/etc/group File
Purpose
Name:Password:ID:User1,User2,...,Usern
Description
The /etc/group file contains basic group attributes. This is an ASCII file that contains records for system groups. Each record appears on a single line and has the following format:

Name:Password:ID:User1,User2,...,Usern

You must separate each attribute with a colon. Records are separated by new-line characters. The attributes in a record have the following values:

Name
    Specifies a group name that is unique on the system. See the mkgroup command for information on the restrictions for naming groups.
Password
    Not used. Group administrators are provided instead of group passwords. See the /etc/security/group file for more information.
ID
    Specifies the group ID. The value is a unique decimal integer string.
User1,User2,...,Usern
    Identifies a list of one or more users. Separate group member names with commas. Each user must already be defined in the local database configuration files.

Do not use a : (colon) in any of the attribute fields. For an example of a record, see the "Examples" section. Additional attributes are defined in the /etc/security/group file.

Note: Certain system-defined group and user names are required for proper installation and update of the system software. Exercise care before replacing the /etc/group file to ensure that no system-supplied groups or users are removed.

You should access the /etc/group file through the system commands and subroutines defined for this purpose. You can use the following commands to manage groups: chgroup, chgrpmem, chuser, lsgroup, mkgroup, mkuser, rmgroup.
To change the Name parameter, you first use the mkgroup command to add a new entry. Then, you use the rmgroup command to remove the old group. To display all the attributes in the file, use the lsgroup command. You can use the chgroup, chgrpmem, or chuser command to change all user and group attributes. The mkuser command adds a user whose primary group is defined in the /usr/lib/security/mkuser.default file, and the rmuser command removes a user. Although you can change the group ID with the chgroup command, this is not recommended.

The following table lists all the possible group names and what functions the group controls.

Group name   Description
system       This group is used for configuration and maintenance of hardware and software.
printq       This group is used for managing queuing functions such as enable, disable, qadm, and qpri.
security     This group is used for handling password and limits control.
adm          This group is used for monitoring functions such as performance, cron, and accounting.
staff        This group is the default group assigned to all new users.
audit        This group is used for auditing.
shutdown     This group allows users access to the shutdown command.
bin          This group is used for the system internal group.
sys          This group is used for the system internal group.
uucp         This group manages the UUCP system.
mail         This group allows users to access the mail command.
cron         This group allows users to access the crontab command.
nobody       This group is for users that do not own any files and can be used as the default user for unprivileged operations.
kmem         This group allows users virtual memory read and write access such as /dev/mem, /dev/port, and /dev/kmem.
log          This group allows users access to log files in /var/log.
lp           This group allows users access to the lp command.
network      This group allows users access to use the NetworkManager functions such as NM-Applet and KNetworkManager.
power        This group allows users access to suspend power.
root         This group allows users access to all system functions.
tty          This group allows users access to serial and USB devices.
users        This group is the default users group. This is the recommended group name you should use for users.
Security
Access Control: This file should grant read (r) access to all users and grant write (w) access only to the root user and members of the security group.
Examples
A typical record looks like the following example for the staff group:
staff:!:1:shadow,cjf

In this example, the GroupID parameter is 1 and the users are defined to be shadow and cjf.
/etc/security/group File
Description
The /etc/security/group file contains extended group attributes. This is an ASCII file that contains a stanza for each system group. Each stanza is identified by a group name from the /etc/group file followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute pair ends with a new-line character, as does each stanza. The file supports a default stanza. If an attribute is not defined for a group, the default value for the attribute is used. A stanza can contain one or more of the following attributes:

adms
    Defines the group administrators. Administrators are users who can perform administrative tasks for the group, such as setting the members and administrators of the group. This attribute is ignored if admin = true, since only the root user can alter a group defined as administrative. The value is a list of comma-separated user login names. The default value is an empty string.
admin
    Defines the administrative status of the group. Possible values are:
    true
        Defines the group as administrative. Only the root user can change the attributes of groups defined as administrative.
    false
        Defines a standard group. The attributes of these groups can be changed by the root user or a member of the security group. This is the default value.
dce_export
    Allows the DCE registry to overwrite the local group information with the DCE group information during a DCE export operation. Possible values are:
    true
        Local group information will be overwritten.
    false
        Local group information will not be overwritten.
projects
    Defines the list of projects that the user's processes can be assigned to. The value is a list of comma-separated project names and is evaluated from left to right. The project name should be a valid project name as defined in the system. If an invalid project name is found on the list, it will be reported as an error by the group commands.
For a typical stanza, see the "Examples" section. You should access the /etc/security/group file through the system commands and subroutines defined for this purpose. You can use the following commands to manage groups: mkgroup, chgroup, chgrpmem, lsgroup, rmgroup.

The mkgroup command adds new groups to the /etc/group file and the /etc/security/group file. Use this command to create an administrative group. You can also use the mkgroup command to set the group administrator. Use the chgroup command to change all the attributes. If you are an administrator of a standard group, you can change the adms attribute for that group with the chgrpmem command. The lsgroup command displays both the adms and the admin attributes. The rmgroup command removes the entry from both the /etc/group file and the /etc/security/group file. To write programs that affect attributes in the /etc/security/group file, use the subroutines listed in Related Information.
Security
Access Control: This file should grant read (r) access to the root user and members of the security group, and to others as permitted by the security policy for the system. Only the root user should have write (w) access.

Auditing Events:
Event            Information
S_GROUP_WRITE    file name
Examples
A typical stanza looks like the following example for the finance group:

finance:
        admin = false
/etc/passwd File
Description
The /etc/passwd file contains basic user attributes. This is an ASCII file that contains an entry for each user. Each entry defines the basic attributes applied to a user. When you use the mkuser command to add a user to your system, the command updates the /etc/passwd file.

Note: Certain system-defined group and user names are required for proper installation and update of the system software. Use care before replacing this file to ensure that no system-supplied groups or users are removed.

An entry in the /etc/passwd file has the following form:

Name:Password:UserID:PrincipleGroup:Gecos:HomeDirectory:Shell

Attributes in an entry are separated by a : (colon). For this reason, you should not use a : (colon) in any attribute. The attributes are defined as follows:

Name
    Specifies the user's login name. There are a number of restrictions on naming users. See the mkuser command for more information.
Password
    Contains an * (asterisk) indicating an invalid password or an ! (exclamation point) indicating that the password is in the /etc/security/passwd file. Under normal conditions, the field contains an !. If the field has an * and a password is required for user authentication, the user cannot log in.
UserID
    Specifies the user's unique numeric ID. This ID is used for discretionary access control. The value is a unique decimal integer.
PrincipleGroup
    Specifies the user's principal group ID. This must be the numeric ID of a group in the user database or a group defined by a network information service. The value is a unique decimal integer.
Gecos
    Specifies general information about the user that is not needed by the system, such as an office or phone number. The value is a character string. The Gecos field cannot contain a colon.
HomeDirectory
    Specifies the full path name of the user's home directory. If the user does not have a defined home directory, the home directory of the guest user is used. The value is a character string.
Shell
    Specifies the initial program or shell that is executed after a user invokes the login command or su command. If a user does not have a defined shell, /usr/bin/sh, the system shell, is used. The value is a character string that may contain arguments to pass to the initial program.
Users can have additional attributes in other system files. See the " Files" section for additional information.
The mkuser command adds new entries to the /etc/passwd file and fills in the attribute values as defined in the /usr/lib/security/mkuser.default file. The Password attribute is always initialized to an * (asterisk), an invalid password. You can set the password with the passwd or pwdadm command. When the password is changed, an ! (exclamation point) is added to the /etc/passwd file, indicating that the encrypted password is in the /etc/security/passwd file. Use the chuser command to change all user attributes except Password. The chfn command and the chsh command change the Gecos attribute and Shell attribute, respectively. To display all the attributes in this file, use the lsuser command. To remove a user and all the user's attributes, use the rmuser command. To write programs that affect attributes in the /etc/passwd file, use the subroutines listed in Related Information.
Security
Access Control: This file should grant read (r) access to all users and write (w) access only to the root user and members of the security group.
Examples
1. Typical records that show an invalid password for smith and guest follow:

   smith:*:100:100:8A-74(office):/home/smith:/usr/bin/sh
   guest:*:200:0::/home/guest:/usr/bin/sh

   The fields are in the following order: user name, password, user ID, primary group, general (gecos) information, home directory, and initial program (login shell). The * (asterisk) in the password field indicates that the password is invalid. Each attribute is separated by a : (colon).

2. If the password for smith in the previous example is changed to a valid password, the record will change to the following:

   smith:!:100:100:8A-74(office):/home/smith:/usr/bin/sh

   The ! (exclamation point) indicates that an encrypted password is stored in the /etc/security/passwd file.
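The colon-separated record formats of /etc/group and /etc/passwd described above, parsed and cross-checked in Python. This is an added example, not code from AIX or its documentation. The sample file contents are constructed from the staff, smith and guest records shown in the examples (plus root, shadow and a users group so that every principal group exists; cjf is deliberately left undefined), the function and class names are my own, and the checks go slightly beyond the two descriptions by combining their stated requirements: unique names and IDs in each file, every group member already defined as a user, and every principal group present in /etc/group.

```python
"""Parse /etc/group and /etc/passwd records and cross-check them.

Added example, not AIX code.  Both sample files are constructed from the
records shown in the documentation, with a few extra entries so that the
cross-check has something to report (cjf is deliberately not a user).
"""
from dataclasses import dataclass

SAMPLE_GROUP = """\
system:!:0:root
staff:!:1:shadow,cjf
security:!:7:root
users:!:100:smith
"""

SAMPLE_PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
smith:*:100:100:8A-74(office):/home/smith:/usr/bin/sh
guest:*:200:0::/home/guest:/usr/bin/sh
shadow:!:201:1::/home/shadow:/usr/bin/sh
"""


@dataclass
class GroupRecord:
    name: str
    gid: int
    members: list


@dataclass
class PasswdRecord:
    name: str
    password: str
    uid: int
    pgroup: int
    gecos: str
    home: str
    shell: str

    @property
    def login_state(self):
        """Interpret the Password field as the documentation defines it."""
        if self.password == "*":
            return "invalid"    # no usable password; login refused if one is required
        if self.password == "!":
            return "shadowed"   # encrypted password lives in /etc/security/passwd
        return "unexpected"     # not a normal value for this field


def _fields(line, expected, filename, lineno):
    """Split on ':' and enforce the field count; a stray colon inside any
    attribute (for example in Gecos) shifts the fields and is caught here."""
    fields = line.split(":")
    if len(fields) != expected:
        raise ValueError(f"{filename} line {lineno}: expected {expected} fields, got {len(fields)}")
    return fields


def parse_group(text):
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            name, _pw, gid, users = _fields(line, 4, "/etc/group", n)
            records.append(GroupRecord(name, int(gid), [u for u in users.split(",") if u]))
    return records


def parse_passwd(text):
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip():
            name, pw, uid, pgid, gecos, home, shell = _fields(line, 7, "/etc/passwd", n)
            records.append(PasswdRecord(name, pw, int(uid), int(pgid), gecos, home, shell))
    return records


def _unique(pairs, what, findings):
    """Map value -> first owner, reporting every value seen more than once."""
    seen = {}
    for owner, value in pairs:
        if value in seen:
            findings.append(f"{what} {value} of {owner} already used by {seen[value]}")
        seen.setdefault(value, owner)
    return seen


def cross_check(groups, users):
    """Return a list of findings; an empty list means the two files agree."""
    findings = []
    gids = _unique(((g.name, g.gid) for g in groups), "group ID", findings)
    _unique(((g.gid, g.name) for g in groups), "group name", findings)
    _unique(((u.name, u.uid) for u in users), "user ID", findings)
    names = _unique(((u.uid, u.name) for u in users), "user name", findings)
    for g in groups:                     # every member must already be a defined user
        for m in g.members:
            if m not in names:
                findings.append(f"group {g.name}: member {m} is not defined in /etc/passwd")
    for u in users:                      # every principal group must exist in /etc/group
        if u.pgroup not in gids:
            findings.append(f"user {u.name}: principal group {u.pgroup} is not in /etc/group")
    return findings


if __name__ == "__main__":
    for finding in cross_check(parse_group(SAMPLE_GROUP), parse_passwd(SAMPLE_PASSWD)):
        print(finding)
```

Run against the samples, the only finding is the staff member cjf that has no /etc/passwd entry; the field-count check is what enforces the "no colon in any attribute" rule, since a colon in Gecos would otherwise silently shift the home directory and shell fields.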
/etc/security/passwd File
Description
The /etc/security/passwd file is an ASCII file that contains stanzas with password information. Each stanza is identified by a user name followed by a : (colon) and contains attributes in the form Attribute=Value. Each attribute is ended with a new-line character, and each stanza is ended with an additional new-line character. Each stanza can have the following attributes:

password
    Specifies the encrypted password. The system encrypts the password created with the passwd command or the pwdadm command. If the password is empty, the user does not have a password. If the password is an * (asterisk), the user cannot log in. The value is a character string. The default value is *.
lastupdate
    Specifies the time (in seconds) since the epoch (00:00:00 GMT, January 1, 1970) when the password was last changed. If password aging (the minage attribute or the maxage attribute) is in effect, the lastupdate attribute forces a password change when the time limit expires. (See the /etc/security/user file for information on password aging.) The passwd and pwdadm commands normally set this attribute when a password is changed. The value is a decimal integer that can be converted to a text string using the ctime subroutine.
flags
    Specifies the restrictions applied by the login, passwd, and su commands. The value is a list of comma-separated attributes. The flags attribute can be left blank or can be one or more of the following values:
    ADMIN
        Defines the administrative status of the password information. If the ADMIN attribute is set, only the root user can change this password information.
    ADMCHG
        Indicates that the password was last changed by a member of the security group or the root user. Normally this flag is set implicitly when the pwdadm command changes another user's password. When this flag is set explicitly, it forces the password to be updated the next time a user gives the login command or the su command.
    NOCHECK
        None of the system password restrictions defined in the /etc/security/user file are enforced for this password.
When the passwd or pwdadm command updates a password, the command adds values for the password and lastupdate attributes and, if used to change another user's password, for the flags ADMCHG attribute. Access to this file should be through the system commands and subroutines defined for this purpose. Other accesses may not be supported in future releases. Users can update their own passwords with the passwd command, administrators can set passwords and password flags with the pwdadm command, and the root user is able to use the passwd command to set the passwords of other users. Refer to the "Files" section for information on where attributes and other information on users and groups are stored. Although each user name must be in the /etc/passwd file, it is not necessary to have each user name listed in the /etc/security/passwd file. If the authentication attributes auth1 and auth2 are so defined in the /etc/security/user file, a user may use the authentication name of another user. For example, the authentication attributes for user tom can allow that user to use the entry in the /etc/security/passwd file for user carol for authentication.
Security
Access Control: This file should grant read (r) and write (w) access only to the root user. Auditing Events: Event Information
Examples
The following line indicates that the password information in the /etc/security/passwd file is available only to the root user, who has no restrictions on updating a password for the specified user:

flags = ADMIN,NOCHECK

An example of this line in a typical stanza for user smith follows:

smith:
        password = MGURSj.F056Dj
        lastupdate = 623078865
        flags = ADMIN,NOCHECK

The password line shows an encrypted password. The lastupdate line shows the number of seconds since the epoch that the password was last changed. The flags line shows two flags: the ADMIN flag indicates that the information is available only to the root user, and the NOCHECK flag indicates that the root user has no restrictions on updating a password for the specified user.
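The stanza format shared by /etc/security/group and /etc/security/passwd, parsed in Python together with the lookup rules the two descriptions state: the default stanza supplies any attribute a group stanza omits, adms is ignored for an administrative group, ADMIN in flags restricts changes to root, and a password of * means the user cannot log in. This is an added example, not code from AIX or its documentation. The samples are constructed from the finance and smith stanzas shown above plus invented default, security and guest stanzas; skipping lines that begin with * as comments is an assumption carried over from other AIX security files and is not stated on this page.

```python
"""Parse the stanza files under /etc/security and apply their lookup rules.

Added example, not AIX code.  The two samples are constructed from the
finance and smith stanzas in the documentation, with extra stanzas so that
the default-stanza fallback and the admin rule are both exercised.
"""

SAMPLE_SECURITY_GROUP = """\
* constructed sample, not a real system file
default:
        admin = false

finance:
        admin = false
        adms = carol,tom

security:
        admin = true
        adms = tom
"""

SAMPLE_SECURITY_PASSWD = """\
smith:
        password = MGURSj.F056Dj
        lastupdate = 623078865
        flags = ADMIN,NOCHECK

guest:
        password = *
        flags =
"""


def parse_stanzas(text):
    """Return {stanza_name: {attribute: value}} preserving file order.

    A stanza starts with 'name:' on its own line, holds Attribute = Value
    lines, and is terminated by a blank line (or the end of the file).
    """
    stanzas, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            current = None              # blank line closes the stanza
            continue
        if line.startswith("*"):
            continue                    # comment line (assumption, see lead-in)
        if line.endswith(":") and "=" not in line:
            current = line[:-1].strip()
            stanzas[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: attribute outside a stanza or not Attribute=Value")
        key, _, value = line.partition("=")
        stanzas[current][key.strip()] = value.strip()
    return stanzas


def attribute(stanzas, name, attr, fallback=None):
    """Look attr up in the named stanza, then in 'default', then fallback."""
    if attr in stanzas.get(name, {}):
        return stanzas[name][attr]
    return stanzas.get("default", {}).get(attr, fallback)


def group_is_administrative(stanzas, group):
    return attribute(stanzas, group, "admin", "false") == "true"


def group_administrators(stanzas, group):
    """adms is ignored for administrative groups: only root may alter them."""
    if group_is_administrative(stanzas, group):
        return []
    return [u for u in attribute(stanzas, group, "adms", "").split(",") if u]


def password_flags(stanzas, user):
    return {f.strip() for f in attribute(stanzas, user, "flags", "").split(",") if f.strip()}


def password_state(stanzas, user):
    """Empty = no password, '*' = cannot log in, anything else = encrypted password set."""
    value = attribute(stanzas, user, "password", "*")   # documented default is *
    if value == "*":
        return "cannot-login"
    return "no-password" if value == "" else "set"


def only_root_may_change(stanzas, user):
    """ADMIN restricts changes to this stanza to the root user."""
    return "ADMIN" in password_flags(stanzas, user)
```

The same parser handles /etc/security/environ, limits and lastlog, which use the identical stanza layout; only the attribute interpretation functions differ per file.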
/etc/security/environ File
Description
The /etc/security/environ file is an ASCII file that contains stanzas with the environment attributes for users. Each stanza is identified by a user name and contains attributes in the Attribute=Value form, with a comma separating the attributes. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. If environment attributes are not defined, the system uses default values. Each user stanza can have the following attributes:

usrenv
    Defines variables to be placed in the user environment when the initial login command is given or when the su command resets the environment. The value is a list of comma-separated attributes. The default value is an empty string.
sysenv
    Defines variables to be placed in the user protected state environment when the initial login command is given or when the su command resets the environment. These variables are protected from access by unprivileged programs so other programs can depend on their values. The default value is an empty string.
For a description of environment variables, refer to the /etc/environment file. Access to all the user database files should be through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases. The mkuser command creates a user stanza in this file. The initialization of the attributes depends upon their values in the /usr/lib/security/mkuser.default file. The chuser command can change these attributes, and the lsuser command can display them. The rmuser command removes the entire record for a user.
Security
Access Control: This file should grant read (r) access to the root user, members of the security group, and others consistent with the security policy for the system. Only the root user should have write (w) access.

Auditing Events:
Event            Information
Examples
A typical stanza looks like the following example for user dhs:

dhs:
        usrenv = "MAIL=/home/spool/mail/dhs,MAILCHECK=600"
        sysenv = "NAME=dhs@delos"
/etc/security/limits File
Description
Note: Changing the limit does not affect those processes that were started by init. Alternatively, ulimits are only used by those processes that go through the login processes.

The /etc/security/limits file defines process resource limits for users. This file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza. Each stanza is identified by a user name followed by a colon, and contains attributes in the Attribute=Value form. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character.

If you do not define an attribute for a user, the system applies default values. If the hard values are not explicitly defined in the /etc/security/limits file but the soft values are, the system substitutes the following values for the hard limits:

Resource          Hard Value
Core Size         unlimited
CPU Time          cpu
Data Size         unlimited
File Size         fsize
Memory Size       unlimited
Stack Size        4194304
File Descriptors  unlimited

Note: Use a value of -1 to set a resource to unlimited.

If the hard values are explicitly defined but the soft values are not, the system sets the soft values equal to the hard values. You can set the following limits on a user:

fsize
    Identifies the soft limit for the largest file a user's process can create or extend.
core
    Specifies the soft limit for the largest core file a user's process can create.
cpu
    Sets the soft limit for the largest amount of system unit time (in seconds) that a user's process can use.
data
    Identifies the soft limit for the largest process data segment for a user's process.
stack
    Specifies the soft limit for the largest process stack segment for a user's process.
rss
    Sets the soft limit for the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
nofiles
    Sets the soft limit for the number of file descriptors a user process may have open at one time.
core_hard
    Specifies the largest core file a user's process can create.
cpu_hard
    Sets the largest amount of system unit time (in seconds) that a user's process can use.
data_hard
    Identifies the largest process data segment for a user's process.
fsize_hard
    Identifies the largest file a user's process can create or extend.
rss_hard
    Sets the largest amount of physical memory a user's process can allocate. This limit is not enforced by the system.
stack_hard
    Specifies the largest process stack segment for a user's process.
nofiles_hard
    Sets the soft limit for the number of file descriptors a user process may have open at one time.

Except for the cpu and nofiles attributes, each attribute must be a decimal integer string that represents the number of 512-byte blocks allotted to a user. This decimal integer represents a 32-bit value and can have a maximum value of 2147483647.

The cpu and nofiles attributes represent the maximum number of seconds of system time that a user's process can use, and the maximum number of files a user's process can have open at one time. For an example of a limits stanza, see the "Examples" section. When you create a user with the mkuser command, the system adds a stanza for the user to the limits file. Once the stanza exists, you can use the chuser command to change the user's limits. To display the current limits for a user, use the lsuser command. To remove users and their stanzas, use the rmuser command.

Note: Access to the user database files should be through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases.
Security
Access Control: This file should grant read (r) access to the root user and members of the security group, and write (w) access only to the root user. Access for other users and groups depends upon the security policy for the system.

Auditing Events:
Event            Information
S_LIMITS_WRITE   file name
Examples
A typical record looks like the following example for user dhs:

dhs:
        fsize = 8192
        core = 4096
        cpu = 3600
        data = 1272
        stack = 1024
        rss = 1024
        nofiles = 2000
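The hard/soft substitution rules for /etc/security/limits, carried through in Python: a missing hard value takes the documented substitute (unlimited, the soft cpu or fsize value, or 4194304 for the stack), a missing soft value follows the hard value, and -1 means unlimited. This is an added example, not code from AIX or its documentation. The stanza is passed in as a dict of attribute strings (the dhs stanza above, constructed inline) rather than re-parsed; the function names are my own, and the consistency check that a soft limit may not exceed its hard limit is added here and not stated on the page.

```python
"""Resolve soft and hard limits from a /etc/security/limits stanza.

Added example, not AIX code.  Implements the substitution rules in the
documentation for a stanza already parsed into a dict of attribute strings.
The soft-must-not-exceed-hard check is an addition, not a documented rule.
"""
UNLIMITED = -1                    # the file uses -1 for "unlimited"
MAX_VALUE = 2147483647            # 32-bit maximum stated for the block-counted limits

# soft attribute -> (hard attribute, value substituted when only the soft one is set);
# a string means "copy the named soft attribute".
RULES = {
    "core":    ("core_hard",    UNLIMITED),
    "cpu":     ("cpu_hard",     "cpu"),
    "data":    ("data_hard",    UNLIMITED),
    "fsize":   ("fsize_hard",   "fsize"),
    "rss":     ("rss_hard",     UNLIMITED),
    "stack":   ("stack_hard",   4194304),
    "nofiles": ("nofiles_hard", UNLIMITED),
}

# cpu is seconds and nofiles a count; every other limit is in 512-byte blocks.
UNITS = {"cpu": "seconds", "nofiles": "descriptors"}

# Constructed sample: the dhs stanza from the example, as parsed attributes.
DHS_STANZA = {"fsize": "8192", "core": "4096", "cpu": "3600", "data": "1272",
              "stack": "1024", "rss": "1024", "nofiles": "2000"}


def _value(stanza, attr):
    """Integer value of attr, or None when the stanza does not define it."""
    raw = stanza.get(attr)
    if raw is None:
        return None
    value = int(raw)
    if value != UNLIMITED and not 0 <= value <= MAX_VALUE:
        raise ValueError(f"{attr}: {value} is outside the 32-bit range")
    return value


def resolve_limits(stanza):
    """Return {resource: (soft, hard)} as ints, -1 meaning unlimited.

    Resources with neither a soft nor a hard value are left out: the
    system default, not this stanza, governs them.
    """
    resolved = {}
    for soft_name, (hard_name, default_hard) in RULES.items():
        soft, hard = _value(stanza, soft_name), _value(stanza, hard_name)
        if soft is None and hard is None:
            continue
        if hard is None:                      # soft only: documented substitute
            hard = soft if default_hard == soft_name else default_hard
        if soft is None:                      # hard only: soft follows hard
            soft = hard
        if hard != UNLIMITED and (soft == UNLIMITED or soft > hard):
            raise ValueError(f"{soft_name}: soft limit {soft} exceeds hard limit {hard}")
        resolved[soft_name] = (soft, hard)
    return resolved


def describe(resource, value):
    """Render a limit with its unit, converting blocks to bytes where that applies."""
    if value == UNLIMITED:
        return "unlimited"
    unit = UNITS.get(resource)
    if unit:
        return f"{value} {unit}"
    return f"{value} blocks ({value * 512} bytes)"


if __name__ == "__main__":
    for resource, (soft, hard) in resolve_limits(DHS_STANZA).items():
        print(f"{resource:8} soft={describe(resource, soft)}  hard={describe(resource, hard)}")
```

For the dhs stanza the effective hard limits are therefore unlimited for core, data, rss and nofiles, 3600 seconds for cpu, 8192 blocks for fsize, and 4194304 blocks for stack; a stanza that only sets fsize_hard gets the same value as its soft fsize.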
/usr/lib/security/mkuser.default File
Description
The /usr/lib/security/mkuser.default file contains the default attributes for new users. This file is an ASCII file that contains user stanzas. These stanzas have attribute default values for users created by the mkuser command. Each attribute has the Attribute=Value form. If an attribute has a value of $USER, the mkuser command substitutes the name of the user. The end of each attribute pair and stanza is marked by a new-line character. There are two stanzas, user and admin, that can contain all defined attributes except the id and admin attributes. The mkuser command generates a unique id attribute. The admin attribute depends on whether the -a flag is used with the mkuser command. For a list of the possible user attributes, see the chuser command.
Security
Access Control: If read (r) access is not granted to all users, members of the security group should be given read (r) access. This file should grant write (w) access only to the root user.
Examples
A typical user stanza looks like the following:

user:
        pgroup = staff
        groups = staff
        shell = /usr/bin/ksh
        home = /home/$USER
        auth1 = SYSTEM
/etc/security/lastlog File
Description
The /etc/security/lastlog file is an ASCII file that contains stanzas with the last login attributes for users. Each stanza is identified by a user name and contains attributes in the Attribute=Value form. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. Each stanza can have the following attributes:

time_last_login
    Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) of the last successful login. The value is a decimal integer.
tty_last_login
    Specifies the terminal on which the user last logged in. The value is a character string.
host_last_login
    Specifies the host from which the user last logged in. The value is a character string.
unsuccessful_login_count
    Specifies the number of unsuccessful login attempts since the last successful login. The value is a decimal integer. This attribute works in conjunction with the user's loginretries attribute, specified in the /etc/security/user file, to lock the user's account after a specified number of consecutive unsuccessful login attempts. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute to be less than the value of loginretries. To do this, enter the following:

    chsec -f /etc/security/lastlog -s username -a \
        unsuccessful_login_count=0

time_last_unsuccessful_login
    Specifies the number of seconds since the epoch (00:00:00 GMT, January 1, 1970) of the last unsuccessful login. The value is a decimal integer.
tty_last_unsuccessful_login
    Specifies the terminal on which the last unsuccessful login attempt occurred. The value is a character string.
host_last_unsuccessful_login
    Specifies the host from which the last unsuccessful login attempt occurred. The value is a character string.
All user database files should be accessed through the system commands and subroutines defined for this purpose. Access through other commands or subroutines may not be supported in future releases. The mkuser command creates a user stanza in the lastlog file. The attributes of this user stanza are initially empty. The field values are set by the login command as a result of logging in to the system. The lsuser command displays the values of these attributes; the rmuser command removes the user stanza from this file, along with the user account.
Security
Access Control: This file should grant read (r) access to the root user, members of the security group, and others consistent with the security policy for the system. Only the root user should have write (w) access.
Examples
A typical stanza is similar to the following example for user bck:

bck:
        time_last_unsuccessful_login = 732475345
        tty_last_unsuccessful_login = tty0
        host_last_unsuccessful_login = waterski
        unsuccessful_login_count = 0
        time_last_login = 734718467