Attributes of User and Role Accounts
Warning When Removing User Accounts
Attributes of User and Role Accounts
Each new user and role account has the following attributes defined when the account is added by the System Administrator:
| - | A login name (the username) and identification number (the UID) |
| - | A home directory (a location where the user stores files) |
| - |
A password that authenticates a user or role.
The user enters the user account's password to gain access to the system. Roles do not log in directly. After logging in, an authorized user must enter the role's password in order to be able to assume the role. The initial user's or role's password is either typed in or chosen from a generated list by the administrator. |
| - |
A login shell
Roles always have an adminstrator's shell assigned. (An administrator's shell is any of the profile shells described on the pfexec(1M) man page.) By default, user accounts have the Bourne shell, sh(1), assigned when the account is created using the Add User Wizard. The System Administrator can create a template that assigns another shell, either by choosing C Shell, Korn Shell, BASH, T Shell, Z Shell, or Other from the menu. Selecting Other allows the administrator to type in the pathname of one of the profile shells, /bin/pfsh, /bin/pfcsh, or /bin/pfksh, or of any other shell. |
| - | A mailbox (a file on the mail server that holds unread mail--the "inbox") |
| - | Membership in a primary group and in optional supplementary groups |
Each Trusted Solaris user and role account also has the following extended attributes:
| - |
A method for choosing a new password:
either automatic (machine-generated passwords), or
manual (user-chosen passwords)
The password
can be changed as follows:
|
| - |
A set of password options expressed in days:
|
| - | A clearance (the highest label at which the user can work) |
| - |
A minimum label (the lowest label at which the user can work)
NOTE: The clearance and the minimum label together define the set of labels at which the user can work. |
| - | Two label viewing-related options that specify whether labels are shown or hidden overall, and if labels are shown, whether the user is allowed to see the administrative labels ADMIN_LOW and ADMIN_HIGH |
| - | An idle time, which specifies how long the workstation can remain inactive before the "idle command" (next item) is performed |
| - | An idle command, which specifies whether to lock the screen or logout if the workstation is idle more than the length of time specified in "idle time" (previous item) |
| - | A type, either "normal" or "role" |
| - | Optional: for users, one or more roles that the user can assume |
| - | Mandatory for roles and optional for users: one or more rights profiles |
NOTE: Default values for most of the extended attributes are implictly applied to user accounts if the Security Administrator does not specify other values. The policy.conf(4) file contains system-wide defaults for the idle action and idle time, the label view, the method of password generation, and whether the account is locked after a specified number of failed login attempts with the wrong password. The default policy.conf file also assigns the Basic Solaris User rights profile to all users. If desired, Security Administrator can modify policy.conf to change the defaults or to assign one or more system-wide authorizations using the AUTHS_GRANTED= keyword.For more about any of the above terms and concepts, see the Solaris System Administration Guide and the Trusted Solaris Administration Overview, Administrator's Procedures, and Label Administration manuals, which are available on the AnswerBook CDs shipped with the system and atThe default label attributes (minimum label, clearance, default label view, and whether labels are hidden) are specified by the Security Administrator in the label_encodings(4) file.
http://docs.sun.com.
Also see About User and Role Account Management, Getting Started With Users Tools, and Rights of Users and Roles.
Top ^When you add a user or role, User Manager and Role Manager set up the user's or role's home directory by doing the following:
/ directory, which is a regular directory (not an MLD) at ADMIN_LOW because root only has the single label of ADMIN_LOW assigned.
/etc/skel to the home directory
auto_home database if the home directory
is specified to be automounted. The home directory
is then automatically mounted on a mount point that is usually named /home/username).
NOTE: When you add a user, if the User Manager is unable to contact the specified home directory server, a message tells you the user was added but the home directory could not be created. See Home Directory Not Created in Troubleshooting.
Even if the user account that is being deleted has one of these directories
as its home directory, the following directories cannot be removed:
/,
/etc, /usr, /home, /var,
/opt, /tmp, and /proc.
/etc/skel directory
contains default initialization files to be copied into the account's home directory. The administrator can modify the files in the directory or add
additional files.
In Trusted Solaris, any files in the skeleton directory are
copied into the first SLD created at the account's minimum label.
The user or role can then modify the files.
NOTE:The user or role
should create a copy_files(4) or link_files(4)
file in the initial SLD to list the initialization files that need to
be copied or linked into subsequent SLDs created for the user.
Without the initialization files for the user's shell being
available in the subsequent SLDs, the user's environment
cannot be created properly when the user works at any other
label.
The default files are copied and renamed as follows.
| Original Name | Name After Copy |
|---|---|
local.login
|
.login
|
local.cshrc
|
.cshrc
|
local.profile
|
.profile
|
Trusted Solaris provides an /etc/skel/tsol directory for role's initialization files, which are copied to the role's home directories and renamed:
| Original Name | Name After Copy |
|---|---|
role.link_files
|
.link_files
|
role.profile
|
.profile
|
For additional information about user initialization files, see "Customizing a User's Work Environment" in the Solaris System Administration Guide. Several important differences exist in Trusted Solaris in how initialization files are used, as described in "Managing Startup Files" in the Trusted Solaris Administration Overview.
Top ^The initialization file sourced at login are:
| Shells | Initialization Files |
|---|---|
| C shell, csh(1M), and Adminstrator's C shell, pfcsh(1M) | /etc/.login and $HOME/.login |
| Bourne shell, sh(1M), Korn shell, ksh(1M), Adminstrator's Bourne shell, pfsh(1M), and Administrator's Korn shell, pfksh(1M) | /etc/.profile and $HOME/.profile |
The initialization files that are sourced when any terminal except dtterm(1) launches a shell are:
| Shells | Initialization Files |
|---|---|
| C shell, csh(1M), and Adminstrator's C shell, pfcsh(1M) | $HOME/.cshrc and $HOME/.login |
| Bourne shell, sh(1M), and Adminstrator's Bourne shell, pfsh(1M) | $HOME/.profile |
| Korn shell, ksh(1M), and Administrator's Korn shell, pfksh(1M) | $HOME/.profile, and file specified with ENV variable |
NOTE: To force dtterm to launch a new shell as a login shell,
the administrator or the user can make sure that a
.Xdefaults-<hostname>
file (with "hostname"
replaced with the hostname of the home directory server) is in the account's home directory
with the following entry:
Dtterm*/LoginShell: true
Any files added to the skeleton directory are copied without being renamed. Recommended additions are shown in the table below:
| File | What to Include in the Files |
|---|---|
.Xdefaults-<hostname>
|
Dtterm*LoginShell: true
|
.copy_files
.link_files
|
List the
.Xdefaults-<hostname>
and any other files that should be copied or linked
to subsequent home directory SLDs.
|
User ID numbers 0 through 99 are reserved for system accounts. If you specify a new system account, you can assign it one of these UIDs, but you should not use these UIDs for regular user accounts.
By definition, root is always UID 0, daemon
is UID 1, and pseudo-user bin has UID 2.
nobody, UID 60002 is noaccess, and UID 65534 is nobody4.