--- etc/login.defs
+++ etc/login.defs 2012/11/13 16:30:57
@@ -1,8 +1,6 @@
 #
 # /etc/login.defs - Configuration control definitions for the shadow package.
 #
-# $Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $
-#
 
 #
 # Delay in seconds before being allowed another attempt after a login failure
@@ -12,11 +10,6 @@
 FAIL_DELAY 3
 
 #
-# Enable logging and display of /var/log/faillog login failure info.
-#
-FAILLOG_ENAB yes
-
-#
 # Enable display of unknown usernames when login failures are recorded.
 #
 LOG_UNKFAIL_ENAB no
@@ -27,34 +20,6 @@
 LOG_OK_LOGINS no
 
 #
-# Enable logging and display of /var/log/lastlog login time info.
-#
-LASTLOG_ENAB yes
-
-#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd gecos field.
-#
-QUOTAS_ENAB yes
-
-#
 # Enable "syslog" logging of su activity - in addition to sulog file logging.
 # SYSLOG_SG_ENAB does the same for newgrp and sg.
 #
@@ -82,75 +47,31 @@
 #MOTD_FILE /etc/motd:/usr/lib/news/news-motd
 
 #
-# If defined, this file will be output before each login prompt.
-#
-#ISSUE_FILE /etc/issue
-
-#
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format something like "vt100 tty01".
 #
 #TTYTYPE_FILE /etc/ttytype
 
 #
-# If defined, login failures will be logged here in a utmp format.
-# last, when invoked as lastb, will read /var/log/btmp, so...
-#
-FTMP_FILE /var/log/btmp
-
-#
-# If defined, name of file whose presence which will inhibit non-root
-# logins. The contents of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE /etc/nologin
-
-#
-# If defined, the command name to display when running "su -". For
-# example, if this is defined as "su" then a "ps" will display the
-# command is "-su". If not defined, then "ps" would display the
-# name of the shell actually being run, e.g. something like "-sh".
-#
-SU_NAME su
-
-#
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR /var/spool/mail
-#MAIL_FILE .mail
-
-#
 # If defined, file which inhibits all the usual chatter during the login
 # sequence. If a full pathname, then hushed mode will be enabled if the
 # user's name or shell are found in the file. If not a full pathname, then
 # hushed mode will be enabled if the file exists in the user's home directory.
 #
-HUSHLOGIN_FILE .hushlogin
-#HUSHLOGIN_FILE /etc/hushlogins
-
-#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ TZ=CST6CDT
-#ENV_TZ /etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ HZ=100
-# For Linux/Alpha...
-#ENV_HZ HZ=1024
+#HUSHLOGIN_FILE .hushlogin
+HUSHLOGIN_FILE /etc/hushlogins
 
 #
 # *REQUIRED* The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
 ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH PATH=/bin:/usr/bin
+ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin
+
+#
+# The default PATH settings for root (used by login):
+#
+ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin
 
 #
 # Terminal permissions
@@ -164,24 +85,20 @@
 # TTYPERM to either 622 or 600.
 #
 TTYGROUP tty
-TTYPERM 0600
+TTYPERM 0620
 
 #
 # Login configuration initializations:
 #
 # ERASECHAR Terminal ERASE character ('\010' = backspace).
 # KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-# ULIMIT Default "ulimit" value.
 #
 # The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
 #
 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
 #
 ERASECHAR 0177
 KILLCHAR 025
-#ULIMIT 2097152
 
 # Default initial "umask" value used by login on non-PAM enabled systems.
 # Default "umask" value for pam_umask on PAM enabled systems.
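Review bot: The new `ENV_ROOTPATH /sbin:/bin:/usr/sbin:/usr/bin` is written as a bare path list, while the neighbouring `ENV_SUPATH` and `ENV_PATH` keys carry a `PATH=` prefix, and the comment "(used by login)" does not say how it relates to `ENV_SUPATH`, which the `*REQUIRED*` comment just above already presents as the superuser PATH. Whichever form the consumer expects, the two keys should document which one applies to a uid 0 login and whether the prefix is required; I would extend the new comment with `# Unlike ENV_SUPATH this value is a plain path list (no PATH= prefix); confirm which key login(1) honours for root.` once that is checked. The same hunk moves `/usr/local/bin` to the front of every ordinary user's default PATH, which changes which binary wins on a name clash and deserves a one-line comment stating that it is intended. The enclosing PATH block starts on the previous physical line of this hunk; it is complete here.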
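Review bot: `TTYPERM 0620` grants group write on every login tty, so the setting is only as safe as the membership of the `tty` group named by `TTYGROUP`; the visible context line `# TTYPERM to either 622 or 600.` now describes the alternative rather than the chosen value, and the comment block that presumably justifies 0620 (a setgid-tty write/wall helper) lies above the hunk, outside it. I would add directly above the key: `# 0620: group tty may write to the terminal (for setgid-tty helpers); keep ordinary users out of group tty.` The remaining lines of this hunk only drop the ULIMIT documentation and its commented-out key and need no further note.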
@@ -197,49 +114,44 @@
 #
 # PASS_MAX_DAYS Maximum number of days a password may be used.
 # PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_MIN_LEN Minimum acceptable password length.
 # PASS_WARN_AGE Number of days warning given before a password expires.
 #
 PASS_MAX_DAYS 99999
 PASS_MIN_DAYS 0
-PASS_MIN_LEN 5
 PASS_WARN_AGE 7
 
 #
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts. If the group doesn't exist or is empty, no one
-# will be able to "su" to uid 0.
-#
-SU_WHEEL_ONLY no
-
-#
-# If compiled with cracklib support, where are the dictionaries
-#
-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
-
-#
 # Min/max values for automatic uid selection in useradd
 #
+# SYS_UID_MIN to SYS_UID_MAX inclusive is the range for
+# UIDs for dynamically allocated administrative and system accounts.
+# UID_MIN to UID_MAX inclusive is the range of UIDs of dynamically
+# allocated user accounts.
+#
 UID_MIN 1000
 UID_MAX 60000
 # System accounts
-SYS_UID_MIN 101
-SYS_UID_MAX 999
+SYS_UID_MIN 100
+SYS_UID_MAX 499
 
 #
 # Min/max values for automatic gid selection in groupadd
 #
+# SYS_GID_MIN to SYS_GID_MAX inclusive is the range for
+# GIDs for dynamically allocated administrative and system groups.
+# GID_MIN to GID_MAX inclusive is the range of GIDs of dynamically
+# allocated groups.
+#
 GID_MIN 1000
 GID_MAX 60000
 # System accounts
-SYS_GID_MIN 101
-SYS_GID_MAX 999
+SYS_GID_MIN 100
+SYS_GID_MAX 499
 
 #
 # Max number of login retries if password is bad
 #
-LOGIN_RETRIES 5
+LOGIN_RETRIES 3
 
 #
 # Max time in seconds for login
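Review bot: The new `SYS_UID_MAX 499` / `SYS_GID_MAX 499` together with the unchanged `UID_MIN 1000` / `GID_MIN 1000` leave IDs 500–999 outside both dynamic ranges, and the comment added just above `UID_MIN` describes the two ranges without saying whether that gap is deliberate (for statically assigned IDs, or for IDs created before this change). If it is, state it, e.g. `# 500-999 are intentionally left unallocated for manually assigned IDs.`; if not, one of the two ranges should be extended so useradd never exhausts the narrower system range. The same hunk drops `PASS_MIN_LEN 5` and `CRACKLIB_DICTPATH`, which were the only password-quality controls in this file, without a replacement line; if that enforcement now lives elsewhere (presumably PAM), a one-line comment in the `PASS_*` block saying so would stop the next admin from assuming there is no minimum. `LOGIN_RETRIES 3` is a tightening and needs no note.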
@@ -247,28 +159,6 @@
 LOGIN_TIMEOUT 60
 
 #
-# Maximum number of attempts to change password if rejected (too easy)
-#
-PASS_CHANGE_TRIES 5
-
-#
-# Warn about weak passwords (but still allow them) if you are root.
-#
-PASS_ALWAYS_WARN yes
-
-#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
-#
-#PASS_MAX_LEN 8
-
-#
-# Require password before chfn/chsh can make any changes.
-#
-CHFN_AUTH yes
-
-#
 # Which fields may be changed by regular users using chfn - use
 # any combination of letters "frwh" (full name, room number, work
 # phone, home phone). If not defined, no changes are allowed.
@@ -277,13 +167,6 @@
 CHFN_RESTRICT rwh
 
 #
-# Password prompt (%s will be replaced by user name).
-#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING "%s's Password: "
-
-#
 # Only works if compiled with MD5_CRYPT defined:
 # If set to "yes", new passwords will be encrypted using the MD5-based
 # algorithm compatible with the one used by recent releases of FreeBSD.
@@ -345,16 +228,12 @@
 DEFAULT_HOME yes
 
 #
-# If this file exists and is readable, login environment will be
-# read from it. Every line should be in the form name=value.
-#
-ENVIRON_FILE /etc/environment
-
-#
 # If defined, this command is run when removing a user.
 # It should remove any at/cron/print jobs etc. owned by
 # the user to be removed (passed as the first argument).
 #
+# See USERDEL_PRECMD/POSTCMD below.
+#
 #USERDEL_CMD /usr/sbin/userdel_local
 
 #
@@ -364,7 +243,7 @@
 #
 # This also enables userdel to remove user groups if no members exist.
 #
-USERGROUPS_ENAB yes
+USERGROUPS_ENAB no
 
 #
 # If set to a non-nul number, the shadow utilities will make sure that
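Review bot: `USERGROUPS_ENAB no` in the `@@ -364,7` hunk changes the primary group of every account useradd creates from a private per-user group to whatever default group the tool falls back to, and by the visible context line `# This also enables userdel to remove user groups if no members exist.` it also stops userdel from cleaning such groups up; the hunk gives no reason and no comment on the umask consequence (upstream ties the group bits of the umask to this setting, but that part of the comment block is above the hunk, so confirm). I would add directly above the key: `# no: new users join the default group instead of a private group; review UMASK, since group bits now apply to shared groups.` The other hunks on this line (`@@ -247`, `@@ -277`) are pure deletions, and `@@ -345` only adds a cross-reference comment; none needs a note.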
@@ -383,5 +262,41 @@
 # This option is overridden with the -M or -m flags on the useradd command
 # line.
 #
-#CREATE_HOME yes
+CREATE_HOME no
+
+#
+# User/group names must match the following regex expression.
+# The default is [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?,
+# but be aware that the result could depend on the locale settings.
+#
+#CHARACTER_CLASS [A-Za-z_][A-Za-z0-9_.-]*[A-Za-z0-9_.$-]\?
+CHARACTER_CLASS [ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_][ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.-]*[ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_.$-]\?
+
+#
+# If defined, this command is run when adding a group.
+# It should rebuild any NIS database etc. to add the
+# new created group.
+#
+GROUPADD_CMD /usr/sbin/groupadd.local
+
+#
+# If defined, this command is run when adding a user.
+# It should rebuild any NIS database etc. to add the
+# new created account.
+#
+USERADD_CMD /usr/sbin/useradd.local
+
+#
+# If defined, this command is run before removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed.
+#
+USERDEL_PRECMD /usr/sbin/userdel-pre.local
+
+#
+# If defined, this command is run after removing a user.
+# It should rebuild any NIS database etc. to remove the
+# account from it.
+#
+USERDEL_POSTCMD /usr/sbin/userdel-post.local
 
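Review bot: The four new hook keys (`GROUPADD_CMD`, `USERADD_CMD`, `USERDEL_PRECMD`, `USERDEL_POSTCMD`) point at `/usr/sbin/*.local` scripts that this change does not ship, and each hook is presumably executed with the privileges of the account tool that runs it, i.e. root, so the existence, ownership and permissions of those four files become part of the account-management trust boundary; the comments should say what the tool does when the file is absent and that it must be root-owned and not group- or world-writable. Unlike the `USERDEL_CMD` comment in the earlier hunk, which says `the user to be removed (passed as the first argument)`, the `USERDEL_PRECMD`/`USERDEL_POSTCMD` comments do not state what the hook receives; if the invocation is the same, add `# (the user name is passed as the first argument)` to both, and the equivalent to the two add hooks. The literal `CHARACTER_CLASS` value is consistent with the locale caveat in its own comment and needs no change.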