Administrator's Guide

NOTE: Shadow passwords are not supported with LDAP-UX. Instead, LDAP-UX provides
the ability to hide user passwords in the directory server itself. LDAP-UX also enforces
centralized security policies, similar to /etc/shadow, based on the security policy of
the directory server.
Shadow passwords are not supported by the applications that expect passwords to reside
in /etc/passwd.
For more information, see the following manpages:
passwd(1), pwck(1M), pwconv(1M), pwunconv(1M), getspent(3C), putspent(3C),
nsswitch.conf(4), passwd(4), security(4), shadow(4)
2.4.6 Eliminating Pseudo-Accounts and Protecting Key Subsystems in /etc/passwd
By tradition, the /etc/passwd file contains numerous “pseudo-accounts,” which are
entries not associated with individual users and which do not have true interactive login
shells.
Some of these entries, such as date, who, sync, and tty, evolved strictly for user
convenience, providing commands that could be executed without logging in. To tighten
security, they have been eliminated in the distributed /etc/passwd so that these
programs can be run only by a user who is logged in.
Other such entries remain in /etc/passwd because they are owners of files. Programs
with owners such as adm, bin, daemon, hpdb, lp, and uucp encompass entire
subsystems, and represent a special case. Because they grant access to files they protect
or use, these programs must be allowed to function as pseudo-accounts, with entries
listed in /etc/passwd. The customary pseudo- and special accounts are shown in
Example 2-1.
Example 2-1 Pseudo- and Special System Accounts
root::0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:
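As an added example (not from the guide), a small Python audit of passwd(4) entries in the Example 2-1 format: it parses the seven colon-separated fields, classifies each entry as a locked pseudo-account (password field *), shell-less, or a true login account, and flags empty password fields and shared uids. The embedded sample is the Example 2-1 listing above, so the audit reports the root entry's empty password field; the field names and report wording are assumptions of this example.

```python
from collections import namedtuple

# Constructed input: the Example 2-1 entries exactly as the page shows them.
SAMPLE_PASSWD = """root::0:3::/:/sbin/sh
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
uucp:*:5:3::/var/spool/uucppublic:/usr/lbin/uucp/uucico
lp:*:9:7::/var/spool/lp:/sbin/sh
nuucp:*:11:11::/var/spool/uucppublic:/usr/lbin/uucp/uucico
hpdb:*:27:1:ALLBASE:/:/sbin/sh
nobody:*:-2:-2::/:"""

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")

def parse_passwd(text):
    """Parse passwd(4)-style lines: name:passwd:uid:gid:gecos:home:shell."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell))
    return entries

def classify(e):
    # '*' can never match a password hash, so the account only owns files
    # (and can be a setuid target); an empty shell field also blocks login.
    if e.passwd == "*":
        return "locked pseudo-account"
    if e.shell == "":
        return "no login shell"
    return "login account"

def audit(entries):
    """Return {name: [findings]} for entries that weaken the file."""
    findings, seen_uids = {}, {}
    for e in entries:
        problems = []
        if e.passwd == "":
            problems.append("empty password field: login needs no password")
        if e.uid in seen_uids:
            problems.append(f"uid {e.uid} shared with {seen_uids[e.uid]}")
        seen_uids.setdefault(e.uid, e.name)
        if problems:
            findings[e.name] = problems
    return findings
```

Running audit(parse_passwd(open("/etc/passwd").read())) on a real file applies the same checks to the installed entries.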
The key to the privileged status of these subsystems is their ability to grant access to
programs under their jurisdiction without granting root access (uid 0). Instead, the
setuid bit for the executable file is set and the effective user of the process corresponds
2.4 Managing Passwords 45