security.4 (2011 09)

security(4) security(4)
SU_DEFAULT_PATH=new_PATH
The PATH environment variable is set to new_PATH when the su command is invoked. The path value is not validated. This attribute does not apply to a superuser account, and is applicable only when the - option is not used with the su command.
Default value: If this attribute is not defined or if it is commented out, PATH is not changed.
SU_KEEP_ENV_VARS
This attribute forces su to propagate certain 'unsafe' environment variables to its child process despite the security risk of doing so. Refer to su(1).
By default, su does not export the environment variables HOME, ENV, IFS, SHLIB_PATH or LD_* because they could be maliciously misused. Any combination of these can be specified in this entry, with a comma separating the variables. Currently, no other environment variables may be specified in this way. This may change in future HP-UX releases as security needs require.
SU_KEEP_ENV_VARS=var1,var2,...,varN
Default value: If this attribute is not defined or if it is commented out, these environment variables will not be propagated by the su command.
SU_ROOT_GROUP
This attribute defines the root group name for the su command. Refer to su(1).
SU_ROOT_GROUP=group_name
The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a member of the specified root group to be allowed to su to root. This does not alter password checking.
Default value: If this attribute is not defined or if it is commented out, there is no default value. In this case, a non-superuser is allowed to su to root without being bound by root group restrictions.
UMASK
This attribute controls umask() of all sessions initiated via pam_hpsec. This attribute is supported for users in all name server switch repositories, such as local, NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and requires that the pam_hpsec module be configured in /etc/pam.conf. See pam_hpsec(5). It accepts values from 0 to 0777 as an unsigned octal integer (must have a leading zero to denote octal). The system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
UMASK=default_umask
The current umask is set or restricted further with the value of default_umask. For trusted systems, the umask is also restricted so as not to exceed SEC_DEFAULT_MODE defined in /usr/include/hpsecurity.h.
Default value: UMASK=0
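An added example (not part of the HP-UX manpage or of HP's tooling): a Python audit of the four attributes above, run over the text of the security defaults file. The sample file contents, the group name sysadm and the 022 umask baseline are assumptions of this example, and LD_* is read as any name beginning with LD_.

```python
import re

KEEPABLE = {"HOME", "ENV", "IFS", "SHLIB_PATH"}  # plus any LD_* name
# Constructed sample; the group name "sysadm" is hypothetical.
SAMPLE = """\
# SU_ROOT_GROUP=sysadm
SU_DEFAULT_PATH=/usr/bin:.:/usr/local/bin
SU_KEEP_ENV_VARS=IFS,LD_PRELOAD,PATH
UMASK=0
"""

def parse_defaults(text):
    """Return {attribute: value}; commented-out lines count as undefined."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, value = line.split("=", 1)
        attrs[name.strip()] = value.strip()
    return attrs

def audit(text):
    """Return sorted (attribute, finding) pairs for the su and umask attributes."""
    a, findings = parse_defaults(text), []
    # su does not validate SU_DEFAULT_PATH, so check each component here.
    if "SU_DEFAULT_PATH" in a:
        for part in a["SU_DEFAULT_PATH"].split(":"):
            if not part.startswith("/"):
                findings.append(("SU_DEFAULT_PATH", f"non-absolute component {part!r}"))
    # Every listed variable is one su would otherwise refuse to export.
    for var in a.get("SU_KEEP_ENV_VARS", "").split(","):
        var = var.strip()
        if var in KEEPABLE or var.startswith("LD_"):
            findings.append(("SU_KEEP_ENV_VARS", f"{var} is propagated by su"))
        elif var:
            findings.append(("SU_KEEP_ENV_VARS", f"{var!r} is not an accepted name"))
    if not a.get("SU_ROOT_GROUP"):
        findings.append(("SU_ROOT_GROUP", "undefined: su to root has no group restriction"))
    # Octal with a leading zero, 0 to 0777; undefined means the default of 0.
    umask = a.get("UMASK", "0")
    if not re.fullmatch(r"0[0-7]{0,3}", umask):
        findings.append(("UMASK", f"invalid value {umask!r}"))
    elif (int(umask, 8) & 0o022) != 0o022:  # 022 baseline is this example's policy
        findings.append(("UMASK", f"{umask} leaves group/other write permission"))
    return sorted(findings)

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```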
Notes
Use the functions defined in secdef(3) to read the values of the attributes defined in this file.
The usage, possible values and default value of each of the attributes described in this manpage are defined in the /etc/security.dsc file.
The behavior of some attributes is affected by the time zone. For these attributes the time zone is determined by the first line of the form TZ=timezone in the file /etc/TIMEZONE. If the time zone is not specified in this file, it is obtained from the file /etc/default/tz, as described in tzset(3C).
EXAMPLES
The following are examples of LOGIN_TIMES usage.
SaSu:Wk1800-2400
The user can log in to the system all day on weekends and after 6:00 pm on weekdays.
HP-UX 11i Version 3: September 2011, Hewlett-Packard Company