user File

Purpose

Contains extended user attributes.

Description

The user file contains extended user attributes. The user file is an ASCII file that contains attribute stanzas for users. The mkuser command creates a stanza in this file for each new user and initializes its attributes with the default attributes defined in the /usr/lib/security/mkuser.default file.

Each stanza in the /etc/security/user file is identified by a user name, followed by a colon (:), and contains attributes in the form Attribute=Value. Each attribute value pair is ended by a new-line character, and each stanza is ended by an additional new-line character. For an example of a stanza, see the Examples section.

The file supports a default stanza. If an attribute is not defined for a user, the default value for the attribute is used.
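As an added example (not code from this page or from AIX), the following Python reads stanzas in the format just described, resolves an attribute through the default stanza, and flags two settings described later on this page that a reviewer would check; the sample file text is constructed, and treating lines that start with * as comments is an assumption.

```python
"""Parse /etc/security/user-style stanzas and resolve attributes through the
default stanza.  Added example, not part of AIX or of this page; the file text
below is constructed.  Treating lines that start with '*' as comments is an
assumption from AIX stanza-file convention, not something this page states."""
import re

SAMPLE_USER_FILE = """\
* constructed sample, not a real system's file
default:
        admin = false
        login = true
        loginretries = 0
        maxage = 13

dhs:
        login = true
        rlogin = false
        ttys = /dev/console
        sugroups = security,!staff
        admin = true

svc:
        login = false
        loginretries = 5

ops:
        admin = true
        loginretries = 3
"""

def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} in file order.  A stanza starts
    with 'name:' on a line of its own, each following 'Attribute = Value' line
    belongs to it, and a blank line ends it."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):
            current = None
            continue
        m = re.fullmatch(r"([^\s:]+):", line)
        if m:
            current = m.group(1)
            stanzas.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            raise ValueError("attribute line outside a stanza: %r" % raw)
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas

def effective(stanzas, user, attr, builtin_default=None):
    """Resolve an attribute as the page describes: the user's own stanza first,
    then the default stanza, then the attribute's documented built-in default."""
    for name in (user, "default"):
        if attr in stanzas.get(name, {}):
            return stanzas[name][attr]
    return builtin_default

def audit(stanzas):
    """Flag settings a reviewer would want to look at: no lockout after failed
    logins, and administrative accounts reachable with rlogin or telnet."""
    findings = []
    for user in stanzas:
        if user == "default":
            continue
        if int(effective(stanzas, user, "loginretries", "0")) <= 0:
            findings.append((user, "loginretries", "no lockout limit"))
        if (effective(stanzas, user, "admin", "false") == "true"
                and effective(stanzas, user, "rlogin", "true") == "true"):
            findings.append((user, "rlogin", "administrator reachable remotely"))
    return findings
```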

Attributes

If you have the proper authority, you can set the following user attributes:

Table 1. Attributes
Item Description
account_locked Indicates whether the user account is locked. The following values are the possible values for the account_locked field:
true
The user account is locked. The values yes, true, and always are equivalent. The user is denied access to the system.
false
The user account is not locked. The values no, false, and never are equivalent. The user is allowed access to the system. The default value is false.
admin Defines the administrative status of the user. The following values are the possible values for the admin field:
true
The user is an administrator. Only the root user can change the attributes of users who are defined as administrators.
false
The user is not an administrator. The default value is false.
admgroups Lists the groups that the user administers. The Value parameter is a comma-separated list of group names. For additional information on group names, see the adms attribute of the /etc/security/group file.
auditclasses Lists the user's audit classes. The Value parameter is a list of comma-separated classes, or a value of ALL to indicate all audit classes.
auth1 Lists additional mandatory methods for authenticating the user. The auth1 attribute is deprecated and might not be supported in a future release. The SYSTEM attribute must be used instead. The authentication process fails if any of the methods specified by the auth1 attribute fail.

The Value parameter is a comma-separated list of Method and Name pairs in the format Method;Name. The Method parameter is the name of the authentication method. The Name parameter is the name of the user to authenticate. If you do not specify a Name parameter, the name of the user who is authenticated is used.

Valid authentication methods for the auth1 and auth2 attributes are defined in the /etc/security/login.cfg file.

auth2 Lists additional optional methods for authenticating the user. The auth2 attribute is deprecated and might not be supported in a future release. The SYSTEM attribute must be used instead. The authentication process does not fail if any of the methods specified by the auth2 attribute fail.

The Value parameter is a comma-separated list of Method and Name pairs in the format Method;Name. The Method parameter is the name of the authentication method. The Name parameter is the name of the user to authenticate. If you do not specify a Name parameter, the name of the user who is authenticated is used.

core_compress Enables or disables core file compression. The valid values for this attribute are On and Off. When the core_compress attribute value is On, compression of the core file is enabled; otherwise, compression is disabled. The default value is Off.
core_path Enables or disables the core file path specification. The valid values for this attribute are On and Off. If the value of the core_path field is On, the core files are placed in the directory that is specified by core_pathname field. Otherwise, the core files are placed in the current working directory of the user. The default value is Off.
core_pathname Specifies a location to be used to place core files, if the core_path attribute is set to On. If the core_pathname field is not set and the core_path field is set to On, core files are placed in the current working directory of the user. This attribute is limited to 256 characters.
core_naming Selects a choice of core file naming strategies. Valid values for this attribute are On and Off. A value of On enables core file naming in the form core.pid.time, which is the same as what the CORE_NAMING environment variable does. A value of Off uses the default name of core.
daemon Indicates whether the user who is specified by the Name parameter can execute programs by using the cron daemon or the src (system resource controller) daemon. The following values are the possible values of the daemon field:
true
The user can initiate cron and src sessions. The default value is true.
false
The user cannot initiate cron and src sessions.
dce_export Allows the DCE registry to overwrite the local user information with the DCE user information during a DCE export operation. The following values are the possible values of the dce_export field:
true
Local user information is overwritten.
false
Local user information is not overwritten.
dictionlist Defines the password dictionaries that are used by the composition restrictions when checking new passwords.
The password dictionaries are a list of comma-separated, absolute path names that are evaluated from left to right. All dictionary files and directories must be write-protected from all users except root. The dictionary files are formatted one word per line. The word begins in the first column and terminates with a new-line character. Only 7-bit ASCII words are supported for passwords. If text processing is installed on your system, the recommended dictionary file is the /usr/share/dict/words file. A user name can be disallowed in the password by adding an entry with the keyword $USER in the dictionary files. The keyword $USER cannot be part of any word or pattern of the other entries in the dictionary files. A regular expression can also be disallowed in the password if it is listed in the dictionary file. To differentiate between a word and a pattern in the dictionary file, a pattern is indicated with * as its first character. For example, if the administrator wants to disallow any password that ends with 123, the administrator can add the following entry to the dictionary file:
*.*123

The first * indicates a pattern entry, and the remaining part, .*123, is the pattern.

minloweralpha Defines the minimum number of lowercase alphabetic characters that must be in a new password. The value is a decimal integer string. The default value is 1. The range is 0 to PW_PASSLEN.
minupperalpha Defines the minimum number of uppercase alphabetic characters that must be in a new password. The value is a decimal integer string. The default value is 1. The range is 0 to PW_PASSLEN.
mindigit Defines the minimum number of digits that must be in a new password. The value is a decimal integer string. The default value is 1. The range is 0 to PW_PASSLEN.
minspecialchar Defines the minimum number of special characters allowed in a new password. The value is a decimal integer string. The default value is 1. The range is 0 to PW_PASSLEN.
Notes:
  • If the value of the mindigit or minspecialchar attribute is greater than the minother attribute, the greater attribute is reduced to a value that is equal to the minother attribute.
  • If the sum of the mindigit and minspecialchar attributes is greater than the value of the minother attribute, the value of the minspecialchar attribute is reduced to the difference between the minother and mindigit attributes.
efs_adminks_access Defines the efs_admin keystore location. The possible value is file.
file
Keystore is stored in the /var/efs/efs_admin/ file.
Note: This attribute is valid only if the system is Encrypted File System (EFS)-enabled.
efs_allowksmodechangebyuser Defines whether the user can change the mode or not. The following values are possible:
yes
The user can change the keystore mode (by using the efskeymgr command).
no
The user cannot change the keystore mode (by using the efskeymgr command).
Note: This attribute is valid only if the system is EFS-enabled.
efs_file_algo Defines the algorithm that is used to generate the file protection key. The following values are possible:
  • AES_128_CBC
  • AES_192_CBC
  • AES_256_CBC
Note: This attribute is valid only if the system is EFS-enabled.
efs_initialks_mode Defines the initial mode of the user keystore. The following values are the possible values:
guard
When a keystore is in root guard mode, the keys that are contained in this keystore cannot be retrieved without the correct password of this keystore.
admin
When a keystore is in root admin mode, the keys that are contained in this keystore can be retrieved with the EFS admin key.
Notes:
  • This attribute is valid only if the system is EFS-enabled.
  • The efs_initialks_mode attribute defines the initial mode of the keystore. Changing this value by using the chuser command, the chgroup command, or the chsec command, or with manual editing, does not change the mode of the keystore. Use this attribute only when you are creating the keystore. Do not use this attribute again until the keystore is deleted and a new one is created. To change the keystore mode, use the efskeymgr command.
efs_keystore_access Defines the user keystore location. The following values are the possible values:
none
There is no keystore.
file
Keystore is stored in the /var/efs/users/ directory.
Note: This attribute is valid only if the system is EFS-enabled.
efs_keystore_algo Defines the algorithm that is used to generate the user private key when the keystore is created. The following values are possible:
  • RSA_1024
  • RSA_2048
  • RSA_4096
Notes:
  • This attribute is valid only if the system is EFS-enabled.
  • Changing the value of this attribute by using the chuser command, the chgroup command, or the chsec command, or with manual editing, does not regenerate the private key. Use this attribute only when you are creating the keystore. Do not use this attribute again until the keystore is deleted and a new one is created. To change the algorithm for the keys, use the efskeymgr command.
expires Identifies the expiration date of the account. The Value parameter is a 10-character string in the MMDDhhmmyy form, where MM denotes the month, DD denotes the day, hh denotes the hour, mm denotes the minute, and yy denotes the last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire. The default value is 0. See the date command for more information.
histexpire Designates the period (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default value is 52.
histsize Designates the number of previous passwords that a user cannot reuse. The value is a decimal integer string. The default value is 4.
login Indicates whether the user can log in to the system with the login command. The following values are the possible values:
true
The user can log in to the system. The default value is true.
false
The user cannot log in to the system.
logintimes Specifies the times, days, or both at which the user is allowed to access the system. The value is a comma-separated list of entries of the following form:
[!]:time-time
        -or-
[!]day[-day][:time-time]
        -or-
[!]date[-date][:time-time]

The day variable must be one digit between 0 and 6 that represents one of the days of the week. A 0 (zero) indicates Sunday and a 6 indicates Saturday.

The time variable is 24-hour military time (1700 is 5:00 PM). Leading zeros are required. For example, you must enter 0800, not 800. The time variable must be four characters in length, and there must be a leading colon (:). An entry that consists of only a time specification applies to every day. The start hour of a time value must be less than the end hour.

The date variable is a four-digit string in the format mmdd, where mm represents the calendar month and dd represents the day number. For example, 0001 represents 1 January. The value of dd might be 00 to indicate the entire month, if the entry is not a range, or the entry indicates the first or last day of the month depending on whether it appears as part of the start or end of a range. For example, 0000 indicates the entire month of January. The entry 0600 indicates the entire month of July. The entry 0311-0500 indicates April 11 through the last day of June.

Entries in this list specify the times that a user is allowed or denied access to the system. Entries not preceded by an ! (exclamation point) allow access and are called ALLOW entries. Entries prefixed with an ! (exclamation point) deny access to the system and are called DENY entries. The ! operator applies to only one entry, not the whole restriction list. It must appear at the beginning of each entry.
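As an added example, not the system's own code, the following Python evaluates a logintimes value at a given moment using the entry forms above, including the 0-based month numbering (0000 is January) and the dd = 00 convention; the precedence of DENY over ALLOW entries, the treatment of a list with no ALLOW entries, and inclusive time windows are assumptions the page does not state.

```python
"""Evaluate a logintimes value at a given moment.  Added example, not AIX's own
code.  Assumptions the page does not state: a DENY entry wins over an ALLOW entry,
a list with no ALLOW entries permits everything not denied, and a time window
includes both of its end points."""
import datetime
import re


def _date_bound(spec, is_end):
    """mmdd -> (mm, dd) with the page's 0-based months (0000 = January).  dd == 00
    means the first day of the month as a start bound and the last day as an end bound."""
    mm, dd = int(spec[:2]), int(spec[2:])
    if dd == 0:
        dd = 31 if is_end else 1
    return (mm, dd)


def parse_entry(entry):
    """Parse one entry of the comma-separated list into a dict."""
    deny = entry.startswith("!")
    head, colon, tspec = (entry[1:] if deny else entry).partition(":")
    times = (0, 2359)                       # no time part: the whole day
    if colon:
        m = re.fullmatch(r"(\d{4})-(\d{4})", tspec)   # leading zeros required, start before end
        if not m or int(m.group(1)) >= int(m.group(2)):
            raise ValueError("bad time range in %r" % entry)
        times = (int(m.group(1)), int(m.group(2)))
    e = {"deny": deny, "times": times}
    lo, hi = head.split("-", 1) if "-" in head else (head, head)
    if head == "":
        e["kind"] = "any"                   # ':time-time' alone applies to every day
    elif re.fullmatch(r"[0-6](-[0-6])?", head):
        e.update(kind="day", lo=int(lo), hi=int(hi))
    elif re.fullmatch(r"\d{4}(-\d{4})?", head):
        e.update(kind="date", lo=_date_bound(lo, False), hi=_date_bound(hi, True))
    else:
        raise ValueError("unrecognised logintimes entry %r" % entry)
    return e


def _matches(e, when):
    hhmm = when.hour * 100 + when.minute
    if not e["times"][0] <= hhmm <= e["times"][1]:
        return False
    if e["kind"] == "any":
        return True
    if e["kind"] == "day":
        aix_day = (when.weekday() + 1) % 7  # page: 0 = Sunday .. 6 = Saturday; Python: 0 = Monday
        return e["lo"] <= aix_day <= e["hi"]
    return e["lo"] <= (when.month - 1, when.day) <= e["hi"]


def login_allowed(logintimes, when):
    """True if access is permitted at datetime 'when' under this logintimes value."""
    entries = [parse_entry(x.strip()) for x in logintimes.split(",") if x.strip()]
    if any(_matches(e, when) for e in entries if e["deny"]):
        return False
    allows = [e for e in entries if not e["deny"]]
    return not allows or any(_matches(e, when) for e in allows)
```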

loginretries Defines the number of unsuccessful login attempts allowed after the last successful login before the system locks the account. The value is a decimal integer string. A zero or negative value indicates that no limit exists. Once the account of the user is locked, the user cannot log in until the system administrator resets the unsuccessful_login_count attribute of the user in the /etc/security/lastlog file to be less than the value of loginretries. To reset the unsuccessful_login_count attribute, enter the following command:
chsec -f /etc/security/lastlog -s username -a \
unsuccessful_login_count=0
maxage Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is a decimal integer string. The default value is 13, indicating a maximum age of 13 weeks.
maxexpired Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. After this defined time, only an administrative user can change the password. The value is a decimal integer string. The default value is 4. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored.
maxrepeats Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string.
minage Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal integer string. The default value is 4.
minalpha Defines the minimum number of alphabetic characters that must be in a new password. The value is a decimal integer string. The default value is 2.
mindiff Defines the minimum number of characters that are required in a new password that were not in the old password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.
minlen Defines the minimum length of a password. The value is a decimal integer string. The default value is 10. The maximum value that is allowed is the PW_PASSLEN attribute. The effective minimum length also depends on the sum of the values of the minalpha and minother attributes: if that sum is greater than the minlen attribute value, the minimum length is set to the sum.
Note: The PW_PASSLEN attribute is defined in /usr/include/userpw.h. The value of the PW_PASSLEN attribute is determined by the system-wide password algorithm that is defined in /etc/security/login.cfg.

The minimum length of a password is determined by the minlen attribute and must never be greater than the PW_PASSLEN attribute. If the sum of the minalpha and minother attributes is greater than the PW_PASSLEN attribute, then the minother attribute is reduced to the difference of the PW_PASSLEN and minalpha attributes.

minother Defines the minimum number of non-alphabetic characters that are allowed in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.
Notes:
  • If the value of the mindigit or minspecialchar attribute is greater than the minother attribute, the greater attribute is reduced to a value that is equal to the minother attribute.
  • If the sum of the mindigit and minspecialchar attributes is greater than the value of the minother attribute, the value of the minspecialchar attribute is reduced to the difference between the minother and mindigit attributes.
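The following Python, an added example rather than AIX's implementation, applies the adjustment rules stated for minlen, minother, mindigit and minspecialchar, then checks a password against the resulting policy and against dictionlist entries as described under the dictionlist attribute; PW_PASSLEN = 8 is a constructed value, and comparing a literal word with the whole password and treating $USER as a substring match are assumptions.

```python
"""Apply the password-composition adjustment rules stated on this page and check
a candidate password against the result and against dictionlist entries.  Added
example, not AIX's own implementation.  Assumptions: PW_PASSLEN is set to 8 here
as a constructed value (the real one comes from /usr/include/userpw.h), a literal
dictionary word is compared with the whole password, and $USER rejects any
password that contains the user name."""
import re
from collections import Counter

PW_PASSLEN = 8   # constructed assumption for the example

# Default values as documented on the page.
DEFAULT_POLICY = {"minlen": 10, "minalpha": 2, "minother": 0, "mindigit": 1,
                  "minspecialchar": 1, "minloweralpha": 1, "minupperalpha": 1,
                  "maxrepeats": 8}


def normalise(policy, pw_passlen=PW_PASSLEN):
    """Apply the page's adjustment rules: minother is cut to PW_PASSLEN - minalpha,
    minlen is raised to minalpha + minother but never above PW_PASSLEN, mindigit and
    minspecialchar are each capped at minother, and their sum is capped at minother
    by reducing minspecialchar."""
    p = dict(policy)
    if p["minalpha"] + p["minother"] > pw_passlen:
        p["minother"] = pw_passlen - p["minalpha"]
    p["minlen"] = min(max(p["minlen"], p["minalpha"] + p["minother"]), pw_passlen)
    for key in ("mindigit", "minspecialchar"):
        p[key] = min(p[key], p["minother"])
    if p["mindigit"] + p["minspecialchar"] > p["minother"]:
        p["minspecialchar"] = p["minother"] - p["mindigit"]
    return p


def composition_errors(password, p):
    """Names of the attributes the password fails; an empty list means it passes."""
    checks = [
        ("minlen", len(password) >= p["minlen"]),
        ("minalpha", sum(c.isalpha() for c in password) >= p["minalpha"]),
        ("minother", sum(not c.isalpha() for c in password) >= p["minother"]),
        ("minloweralpha", sum(c.islower() for c in password) >= p["minloweralpha"]),
        ("minupperalpha", sum(c.isupper() for c in password) >= p["minupperalpha"]),
        ("mindigit", sum(c.isdigit() for c in password) >= p["mindigit"]),
        ("minspecialchar", sum(not c.isalnum() for c in password) >= p["minspecialchar"]),
        ("maxrepeats", max(Counter(password).values(), default=0) <= p["maxrepeats"]),
    ]
    return [name for name, ok in checks if not ok]


def dictionary_hits(password, user, entries):
    """Entries of a dictionlist file, one per line: a leading '*' marks a regular-
    expression pattern (the rest of the entry), '$USER' stands for the user name,
    and anything else is a literal word."""
    hits = []
    for entry in entries:
        if entry == "$USER":
            matched = user.lower() in password.lower()
        elif entry.startswith("*"):
            matched = re.fullmatch(entry[1:], password) is not None
        else:
            matched = entry == password
        if matched:
            hits.append(entry)
    return hits
```

Note that with the documented defaults (minother = 0) the first adjustment rule reduces mindigit and minspecialchar to 0, so those two requirements only take effect once minother is raised.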
projects Defines the list of projects that the processes of the user can be assigned to. The value is a list of comma-separated project names and is evaluated from left to right. The project name must be a valid project name as defined in the system. If an invalid project name is found on the list, it is reported as an error by the user command.
pwdchecks Defines the password restriction methods that are enforced on new passwords. The value is a list of comma-separated method names and is evaluated from left to right. A method name is either an absolute path name or a path name relative to /usr/lib of an executable load module.
pwdwarntime Defines the number of days before the system issues a warning that a password change is required. The value is a decimal integer string. A zero or negative value indicates that no message is issued. The value must be less than the difference of the maxage and minage attributes. Values greater than this difference are ignored, and a message is issued when the minage value is reached.
registry Defines the authentication registry where the user is administered. It is used to resolve a remotely administered user to the locally administered domain. This situation might occur when network services unexpectedly fail or network databases are replicated locally. Example values are files, NIS, or DCE.
rlogin Permits access to the account from a remote location with the telnet or rlogin commands. The following values are the possible values:
true
The user account can be accessed remotely. The default value is true.
false
The user account cannot be accessed remotely.
su Indicates whether another user can switch to the specified user account with the su command. The following values are the possible values of the su field:
true
Another user can switch to the specified account. The default value is true.
false
Another user cannot switch to the specified account.
sugroups Lists the groups that can use the su command to switch to the specified user account. The Value parameter is a comma-separated list of group names, or a value of ALL to indicate all groups. An ! (exclamation point) in front of a group name excludes that group. If this attribute is not specified, all groups can switch to this user account with the su command.
SYSTEM

Defines the system authentication mechanism for the user. The value might be an expression that describes which authentication methods are to be used or it might be the keyword NONE.

The SYSTEM mechanism is always used to authenticate the user, regardless of the value of the auth1 and auth2 attributes. If the SYSTEM attribute is set to NONE, authentication is only performed by using the auth1 and auth2 attributes. If the auth1 and auth2 attributes are blank or ignored, as with the TCP socket daemons (ftpd, rexecd, and rshd), no authentication is performed.

The method names compat, files, and NIS are provided by the security library. Additional methods might be defined in the file /usr/lib/security/methods.cfg.

Specify the value for SYSTEM by using the following grammar:

"SYSTEM"       ::= EXPRESSION
EXPRESSION     ::= PRIMITIVE  |
                    "("EXPRESSION")"  |
                     EXPRESSION OPERATOR EXPRESSION
PRIMITIVE      ::= METHOD  |
                    METHOD "["RESULT"]"
RESULT         ::= "SUCCESS" | "FAILURE" | "NOTFOUND" |
                   "UNAVAIL"  | "*"
OPERATOR       ::= "AND" | "OR"
METHOD         ::= "compat" | "files" | "NONE" |
                   [a-z,A-Z,0-9]*

The following example shows the syntax:

SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"
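As an added example (not the security library's code), the following Python parses a SYSTEM expression with the grammar above and evaluates it against simulated outcomes for each method, reporting which methods were consulted; it assumes that AND binds tighter than OR, that a bare METHOD means METHOD[SUCCESS], that * matches any outcome, and that a method with no simulated outcome is UNAVAIL.

```python
"""Parse and evaluate a SYSTEM expression in the page's grammar against simulated
per-method outcomes.  Added example, not AIX's security library.  Assumptions the
page does not state: AND binds tighter than OR, a bare METHOD means METHOD[SUCCESS],
'*' matches any outcome, and a method with no simulated outcome counts as UNAVAIL."""
import re

RESULTS = {"SUCCESS", "FAILURE", "NOTFOUND", "UNAVAIL", "*"}
TOKEN = r"[()]|[A-Za-z0-9]+(?:\[[A-Z*]+\])?"      # "(", ")", METHOD or METHOD[RESULT]


class _Parser:
    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self, expected=None):
        tok = self.peek()
        if tok is None or (expected is not None and tok != expected):
            raise ValueError("expected %r, found %r" % (expected or "a token", tok))
        self.pos += 1
        return tok

    def expression(self):               # EXPRESSION ::= TERM ("OR" TERM)*
        node = self.term()
        while self.peek() == "OR":
            self.take()
            node = ("OR", node, self.term())
        return node

    def term(self):                     # TERM ::= PRIMARY ("AND" PRIMARY)*
        node = self.primary()
        while self.peek() == "AND":
            self.take()
            node = ("AND", node, self.primary())
        return node

    def primary(self):                  # PRIMARY ::= "(" EXPRESSION ")" | METHOD | METHOD "[" RESULT "]"
        if self.peek() == "(":
            self.take("(")
            node = self.expression()
            self.take(")")
            return node
        tok = self.take()
        m = re.fullmatch(r"([A-Za-z0-9]+)(?:\[([A-Z*]+)\])?", tok)
        if not m or m.group(1) in ("AND", "OR") or (m.group(2) or "SUCCESS") not in RESULTS:
            raise ValueError("bad PRIMITIVE %r" % tok)
        return ("TEST", m.group(1), m.group(2) or "SUCCESS")

def _eval(node, outcomes, consulted):
    if node[0] == "TEST":
        _, method, wanted = node
        if method not in consulted:
            consulted.append(method)    # a method is invoked once; later [RESULT] tests reuse its outcome
        return wanted == "*" or outcomes.get(method, "UNAVAIL") == wanted
    left = _eval(node[1], outcomes, consulted)
    if node[0] == "AND":                # short-circuit: the right side runs only when it can change the answer
        return left and _eval(node[2], outcomes, consulted)
    return left or _eval(node[2], outcomes, consulted)

def evaluate_system(expr, outcomes):
    """Return (authenticated, methods consulted in order); NONE gives (None, [])
    because the page says authentication then relies on auth1/auth2 only."""
    if expr.strip() == "NONE":
        return None, []
    tokens = re.findall(TOKEN, expr)
    if "".join(tokens) != re.sub(r"\s+", "", expr):
        raise ValueError("unexpected characters in %r" % expr)
    parser, consulted = _Parser(tokens), []
    tree = parser.expression()
    if parser.peek() is not None:
        raise ValueError("unexpected token %r" % parser.peek())
    return _eval(tree, outcomes, consulted), consulted
```

With the page's own example, a DCE FAILURE does not fall back to compat: only an UNAVAIL result takes the local path.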
tpath Indicates the user's trusted path status. The following values are the possible values:
always
The user can execute only trusted processes. The always value of the tpath attribute implies that the user's initial program is in the trusted shell or some other trusted process.
notsh
The user cannot invoke the trusted shell on a trusted path. If the user enters the secure attention key (SAK) after logging in, the login session ends.
nosak
The secure attention key (SAK) is disabled for all processes run by the user. Use this value if the user transfers binary data that might contain the SAK sequence. The default value is nosak.
on
The user has normal trusted path characteristics and can invoke a trusted path (enter a trusted shell) with the secure attention key (SAK).
ttys Lists the terminals that can access the account that is specified by the Name parameter. The Value parameter is a comma-separated list of full path names, or a value of ALL to indicate all terminals. The values of RSH and REXEC also can be used as terminal names. An ! (exclamation point) in front of a terminal name excludes that terminal. If this attribute is not specified, all terminals can access the user account. If the Value parameter is not ALL, then /dev/pts must be specified for network logins to work.
umask Determines file permissions. This value, along with the permissions of the creating process, determines the permissions of a file when the file is created. The default is 022.

Changing the user File

Access this file through the commands and subroutines that are defined for this purpose. You can use the following commands to change the user file:

  • chuser Command
  • lsuser Command
  • mkuser Command
  • rmuser Command

The mkuser command creates an entry for each new user in the /etc/security/user file and initializes its attributes with the attributes that are defined in the /usr/lib/security/mkuser.default file. To change attribute values, use the chuser command. To display the attributes and their values, use the lsuser command. To remove a user, use the rmuser command.

To write programs that affect attributes in the /etc/security/user file, use the subroutines that are listed in the related information section.

Security

Access Control

The user file must grant read (r) access only to the root user and members of the security group. Access for other users and groups depends upon the security policy for the system. Only the root user must have write (w) access.

Auditing events

Table 2. Auditing events
Event Information
S_USER_WRITE File name

Examples

  1. A typical stanza looks like the following example for user dhs:
    dhs:
        login = true
        rlogin = false
        ttys = /dev/console
        sugroups = security,!staff
        expires = 0531010090
        tpath = on
        admin = true
        auth1 = SYSTEM,METH2;dhs
  2. To allow all ttys except /dev/tty0 to access the user account, change the ttys entry so that it reads as the following entry:
    ttys = !/dev/tty0,ALL

Files

Table 3. Files
Item Description
/etc/group Contains the basic group attributes.
/etc/passwd Contains the basic user attributes.
/etc/security/audit/config Contains information about the audit system configuration.
/etc/security/environ Contains the environment attributes of users.
/etc/security/group Contains the extended attributes of groups.
/etc/security/limits Contains the process resource limits of users.
/etc/security/login.cfg Contains configuration information for user log-in and authentication.
/etc/security/passwd Contains password information.
/usr/lib/security/mkuser.default Contains default user configurations.
/etc/security/user Contains extended user attributes.
/etc/security/lastlog Contains last login information.