Understanding account database files
One important way in which UNIX systems differ is how they store
account information. This affects how accounts interoperate across different
types of UNIX systems, and governs how programs access this data.
The account database files fall into two categories: UNIX system files (those
defined in the System V Interface Definition) and the Trusted
Computing Base (TCB) files that extend System V security.
These files are supported and maintained by the
system to ensure compatibility with other UNIX systems.
System V files:
-
/etc/passwd. This publicly readable file is
present on most UNIX systems and contains both account data
(user ID number, login shell, and so forth)
and (on some systems) an encrypted account password.
Password aging information is also supported.
The format is documented in
passwd(F).
It can be edited by experienced administrators,
but using the Account Manager is the preferred
method for adding and maintaining user accounts --
see
``Editing the /etc/passwd file''.
-
/etc/shadow. This file is readable only by
root. It contains the encrypted password otherwise
found in the /etc/passwd file, so that password hashes are
not exposed to every user who can read /etc/passwd.
The format is documented in the
shadow(F)
manual page.
This file exists by default in all security profiles except
Low, where it can still be created using
pwconv(ADM).
See
``Configuring the shadow password file''.
-
/etc/default/passwd and /etc/default/login.
These contain default account
information and are documented in
passwd(C)
and
login(M),
respectively.
(In many cases, information in these files
is duplicated in the Protected Password
and System Defaults database.)
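The two System V files above are meant to agree with each other: an account whose /etc/passwd password field is the placeholder "x" should have a matching /etc/shadow line, a real hash should live only in the root-readable file, and no account should be loginable with an empty password. The following script is an added example for this page, not code shipped with SCO OpenServer. It assumes the seven-field passwd(F) layout and a shadow(F) layout whose first two fields are the login name and the encrypted password; the sample files it writes are constructed for the demonstration and are not taken from a real system.

```shell
#!/bin/sh
# Consistency audit of the System V account files (passwd and shadow).
# Added example for this page, not SCO-supplied code. It assumes the
# seven-field passwd(F) format and a shadow(F) format whose first two
# fields are login name and encrypted password. Sample data is constructed.

# Write constructed sample files (not real system files) into directory $1.
make_sample_files() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:Superuser:/:/bin/sh
daemon:x:1:1:System daemons:/:/bin/sh
alice:x:201:50:Alice:/u/alice:/bin/ksh
bob:x:202:50:Bob:/u/bob:/bin/sh
carol:aBcDeFgHiJkLm:203:50:Carol:/u/carol:/bin/sh
dave::204:50:Dave:/u/dave:/bin/sh
toor:x:0:0:Second UID 0:/:/bin/sh
EOF
    cat > "$1/shadow" <<'EOF'
root:aBcDeFgHiJkLm:12000:0:90::::
daemon:*:12000::::::
alice:nOpQrStUvWxYz:12000:7:90::::
bob::12000:0:90::::
erin:AbCdEfGhIjKlM:12000::::::
EOF
}

# audit_account_files PASSWD SHADOW: print one sorted line per finding.
audit_account_files() {
    awk -F: '
        FILENAME == ARGV[1] {                     # the passwd file
            if (NF != 7) { printf "passwd: line %d has %d fields, expected 7\n", FNR, NF; next }
            name = $1; pw = $2; uid = $3
            in_passwd[name] = 1; pwfield[name] = pw
            if (pw == "")
                printf "passwd: %s has an empty password field (no password required)\n", name
            else if (pw != "x")
                printf "passwd: %s carries a password hash in the publicly readable file\n", name
            if (uid == 0 && name != "root")
                printf "passwd: %s has UID 0\n", name
            if (uid in uid_owner)
                printf "passwd: %s and %s share UID %s\n", uid_owner[uid], name, uid
            else
                uid_owner[uid] = name
            next
        }
        {                                         # the shadow file
            if (NF < 2) { printf "shadow: line %d is malformed\n", FNR; next }
            name = $1; pw = $2
            in_shadow[name] = 1
            if (!(name in in_passwd))
                printf "shadow: %s has no passwd entry\n", name
            if (pw == "")
                printf "shadow: %s has an empty password (no password required)\n", name
        }
        END {
            # an "x" in passwd promises a shadow line; report accounts where it is missing
            for (name in in_passwd)
                if (pwfield[name] == "x" && !(name in in_shadow))
                    printf "passwd: %s is marked shadowed (x) but has no shadow entry\n", name
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Demonstration on the constructed files. Against a live system run
#   audit_account_files /etc/passwd /etc/shadow
# as root, since /etc/shadow is readable only by root.
demo_dir=${TMPDIR:-/tmp}/acctaudit.$$
mkdir -p "$demo_dir"
make_sample_files "$demo_dir"
audit_account_files "$demo_dir/passwd" "$demo_dir/shadow"
rm -rf "$demo_dir"
```

On the sample data the script reports seven findings: carol's hash sitting in the world-readable file, dave's and bob's empty passwords, the second UID 0 account (and the shared UID), the shadowed account toor with no shadow line, and a shadow line (erin) with no passwd account. A clean run prints nothing, which makes the script suitable for a periodic cron job whose output is mailed only when something is wrong.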
TCB files:
-
Protected Password database
(/tcb/files/auth/[a-z]/username, where the single-letter directory
is the first letter of the user name).
This database implements the requirements for the C2 level of trust as
defined by the Trusted Computer System Evaluation Criteria (TCSEC).
It contains the encrypted password of the user.
If the user has specific system privileges, password parameters,
and so forth that override the System Defaults database, they are stored here.
The format of this file is described in
authcap(F).
-
System Defaults database (/etc/auth/system/default).
This contains the system-wide account defaults.
The contents of this file are determined by the security profiles
selected (Low, Traditional, Improved, or High).
Changes to this file take effect for all user accounts, except where a user's
Protected Password entry sets a specific value that overrides the default.
The format of this file is described in the
authcap(F)
manual page.
All database files are updated automatically when a change is made
from the Account Manager or the command line.
NOTE:
In the event of a discrepancy between these files, either
the UNIX System V files or the TCB databases are
used as the master to bring them into agreement.
In the Low and Traditional
security profiles,
the UNIX System V files are the master.
You can also configure
which set of files is used as the master set -- see
``Configuring database precedence and recovery''.
© 2003 Caldera International, Inc. All rights reserved.
SCO OpenServer Release 5.0.7 -- 11 February 2003