#
-# /etc/login.defs - Configuration control definitions for the shadow package.
+# /etc/login.defs - Configuration control definitions for the login package.
#
-# $Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $
+# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
+# If unspecified, some arbitrary (and possibly incorrect) value will
+# be assumed. All other items are optional - if not specified then
+# the described action or option will be inhibited.
#
-
-#
-# Delay in seconds before being allowed another attempt after a login failure
-# Note: When PAM is used, some modules may enfore a minimal delay (e.g.
-# pam_unix enforces a 2s delay)
+# Comment lines (lines beginning with "#") and blank lines are ignored.
#
-FAIL_DELAY 3
+
+# REQUIRED for useradd/userdel/usermod
+# Directory where mailboxes reside, _or_ name of file, relative to the
+# home directory. If you _do_ define MAIL_DIR and MAIL_FILE,
+# MAIL_DIR takes precedence.
+#
+# Essentially:
+# - MAIL_DIR defines the location of users mail spool files
+# (for mbox use) by appending the username to MAIL_DIR as defined
+# below.
+# - MAIL_FILE defines the location of the users mail spool files as the
+# fully-qualified filename obtained by prepending the user home
+# directory before $MAIL_FILE
+#
+# NOTE: This is no more used for setting up users MAIL environment variable
+# which is, starting from shadow 4.0.12-1 in Debian, entirely the
+# job of the pam_mail PAM modules
+# See default PAM configuration files provided for
+# login, su, etc.
+#
+# This is a temporary situation: setting these variables will soon
+# move to /etc/default/useradd and the variables will then be
+# no more supported
+MAIL_DIR /var/mail
+#MAIL_FILE .mail
#
# Enable logging and display of /var/log/faillog login failure info.
+# This option conflicts with the pam_tally PAM module.
#
FAILLOG_ENAB yes
#
# Enable display of unknown usernames when login failures are recorded.
#
+# WARNING: Unknown usernames may become world readable.
+# See #290803 and #298773 for details about how this could become a security
+# concern
LOG_UNKFAIL_ENAB no
#
#
LOG_OK_LOGINS no
-#
-# Enable logging and display of /var/log/lastlog login time info.
-#
-LASTLOG_ENAB yes
-
-#
-# Enable checking and display of mailbox status upon login.
-#
-# Disable if the shell startup files already check for mail
-# ("mailx -e" or equivalent).
-#
-MAIL_CHECK_ENAB yes
-
-#
-# Enable additional checks upon password changes.
-#
-OBSCURE_CHECKS_ENAB yes
-
-#
-# Enable checking of time restrictions specified in /etc/porttime.
-#
-PORTTIME_CHECKS_ENAB yes
-
-#
-# Enable setting of ulimit, umask, and niceness from passwd gecos field.
-#
-QUOTAS_ENAB yes
-
#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
SYSLOG_SU_ENAB yes
SYSLOG_SG_ENAB yes
-#
-# If defined, either full pathname of a file containing device names or
-# a ":" delimited list of device names. Root logins will be allowed only
-# upon these devices.
-#
-CONSOLE /etc/securetty
-#CONSOLE console:tty01:tty02:tty03:tty04
-
#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE /var/log/sulog
-#
-# If defined, ":" delimited list of "message of the day" files to
-# be displayed upon login.
-#
-MOTD_FILE /etc/motd
-#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
-
-#
-# If defined, this file will be output before each login prompt.
-#
-#ISSUE_FILE /etc/issue
-
#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100 tty01".
#TTYTYPE_FILE /etc/ttytype
#
-# If defined, login failures will be logged here in a utmp format.
+# If defined, login failures will be logged here in a utmp format
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE /var/log/btmp
-#
-# If defined, name of file whose presence which will inhibit non-root
-# logins. The contents of this file should be a message indicating
-# why logins are inhibited.
-#
-NOLOGINS_FILE /etc/nologin
-
#
# If defined, the command name to display when running "su -". For
# example, if this is defined as "su" then a "ps" will display the
#
SU_NAME su
-#
-# *REQUIRED*
-# Directory where mailboxes reside, _or_ name of file, relative to the
-# home directory. If you _do_ define both, MAIL_DIR takes precedence.
-#
-MAIL_DIR /var/mail
-#MAIL_FILE .mail
-
#
# If defined, file which inhibits all the usual chatter during the login
# sequence. If a full pathname, then hushed mode will be enabled if the
HUSHLOGIN_FILE .hushlogin
#HUSHLOGIN_FILE /etc/hushlogins
-#
-# If defined, either a TZ environment parameter spec or the
-# fully-rooted pathname of a file containing such a spec.
-#
-#ENV_TZ TZ=CST6CDT
-#ENV_TZ /etc/tzname
-
-#
-# If defined, an HZ environment parameter spec.
-#
-# for Linux/x86
-ENV_HZ HZ=100
-# For Linux/Alpha...
-#ENV_HZ HZ=1024
-
#
# *REQUIRED* The default PATH settings, for superuser and normal users.
#
# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
+# In Debian /usr/bin/bsd-write or similar programs are setgid tty
+# However, the default and recommended value for TTYPERM is still 0600
+# to not allow anyone to write to anyone else console or terminal
+
+# Users can still allow other people to write them by issuing
+# the "mesg y" command.
+
TTYGROUP tty
TTYPERM 0600
#
# ERASECHAR Terminal ERASE character ('\010' = backspace).
# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
-# ULIMIT Default "ulimit" value.
+# UMASK Default "umask" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
-# The ULIMIT is used only if the system supports it.
-# (now it works with setrlimit too; ulimit is in 512-byte units)
+#
+# UMASK is the default umask value for pam_umask and is used by
+# useradd and newusers to set the mode of the new home directories.
+# 022 is the "historical" value in Debian for UMASK
+# 027, or even 077, could be considered better for privacy
+# There is no One True Answer here : each sysadmin must make up his/her
+# mind.
+#
+# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
+# for private user groups, i. e. the uid is the same as gid, and username is
+# the same as the primary group name: for these, the user permissions will be
+# used as group permissions, e. g. 022 will become 002.
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR 0177
KILLCHAR 025
-#ULIMIT 2097152
-
-# Default initial "umask" value used by login on non-PAM enabled systems.
-# Default "umask" value for pam_umask on PAM enabled systems.
-# UMASK is also used by useradd and newusers to set the mode of new home
-# directories.
-# 022 is the default value, but 027, or even 077, could be considered
-# better for privacy. There is no One True Answer here: each sysadmin
-# must make up her mind.
-UMASK 022
+UMASK 077
#
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
-# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
-PASS_MIN_LEN 5
PASS_WARN_AGE 7
-#
-# If "yes", the user must be listed as a member of the first gid 0 group
-# in /etc/group (called "root" on most Linux systems) to be able to "su"
-# to uid 0 accounts. If the group doesn't exist or is empty, no one
-# will be able to "su" to uid 0.
-#
-SU_WHEEL_ONLY no
-
-#
-# If compiled with cracklib support, where are the dictionaries
-#
-CRACKLIB_DICTPATH /var/cache/cracklib/cracklib_dict
-
#
# Min/max values for automatic uid selection in useradd
#
SYS_GID_MAX 999
#
-# Max number of login retries if password is bad
+# Max number of login retries if password is bad. This will most likely be
+# overriden by PAM, since the default pam_unix module has it's own built
+# in of 3 retries. However, this is a safe fallback in case you are using
+# an authentication module that does not enforce PAM_MAXTRIES.
#
LOGIN_RETRIES 5
LOGIN_TIMEOUT 60
#
-# Maximum number of attempts to change password if rejected (too easy)
+# Which fields may be changed by regular users using chfn - use
+# any combination of letters "frwh" (full name, room number, work
+# phone, home phone). If not defined, no changes are allowed.
+# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
+#
+CHFN_RESTRICT rwh
+
+#
+# Should login be allowed if we can't cd to the home directory?
+# Default in no.
#
-PASS_CHANGE_TRIES 5
+DEFAULT_HOME yes
#
-# Warn about weak passwords (but still allow them) if you are root.
+# If defined, this command is run when removing a user.
+# It should remove any at/cron/print jobs etc. owned by
+# the user to be removed (passed as the first argument).
#
-PASS_ALWAYS_WARN yes
+#USERDEL_CMD /usr/sbin/userdel_local
#
-# Number of significant characters in the password for crypt().
-# Default is 8, don't change unless your crypt() is better.
-# Ignored if MD5_CRYPT_ENAB set to "yes".
+# If set to yes, userdel will remove the user's group if it contains no
+# more members, and useradd will create by default a group with the name
+# of the user.
+#
+# Other former uses of this variable such as setting the umask when
+# user==primary group are not used in PAM environments, such as Debian
#
-#PASS_MAX_LEN 8
+USERGROUPS_ENAB yes
#
-# Require password before chfn/chsh can make any changes.
+# Instead of the real user shell, the program specified by this parameter
+# will be launched, although its visible name (argv[0]) will be the shell's.
+# The program may do whatever it wants (logging, additional authentification,
+# banner, ...) before running the actual shell.
#
-CHFN_AUTH yes
+# FAKE_SHELL /bin/fakeshell
#
-# Which fields may be changed by regular users using chfn - use
-# any combination of letters "frwh" (full name, room number, work
-# phone, home phone). If not defined, no changes are allowed.
-# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
-#
-CHFN_RESTRICT rwh
+# If defined, either full pathname of a file containing device names or
+# a ":" delimited list of device names. Root logins will be allowed only
+# upon these devices.
+#
+# This variable is used by login and su.
+#
+CONSOLE /etc/securecty
+#CONSOLE console:tty01:tty02:tty03:tty04
#
-# Password prompt (%s will be replaced by user name).
+# List of groups to add to the user's supplementary group set
+# when logging in on the console (as determined by the CONSOLE
+# setting). Default is none.
+#
+# Use with caution - it is possible for users to gain permanent
+# access to these groups, even when not logged in on the console.
+# How to do it is left as an exercise for the reader...
+#
+# This variable is used by login and su.
#
-# XXX - it doesn't work correctly yet, for now leave it commented out
-# to use the default which is just "Password: ".
-#LOGIN_STRING "%s's Password: "
+#CONSOLE_GROUPS floppy:audio:cdrom
#
-# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm. Default is "no".
#
-# Note: If you use PAM, it is recommended to use a value consistent with
-# the PAM modules configuration.
-#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB no
#
-# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
-# Note: If you use PAM, it is recommended to use a value consistent with
+# Note: It is recommended to use a value consistent with
# the PAM modules configuration.
#
-#ENCRYPT_METHOD DES
+ENCRYPT_METHOD SHA512
#
-# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
+# Only used if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000
-#
-# List of groups to add to the user's supplementary group set
-# when logging in on the console (as determined by the CONSOLE
-# setting). Default is none.
-#
-# Use with caution - it is possible for users to gain permanent
-# access to these groups, even when not logged in on the console.
-# How to do it is left as an exercise for the reader...
-#
-#CONSOLE_GROUPS floppy:audio:cdrom
-
-#
-# Should login be allowed if we can't cd to the home directory?
-# Default in no.
-#
-DEFAULT_HOME yes
-
-#
-# If this file exists and is readable, login environment will be
-# read from it. Every line should be in the form name=value.
-#
-ENVIRON_FILE /etc/environment
-
-#
-# If defined, this command is run when removing a user.
-# It should remove any at/cron/print jobs etc. owned by
-# the user to be removed (passed as the first argument).
-#
-#USERDEL_CMD /usr/sbin/userdel_local
-
-#
-# Enable setting of the umask group bits to be the same as owner bits
-# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
-# the same as gid, and username is the same as the primary group name.
-#
-# This also enables userdel to remove user groups if no members exist.
-#
-#USERGROUPS_ENAB yes
-
-#
-# If set to a non-nul number, the shadow utilities will make sure that
-# groups never have more than this number of users on one line.
-# This permit to support split groups (groups split into multiple lines,
-# with the same group ID, to avoid limitation of the line length in the
-# group file).
-#
-# 0 is the default value and disables this feature.
-#
-#MAX_MEMBERS_PER_GROUP 0
-
-#
-# If useradd should create home directories for users by default (non
-# system users only)
-# This option is overridden with the -M or -m flags on the useradd command
-# line.
-#
-#CREATE_HOME yes
-
+################# OBSOLETED BY PAM ##############
+# #
+# These options are now handled by PAM. Please #
+# edit the appropriate file in /etc/pam.d/ to #
+# enable the equivelants of them. #
+# #
+#################################################
+
+#MOTD_FILE
+#DIALUPS_CHECK_ENAB
+#LASTLOG_ENAB
+#MAIL_CHECK_ENAB
+#OBSCURE_CHECKS_ENAB
+#PORTTIME_CHECKS_ENAB
+#SU_WHEEL_ONLY
+#CRACKLIB_DICTPATH
+#PASS_CHANGE_TRIES
+#PASS_ALWAYS_WARN
+#ENVIRON_FILE
+#NOLOGINS_FILE
+#ISSUE_FILE
+#PASS_MIN_LEN
+#PASS_MAX_LEN
+#ULIMIT
+#ENV_HZ
+#CHFN_AUTH
+#CHSH_AUTH
+#FAIL_DELAY
+
+################# OBSOLETED #######################
+# #
+# These options are no longer handled by shadow. #
+# #
+# Shadow utilities will display a warning if they #
+# still appear. #
+# #
+###################################################
+
+#CLOSE_SESSIONS
+#LOGIN_STRING
+#NO_PASSWORD_CONSOLE
+#QMAIL_DIR
TLD / packages / shadow.git / commitdiff