default(4)

NAME
default - System default database file (Enhanced Security)

DESCRIPTION
The system default database is unique in that it defines system-wide
global values. It is designed to provide values for users and devices
at a global level so that an administrator is not required to replicate
values in the user or device databases when they are all the same.
Besides making global values easier to specify, this also makes a
global system change much easier when one is necessary.
The system default database contains four types of values:

     System-wide values that do not have corresponding specifications
     in any other system database. If a system-wide value is not
     specified in the default database, then it is undefined.

     User values, which are typically specified in the protected
     password database file.

     Terminal control values, which are typically specified in the
     terminal control database file.

     Device assignment values, which are typically specified in the
     device assignment database file.

The field names for each value type begin with an identifying prefix.
The following list of prefixes also lists the reference page that
explains the associated database:

     d_   Defaults database field (this reference page)
     t_   Terminal control database field (ttys(4))
     u_   Protected password database field (prpasswd(4))
     v_   Device assignment database field (devassign(4))
System default parameters can be specified for fields found in the pro‐
tected password, terminal control, and device assignment databases.
When a specific entry is retrieved from one of these databases, a
structure called ufld that contains all of the explicitly specified
values is provided to the caller. A second structure, called sfld, is
also provided; it defines those values supplied from the system default
database.
Each of these structures has a corresponding flag structure called uflg
and sflg respectively that indicates which fields in each structure
have been specified and are valid for use. Programs honor the user-spe‐
cific or device-specific value if one is provided. Otherwise, programs
use the system default value if one has been specified. If neither
value is specified, the program may supply a reasonable default value
or abort.
The following fields are defined only in the defaults database:

d_pw_expire_warning
     This field contains the value, measured in seconds, used to
     control whether a password expiration warning is given at login
     time. If the password expiration time contained in the user's
     protected password database file falls within this time interval
     (measured from the current system time), a warning is given.

     This field is a string that specifies the full path name of the
     program or script to call for site-specific security policy
     conformance decisions.

d_name
     This field contains the name, which is set by default to the
     string default.

     This flag field is not currently used.

     This flag is for MLS+ compatibility only. It is ignored in Tru64
     UNIX Version 5.1B.

d_secclass
     This field is an ASCII identifier of the security class supported
     by the system and is used for informational purposes only. The
     choices include a1, b1, b2, b3, c1, c2, and d.

     A boolean expression indicating that the password set by the
     administrator should be set to expire immediately. This flag
     controls whether auto-migration requires a password change at the
     time it creates the account, or whether it assumes the password
     was set at the present time. It also controls the
     forced-expiration-required action of dxchpwd when an
     administrator changes a user's password.

     A boolean expression indicating that the ttys database is not
     updated during logins. This flag (if set in the system defaults
     database) causes login attempts (successful or not) to skip
     updating the ttys database. This speeds up logins at the expense
     of not doing break-in evasion.

     A boolean expression that causes a new extended profile to be
     created if no extended profile exists but there is a valid base
     profile. If this flag (in the system defaults database) is set,
     and a user attempts to log in with no extended profile but does
     have a legitimate BSD-style profile, an extended profile is
     created for that user (all defaults, except where specific
     information is required, such as username and UID).

d_max_vacation_future
     A numeric value in seconds indicating how far into the future a
     user-initiated vacation can be scheduled. If either
     d_max_vacation_future or d_max_vacation_duration is zero, no
     user-initiated use of the vacationing feature is possible. This
     field (in the system defaults database) is implicitly zero as
     shipped.

d_max_vacation_duration
     A numeric value in seconds indicating how long a user-initiated
     scheduled vacation can last. If either d_max_vacation_future or
     d_max_vacation_duration is zero, no user-initiated use of the
     vacationing feature is possible. This field (in the system
     defaults database) is implicitly zero as shipped.

     A boolean expression indicating that SIA vouching is accepted
     from other authentication mechanisms. If this field is set (in the
     system defaults database), then other C2 mechanisms will not
     demand a password of their own if a preceding SIA mechanism has
     already validated the user. (This is in support of mixing
     DCE+C2.) This does mean that the C2 password controls count for
     little (if anything) when DCE is up and in use, but the setting is
     under administrator control and defaults to off. It can also be
     desirable to set this when using S/Key or smartcard support.
EXAMPLES
The following example is a typical system default database:
default:\
:d_name=default:\
:d_secclass=c2:\
:d_boot_authenticate@:\
:d_audit_enable@:\
:d_pw_expire_warning#3456000:\
:u_pwd=*:\
:u_minchg#0:u_maxlen#10:u_exp#15724800:u_life#31449600:\
:u_pickpw:u_genpwd:u_restrict@:u_nullpw@:\
:u_genchars:u_genletters:\
:u_maxtries#5:u_lock:\
:t_logdelay#2:t_maxtries#10:\
:chkent:
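The following is an added example, not part of this reference page and not Tru64 code: it parses the entry shown above and applies the precedence rule from the DESCRIPTION (a user-specific ufld value wins over the sfld system default, and neither being specified leaves the field unset), then evaluates the d_pw_expire_warning window. It assumes that values contain no escaped colons (so the entry is split on bare ':'), that chkent ends the entry, and it uses Python dicts in place of the ufld/sfld structures, with key presence standing in for the uflg/sflg "field is valid" bits.

```python
"""Added example: parse an authcap-style default database entry and apply
the ufld/sfld precedence rule.  Python dicts stand in for the ufld/sfld
structures; a key's presence in a dict plays the role of the uflg/sflg
'field is specified' bit (an assumption, not the C API)."""
import re

# Constructed input: the EXAMPLES entry, as it would appear in the file.
SAMPLE_DEFAULT = r"""default:\
    :d_name=default:\
    :d_secclass=c2:\
    :d_boot_authenticate@:\
    :d_audit_enable@:\
    :d_pw_expire_warning#3456000:\
    :u_pwd=*:\
    :u_minchg#0:u_maxlen#10:u_exp#15724800:u_life#31449600:\
    :u_pickpw:u_genpwd:u_restrict@:u_nullpw@:\
    :u_genchars:u_genletters:\
    :u_maxtries#5:u_lock:\
    :t_logdelay#2:t_maxtries#10:\
    :chkent:
"""


def parse_authcap_entry(text):
    """Return (entry_name, fields) for one entry.

    Field syntax as seen in the example: name#N is numeric, name=str is a
    string, name@ is a boolean that is off, a bare name is a boolean that
    is on.  Assumption: values contain no escaped colons, so the entry is
    split on ':' directly; 'chkent' is treated as the end-of-entry marker.
    """
    # Join backslash-newline continuations, dropping the indentation that
    # follows each one.
    joined = re.sub(r"\\\n\s*", "", text.strip())
    tokens = joined.split(":")
    name = tokens[0]
    fields = {}
    for tok in tokens[1:]:
        if not tok:
            continue                      # empty slot produced by '::'
        if tok == "chkent":
            break
        if "#" in tok:
            key, _, val = tok.partition("#")
            fields[key] = int(val)
        elif "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
        elif tok.endswith("@"):
            fields[tok[:-1]] = False
        else:
            fields[tok] = True
    return name, fields


def resolve_field(key, ufld, sfld):
    """Honor the user- or device-specific value when one is specified,
    otherwise the system default, otherwise report the field unset.
    Membership is tested rather than truthiness: an explicit 'off' such as
    u_restrict@ is a specified value and must override a default of 'on'."""
    if key in ufld:
        return ufld[key], "user"
    if key in sfld:
        return sfld[key], "default"
    return None, "unset"


def expire_warning_due(pw_expire_time, now, sfld):
    """True when the user's password expiration time falls within
    d_pw_expire_warning seconds of the current time, i.e. when login
    should print the expiration warning.  With the default unspecified the
    system-wide value is undefined, so no warning is given."""
    warn = sfld.get("d_pw_expire_warning")
    if warn is None:
        return False
    return now <= pw_expire_time <= now + warn


if __name__ == "__main__":
    entry, defaults = parse_authcap_entry(SAMPLE_DEFAULT)
    user = {"u_maxtries": 3, "u_lock": False}   # constructed prpasswd values
    for key in ("u_maxtries", "u_lock", "u_maxlen", "u_minlen"):
        print(key, resolve_field(key, user, defaults))
    now = 1_000_000
    print(expire_warning_due(now + 3_000_000, now, defaults))
```

Running the block resolves u_maxtries and u_lock from the constructed user entry, u_maxlen from the system default, and reports u_minlen as unset, which is the case the DESCRIPTION says a program must handle by supplying its own default or aborting.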
FILES
Specifies the pathname of the file.
SEE ALSO
Functions: getprdfent(3)
Files: authcap(4), devassign(4), prpasswd(4), ttys(4)