Jump to content United States-English
HP.com Home Products and Services Support and Drivers Solutions How to Buy
» Contact HP
More options
HP.com home
HP-UX System Administrator's Guide: Security Management: HP-UX 11i Version 3 > Chapter 2 Administering User and System Security

Defining System Security Attributes


Technical documentation

Complete book in PDF
» Feedback
Content starts here

 » Table of Contents

 » Glossary

 » Index

Security attributes provide additional control of system configurations, adding security enhancements to passwords, logins, and auditing.

There are more than 20 attributes. These attributes are described in security(4) . The categories of attributes are summarized as follows:

Login attributes

These attributes control login activities, such as login times, number of logins allowed, and the number of login failures allowed before locking and account.

Password attributes

These attributes control password activities, such as password length, number of characters and their types, history depth, number of days to change a password, and password expiration.

Boot attributes

These attributes control boot authentication, defining which users are authorized to boot the system into single-user mode. See boot authentication information in Chapter 1.

Switch user (su) attributes

These attributes define the PATH environment value, root group name for the su command, and whether or not su should propagate certain environment variables. See su(1) for more information.

Audit attribute

This attribute controls whether or not users are to be audited. The audit attribute is checked during the login process. See audit(5) for more information about HP-UX auditing.

umask attribute

This attribute controls umask() of all sessions initiated by pam_unix or pam_hpsec. See pam_unix(5) and pam_hpsec(5) for more information. The umask attribute is checked during the login process.

The system uses these files to process the attributes:

  • /etc/default/security

  • /var/adm/userdb

  • /etc/security.dsc

  • /etc/passwd

  • /etc/shadow

Each attribute has a per-user value in only one of these locations: /etc/password, /etc/shadow, or the user database in /var/adm/userdb. Each attribute and its per-user location are explained in the security(4) manpage.

The system checks what attributes apply in the following ways:

  • The system examines the per-user attribute values in the /var/adm/userdb user database, the /etc/passwd file, or the /etc/shadow file.

  • If there is no per-user value, then the system examines the configurable systemwide default attributes in /etc/default/security.

  • If there are no configurable systemwide default attributes, then the system uses the default attributes in /etc/security.dsc.

The security attributes description file, /etc/security.dsc, lists the attributes you can define /etc/default/security and in the user database in /var/adm/userdb. Some attributes are configurable and some are internal. Do not modify the /etc/security.dsc file in any way.

Configuring Systemwide Attributes

The following steps explain how to define security attributes on a systemwide basis.

  1. Review the security(4) manpage, which explains the configurable systemwide default values for attributes. These attributes are configured in the /etc/default/security file, which is also explained in the security(4) manpage.

    If an attribute is not defined in the /etc/default/security file, then the default value defined in the /etc/security.dsc file will be used by the system. See the userdb(4) manpage for an explanation of the /etc/security.dsc file.

  2. To change a configurable systemwide default, edit the security defaults file, /etc/default/security, with a text editor such as vi. The file is world readable and root writable.

    Each line in the /etc/default/security file is either a comment or attribute configuration information. Comment lines begin with a pound (#) sign. Noncomment lines are in the form of attribute=value pairs, for example, PASSWORD_MAXDAYS=30.

Configuring Per-User Attributes

Use the following commands to configure specific attributes for individual users. When you configure per-user attributes, they override the systemwide defaults.


Changes the attribute for the specified user to override the systemwide default defined in the /etc/default/security file. For an example, see Section , and see userdbset(1M) for more information.


Displays the user-defined values for a specific user or all users. See userdbget(1M) for more information.


Verifies or fixes the user-defined values. See userdbck(1M) for more information.

For example, you can change PASSWORD_MAXDAYS from 60 to 30 days only for user amy. The password for amy is valid for 30 days instead of 60 days. For all other users, the systemwide value of 60 days applies.

Use the following procedure to change an attribute value for a user:

  1. Review the security(4) manpage, which explains the systemwide attributes and values, and how to set a per-user value. Not all attributes have a per-user value.

  2. Review the manpages for the userdbset, userdbget, and userdbck commands.

  3. Decide which users to modify and which attributes will apply to them. For example, you might want to have users in an accounting department change their passwords every 30 days and a classroom of students change their passwords every quarter.

  4. Use the userdbset command to change an attribute for a user.

    The per-user information is stored in a user database in the /var/adm/userdb directory. The user database is described in the userdb(4) manpage.

    You cannot use the userdbset command to configure all attributes. Some per-user values are defined in the /etc/passwd and /etc/shadow files. For more information, see security(4).

  5. Use the userdbget command to get user information.

Examples of Defining User-Specific Attributes with userdbset

In the following example, the userdbset command deletes all user-defined attributes for user joe. When joe logs in, the systemwide defaults in /etc/default/security will then apply to joe.

# /usr/sbin/userdbset -d -u joe

Next, userdbset sets the minimum password length to 7 and sets UMASK to 0022 (octal 022). These changes apply only to joe.

# /usr/sbin/userdbset -u joe MIN_PASSWORD_LENGTH=7 UMASK=0022

In the next example, userdbset displays all attributes for user amy:

# /usr/sbin/userdbget -u amy

In the display, the audit flag is enabled and the last login feature is disabled for amy.

INACTIVITY_MAXDAYS and the Shadow Password File

The INACTIVITY_MAXDAYS attribute defined in the /etc/default/security file controls whether to expire inactive accounts on a systemwide basis. To override the systemwide default and configure INACTIVITY_MAXDAYS on a per-user basis, use the useradd -f command or the usermod -f command. Use the userdel command to delete the per-user configuration. See useradd(1M), usermod(1M), and userdel(1M) manpages for more information.

You cannot use the userdbset command to configure the INACTIVITY_MAXDAYS on a per-user basis. The INACTIVITY_MAXDAYS attribute is related to the inactivity field of the shadow password file. The useradd and usermod commands modify the inactivity field of the shadow password file for the specified user. See the description of INACTIVITY_MAXDAYS in the security(4) manpage for more information.

Troubleshooting the User Database

Use the following procedures to troubleshoot the user database.

Problem 1: A user's security attributes seems to be misconfigured. If you suspect that user information is misconfigured in the user database, run the following command:

# userdbget -u username

The attributes configured for the user username are displayed. If an attribute is misconfigured, reconfigure the attribute.

Problem 2: The user database is not functioning properly. If you need to check the user database, enter the following command:

# userdbck

The userdbck command identifies and repairs problems in the user database.

Printable version
Privacy statement Using this site means you accept its terms Feedback to webmaster
© 2008 Hewlett-Packard Development Company, L.P.