userdbset(1M)

HP-UX 11i Version 2: December 2007 Update

NAME

userdbset — modify information in the user database, /var/adm/userdb

SYNOPSIS

/usr/sbin/userdbset -u name attr=value [attr=value ...]

/usr/sbin/userdbset -d -u name [-i]

/usr/sbin/userdbset -d -u name attr [attr...]

/usr/sbin/userdbset -d -a attr [attr...]

/usr/sbin/userdbset [-u name] -f filename

DESCRIPTION

userdbset modifies the per-user information residing in the user database, /var/adm/userdb. A per-user value in the user database overrides any system-wide default configured in /etc/default/security. See userdb(4) and security(4) for more details about the user database and system-wide defaults, respectively.

If one or more attr=value arguments are specified on the command line, userdbset initializes or modifies each attribute specified by attr to the specified value for the specified user name.

Options

The following options are recognized:

-a

Modify specified attributes for all users.

-d

Delete attributes; the /etc/default/security (see security(4)) system-wide default will then apply. If one or more attr arguments are specified, only those attributes are deleted. Otherwise, if no attr arguments are specified, all configurable attributes are deleted for the specified user name.

-f filename

Import the contents of filename into the user database. Each line in the data file, filename, must be in the following format: username attr=value. The output of userdbget is in this format and can be used as the input file. See the -f example in the EXAMPLES section.

-i

Remove internal attributes in addition to the configurable ones. Internal attributes are not user configurable and are normally modified only by programs that enforce system security. The file /etc/security.dsc indicates which attributes are configurable and which are internal.

-u name

Initialize, modify or delete specified attributes for the specified user name.

Authorizations

In order to invoke userdbset, the user must either be root (running with effective uid of 0) or, if the Role-Based Access Control (RBAC) version B.11.23.04 is installed, have the appropriate authorization(s). Users with the appropriate authorizations can use userdbset to add, modify or delete security attributes for other users, but are prohibited from changing the security attributes for local root users. Only root users can add, modify or delete the security attributes of local root users. When the RBAC B.11.23.04 product is installed, the following is a list of the required authorizations for running userdbset with particular options:

hpux.security.attribute.write,*

Allows the user to invoke userdbset. The user will also need specific authorizations to modify or delete the various attributes in the user database.

hpux.security.attribute.delete, attr

Allows the user to delete the per-user attribute (attr) named in the object of the authorization pair. An object of "*" will allow the user to delete any attribute.

hpux.security.attribute.modify, attr

Allows the user to initialize or modify the per-user attribute (attr) named in the object of the authorization pair. An object of "*" will allow the user to initialize or modify any attribute.

hpux.security.attribute.import,*

Allows the user to import user attributes into the user database using the -f option. Users with this authorization are allowed to import attributes for all users, including local root users.

Notes

userdbset validates attributes and attribute values based on information in /etc/security.dsc. The validation of an attribute fails if:

  • Any specified attr is not listed in /etc/security.dsc.

  • /etc/security.dsc does not allow a per-user value for the attr.

  • name is not a valid user.

  • /etc/security.dsc allows the attr only for local users, and name is not in /etc/passwd.

  • The value of an attr is not within the range specified in /etc/security.dsc.

RETURN VALUE

userdbset exits with one of the following values:

0

success

1

invalid user

2

invalid usage

3

insufficient permission to access the user database

4

file system error

5

invalid attribute; /etc/security.dsc does not allow a per-user value

6

an attribute value is not within the range specified in /etc/security.dsc

7

block overflow

8

entry overflow

9

database lock failure

10

database is disabled; see userdb(4)

11

invalid user name

12

not a local user

EXAMPLES

In the following example, the first command deletes all of the configurable attributes for user joe, while retaining the internal attributes. At this point, the system-wide defaults in /etc/default/security apply. The second command sets joe's minimum password length to 7 and UMASK to 0022 (the leading zero denotes an octal value).

/usr/sbin/userdbset -d -u joe
/usr/sbin/userdbset -u joe MIN_PASSWORD_LENGTH=7 UMASK=0022

The next command deletes the minimum password length, which causes the system-wide default to be used.

/usr/sbin/userdbset -d -u amy MIN_PASSWORD_LENGTH

The following example deletes the user-specific audit flag for all users. The system-wide default will then apply for all users.

/usr/sbin/userdbset -d -a AUDIT_FLAG

The following example saves the configurable attributes for all users (-a option) into a file, saved_attributes.txt, using the userdbget command. If needed, the attributes can then be restored at a later point by importing the file with userdbset. The second command imports the configurable attributes into the user database.

/usr/sbin/userdbget -a > saved_attributes.txt
/usr/sbin/userdbset -f saved_attributes.txt
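
Because the -f import path can change attributes for all users, including local root users, an import file can be checked before it is applied. The following is an added example, not part of the HP-UX reference: it flags lines that do not match the username attr=value format and lines that target a UID 0 account, for review. The function name lint_userdb_import, the one-record-per-line layout, the attribute-name pattern, and the use of UID 0 in a passwd-format file to identify local root users are assumptions.

```shell
#!/bin/sh
# Added example: lint a "userdbset -f" import file before applying it.
# Assumptions (not from the reference page): one "username attr=value" record
# per line, attribute names made of letters, digits and underscores, and
# "local root user" meaning an entry with UID 0 in the passwd-format file.

lint_userdb_import() {
    # $1 = import file, $2 = passwd-format file (default /etc/passwd)
    # Prints one finding per line; returns 1 if any finding was printed.
    awk -v pw="${2:-/etc/passwd}" '
        BEGIN {
            # Collect every account name whose UID field is 0.
            while ((getline line < pw) > 0) {
                split(line, f, ":")
                if (f[3] == "0") uid0[f[1]] = 1
            }
            close(pw)
        }
        /^[ \t]*$/ { next }     # skip blank lines
        NF != 2 || $2 !~ /^[A-Za-z_][A-Za-z0-9_]*=.+$/ {
            printf "MALFORMED line %d: %s\n", NR, $0
            bad = 1
            next
        }
        ($1 in uid0) {
            printf "UID0 line %d: %s\n", NR, $0
            bad = 1
        }
        END { exit bad + 0 }
    ' "$1"
}

# Typical use: refuse to import unless the file is clean.
#   lint_userdb_import saved_attributes.txt && /usr/sbin/userdbset -f saved_attributes.txt
```

Every check here runs before userdbset; the validation against /etc/security.dsc described under Notes still happens at import time.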

FILES

/var/adm/userdb

user database

/etc/default/security

security defaults configuration file

/etc/security.dsc

security attributes description file