[packages/shadow.git] / shadow-login.defs

#
# /etc/login.defs - Configuration control definitions for the login package.
#
#	$Id$
#
# Three items must be defined:  MAIL_DIR, ENV_SUPATH, and ENV_PATH.
# If unspecified, some arbitrary (and possibly incorrect) value will
# be assumed.  All other items are optional - if not specified then
# the described action or option will be inhibited.
#
# Comment lines (lines beginning with "#") and blank lines are ignored.
#
# Modified for Linux.  --marekm

#
# Delay in seconds before being allowed another attempt after a login failure
#
FAIL_DELAY		3

#
# Enable logging and display of /var/log/faillog login failure info.
#
FAILLOG_ENAB		yes

#
# Enable display of unknown usernames when login failures are recorded.
#
LOG_UNKFAIL_ENAB	no

#
# Enable logging of successful logins
#
LOG_OK_LOGINS		no

#
# Enable logging and display of /var/log/lastlog login time info.
#
LASTLOG_ENAB		yes

#
# Enable checking and display of mailbox status upon login.
#
# Disable if the shell startup files already check for mail
# ("mailx -e" or equivalent).
#
MAIL_CHECK_ENAB		yes

#
# Enable additional checks upon password changes.
#
OBSCURE_CHECKS_ENAB	yes

#
# Enable checking of time restrictions specified in /etc/porttime.
#
PORTTIME_CHECKS_ENAB	yes

#
# Enable setting of ulimit, umask, and niceness from passwd gecos field.
#
QUOTAS_ENAB		yes

#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes

#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names.  Root logins will be allowed only
# upon these devices.
#
CONSOLE		/etc/securetty
#CONSOLE	console:tty01:tty02:tty03:tty04

#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE	/var/log/sulog

#
# If defined, ":" delimited list of "message of the day" files to
# be displayed upon login.
#
MOTD_FILE	/etc/motd
#MOTD_FILE	/etc/motd:/usr/lib/news/news-motd

#
# If defined, this file will be output before each login prompt.
#
#ISSUE_FILE	/etc/issue

#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100  tty01".
#
#TTYTYPE_FILE	/etc/ttytype

#
# If defined, login failures will be logged here in a utmp format.
# last, when invoked as lastb, will read /var/log/btmp, so...
#
FTMP_FILE	/var/log/btmpx

#
# If defined, name of file whose presence which will inhibit non-root
# logins.  The contents of this file should be a message indicating
# why logins are inhibited.
#
NOLOGINS_FILE	/etc/nologin

#
# If defined, the command name to display when running "su -".  For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su".  If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME		su

#
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR	Maildir
MAIL_DIR	/var/mail
#MAIL_FILE	.mail

#
# If defined, file which inhibits all the usual chatter during the login
# sequence.  If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file.  If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE	.hushlogin
#HUSHLOGIN_FILE	/etc/hushlogins

#
# If defined, the presence of this value in an /etc/passwd "shell" field will
# disable logins for that user, although "su" will still be allowed.
#
# XXX this does not seem to be implemented yet...  --marekm
# no, it was implemented but I ripped it out ;-) -- jfh
NOLOGIN_STR	NOLOGIN

#
# If defined, either a TZ environment parameter spec or the
# fully-rooted pathname of a file containing such a spec.
#
#ENV_TZ		TZ=CST6CDT
#ENV_TZ		/etc/tzname

#
# If defined, an HZ environment parameter spec.
#
# for Linux/x86
ENV_HZ		HZ=100
# For Linux/Alpha...
#ENV_HZ		HZ=1024

#
# *REQUIRED*  The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
ENV_PATH	PATH=/bin:/usr/bin

#
# Terminal permissions
#
#	TTYGROUP	Login tty will be assigned this group ownership.
#	TTYPERM		Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
TTYGROUP	tty
TTYPERM		0600

#
# Login configuration initializations:
#
#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
#	UMASK		Default "umask" value.
#	ULIMIT		Default "ulimit" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
# The ULIMIT is used only if the system supports it.
# (now it works with setrlimit too; ulimit is in 512-byte units)
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
#ERASECHAR	0177
#KILLCHAR	025
UMASK		022
#ULIMIT		2097152

#
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
PASS_MIN_LEN	8
PASS_WARN_AGE	5

#
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts.  If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
#
SU_WHEEL_ONLY	no

#
# If compiled with cracklib support, where are the dictionaries
#
CRACKLIB_DICTPATH	/usr/share/dict

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN			  500
UID_MAX			60000

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN			  500
GID_MAX			60000

#
# Max number of login retries if password is bad
#
LOGIN_RETRIES		5

#
# Max time in seconds for login
#
LOGIN_TIMEOUT		60

#
# Maximum number of attempts to change password if rejected (too easy)
#
PASS_CHANGE_TRIES	5

#
# Warn about weak passwords (but still allow them) if you are root.
#
PASS_ALWAYS_WARN	yes

#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN		8

#
# Require password before chfn/chsh can make any changes.
#
CHFN_AUTH		yes

#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone).  If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
# 
CHFN_RESTRICT		yes

#
# Password prompt (%s will be replaced by user name).
#
# XXX - it doesn't work correctly yet, for now leave it commented out
# to use the default which is just "Password: ".
#LOGIN_STRING		"%s's Password: "

#
# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm.  Default is "no".
#
MD5_CRYPT_ENAB	yes

#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting).  Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
#CONSOLE_GROUPS		floppy:audio:cdrom

#
# Should login be allowed if we can't cd to the home directory?
# Default in no.
#
DEFAULT_HOME	yes

#
# If this file exists and is readable, login environment will be
# read from it.  Every line should be in the form name=value.
#
ENVIRON_FILE	/etc/environment

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local

#
# When prompting for password without echo, getpass() can optionally
# display a random number (in the range 1 to GETPASS_ASTERISKS) of '*'
# characters for each character typed.  This feature is designed to
# confuse people looking over your shoulder when you enter a password :-).
# Also, the new getpass() accepts both Backspace (8) and Delete (127)
# keys to delete previous character (to cope with different terminal
# types), Control-U to delete all characters, and beeps when there are
# no more characters to delete, or too many characters entered.
#
# Setting GETPASS_ASTERISKS to 1 results in more traditional behaviour -
# exactly one '*' displayed for each character typed.
#
# Setting GETPASS_ASTERISKS to 0 disables the '*' characters (Backspace,
# Delete, Control-U and beep continue to work as described above).
#
# Setting GETPASS_ASTERISKS to -1 reverts to the traditional getpass()
# without any new features.  This is the default.
#
#GETPASS_ASTERISKS 1

#
# Enable setting of the umask group bits to be the same as owner bits
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
#
# This also enables userdel to remove user groups if no members exist.
#
#USERGROUPS_ENAB yes
Commit	Line	Data
846764b4 ER	1	#
	2	# /etc/login.defs - Configuration control definitions for the login package.
	3	#
	4	# $Id$
	5	#
	6	# Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH.
	7	# If unspecified, some arbitrary (and possibly incorrect) value will
	8	# be assumed. All other items are optional - if not specified then
	9	# the described action or option will be inhibited.
	10	#
	11	# Comment lines (lines beginning with "#") and blank lines are ignored.
	12	#
	13	# Modified for Linux. --marekm
	14
	15	#
	16	# Delay in seconds before being allowed another attempt after a login failure
	17	#
	18	FAIL_DELAY 3
	19
	20	#
	21	# Enable logging and display of /var/log/faillog login failure info.
	22	#
	23	FAILLOG_ENAB yes
	24
	25	#
	26	# Enable display of unknown usernames when login failures are recorded.
	27	#
	28	LOG_UNKFAIL_ENAB no
	29
	30	#
	31	# Enable logging of successful logins
	32	#
	33	LOG_OK_LOGINS no
	34
	35	#
	36	# Enable logging and display of /var/log/lastlog login time info.
	37	#
	38	LASTLOG_ENAB yes
	39
	40	#
	41	# Enable checking and display of mailbox status upon login.
	42	#
	43	# Disable if the shell startup files already check for mail
	44	# ("mailx -e" or equivalent).
	45	#
	46	MAIL_CHECK_ENAB yes
	47
	48	#
	49	# Enable additional checks upon password changes.
	50	#
	51	OBSCURE_CHECKS_ENAB yes
	52
	53	#
	54	# Enable checking of time restrictions specified in /etc/porttime.
	55	#
	56	PORTTIME_CHECKS_ENAB yes
	57
	58	#
	59	# Enable setting of ulimit, umask, and niceness from passwd gecos field.
	60	#
	61	QUOTAS_ENAB yes
	62
	63	#
	64	# Enable "syslog" logging of su activity - in addition to sulog file logging.
65	# SYSLOG_SG_ENAB does the same for newgrp and sg.
66	#
67	SYSLOG_SU_ENAB yes
68	SYSLOG_SG_ENAB yes
69
70	#
71	# If defined, either full pathname of a file containing device names or
72	# a ":" delimited list of device names. Root logins will be allowed only
73	# upon these devices.
74	#
75	CONSOLE /etc/securetty
76	#CONSOLE console:tty01:tty02:tty03:tty04
77
78	#
79	# If defined, all su activity is logged to this file.
80	#
81	#SULOG_FILE /var/log/sulog
82
83	#
84	# If defined, ":" delimited list of "message of the day" files to
85	# be displayed upon login.
86	#
87	MOTD_FILE /etc/motd
88	#MOTD_FILE /etc/motd:/usr/lib/news/news-motd
89
90	#
91	# If defined, this file will be output before each login prompt.
92	#
93	#ISSUE_FILE /etc/issue
94
95	#
96	# If defined, file which maps tty line to TERM environment parameter.
97	# Each line of the file is in a format something like "vt100 tty01".
98	#
99	#TTYTYPE_FILE /etc/ttytype
100
101	#
102	# If defined, login failures will be logged here in a utmp format.
103	# last, when invoked as lastb, will read /var/log/btmp, so...
104	#
d57127bc	105	FTMP_FILE /var/log/btmpx
846764b4 ER	106
	107	#
	108	# If defined, name of file whose presence which will inhibit non-root
	109	# logins. The contents of this file should be a message indicating
	110	# why logins are inhibited.
	111	#
	112	NOLOGINS_FILE /etc/nologin
	113
	114	#
	115	# If defined, the command name to display when running "su -". For
	116	# example, if this is defined as "su" then a "ps" will display the
	117	# command is "-su". If not defined, then "ps" would display the
	118	# name of the shell actually being run, e.g. something like "-sh".
	119	#
	120	SU_NAME su
	121
	122	#
d61ad957 AM	123	# REQUIRED
	124	# Directory where mailboxes reside, _or_ name of file, relative to the
	125	# home directory. If you _do_ define both, MAIL_DIR takes precedence.
	126	# QMAIL_DIR is for Qmail
	127	#
	128	#QMAIL_DIR Maildir
d57127bc	129	MAIL_DIR /var/mail
d61ad957 AM	130	#MAIL_FILE .mail
d61ad957 AM	131
846764b4 ER	132	#
	133	# If defined, file which inhibits all the usual chatter during the login
	134	# sequence. If a full pathname, then hushed mode will be enabled if the
	135	# user's name or shell are found in the file. If not a full pathname, then
	136	# hushed mode will be enabled if the file exists in the user's home directory.
	137	#
	138	HUSHLOGIN_FILE .hushlogin
	139	#HUSHLOGIN_FILE /etc/hushlogins
	140
	141	#
	142	# If defined, the presence of this value in an /etc/passwd "shell" field will
	143	# disable logins for that user, although "su" will still be allowed.
	144	#
	145	# XXX this does not seem to be implemented yet... --marekm
	146	# no, it was implemented but I ripped it out ;-) -- jfh
	147	NOLOGIN_STR NOLOGIN
	148
	149	#
	150	# If defined, either a TZ environment parameter spec or the
	151	# fully-rooted pathname of a file containing such a spec.
	152	#
	153	#ENV_TZ TZ=CST6CDT
	154	#ENV_TZ /etc/tzname
	155
	156	#
	157	# If defined, an HZ environment parameter spec.
	158	#
	159	# for Linux/x86
	160	ENV_HZ HZ=100
	161	# For Linux/Alpha...
	162	#ENV_HZ HZ=1024
	163
	164	#
	165	# REQUIRED The default PATH settings, for superuser and normal users.
	166	#
	167	# (they are minimal, add the rest in the shell startup files)
	168	ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin
	169	ENV_PATH PATH=/bin:/usr/bin
	170
	171	#
	172	# Terminal permissions
	173	#
	174	# TTYGROUP Login tty will be assigned this group ownership.
	175	# TTYPERM Login tty will be set to this permission.
	176	#
	177	# If you have a "write" program which is "setgid" to a special group
	178	# which owns the terminals, define TTYGROUP to the group number and
	179	# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign
	180	# TTYPERM to either 622 or 600.
	181	#
	182	TTYGROUP tty
	183	TTYPERM 0600
	184
	185	#
	186	# Login configuration initializations:
	187	#
	188	# ERASECHAR Terminal ERASE character ('\010' = backspace).
	189	# KILLCHAR Terminal KILL character ('\025' = CTRL/U).
	190	# UMASK Default "umask" value.
	191	# ULIMIT Default "ulimit" value.
	192	#
	193	# The ERASECHAR and KILLCHAR are used only on System V machines.
	194	# The ULIMIT is used only if the system supports it.
	195	# (now it works with setrlimit too; ulimit is in 512-byte units)
196	#
197	# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
198	#
a37c4e97 ER	199	#ERASECHAR 0177
a37c4e97 ER	200	#KILLCHAR 025
846764b4 ER	201	UMASK 022
	202	#ULIMIT 2097152
	203
	204	#
d61ad957 AM	205	# Password aging controls:
	206	#
	207	# PASS_MAX_DAYS Maximum number of days a password may be used.
	208	# PASS_MIN_DAYS Minimum number of days allowed between password changes.
	209	# PASS_MIN_LEN Minimum acceptable password length.
	210	# PASS_WARN_AGE Number of days warning given before a password expires.
	211	#
	212	PASS_MAX_DAYS 99999
	213	PASS_MIN_DAYS 0
d57127bc ER	214	PASS_MIN_LEN 8
d57127bc ER	215	PASS_WARN_AGE 5
846764b4 ER	216
	217	#
	218	# If "yes", the user must be listed as a member of the first gid 0 group
	219	# in /etc/group (called "root" on most Linux systems) to be able to "su"
	220	# to uid 0 accounts. If the group doesn't exist or is empty, no one
	221	# will be able to "su" to uid 0.
	222	#
	223	SU_WHEEL_ONLY no
	224
	225	#
	226	# If compiled with cracklib support, where are the dictionaries
	227	#
d57127bc	228	CRACKLIB_DICTPATH /usr/share/dict
d61ad957 AM	229
	230	#
	231	# Min/max values for automatic uid selection in useradd
	232	#
d57127bc	233	UID_MIN 500
d61ad957 AM	234	UID_MAX 60000
	235
	236	#
	237	# Min/max values for automatic gid selection in groupadd
	238	#
d57127bc	239	GID_MIN 500
d61ad957 AM	240	GID_MAX 60000
d61ad957 AM	241
846764b4 ER	242	#
	243	# Max number of login retries if password is bad
	244	#
	245	LOGIN_RETRIES 5
	246
	247	#
	248	# Max time in seconds for login
	249	#
	250	LOGIN_TIMEOUT 60
	251
	252	#
	253	# Maximum number of attempts to change password if rejected (too easy)
	254	#
	255	PASS_CHANGE_TRIES 5
	256
	257	#
	258	# Warn about weak passwords (but still allow them) if you are root.
	259	#
	260	PASS_ALWAYS_WARN yes
	261
	262	#
	263	# Number of significant characters in the password for crypt().
	264	# Default is 8, don't change unless your crypt() is better.
	265	# Ignored if MD5_CRYPT_ENAB set to "yes".
	266	#
	267	#PASS_MAX_LEN 8
	268
d61ad957 AM	269	#
	270	# Require password before chfn/chsh can make any changes.
	271	#
	272	CHFN_AUTH yes
	273
	274	#
846764b4 ER	275	# Which fields may be changed by regular users using chfn - use
	276	# any combination of letters "frwh" (full name, room number, work
	277	# phone, home phone). If not defined, no changes are allowed.
	278	# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
	279	#
d57127bc	280	CHFN_RESTRICT yes
846764b4 ER	281
	282	#
	283	# Password prompt (%s will be replaced by user name).
	284	#
	285	# XXX - it doesn't work correctly yet, for now leave it commented out
	286	# to use the default which is just "Password: ".
	287	#LOGIN_STRING "%s's Password: "
	288
	289	#
	290	# Only works if compiled with MD5_CRYPT defined:
	291	# If set to "yes", new passwords will be encrypted using the MD5-based
	292	# algorithm compatible with the one used by recent releases of FreeBSD.
	293	# It supports passwords of unlimited length and longer salt strings.
	294	# Set to "no" if you need to copy encrypted passwords to other systems
	295	# which don't understand the new algorithm. Default is "no".
d61ad957	296	#
d57127bc	297	MD5_CRYPT_ENAB yes
846764b4 ER	298
	299	#
	300	# List of groups to add to the user's supplementary group set
	301	# when logging in on the console (as determined by the CONSOLE
	302	# setting). Default is none.
	303	#
	304	# Use with caution - it is possible for users to gain permanent
	305	# access to these groups, even when not logged in on the console.
	306	# How to do it is left as an exercise for the reader...
	307	#
	308	#CONSOLE_GROUPS floppy:audio:cdrom
	309
	310	#
	311	# Should login be allowed if we can't cd to the home directory?
	312	# Default in no.
	313	#
	314	DEFAULT_HOME yes
	315
	316	#
	317	# If this file exists and is readable, login environment will be
	318	# read from it. Every line should be in the form name=value.
	319	#
	320	ENVIRON_FILE /etc/environment
d61ad957 AM	321
	322	#
	323	# If defined, this command is run when removing a user.
	324	# It should remove any at/cron/print jobs etc. owned by
	325	# the user to be removed (passed as the first argument).
	326	#
	327	#USERDEL_CMD /usr/sbin/userdel_local
	328
	329	#
846764b4 ER	330	# When prompting for password without echo, getpass() can optionally
	331	# display a random number (in the range 1 to GETPASS_ASTERISKS) of '*'
	332	# characters for each character typed. This feature is designed to
	333	# confuse people looking over your shoulder when you enter a password :-).
	334	# Also, the new getpass() accepts both Backspace (8) and Delete (127)
	335	# keys to delete previous character (to cope with different terminal
	336	# types), Control-U to delete all characters, and beeps when there are
	337	# no more characters to delete, or too many characters entered.
	338	#
	339	# Setting GETPASS_ASTERISKS to 1 results in more traditional behaviour -
	340	# exactly one '*' displayed for each character typed.
	341	#
	342	# Setting GETPASS_ASTERISKS to 0 disables the '*' characters (Backspace,
	343	# Delete, Control-U and beep continue to work as described above).
d61ad957	344	#
846764b4 ER	345	# Setting GETPASS_ASTERISKS to -1 reverts to the traditional getpass()
	346	# without any new features. This is the default.
	347	#
	348	#GETPASS_ASTERISKS 1
d61ad957	349
846764b4 ER	350	#
	351	# Enable setting of the umask group bits to be the same as owner bits
	352	# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
	353	# the same as gid, and username is the same as the primary group name.
	354	#
	355	# This also enables userdel to remove user groups if no members exist.
	356	#
d57127bc	357	#USERGROUPS_ENAB yes
0e2613ba	358