The /etc/default/security file has a number of possible settings, but the majority are ignored (silently) in non-Trusted systems. Specifically, the password history is kept in a Trusted directory so h=no history is kept in a non-Trusted system.
It is important to retire the use of which and whereis to determine where a command is found. POSIX shells (ksh, HP's sh, bash, etc) all have the right command: type
type passwd
(type is an alias to whence -v) To see how which and whereis are ineffective, try this:
which let
whereis let
type let
The let command is indeed a valid task within the shell but which and whereis have no clue. And which is actually a csh script! But it gets worse: which and whereis do NOT follow the $PATH values so the following shows how an unwitting user might run the wrong command:
cat /dev/null > ./su
export PATH=.:$PATH
which su
whereis su
type su
The last command (type su) shows what is going to happen and it is the only action that counts! The user will run something called su in the current working directory--a very bad situation. So type (or whence -v) should always be used to determine where a command is located.
In the example above, the ordinary user seems to be getting passwd from a non-existant directory: /bin YES, /bin is NOT a directory and like Solaris and other Unix's that follow the V.4 standard for filesystem layout, /bin disappeared and became /usr/bin. Now for the last 10 years or so, /bin (and /lib) have existed as a transition crutch (actually a symbolic link) but will someday disappear or at least become optional rather than the default. /bin should look like this:
ll /bin
lr-xr-xr-t 1 root sys 8 Dec 19 2002 /bin@ -> /usr/bin
If instead you get a list of files, you've been hacked or at least someone with root privileges has messed up a critically important directory link. If the link is OK, then you'll need to find out why /bin/passwd is being located by which rather than /usr/bin. This behavior can be duplicated with:
export PATH=/bin:$PATH
but that is a bad situation since it is a non-standard PATH value. In HP-UX, the PATH variable is set in /etc/profile and /etc/csh.login by reading /etc/PATH, so check /etc/PATH for non-standard locations. /etc/PATH can be a big security risk if it includes directories with world-writable permissions (perhaps /usr/local/bin?).
So to make sure you are really running ANY command, always use a full pathname as in:
/usr/bin/passwd -f
Bill Hassell, sysadmin
