HP-UX Reference (11i v3 07/02) - 4 File Formats (vol 8)

security(4) security(4)
changed. This value is used by the authentication subsystem during the password
change process in the case where aging restrictions do not already exist for the user.
The value is stored persistently and takes effect after the password change. This
attribute applies only to local users and does not apply to trusted systems. The
passwd -n option can be used to override this value for a specific user.
PASSWORD_MINDAYS=N A new password cannot be changed until at least N days
since it was last changed. N can be an integer from 0 to 441.
Default value: PASSWORD_MINDAYS=0
PASSWORD_WARNDAYS
This attribute controls the default number of days before password expiration that a
user is to be warned that the password must be changed. This value, if specified, is
used by the authentication subsystem during the password change process in the case
where aging restrictions do not already exist for the given user. The value takes
effect after the password change. This attribute applies only to local users on shadow
password systems. The passwd -w option can be used to override this value for a
specific user.
PASSWORD_WARNDAYS=N Users are warned N days before their password
expires. N can be an integer from 0 to 441.
Default value: PASSWORD_WARNDAYS=0 (no warning)
SU_DEFAULT_PATH
This attribute defines a new default PATH environment value to be set when su is
used to switch to a non-superuser account. Refer to su(1).
SU_DEFAULT_PATH=new_PATH The PATH environment variable is set to new_PATH when the
su command is invoked. The path value is not validated. This attribute does not apply to a
superuser account, and is applicable only when the "-" option is not used with the su command.
Default value: If this attribute is not defined or if it is commented out, PATH is not changed.
SU_KEEP_ENV_VARS
This attribute forces su to propagate certain unsafe environment variables to its
child process despite the security risk of doing so. Refer to su(1).
By default, su does not export the environment variables HOME, ENV, IFS,
SHLIB_PATH or LD_* because they could be maliciously misused. Any combination
of these can be specified in this entry, with a comma separating the variables.
Currently, no other environment variables may be specified in this way. This may
change in future HP-UX releases as security needs require.
SU_KEEP_ENV_VARS=var1,var2,...,varN
Default value: If this attribute is not defined or if it is commented out, these environment
variables will not be propagated by the su command.
SU_ROOT_GROUP
This attribute defines the root group name for the su command. Refer to su(1).
SU_ROOT_GROUP=group_name The root group name is set to the specified symbolic
group name. The su command enforces the restriction that a non-superuser must be
a member of the specified root group to be allowed to su to root. This does not alter
password checking.
Default value: If this attribute is not defined or if it is commented out, there is no
default value. In this case, a non-superuser is allowed to su to root without being
bound by root group restrictions.
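
The following audit check is an added example, not part of the HP-UX reference or of any HP tool. It reads the contents of the security defaults file (/etc/default/security on HP-UX) and reports on the password-aging and su attributes described above. The sample input is constructed, the function names are hypothetical, and the code assumes a colon-separated SU_DEFAULT_PATH and that LD_* is a prefix pattern.

```python
import re

# Variables su does not export by default, per the SU_KEEP_ENV_VARS entry.
UNSAFE_VARS = {"HOME", "ENV", "IFS", "SHLIB_PATH"}

# Constructed sample input, not taken from a real system.
SAMPLE = """\
# constructed example
PASSWORD_MINDAYS=500
PASSWORD_WARNDAYS=14
SU_DEFAULT_PATH=/usr/bin:.:/opt/tools/bin
SU_KEEP_ENV_VARS=IFS,LD_LIBRARY_PATH,TERM
#SU_ROOT_GROUP=wheel
"""

def parse(text):
    """Return {attribute: value} for lines that are not commented out."""
    attrs = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            name, value = line.split("=", 1)
            attrs[name.strip()] = value.strip()
    return attrs

def audit(text):
    """Return findings for the password-aging and su attributes."""
    attrs, findings = parse(text), []
    for name in ("PASSWORD_MINDAYS", "PASSWORD_WARNDAYS"):
        value = attrs.get(name)
        if value is not None and not (re.fullmatch(r"[0-9]{1,3}", value) and int(value) <= 441):
            findings.append(f"{name}={value}: not an integer from 0 to 441")
    # su does not validate the path, so check each entry here (assumed ':'-separated).
    if "SU_DEFAULT_PATH" in attrs:
        for entry in attrs["SU_DEFAULT_PATH"].split(":"):
            if not entry.startswith("/"):
                findings.append(f"SU_DEFAULT_PATH: entry {entry!r} is not an absolute path")
    for var in filter(None, (v.strip() for v in attrs.get("SU_KEEP_ENV_VARS", "").split(","))):
        # Assumption: LD_* is treated as a prefix pattern.
        if var in UNSAFE_VARS or var.startswith("LD_"):
            findings.append(f"SU_KEEP_ENV_VARS: su will propagate unsafe variable {var}")
        else:
            findings.append(f"SU_KEEP_ENV_VARS: {var} cannot be specified in this entry")
    if not attrs.get("SU_ROOT_GROUP"):
        findings.append("SU_ROOT_GROUP: unset, su to root is not limited to a root group")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```
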
UMASK
This attribute controls umask() of all sessions initiated via pam_hpsec. This attribute
is supported for users in all name server switch repositories, such as local, NIS
and LDAP. This attribute is enforced in the pam_hpsec service module, and
requires that the pam_hpsec module be configured in /etc/pam.conf. See
pam_hpsec(5). It accepts values from 0 to 0777 as an unsigned octal integer (must
have a leading zero to denote octal). The system-wide default defined here may be
416 Hewlett-Packard Company 5 HP-UX 11i Version 3: February 2007