13.2 User Administration Related Commands

13.3 User Administration Related Files

The following files are referenced while doing user administration.

/etc/security/environ
Contains the environment attributes for users.
/etc/security/lastlog
Contains the last login attributes for users.
/etc/security/limits
Contains process resource limits for users.
/etc/security/user
Contains extended attributes for users.
/usr/lib/security/mkuser.default
Contains the default attributes for new users.
/etc/passwd
Contains the basic attributes of users.
/etc/security/passwd
Contains password information.
/etc/security/login.cfg
Contains configuration information for login and user authentication.
/etc/utmp
Contains the record of users logged into the system.
/var/adm/wtmp
Contains connect time accounting records.
/etc/security/failedlogin
Records all failed login attempts.
/etc/motd
Contains the message to be displayed every time a user logs in to the system.
/etc/environment
Specifies the basic environment for all processes.
/etc/group
Contains the basic attributes of groups.
/etc/security/group
Contains the extended attributes of groups.

13.3.1 /etc/security/environ

The /etc/security/environ file is an ASCII file that contains stanzas with the environment attributes for users. Each stanza is identified by a user name and contains attributes in the Attribute=Value form with a comma separating the attributes. Each line is ended by a new-line character, and each stanza is ended by an additional new-line character. If environment attributes are not defined, the system uses default values.

The mkuser command creates a user stanza in this file. The initialization of the attributes depends upon their values in the /usr/lib/security/mkuser.default file. The chuser command can change these attributes, and the lsuser command can display them. The rmuser command removes the entire record for a user.

A typical /etc/security/environ file is shown in the following example. It has no environment attributes defined, so the system uses the default values.

# pg /etc/security/environ
default:
root:
daemon:
bin:
sys:
adm:
uucp:
guest:

13.3.2 /etc/security/lastlog

The /etc/security/lastlog file is an ASCII file that contains stanzas with the last login attributes for users. Each stanza is identified by a user name and contains attributes in the Attribute=Value form. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. Two stanzas for users (root and john) are shown in Figure 109.

The mkuser command creates a user stanza in the lastlog file. The attributes of this user stanza are initially empty. The field values are set by the login command as a result of logging in to the system. The lsuser command displays the values of these attributes; the rmuser command removes the user stanza from this file along with the user account.



Figure 109: /etc/security/lastlog Stanzas

13.3.3 /etc/security/limits

The /etc/security/limits file is an ASCII file that contains stanzas that specify the process resource limits for each user. These limits are set by individual attributes within a stanza.

Each stanza is identified by a user name followed by a colon and contains attributes in the Attribute=Value form. Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character. If you do not define an attribute for a user, the system applies default values.

The default attributes and attributes for a user smith are shown in Figure 110.

When you create a user with the mkuser command, the system adds a stanza for the user to the limits file. Once the stanza exists, you can use the chuser command to change the user's limits. To display the current limits for a user, use the lsuser command. To remove users and their stanzas, use the rmuser command.



Figure 110: Contents of /etc/security/limits File

13.3.4 /etc/security/user

The /etc/security/user file contains extended user attributes. This is an ASCII file that contains attribute stanzas for users. The mkuser command creates a stanza in this file for each new user and initializes its attributes with the default attributes defined in the /usr/lib/security/mkuser.default file.

Each stanza in the /etc/security/user file is identified by a user name, followed by a colon (:), and contains comma-separated attributes in the Attribute=Value form. If an attribute is not defined for a user, either the default stanza or the default value for the attribute is used. You can have multiple default stanzas in the /etc/security/group file. A default stanza applies to all of the stanzas that follow but does not apply to the stanzas preceding it.

Each attribute is ended by a new-line character, and each stanza is ended by an additional new-line character.

The mkuser command creates an entry for each new user in the /etc/security/user file and initializes its attributes with the attributes defined in the /usr/lib/security/mkuser.default file. To change attribute values, use the chuser command. To display the attributes and their values, use the lsuser command. To remove a user, use the rmuser command.
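The stanza layout described for /etc/security/limits and /etc/security/user (a user name followed by a colon, Attribute=Value lines, and default stanzas that apply only to the stanzas after them) is easy to misread by eye on a long file. The following script is an added example, not code from the redbook or from AIX: a POSIX sh/awk lookup that returns the effective value of one attribute for one user, honouring the scope rule for default stanzas. Where several default stanzas precede a user, it lets their attributes accumulate with the later one winning; that reading of the text is an assumption of the example. The sample file is constructed here and is not a real /etc/security/user.

```shell
#!/bin/sh
# Added example (not code from the redbook): look up the effective value of one
# attribute for one stanza in an AIX-style stanza file such as /etc/security/user
# or /etc/security/limits. It implements the rule in the text: a "default:"
# stanza supplies values only to the stanzas that follow it. Where several
# default stanzas precede a user, this example lets their attributes accumulate
# with the later one winning (that reading of the text is an assumption).
# Only POSIX sh and awk are used; lines starting with "*" or "#" are comments.
#
# usage: stanza_attr FILE STANZA ATTRIBUTE
#   prints the value (nothing if unset); exit status 1 if the stanza is absent
stanza_attr() {
    awk -v want="$2" -v attr="$3" '
        /^[ \t]*[#*]/ || /^[ \t]*$/ { next }            # comment or blank line
        /^[^ \t:][^:]*:[ \t]*$/ {                        # stanza header "name:"
            cur = $0; sub(/[ \t]*:[ \t]*$/, "", cur)
            isdef = (cur == "default"); iswant = (cur == want)
            if (iswant) {                                # defaults in force here
                found = 1; split("", snap)
                for (k in dflt) snap[k] = dflt[k]
            }
            last = ""
            next
        }
        !(isdef || iswant) { next }                      # some other user: skip
        {
            # "a = 1, b = 2" may share a line; a comma-separated piece with no
            # "=" continues the previous value (e.g. "groups = staff,audit").
            n = split($0, piece, ",")
            for (i = 1; i <= n; i++) {
                eq = index(piece[i], "=")
                if (eq > 0) {
                    last = substr(piece[i], 1, eq - 1); v = substr(piece[i], eq + 1)
                    gsub(/^[ \t]+|[ \t]+$/, "", last)
                    gsub(/^[ \t]+|[ \t]+$/, "", v)
                } else if (last != "") {
                    v = piece[i]; gsub(/^[ \t]+|[ \t]+$/, "", v)
                    v = (isdef ? dflt[last] : own[last]) "," v
                } else continue
                if (isdef) dflt[last] = v; else own[last] = v
            }
        }
        END {
            if (!found) exit 1
            if (attr in own) print own[attr]
            else if (attr in snap) print snap[attr]
        }' "$1"
}

SAMPLE=$(mktemp) || exit 1
trap 'rm -f "$SAMPLE"' EXIT
# Constructed sample in the layout of /etc/security/user (not a real file).
cat > "$SAMPLE" <<'EOF'
* constructed sample: two default stanzas, the second one after root
default:
        admin = false
        login = true
        maxage = 0
        loginretries = 0

root:
        admin = true

default:
        maxage = 13, loginretries = 5

smith:
        maxage = 26
        groups = staff,audit

jones:
        umask = 22
EOF

# root sees only the first default stanza; smith and jones see both.
for u in root smith jones; do
    printf '%-6s maxage=%-3s loginretries=%-2s login=%-5s groups=%s\n' "$u" \
        "$(stanza_attr "$SAMPLE" "$u" maxage)" \
        "$(stanza_attr "$SAMPLE" "$u" loginretries)" \
        "$(stanza_attr "$SAMPLE" "$u" login)" \
        "$(stanza_attr "$SAMPLE" "$u" groups)"
done
```

With the sample above, root reports loginretries=0 and maxage=0 from the first default stanza, while smith and jones pick up loginretries=5 from the second one; smith keeps its own maxage=26. On a real system the same function can be pointed at /etc/security/user or /etc/security/limits to confirm what lsuser will report for an account.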

13.3.5 /usr/lib/security/mkuser.default

The /usr/lib/security/mkuser.default file contains the default attributes for new users. This file is an ASCII file that contains user stanzas. These stanzas have attribute default values for users created by the mkuser command. Each attribute has the Attribute=Value form. If an attribute has a value of $USER, the mkuser command substitutes the name of the user. The end of each attribute pair and stanza is marked by a new-line character.

There are two stanzas, user and admin, that can contain all defined attributes except the ID and admin attributes. The mkuser command generates a unique ID attribute. The admin attribute depends on whether the -a flag is used with the mkuser command. The following example shows a typical stanza in /usr/lib/security/mkuser.default.

# pg /usr/lib/security/mkuser.default

user:
        pgrp = staff
        groups = staff
        shell = /usr/bin/ksh
        home = /home/$USER

admin:
        pgrp = system
        groups = system
        shell = /usr/bin/ksh
        home = /home/$USER

13.3.6 /etc/passwd

The /etc/passwd file contains basic user attributes. This is an ASCII file that contains an entry for each user. Each entry defines the basic attributes applied to a user.

When you use the mkuser command to add a user to your system, the command updates the /etc/passwd file.

An entry in the /etc/passwd file has the following form, with all attributes separated by a colon (:).

Name:Password:UserID:PrincipalGroup:Gecos:HomeDirectory:Shell

Password attributes can contain an asterisk (*) indicating an invalid password or an exclamation point (!) indicating that the password is in the /etc/security/passwd file. Under normal conditions, the field contains an exclamation point (!). If the field has an asterisk (*) and a password is required for user authentication, the user cannot log in.

The shell attribute specifies the initial program or shell (login shell) that is executed after a user invokes the login command or su command. The Korn shell is the standard operating system login shell and is backward compatible with the Bourne shell. If a user does not have a defined shell, /usr/bin/sh, the system default shell (Bourne shell), is used. The Bourne shell is a subset of the Korn shell.

The mkuser command adds new entries to the /etc/passwd file and fills in the attribute values as defined in the /usr/lib/security/mkuser.default file. The Password attribute is always initialized to an asterisk (*), which is an invalid password. You can set the password with the passwd or pwdadm commands. When the password is changed, an exclamation point (!) is added to the /etc/passwd file indicating that the encrypted password is in the /etc/security/passwd file.

Use the chuser command to change all user attributes except Password. The chfn command and the chsh command change the Gecos attribute and Shell attribute, respectively. To display all the attributes in this file, use the lsuser command. To remove a user and all the user's attributes, use the rmuser command.

The contents of the /etc/passwd file in Figure 111 show that the Password attributes for two users (john and bob) are ! and *, respectively, which means that bob cannot log in because the account has an invalid password.




Figure 111: Contents of /etc/passwd File
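The meaning of the Password field (! for a password kept in /etc/security/passwd, * for an invalid password) makes /etc/passwd a quick place to spot accounts that are in an unexpected state. The script below is an added example, not code from the redbook or from AIX: it classifies every entry by its Password field, and additionally flags entries whose UserID is 0 but whose name is not root and entries that do not have the seven colon-separated fields the text describes. The sample file, names and the hash-looking string in it are constructed.

```shell
#!/bin/sh
# Added example (not code from the redbook): audit the Password field of an
# /etc/passwd-style file. "!" means the encrypted password is kept in
# /etc/security/passwd, "*" is an invalid password (no password login possible).
# Anything else deserves attention: an empty field means no password is asked
# for, and any other text is a hash kept in the world-readable /etc/passwd.
# Entries with UserID 0 other than root and entries with the wrong field count
# are flagged too. Output is "name state" per entry; exit status 1 if any
# entry was flagged.
#
# usage: passwd_audit FILE
passwd_audit() {
    awk -F: '
        /^[ \t]*$/ || /^#/ { next }
        NF != 7 { printf "%s MALFORMED(%d_fields)\n", $1, NF; odd = 1; next }
        {
            if ($2 == "!")      s = "shadowed"
            else if ($2 == "*") s = "invalid_password"
            else if ($2 == "")  { s = "EMPTY_PASSWORD"; odd = 1 }
            else                { s = "HASH_IN_PASSWD"; odd = 1 }
            if ($3 == 0 && $1 != "root") { s = s ",UID_ZERO"; odd = 1 }
            print $1, s
        }
        END { exit odd }' "$1"
}

PW=$(mktemp) || exit 1
trap 'rm -f "$PW"' EXIT
# Constructed sample in the layout of /etc/passwd; names and the fake hash are made up.
cat > "$PW" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
john:!:201:1:John Doe:/home/john:/usr/bin/ksh
bob:*:202:1:Bob:/home/bob:/usr/bin/ksh
oops::203:1::/home/oops:/usr/bin/ksh
legacy:XyZ12abc.DEFGH:204:1::/home/legacy:/usr/bin/ksh
altroot:!:0:0::/home/altroot:/usr/bin/ksh
short:!:205:1:/home/short:/usr/bin/ksh
EOF

passwd_audit "$PW" || echo "** at least one entry needs attention"
```

For the sample, john is reported as shadowed and bob as invalid_password, matching the two cases from Figure 111; oops, legacy, altroot and short are the states an administrator would want to investigate, and the function's exit status of 1 makes it usable from a cron job or a compliance script.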

13.3.7 /etc/security/passwd

The /etc/security/passwd file is an ASCII file that contains stanzas with password information. Each stanza is identified by a user name followed by a colon (:) and contains attributes in the form Attribute=Value. Each attribute is ended with a new-line character, and each stanza is ended with an additional new-line character.

Although each user name must be in the /etc/passwd file, it is not necessary to have each user name listed in the /etc/security/passwd file. A typical file would have contents as shown in Figure 112.



Figure 112: Contents of /etc/security/passwd File

13.3.8 /etc/security/login.cfg

The /etc/security/login.cfg file (Figure 113) is an ASCII file that contains stanzas of configuration information for login and user authentication. Each stanza has a name, followed by a colon (:). Attributes are in the form Attribute=Value. Each attribute ends with a new-line character, and each stanza ends with an additional new-line character. There are three types of stanzas.

port stanza
Defines the login characteristics of ports.
authentication stanza
Defines the authentication methods for users.
user configuration stanza
Defines programs that change user attributes (the usw stanza).



Figure 113: Contents of /etc/security/login.cfg File

13.3.9 /etc/utmp, /var/adm/wtmp, /etc/security/failedlogin

The utmp file, the wtmp file, and the failedlogin file contain records with user and accounting information. When a user successfully logs in, the login program writes entries in two of them, /etc/utmp and /var/adm/wtmp.

On an invalid login attempt, due to an incorrect login name or password, the login program makes an entry in the /etc/security/failedlogin file, which contains a record of unsuccessful login attempts.

13.3.10 /etc/motd

The message of the day is displayed every time a user logs in to the system. It is a convenient way to communicate information to all users, such as installed software version numbers or current system news. The message of the day is contained in the /etc/motd file. To change the message of the day, simply edit that file.

A typical /etc/motd file contents would look like Figure 114.



Figure 114: Sample /etc/motd File

13.3.11 /etc/environment

The /etc/environment file contains variables specifying the basic environment for all processes. When a new process begins, the exec subroutine makes an array of strings available that have the form Name=Value. This array of strings is called the environment. Each name defined by one of the strings is called an environment variable or shell variable. Environment variables are examined when a command starts running.

When you log in, the system sets environment variables from the environment file before reading your login profile, .profile. Following are a few variables that make up part of the basic environment.

HOME
The full path name of the user login or HOME directory. The login program sets this to the name specified in the /etc/passwd file.
LANG
The locale name currently in effect. The LANG variable is set in the /etc/environment file at installation time.
PATH
The sequence of directories that commands such as sh, time, nice, and nohup search when looking for a command whose path name is incomplete. The directory names are separated by colons.
TZ
The time-zone information. The TZ environment variable is set by the /etc/environment file.
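Because /etc/environment is read for every login before .profile, its PATH value is inherited by every user's processes, so it is worth checking mechanically. The script below is an added example, not code from the redbook or from AIX: it reads a Name=Value variable from an /etc/environment-style file and checks each colon-separated PATH element, reporting elements that are empty or "." (either one makes the current directory a search location) or that are not absolute. The sample file is constructed and deliberately contains both problems.

```shell
#!/bin/sh
# Added example (not code from the redbook): read a Name=Value variable from an
# /etc/environment-style file and check the PATH value for elements that are
# empty or "." (both make the current directory a search location for every
# process that inherits this environment) or otherwise not absolute.
# Output is one finding per line; exit status 1 if anything was found.
#
# usage: env_value FILE NAME     path_check FILE
env_value() {
    awk -F= -v name="$2" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        $1 == name { sub(/^[^=]*=/, ""); print; exit }' "$1"
}

path_check() {
    env_value "$1" PATH | awk -F: '
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "" || $i == ".") { print "element " i " is the current directory"; bad = 1 }
                else if ($i !~ /^\//)      { print "element " i " is relative: " $i; bad = 1 }
            }
            exit bad
        }
        END { if (NR == 0) { print "PATH is not set"; exit 1 } }'
}

ENVF=$(mktemp) || exit 1
trap 'rm -f "$ENVF"' EXIT
# Constructed sample in the layout of /etc/environment; the PATH deliberately
# contains an empty element and a trailing "." to exercise the check.
cat > "$ENVF" <<'EOF'
# constructed sample, not a real /etc/environment
PATH=/usr/bin:/etc:/usr/sbin:/usr/ucb::/usr/bin/X11:/sbin:.
TZ=CST6CDT
LANG=en_US
NLSPATH=/usr/lib/nls/msg/%L/%N:/usr/lib/nls/msg/%L/%N.cat
EOF

echo "TZ is $(env_value "$ENVF" TZ)"
path_check "$ENVF" || echo "PATH in $ENVF needs attention"
```

On the sample this reports element 5 (the empty entry between /usr/ucb and /usr/bin/X11) and element 8 (the trailing ".") and exits non-zero. The value lookup strips only the text up to the first "=", so values that themselves contain "=" or ":" (NLSPATH, for instance) are returned intact.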

13.4 User Administration Tasks