Re: /etc/default/security versus /var/adm/userdb (233 Views)
Reply
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 1 of 4 (266 Views)
Accepted Solution

/etc/default/security versus /var/adm/userdb

"security" is system wide while "userdb" will individually override "security". Can anyone give a good case for allowing the use of userdb, i.e., is it used for "roles"?

 

Thanks.

Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 2 of 4 (244 Views)

Re: /etc/default/security versus /var/adm/userdb

You'd think, that with 20+ views, an answer would be forthcoming. Or is everyone just "cherry picking" Q&A postings?

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: ‎12-02-2001
Message 3 of 4 (235 Views)

Re: /etc/default/security versus /var/adm/userdb

Example 1:

You have an application that is being run on a particular user account. The application requires that the account must not be disabled, but nobody is supposed to directly login to that account. You have used sshd_config, PAM configuration and/or other means to prevent anybody from directly logging on as the application user.

 

There is a requirement that all users' passwords must expire in 90-day intervals. After implementing this system-wide using /etc/default/security, this requirement applies to the application user too. So now you have a time-bomb in your system: you must refresh the password on the application user account, even though you have blocked any possibility to actually login with that account. If you don't do this, the application stops working.

 

Solution: after a careful consideration and documentation of your precautions, use userdb to waive the 90-day password renewal requirement for the application user account only.

 

Example 2:

You have a standard policy that requires all users' passwords to expire in 90-day intervals, implemented in /etc/default/security.

Then the cranky old CIO says: "I don't want to deal with this. Make it so I don't have to."

MK
Super Advisor
john guardian
Posts: 309
Registered: ‎09-26-2003
Message 4 of 4 (233 Views)

Re: /etc/default/security versus /var/adm/userdb

Thx. Just needed some outside confirmation. Unfortunately, management doesn't "trust" its own people; they need to see the answer coming from an impartial, external source to believe it.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.