Managing Systems and Workgroups: A Guide for HP-UX System Administrators
Administering a System: Managing System Security
Managing Standard Passwords and System Access
Chapter 8, page 750
The fields contain the following information (listed in order), separated
by colons:
1. User (login) name, consisting of up to 8 characters. (In the example,
robin)
2. Encrypted password field. (Z.yxGaSvxAXGg)
3. User ID (uid), an integer ranging from 0 to MAXINT-1 (equal to
2,147,483,646, or 2^31-2). (102)
4. Group ID (gid), from /etc/group, an integer ranging from 0 to
MAXINT-1. (99)
5. Comment field, used for identifying information such as the user’s
full name, location, and phone numbers. For historic reasons, this is
also called the gecos field.
(Robin Hood,Rm 3,x9876,408-555-1234)
6. Home directory, the user’s initial login directory. (/home/robin)
7. Login shell path name, executed when the user logs in.
(/usr/bin/sh)
The user can change the password with passwd, the comment field
(fifth field) with chfn, and the login shell path name (seventh field)
with chsh. The system administrator sets the remaining fields. The uid
should be unique: the kernel identifies a user by uid, not by login name,
so two entries that share a uid are the same user for file ownership and
access checks. See chfn (1), chsh (1), passwd (1), and passwd (4).
Eliminating Pseudo-Accounts and Protecting Key Subsystems
By tradition, the /etc/passwd file contains numerous “pseudo-accounts”
— entries not associated with individual users and which do not have
true interactive login shells.
Some of these entries, such as date, who, sync, and tty, evolved strictly
for user convenience, providing commands that could be executed
without logging in. To tighten security, they have been eliminated in the
distributed /etc/passwd so that these programs can be run only by a
user who is logged in.
Other such entries remain in /etc/passwd because they are owners of
files. Programs with owners such as adm, bin, daemon, hpdb, lp, and
uucp encompass entire subsystems, and represent a special case. Since
they grant access to files they protect or use, these programs must be