HP-UX Reference (11i v2 07/12) - 4 File Formats (vol 8)
security(4) security(4)
releases as security needs require.
SU_KEEP_ENV_VARS=var1,var2,...,varN
Default value: If this attribute is not defined or if it is commented out, these environment variables will not be propagated by the su command.
SU_ROOT_GROUP
This attribute defines the root group name for the su command. Refer to su(1).
SU_ROOT_GROUP=group_name
The root group name is set to the specified symbolic group name. The su command enforces the restriction that a non-superuser must be a member of the specified root group to be allowed to su to root. This does not alter password checking.
Default value: If this attribute is not defined or if it is commented out, there is no default value. In this case, a non-superuser is allowed to su to root without being bound by root group restrictions.
UMASK
This attribute controls umask() of all sessions initiated via pam_unix and/or pam_hpsec. See pam_unix(5) and/or pam_hpsec(5). It accepts values from 0 to 0777 as an unsigned octal integer (must have a leading zero to denote octal). If the TrustedMigration product is installed, the system-wide default defined here may be overridden by defining a per-user value in /var/adm/userdb (described in userdb(4)).
UMASK=default_umask
The umask is set or restricted further with the value of default_umask. For trusted systems, the umask is also restricted so as not to exceed SEC_DEFAULT_MODE defined in /usr/include/hpsecurity.h.
Default value: UMASK=0
Notes
Use the functions defined in secdef(3) to read the values of the attributes defined in this file.
If the TrustedMigration product is installed, the usage, possible values and default value of each of the attributes described in this manpage is defined in the /etc/security.dsc file.
The behavior of some attributes is affected by the time zone. For these attributes the time zone is determined by the first line of the form TZ=timezone in the file /etc/TIMEZONE. If the time zone is not specified in this file, it is obtained from the file /etc/default/tz, as described in tzset(3).
EXAMPLES
The following are examples of LOGIN_TIMES usage.
SaSu:Wk1800-2400
The user can log in to the system all day on weekends and after 6:00 pm on week days.
MoWeFr1000-1400:TuThSu0800-1700
The user can log in to the system on Monday, Wednesday and Friday from 10:00 am to 2:00 pm and on Tuesday, Thursday, and Sunday from 8:00 am to 5:00 pm.
Any0400-1300
The user can log in to the system every day from 4:00 am until 1:00 pm.
Any
No day or time restrictions. This is the default.
Mo1800-2400:Tu0000-0300
The user can log in to the system any time between Monday after 6:00 pm until Tuesday at 3:00 am.
Mo0000-0300:Mo1800-2400
The user can only log in to the system on Mondays between midnight and 3:00 am or after 6:00 pm on Mondays.
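
The following added example, which is not part of the HP-UX reference or HP's implementation, evaluates a LOGIN_TIMES value against a timestamp, so that a policy string can be checked before it is deployed. The grammar is inferred only from the examples above; the function names, the inclusive start and exclusive end of each range, and the rejection of ranges that wrap past midnight are assumptions.

```python
import re
from datetime import datetime

# Assumed grammar, inferred only from the examples above (not the full
# LOGIN_TIMES specification): colon-separated entries, each a run of day
# tokens optionally followed by HHMM-HHMM; no time range means all day.
DAY_SETS = {d: {i} for i, d in enumerate(["Mo", "Tu", "We", "Th", "Fr", "Sa", "Su"])}
DAY_SETS.update({"Wk": set(range(5)), "Any": set(range(7))})
TOKEN = "|".join(DAY_SETS)
ENTRY = re.compile(rf"^((?:{TOKEN})+)(?:(\d{{4}})-(\d{{4}}))?$")


def _minutes(hhmm):
    """Convert HHMM to minutes since midnight; 2400 is accepted as end of day."""
    hours, mins = int(hhmm[:2]), int(hhmm[2:])
    if mins > 59 or hours * 60 + mins > 1440:
        raise ValueError(f"bad time {hhmm!r}")
    return hours * 60 + mins


def parse_login_times(spec):
    """Return [(weekday_set, start_min, end_min), ...] for a LOGIN_TIMES value."""
    windows = []
    for entry in spec.strip().split(":"):
        m = ENTRY.match(entry)
        if not m:
            raise ValueError(f"unrecognised entry {entry!r}")
        days = set()
        for tok in re.findall(TOKEN, m.group(1)):
            days |= DAY_SETS[tok]  # weekday numbers match datetime.weekday()
        start, end = (0, 1440) if m.group(2) is None else map(_minutes, m.group(2, 3))
        if start >= end:  # assumption: a range never wraps past midnight
            raise ValueError(f"empty or wrapping range in {entry!r}")
        windows.append((days, start, end))
    return windows


def login_allowed(spec, when):
    """True if datetime `when` falls in a window (start inclusive, end exclusive)."""
    minute = when.hour * 60 + when.minute
    return any(when.weekday() in days and start <= minute < end
               for days, start, end in parse_login_times(spec))


if __name__ == "__main__":
    # Constructed check: Monday 2007-12-03 at 17:59 and 18:00 against the first example.
    for t in (datetime(2007, 12, 3, 17, 59), datetime(2007, 12, 3, 18, 0)):
        print(t, login_allowed("SaSu:Wk1800-2400", t))
```
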
The following example is related to the AUTH_MAXTRIES attribute. When an account has been locked due to too many authentication failures, root can unlock the account with this command:
userdbset -d -u username auth_failures
or by su’ing to the account. See userdbset(1M).
HP-UX 11i Version 2: December 2007 Update − 6 − Hewlett-Packard Company 351