a value of 0, indicating no minimum length. The maximum value allowed is the PW_PASSLEN attribute. The effective minimum length also depends on the minalpha attribute value added to the minother attribute value: if the sum of these values is greater than the minlen attribute value, the minimum length is set to the sum. Note: The PW_PASSLEN attribute is defined in /usr/include/userpw.h. The value of the PW_PASSLEN attribute is determined by the system-wide password algorithm that is defined in /etc/security/login.cfg. The minimum length of a password is determined by the minlen attribute and should never be greater than the PW_PASSLEN attribute. If the minalpha attribute + minother attribute is greater than the PW_PASSLEN attribute, then the minother attribute is reduced to PW_PASSLEN attribute - minalpha attribute. |
minother | Defines the minimum number of non-alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
projects | Defines the list of projects that the user's processes can be assigned to. The value is a list of comma-separated project names and is evaluated from left to right. The project name should be a valid project name as defined in the system. If an invalid project name is found on the list, it will be reported as an error by the user command. |
pwdchecks | Defines the password restriction methods enforced on new passwords. The value is a list of comma-separated method names and is evaluated from left to right. A method name is either an absolute path name or a path name relative to /usr/lib of an executable load module. |
pwdwarntime | Defines the number of days before the system issues a warning that a password change is required. The value is a decimal integer string. A zero or negative value indicates that no message is issued. The value must be less than the difference of the maxage and minage attributes. Values greater than this difference are ignored, and a message is issued when the minage value is reached. |
registry | Defines the authentication registry where the user is administered. It is used to resolve a remotely administered user to the local administered domain. This situation may occur when network services unexpectedly fail or network databases are replicated locally. Example values are files or NIS or DCE. |
rlogin | Permits access to the account from a remote location with the telnet or rlogin commands. Possible values are: |
su | Indicates whether another user can switch to the specified user account with the su command. Possible values are: |
sugroups | Lists the groups that can use the su command to switch to the specified user account. The Value parameter is a comma-separated list of group names, or a value of ALL to indicate all groups. An ! (exclamation point) in front of a group name excludes that group. If this attribute is not specified, all groups can switch to this user account with the su command. |
SYSTEM | Defines the system authentication mechanism for the user. The value may be an expression describing which authentication methods are to be used or it may be the keyword NONE. The SYSTEM mechanism is always used to authenticate the user, regardless of the value of the auth1 and auth2 attributes. If the SYSTEM attribute is set to NONE, authentication is only performed using the auth1 and auth2 attributes. If the auth1 and auth2 attributes are blank or ignored, as with the TCP socket daemons (ftpd, rexecd and rshd), no authentication will be performed. The method names compat, files and NIS are provided by the security library. Additional methods may be defined in the file /usr/lib/security/methods.cfg. Specify the value for SYSTEM using the following grammar: An example of the syntax is: |
tpath | Indicates the user's trusted path status. The possible values are: |
ttys | Lists the terminals that can access the account specified by the Name parameter. The Value parameter is a comma-separated list of full path names, or a value of ALL to indicate all terminals. The values of RSH and REXEC also can be used as terminal names. An ! (exclamation point) in front of a terminal name excludes that terminal. If this attribute is not specified, all terminals can access the user account. If the Value parameter is not ALL, then /dev/pts must be specified for network logins to work. |
umask | Determines file permissions. This value, along with the permissions of the creating process, determines a file's permissions when the file is created. The default is 022. |
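An added example (not AIX code) that applies the password composition rules from the table above: the minlen/minalpha/minother interaction with PW_PASSLEN, plus mindigit, mindiff, maxrepeats, and a dictionlist containing a ‘$USER’ entry and a ‘*’ pattern entry. The PW_PASSLEN value, the policy values and the dictionary are constructed; the exact-word, set-difference and user-name-substring semantics are assumptions, and minloweralpha, minupperalpha and minspecialchar follow the same shape and are omitted.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

PW_PASSLEN = 8  # constructed placeholder: the real value comes from userpw.h / the login.cfg algorithm

# Constructed dictionlist content: one word per line, '$USER', and a '*' pattern entry.
DICTIONARY = ["password", "welcome", "$USER", "*.*123"]

# Constructed attribute values as they would appear in a user or default stanza.
POLICY = {"minlen": "6", "minalpha": "4", "minother": "6", "mindigit": "1",
          "mindiff": "3", "maxrepeats": "2"}

def effective_minimums(attrs: Dict[str, str]) -> Tuple[int, int, int]:
    """Apply the minlen / minalpha / minother interaction described for minlen."""
    minalpha = int(attrs.get("minalpha", 0))
    minother = int(attrs.get("minother", 0))
    minlen = int(attrs.get("minlen", 0))
    if minalpha + minother > PW_PASSLEN:       # minother is cut back to fit PW_PASSLEN
        minother = PW_PASSLEN - minalpha
    minlen = max(minlen, minalpha + minother)  # a larger sum raises the minimum length
    return min(minlen, PW_PASSLEN), minalpha, minother

def check_password(new: str, old: str, user: str, attrs: Dict[str, str],
                   dictionary: List[str] = DICTIONARY) -> List[str]:
    """Return the names of the rules a candidate password violates (empty list = accepted)."""
    minlen, minalpha, minother = effective_minimums(attrs)
    alpha = sum(c.isalpha() for c in new)
    failures = []
    if len(new) < minlen:
        failures.append("minlen")
    if alpha < minalpha:
        failures.append("minalpha")
    if len(new) - alpha < minother:
        failures.append("minother")
    if sum(c.isdigit() for c in new) < int(attrs.get("mindigit", 0)):
        failures.append("mindigit")
    # mindiff: characters of the new password that do not occur in the old one (assumed set semantics)
    if sum(c not in old for c in new) < int(attrs.get("mindiff", 0)):
        failures.append("mindiff")
    maxrepeats = int(attrs.get("maxrepeats", 8))  # 8 (and the meaningless 0) mean no limit
    if 0 < maxrepeats < 8 and max(Counter(new).values(), default=0) > maxrepeats:
        failures.append("maxrepeats")
    for entry in dictionary:
        if entry == "$USER":
            hit = user in new                      # assumption: user name anywhere in the password
        elif entry.startswith("*"):
            hit = re.fullmatch(entry[1:], new) is not None  # '*' marks a pattern entry
        else:
            hit = new == entry                     # plain entry: exact word match (assumption)
        if hit:
            failures.append("dictionlist:" + entry)
    return failures
```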
Item | Description |
---|---|
minsl | Defines the minimum sensitivity clearance level (SCL). Note: The defsl value for the user dominates the minsl value. |
maxsl | Defines the maximum SCL. Note: The maxsl value dominates the defsl value for the user. |
defsl | Defines the default sensitivity level that the user is assigned during login. Note: The defsl value dominates the minsl value and is dominated by the maxsl value. |
mintl | Defines the minimum integrity clearance level. Note: The deftl value for the user dominates the mintl value. |
maxtl | Defines the maximum integrity clearance level. Note: The maxtl value dominates the deftl value for the user. |
deftl | Defines the default integrity clearance level that the user is assigned during login. Note: The deftl value dominates the mintl value and is dominated by the maxtl value. |
Changing the user File
You should access this file through the commands and subroutines defined for this purpose. You can use the following commands to change the user file:
The mkuser command creates an entry for each new user in the /etc/security/user file and initializes its attributes with the attributes defined in the /usr/lib/security/mkuser.default file. To change attribute values, use the chuser command. To display the attributes and their values, use the lsuser command. To remove a user, use the rmuser command.
To write programs that affect attributes in the /etc/security/user file, use the subroutines listed in the related information section.
Access Control
This file should grant read (r) access only to the root user and members of the security group. Access for other users and groups depends upon the security policy for the system. Only the root user should have write (w) access.
Auditing Events
Event | Information |
---|---|
S_USER_WRITE | file name |
Examples
A typical stanza for the user dhs looks like the following:
    dhs:
        login = true
        rlogin = false
        ttys = /dev/console
        sugroups = security,!staff
        expires = 0531010090
        tpath = on
        admin = true
        auth1 = SYSTEM,METH2;dhs
        ttys = !/dev/tty0,ALL
Files
Item | Description |
---|---|
/etc/group | Contains the basic group attributes. |
/etc/passwd | Contains the basic user attributes. |
/etc/security/audit/config | Contains audit system configuration information. |
/etc/security/environ | Contains the environment attributes of users. |
/etc/security/group | Contains the extended attributes of groups. |
/etc/security/limits | Contains the process resource limits of users. |
/etc/security/login.cfg | Contains configuration information for user log in and authentication. |
/etc/security/passwd | Contains password information. |
/usr/lib/security/mkuser.default | Contains default user configurations. |
/etc/security/user | Contains extended user attributes. |
/etc/security/lastlog | Contains last login information. |
/etc/security/enc/LabelEncodings | Contains label definitions for the Trusted AIX system. |