Understanding account database files
An important distinction between
UNIX systems is how account information is stored.
This affects the interaction of accounts across different
types of UNIX systems, and governs how programs access this data.
The account database files fall into two categories: UNIX system files (those
defined in the System V Interface Definition) and the Trusted
Computing Base (TCB) files that extend System V security.
These files are supported and maintained by the
system to ensure compatibility with other UNIX systems.
System V files:
-
/etc/passwd. This publicly readable file is
present on most UNIX systems and contains both account data
(user ID number, login shell, and so forth)
and (on some systems) an encrypted account password.
Password aging information is also supported.
The format is documented in
passwd(F).
It can be edited by experienced administrators,
but using the Account Manager is the preferred
method for adding and maintaining user accounts --
see
``Editing the /etc/passwd file''.
-
/etc/shadow. This file is readable only by
root. It contains the encrypted password otherwise
found in the /etc/passwd file.
The format is documented in the
shadow(F)
manual page.
This file exists by default in all security profiles except
Low, where it still can be created using
pwconv(ADM).
See
``Configuring the shadow password file''.
-
/etc/default/passwd and /etc/default/login.
These contain default account
information and are documented in
passwd(C)
and
login(M),
respectively.
(In many cases, information in these files
is duplicated in the Protected Password
and System Defaults database.)
TCB files:
-
Protected Password database
(/tcb/files/auth/[a-z]/username).
This database implements the requirements for the C2 level of trust as
defined by the Trusted Computing System Evaluation Criteria (TCSEC).
It contains the encrypted password of the user.
If the user has specific system privileges, password parameters,
and so forth that override the System Defaults database, they are stored here.
The format of this file is described in
authcap(F).
-
System Defaults database (/etc/auth/system/default).
This contains the system-wide account defaults.
The contents of this file are determined by the security profiles
selected (Low, Traditional, Improved, or High).
The contents of this file can be changed dynamically to affect
all user accounts, unless a user has specific values set.
The format of this file is described in the
authcap(F)
manual page.
All database files are updated automatically when a change is made
from the Account Manager or the command line.
NOTE:
In the event of a discrepancy between these files, either
the UNIX System V files or the TCB databases are
used as the master to bring them into agreement.
In the Low and Traditional
security profiles
the UNIX System V files are the master.
You can also configure
which set of files is used as the master set -- see
``Configuring database precedence and recovery''.
Next topic:
Configuring database precedence and recovery
Previous topic:
Security profiles
© 2007 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 05 June 2007