| 1 | # |
|---|
| 2 | # /etc/login.defs - Configuration control definitions for the login package. |
|---|
| 3 | # |
|---|
| 4 | # $Id: login.defs 2758 2006-10-16 14:27:08Z erwin $ |
|---|
| 5 | # |
|---|
| 6 | # Three items must be defined: MAIL_DIR, ENV_SUPATH, and ENV_PATH. |
|---|
| 7 | # If unspecified, some arbitrary (and possibly incorrect) value will |
|---|
| 8 | # be assumed. All other items are optional - if not specified then |
|---|
| 9 | # the described action or option will be inhibited. |
|---|
| 10 | # |
|---|
| 11 | # Comment lines (lines beginning with "#") and blank lines are ignored. |
|---|
| 12 | # |
|---|
| 13 | # Modified for Linux. --marekm |
|---|
| 14 | |
|---|
| 15 | # |
|---|
| 16 | # Delay in seconds before being allowed another attempt after a login failure |
|---|
| 17 | # |
|---|
| 18 | FAIL_DELAY 3 |
|---|
| 19 | |
|---|
| 20 | # |
|---|
| 21 | # Enable display of unknown usernames when login failures are recorded. |
|---|
| 22 | # |
|---|
| 23 | LOG_UNKFAIL_ENAB no |
|---|
| 24 | |
|---|
| 25 | # |
|---|
| 26 | # Enable logging of successful logins |
|---|
| 27 | # |
|---|
| 28 | LOG_OK_LOGINS no |
|---|
| 29 | |
|---|
| 30 | # |
|---|
| 31 | # Enable "syslog" logging of su activity - in addition to sulog file logging. |
|---|
| 32 | # SYSLOG_SG_ENAB does the same for newgrp and sg. |
|---|
| 33 | # |
|---|
| 34 | SYSLOG_SU_ENAB yes |
|---|
| 35 | SYSLOG_SG_ENAB yes |
|---|
| 36 | |
|---|
| 37 | # |
|---|
| 38 | # If defined, either full pathname of a file containing device names or |
|---|
| 39 | # a ":" delimited list of device names. Root logins will be allowed only |
|---|
| 40 | # upon these devices. |
|---|
| 41 | # |
|---|
| 42 | CONSOLE /etc/securetty |
|---|
| 43 | #CONSOLE console:tty01:tty02:tty03:tty04 |
|---|
| 44 | |
|---|
| 45 | # |
|---|
| 46 | # If defined, all su activity is logged to this file. |
|---|
| 47 | # |
|---|
| 48 | #SULOG_FILE /var/log/sulog |
|---|
| 49 | |
|---|
| 50 | # |
|---|
| 51 | # If defined, file which maps tty line to TERM environment parameter. |
|---|
| 52 | # Each line of the file is in a format something like "vt100 tty01". |
|---|
| 53 | # |
|---|
| 54 | #TTYTYPE_FILE /etc/ttytype |
|---|
| 55 | |
|---|
| 56 | # |
|---|
| 57 | # If defined, the command name to display when running "su -". For |
|---|
| 58 | # example, if this is defined as "su" then a "ps" will display the |
|---|
| 59 | # command is "-su". If not defined, then "ps" would display the |
|---|
| 60 | # name of the shell actually being run, e.g. something like "-sh". |
|---|
| 61 | # |
|---|
| 62 | SU_NAME su |
|---|
| 63 | |
|---|
| 64 | # |
|---|
| 65 | # *REQUIRED* |
|---|
| 66 | # Directory where mailboxes reside, _or_ name of file, relative to the |
|---|
| 67 | # home directory. If you _do_ define both, MAIL_DIR takes precedence. |
|---|
| 68 | # |
|---|
| 69 | MAIL_DIR /var/spool/mail |
|---|
| 70 | |
|---|
| 71 | # |
|---|
| 72 | # If defined, file which inhibits all the usual chatter during the login |
|---|
| 73 | # sequence. If a full pathname, then hushed mode will be enabled if the |
|---|
| 74 | # user's name or shell are found in the file. If not a full pathname, then |
|---|
| 75 | # hushed mode will be enabled if the file exists in the user's home directory. |
|---|
| 76 | # |
|---|
| 77 | HUSHLOGIN_FILE .hushlogin |
|---|
| 78 | #HUSHLOGIN_FILE /etc/hushlogins |
|---|
| 79 | |
|---|
| 80 | # |
|---|
| 81 | # *REQUIRED* The default PATH settings, for superuser and normal users. |
|---|
| 82 | # |
|---|
| 83 | # (they are minimal, add the rest in the shell startup files) |
|---|
| 84 | ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin |
|---|
| 85 | ENV_PATH PATH=/bin:/usr/bin |
|---|
| 86 | |
|---|
| 87 | # |
|---|
| 88 | # Terminal permissions |
|---|
| 89 | # |
|---|
| 90 | # TTYGROUP Login tty will be assigned this group ownership. |
|---|
| 91 | # TTYPERM Login tty will be set to this permission. |
|---|
| 92 | # |
|---|
| 93 | # If you have a "write" program which is "setgid" to a special group |
|---|
| 94 | # which owns the terminals, define TTYGROUP to the group number and |
|---|
| 95 | # TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign |
|---|
| 96 | # TTYPERM to either 622 or 600. |
|---|
| 97 | # |
|---|
| 98 | TTYGROUP tty |
|---|
| 99 | TTYPERM 0600 |
|---|
| 100 | |
|---|
| 101 | # |
|---|
| 102 | # Login configuration initializations: |
|---|
| 103 | # |
|---|
| 104 | # ERASECHAR Terminal ERASE character ('\010' = backspace). |
|---|
| 105 | # KILLCHAR Terminal KILL character ('\025' = CTRL/U). |
|---|
| 106 | # UMASK Default "umask" value. |
|---|
| 107 | # |
|---|
| 108 | # The ERASECHAR and KILLCHAR are used only on System V machines. |
|---|
| 109 | # The ULIMIT is used only if the system supports it. |
|---|
| 110 | # (now it works with setrlimit too; ulimit is in 512-byte units) |
|---|
| 111 | # |
|---|
| 112 | # Prefix these values with "0" to get octal, "0x" to get hexadecimal. |
|---|
| 113 | # |
|---|
| 114 | ERASECHAR 0177 |
|---|
| 115 | KILLCHAR 025 |
|---|
| 116 | UMASK 022 |
|---|
| 117 | |
|---|
| 118 | # |
|---|
| 119 | # Password aging controls: |
|---|
| 120 | # |
|---|
| 121 | # PASS_MAX_DAYS Maximum number of days a password may be used. |
|---|
| 122 | # PASS_MIN_DAYS Minimum number of days allowed between password changes. |
|---|
| 123 | # PASS_WARN_AGE Number of days warning given before a password expires. |
|---|
| 124 | # |
|---|
| 125 | PASS_MAX_DAYS 99999 |
|---|
| 126 | PASS_MIN_DAYS 0 |
|---|
| 127 | PASS_WARN_AGE 7 |
|---|
| 128 | |
|---|
| 129 | # |
|---|
| 130 | # Min/max values for automatic uid selection in useradd |
|---|
| 131 | # |
|---|
| 132 | UID_MIN 500 |
|---|
| 133 | UID_MAX 980 |
|---|
| 134 | |
|---|
| 135 | # |
|---|
| 136 | # Min/max values for automatic gid selection in groupadd |
|---|
| 137 | # |
|---|
| 138 | GID_MIN 100 |
|---|
| 139 | GID_MAX 400 |
|---|
| 140 | |
|---|
| 141 | # |
|---|
| 142 | # Max number of login retries if password is bad |
|---|
| 143 | # |
|---|
| 144 | LOGIN_RETRIES 3 |
|---|
| 145 | |
|---|
| 146 | # |
|---|
| 147 | # Max time in seconds for login |
|---|
| 148 | # |
|---|
| 149 | LOGIN_TIMEOUT 60 |
|---|
| 150 | |
|---|
| 151 | # |
|---|
| 152 | # Which fields may be changed by regular users using chfn - use |
|---|
| 153 | # any combination of letters "frwh" (full name, room number, work |
|---|
| 154 | # phone, home phone). If not defined, no changes are allowed. |
|---|
| 155 | # For backward compatibility, "yes" = "rwh" and "no" = "frwh". |
|---|
| 156 | # |
|---|
| 157 | CHFN_RESTRICT rwh |
|---|
| 158 | |
|---|
| 159 | # |
|---|
| 160 | # List of groups to add to the user's supplementary group set |
|---|
| 161 | # when logging in on the console (as determined by the CONSOLE |
|---|
| 162 | # setting). Default is none. |
|---|
| 163 | # |
|---|
| 164 | # Use with caution - it is possible for users to gain permanent |
|---|
| 165 | # access to these groups, even when not logged in on the console. |
|---|
| 166 | # How to do it is left as an exercise for the reader... |
|---|
| 167 | # |
|---|
| 168 | #CONSOLE_GROUPS floppy:audio:cdrom |
|---|
| 169 | |
|---|
| 170 | # |
|---|
| 171 | # Should login be allowed if we can't cd to the home directory? |
|---|
| 172 | # Default in no. |
|---|
| 173 | # |
|---|
| 174 | DEFAULT_HOME yes |
|---|
| 175 | |
|---|
| 176 | # |
|---|
| 177 | # If defined, this command is run when removing a user. |
|---|
| 178 | # It should remove any at/cron/print jobs etc. owned by |
|---|
| 179 | # the user to be removed (passed as the first argument). |
|---|
| 180 | # |
|---|
| 181 | #USERDEL_CMD /usr/sbin/userdel_local |
|---|
| 182 | |
|---|
| 183 | # |
|---|
| 184 | # When prompting for password without echo, getpass() can optionally |
|---|
| 185 | # display a random number (in the range 1 to GETPASS_ASTERISKS) of '*' |
|---|
| 186 | # characters for each character typed. This feature is designed to |
|---|
| 187 | # confuse people looking over your shoulder when you enter a password :-). |
|---|
| 188 | # Also, the new getpass() accepts both Backspace (8) and Delete (127) |
|---|
| 189 | # keys to delete previous character (to cope with different terminal |
|---|
| 190 | # types), Control-U to delete all characters, and beeps when there are |
|---|
| 191 | # no more characters to delete, or too many characters entered. |
|---|
| 192 | # |
|---|
| 193 | # Setting GETPASS_ASTERISKS to 1 results in more traditional behaviour - |
|---|
| 194 | # exactly one '*' displayed for each character typed. |
|---|
| 195 | # |
|---|
| 196 | # Setting GETPASS_ASTERISKS to 0 disables the '*' characters (Backspace, |
|---|
| 197 | # Delete, Control-U and beep continue to work as described above). |
|---|
| 198 | # |
|---|
| 199 | # Setting GETPASS_ASTERISKS to -1 reverts to the traditional getpass() |
|---|
| 200 | # without any new features. This is the default. |
|---|
| 201 | # |
|---|
| 202 | GETPASS_ASTERISKS 0 |
|---|
| 203 | |
|---|
| 204 | # |
|---|
| 205 | # Enable setting of the umask group bits to be the same as owner bits |
|---|
| 206 | # (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is |
|---|
| 207 | # the same as gid, and username is the same as the primary group name. |
|---|
| 208 | # |
|---|
| 209 | # This also enables userdel to remove user groups if no members exist. |
|---|
| 210 | # |
|---|
| 211 | USERGROUPS_ENAB yes |
|---|
| 212 | |
|---|
