chuser Attribute=Value ... Name
Attention: Do not use the chuser command if you have a Network Information Service (NIS) database installed on your system.
The chuser command changes attributes for the user identified by the Name parameter. The user name must already exist as an alphanumeric string of 8 bytes or less. To change an attribute, specify the attribute name and the new value with the Attribute=Value parameter. The following files contain user attributes that are set by this command:
If you specify a single incorrect attribute or attribute value with the chuser command, the command does not change any attribute. You can also run this command from the Web-based System Manager Users application (wsm users fast path) or from the System Management Interface Tool (SMIT) with the smit chuser fast path.
To ensure the integrity of user information, some restrictions apply when using the chuser command. Only the root user can use the chuser command to perform the following tasks:
An administrative group is a group with the admin attribute set to true. Members of the security group can change the attributes of nonadministrative users and add users to nonadministrative groups.
The chuser command manipulates local user data only. You cannot use it to change data in registry servers like NIS and DCE.
If you have the proper authority you can set the following user attributes:
Attribute | Description |
---|---|
account_locked | Indicates if the user account is locked. Possible values include: |
admin | Defines the administrative status of the user. Possible values are: |
admgroups | Lists the groups the user administrates. The Value parameter is a comma-separated list of group names. |
auditclasses | Lists the user's audit classes. The Value parameter is a list of comma-separated classes, or a value of ALL to indicate all audit classes. |
auth1 | Lists the primary methods for authenticating the user. The Value parameter is a comma-separated list of Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter is the user to authenticate. If you do not specify a Name parameter, the name of the invoking login program is used. Valid authentication methods are defined in the /etc/security/login.cfg file. By default, the SYSTEM method and local password authentication are used. The NONE method indicates that no primary authentication check is made. |
auth2 | Lists the secondary methods used to authenticate the user. The Value parameter is a comma-separated list of Method;Name pairs. The Method parameter is the name of the authentication method. The Name parameter value is the user to authenticate. If this attribute is not specified, the default is NONE, indicating that no secondary authentication check is made. Valid authentication methods are defined in the /etc/security/login.cfg file. If you do not specify a Name parameter, the name of the invoking login program is used. |
core | Specifies the soft limit for the largest core file a user's process can create. The Value parameter is an integer representing the number of 512-byte blocks. |
core_hard | Specifies the largest core file a user's process can create. The Value parameter is an integer representing the number of 512-byte blocks. This attribute applies to AIX Version 4.2 or later. |
cpu | Identifies the soft limit for the largest amount of system unit time (in seconds) that a user's process can use. The Value parameter is an integer. The default value is -1 which turns off restrictions. |
cpu_hard | Identifies the largest amount of system unit time (in seconds) that a user's process can use. The Value parameter is an integer. The default value is -1 which turns off restrictions. This attribute applies to AIX Version 4.2 or later. |
daemon | Indicates whether the user specified by the Name parameter can run programs using the cron daemon or the src (system resource controller) daemon. Possible values are: |
data | Specifies the soft limit for the largest data segment for a user's process. The Value parameter is an integer representing the number of 512-byte blocks. The minimum allowable value for this attribute is 1272. |
data_hard | Specifies the largest data segment for a user's process. The Value parameter is an integer representing the number of 512-byte blocks. The minimum allowable value for this attribute is 1272. This attribute applies to AIX Version 4.2 or later. |
dictionlist | Defines the password dictionaries used by the composition restrictions when checking new passwords. The password dictionaries are a list of comma-separated absolute path names, evaluated from left to right. All dictionary files and directories must be write protected from all users except root. The dictionary files are formatted one word per line. The word starts in the first column and terminates with a newline character. Only 7 bit ASCII words are supported for passwords. If you install text processing on your system, the recommended dictionary file is the /usr/share/dict/words file. |
expires | Identifies the expiration date of the account. The Value parameter is a 10-character string in the MMDDhhmmyy form, where MM = month, DD = day, hh = hour, mm = minute, and yy = last 2 digits of the years 1939 through 2038. All characters are numeric. If the Value parameter is 0, the account does not expire. The default is 0. See the date command for more information. |
fsize | Defines the soft limit for the largest file a user's process can create or extend. The Value parameter is an integer representing the number of 512-byte blocks. The minimum value for this attribute is 8192. |
fsize_hard | Defines the largest file a user's process can create or extend. The Value parameter is an integer representing the number of 512-byte blocks. The minimum value for this attribute is 8192. This attribute applies to AIX Version 4.2 or later. |
gecos | Supplies general information about the user specified by the Name parameter. The Value parameter is a string with no embedded : (colon) characters and cannot end with the characters '#! '. |
groups | Identifies the groups the user belongs to. The Value parameter is a comma-separated list of group names. |
histexpire | Defines the period of time (in weeks) that a user cannot reuse a password. The value is a decimal integer string. The default is 0, indicating that no time limit is set. Only an administrative user can change this attribute. |
histsize | Defines the number of previous passwords a user cannot reuse. The value is a decimal integer string. The default is 0. Only an administrative user can change this attribute. |
home | Identifies the home directory of the user specified by the Name parameter. The Value parameter is a full path name. |
id | Specifies the user ID. The Value parameter is a unique integer string. Changing this attribute compromises system security and, for this reason, you should not change this attribute. |
login | Indicates whether the user can log in to the system with the login command. Possible values are: |
loginretries | Defines the number of unsuccessful login attempts allowed after the last successful login before the system locks the account. The value is a decimal integer string. A zero or negative value indicates that no limit exists. Once the user's account is locked, the user will not be able to log in until the system administrator resets the user's unsuccessful_login_count attribute in the /etc/security/lastlog file to be less than the value of loginretries. To do this, enter the following: chsec -f /etc/security/lastlog -s username -a unsuccessful_login_count=0 |
logintimes | Defines the days and times that the user is allowed to access the system. The value is a comma-separated list of entries in one of the following formats: [!]:<time>-<time> [!]<day>[-<day>][:<time>-<time>] [!]<month>[<daynum>][-<month>[<daynum>]][:<time>-<time>] Possible values for <day> include mon, tues, w, THU, Friday, sat, and SUNDAY. Indicate the day value as any abbreviated day of the week; however, the abbreviation must be unique with respect to both day and month names. The range of days can be circular, such as Tuesday-Monday. Day names are case insensitive. Possible values for <time> include times specified in 24-hour military format. Precede the time value with a : (colon) and specify a string of 4 characters. Leading zeros are required. Thus, 0800 (8am) is valid while 800 is not valid. An entry consisting of only a specified time period applies to every day. The start hour must be less than the end hour. The time period cannot flow into the next day. Possible values for <month> include Jan, F, march, apr, and s. Indicate the month value as any abbreviated month; however, the abbreviation must be unique with respect to both day and month names. The range of months can be circular, such as September-June. Month names are case insensitive. Possible values for <daynum> include days 1-31 of a month. This value is checked against the specified month. Specify the month value as either a 1 or 2 character string. A month specified without a daynum value indicates the first or last day of the month, depending on whether the month is the start or end month, respectively. Entries prefixed with ! (exclamation point) deny access to the system and are called DENY entries. Entries without the ! prefix allow access and are called ACCESS entries. The ! prefix applies to single entries and must prefix each entry. Currently, the system allows 200 entries per user. This attribute is internationalized. Month and day names can be entered and are displayed in the language specified by the locale variables set for the system. The relative order of the month and day values is also internationalized; the <month><daynum> and <daynum><month> formats are accepted. The system evaluates entries in the following order: |
maxage | Defines the maximum age (in weeks) of a password. The password must be changed by this time. The value is a decimal integer string. The default is a value of 0, indicating no maximum age. |
maxexpired | Defines the maximum time (in weeks) beyond the maxage value that a user can change an expired password. After this defined time, only an administrative user can change the password. The value is a decimal integer string. The default is -1, indicating restriction is set. If the maxexpired attribute is 0, the password expires when the maxage value is met. If the maxage attribute is 0, the maxexpired attribute is ignored. |
maxrepeats | Defines the maximum number of times a character can be repeated in a new password. Since a value of 0 is meaningless, the default value of 8 indicates that there is no maximum number. The value is a decimal integer string. |
minage | Defines the minimum age (in weeks) a password must be before it can be changed. The value is a decimal integer string. The default is a value of 0, indicating no minimum age. |
minalpha | Defines the minimum number of alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
mindiff | Defines the minimum number of characters required in a new password that were not in the old password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
minlen | Defines the minimum length of a password. The value is a decimal integer string. The default is a value of 0, indicating no minimum length. The maximum value allowed is 8. This attribute is determined by the minalpha attribute added to the minother attribute. If the result of this addition is greater than the minlen attribute, the minimum length is set to the result. |
minother | Defines the minimum number of non-alphabetic characters that must be in a new password. The value is a decimal integer string. The default is a value of 0, indicating no minimum number. |
nofiles | Defines the soft limit for the number of file descriptors a user process may have open at one time. The Value parameter is an integer. |
nofiles_hard | Defines the hard limit for the number of file descriptors a user process may have open at one time. The Value parameter is an integer. The default value is -1, which sets the limit to the maximum allowed by the system. |
pgrp | Identifies the user's primary group. The Value parameter must contain a valid group name and cannot be a null value. |
pwdchecks | Defines the password restriction methods enforced on new passwords. The value is a list of comma-separated method names and is evaluated from left to right. A method name is either an absolute path name or a path name relative to /usr/lib of an executable load module. |
pwdwarntime | Defines the number of days before the system issues a warning that a password change is required. The value is a decimal integer string. A zero or negative value indicates that no message is issued. The value must be less than the difference of the maxage and minage attributes. Values greater than this difference are ignored and a message is issued when the minage value is reached. |
rlogin | Permits access to the account from a remote location with the telnet or rlogin commands. Possible values are: |
roles | Lists the administrative roles for this user. The Value parameter is a list of role names, separated by commas. |
rss | The soft limit for the largest amount of physical memory a user's process can allocate. The Value parameter is a decimal integer string specified in units of 512-byte blocks. This value is not currently enforced by the system. |
rss_hard | The largest amount of physical memory a user's process can allocate. The Value parameter is a decimal integer string specified in units of 512-byte blocks. This value is not currently enforced by the system. This attribute applies to AIX Version 4.2 or later. |
shell | Defines the program run for the user at session initiation. The Value parameter is a full path name. |
stack | Specifies the soft limit for the largest process stack segment for a user's process. The Value parameter is an integer representing the number of 512-byte blocks to allot. The minimum allowable value for this attribute is 49. |
stack_hard | Specifies the largest process stack segment for a user's process. The Value parameter is an integer representing the number of 512-byte blocks to allot. The minimum allowable value for this attribute is 49. This attribute applies to AIX Version 4.2 or later. |
su | Indicates whether another user can switch to the specified user account with the su command. Possible values are: |
sugroups | Lists the groups that can use the su command to switch to the specified user account. The Value parameter is a comma-separated list of group names, or a value of ALL to indicate all groups. An ! (exclamation point) in front of a group name excludes that group. If this attribute is not specified, all groups can switch to this user account with the su command. |
sysenv | Identifies the system-state (protected) environment. The Value parameter is a set of comma-separated Attribute=Value pairs as specified in the /etc/security/environ file. |
tpath | Indicates the user's trusted path status. The possible values are: |
ttys | Lists the terminals that can access the account specified by the Name parameter. The Value parameter is a comma-separated list of full path names, or a value of ALL to indicate all terminals. An ! (exclamation point) in front of a terminal name excludes that terminal. If this attribute is not specified, all terminals can access the user account. |
umask | Determines file permissions. This value, along with the permissions of the creating process, determines a file's permissions when the file is created. The default is 022. |
usrenv | Defines the user-state (unprotected) environment. The Value parameter is a set of comma-separated Attribute=Value pairs as specified in the /etc/security/environ file. |
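The composition attributes listed above (minlen, minalpha, minother, mindiff, maxrepeats, histsize, dictionlist) act together on every new password. The following Python is an added example, not chuser or AIX code: the policy values, the in-memory dictionary file and the password history are constructed for the demonstration, and the mindiff counting rule is an assumption noted in the code.

```python
from collections import Counter

# Documented defaults of the chuser password-composition attributes.
DEFAULTS = {"minlen": 0, "minalpha": 0, "minother": 0, "mindiff": 0,
            "maxrepeats": 8, "histsize": 0}

# Constructed stand-in for a dictionlist file: one 7-bit ASCII word per line.
SAMPLE_DICTIONARY = "password\nwelcome\nsecret\n"

def load_dictionary(text):
    # Words start in column 1 and end at the newline, as the file format requires.
    return {line for line in text.splitlines() if line}

def check_password(new, old, attrs=None, history=(), dictionary=frozenset()):
    """Return the chuser attributes a candidate password violates ([] means accepted).

    history lists earlier passwords, newest first; only the first histsize
    of them are compared.  mindiff is assumed (not stated on the page) to
    count new-password characters that occur nowhere in the old password.
    """
    a = {**DEFAULTS, **(attrs or {})}
    violations = []
    # minlen is raised to minalpha + minother whenever that sum is larger.
    if len(new) < max(a["minlen"], a["minalpha"] + a["minother"]):
        violations.append("minlen")
    alpha = sum(1 for c in new if c.isalpha())
    if alpha < a["minalpha"]:
        violations.append("minalpha")
    if len(new) - alpha < a["minother"]:
        violations.append("minother")
    if sum(1 for c in new if c not in old) < a["mindiff"]:
        violations.append("mindiff")
    # 8 (the default) means no maximum, and 0 is documented as meaningless.
    if 0 < a["maxrepeats"] < 8 and max(Counter(new).values(), default=0) > a["maxrepeats"]:
        violations.append("maxrepeats")
    if a["histsize"] > 0 and new in list(history)[:a["histsize"]]:
        violations.append("histsize")
    if new in dictionary:
        violations.append("dictionlist")
    return violations
```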
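The logintimes grammar above is easy to get wrong by hand (missing leading zeros, ambiguous abbreviations, day numbers that do not exist in the month). This Python parser is an added example, not AIX code: parse_entry validates one comma-separated entry against the rules stated above and returns it in structured form; it does not decide access, since the evaluation order of the entries is not given on this page.

```python
import re

DAYS = ["monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
DAYS_IN_MONTH = [31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]

def resolve_name(abbrev):
    # An abbreviation must be a unique prefix across BOTH day and month names.
    hits = [n for n in DAYS + MONTHS if n.startswith(abbrev.lower())]
    if len(hits) != 1:
        raise ValueError(f"ambiguous or unknown day/month name: {abbrev!r}")
    return ("day", DAYS.index(hits[0])) if hits[0] in DAYS else ("month", MONTHS.index(hits[0]))

def parse_time_range(text):
    # HHMM-HHMM in 24-hour form, leading zeros required, start before end, same day.
    m = re.fullmatch(r"(\d{4})-(\d{4})", text)
    if not m:
        raise ValueError(f"time range must be HHMM-HHMM with leading zeros: {text!r}")
    start, end = int(m.group(1)), int(m.group(2))
    if any(t // 100 > 23 or t % 100 > 59 for t in (start, end)):
        raise ValueError(f"not a valid 24-hour time: {text!r}")
    if start >= end:
        raise ValueError("the start hour must be less than the end hour")
    return start, end

def parse_endpoint(text, is_end):
    # <day>, <month>, <month><daynum> or <daynum><month> -> (kind, index, daynum)
    m = re.fullmatch(r"(?:([A-Za-z]+)(\d{1,2})?|(\d{1,2})([A-Za-z]+))", text)
    if not m:
        raise ValueError(f"bad day/month endpoint: {text!r}")
    kind, idx = resolve_name(m.group(1) or m.group(4))
    daynum = m.group(2) or m.group(3)
    if kind == "day":
        if daynum:
            raise ValueError("a day number may only follow a month name")
        return kind, idx, None
    # A month without a daynum means its first day (range start) or last day (range end).
    daynum = int(daynum) if daynum else (DAYS_IN_MONTH[idx] if is_end else 1)
    if not 1 <= daynum <= DAYS_IN_MONTH[idx]:
        raise ValueError(f"day {daynum} does not exist in {MONTHS[idx]}")
    return kind, idx, daynum

def parse_entry(entry):
    # One entry -> {"deny", "kind", "start", "end", "time"}; a "!" prefix marks a DENY entry.
    deny = entry.startswith("!")
    span, sep, times = (entry[1:] if deny else entry).partition(":")
    time_range = parse_time_range(times) if sep else None
    if not span and time_range:                # time-only entry applies to every day
        return {"deny": deny, "kind": "time", "start": None, "end": None, "time": time_range}
    first, _, last = span.partition("-")       # ranges may be circular (tue-mon, sep-jun)
    start = parse_endpoint(first, is_end=False)
    end = parse_endpoint(last or first, is_end=True)
    return {"deny": deny, "kind": start[0], "start": start[1:], "end": end[1:], "time": time_range}
```

Split a full attribute value on commas and call parse_entry on each piece; any ValueError identifies the entry chuser would have to reject.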
Access Control: This command should grant execute (x) access only to the root user and the security group. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.
Mode | File |
---|---|
rw | /etc/passwd |
rw | /etc/security/user |
rw | /etc/security/user.roles |
rw | /etc/security/limits |
rw | /etc/security/environ |
rw | /etc/security/audit/config |
rw | /etc/group |
rw | /etc/security/group |
Event | Information |
---|---|
USER_Change | user, attributes |
chuser rlogin=true smith
chuser expires=0501080095 davis
chuser groups=finance,accounting davis
File | Description |
---|---|
/usr/bin/chuser | Contains the chuser command. |
/etc/passwd | Contains the basic attributes of users. |
/etc/group | Contains the basic attributes of groups. |
/etc/security/group | Contains the extended attributes of groups. |
/etc/security/user | Contains the extended attributes of users. |
/etc/security/user.roles | Contains the administrative role attributes of users. |
/etc/security/lastlog | Contains the last login attributes of users. |
/etc/security/limits | Defines resource quotas and limits for each user. |
/etc/security/audit/config | Contains audit configuration information. |
/etc/security/environ | Contains the environment attributes of users. |
The chfn command, chgroup command, chgrpmem command, chsh command, lsgroup command, lsuser command, mkgroup command, mkuser command, passwd command, pwdadm command, rmgroup command, rmuser command, setgroups command, setsenv command, su command.
Security Administration in AIX Version 4.3 System Management Guide: Operating System and Devices.
Setting up and running Web-based System Management in AIX Version 4.3 System Management Guide: Operating System and Devices.
Administrative Roles Overview in AIX Version 4.3 System Management Guide: Operating System and Devices.