Chapter 1: Administering user accounts

Chapter 1: Administering user accounts

Chapter 1
Administering user accounts

User accounts help the system administrator keep track of the people using the system and control their access to system resources. Accounts also help organize user files and control their access by other users.

There are several aspects to account administration:

The Account Manager interface provides a convenient, interactive way to perform most account administration tasks.

The Account Manager interface

The Account Manager allows you to create or modify user accounts. You can start the Account Manager in any of these ways:

Double-click on the Account Manager icon in the System Administration window on the Desktop.
Start the SCOadmin launcher by entering scoadmin on the command line, then selecting Account Manager.
Enter scoadmin account manager on the command line (or abbreviate to scoadmin a).

For more information on using SCOadmin managers, see ``Administering your system with SCOadmin'' in the SCO OpenServer Handbook.

The main display of the Account Manager includes a list of accounts on the system. The icons (or characters) in the ``Status'' column indicate the type of account and its status. By default, the Status information is not displayed to keep startup time to a minimum. To display status information, select Show Status from the Options menu.

WARNING: If you have a large number of accounts on the system, the collection of status information takes a long time and will delay startup of the Account Manager. We recommend not using the Show Status selection under these circumstances.

You can display a list of groups on the system by selecting Groups from the View menu.

Figure 1-1 Account Manager status icons

Authorization

When run from an account other than root, use of the Account Manager requires the auth authorization. See ``Assigning subsystem authorizations'' for more information.

About default selections

Many selections of the Account Manager have multiple choices: Yes and No (or a single numerical value), and Default. When you choose the Default option, you are not simply using a static value that is copied into the user's account. Instead, you are configuring the account to use a default value that can change dynamically. That is, you can change the system default value that immediately affects all accounts. With this in mind, you can configure user accounts to use either a specific static value, or a dynamic one associated with most users.

Adding and modifying user accounts

In the Account Manager, select Add New User from the Users menu, or select a user from the list and select Modify from the Users menu.

When adding a new user, you need only enter a name and assign a password. If you select Set password later, the user will not be able to log in until you assign one as described in ``Setting or changing a user password''.

You can alter any of these attributes (system defaults are used if you do not):

User ID number
Comment (optional)
Password
Login shell
Distribution (local or NIS) as described in ``Managing distributed user accounts'' in the Networking Guide
Home directory
Login group
Group membership
Login controls and locks
Powers -- including authorizations and privileges
User type
Priority of the user's processes

NOTE: Remote administration (using the Open Host selection of the Host menu) requires user equivalence on the machine you plan to administer. The remote machine must recognize the account being used to administer users on the local machine. See ``Adding user equivalence'' in the Networking Guide for more information. As on the local machine, non-root accounts require the auth authorization to run the Account Manager. See ``Assigning subsystem authorizations'' for more information.

To change the system default values, select User Defaults from the Options menu.

You can also create users on the command line:

useradd username

Default values are used unless overridden by command line options described in the useradd(ADM) manual page.

See also:

Using account templates

Account templates are files that contain a list of account attributes (such as group membership or privileges) for use with the account command line utilities. Templates make it easier to specify attributes that would otherwise require a long command line.

NOTE: Templates do not work with the Account Manager. They are are designed for use with command line utilities only.

Here is an example template, template1, that specifies several attributes, including group membership, kernel privileges, login restrictions, password restrictions, and authorizations:

   { groups { gedemondan czillian dillian type41 oolakash } }
   { kernelAuths { chown execsuid su } }
   { maxLoginAttempts 8 }
   { passwdExpirationTime 60 }
   { passwdLifetime 120 }
   { passwdRunGenerator 1 }
   { subsystemAuths { printerstat printqueue queryspace } }

Templates can be used to create new accounts, modify existing accounts, or change the system defaults.

Here is an example that creates a new account for user mavrac that uses template1:

useradd -X template1 mavrac

The new account will use all the default account values except for those listed in the template file. To modify an existing account for the same user, you would simply substitute usermod for useradd.

You can also modify account defaults using a template file. Assuming you wanted to replace the current system defaults with the values in template1, you would use this command:

usermod -D -X template1

You can use the userls command to list account attributes that you can in turn use to create a template. For example, this command directs the attributes for user mavrac into a file:

userls -l mavrac -A > template1

You must edit the output from userls because it contains all attributes, including status information that cannot be changed (such as last login time), but you can us it as a basis for a template file.

See also:

userls(ADM) manual page
groupadd(ADM) manual page
groupls(ADM) manual page

Removing or retiring a user account

In the Account Manager, select a user name, then select Delete or Retire from the Users menu. If you are operating with the Improved or High security profiles, only Retire is available.

Removing or retiring a user account does not remove the user's files; the system administrator must do this manually by deleting the directory. In addition, there may be other files that belong to the user. See ``Changing ownership of files with an obsolete UID/GID'' for more information.

NOTE: When operating with the High (C2) security profile, a user is never removed from the system. Once assigned, a UID is never reused. Instead, a user account is ``retired,'' or removed from service. Under other profiles, a user can be completely removed from the system. To allow UIDs to be reused regardless of the security profile, you can define REUSEID=YES in /etc/default/login.

See also:

``Reactivating a retired user account''
rmuser(ADM) manual page (for command line interface)
unretire(ADM) manual page (for command line interface)

Reactivating a retired user account

Use the unretire(ADM) command, substituting the account name for username:

unretire username

The user should then be able to log in to the account.

NOTE: When operating under the High (C2) security profile, a user is never removed from the system. Therefore unretire will not function under the High security profile.

Setting and changing user and group IDs (UID/GID)

Each user and group is assigned an identification number (UID or GID). This ID number is stamped on all files, directories, and processes on local and NFS-mounted filesystems. When you create a new user or group, a new UID or GID number is automatically assigned, but you can specify another by entering it in the text field.

WARNING: Within a network environment, each user and group must have a unique identification number across the entire network, rather than just on the home machine. For more information, see ``Establishing user equivalence'' in the Networking Guide and Chapter 9, ``Configuring the Network Information Service (NIS)'' in the Networking Guide.

To change the ID number for an existing user or group, use the usermod(ADM) or groupmod(ADM) command. Changing an ID number of a user or group does not change the ID on files owned by the user or group; the system administrator must do this manually as described in ``Changing ownership of files with an obsolete UID/GID''.

To alter the range of UIDs from which you select for new users, select User Defaults from the Options menu. To alter the range of GIDs from which you select for new groups, Group Defaults from the Options menu.

NOTE: When operating under the High security profile, a UID cannot be changed. Under other profiles, UIDs can be changed without restriction.

See also:

usermod(ADM) manual page (for command line interface)
groupmod(ADM) manual page (for command line interface)
``Managing groups''
``Setting the group ID for file creation in a directory''

Changing ownership of files with an obsolete UID/GID

If you have changed or removed a UID or GID, you must change the ownership of their files and check your filesystems for orphaned files. Files without a real owner have a number in the owner and/or group name fields:

   -rw-r--r--   1 obie     pub        68476 Nov 16 12:06 accts.s
   -rw-r--r--   1 15625    pub          508 Oct 31 11:15 balance
   -rw-r--r--   1 obie     pub        40596 Aug 31 13:19 report.2

In this example, the file balance is an orphaned file. The number appears because files are stamped with the ID number rather than the user or group name.

Use the find(C) utility to locate and change the ownership of files. This command line finds all files on the system owned by user UID and changes ownership to user newowner:

find / -user UID -print | xargs -t chown newowner

This variation changes the group ownership:

find / -user GID -print | xargs -t chgrp newgroup

NOTE: These examples assume a search of the entire system (including all mounted filesystems whether local or imported). To restrict the search to a single filesystem, use the pathname instead of /. In addition, you can skip mounted filesystems by including the -mount option, or restrict the search to local filesystems with the -local option.

Instead of changing the ownership, you can perform other actions, such as archiving the files; see ``Locating files''.

See also:

find(C) manual page
xargs(C) manual page

Changing user login groups

In the Account Manager, select a user name, then select Modify from the Users menu. Use the Change Group Membership button to change the value in the ``Login Group'' field.

The login group is the default group to which the user belongs. Files and directories created by the user are owned by this group. Users can temporarily change their login group using the sg(C) command.

NOTE: If you add a user to a group that does not exist, you are given the opportunity to create it. When a user's login group is set this way, the group will not be added to the ``Member of'' column. This is normal.

To change the system default login group, select User Defaults from the Options menu.

See also:

``Managing groups''
``Changing a user's group membership''
usermod(ADM) manual page (for command line interface)

Changing a user's group membership

In the Account Manager, select a user name, then select Modify from the Users menu. Click on the Change Group Membership button.

To add user to a group, select an entry in the ``Other Groups'' column and click on the Add button.

To remove a user from a group, select an entry in the ``Member of'' column and click on the Remove button.

You can search for a specified group by entering the name in the ``Search for:'' field.

To change the set of default groups assigned to new users, select User Defaults from the Options menu.

NOTE: There is a limit to the number of groups a user can be a member of at one time. See ``Changing the limit on simultaneous group membership'' for more information.

See also:

``Managing groups''
``Changing user login groups''
usermod(ADM) manual page (for command line interface)

Changing user login shells

In the Account Manager, select a user name, then select Modify from the Users menu. Use the Login Shell button to select from the available login shells.

To change the system default login shell, select User Defaults from the Options menu.

Each shell has one or more environment files specific to that shell (for example, .profile and .kshrc for ksh(C)). To add environment files to the home directory, select Add Shell Environment Files to Home Directory. (This button has no effect on a newly created home directory; environment files are always added in this case.)

See also:

``What happens when you log in'' in the Operating System User's Guide
Appendix D, ``Sample shell startup files'' in the Operating System User's Guide
usermod(ADM) manual page (for command line interface)
``Adding and modifying default environment files''

Login shells

These shells are available:

Bourne shell (/bin/sh): First shell to be developed; includes wildcards, basic command language. Also available in a restricted version.
C shell (/bin/csh): Different language syntax from Bourne and Korn shell family (similar to the C programming language). Includes command history recall (reuse of recently issued commands without retyping them), aliases (defining alternative names for commands), and limited ability to redirect input and output.
Korn shell (/bin/ksh): Compatible superset of Bourne shell facilities; includes command history editing (editing and reissuing previously typed commands interactively) and aliases. In addition, supports job control (manipulation of background processes), and extended language syntax. Recommended shell. Also available in a restricted version.
SCO shell (scosh): Menu-based shell (character interface).
uucp: Non-interactive shell for UUCP login accounts that use uucico(ADM). Do not assign this to a normal user account. See ``Creating login accounts for sites dialing in''.

See also:

Chapter 10, ``Configuring and working with the shells'' in the Operating System User's Guide

Restricted shells

There are restricted versions of the Bourne and Korn shells (rsh and rksh) that prohibit changing directory with cd, setting the value of $PATH, using command names containing slashes, and redirecting output using > and >>.

Changing user home directories

In the Account Manager, select the user name, then select Modify from the Users menu. Use the Change Home Directory button to display the home directory options (only the first three are available when you add a new user):

Home Directory or Home Directory Base Path: allows you to enter the home directory name. When changing user defaults, the base path is the directory where all home directories will reside (example: /usr).
Home Directory Permissions: allows other users in the same group or any others to access the user's home directory. This option is only available when creating a new directory or modifying the default location of user directories.
Create Home Directory: adds the new home directory to the system. Deselect this option if you wish to use an existing directory.
Move Files from Old Home Directory: moves all the user's existing files to the new home directory.

To change the system default location, select User Defaults from the Options menu.

NOTE: Changing the system default location for home directories does not move existing accounts; only new accounts are placed in the new location.

Changing user type

Optional user type labels are provided for sites wishing to distinguish between different types of users.

NOTE: Retired accounts have the type of ``retired,'' so if you set the type to this value the account is promptly retired. Otherwise, user types are merely informational labels. They do not confer any special privileges. The user type attribute is not accessible from the Account Manager.

To change the type for an account, use this command line:

usermod -x "{userType type}" user

where user s the name of the account and type is one of:

root
operator
sso
admin
pseudo
general
retired

To change the system default used for account creation, use this command line:

usermod -D -x "{userType type}"

By default user accounts have the type label of ``general'', and you need not change it. Anonymous accounts like sysinfo and uucp have the label ``pseudo-user''. Each pseudo-user has an accountable user, who is considered responsible for that account. (For example, root, an individual, is defined as the accountable user for all pseudo-user accounts.)

Changing user priority

The priority setting determines the scheduling priority for the user's processes: the greater the value, the higher the priority.

To change the priority for an account, use this command line:

usermod -x "{nice value}" username

Processes using traditional scheduling have priorities 0 (low) to 127 (high); processes using real-time scheduling have priorities 128 to 255.

To change the system default used for account creation, use this command line:

usermod -D -x "{nice value}"

See also:

nice(C) manual page

Adding and modifying default environment files

You can modify the default configuration files that are added to the home directory for a new account. For example, csh(C) has prototype .login and .cshrc files that are installed in a user's directory when csh is selected as that user's login shell. Each shell has a directory of these prototype files in /usr/lib/mkuser.

NOTE: There are also system-wide files in /etc that initialize the Bourne/Korn and C-shell environment. See ``Modifying .profile and .login files'' for more information.

You can also add login shells (and configuration files) to the set of login shells available from the Account Manager. Examine the existing files and follow their example. Make sure the permissions and ownership are consistent with these files. When you install the files, the new shell is available in the Account Manager.

See also:

Appendix D, ``Sample shell startup files'' in the Operating System User's Guide

Managing groups

Groups allow you to control access to files and directories by creating workgroups. These tasks are associated with groups:

WARNING: Do not change the GIDs of any default system groups.

See also:

``About groups''

About groups

Groups allow sets of users to share files. The group permissions on a file or directory determine whether members of a group can access them.

You can set the group of a file or directory by changing its properties from the Desktop or by using the chgrp(C) command. For more information on properties, see ``Controlling file permissions'' in Using the Desktop.

A user can be a member of several groups at once, and can access any file or directory that is within their group set (if group permissions allow). This membership set is known as the supplemental group list. By default, files created by a user have the group ID of their login group. Users can change their current working group (also known as effective group ID) or manipulate their supplemental group list with the sg(C) command.

NOTE: When files are created in a directory, the group ownership is determined by the setting of the GID bit. See ``Setting the group ID for file creation in a directory''.

See also:

``Access control for files and directories'' in the Operating System User's Guide
``Changing the limit on simultaneous group membership''

Adding or modifying a group

In the Account Manager, select Add New Group from the Groups menu. Enter the group name. You can change the suggested group ID number by overwriting the text field.

To modify an existing group, select Group from the View menu, select a group name, then select Modify from the Groups menu.

To add user to the group, select an entry in the ``Other Users'' column and click on the Add button.

To remove a user from the group, select an entry ``Users In Group'' column and click on the Remove button. You can also search for a user name to select.

To alter the range of GIDs from which you select for new groups, select Group Defaults from the Options menu.

To create groups on the command line:

groupadd groupname

Default values are used unless overridden by command line options -- see groupadd(ADM).

NOTE: You can also edit the file /etc/group to add or modify groups as desired, but using the Account Manager or groupadd is recommended.

See also:

``Removing a group''

Removing a group

In the Account Manager, select Group from the View menu, then select the group name. Then, select Delete from the Groups menu.

Removing a group does not change the GID of files on the system. The administrator must do this manually. See ``Changing ownership of files with an obsolete UID/GID'' for more information.

See also:

``Adding or modifying a group''
groupdel(ADM) manual page (for command line interface)

Setting the group ID for file creation in a directory

By default, the GID (group identifier) of a newly created file is set to the GID of the creating process or user. Setting the SGID bit on a directory causes all subsequent new files to take the GID of that directory. This makes it easier for users to share files, because it ensures that all files will have the same GID, even if the users don't have the same login group.

To set the SGID bit on a directory, use this command, substituting the directory name for directory:

chmod g+s directory

To remove the bit, replace the ``+'' with a ``-'' in the chmod command.

Changing the limit on simultaneous group membership

The maximum number of groups that a user can be in at one time is 8 by default. There are no warning messages displayed when this number is exceeded, but when the sg(C) command is used to extend a user's group list using the verbose option (-v), this error message is displayed:

   sg: unable to add group group as supplemental group list full

This limit is controlled by the NGROUPS tunable kernel parameter. To change this value, use the Hardware/Kernel Manager or the configure(ADM) command. Select category 7, ``User and group configuration'', then change the value of NGROUPS. The kernel must then be relinked and booted for the new value to take effect. See ``Relinking the kernel'' in the SCO OpenServer Handbook for more information.

Managing passwords

Passwords are the first line of defense against unauthorized users. Protect your system by requiring passwords for all user accounts.

These tasks are associated with passwords:

Setting or changing a user password
Controlling password expiration
Controlling password selection -- including the use and generation of passwords, their length and obviousness
Setting passwords for dial-in lines

Setting or changing a user password

In the Account Manager, select a user name, then select Change Password from the Users menu.

You have these options:

Enter a new password: allows you to create a new password.
Keep existing password: retains the current password (this option is not available during account creation).
Use machine generated password: allows you to generate a password for the user.
Remove password: deletes the password and allows the user to log in without one.
Force password change at next login: forces users to change their password the next time they log in.

If you are entering a new password, type it in the ``Enter Password'' field (the password is not displayed). You are then switched to the ``Confirm Password'' field to enter it once more.

Use the Generate a password button to create a password for a user. Generated passwords are pronounceable, meaning that they are nonsense words rather than just random strings of letters (for example: juhahiwa). The password is automatically entered in the password fields; click on OK to accept the password, otherwise click on the Generate... button until a satisfactory password is generated.

Users can also generate their own passwords, unless you prevent them from running the generator. See ``Allowing users to generate passwords'' for more information.

See also:

Table 1-1, ``Password checking by security profile''
passwd(C) manual page (for command line interface)

Controlling password expiration

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Expiration.

System defaults are used unless you use the default toggle buttons to unstipple the text fields:

Days allowed between changes: sets how long users must wait before they can change their password again. This prevents users from changing their passwords when they expire and then immediately changing them back to the previous one.
Days until password expires: sets how long a password is valid. When the password expires, the user is prompted to set a new password when they log in.
Days until account is locked: sets the interval between the time when the password expires and the account is automatically locked (preventing the user from logging in). Also known as the ``password lifetime''.

To change the system default values, use these commands:

usermod -D -x "{passwdMinChangeTime value}"
usermod -D -x "{passwdExpirationTime value}"
usermod -D -x "{passwdLifeTime value}"

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above commands.

NOTE: The Low and Traditional security profiles use password restrictions that are very lenient: passwords do not expire, accounts are not locked, and there is no minimum interval between password changes.

The default account initialization files (.cshrc, .profile, .kshrc, and so forth) automatically execute the prwarn(C) utility at login time to warn users about impending password expiration.

See also:

``Locking or unlocking a user account''
usermod(ADM) manual page (for command line interface)

Controlling password selection

Password selection constraints give the administrator these capabilities:

Allowing accounts without passwords

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

To permit a user to log in without a password, set Password Required to No. Accounts without passwords are a major security risk. To use the system default value, set it to Default.

To change the system default value, use this command line:

usermod -D -x "{passwdNullAllowed value}"

where value is either 1 (no password required) or 0 (a password is required).

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

WARNING: Removing the requirement for passwords does not delete existing passwords. The administrator must change each password as described in ``Setting or changing a user password'' and set the password to blank, or use the passwd(C) command line.

Preventing users from changing their passwords

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

Set User can choose own to No. Users will then have to get passwords from the accounts administrator when their passwords expire, or the password generator will create them. To use the system default value, set it to Default.

To change the system default value, use this command line:

usermod -D -x "{passwdChooseOwn value}"

where value is either 1 (users can choose their own password) or 0 (a password is supplied by the administrator or the password generator).

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

Allowing users to generate passwords

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

You can choose to have the system generate passwords automatically for users. This guards against users picking ``obvious'' passwords that a knowledgeable intruder could guess, given some personal facts about the user.

To permit users to generate (but not choose) a new password, set User can run generator to Yes. To use the system default value, set it to Default.

To change the system default value, use this command line:

usermod -D -x "{passwdRunGenerator value}"

where value is either 1 (the user can run the generator) or 0 (the user cannot).

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

Restricting password obviousness

An important part of password control is ensuring that passwords are difficult to guess without being too complex to remember. You can prevent users from using passwords that are too easy to guess, like dictionary words or system names.

In the Account Manager, select a user name, then select Password Restrictions from the Users menu, then select Selection.

Set Check for Obviousness to Yes to run complex checks on passwords. The meaning of Yes and No varies with the security profile level chosen. To use the system default value, set it to Default. The meaning can also be set independent of the security profile as described in ``Customizing password checking''.

To change the system default value, use this command line:

usermod -D -x "{passwdCheckedForObviousness value}"

where value is either 1 (use complex checks) or 0 (use less restrictive checks).

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

Table 1-1 Password checking by security profile

 Security        Check for Obviousness
 Defaults        No            Yes
 -------------------------------------------
 Low             -             -
 Traditional     System V      System V-plus
 Improved/High   goodpw weak   goodpw strong

System V (traditional UNIX System V checking) checks that a password:

is not a rotation of login name (moving characters from beginning to end of the word and vice versa)
contains at least 2 alphabetic and 1 non-alphabetic characters
contains at least 3 characters different from old password
has a minimum length defined by PASSLENGTH in /etc/default/passwd or, if PASSLENGTH is undefined or set to an asterisk (*), pass a special length check based on the delay between login attempts and the password lifetime for that user

System V-plus (System V with additions) checks that a password is:

not a palindrome
not a group or user name

goodpw weak checks that a password does:

not contain the strings ``SCO'', ``XENIX'', or ``UNIX'' (defined in /usr/lib/goodpw/reject)
not contain a user, group, machine, or alias name
pass special length checks based on character mixes (these override the set minimum length and are defined in /usr/lib/goodpw/match):
- If a password consists of all alphabetic characters of the same case, it must have a length of at least 6.
- If the password consists of two types of alphanumeric characters, it must have a length of at least 5.
- If the password consists only of non-alphanumerics (symbols), or a mixture of uppercase, lowercase and numerics, it must have a length of at least 4.

goodpw strong (goodpw weak plus additional checks) checks that a password:

does not contain a dictionary word
is not a rotation of a user, group, machine, alias name, or dictionary word

The goodpw(ADM) checks are defined in the /etc/default/goodpw file and supplemented or modified by files in the /usr/lib/goodpw directory. Refer to ``Customizing password checking'' for more information.

NOTE: Obviousness checking will prevent certain penetrations based on dictionary checking, but such repeated break-in attempts are better controlled with login limits -- see ``Setting login restrictions on terminals''. Obviousness checks increase the time required to change a password.

For information on using the command line interface, see the usermod(ADM) manual page.

Customizing password checking

The goodpw(ADM) utility also allows you to customize password checking. The file /etc/default/goodpw contains the password control settings. These settings allow you to specify if passwords are checked against dictionary words, word rotations, and user, group, and system names.

NOTE: Password checking can also be set by editing /etc/default/passwd and changing the value of GOODPW as follows:

YES use goodpw
NO use standard UNIX system checking
NONE perform no password checking

You can also define regular expressions (character combinations and arrangements) that all passwords must match (or not match) with the files /usr/lib/goodpw/match and /usr/lib/goodpw/reject, respectively. See goodpw(ADM) for more information.

Setting password length

Password length is controlled by three parameters:

minimum length
maximum generated length -- the limit on passwords created by the password generator
number of significant segments -- see ``Password compatibility across UNIX systems''

The maximum length of non-generated passwords is 80 characters.

To reconfigure the minimum length, change the value of PASSLENGTH in /etc/default/passwd. If PASSLENGTH is removed from the file or is set to an asterisk (PASSLENGTH=*), the value is calculated by the system; see ``Restricting password obviousness'' for more information.

You can configure the generated length for individual users with the Account Manager. Select a user name, then select Password Restrictions from the Users menu, then select Selection.

To change the system default value, use this command line:

usermod -D -x "{passwdGeneratedLength value}"

where value has a maximum value of 80.

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

See also:

``Allowing users to generate passwords''

Setting passwords for dial-in lines

You can define special dial-in passwords on selected tty lines, requiring selected classes of users to enter dial-in passwords. Logging information, including the last time of connection, is stored just as with normal logins.

Specific dial-in lines that require passwords are defined in the file /etc/dialups. The format is one tty device name per line, for example:

   /dev/tty1A
   /dev/tty5C

The actual dialup passwords are kept in the file /etc/d_passwd. The password format is the same one used in /etc/passwd. The first field (``user name'') in /etc/d_passwd is not a user name, but the name of a shell program (for example, /bin/sh) used in /etc/passwd. If the login shell of the user attempting to log in (on a tty line listed in /etc/dialups) is listed in /etc/d_passwd, then the user is prompted for the dial-in password stored in /etc/d_passwd.

Use this command line for creating a dial-in password:

passwd -m dialname

Change the password for dialup shell dialname (listed in /etc/d_passwd). If dialname begins with a slash (/) the entire shell name must match. Otherwise the password for every shell whose basename is dialname is changed. Only the superuser can change a dialup shell password.

Setting login restrictions

Login restrictions help protect your system by locking out unauthorized users. These restrictions make it difficult for an unauthorized user to use repeated login attempts to guess a user password and gain entry:

Setting login restrictions on accounts

You can prevent unauthorized use of an account by restricting the number of consecutive failed logins. When this limit is exceeded, the account is locked.

In the Account Manager, select a user name, then select Login Controls from the Users menu.

Enter a value in the ``Failed login attempts allowed before account is locked'' field or click on the default of button to select the system default.

To lock or unlock an account, see ``Locking or unlocking a user account''.

To change the system default value, use this command line:

usermod -D -x "{maxLoginAttempts value}"

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

NOTE: Terminal restrictions provide greater control over the login process.

See also:

usermod(ADM) manual page (for command line interface)
``Setting login restrictions on terminals''

Setting login restrictions on terminals

You can prevent unauthorized access to your system with login restrictions on terminals. Repeated login attempts are typically associated with trying to crack an account password.

Use the Terminal Manager located in the System directory of the SCOadmin hierarchy. To set login restrictions on all terminals, select Defaults. To change the settings for an individual terminal, select Examine.

You can control these attributes:

Consecutive unsuccessful logins: sets the number of consecutive unsuccessful login attempts before the terminal is locked. A value of ``INFINITE'' or ``infinite'' disables this type of lock for the terminal.
Delay between attempts: sets the interval between login prompts. The message Wait for login retry: is displayed between login attempts.
Time to complete login: sets the maximum interval for a login attempt. When this period expires, the login is considered unsuccessful and the process is restarted (unless the number of unsuccessful attempts has been exceeded).

After five login attempts, the login session is a aborted and a new one is started after the ``Delay between login attempts'' elapses. The five-login limit cannot be changed. When a login session occurs over a modem connection, the consequence of aborting the session is that the modem disconnects.

NOTE: Locks on the system console are ignored when the superuser logs in. This is to avoid a complete lock-out of all users everywhere. Because this special login is allowed, you should physically protect the system console.

See also:

``Logging unsuccessful login attempts''

Locking or unlocking a user account

In the Account Manager, select a user name, then select Login Controls from the Users menu.

To lock an account, click on the Lock Account button. When an account has been locked, the Unlock Account button appears instead.

If a lock has been applied to the account, it is listed under ``Current Account Lock Status''. An account can be locked because:

the administrator has locked the account
there were too many unsuccessful login attempts
the account password has expired

You can also unlock accounts from the command line:

passwd -u username

To lock an account, use the -l option.

See also:

Locking or unlocking a terminal

A terminal refers to the device file associated with the user login session (for example, /dev/tty01 or /dev/ttyp00).

Use the Terminal Manager located in the System directory of the SCOadmin hierarchy. To lock and unlock a terminal, respectively, select Lock or Unlock. When the prompt appears for the terminal, enter the name, (for example: tty01). When a terminal is locked, this message is displayed when an attempt is made to log in:

   Terminal is disabled -- see Authentication Administrator

Assigning user powers

The administrator has the option of granting (or restricting) special powers:

Assigning subsystem authorizations -- the ability to run administrative programs
Changing system privileges -- to set privileges on user processes
Allowing users to skip login messages
Allowing users to execute superuser commands -- to run utilities otherwise only executable by root
Controlling the use of job scheduling commands -- to schedule jobs with cron(C), at(C), and batch(C)

The Low and Traditional security profiles assign most of the capabilities described here by default and it should not be necessary to change them. With the High (C2) security profiles, few are assigned by default; most privileges are intended for users entrusted with system administration.

Assigning subsystem authorizations

Authorizations allow users to run certain system programs. Primary authorizations are intended for users entrusted with system administration. Secondary authorizations grant more limited capabilities.

In the Account Manager, select the user name, then select Authorizations from the Users menu.

To change authorizations, deselect the Use system default authorizations for this user account button. This allows you to assign a set of authorizations specific to this account.

To add an authorization, select an entry the ``Not authorized'' column and click on the Add button.

To remove an authorization, select an entry in the ``Authorized'' column and click on the Remove button.

To change the authorizations assigned by default, use this command:

usermod -D -x "{subsystemAuths {list}}"

where list is one or more authorizations separated by spaces.

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

Primary authorizations

Primary authorizations effectively divide superuser powers into subsystems, allowing you to assign only the capabilities you want the user to have. Use secondary authorizations to assign more limited capabilities to normal users.

Users lacking the required authorization to run a SCOadmin manager will see the message You are not authorized to run...

WARNING: The auth subsystem authorization should only be assigned to persons entrusted with account administration. Never assign auth by default because it permits users to make changes to any account, including root. The backup, sysadmin, and passwd authorizations can be similarly abused -- do not assign them lightly.

Table 1-2 Primary authorizations

 ----------------------------------------------------------------------------
 Authorization   SCOadmin             Powers
                 Manager
 ----------------------------------------------------------------------------
 mem             −                    access to system data tables, listing
                                      all processes on the system
 terminal        −                    unrestricted use of the write(C) 
                                      command
 lp              Printer Manager      administer printers
 backup          Backup Manager       perform backups
 auth            Account Manager      administer accounts and terminals:
                 Terminal Manager     adding users, changing passwords,
                                      controlling logins
 audit           Audit Manager        run system audits and generate reports
 cron            Cron Manager         control use of cron(C) at(C) and
                                      batch(C) commands
 root            −                    use any command found in
                                      /tcb/files/rootcmds -- see ``Allowing
                                      users to execute superuser commands'' 
 sysadmin        Filesystem Manager   alter mount configuration
 passwd          -                    manage system passwords using passwd(C)

NOTE: Certain SCOadmin managers require more than one authorization. For example, to run the Backup Manager (backup authorization), you also need the sysadmin authorization (to mount filesystems).

Secondary authorizations

Secondary authorizations allow limited access by users to resources that would otherwise be tightly controlled (for example, without the printqueue authorization, users would only be able to see their own jobs when they use the lpstat command). They are useful when running the Improved or High security profiles to provide behavior that is more consistent with other UNIX systems.

Table 1-3 Secondary authorizations

 -----------------------------------------------------------------------
 Secondary       Parent          Powers
 authorization   authorization
 -----------------------------------------------------------------------
 audittrail      audit           generate personal audit reports on
                                 one's own activities
 backup_create   backup          create (but not restore) backups
 restore         backup          restore (but not create) backups
 queryspace      backup          use df(C) command to query disk space
 printqueue      lp              view all jobs in queue using lpstat(C) 
 printerstat     lp              use printer enable/disable commands
 su              auth            access the root (superuser) account and
                                 other accounts.  Access still requires
                                 a password; see ``Accessing other
                                 accounts with su(C)'' for more
                                 information.
 shutdown        root            use the Shutdown Manager or shutdown in
                                 conjunction with the asroot(ADM) 
                                 command as described in ``Allowing
                                 users to execute superuser commands''

NOTE: When the primary authorization for a subsystem is granted, the secondary authorizations for that subsystem are also granted. (For example, the lp authorization carries the printqueue and printerstat authorizations.)

Changing system privileges

System privileges allow user processes to execute specific operating system services. For example, the ability to change ownership of a file is governed by the chown privilege. (The chown privilege allows the use of the chown(S) system call that enables chown(C) to work.)

In the Account Manager, select the user name, then select Privileges from the Users menu.

To change privileges assigned, deselect the Use system default privileges for this user account button. This allows you to assign a set of privileges specific to this account.

To add a privilege, select an entry the ``Not allowed'' column and click on the Add button.

To remove a privilege, select an entry in the ``Allowed'' column and click on the Remove button.

To change the privileges assigned by default, use this command:

usermod -D -x "{privs {list}}"

where list is one or more privileges separated by spaces.

You can change the value for an individual user with the usermod(ADM) command by omiting the -D option and appending the user name to the above command.

Table 1-4 System privileges

 ----------------------------------------------------------------------------------
 Privilege              Allows user processes to
 ----------------------------------------------------------------------------------
 configaudit            configure audit subsystem parameters
 writeaudit             write audit records to the audit trail
 execsuid               run set-UID programs
 chmodsugid             to set set-UID and set-GID bit on files
 chown                  to change the owner of an object
 suspendaudit           suspend operating system auditing of the process

NOTE: Restricted chown is required for NIST FIPS 151-1 conformance. The chown privilege should not be assigned to users if you wish to conform to NIST FIPS 151-1 requirements. The kernel parameter CHOWN_RES also controls this behavior; see the Performance Guide for more information.

Under the Low and Traditional security profiles, most system privileges are assigned by default and should not require modification. Under the High security profile, chmodsugid is not assigned by default. Most users require only execsuid to perform routine tasks. If the user needs to create files with the SUID or SGID bits, they must have chmodsugid. To change ownership of a file (``give it away''), the chown privilege is required. If a user does not have this privilege, ownership of files can only be changed by root. The audit privileges (configaudit, writeaudit, and suspendaudit) should never be assigned to anyone other than the audit administrator. They are intended for use by a program designed to run as a trusted application.

See also:

System privileges and authorizations

If you are operating with the High and Improved security profiles, you must assign certain system privileges when you assign subsystem authorizations. Although most of these are already assigned by default, they are listed in Table 1-5, ``Subsystem privilege requirements'' in case you modify the defaults. One exception is the audit subsystem, which requires the addition of the configaudit and suspendaudit privileges. These privileges should never be assigned by default, or to ordinary users.

NOTE: Under the Low and Traditional security profiles, most privileges are already assigned by default.

Table 1-5 Subsystem privilege requirements

 ---------------------------------------------------------------------------------
 Subsystem              Privilege required
 authorization
 ---------------------------------------------------------------------------------
 audit                  configaudit, execsuid, writeaudit
 auth                   execsuid, chown
 backup                 execsuid
 lp                     chown
 cron                   chmodsugid, chown, execsuid
 sysadmin               chmodsugid, chown, execsuid

Allowing users to skip login messages

You can permit users to skip the messages displayed at login time. To do this, make certain this line appears in /etc/default/login:

   ALLOWHUSH=YES

Users can then create an empty file called .hushlogin in their home directory that suppresses login messages.

Allowing users to execute superuser commands

It is possible to assign users the capability of executing root-only commands without giving them complete root powers. This is done using the asroot(ADM) utility to create a new authorization associated with the command you wish to assign. You can then add this authorization to any user. You can also assign the root subsystem authorization to permit the use of all commands configured with asroot. For example, when the shutdown authorization is assigned assigned to a user, they can execute the shutdown command like this:

/tcb/bin/asroot shutdown

The procedure for setting up a superuser command for this usage is described in detail in the asroot(ADM) manual page.

NOTE: When the system is configured with the High security profile, the asroot utility requires that the user's password be entered.

See also:

Accessing other accounts with su(C)

The su(C) utility (for ``superuser'') can be used to switch over to another account temporarily. It is primarily used to access the root account, when it is executed without an argument. Otherwise, it is used in this form:

su username

su prompts for the account password, and if it is correct, a Bourne shell is started under the other account. Transitions with su do not affect the login user ID (LUID), so login and audit records remain accurate.

If a dash (-) is included in the command (su -), the environment for that user is executed (including login shell, home directory, and so forth), making it essentially the same as logging in as that user. To exit the shell, enter exit or press <Ctrl>D and you are returned to your own account.

Users can su to an pseudo-user account if they own it. To access the root account (or any other account they are not responsible for), however, the user must have the su authorization. Refer to ``Assigning subsystem authorizations'' for more information.

NOTE: The Low, Traditional, and Improved security profiles assign the su authorization by default. Users can su to any account if they know the password. Under the High security profile, the su authorization is not assigned.

See also:

Logging su(C) usage

Use of the su(C) command is logged in the file /usr/adm/sulog like this:

   SU 07/08 22:32 + ttyp0 mavrac-root

The entry indicates the date, time, location, and name of the account using the command. The following information is logged if an entry for SULOG appears in /etc/default/su:

   SULOG=/usr/adm/sulog

See also:

``Checking and clearing system log files''

Controlling the use of job scheduling commands

You can control use of the cron(C), at(C), and batch(C) commands that schedule or delay the execution of processes. Use the Cron Manager located in the System directory of the SCOadmin hierarchy.

The Cron Manager performs these tasks:

NOTE: In addition to granting permission to use these commands, you must make sure that the users have the chmodsugid privilege.

See also:

``Scheduling your processes'' in the Operating System User's Guide

Changing the default permissions for job scheduling

The system is initially configured to permit use of the job scheduling commands by root, sys, adm and uucp only, denying access to other users.

To change the system defaults, make these selections in the Cron Manager (the first is for cron and the second for at and batch):

Authorize → Scheduled → Default
Authorize → Delayed → Default

These three selections are displayed:

None: Execution is not permitted for any users.
Allow: Allow all users to execute the command.
Deny: Deny all users access to the command.

The current behavior is highlighted. Use the arrow keys to select the behavior desired, or enter the first letter. Remember that users can be allowed or denied on an individual basis as well. The settings for individuals take precedence over the system defaults.

Changing the job scheduling permissions for a user

To change individual user permissions, make these selections in the Cron Manager (the first is for cron and the second for at and batch):

Authorize → Scheduled → User
Authorize → Delayed → User

The cursor is placed on the ``User:'' field. Enter the name of the user or press <F3> for a list of possible users. When the user name is selected, these selections are displayed:

Allow: Allow this user to execute the command.
Deny: Deny this user access to the command.

Use the arrow keys to select the behavior required. This setting overrides the system default.

Using environment files for the at or batch commands

It is also possible to define the environment in which at and batch commands execute. To edit the at and batch prototype files respectively, use these selections in the Cron Manager:

Authorize → Environment → At
Authorize → Environment → Batch

NOTE: Only root can make these selections.

These options edit the files /usr/lib/cron/.proto (for at) or /usr/lib/cron/.proto.b (for batch). These files are placed at the start of the shell script formed for all at and batch jobs. This script must conform to the usual /bin/sh syntax and contain some variables particular to the prototype file. These variables are:

$d: Current directory of the user at the time of submission.
$l: ulimit for the user at the time of submission.
$m: umask for the user at the time of submission.
$t: Time (in seconds past 1 Jan 1970) that the script is run.
$<: Replaced with the entire script that the user submits. Normally, this appears last in the file, after the prologue that you set up. If you decide to include information after this variable, the shell script may exit before reaching it.

Only the superuser can edit these files.

Example environment files

There are many uses for prototype files; two examples are shown below:

Run jobs in a particular queue at a lower priority by inserting a nice(C) command:
```
   nice -5 /bin/sh << 'END_OF_FILE'
   $<
   END_OF_FILE
```
Specify that a queue should execute commands using an alternative shell:
```
   /bin/csh << 'END_OF_FILE'
   $<
   END_OF_FILE
```

For most sites, the prototype files provided with the distribution should be sufficient.

Changing the system security profile

You were asked to choose a security profile at installation time. It is possible to later select a different profile by using the Security Profile Manager located in the System/Security directory of the SCOadmin hierarchy.

Use the Current security profile button to change the profile and select Save from the Security menu to save the new profile. You may be asked to reboot your system before the change takes effect.

WARNING: After using lower security profiles it is possible to select the Improved or High defaults, but this does not mean your system conforms to the requirements of a C2 system. By definition, a C2 system must adhere to the requirements from initial installation. This is because modifications made to the system while at the lower level potentially violate those associated with the higher level.

These profiles are available:

High: recommended for systems containing confidential information and accessed by many users. Passwords are strictly controlled and assigned to users; users cannot choose their own. User accounts cannot be removed or reactivated. All C2 features are engaged and account database corruption results in a lockout of all users until the administrator fixes the problem.
Improved: recommended for systems accessed by groups of users who can share information. Password expiration is more lenient and users can choose their own passwords. LUIDs are not enforced, and user accounts can be removed or reactivated as desired. Account database corruption results in system lockout.
Traditional: Provided for compatibility with other UNIX systems. Passwords do not expire and standard System V password checking is used. Passwords are not required. Database corruption is handled transparently.
Low: Recommended only for systems which are not publicly accessible and which have a small number of cooperating users. No C2 features are engaged and no password checking is done. The /etc/shadow does not exist by default.

The High and Improved defaults are designed to meet the requirements set forth by the Department of Defense's Trusted Computer System Evaluation Criteria (also known as TCSEC or the Orange Book).

You can change the security profile from the command line using relax(ADM). For example, this command sets the Improved profile:

relax improved

The security profiles are merely a set of values that can be customized as desired. If The security subsystem has been modified appears on the screen, that means that you have made changes to individual security parameters. Customized values are overwritten when you select a new profile.

Security profiles

A security profile is a set of pre-configured values for parameters that control the security behavior of your system, such as how long passwords last, or what privileges are assigned to users. Once you choose a profile, you can switch to another profile, or change any one of the dozens of parameters on an individual basis.

Table 1-6 System security profiles

 ------------------------------------------------------------------------------------------------
                                                                   Security profiles
 Security parameters                   Low            Traditional   Improved       High
 ------------------------------------------------------------------------------------------------
 Passwords 
 ------------------------------------------------------------------------------------------------
 Minimum days between changes          0              0             0              14
 Expiration time (days)                infinite       infinite      42             42
 Lifetime (days)                       infinite       infinite      365            90
 User can choose own                   yes            yes           yes            no
 User can run generator                yes            yes           yes            yes
 Maximum generated length              8              8             10             10
 Minimum length                        1              3             5              8
 Password triviality checks            none           System V      goodpw weak1   goodpw strong2
 Password obviousness checks           -              no            no1            yes2
 Password required to login            no             no            yes            yes
 Single user password required         yes            yes           yes            yes
 ------------------------------------------------------------------------------------------------
 Logins 
 ------------------------------------------------------------------------------------------------
 Maximum unsuccessful attempts         infinite       99            5/9            3/5
 (account/terminal)
 Delay between login attempts (secs)   0              1             2              2
 -- terminal only
 Time to complete login (secs) --      60             60            60             60
 terminal only
 ------------------------------------------------------------------------------------------------
 Authorizations 
 ------------------------------------------------------------------------------------------------
 Primary                               backup,        mem,          none           none 
                                       lp, mem,       terminal,
                                       terminal
 ------------------------------------------------------------------------------------------------
 Secondary                             audittrail,    audittrail,   audittrail,    queryspace
                                       queryspace,    printqueue,   queryspace,
                                       shutdown, su   queryspace,   printqueue,
                                                      su            su
 ------------------------------------------------------------------------------------------------
 Privileges 
 ------------------------------------------------------------------------------------------------
                                       chmodsugid,    chmodsugid,   chmodsugid,    chown,
                                       chown,         chown,        chown,         execsuid
                                       execsuid,      execsuid      execsuid
                                       suspendaudit
 ------------------------------------------------------------------------------------------------
 Default umask3                        022            022           027            077
 ------------------------------------------------------------------------------------------------
 C2 Features 
 LUID enforcement4                     no             no            no             yes
 STOPIO on devices4                    no             no            no             no
 SUID/SGID clear on write4             no             yes           yes            yes
 Users can be deleted5                 yes            yes           no             no
 Database corruption6                  recover        recover       lockout        lockout
 Database precedence7                  System V       System V      TCB            TCB
 ------------------------------------------------------------------------------------------------
 Other 
 ------------------------------------------------------------------------------------------------
 Users can schedule jobs               allow          allow         deny           deny
 Home directory permissions            755            755           750            700
 Dialup printers allowed               yes            yes           no             no
 Hushlogin allowed8                    yes            yes           yes            no
 Password for asroot(ADM)              no             no            no             yes
 Significant characters in passwords   8              8             80             80
 su(C) use logged                      no             yes           yes            yes
 /etc/shadow present                   no             yes           yes            yes

Notes:

Simple checks are made, such as ensuring at least three characters differ and that at least one character be non-alphabetic.
Thorough checks are made, including disallowing words that appear in the online dictionary.
These are located in /etc/profile and /etc/cshrc. A umask of 077 results in the creation of files that are readable only by the owner.
These features are explained in ``Disabling C2 features''.
A requirement central to C2 is that a user ID (UID) cannot be reused. This means that user accounts cannot be reused or reactivated after retirement. With the lower security profiles, user accounts can be removed rather than retired and user IDs can be altered or reused.
On a system that conforms to C2 requirements, users are locked out of a system when a security database becomes corrupted. This ensures that the system does not operate in a potentially non-secure state. In the lower defaults, the system attempts to correct inconsistencies automatically and displays a warning rather than locking out users.
Two sets of account databases are maintained: UNIX System V and trusted computing base (TCB) files. One set is used as a master when a discrepancy occurs. This is described in ``Configuring database precedence and recovery''.
This feature allows the suppression of login messages. See the login(M) manual page for information.

Understanding account database files

An important distinction between UNIX systems is how account information is stored. This affects the interaction of accounts across different types of UNIX systems, and governs how programs access this data. The account database files fall into two categories: UNIX system files (those defined in the System V Interface Definition) and the Trusted Computing Base (TCB) files that extend System V security. These files are supported and maintained by the system to ensure compatibility with other UNIX systems.

System V files:

/etc/passwd. This publicly readable file is present on most UNIX systems and contains both account data (user ID number, login shell, and so forth) and (on some systems) an encrypted account password. Password aging information is also supported. The format is documented in passwd(F). It can be edited by experienced administrators, but using the Account Manager is the preferred method for adding and maintaining user accounts -- see ``Editing the /etc/passwd file''.
/etc/shadow. This file is readable only by root. It contains the encrypted password otherwise found in the /etc/passwd file. The format is documented in the shadow(F) manual page. This file exists by default in all security profiles except Low, where it still can be created using pwconv(ADM). See ``Configuring the shadow password file''.
/etc/default/passwd and /etc/default/login. These contain default account information and are documented in passwd(C) and login(M), respectively. (In many cases, information in these files is duplicated in the Protected Password and System Defaults database.)

TCB files:

Protected Password database (/tcb/files/auth/[a-z]/username). This database implements the requirements for the C2 level of trust as defined by the Trusted Computing System Evaluation Criteria (TCSEC). It contains the encrypted password of the user. If the user has specific system privileges, password parameters, and so forth that override the System Defaults database, they are stored here. The format of this file is described in authcap(F).
System Defaults database (/etc/auth/system/default). This contains the system-wide account defaults. The contents of this file are determined by the security profiles selected (Low, Traditional, Improved, or High). The contents of this file can be changed dynamically to affect all user accounts, unless a user has specific values set. The format of this file is described in the authcap(F) manual page.

All database files are updated automatically when a change is made from the Account Manager or the command line.

NOTE: In the event of a discrepancy between these files, either the UNIX System V files or the TCB databases are used as the master to bring them into agreement. In the Low and Traditional security profiles the UNIX System V files are the master. You can also configure which set of files is used as the master set -- see ``Configuring database precedence and recovery''.

Configuring database precedence and recovery

When the Low or Traditional security profiles are configured on your system, inconsistencies between the TCB and UNIX System V database files are handled transparently without interrupting system operation. Under the higher security profiles, the TCB database files take precedence and any corruption or inconsistencies that occur result in a lockout of non-root users until the problem is corrected.

This behavior can be set independently of the security profile with the usermod(ADM) command.

To reconfigure database precedence, use this command:

usermod -D -x "{tcbDatabaseIsMaster value}"

where value is either 1 (yes) or 0 (no). If you set value to 0, the UNIX System V database files described in ``Understanding account database files'' are used as the master. The non-master database files are maintained only for consistency and are not relied upon for data used by the system.

To reconfigure how the system treats inconsistencies, use this command:

usermod -D -x "{integrityRequired value}"

where value is either 1 (lock out all users until problem is fixed) or 0 (generate warnings but do not lock out users). If set to 1, the administrator must log in on the override terminal as described in ``Using the override terminal''.

See also:

Editing the /etc/passwd file

Although using the Account Manager is preferred for adding and maintaining users and groups, administrators accustomed to editing /etc/passwd directly can simply do so -- unless your system is configured with the Improved or High security profiles. If this is so, you must also run the authck(ADM) command with the -p and -s options to update the accounts database. With the lower security profiles, you can edit /etc/passwd without running authck.

See also:

``Understanding account database files''
``Configuring database precedence and recovery''
``Configuring the shadow password file''
useradd(ADM) manual page (for command line interface)

Configuring the shadow password file

The /etc/shadow file contains the encrypted passwords otherwise found in /etc/passwd. If your system does not have the shadow file configured, you can create it with the pwconv(ADM) command. pwconv creates a new shadow file and removes the encrypted passwords from /etc/passwd. (When the /etc/shadow exists, /etc/passwd contains an ``x'' in the password field.) Use pwunconv(ADM) to remove the shadow file (and incorporate passwords into /etc/passwd).

NOTE: The /etc/shadow exists by default under all security profiles except Low.

See also:

shadow(F) manual page
passwd(F) manual page

Copying user accounts

Use the ap(ADM) utility to copy user accounts from other SCO systems. ap creates a profile containing all account data for one or more users. You need not use ap if NIS is configured.

WARNING: The ap utility does not create profiles that are portable to non-SCO UNIX systems. If you need to migrate UNIX accounts from a different vendor or from an SCO® XENIX® system, use the addxusers(ADM) utility described in ``Copying user accounts from SCO XENIX or non-SCO UNIX systems''.

Account information is gathered from the /etc/passwd file and the Protected Password database. Irrelevant information about the user (including unsuccessful logins, unsuccessful password changes, and the location and time of last login) is not included in the profile.

To create a profile and install it on another machine:

Log in as root and enter this command on the machine where the accounts reside:

ap -d -v usernames > profile.acct
where usernames is the list of one or more user names.
Log in as root and move the profile.acct file to the target machine (use tar, or cp if your machine is on a network).
Enter this command:

ap -r -f profile.acct usernames
The new account information is in place and ready for use.

See also:

``Administering NIS users and groups'' in the Networking Guide
``Copying user accounts to non-SCO UNIX systems''
``Copying user accounts from SCO XENIX or non-SCO UNIX systems''

Copying user accounts to non-SCO UNIX systems

You can migrate user accounts to other XENIX or UNIX systems by copying the /etc/passwd (and /etc/shadow, if applicable) to the target system. If the target system does not use /etc/shadow, run the pwunconv utility to consolidate the information into /etc/passwd before copying the file to the target system.

NOTE: If you need to migrate accounts to another SCO system, use the ap(ADM) utility described in ``Copying user accounts''.

See also:

``Copying user accounts from SCO XENIX or non-SCO UNIX systems''

Copying user accounts from SCO XENIX or non-SCO UNIX systems

Use the addxusers(ADM) utility to copy accounts from non-SCO UNIX systems (or SCO XENIX systems) to your system. addxusers accepts an edited /etc/passwd file as input and makes the necessary database modifications for use on your system. Refer to the addxusers(ADM) manual page for a complete procedure.

See also:

Password compatibility across UNIX systems

The password encryption scheme used by your SCO system maintains compatibility with other XENIX and UNIX system implementations, while providing the ability to create passwords with more than eight significant characters. However, if you are using the Improved or High security profiles, passwords of up to 80 characters are allowed, and these cannot be imported to UNIX systems from other vendors. To ensure compatibility, you can limit the number of characters considered significant when passwords are checked and encrypted.

To reconfigure the number of significant segments, use the command:

usermod -D -x "{passwdSignificantSegments value}"

where value is from 1 to 10. A value of 1 (instead of the 10 used in the Improved or High defaults) allows the encryption mechanism to ignore characters following the first eight, thus allowing complete compatibility with other systems.

WARNING: Most XENIX and UNIX systems will accept passwords longer than eight characters, but only use the first eight for encryption. This can cause unexpected results when moving an encrypted password string from one of these systems to an SCO system. If a password longer than eight characters has been used, such as ``narcissus'', only the first eight characters (``narcissu'') should be entered on an SCO system.

See also:

Troubleshooting the Account Manager

Most error messages displayed by the Account Manager are self-explanatory. In other cases, the error message will be generic, for example:

   Unable to create new user account: name

Error boxes of this type include a Details button to provide you with additional information. The problems reported fall into these categories:

Illegal specification for a user or group attribute

When creating or modifying users and groups, these conditions will cause an error:

a colon (:) or newline character in any attribute (including user name, home directory, comment)
a misspelled or nonexistent login shell (or path name)
an illegal user or group name (names cannot begin with a number or exceed 8 characters in length)
an illegal UID or GID number (they must fall within the minimum and maximum values listed in the User or Group selections of the Options menu in the Account Manager)

Remote administration problem

If you are performing remote administration, the remote system may be unreachable or there may be a configuration problem. You should also make certain there is user equivalence on the remote machine. See ``Troubleshooting TCP/IP'' in the Networking Guide or ``Adding user equivalence'' in the Networking Guide for more information.

Missing or corrupted database files

The Details may indicate file data (or the file itself) is missing, for example:

   The user name does not exist in /etc/passwd

This means that an account database entry in /etc/passwd is corrupted or the file itself is missing. Table 1-7 contains a list of critical files accessed by the Account Manager. Follow these steps to solve the problem:

Use the tcbck(ADM) command to determine if any files are missing:

tcbck
This will list any missing database files.
If no files are reported missing, or if only the file /tcb/files/auth/r/root is missing, use the authck(ADM) command to check the security databases and resolve inconsistencies:

authck -a -y
authck will regenerate the Protected Password database entry for root (/tcb/files/auth/r/root) and any other users it finds missing.
Check any files reported as missing in step 1 with more(C) to see if they contain information. If the command reports a file as not found or the file appears to be empty, follow the procedure in ``Restoring critical security database files'' in the SCO OpenServer Handbook. If there appears to be no problem, try the Account Manager again.

Table 1-7 Security-related files

 Filename                     Purpose
 ------------------------------------------------------------------
 /etc/auth/system/default     Default control database
 /etc/auth/system/authorize   Authorization database
 /etc/default/accounts        Account/group creation defaults
 /etc/group                   Group database
 /etc/passwd                  Account database
 /tcb/files/auth              Protected Password database directory

See also:

``Troubleshooting SCOadmin'' in the SCO OpenServer Handbook
``Checking the security databases'' in the SCO OpenServer Handbook
``Dealing with filesystem and database corruption''
``Checking system configuration'' in the SCO OpenServer Handbook