
/etc/default/security versus /var/adm/userdb

john guardian
Super Advisor

/etc/default/security versus /var/adm/userdb

"security" is system wide while "userdb" will individually override "security". Can anyone give a good case for allowing the use of userdb, i.e., is it used for "roles"?



john guardian
Super Advisor

Re: /etc/default/security versus /var/adm/userdb

You'd think that, with 20+ views, an answer would be forthcoming. Or is everyone just "cherry picking" Q&A postings?

Honored Contributor

Re: /etc/default/security versus /var/adm/userdb

Example 1:

You have an application that is being run on a particular user account. The application requires that the account must not be disabled, but nobody is supposed to directly log in to that account. You have used sshd_config, PAM configuration and/or other means to prevent anybody from directly logging on as the application user.


There is a requirement that all users' passwords must expire in 90-day intervals. After implementing this system-wide using /etc/default/security, this requirement applies to the application user too. So now you have a time-bomb in your system: you must refresh the password on the application user account, even though you have blocked any possibility to actually log in with that account. If you don't do this, the application stops working.


Solution: after careful consideration and documentation of your precautions, use userdb to waive the 90-day password renewal requirement for the application user account only.


Example 2:

You have a standard policy that requires all users' passwords to expire in 90-day intervals, implemented in /etc/default/security.

Then the cranky old CIO says: "I don't want to deal with this. Make it so I don't have to."
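
Added example, not part of any post in this thread: a POSIX shell check that lists per-user overrides differing from the system-wide defaults and marks the ones missing from a documented-exceptions list, which is the bookkeeping the two cases above depend on. The dump format (`user ATTR=value`, one entry per line), the approved-exceptions file, the account names and all values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag per-user overrides that differ from the system-wide
# defaults and are missing from a list of documented exceptions.
# All file contents below are constructed sample data.

# audit_overrides DEFAULTS DUMP APPROVED
# prints: user attribute user_value system_value status
audit_overrides() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blanks
        FILENAME == ARGV[1] {                      # defaults: ATTR=value
            eq = index($0, "=")
            if (eq) sysval[substr($0, 1, eq - 1)] = substr($0, eq + 1)
            next
        }
        FILENAME == ARGV[2] { approved[$1, $2] = 1; next }   # user ATTR
        {                                          # dump: user ATTR=value
            eq = index($2, "=")
            if (!eq) next
            attr = substr($2, 1, eq - 1); val = substr($2, eq + 1)
            def = (attr in sysval) ? sysval[attr] : "(unset)"
            if (val == def) next                   # same as system-wide value
            status = (($1, attr) in approved) ? "APPROVED" : "UNDOCUMENTED"
            print $1, attr, val, def, status
        }
    ' "$1" "$3" "$2"
}

tmp=${TMPDIR:-/tmp}/userdb_audit.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT

cat > "$tmp/security" <<'EOF'
# system-wide defaults, /etc/default/security syntax (constructed)
AUTH_MAXTRIES=3
MIN_PASSWORD_LENGTH=8
UMASK=027
EOF
cat > "$tmp/userdb.dump" <<'EOF'
appsvc AUTH_MAXTRIES=0
cio MIN_PASSWORD_LENGTH=6
jdoe UMASK=027
EOF
cat > "$tmp/approved" <<'EOF'
# user attribute: exceptions that went through review (constructed)
appsvc AUTH_MAXTRIES
EOF

audit_overrides "$tmp/security" "$tmp/userdb.dump" "$tmp/approved"
```
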

john guardian
Super Advisor

Re: /etc/default/security versus /var/adm/userdb

Thx. Just needed some outside confirmation. Unfortunately, management doesn't "trust" its own people; they need to see the answer coming from an impartial, external source to believe it.