The 'chuser' command modifies the characteristics of an AIX user.

It can be used to change the home directory, the primary group, or the resource consumption limits.

To allow a user to log in to a server remotely over the network, run the command:

# chuser rlogin=true  user1

Similarly, the maximum file size can be changed with the command:

# chuser fsize=-1  user1                      # Here, we remove any limit for this user 'user1'.
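
The two commands above set rlogin and fsize, which chuser stores in the stanza files /etc/security/user and /etc/security/limits. The script below is an added example, not part of the original page or of the IBM documentation: it resolves each account's effective value (user stanza first, then 'default') and reports settings that loosen login or resource controls. The sample stanzas, the account name svcadm and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit attributes that chuser writes to AIX stanza files.
# Stanza layout: "name:" at column 0, then indented "attr = value" lines;
# lines starting with "*" are comments.

# Constructed sample data, not taken from a real host.
sample_user() {
cat <<'EOF'
* /etc/security/user (constructed sample)
default:
        admin = false
        rlogin = true
        loginretries = 0
        minlen = 0

root:
        admin = true
        rlogin = false
        loginretries = 5
        minlen = 8

user1:
        minalpha = 2
        minother = 1

svcadm:
        admin = true
EOF
}

sample_limits() {
cat <<'EOF'
* /etc/security/limits (constructed sample)
default:
        fsize = 2097151

user1:
        fsize = -1
EOF
}

# One awk program, two modes: "get" prints one effective value,
# any other mode prints one finding per line.
STANZA_AWK='
function eff(u, a) {   # value from the user stanza, else from "default"
    return ((u, a) in val) ? val[u, a] : val["default", a]
}
function num(s) { return s + 0 }   # an unset attribute counts as 0
/^[ \t]*\*/ || /^[ \t]*$/ { next }
/^[^ \t][^:]*:[ \t]*$/ {
    sub(/:[ \t]*$/, ""); stanza = $0
    if (stanza != "default" && !(stanza in seen)) {
        seen[stanza] = 1; order[++n] = stanza
    }
    next
}
{
    eq = index($0, "="); if (eq == 0 || stanza == "") next
    k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
    sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k)
    sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
    val[stanza, k] = v
}
END {
    if (mode == "get") { print eff(user, attr); exit }
    for (i = 1; i <= n; i++) {
        u = order[i]
        # rlogin defaults to true, so only an explicit false disables it
        if (eff(u, "admin") == "true" && eff(u, "rlogin") != "false")
            print u ": admin account with rlogin enabled (telnet/rlogin access)"
        if (num(eff(u, "loginretries")) <= 0)
            print u ": loginretries <= 0, failed logins never lock the account"
        # effective minimum length = max(minlen, minalpha + minother),
        # with minother reduced so that the sum does not exceed 8
        a = num(eff(u, "minalpha")); o = num(eff(u, "minother"))
        if (a + o > 8) o = 8 - a
        len = num(eff(u, "minlen")); if (a + o > len) len = a + o
        if (len == 0) print u ": no minimum password length"
        f = eff(u, "fsize")
        if (f == "-1" || f == "unlimited") print u ": fsize unlimited"
    }
}'

# effective_attr USER ATTR   (stanza file contents on stdin)
effective_attr() {
    awk -v mode=get -v user="$1" -v attr="$2" "$STANZA_AWK"
}

# audit_stanzas   (stanza file contents on stdin, findings on stdout)
audit_stanzas() {
    awk -v mode=audit "$STANZA_AWK"
}

# Stand-alone run over the constructed samples. On AIX, as root:
#   cat /etc/security/user /etc/security/limits | audit_stanzas
{ sample_user; sample_limits; } | audit_stanzas
```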

 

 

Below is the official documentation for the command in V6.1.

 

chuser Command

Purpose

       Changes user attributes.

Syntax

       chuser [ -R load_module ] Attribute=Value ... Name

Description
       Attention: Do not use the chuser command if you have a Network Information Service (NIS) database installed on
       your system.

       The chuser command changes attributes for the user identified by the Name parameter. The user name must
       already exist. To change an attribute, specify the attribute name and the new value with the Attribute=Value
       parameter. The following files contain local user attributes that are set by this command:
       *    /etc/passwd
       *    /etc/security/environ
       *    /etc/security/limits
       *    /etc/security/user
       *    /etc/security/user.roles
       *    /etc/security/audit/config
       *    /etc/group
       *    /etc/security/group

       To change attributes for a user with an alternate Identification and Authentication (I&A) mechanism, the -R
       flag can be used to specify the I&A load module that user is defined under. If the -R flag is not specified,
       the chuser command treats the user as a local user. Load modules are defined in the
       /usr/lib/security/methods.cfg file.

       If you specify a single incorrect attribute or attribute value with the chuser command, the command does not
       change any attribute.

       You can use the Users application in Web-based System Manager (wsm) or the System Management Interface Tool
       (SMIT) smit chuser fast path to change user characteristics.

       Changing the ID for an account can compromise system security and as a result one should not do so. However,
       when the ID is changed using the chuser command, ID collision checking is also controlled by the dist_uniqid
       attribute in the usw stanza of the /etc/security/login.cfg file. The behavior of ID collision control is the
       same as that described for the mkuser command.

       Restrictions on Changing Users

       To ensure the integrity of user information, some restrictions apply when using the chuser command. Only the
       root user or users with UserAdmin authorization can use the chuser command to perform the following tasks:
       *    Make a user an administrative user by setting the admin attribute to true.
       *    Change any attributes of an administrative user.
       *    Add a user to an administrative group.

       An administrative group is a group with the admin attribute set to true. Members of the security group can
       change the attributes of non-administrative users and add users to non-administrative groups.

       The chuser command manipulates local user data only. You cannot use it to change data in registry servers like
       NIS and DCE.

Flags

       Item
            Description
       -R load_module
            Specifies the loadable I&A module used to change the user's attributes.

Attributes

       If you have the proper authority, you can set the following user attributes:
       Item
            Description
       account_locked
            Indicates if the user account is locked. Possible values include:
              true
                   The user's account is locked. The values yes, true, and always are equivalent. The user is denied
                   access to the system.
              false
                   The user's account is not locked. The values no, false, and never are equivalent. The user is
                   allowed access to the system. This is the default value.
       admin
            Defines the administrative status of the user. Possible values are:
              true
                   The user is an administrator. Only the root user can change the attributes of users defined as
                   administrators.
              false
                   The user is not an administrator. This is the default value.
       admgroups
            Lists the groups the user administrates. The Value parameter is a comma-separated list of group names.
       auditclasses
            Lists the user's audit classes. The Value parameter is a list of comma-separated classes, or a value of
            ALL to indicate all audit classes.
       auth1
            Lists the primary methods for authenticating the user. The Value parameter is a comma-separated list of
            Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter is
            the user to authenticate. If you do not specify a Name parameter, the name of the invoking login program
            is used.

            Valid authentication methods are defined in the /etc/security/login.cfg file. By default, the SYSTEM
            method and local password authentication are used. The NONE method indicates that no primary
            authentication check is made.
       auth2
            Lists the secondary methods used to authenticate the user. The Value parameter is a comma-separated list
            of Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter
            value is the user to authenticate.

            If this attribute is not specified, the default is NONE, indicating that no secondary authentication
            check is made. Valid authentication methods are defined in the /etc/security/login.cfg file. If you do
            not specify a Name parameter, the name of the invoking login program is used.
       capabilities
            Defines the system privileges (capabilities) which are granted to a user by the login or su commands.
            Valid capabilities are:
              CAP_AACCT
                   Performed Advanced Accounting operations.
              CAP_ARM_APPLICATION
                   A process has the ability to use the ARM (Application Response Measurement) services.
              CAP_BYPASS_RAC_VMM
                   A process has the ability to bypass restrictions on VMM resource usage.
              CAP_EWLM_AGENT
                   A process has the ability to use the EWLM (Enterprise Workload Manager) AIX system services. This
                   capability is typically only granted to the userid that runs the EWLM product's Managed Server
                   Component.
              CAP_NUMA_ATTACH
                   A process has the ability to bind to specific resources.
              CAP_PROPAGATE
                   All capabilities are inherited by child processes.
            The value is a comma-separated list of zero or more capability names.
       core
            Specifies the soft limit for the largest core file a user's process can create. The Value parameter is an
            integer representing the number of 512-byte blocks.
       core_compress
            Enables or disables core file compression. Valid values for this attribute are On and Off. If this
            attribute has a value of On, compression is enabled; otherwise, compression is disabled. The default
            value of this attribute is Off.
       core_hard
            Specifies the largest core file a user's process can create. The Value parameter is an integer
            representing the number of 512-byte blocks.
       core_naming
            Selects a choice of core file naming strategies. Valid values for this attribute are On and Off. A value
            of On enables core file naming in the form core.pid.time, which is the same as what the CORE_NAMING
            environment variable does. A value of Off uses the default name of core.
       core_path
            Enables or disables core file path specification. Valid values for this attribute are On and Off. If this
            attribute has a value of On, core files will be placed in the directory specified by core_pathname (the
            feature is enabled); otherwise, core files are placed in the user's current working directory. The
            default value of this attribute is Off.
       core_pathname
            Specifies a location to be used to place core files, if the core_path attribute is set to On. If this is
            not set and core_path is set to On, core files will be placed in the user's current working directory.
            This attribute is limited to 256 characters.
       cpu
            Identifies the soft limit for the largest amount of system unit time (in seconds) that a user's process
            can use. The Value parameter is an integer. All negative values are considered as unlimited.
       cpu_hard
            Identifies the largest amount of system unit time (in seconds) that a user's process can use. The Value
            parameter is an integer. The default value is -1 which turns off restrictions.
       daemon
            Indicates whether the user specified by the Name parameter can run programs using the cron daemon or the
            src (system resource controller) daemon. Possible values are:
              true
                   The user can initiate cron and src sessions. This is the default.
              false
                   The user cannot initiate cron and src sessions.
       data
            Specifies the soft limit for the largest data segment for a user's process. The Value parameter is an
            integer representing the number of 512-byte blocks. The minimum allowable value for this attribute is
            1272. Specify -1 to make it unlimited.
       data_hard
            Specifies the largest data segment for a user's process. The Value parameter is an integer representing
            the number of 512-byte blocks. The minimum allowable value for this attribute is 1272. Specify -1 to make
            it unlimited.
       default_roles
            Specifies the default roles for the user. The Value parameter, a comma-separated list of valid role
            names, can only contain roles assigned to the user in the roles attribute. You can use the ALL keyword to
            signify that the default roles for the user are all their assigned roles.
       dictionlist
            Defines the password dictionaries used by the composition restrictions when checking new passwords.

            The password dictionaries are a list of comma-separated absolute path names, evaluated from left to
            right. All dictionary files and directories must be write protected from all users except root. The
            dictionary files are formatted one word per line. The word starts in the first column and terminates with
            a newline character. Only 7 bit ASCII words are supported for passwords.

            If you install the text processing tool on your system, the recommended dictionary file is the
            /usr/share/dict/words file.
       domains
            Defines the list of domains that the user belongs to.
       expires
            Identifies the expiration date of the account. The Value parameter is a 10-character string in the
            MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years
            1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire.
            The default is 0. See the date command for more information.
       fsize
            Defines the soft limit for the largest file a user's process can create or extend. The Value parameter is
            an integer representing the number of 512-byte blocks. To make files greater than 2G, specify -1 or
            unlimited. The minimum value for this attribute is 8192.
       fsize_hard
            Defines the largest file a user's process can create or extend. The Value parameter is an integer
            representing the number of 512-byte blocks. To make files greater than 2G, specify -1 or unlimited. The
            minimum value for this attribute is 8192.
       gecos
            Supplies general information about the user specified by the Name parameter. The Value parameter is a
            string with no embedded : (colon) characters and cannot end with the characters '#!'.
       groups
            Identifies the groups the user belongs to. The Value parameter is a comma-separated list of group names.
       histexpire
            Defines the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer
            string. The default is 0, indicating that no time limit is set. Only an administrative user can change
            this attribute.
       histsize
            Defines the number of previous passwords a user cannot reuse. The value is a decimal integer string. The
            default is 0. Only an administrative user can change this attribute.
       home
            Identifies the home directory of the user specified by the Name parameter. The Value parameter is a full
            path name.
       id
            Specifies the user ID. The Value parameter is a unique integer string. Changing this attribute
            compromises system security and, for this reason, you should not change this attribute.
       login
            Indicates whether the user can log in to the system with the login command. Possible values are:
              true
                   The user can log in to the system. This is the default.
              false
                   The user cannot log in to the system.
       loginretries
            Defines the number of unsuccessful login attempts allowed after the last successful login before the
            system locks the account. The value is a decimal integer string. A zero or negative value indicates that
            no limit exists. Once the user's account is locked, the user will not be able to log in until the system
            administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to
            be less than the value of loginretries. To do this, enter the following:

            chsec -f /etc/security/lastlog -s username -a \
            unsuccessful_login_count=0
       logintimes
            Defines the days and times that the user is allowed to access the system. The value is a comma-separated
            list of entries in one of the following formats:

            [!]:<time>-<time>

            [!]<day>[-<day>][:<time>-<time>]

            [!]<month>[<daynum>][-<month>[<daynum>]][:<time>-<time>]

            Possible values for <day> include mon, tues, w, THU, Friday, sat, and SUNDAY. Indicate the day value as
            any abbreviated day of the week; however, the abbreviation must be unique with respect to both day and
            month names. The range of days can be circular, such as Tuesday-Monday. Day names are case insensitive.

            Possible values for <time> include times specified in 24-hour military format. Precede the time value
            with a : (colon) and specify a string of 4 characters. Leading zeros are required. Thus, 0800 (8am) is
            valid while 800 is not valid. An entry consisting of only a specified time period applies to every day.
            The start hour must be less than the end hour. The time period cannot flow into the next day.

            Possible values for <month> include Jan, F, march, apr, and s. Indicate the month value as any
            abbreviated month; however, the abbreviation must be unique with respect to both day and month names. The
            range of months can be circular, such as September-June. Month names are case insensitive.

            Possible values for <daynum> include days 1-31 of a month. This value is checked against the specified
            month. Specify the month value as either a 1 or 2 character string. A month specified without a daynum
            value indicates the first or last day of the month, depending on if the month is the start or end month
            specified, respectively.

            Entries prefixed with ! (exclamation point) deny access to the system and are called DENY entries.
            Entries without the ! prefix allow access and are called ACCESS entries. The ! prefix applies to single
            entries and must prefix each entry. Currently, the system allows 200 entries per user.

            This attribute is internationalized. Month and day names can be entered and are displayed in the language
            specified by the locales variables set for the system. The relative order of the month and day values are
            also internationalized; the <month><daynum> and <daynum><month> formats are accepted.

            The system evaluates entries in the following order:
              1    All DENY entries. If an entry matches the system time, the user is denied access and the ALLOW
                   entries are not processed.
              2    All ALLOW entries, if no DENY entries exist. If an ALLOW entry matches the system time, the user
                   is allowed access. If an ALLOW entry does not match the system time, the user is denied access. If
                   no ALLOW entry exists, the user is permitted to log in.
       maxage
            Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is
            a decimal integer string. The default is a value of 0, indicating no maximum age. Range: 0 to 52
       maxexpired
            Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password.
            After this defined time, only an administrative user can change the password. The value is a decimal
            integer string. The default is -1, indicating restriction is set. If the maxexpired attribute is 0, the
            password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is
            ignored. Range: 0 to 52 (a root user is exempt from maxexpired)
       maxrepeats
            Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is
            meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal
            integer string. Range: 0 to 8
       maxulogs
            Specifies the maximum number of concurrent logins per user. If the concurrent login number for a user
            exceeds the maximum number of allowed logins, the login is denied.
       minage
            Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal
            integer string. The default is a value of 0, indicating no minimum age. Range: 0 to 52
       minalpha
            Defines the minimum number of alphabetic characters that must be in a new password. The value is a
            decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to 8
       mindiff
            Defines the minimum number of characters required in a new password that were not in the old password.
            The value is a decimal integer string. The default is a value of 0, indicating no minimum number. Range:
            0 to 8
       minlen
            Defines the minimum length of a password. The value is a decimal integer string. The default is a value
            of 0, indicating no minimum length. The maximum value allowed is 8. This attribute is determined by
            minlen and/or 'minalpha + minother', whichever is greater. 'minalpha + minother' should
            never be greater than 8. If 'minalpha + minother' is greater than 8, then the effective value for
            minother is reduced to '8 - minalpha'.
       minother
            Defines the minimum number of non-alphabetic characters that must be in a new password. The value is a
            decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to 8
       nofiles
            Defines the soft limit for the number of file descriptors a user process may have open at one time. The
            Value parameter is an integer.
       nofiles_hard
            Defines the hard limit for the number of file descriptors a user process may have open at one time. The
            Value parameter is an integer. The default value is -1, which sets the limit to the maximum allowed by
            the system.
       nproc
            Defines the soft limit on the number of processes a user can have running at one time. The Value
            parameter is an integer equal to or greater than 1. The default value is -1, which sets the limit to the
            maximum allowed by the system.
       nproc_hard
            Defines the hard limit on the number of processes a user can have running at one time. The Value
            parameter is an integer equal to or greater than 1. The default value is -1, which sets the limit to the
            maximum allowed by the system.
       pgrp
            Identifies the user's primary group. The Value parameter must contain a valid group name and cannot be a
            null value.
       projects
            Defines the list of projects to which the user's processes can be assigned. The value is a list of
            comma-separated project names and is evaluated from left to right. The project name should be a valid
            project name as defined in the system. If an invalid project name is found on the list, it will be
            reported as an error.
       pwdchecks
            Defines the password restriction methods enforced on new passwords. The value is a list of comma-
            separated method names and is evaluated from left to right. A method name is either an absolute path name
            or a path name relative to /usr/lib of an executable load module.
       pwdwarntime
            Defines the number of days before the system issues a warning that a password change is required. The
            value is a decimal integer string. A zero or negative value indicates that no message is issued. The
            value must be less than the difference of the maxage and minage attributes. Values greater than this
            difference are ignored and a message is issued when the minage value is reached.
       rcmds
            Controls the remote execution of the r-commands (rsh, rexec, and rcp). Possible values are as follows:
              allow
                   Allows this user to perform remote command execution. This is the default value.
              deny
                   Denies this user the ability to use remote command execution.
              hostlogincontrol
                   Specifies that the ability of remote command execution is determined by the hostsallowedlogin and
                   hostsdeniedlogin attributes. The user is only allowed to execute remote commands on a target
                   system if the user (or target user) is allowed to log in the target system. This value is
                   typically used for users defined in a centralized user database, such as LDAP, where the user
                   might be allowed to log in to some systems but not others.

            Note: The rcmds attribute controls only remote command execution. It does not control r-command
            functionality to open a remote shell. Login functions such as this are controlled by the rlogin,
            hostsallowedlogin, and hostsdeniedlogin attributes.

            Although the deprecated ttys attribute value !rsh, which is effectively the same as setting the rcmds
            attribute to deny, is still supported for purposes of backward compatibility, the rcmds attribute should
            be used instead to control the execution of r-commands.
       rlogin
            Permits access to the account from a remote location with the telnet or rlogin commands. Possible values
            are:
              true
                   The user account can be accessed remotely. This is the default rlogin value.
              false
                   The user cannot be accessed remotely.
       roles
            Lists the administrative roles for this user. The Value parameter is a list of role names, separated by
            commas.
       rss
            The soft limit for the largest amount of physical memory a user's process can allocate. The Value
            parameter is a decimal integer string specified in units of 512-byte blocks. This value is not currently
            enforced by the system.
       rss_hard
            The largest amount of physical memory a user's process can allocate. The Value parameter is a decimal
            integer string specified in units of 512-byte blocks. This value is not currently enforced by the system.
       shell
            Defines the program run for the user at session initiation. The Value parameter is a full path name.
       stack
            Specifies the soft limit for the largest process stack segment for a user's process. The Value parameter
            is an integer representing the number of 512-byte blocks to allot. The minimum allowable value for this
            attribute is 49.
       stack_hard
            Specifies the largest process stack segment of a user's process. The Value parameter is an integer
            representing the number of 512-byte blocks to allot. The minimum allowable value for this attribute is
            49. The largest allowable value for this parameter is 2147483647.
       su
            Indicates whether another user can switch to the specified user account with the su command. Possible
            values are:
              true
                   Another user can switch to the specified account. This is the default.
              false
                   Another user cannot switch to the specified account.
       sugroups
            Lists the groups that can use the su command to switch to the specified user account. The Value parameter
            is a comma-separated list of group names, or a value of ALL to indicate all groups. An ! (exclamation
            point) in front of a group name excludes that group. If this attribute is not specified, all groups can
            switch to this user account with the su command.
       sysenv
            Identifies the system-state (protected) environment. The Value parameter is a set of comma-separated
            Attribute=Value pairs as specified in the /etc/security/environ file.
       threads
            Specifies the soft limit for the largest number of threads that a user process can create. The Value
            parameter is an integer equal to or greater than 1, representing the number of threads each user process
            can create. This limit is enforced by both the kernel and the user space pthread library.
       threads_hard
            Specifies the largest possible number of threads that a user process can create. The Value parameter is
            an integer equal to or greater than 1, representing the number of threads each user process can create.
            This limit is enforced by both the kernel and the user space pthread library.
       tpath
            Indicates the user's trusted path status. The possible values are:
              always
                   The user can only execute trusted processes. This implies that the user's initial program is in
                   the trusted shell or some other trusted process.
              notsh
                   The user cannot invoke the trusted shell on a trusted path. If the user enters the secure
                   attention key (SAK) after logging in, the login session ends.
              nosak
                   The secure attention key (SAK) is disabled for all processes run by the user. Use this value if
                   the user transfers binary data that may contain the SAK sequence. This is the default value.
              on
                   The user has normal trusted path characteristics and can invoke a trusted path (enter a trusted
                   shell) with the secure attention key (SAK).
       ttys
            Lists the terminals that can access the account specified by the Name parameter. The Value parameter is a
            comma-separated list of full path names, or a value of ALL to indicate all terminals. An ! (exclamation
            point) in front of a terminal name excludes that terminal. If this attribute is not specified, all
            terminals can access the user account.
       umask
            Determines file permissions. This value, along with the permissions of the creating process, determines a
            file's permissions when the file is created. The default is 022.
       usrenv
            Defines the user-state (unprotected) environment. The Value parameter is a set of comma-separated
            Attribute=Value pairs as specified in the /etc/security/environ file.
       efs_keystore_access
            Specifies the database type of the user keystore. You can specify the following values:
              file
                   Creates the /var/efs/users/usrname/keystore keystore file associated with the user.
              none
                   Keystore is not created. All the other keystore attributes have no effect.
            The default value is file.

            Restriction: The attribute is valid only when the system is EFS-enabled.
       efs_adminks_access
            Represents the database type for the efs_admin keystore. The only valid value is file.

            Restriction: The attribute is valid only when the system is EFS-enabled.
       efs_initialks_mode
            Specifies the initial mode of the user keystore. You can specify the following values:
              admin
                   Root or other security privileged system users can open the keystore using the admin key and reset
                   the keystore password.
              guard
                   Root users cannot open the keystore using the admin key or reset the keystore password.
            The default value is admin.

            The attribute specifies the initial mode of the user keystore. You can use the attribute with the mkuser
            command. After the keystore has been created, changing the attribute value with the chuser, chgroup, or
            chsec command, or manual editing does not change the mode of the keystore unless the keystore is deleted
            and a new one is created. To change the keystore mode, use the efskeymgr command.

            Restriction: The attribute is valid only when the system is EFS-enabled.
       efs_allowksmodechangebyuser
            Specifies whether the mode can be changed. You can specify the following values:
              *    yes
              *    no
            The default value is yes.

            Restriction: The attribute is valid only when the system is EFS-enabled.

       efs_keystore_algo
            Specifies the algorithm that is used to generate the private key of the user during the keystore
            creation. You can specify the following values:
              *    RSA_1024
              *    RSA_2048
              *    RSA_4096
            The default value is RSA_1024.

            You can use the attribute with the mkuser command. After the keystore has been created, changing the
            value of this attribute with the chuser, chgroup, or chsec command, or manual editing does not regenerate
            the private key unless the keystore is deleted and a new one is created. To change the algorithm for the
            keys, use the efskeymgr command.

            Restriction: The attribute is valid only when the system is EFS-enabled.
       efs_file_algo
            Specifies the encryption algorithm for user files. You can specify the following values:
              *    AES_128_CBC
              *    AES_128_ECB
              *    AES_192_CBC
              *    AES_192_ECB
              *    AES_256_CBC
              *    AES_256_ECB
            The default value is AES_128_CBC.

            Restriction: The attribute is valid only when the system is EFS-enabled.
       minsl
            Defines the minimum sensitivity-clearance level that the user can have.

            Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Clearances"
            section of the /etc/security/enc/LabelEncodings file for the system. The value must be defined in
            quotation marks if it has white spaces. The minsl value must be dominated by the defsl value for the
            user.
       maxsl
            Defines the maximum sensitivity-clearance level that the user can have.

            Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Clearances"
            section of the /etc/security/enc/LabelEncodings file. The value must be defined in quotation marks if it
            has white spaces. The maxsl value must dominate the defsl value for the user.
       defsl
            Defines the default sensitivity level that the user is assigned during login.

            Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Clearances"
            section of the /etc/security/enc/LabelEncodings file. The value must be defined in quotation marks if it
            has white spaces. The defsl value must dominate the minsl value and be dominated by the maxsl value.
       mintl
            Defines the minimum integrity clearance level that the user can have.

            Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Sensitivity
            labels" section of the /etc/security/enc/LabelEncodings file. If the optional "Integrity labels" section
            is defined in the /etc/security/enc/LabelEncodings file, the value must be from this section. The value
            must be defined in quotation marks if it contains white spaces. The mintl value must be dominated by the
            deftl value for the user.
       maxtl
            Defines the maximum integrity clearance level that the user can have.

            Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Sensitivity
            labels" section of the /etc/security/enc/LabelEncodings file. If the optional "Integrity labels" section
            is defined in the /etc/security/enc/LabelEncodings file, the value must be from this section. The value
            must be defined in quotation marks if it contains white spaces. The maxtl value must dominate the deftl
            value for the user.
       deftl
            Defines the default integrity clearance level that the user is assigned during login.

            Note: This attribute is valid only for Trusted AIX. The valid values are defined in the "Sensitivity
            labels" section of the /etc/security/enc/LabelEncodings file. If the optional "Integrity labels" section
            is defined in the /etc/security/enc/LabelEncodings file, the value must be from this section. The value
            must be defined in quotation marks if it contains white spaces. The deftl value must dominate the mintl
            value and be dominated by the maxtl value.
       minloweralpha
            Defines the minimum number of lower case alphabetic characters that must be in a new password. The value
            is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to
            PW_PASSLEN.
       minupperalpha
            Defines the minimum number of upper case alphabetic characters that must be in a new password. The value
            is a decimal integer string. The default is a value of 0, indicating no minimum number. Range: 0 to
            PW_PASSLEN.
       mindigit
            Defines the minimum number of digits that must be in a new password. The value is a decimal integer
            string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN.
       minspecialchar
            Defines the minimum number of special characters that must be in a new password. The value is a decimal
            integer string. The default is a value of 0, indicating no minimum number. Range: 0 to PW_PASSLEN.

Security

       Access Control

       This command must grant execute (x) access only to the root user and the security group. This command must be
       installed as a program in the trusted computing base (TCB). The command must be owned by the root user with
       the setuid (SUID) bit set.

       On a Trusted AIX system, only users with the aix.mls.clear.write authorization can modify the attributes
       minsl, maxsl, defsl, mintl, maxtl and deftl.

       Auditing Events
       Event
            Information
       USER_Change
            user, attributes

       Files Accessed
       Mode
            File
       rw
            /etc/passwd
       rw
            /etc/security/user
       rw
            /etc/security/user.roles
       rw
            /etc/security/limits
       rw
            /etc/security/environ
       rw
            /etc/security/audit/config
       rw
            /etc/group

       rw
            /etc/security/group
       r
            /etc/security/enc/LabelEncodings
       r
            /etc/security/domains

       Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged
       users can run privileged operations. For more information about authorizations and privileges, see Privileged
       Command Database in Security. For a list of privileges and the authorizations associated with this command,
       see the lssecattr command or the getcmdattr subcommand. To get the full functionality of the command, besides
       the accessauths, the role should also have the following authorizations:
       *    aix.security.user.audit
       *    aix.security.role.assign
       *    aix.security.group.change

Limitations

       Changing a user's attributes may not be supported by all loadable I&A modules. If the loadable I&A module does
       not support changing a user's attributes, an error is reported.

Examples
       1    To enable user smith to access this system remotely, type:

            chuser  rlogin=true  smith
       2    To change the expiration date for the davis user account to 8 a.m., 1 May, 1995, type:

            chuser  expires=0501080095  davis
       3    To add davis to the groups finance and accounting, type:

            chuser  groups=finance,accounting  davis
       4    To change the user davis, who was created with the LDAP load module, to not be allowed remote access,
            type:

            chuser -R LDAP rlogin=false davis
       5    To change the domains of the user davis, type:

            chuser domains=INTRANET,APPLICATION davis
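
An added example, not part of the IBM documentation or of the original page: a shell function that reads a stanza file in the /etc/security/user layout and reports, per user, the EFS and password-composition attributes described above that resolve to weak values once the default stanza and the documented built-in defaults are applied. The function names, the sample stanzas and the findings policy (flag RSA_1024, any ECB mode, and all four composition minimums at 0) are assumptions made for this example.

```shell
# Constructed sample in the /etc/security/user stanza layout (not real data).
sample_user_file() {
cat <<'EOF'
default:
        efs_file_algo = AES_128_CBC
        mindigit = 0
smith:
        efs_keystore_algo = RSA_4096
        efs_file_algo = AES_256_ECB
        mindigit = 1
davis:
        rlogin = false
EOF
}

# Hypothetical helper: one "user:attribute=value:reason" line per finding; reads files or stdin.
audit_user_stanzas() {
    awk '
    BEGIN {  # built-in defaults as given in the attribute descriptions
        dflt["efs_keystore_algo"] = "RSA_1024"; dflt["efs_file_algo"] = "AES_128_CBC"
        n = split("minloweralpha minupperalpha mindigit minspecialchar", comp, " ")
    }
    function eff(u, a) {  # user stanza, then default stanza, then built-in
        if ((u, a) in cfg) return cfg[u, a]
        if (("default", a) in cfg) return cfg["default", a]
        return (a in dflt) ? dflt[a] : 0      # composition minimums default to 0
    }
    /^[ \t]*\*/ { next }                      # "*" comment lines
    /^[^ \t=]+:[ \t]*$/ {                     # stanza header "name:"
        user = $1; sub(/:$/, "", user)
        if (user != "default") order[++users] = user
    }
    /=/ {                                     # "attribute = value"
        attr = $0; sub(/[ \t]*=.*/, "", attr); sub(/^[ \t]+/, "", attr)
        val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
        cfg[user, attr] = val
    }
    END {
        for (j = 1; j <= users; j++) {
            u = order[j]; f = eff(u, "efs_file_algo"); total = 0
            if (eff(u, "efs_keystore_algo") == "RSA_1024")
                print u ":efs_keystore_algo=RSA_1024:1024-bit RSA key"
            if (f ~ /_ECB$/) print u ":efs_file_algo=" f ":ECB mode"
            for (i = 1; i <= n; i++) total += eff(u, comp[i])
            if (total == 0) print u ":password_composition=0:no minimum set"
        }
    }' "$@"
}
sample_user_file | audit_user_stanzas   # demo run on the constructed sample
```

As the efs_keystore_algo description states, a stanza value only takes effect when a keystore is created, so a finding on an account with an existing keystore is resolved with efskeymgr rather than chuser.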

Files

       Item
            Description
       /usr/bin/chuser
            Contains the chuser command.
       /etc/passwd
            Contains the basic attributes of users.
       /etc/group
            Contains the basic attributes of groups.
       /etc/security/group
            Contains the extended attributes of groups.
       /etc/security/user
            Contains the extended attributes of users.
       /etc/security/user.roles
            Contains the administrative role attributes of users.
       /etc/security/lastlog
            Contains the last login attributes of users.
       /etc/security/limits
            Defines resource quotas and limits for each user.
       /etc/security/audit/config
            Contains audit configuration information.
       /etc/security/environ
            Contains the environment attributes of users.
       /etc/security/enc/LabelEncodings
            Contains the label definitions for the Trusted AIX system.
       /etc/security/domains
            Contains the valid domain definitions for the system.
