security.4 (2012 03)

security(4) security(4)
The PASSWORD_POLICY_STRICT attribute is only valid if the libpam_unix patch PHCO_40838 or later is installed.
Default value: PASSWORD_POLICY_STRICT=0

PASSWORD_WARNDAYS
This attribute controls the default number of days before password expiration that a
user is to be warned that the password must be changed. This value, if specified, is
used by the authentication subsystem during the password change process in the
case where aging restrictions do not already exist for the given user. The value
takes effect after the password change. This attribute applies only to local users on
shadow password systems. The passwd -w option can be used to override this
value for a specific user.
PASSWORD_WARNDAYS=N
Users are warned N days before their password expires. N can be an integer from 0 to 441.
Default value: PASSWORD_WARNDAYS=0 (no warning)

SU_DEFAULT_PATH
This attribute defines a new default PATH environment value to be set when su to a
non-superuser account is done. Refer to su(1).
SU_DEFAULT_PATH=new_PATH
The PATH environment variable is set to new_PATH when the su command is
invoked. The path value is not validated. This attribute does not apply to a
superuser account, and is applicable only when the - option is not used with the
su command.
Default value: If this attribute is not defined or if it is commented out, PATH is not
changed.

SU_KEEP_ENV_VARS
This attribute forces su to propagate certain 'unsafe' environment variables to its
child process despite the security risk of doing so. Refer to su(1).
By default, su does not export the environment variables HOME, ENV, IFS,
SHLIB_PATH or LD_* because they could be maliciously misused. Any combination
of these can be specified in this entry, with a comma separating the variables.
Currently, no other environment variables may be specified in this way. This may
change in future HP-UX releases as security needs require.
SU_KEEP_ENV_VARS=var1,var2,...,varN
Default value: If this attribute is not defined or if it is commented out, these
environment variables will not be propagated by the su command.

SU_ROOT_GROUP
This attribute defines the root group name for the su command. Refer to su(1).
SU_ROOT_GROUP=group_name
The root group name is set to the specified symbolic group name. The su command
enforces the restriction that a non-superuser must be a member of the specified
root group to be allowed to su to root. This does not alter password checking.
Default value: If this attribute is not defined or if it is commented out, there is no
default value. In this case, a non-superuser is allowed to su to root without being
bound by root group restrictions.

UMASK
This attribute controls umask() of all sessions initiated via pam_hpsec. This
attribute is supported for users in all name server switch repositories, such as local,
NIS and LDAP. This attribute is enforced in the pam_hpsec service module, and
requires that the pam_hpsec module be configured in /etc/pam.conf. See
pam_hpsec(5). It accepts values from 0 to 0777 as an unsigned octal integer (must
have a leading zero to denote octal). The system-wide default defined here may be
overridden by defining a per-user value in /var/adm/userdb (described in
userdb(4)).
UMASK=default_umask
HP-UX 11i Version 3: March 2012 7 Hewlett-Packard Company 7
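
The following audit sketch is an added example, not part of the manual page or of HP-UX. It checks the PASSWORD_WARNDAYS, SU_DEFAULT_PATH, SU_KEEP_ENV_VARS, SU_ROOT_GROUP and UMASK entries against the ranges and defaults described above. Assumptions: entries are NAME=value lines with # marking a commented-out line, LD_* is treated as a prefix match, and the sample input and the group name wheel are constructed.

```python
import re

# Variables su withholds by default, per the text above (LD_* handled as a prefix).
UNSAFE = {"HOME", "ENV", "IFS", "SHLIB_PATH"}

def parse(text):
    """Collect NAME=value lines; blank and '#' lines count as not defined (assumed syntax)."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            attrs[name.strip()] = value.strip()
    return attrs

def audit(text):
    """Return (attribute, finding) pairs for values that are invalid or weaken su."""
    a, out = parse(text), []
    warn = a.get("PASSWORD_WARNDAYS", "0")
    if not (re.fullmatch(r"[0-9]+", warn) and int(warn) <= 441):
        out.append(("PASSWORD_WARNDAYS", "must be an integer from 0 to 441"))
    # su does not validate new_PATH, so non-absolute components are caught here.
    for part in a.get("SU_DEFAULT_PATH", "/").split(":"):
        if not part.startswith("/"):
            out.append(("SU_DEFAULT_PATH", f"non-absolute component {part!r}"))
    names = [v.strip() for v in a.get("SU_KEEP_ENV_VARS", "").split(",") if v.strip()]
    for var in names:
        if var in UNSAFE or var.startswith("LD_"):
            out.append(("SU_KEEP_ENV_VARS", f"{var} is propagated to su's child process"))
        else:
            out.append(("SU_KEEP_ENV_VARS", f"{var} is not one of the permitted names"))
    if not a.get("SU_ROOT_GROUP"):
        out.append(("SU_ROOT_GROUP", "unset: su to root has no group restriction"))
    umask = a.get("UMASK")
    if umask is not None and not (re.fullmatch(r"0[0-7]*", umask) and int(umask, 8) <= 0o777):
        out.append(("UMASK", "must be octal with a leading zero, 0 to 0777"))
    return out

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# SU_ROOT_GROUP=wheel
PASSWORD_WARNDAYS=500
SU_DEFAULT_PATH=/usr/bin:.:/usr/local/bin
SU_KEEP_ENV_VARS=IFS,LD_LIBRARY_PATH,TERM
UMASK=27
"""

if __name__ == "__main__":
    for attr, finding in audit(SAMPLE):
        print(f"{attr}: {finding}")
```
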