chuser Command
Purpose
Changes user attributes.
Syntax
chuser [ -R load_module ] Attribute=Value ... Name
Description
The chuser command changes attributes for the user identified by the Name parameter. The user name must already exist. To change an attribute, specify the attribute name and the new value with the Attribute=Value parameter. The following files contain local user attributes that are set by this command:
- /etc/passwd
- /etc/security/environ
- /etc/security/limits
- /etc/security/user
- /etc/security/user.roles
- /etc/security/audit/config
- /etc/group
- /etc/security/group
To change attributes for a user with an alternate Identification and Authentication (I&A) mechanism, use the -R flag to specify the I&A load module under which that user is defined. If the -R flag is not specified, the chuser command treats the user as a local user. Load modules are defined in the /usr/lib/security/methods.cfg file.
If you specify a single incorrect attribute or attribute value with the chuser command, the command does not change any attribute.
You can use the System Management Interface Tool (SMIT) smit chuser fast path to change user characteristics.
Changing the ID of an account can compromise system security, so you should not do so. However, when the ID is changed using the chuser command, ID collision checking is also controlled by the dist_uniqid attribute in the usw stanza of the /etc/security/login.cfg file. The behavior of ID collision control is the same as that described for the mkuser command.
Restrictions on Changing Users
To ensure the integrity of user information, some restrictions apply when using the chuser command. Only the root user or users with UserAdmin authorization can use the chuser command to perform the following tasks:
- Make a user an administrative user by setting the admin attribute to true.
- Change any attributes of an administrative user.
- Add a user to an administrative group.
An administrative group is a group with the admin attribute set to true. Members of the security group can change the attributes of non-administrative users and add users to non-administrative groups.
The chuser command manipulates local user data only. You cannot use it to change data in registry servers like NIS and DCE.
Flags
Item | Description |
---|---|
-R load_module | Specifies the loadable I&A module used to change the user's attributes. |
Attributes
If you have the proper authority, you can set the following user attributes:
Item | Description |
---|---|
account_locked | Indicates if the user account is locked. Possible values include: |
admin | Defines the administrative status of the user. Possible values are: |
admgroups | Defines the groups that the user administrates. If the domainlessgroups attribute is set in the /etc/secvars.cfg file, a Lightweight Directory Access Protocol (LDAP) group can be assigned to the local user and vice versa. For more information, see the /etc/secvars.cfg file. The Value parameter is a comma-separated list of group names. |
auditclasses | Defines the user's audit classes. The Value parameter is a list of comma-separated classes, or a value of ALL to indicate all audit classes. |
auth1 | Defines the primary methods for authenticating the user. The Value parameter is a comma-separated list of Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter is the user to authenticate. If you do not specify a Name parameter, the name of the invoking login program is used. Valid authentication methods are defined in the /etc/security/login.cfg file. By default, the SYSTEM method and local password authentication are used. The NONE method indicates that no primary authentication check is made. |
auth2 | Defines the secondary methods used to authenticate the user. The Value parameter is a comma-separated list of Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter value is the user to authenticate. If this attribute is not specified, the default is NONE, indicating that no secondary authentication check is made. Valid authentication methods are defined in the /etc/security/login.cfg file. If you do not specify a Name parameter, the name of the invoking login program is used. |
capabilities | Defines the system privileges (capabilities) which are granted to a user by the login or su commands. Valid capabilities are: |
core | Specifies the soft limit for the largest core file a user's process can create. The Value parameter is an integer representing the number of 512-byte blocks. |
core_compress | Enables or disables core file compression. Valid values for this attribute are On and Off. If this attribute has a value of On, compression is enabled; otherwise, compression is disabled. The default value of this attribute is Off. |
core_hard | Specifies the largest core file a user's process can create. The Value parameter is an integer representing the number of 512-byte blocks. |
core_naming | Selects a choice of core file naming strategies. Valid values for this attribute are On and Off. A value of On enables core file naming in the form core.pid.time, which is the same as what the CORE_NAMING environment variable does. A value of Off uses the default name of core. |
core_path | Enables or disables core file path specification. Valid values for this attribute are On and Off. If this attribute has a value of On, core files will be placed in the directory specified by core_pathname (the feature is enabled); otherwise, core files are placed in the user's current working directory. The default value of this attribute is Off. |
core_pathname | Specifies a location to be used to place core files, if the core_path attribute is set to On. If this is not set and core_path is set to On, core files will be placed in the user's current working directory. This attribute is limited to 256 characters. |
cpu | Identifies the soft limit for the largest amount of system unit time (in seconds) that a user's process can use. The Value parameter is an integer. All negative values are considered as unlimited. |
cpu_hard | Identifies the largest amount of system unit time (in seconds) that a user's process can use. The Value parameter is an integer. The default value is -1 which turns off restrictions. |
daemon | Indicates whether the user specified by the Name parameter can run programs using the cron daemon or the src (system resource controller) daemon. Possible values are: |
data | Specifies the soft limit for the largest data segment for a user's process. The Value parameter is an integer representing the number of 512-byte blocks. The minimum allowable value for this attribute is 1272. Specify -1 to make it unlimited. |
data_hard | Specifies the largest data segment for a user's process. The Value parameter is an integer representing the number of 512-byte blocks. The minimum allowable value for this attribute is 1272. Specify -1 to make it unlimited. |
dce_export | Allows the DCE registry to overwrite the local user information with the DCE user information during a DCE export operation. Possible values are: |
default_roles | Specifies the default roles for the user. The Value parameter, a comma-separated list of valid role names, can only contain roles assigned to the user in the roles attribute. You can use the ALL keyword to signify that the default roles for the user are all their assigned roles. |
dictionlist | Defines the password dictionaries used by the composition restrictions when checking new passwords. The password dictionaries are a list of comma-separated absolute path names, evaluated from left to right. All dictionary files and directories must be write protected from all users except root. The dictionary files are formatted one word per line. The word starts in the first column and terminates with a newline character. Only 7-bit ASCII words are supported for passwords. The user names can be disallowed in the password field by adding an entry with the key word $USER in the dictionary files. Note: The key word $USER cannot be used as a part of any word or pattern for the entries in the dictionary files. Any password that matches a pattern or regular expression mentioned in the dictionary file will be disallowed. To differentiate between a word and a pattern in the dictionary file, a pattern is indicated with * as the first character. For example, if an administrator wants to disallow any password ending with 123, then this information needs to be mentioned in the dictionary file as the following entry: *.*123 The first part (*) is used to indicate a pattern entry and the remaining part (.*123) forms the pattern. If you install the text processing tool on your system, the recommended dictionary file is the /usr/share/dict/words file. |
domains | Defines the list of domains that the user belongs to. |
expires | Identifies the expiration date of the account. The Value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire. The default is 0. See the date command for more information. |
fsize | Defines the soft limit for the largest file a user's process can create or extend. The Value parameter is an integer representing the number of 512-byte blocks. To make files greater than 2G, specify -1. The minimum value for this attribute is 8192. |
fsize_hard | Defines the largest file a user's process can create or extend. The Value parameter is an integer representing the number of 512-byte blocks. To make files greater than 2G, specify -1. The minimum value for this attribute is 8192. |
gecos | Supplies general information about the user specified by the Name parameter. The Value parameter is a string with no embedded colon (:) character and no embedded newline character. |
groups | Identifies the groups to which user belongs. If the domainlessgroups attribute is set in the /etc/secvars.cfg file, the LDAP group can be assigned to the local user and vice versa. For more information, see /etc/secvars.cfg. The Value parameter is a comma-separated list of group names. |
histexpire | Defines the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default is 0, indicating that no time limit is set. Only an administrative user can change this attribute. |
histsize | Defines the number of previous passwords that a user cannot reuse. The value is a decimal integer string. The default is 0. This attribute can have a value in the range 0 - 50. Only an administrative user can change this attribute. |
home | Identifies the home directory of the user specified by the Name parameter. The Value parameter is a full path name. |
id | Specifies the user ID. The Value parameter is a unique integer string. Changing this attribute compromises system security and, for this reason, you should not change this attribute. |
login | Indicates whether the user can log in to the system with the login command. Possible values are: |
loginretries | Defines the number of unsuccessful login attempts allowed after the last successful login before the system locks the account. The value is a decimal integer string. A zero or negative value indicates that no limit exists. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than the value of loginretries. To do this, enter the following: |
logintimes | Defines the days and times that the user is allowed to access the system. The value is a comma-separated list of entries in one of the following formats: Possible values for <day> include mon, tues, w, THU, Friday, sat, and SUNDAY. Indicate the day value as any abbreviated day of the week; however, the abbreviation must be unique with respect to both day and month names. The range of days can be circular, such as Tuesday-Monday. Day names are case insensitive. Possible values for <time> include times specified in 24-hour military format. Precede the time value with a : (colon) and specify a string of 4 characters. Leading zeros are required. Thus, 0800 (8am) is valid while 800 is not valid. An entry consisting of only a specified time period applies to every day. The start hour must be less than the end hour. The time period cannot flow into the next day. Possible values for <month> include Jan, F, march, apr, and s. Indicate the month value as any abbreviated month; however, the abbreviation must be unique with respect to both day and month names. The range of months can be circular, such as September-June. Month names are case insensitive. Possible values for <daynum> include days 1-31 of a month. This value is checked against the specified month. Specify the month value as either a 1 or 2 character string. A month specified without a daynum value indicates the first or last day of the month, depending on whether the month is the start or end month specified, respectively. Entries prefixed with ! (exclamation point) deny access to the system and are called DENY entries. Entries without the ! prefix allow access and are called ACCESS entries. The ! prefix applies to single entries and must prefix each entry. Currently, the system allows 200 entries per user. This attribute is internationalized. Month and day names can be entered and are displayed in the language specified by the locale variables set for the system. The relative order of the month and day values is also internationalized; both the <month><daynum> and <daynum><month> formats are accepted. The system evaluates entries in the following order: |
maxage | Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is a decimal integer string. The default is a value of 0, indicating no maximum age. Range: 0 to 52 |
maxexpired | Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. After this defined time, only an administrative user can change the password. The value is a decimal integer string. The default is -1, indicating that no restriction is set. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored. Range: 0 to 52 (a root user is exempt from maxexpired) |
maxrepeats | Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string. Range: 0 to 8 |
maxulogs | Specifies the maximum number of concurrent logins per user. If the concurrent login number for a user exceeds the maximum number of allowed logins, the login is denied. |
minage | Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal integer string. The default is a value of 0, indicating no minimum age. Range: 0 to 52 |
minalpha | Defines the minimum number of alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to 8 |
mindiff | Defines the minimum number of characters required in a new password that were not in the old password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to 8 |
minlen | Defines the minimum length of a password. The value is a decimal integer string. The default is a value of 0, indicating no minimum length. The maximum value allowed is 8. The effective minimum length is determined by minlen or 'minalpha + minother', whichever is greater. 'minalpha + minother' should never be greater than 8. If 'minalpha + minother' is greater than 8, then the effective value for minother is reduced to '8 - minalpha'. |
minother | Defines the minimum number of non-alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to 8 |
nofiles | Defines the soft limit for the number of file descriptors a user process may have open at one time. The Value parameter is an integer. |
nofiles_hard | Defines the hard limit for the number of file descriptors a user process may have open at one time. The Value parameter is an integer. The default value is -1, which sets the limit to the maximum allowed by the system. |
nproc | Defines the soft limit on the number of processes a user can have running at one time. The Value parameter is an integer equal to or greater than 1. The default value is -1, which sets the limit to the maximum allowed by the system. |
nproc_hard | Defines the hard limit on the number of processes a user can have running at one time. The Value parameter is an integer equal to or greater than 1. The default value is -1, which sets the limit to the maximum allowed by the system. |
pgrp | Identifies the primary group of the user. If the domainlessgroups attribute is set in the /etc/secvars.cfg file, the LDAP group can be assigned as a primary group to the local user and vice versa. For more information, see /etc/secvars.cfg. The Value parameter must contain a valid group name and cannot be a null value. |
projects | Defines the list of projects to which the user's processes can be assigned. The value is a list of comma-separated project names and is evaluated from left to right. The project name should be a valid project name as defined in the system. If an invalid project name is found on the list, it will be reported as an error. |
pwdchecks | Defines the password restriction methods enforced on new passwords. The value is a list of comma-separated method names and is evaluated from left to right. A method name is either an absolute path name or a path name relative to /usr/lib of an executable load module. |
pwdwarntime | Defines the number of days before the system issues a warning that a password change is required. The value is a decimal integer string. A zero or negative value indicates that no message is issued. The value must be less than the difference of the maxage and minage attributes. Values greater than this difference are ignored and a message is issued when the minage value is reached. |
rcmds | Controls the remote execution of the r-commands (rsh, rexec, and rcp). Possible values are as follows: Note: The rcmds attribute controls only remote command execution. It does not control r-command functionality to open a remote shell. Login functions such as this are controlled by the rlogin, hostsallowedlogin, and hostsdeniedlogin attributes. Although the deprecated ttys attribute value |
rlogin | Permits access to the account from a remote location with the telnet or rlogin commands. Possible values are: |
roles | Defines the administrative roles for this user. The Value parameter is a list of role names, separated by commas. |
rss | The soft limit for the largest amount of physical memory a user's process can allocate. The Value parameter is a decimal integer string specified in units of 512-byte blocks. This value is not currently enforced by the system. |
rss_hard | The largest amount of physical memory a user's process can allocate. The Value parameter is a decimal integer string specified in units of 512-byte blocks. This value is not currently enforced by the system. |
shell | Defines the program run for the user at session initiation. The Value parameter is a full path name. |
stack | Specifies the soft limit for the largest process stack segment for a user's process. The Value parameter is an integer representing the number of 512-byte blocks to allot. The minimum allowable value for this attribute is 49. |
stack_hard | Specifies the largest process stack segment of a user's process. The Value parameter is an integer representing the number of 512-byte blocks to allot. The minimum allowable value for this attribute is 49. The largest allowable value for this parameter is 2147483647. |
su | Indicates whether another user can switch to the specified user account with the su command. Possible values are: |
sugroups | Defines the groups that can use the su command to switch to the specified user account. The Value parameter is a comma-separated list of group names, or a value of ALL that indicates all groups. An exclamation point (!) in front of a group name excludes that group. If this attribute is not specified, all groups can switch to this user account by using the su command. If the domainlessgroups attribute is set in the /etc/secvars.cfg file, the LDAP group can be assigned to the local user and vice versa. For more information, see the /etc/secvars.cfg file. Note: If a user belongs to multiple groups and any of the groups is specified with the exclamation point (!), then the user cannot use the su command to access the specified user account. |
sysenv | Identifies the system-state (protected) environment. The Value parameter is a set of comma-separated Attribute=Value pairs as specified in the /etc/security/environ file. |
threads | Specifies the soft limit for the largest number of threads that a user process can create. The Value parameter is an integer equal to or greater than 1, representing the number of threads each user process can create. This limit is enforced by both the kernel and the user space pthread library. |
threads_hard | Specifies the largest possible number of threads that a user process can create. The Value parameter is an integer equal to or greater than 1, representing the number of threads each user process can create. This limit is enforced by both the kernel and the user space pthread library. |
tpath | Indicates the user's trusted path status. The possible values are: |
ttys | Defines the terminals that can access the account specified by the Name parameter. The Value parameter is a comma-separated list of full path names, or a value of ALL to indicate all terminals. An ! (exclamation point) in front of a terminal name excludes that terminal. If this attribute is not specified, all terminals can access the user account. |
umask | Determines file permissions. This value, along with the permissions of the creating process, determines a file's permissions when the file is created. The default is 022. |
usrenv | Defines the user-state (unprotected) environment. The Value parameter is a set of comma-separated Attribute=Value pairs as specified in the /etc/security/environ file. |
efs_keystore_access | Specifies the database type of the user keystore. You can specify the following values: Restriction: The attribute is valid only when the system is EFS-enabled. |
efs_adminks_access | Represents the database type for the efs_admin keystore. The only valid value is file. Restriction: The attribute is valid only when the system is EFS-enabled. |
efs_initialks_mode | Specifies the initial mode of the user keystore. You can specify the following values: You can use the attribute with the mkuser command. After the keystore has been created, changing the attribute value with the chuser, chgroup, or chsec command, or manual editing does not change the mode of the keystore unless the keystore is deleted and a new one is created. To change the keystore mode, use the efskeymgr command. Restriction: The attribute is valid only when the system is EFS-enabled. |
efs_allowksmodechangebyuser | Specifies whether the mode can be changed. You can specify the following values: Restriction: The attribute is valid only when the system is EFS-enabled. |
efs_keystore_algo | Specifies the algorithm that is used to generate the private key of the user during the keystore creation. You can specify the following values: You can use the attribute with the mkuser command. After the keystore has been created, changing the value of this attribute with the chuser, chgroup, or chsec command, or manual editing does not regenerate the private key unless the keystore is deleted and a new one is created. To change the algorithm for the keys, use the efskeymgr command. Restriction: The attribute is valid only when the system is EFS-enabled. |
efs_file_algo | Specifies the encryption algorithm for user files. You can specify the following values: Restriction: The attribute is valid only when the system is EFS-enabled. |
minsl | Defines the minimum sensitivity-clearance level that the user can have. Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Clearances" section of the /etc/security/enc/LabelEncodings file for the system. The value must be defined in quotation marks if it has white spaces. The minsl value must be dominated by the defsl value for the user. |
maxsl | Defines the maximum sensitivity-clearance level that the user can have. Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Clearances" section of the /etc/security/enc/LabelEncodings file. The value must be defined in quotation marks if it has white spaces. The maxsl value must dominate the defsl value for the user. |
defsl | Defines the default sensitivity level that the user is assigned during login. Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Clearances" section of the /etc/security/enc/LabelEncodings file. The value must be defined in quotation marks if it has white spaces. The defsl value must dominate the minsl value and be dominated by the maxsl value. |
mintl | Defines the minimum integrity clearance level that the user can have. Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Sensitivity labels" section of the /etc/security/enc/LabelEncodings file. If the optional "Integrity labels" section is defined in the /etc/security/enc/LabelEncodings file, the value must be from this section. The value must be defined in quotation marks if it contains white spaces. The mintl value must be dominated by the deftl value for the user. |
maxtl | Defines the maximum integrity clearance level that the user can have. Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Sensitivity labels" section of the /etc/security/enc/LabelEncodings file. If the optional "Integrity labels" section is defined in the /etc/security/enc/LabelEncodings file, the value must be from this section. The value must be defined in quotation marks if it contains white spaces. The maxtl value must dominate the deftl value for the user. |
deftl | Defines the default integrity clearance level that the user is assigned during login. Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Sensitivity labels" section of the /etc/security/enc/LabelEncodings file. If the optional "Integrity labels" section is defined in the /etc/security/enc/LabelEncodings file, the value must be from this section. The value must be defined in quotation marks if it contains white spaces. The deftl value must dominate the mintl value and be dominated by the maxtl value. |
minloweralpha | Defines the minimum number of lower case alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN. |
minupperalpha | Defines the minimum number of upper case alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN. |
mindigit | Defines the minimum number of digits that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN. |
minspecialchar | Defines the minimum number of special characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN. |
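The attributes in this table are stored as stanzas in files such as /etc/security/user, where a default stanza supplies the value for any user whose own stanza does not set it, so the setting that actually applies to an account is not always the one written under its name. The following POSIX sh script is an added example, not part of the IBM reference and not an AIX tool: it resolves the effective value of an attribute from a constructed stanza file, flags a few settings that weaken authentication (no password ageing, a short minimum length, no lockout after failed logins, remote login permitted), and prints the single chuser command that would correct them. The stanza contents, the helper names and the baseline values it enforces are this example's own assumptions, not requirements stated on this page.

```shell
#!/bin/sh
# Added example (not from the IBM reference): resolve the effective value of a
# user attribute from an AIX-style stanza file such as /etc/security/user,
# honouring the "default:" stanza, then report which attributes fall below a
# baseline and print the single chuser call that would fix them.
# The stanza text below is constructed for this example; the baseline values
# (maxage=13, minlen=8, loginretries=5, rlogin=false) are this example's own
# choices, not requirements stated in the reference.

SAMPLE_STANZAS='
default:
        admin = false
        login = true
        rlogin = true
        maxage = 0
        minlen = 0
        loginretries = 0
        histsize = 0

smith:
        maxage = 13
        minlen = 8
        loginretries = 5
        rlogin = false

davis:
        rlogin = false
        histsize = 4
'

SAMPLE_FILE=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE_FILE"' EXIT
printf '%s\n' "$SAMPLE_STANZAS" > "$SAMPLE_FILE"

# effective_attr FILE USER ATTR -> prints ATTR for USER, falling back to the
# default stanza, or prints nothing when neither stanza sets it.
effective_attr() {
    awk -v user="$2" -v attr="$3" '
        # an unindented "name:" line starts a new stanza
        /^[^ \t#][^:]*:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        # an indented "attr = value" line belongs to the current stanza
        /^[ \t]+[A-Za-z_]+[ \t]*=/ {
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, kv, "[ \t]*=[ \t]*")
            if (kv[1] != attr) next
            if (stanza == user) found = kv[2]
            else if (stanza == "default") dflt = kv[2]
        }
        END { if (found != "") print found; else if (dflt != "") print dflt }
    ' "$1"
}

# check_baseline FILE USER -> prints one "attr=value" fix per failed check,
# nothing when USER already meets the baseline.
check_baseline() {
    maxage=$(effective_attr "$1" "$2" maxage)
    minlen=$(effective_attr "$1" "$2" minlen)
    retries=$(effective_attr "$1" "$2" loginretries)
    rlogin=$(effective_attr "$1" "$2" rlogin)
    # maxage=0 means the password never expires
    [ "${maxage:-0}" -eq 0 ] && echo "maxage=13"
    # minlen is capped at 8 on this page, so 8 is the strongest floor available
    [ "${minlen:-0}" -lt 8 ] && echo "minlen=8"
    # a zero or negative loginretries means the account is never locked
    [ "${retries:-0}" -le 0 ] && echo "loginretries=5"
    # rlogin=true permits telnet/rlogin access (treated as true when unset: assumption)
    [ "${rlogin:-true}" = true ] && echo "rlogin=false"
    return 0
}

# suggest_chuser FILE USER -> the one chuser invocation that applies every fix
# at once (chuser rejects the whole request if any value is wrong, so one call
# is easier to verify than several), or nothing when no change is needed.
suggest_chuser() {
    fixes=$(check_baseline "$1" "$2" | tr '\n' ' ')
    [ -n "$fixes" ] && echo "chuser $fixes$2"
    return 0
}

# Stand-alone run: report the two sample users.
for u in smith davis; do
    line=$(suggest_chuser "$SAMPLE_FILE" "$u")
    echo "$u: ${line:-compliant}"
done
```

Because chuser discards the whole request when one value is wrong, collecting every fix into one invocation means either all of them apply or none does, which is easier to audit than a series of partial changes. Run the script against a copy of /etc/security/user rather than the live file until its rules match local policy.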
Security
Access Control
This command must grant execute (x) access only to the root user and the security group. This command must be installed as a program in the trusted computing base (TCB). The command must be owned by the root user with the setuid (SUID) bit set.
On a Trusted AIX system, only users with the aix.mls.clear.write authorization can modify the attributes minsl, maxsl, defsl, mintl, maxtl and deftl.
Auditing Events
Event | Information |
---|---|
USER_Change | user, attributes |
Files Accessed
Mode | File |
---|---|
rw | /etc/passwd |
rw | /etc/security/user |
rw | /etc/security/user.roles |
rw | /etc/security/limits |
rw | /etc/security/environ |
rw | /etc/security/audit/config |
rw | /etc/group |
rw | /etc/security/group |
r | /etc/security/enc/LabelEncodings |
r | /etc/security/domains |
- aix.security.user.audit
- aix.security.role.assign
- aix.security.group.change
Limitations
Changing a user's attributes may not be supported by all loadable I&A modules. If the loadable I&A module does not support changing a user's attributes, an error is reported.
Examples
- To enable user smith to access this system remotely, type:
chuser rlogin=true smith
- To change the expiration date for the davis user account to 8 a.m., 1 May, 1995, type:
chuser expires=0501080095 davis
- To add davis to the groups finance and accounting, type:
chuser groups=finance,accounting davis
- To change the user davis, who was created with the LDAP load module, to not be allowed remote access, type:
chuser -R LDAP rlogin=false davis
- To change the domains of the user davis, type:
chuser domains=INTRANET,APPLICATION davis
- To unset the roles of the user davis, type:
chuser roles=" " davis
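The examples above each pass one or two attributes; in practice an administrator often changes several at once, and a single bad value makes chuser discard the whole request. The following POSIX sh wrapper is an added example, not part of the IBM reference: it validates each Attribute=Value against the ranges documented in the attribute table (maxage, minage, histsize, the password-composition counts, the expires date format, umask and the true/false flags) before calling chuser, and prints the command instead when CHUSER_DRY_RUN=1 is set or chuser is not installed. The helper names and the dry-run variable are this example's own.

```shell
#!/bin/sh
# Added example (not from the IBM reference): a pre-flight wrapper around
# chuser. Because chuser changes nothing if any single attribute or value is
# wrong, the wrapper checks every Attribute=Value against the ranges the
# reference documents before the real command runs. The ranges come from the
# attribute table; the wrapper, its helper names and the CHUSER_DRY_RUN
# variable are this example's own additions.

# is_int STRING -> 0 if STRING is an optionally negative decimal integer
is_int() {
    case $1 in
        ''|-|*[!0-9-]*|?*-*) return 1 ;;
    esac
    return 0
}

# in_range NAME VALUE LO HI -> 0 when VALUE is an integer within LO..HI
in_range() {
    if is_int "$2" && [ "$2" -ge "$3" ] && [ "$2" -le "$4" ]; then
        return 0
    fi
    echo "$1=$2: expected an integer from $3 to $4" >&2
    return 1
}

# valid_expires VALUE -> 0 for 0 (never expires) or an MMDDhhmmyy string whose
# month, day, hour and minute fields are in range
valid_expires() {
    case $1 in
        0) return 0 ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "expires=$1: expected 0 or MMDDhhmmyy" >&2; return 1 ;;
    esac
    mo=${1%????????}; rest=${1#??}      # MM, then DDhhmmyy
    dd=${rest%??????}; rest=${rest#??}  # DD, then hhmmyy
    hh=${rest%????};   rest=${rest#??}  # hh, then mmyy
    mi=${rest%??}                       # mm
    if [ "$mo" -ge 1 ] && [ "$mo" -le 12 ] && [ "$dd" -ge 1 ] && [ "$dd" -le 31 ] \
        && [ "$hh" -le 23 ] && [ "$mi" -le 59 ]; then
        return 0
    fi
    echo "expires=$1: month, day, hour or minute out of range" >&2
    return 1
}

# validate_attr NAME=VALUE -> 0 when VALUE is acceptable for NAME; attributes
# this example has no rule for are passed through to chuser unchanged
validate_attr() {
    case $1 in
        *=*) ;;
        *) echo "$1: expected Attribute=Value" >&2; return 1 ;;
    esac
    name=${1%%=*}; value=${1#*=}
    case $name in
        maxage|minage)                 in_range "$name" "$value" 0 52 ;;
        histsize)                      in_range "$name" "$value" 0 50 ;;
        minlen|minalpha|minother|mindiff|maxrepeats)
                                       in_range "$name" "$value" 0 8 ;;
        expires)                       valid_expires "$value" ;;
        umask)
            case $value in
                [0-7]|[0-7][0-7]|[0-7][0-7][0-7]) return 0 ;;
                *) echo "umask=$value: expected up to three octal digits" >&2; return 1 ;;
            esac ;;
        admin|rlogin|login|su|account_locked)
            # true/false, as in the rlogin and admin examples on this page
            case $value in
                true|false) return 0 ;;
                *) echo "$name=$value: expected true or false" >&2; return 1 ;;
            esac ;;
        *) return 0 ;;
    esac
}

# chuser_checked [-R load_module] Attribute=Value ... Name
# Validates every attribute first; chuser runs only when all of them pass.
# With CHUSER_DRY_RUN=1, or when chuser is not installed, the command line
# is printed instead of executed.
chuser_checked() {
    module=""
    if [ "$1" = -R ]; then module=$2; shift 2; fi
    if [ $# -lt 2 ]; then
        echo "usage: chuser_checked [-R load_module] Attribute=Value ... Name" >&2
        return 2
    fi
    bad=0; i=1
    for arg in "$@"; do
        # every argument except the last (the user name) is an attribute
        if [ "$i" -lt "$#" ]; then validate_attr "$arg" || bad=1; fi
        i=$((i + 1))
    done
    if [ "$bad" -ne 0 ]; then echo "no attributes changed" >&2; return 1; fi
    if [ -n "$module" ]; then set -- -R "$module" "$@"; fi
    if [ "${CHUSER_DRY_RUN:-0}" = 1 ] || ! command -v chuser >/dev/null 2>&1; then
        echo "chuser $*"
        return 0
    fi
    chuser "$@"
}
```

Attributes the wrapper does not know (groups, domains, roles and so on) are passed straight through, so it only ever adds checks in front of chuser and never changes what a valid request does; the all-or-nothing message mirrors the command's own behaviour so that a rejected request is visible in scripts that test the exit status.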
Files
Item | Description |
---|---|
/usr/bin/chuser | Contains the chuser command. |
/etc/passwd | Contains the basic attributes of users. |
/etc/group | Contains the basic attributes of groups. |
/etc/security/group | Contains the extended attributes of groups. |
/etc/security/user | Contains the extended attributes of users. |
/etc/security/user.roles | Contains the administrative role attributes of users. |
/etc/security/lastlog | Contains the last login attributes of users. |
/etc/security/limits | Defines resource quotas and limits for each user. |
/etc/security/audit/config | Contains audit configuration information. |
/etc/security/environ | Contains the environment attributes of users. |
/etc/security/enc/LabelEncodings | Contains the label definitions for the Trusted AIX system. |
/etc/security/domains | Contains the valid domain definitions for the system. |