https://community.hpe.com/t5/operating-system-hp-ux/disabling-chfn/m-p/2424926#M913 ==&gt;<BR />"Security Restrictions <BR />You must have the owner kernel authorization <BR />and the syslo sensitivity label to run chfn.<BR /><BR />But where, exactly, are those terms defined and discussed? It seems that by default, any random user has appropriate privilege to run "chfn". How does one change this? (Just a pointer to an appropriate place to RTFM is sufficient.)"<BR />&lt;==<BR />I had the same question as you did. After some researching on the web I found that the terms '"owner" kernel authorization' and '"syslo" sensitivity label' come from HP's VirtualVault Operating System terminology. <BR />See priv(1) man page for the kernel authorizations in the VirtualVault reference PDF doc below:<BR /><A href="http://www.docs.hp.com/en/B5413-90057/B5413-90057.pdf" target="_blank">http://www.docs.hp.com/en/B5413-90057/B5413-90057.pdf</A><BR /> <BR />"A sensitivity label represents the sensitivity of a process or a filesystem object and the data each contains." <BR />taken from one of HP's patents on Trusted Gateway Agent for web server programs:<BR /><A href="http://www.freepatentsonline.com/5903732.html" target="_blank">http://www.freepatentsonline.com/5903732.html</A><BR /><BR />SYSLO is one of the predefined sensitivity labels defined by VirtualVault, as in VirtualVault Integrators guide.<BR /><A href="http://www.docs.hp.com/en/B5413-90031/B5413-90031.pdf" target="_blank">http://www.docs.hp.com/en/B5413-90031/B5413-90031.pdf</A> <BR /><BR /> Mon, 25 Dec 2006 18:28:42 GMT Chetan Javagal 2006-12-25T18:28:42Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-chfn/m-p/2424924#M911 Sorry if this is a no-brainer, but ... How does one disable "chfn" under HP-UX? We'd like to prevent people from changing the information in the gecos field of their password file entry. Just removing /usr/bin/chfn is no help, since all someone needs to do is to <BR />ln -s /usr/bin/passwd /some/dir/chfn <BR /><BR />and bingo, they have a working "chfn" command again. The manpage says <BR /><BR />Security Restrictions <BR />You must have the owner kernel authorization <BR />and the syslo sensitivity label to run chfn. <BR /><BR />But where, exactly, are those terms defined and discussed? It seems that by default, any random user has appropriate privilege to run "chfn". How does one change this? (Just a pointer to an appropriate place to RTFM is sufficient.) <BR /><BR /> Mon, 05 Jun 2000 18:25:19 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-chfn/m-p/2424924#M911 Jeff Pendleton 2000-06-05T18:25:19Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-chfn/m-p/2424925#M912 One thing I have done in the past was to change permission on chfn so that only root can use it, rename passwd to syspasswd.<BR />Create a simple program called passwd that is accessible by everyone that encompasses syspasswd but doesnt allow any other parameters to be passed to it. <BR />Basically using this type of method you can come up with a site specific solution.<BR /><BR />If you need more details let me know. Tue, 06 Jun 2000 00:14:02 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-chfn/m-p/2424925#M912 Anthony Goonetilleke 2000-06-06T00:14:02Z https://community.hpe.com/t5/operating-system-hp-ux/disabling-chfn/m-p/2424926#M913 ==&gt;<BR />"Security Restrictions <BR />You must have the owner kernel authorization <BR />and the syslo sensitivity label to run chfn.<BR /><BR />But where, exactly, are those terms defined and discussed? It seems that by default, any random user has appropriate privilege to run "chfn". How does one change this? (Just a pointer to an appropriate place to RTFM is sufficient.)"<BR />&lt;==<BR />I had the same question as you did. After some researching on the web I found that the terms '"owner" kernel authorization' and '"syslo" sensitivity label' come from HP's VirtualVault Operating System terminology. <BR />See priv(1) man page for the kernel authorizations in the VirtualVault reference PDF doc below:<BR /><A href="http://www.docs.hp.com/en/B5413-90057/B5413-90057.pdf" target="_blank">http://www.docs.hp.com/en/B5413-90057/B5413-90057.pdf</A><BR /> <BR />"A sensitivity label represents the sensitivity of a process or a filesystem object and the data each contains." <BR />taken from one of HP's patents on Trusted Gateway Agent for web server programs:<BR /><A href="http://www.freepatentsonline.com/5903732.html" target="_blank">http://www.freepatentsonline.com/5903732.html</A><BR /><BR />SYSLO is one of the predefined sensitivity labels defined by VirtualVault, as in VirtualVault Integrators guide.<BR /><A href="http://www.docs.hp.com/en/B5413-90031/B5413-90031.pdf" target="_blank">http://www.docs.hp.com/en/B5413-90031/B5413-90031.pdf</A> <BR /><BR /> Mon, 25 Dec 2006 18:28:42 GMT https://community.hpe.com/t5/operating-system-hp-ux/disabling-chfn/m-p/2424926#M913 Chetan Javagal 2006-12-25T18:28:42Z