Files Reference

user File

Purpose

Contains extended user attributes.

Description

The /etc/security/user file contains extended user attributes. This is an ASCII file that contains attribute stanzas for users. The mkuser command creates a stanza in this file for each new user and initializes its attributes with the default attributes defined in the /usr/lib/security/mkuser.default file.

Each stanza in the /etc/security/user file is identified by a user name, followed by a : (colon), and contains comma-separated attributes in the Attribute=Value form. If an attribute is not defined for a user, either the default stanza or the default value for the attribute is used. You can have multiple default stanzas in the /etc/security/group file. A default stanza applies to all of the stanzas that follow, but does not apply to the stanzas preceding it.

Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. For an example of a stanza, see the Examples section.
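As an added example (not code from the AIX documentation), the following Python parses this stanza format and applies the default-stanza rule just described. It assumes that lines beginning with an asterisk are comments and that a later default stanza replaces an earlier one entirely; the sample file is constructed.

```python
# Added example (not from the AIX documentation): a parser for the stanza
# format of /etc/security/user that follows the rules stated above. A
# "default:" stanza supplies values only to the stanzas after it; a later
# "default:" stanza is assumed to replace the earlier one entirely.
import re

STANZA_RE = re.compile(r"^(\S+):\s*$")             # e.g. "dhs:"
ATTR_RE = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")  # e.g. "    login = true"
# Constructed sample file; the values are not taken from any real system.
SAMPLE = """\
default:
        admin = false
        umask = 022

root:
        admin = true
        su = true

default:
        admin = false
        umask = 077

dhs:
        rlogin = false
        auth1 = SYSTEM,METH2;dhs
"""

def parse_user_file(text):
    """Return {user: {attribute: value}} with default-stanza values merged in."""
    stanzas, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("*"):  # blank line ends a stanza; '*' comment (assumed)
            current = None
            continue
        m = STANZA_RE.match(line)
        if m:
            current = {}
            stanzas.append((m.group(1), current))
            continue
        m = ATTR_RE.match(line)
        if m is None or current is None:
            raise ValueError("malformed line: %r" % line)
        current[m.group(1)] = m.group(2)
    users, defaults = {}, {}
    for name, attrs in stanzas:
        if name == "default":
            defaults = dict(attrs)          # applies only to the stanzas that follow
        else:
            users[name] = {**defaults, **attrs}  # a user's own attribute wins over the default
    return users
```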

Attributes

If you have the proper authority, you can set the following user attributes:

account_locked Indicates whether the user account is locked. Possible values include:
true The user's account is locked. The values yes, true, and always are equivalent. The user is denied access to the system.
false The user's account is not locked. The values no, false, and never are equivalent. The user is allowed access to the system.
admin Defines the administrative status of the user. Possible values are:
true The user is an administrator. Only the root user can change the attributes of users defined as administrators.
false The user is not an administrator. This is the default value.
admgroups Lists the groups the user administrates. The Value parameter is a comma-separated list of group names.
auditclasses Lists the user's audit classes. The Value parameter is a list of comma-separated classes, or a value of ALL to indicate all audit classes.
auth1 Lists the primary methods for authenticating the user. The Value parameter is a comma-separated list of Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter is the user to authenticate. If you do not specify a Name parameter, the name of the invoking login program is used.

Valid authentication methods are defined in the /etc/security/login.cfg file. The SYSTEM method is always used in addition to the methods listed for auth1, even if SYSTEM is not specified. The SYSTEM method is defined by the SYSTEM user attribute. If you do not want the user to authenticate using the SYSTEM method, specify NONE for the SYSTEM user attribute.

auth2 Lists the secondary methods used to authenticate the user. The Value parameter is a comma-separated list of Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter is the name of the user to be authenticated.

If this attribute is not specified, the default is NONE, indicating that no secondary authentication check is made. Valid authentication methods are defined in the /etc/security/login.cfg file. If you do not specify a Name parameter, the name of the invoking login program is used.

daemon Indicates whether the user specified by the Name parameter can execute programs using the src (system resource controller) daemon. Possible values are:
true The user can initiate src sessions. This is the default.
false The user cannot initiate src sessions.
dce_export Allows the DCE registry to overwrite the local user information with the DCE user information during a DCE export operation. Possible values are:
true Local user information will be overwritten.
false Local user information will not be overwritten.
dictionlist Defines the password dictionaries used by the composition restrictions when checking new passwords.

The password dictionaries are a list of comma-separated absolute path names, evaluated from left to right. All dictionary files and directories must be write-protected from all users except root. The dictionary files are formatted one word per line. The word starts in the first column and terminates with a new-line character. Only 7-bit ASCII words are supported for passwords. If you install text processing on your system, the recommended dictionary file is the /usr/share/dict/words file.

expires Identifies the expiration date of the account. The Value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire. The default is 0. See the date command for more information.
histexpire Defines the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default is 0, indicating that no time limit is set.
histsize Defines the number of previous passwords a user cannot reuse. The value is a decimal integer string. The default is 0.
login Indicates whether the user can log in to the system with the login command. Possible values are:
true The user can log in to the system. This is the default.
false The user cannot log in to the system.
logintimes Specifies the times, days, or both the user is allowed to access the system. The value is a comma-separated list of entries of the following form:
[!]:time-time
        -or-
[!]day[-day][:time-time]
        -or-
[!]date[-date][:time-time]

The day variable must be one digit between 0 and 6 that represents one of the days of the week. A 0 (zero) indicates Sunday and a 6 indicates Saturday.

The time variable is 24-hour military time (1700 is 5:00 p.m.). Leading zeroes are required. For example, you must enter 0800, not 800. The time variable must be four characters in length, and there must be a leading colon (:). An entry consisting of only a time specification applies to every day. The start hour of a time value must be less than the end hour.

The date variable is a four-digit string in the form mmdd, where mm represents the calendar month and dd represents the day number. For example 0001 represents January 1. dd may be 00 to indicate the entire month if the entry is not a range; within a range, a dd of 00 indicates the first or last day of the month depending on whether it appears at the start or the end of the range. For example, 0000 indicates the entire month of January. 0600 indicates the entire month of June. 0311-0500 indicates April 11 through the last day of June.

Entries in this list specify times that a user is allowed or denied access to the system. Entries not preceded by an exclamation point (!) allow access and are called ALLOW entries. Entries prefixed with an exclamation point (!) deny access to the system and are called DENY entries. The ! operator applies to only one entry, not the whole restriction list. It must appear at the beginning of an entry.

loginretries Defines the number of unsuccessful login attempts allowed after the last successful login before the system locks the account. The value is a decimal integer string. A zero or negative value indicates that no limit exists. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than the value of loginretries. To do this, enter the following:

chsec -f /etc/security/lastlog -s username -a \
unsuccessful_login_count=0
maxage Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is a decimal integer string. The default is a value of 0, indicating no maximum age.
maxexpired Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. After this defined time, only an administrative user can change the password. The value is a decimal integer string. The default is -1, indicating no restriction is set. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored.
maxrepeats Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string.
minage Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal integer string. The default is a value of 0, indicating no minimum age.
minalpha Defines the minimum number of alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.
mindiff Defines the minimum number of characters required in a new password that were not in the old password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.
minlen Defines the minimum length of a password. The value is a decimal integer string. The default is a value of 0, indicating no minimum length. The maximum value allowed is 8. The effective minimum also depends on the minalpha and minother attributes: if the sum of minalpha and minother is greater than the minlen attribute, the minimum length is set to that sum.
minother Defines the minimum number of non-alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number.
pwdchecks Defines the password restriction methods enforced on new passwords. The value is a list of comma-separated method names and is evaluated from left to right. A method name is either an absolute path name or a path name relative to /usr/lib of an executable load module.
pwdwarntime Defines the number of days before the system issues a warning that a password change is required. The value is a decimal integer string. A zero or negative value indicates that no message is issued. The value must be less than the difference of the maxage and minage attributes. Values greater than this difference are ignored, and a message is issued when the minage value is reached.
registry Defines the authentication registry where the user is administered. It is used to resolve a remotely administered user to the locally administered domain. This situation may occur when network services unexpectedly fail or network databases are replicated locally. Example values are files, NIS, or DCE.
rlogin Permits access to the account from a remote location with the telnet or rlogin commands. Possible values are:
true The user account can be accessed remotely. This is the default rlogin value.
false The user account cannot be accessed remotely.
su Indicates whether another user can switch to the specified user account with the su command. Possible values are:
true Another user can switch to the specified account. This is the default.
false Another user cannot switch to the specified account.
sugroups Lists the groups that can use the su command to switch to the specified user account. The Value parameter is a comma-separated list of group names, or a value of ALL to indicate all groups. An ! (exclamation point) in front of a group name excludes that group. If this attribute is not specified, all groups can switch to this user account with the su command.
SYSTEM Defines the system authentication method for the user. The SYSTEM method is always used to authenticate the user, no matter what other methods are specified on the auth1 and auth2 attributes. If you do not want the user to authenticate using the SYSTEM method, specify NONE. The AIX TCP socket daemons (that is, ftpd, rexecd, rshd) do not use these authentication methods. Instead, they access the passwd file directly. So, if SYSTEM is set to NONE, authentication is turned off for all of these commands. Specify the value for SYSTEM using the following grammar:
"SYSTEM"       ::= EXPRESSION
EXPRESSION     ::= PRIMITIVE  |
                    "("EXPRESSION")"  |
                     EXPRESSION OPERATOR EXPRESSION
PRIMITIVE      ::= METHOD  |
                    METHOD "["RESULT"]"
RESULT         ::= "SUCCESS" | "FAILURE" | "NOTFOUND" |
                   "UNAVAIL"  | "*"
OPERATOR       ::= "AND" | "OR"
METHOD         ::= "compat" | "files" | "NONE" |
                   [a-z,A-Z,0-9]*

An example of the syntax is:

SYSTEM = "DCE OR DCE[UNAVAIL] AND compat"
tpath Indicates the user's trusted path status. The possible values are:
always The user can only execute trusted processes. This implies that the user's initial program is in the trusted shell or some other trusted process.
notsh The user cannot invoke the trusted shell on a trusted path. If the user enters the secure attention key (SAK) after logging in, the login session ends.
nosak The secure attention key (SAK) is disabled for all processes run by the user. Use this value if the user transfers binary data that may contain the SAK sequence. This is the default value.
on The user has normal trusted path characteristics and can invoke a trusted path (enter a trusted shell) with the secure attention key (SAK).
ttys Lists the terminals that can access the account specified by the Name parameter. The Value parameter is a comma-separated list of full path names, or a value of ALL to indicate all terminals. The values of RSH and REXEC also can be used as terminal names. An ! (exclamation point) in front of a terminal name excludes that terminal. If this attribute is not specified, all terminals can access the user account. If the Value parameter is not ALL, then /dev/pts must be specified for network logins to work.
umask Determines file permissions. This value, along with the permissions of the creating process, determines a file's permissions when the file is created. The default is 022.
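As an added example (not the checker that AIX itself runs), the following Python models how the password composition attributes above combine when a new password is evaluated against minlen, minalpha, minother, maxrepeats, mindiff, histsize and dictionlist. The stanza values, password history and dictionary words are constructed; where the text leaves a detail open (how mindiff counts characters, exact-match dictionary lookup), the code states its assumption in a comment.

```python
# Added example (not from the AIX documentation): a model of the password
# composition rules described above (minlen, minalpha, minother, maxrepeats,
# mindiff, histsize, dictionlist). It is a review aid for policy values,
# not the checker that AIX itself runs.

# Constructed stanza values, history and dictionary; not from a real system.
POLICY = {"minlen": "8", "minalpha": "4", "minother": "2",
          "maxrepeats": "2", "mindiff": "3", "histsize": "2"}
HISTORY = ["Ra1n!bow", "Zq2#Kelp"]        # previous passwords, most recent first
DICTIONARY = {"password", "welcome1"}      # stands in for the dictionlist files

def check_password(new, history=HISTORY, policy=POLICY, words=DICTIONARY):
    """Return the names of the violated attributes; an empty list means accepted."""
    p = {k: int(v) for k, v in policy.items()}   # values are decimal integer strings
    old = history[0] if history else ""          # the password being replaced
    failures = []
    if any(ord(c) > 127 for c in new):           # only 7-bit ASCII is supported
        failures.append("ascii")
    alpha = sum(1 for c in new if c.isalpha())
    other = len(new) - alpha
    # minlen is raised to minalpha + minother when that sum is larger
    if len(new) < max(p["minlen"], p["minalpha"] + p["minother"]):
        failures.append("minlen")
    if alpha < p["minalpha"]:
        failures.append("minalpha")
    if other < p["minother"]:
        failures.append("minother")
    # a maxrepeats of 8 means no limit; otherwise no character may occur
    # more than maxrepeats times
    if p["maxrepeats"] != 8 and any(new.count(c) > p["maxrepeats"] for c in set(new)):
        failures.append("maxrepeats")
    # mindiff: assumed to count characters of the new password absent from the old one
    if sum(1 for c in new if c not in old) < p["mindiff"]:
        failures.append("mindiff")
    if new in history[:p["histsize"]]:           # the last histsize passwords may not be reused
        failures.append("histsize")
    if new in words:                             # assumed exact match against dictionary words
        failures.append("dictionlist")
    return failures
```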

Changing the user File

You should access this file through the commands and subroutines defined for this purpose. You can use the following commands to change the user file:

The mkuser command creates an entry for each new user in the /etc/security/user file and initializes its attributes with the attributes defined in the /usr/lib/security/mkuser.default file. To change attribute values, use the chuser command. To display the attributes and their values, use the lsuser command. To remove a user, use the rmuser command.

To write programs that affect attributes in the /etc/security/user file, use the subroutines listed in Related Information.

Security

Access Control: This file should grant read (r) access only to the root user and members of the security group. Access for other users and groups depends upon the security policy for the system. Only the root user should have write (w) access.

Auditing Events:

Event            Information
S_USER_WRITE     file name

Examples

  1. A typical stanza looks like the following example for user dhs:
    dhs:
        login = true
        rlogin = false
        ttys = /dev/console
        sugroups = security,!staff
        expires = 0531010090
        tpath = on
        admin = true
        auth1 = SYSTEM,METH2;dhs
  2. To allow all ttys except /dev/tty0 to access the user account, change the ttys entry so that it reads as follows:
    ttys = !/dev/tty0,ALL

Implementation Specifics

This file is part of Base Operating System (BOS) Runtime.

Files

/etc/group Contains the basic group attributes.
/etc/passwd Contains the basic user attributes.
/etc/security/audit/config Contains audit system configuration information.
/etc/security/environ Contains the environment attributes of users.
/etc/security/group Contains the extended attributes of groups.
/etc/security/limits Contains the process resource limits of users.
/etc/security/login.cfg Contains configuration information for user log in and authentication.
/etc/security/passwd Contains password information.
/usr/lib/security/mkuser.default Contains default user configurations.
/etc/security/user Contains extended user attributes.
/etc/security/lastlog Contains last login information.

Related Information

The chuser command, lsuser command, mkuser command, rmuser command.

The enduserdb subroutine, getuserattr subroutine, putuserattr subroutine, setuserdb subroutine.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to Security Administration and Managing Authentication Methods in AIX Version 4.3 System Management Concepts: Operating System and Devices.

