HP-UX Reference (11i v1 00/12) - 4 File Formats (vol 8)

passwd(4)
SECURITY FEATURES
This section applies only to trusted systems. On a trusted system the password field always contains * by
default. Password and aging information are instead part of the Protected Password Database.

On trusted systems, the encrypted password for each user is stored in the file
/tcb/files/auth/c/user_name (where c is the first letter in user_name). Password information files
are not accessible to the public. The encrypted password can be longer than 13 characters. For example,
the password file for user david is stored in /tcb/files/auth/d/david. In addition to the password,
the user profile in /tcb/files/auth/c/user_name also has many other fields, including:

     numerical audit ID
     numerical audit flag
Like /etc/passwd, this file is an ASCII file. Fields within each user's entry are separated by colons.
Refer to authcap(4) and prpwd(4) for details. The passwords contained in /tcb/files/auth/c/* take
precedence over those contained in the encrypted password field of /etc/passwd. User authentication is
done using the encrypted passwords in this file. The password aging mechanism described in passwd(1),
under the section called SECURITY FEATURES, applies to this password.

For more information on converting to a trusted system and on passwords, see Managing Systems and
Workgroups and sam(1M).
NETWORKING FEATURES
NIS
The passwd file can have entries that begin with a plus (+) or minus (-) sign in the first column. Such
lines are used to access the Network Information System network database. A line beginning with a plus
(+) is used to incorporate entries from the Network Information System. There are three styles of +
entries:

     +        Insert the entire contents of the Network Information System password file at that point.
     +name    Insert the entry (if any) for name from the Network Information System at that point.
     +@name   Insert the entries for all members of the network group name at that point.

If a + entry has a non-null password, directory, gecos, or shell field, they override what is contained in the
Network Information System. The numerical user ID and group ID fields cannot be overridden.

The passwd file can also have lines beginning with a minus (-), which disallow entries from the Network
Information System. There are two styles of - entries:

     -name    Disallow any subsequent entries (if any) for name.
     -@name   Disallow any subsequent entries for all members of the network group name.
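As an added illustration, not part of the HP-UX manual, the following Python applies the +, +name, +@name, -name and -@name rules above to a local passwd file; NIS_PASSWD and NIS_NETGROUP are constructed sample data standing in for the NIS lookups, and the override rule (password, gecos, directory and shell may be overridden, uid and gid may not) is the one stated in the text.

```python
FIELDS = ("name", "passwd", "uid", "gid", "gecos", "dir", "shell")  # passwd(4) field order

# Constructed sample NIS password map and netgroup (stand-ins for the NIS lookups).
NIS_PASSWD = {
    "alice": ["alice", "xA", "501", "20", "Alice", "/home/alice", "/usr/bin/ksh"],
    "bob":   ["bob",   "xB", "502", "20", "Bob",   "/home/bob",   "/usr/bin/sh"],
    "carol": ["carol", "xC", "503", "30", "Carol", "/home/carol", "/usr/bin/csh"],
}
NIS_NETGROUP = {"ops": {"alice", "carol"}}


def _override(nis_entry, local):
    """Non-null local passwd, gecos, dir and shell override NIS; uid and gid never do."""
    merged = list(nis_entry)
    for i in (1, 4, 5, 6):
        if local[i]:
            merged[i] = local[i]
    return merged


def resolve_passwd(lines, nis=NIS_PASSWD, netgroups=NIS_NETGROUP):
    """Expand +/- entries into the effective ordered list of passwd entries."""
    result, disallowed = [], set()
    for raw in lines:
        line = raw.rstrip("\n")
        if not line or line.startswith("#"):
            continue
        f = (line.split(":") + [""] * len(FIELDS))[:len(FIELDS)]
        key, target = f[0], f[0][1:]
        if key.startswith("-"):                      # affects subsequent NIS entries only
            if target.startswith("@"):
                disallowed |= netgroups.get(target[1:], set())
            else:
                disallowed.add(target)
        elif key.startswith("+"):
            if target == "":                         # "+": the whole NIS password map
                names = list(nis)
            elif target.startswith("@"):             # "+@name": members of a netgroup
                names = sorted(netgroups.get(target[1:], set()))
            else:                                    # "+name": one NIS entry, if present
                names = [target] if target in nis else []
            for n in names:
                if n not in disallowed:
                    result.append(_override(nis[n], f))
        else:
            result.append(f)                         # ordinary local entry
    return result
```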
NIS Warnings
The plus (+) and minus (-) features are NIS functionality; therefore, if NIS is not installed, they do not
work. Also, these features work only with /etc/passwd, but not with a system that has been converted
to a trusted system. When the system has been converted to a trusted system, the encrypted passwords
can be accessed only from the protected password database, /tcb/files/auth/*/*. Any user entry
in the Network Information System database also must have an entry in the protected password database.

The uid of -2 is reserved for remote root access by means of NFS. The user name usually given to this uid
is nobody. Since uids are stored as signed values, the following define is included in <pwd.h> to match
the user nobody:

     #define UID_NOBODY (-2)
WARNINGS
The login shell for the root user (uid 0) must be /sbin/sh to guarantee it can always boot. Other shells
such as sh, ksh, and csh are all located under the /usr directory, which may not be mounted during earlier
stages of the bootup process. Changing the login shell of the root user to a value other than /sbin/sh is
allowed but may result in a non-functional system.

The information kept in the gecos field may conflict with unsupported or future uses of this field. Use of
the gecos field for keeping user identification information has not been formalized within any of the
industry standards. The current use of this field is derived from its use within the Berkeley Software
Distribution. Future standards may define this field for other purposes.
Section 4-202 - 2 - HP-UX Release 11i: December 2000