etc-gentoo/login.defs

#
# /etc/login.defs - Configuration control definitions for the shadow package.
#
#	$Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $
#

#
# Delay in seconds before being allowed another attempt after a login failure
# Note: When PAM is used, some modules may enfore a minimal delay (e.g.
#       pam_unix enforces a 2s delay)
#
FAIL_DELAY		3

#
# Enable logging and display of /var/log/faillog login failure info.
#
#FAILLOG_ENAB 

#
# Enable display of unknown usernames when login failures are recorded.
#
LOG_UNKFAIL_ENAB	no

#
# Enable logging of successful logins
#
LOG_OK_LOGINS		no

#
# Enable logging and display of /var/log/lastlog login time info.
#
#LASTLOG_ENAB 

#
# Enable checking and display of mailbox status upon login.
#
# Disable if the shell startup files already check for mail
# ("mailx -e" or equivalent).
#
#MAIL_CHECK_ENAB 

#
# Enable additional checks upon password changes.
#
#OBSCURE_CHECKS_ENAB 

#
# Enable checking of time restrictions specified in /etc/porttime.
#
#PORTTIME_CHECKS_ENAB 

#
# Enable setting of ulimit, umask, and niceness from passwd gecos field.
#
#QUOTAS_ENAB 

#
# Enable "syslog" logging of su activity - in addition to sulog file logging.
# SYSLOG_SG_ENAB does the same for newgrp and sg.
#
SYSLOG_SU_ENAB		yes
SYSLOG_SG_ENAB		yes

#
# If defined, either full pathname of a file containing device names or
# a ":" delimited list of device names.  Root logins will be allowed only
# upon these devices.
#
CONSOLE		/etc/securetty
#CONSOLE	console:tty01:tty02:tty03:tty04

#
# If defined, all su activity is logged to this file.
#
#SULOG_FILE	/var/log/sulog

#
# If defined, ":" delimited list of "message of the day" files to
# be displayed upon login.
#
#MOTD_FILE 
#MOTD_FILE 

#
# If defined, this file will be output before each login prompt.
#
#ISSUE_FILE	/etc/issue

#
# If defined, file which maps tty line to TERM environment parameter.
# Each line of the file is in a format something like "vt100  tty01".
#
#TTYTYPE_FILE	/etc/ttytype

#
# If defined, login failures will be logged here in a utmp format.
# last, when invoked as lastb, will read /var/log/btmp, so...
#
#FTMP_FILE 

#
# If defined, name of file whose presence which will inhibit non-root
# logins.  The contents of this file should be a message indicating
# why logins are inhibited.
#
#NOLOGINS_FILE 

#
# If defined, the command name to display when running "su -".  For
# example, if this is defined as "su" then a "ps" will display the
# command is "-su".  If not defined, then "ps" would display the
# name of the shell actually being run, e.g. something like "-sh".
#
SU_NAME		su

#
# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#
MAIL_DIR	/var/spool/mail
#MAIL_FILE	.mail

#
# If defined, file which inhibits all the usual chatter during the login
# sequence.  If a full pathname, then hushed mode will be enabled if the
# user's name or shell are found in the file.  If not a full pathname, then
# hushed mode will be enabled if the file exists in the user's home directory.
#
HUSHLOGIN_FILE	.hushlogin
#HUSHLOGIN_FILE	/etc/hushlogins

#
# If defined, either a TZ environment parameter spec or the
# fully-rooted pathname of a file containing such a spec.
#
#ENV_TZ		TZ=CST6CDT
#ENV_TZ		/etc/tzname

#
# If defined, an HZ environment parameter spec.
#
# for Linux/x86
#ENV_HZ 
# For Linux/Alpha...
#ENV_HZ 

#
# *REQUIRED*  The default PATH settings, for superuser and normal users.
#
# (they are minimal, add the rest in the shell startup files)
ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
ENV_PATH	PATH=/bin:/usr/bin

#
# Terminal permissions
#
#	TTYGROUP	Login tty will be assigned this group ownership.
#	TTYPERM		Login tty will be set to this permission.
#
# If you have a "write" program which is "setgid" to a special group
# which owns the terminals, define TTYGROUP to the group number and
# TTYPERM to 0620.  Otherwise leave TTYGROUP commented out and assign
# TTYPERM to either 622 or 600.
#
TTYGROUP	tty
TTYPERM		0600

#
# Login configuration initializations:
#
#	ERASECHAR	Terminal ERASE character ('\010' = backspace).
#	KILLCHAR	Terminal KILL character ('\025' = CTRL/U).
#	ULIMIT		Default "ulimit" value.
#
# The ERASECHAR and KILLCHAR are used only on System V machines.
# The ULIMIT is used only if the system supports it.
# (now it works with setrlimit too; ulimit is in 512-byte units)
#
# Prefix these values with "0" to get octal, "0x" to get hexadecimal.
#
ERASECHAR	0177
KILLCHAR	025
#ULIMIT		2097152

# Default initial "umask" value used by login on non-PAM enabled systems.
# Default "umask" value for pam_umask on PAM enabled systems.
# UMASK is also used by useradd and newusers to set the mode of new home
# directories.
# 022 is the default value, but 027, or even 077, could be considered
# better for privacy. There is no One True Answer here: each sysadmin
# must make up her mind.
UMASK		022

#
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
PASS_MAX_DAYS	99999
PASS_MIN_DAYS	0
#PASS_MIN_LEN 
PASS_WARN_AGE	7

#
# If "yes", the user must be listed as a member of the first gid 0 group
# in /etc/group (called "root" on most Linux systems) to be able to "su"
# to uid 0 accounts.  If the group doesn't exist or is empty, no one
# will be able to "su" to uid 0.
#
#SU_WHEEL_ONLY 

#
# If compiled with cracklib support, where are the dictionaries
#
#CRACKLIB_DICTPATH 

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN			 1000
UID_MAX			60000
# System accounts
SYS_UID_MIN		  101
SYS_UID_MAX		  999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN			 1000
GID_MAX			60000
# System accounts
SYS_GID_MIN		  101
SYS_GID_MAX		  999

#
# Max number of login retries if password is bad
#
LOGIN_RETRIES		5

#
# Max time in seconds for login
#
LOGIN_TIMEOUT		60

#
# Maximum number of attempts to change password if rejected (too easy)
#
#PASS_CHANGE_TRIES 

#
# Warn about weak passwords (but still allow them) if you are root.
#
#PASS_ALWAYS_WARN 

#
# Number of significant characters in the password for crypt().
# Default is 8, don't change unless your crypt() is better.
# Ignored if MD5_CRYPT_ENAB set to "yes".
#
#PASS_MAX_LEN		8

#
# Require password before chfn/chsh can make any changes.
#
#CHFN_AUTH 

#
# Which fields may be changed by regular users using chfn - use
# any combination of letters "frwh" (full name, room number, work
# phone, home phone).  If not defined, no changes are allowed.
# For backward compatibility, "yes" = "rwh" and "no" = "frwh".
# 
CHFN_RESTRICT		rwh

#
# Password prompt (%s will be replaced by user name).
#
# XXX - it doesn't work correctly yet, for now leave it commented out
# to use the default which is just "Password: ".
#LOGIN_STRING		"%s's Password: "

#
# Only works if compiled with MD5_CRYPT defined:
# If set to "yes", new passwords will be encrypted using the MD5-based
# algorithm compatible with the one used by recent releases of FreeBSD.
# It supports passwords of unlimited length and longer salt strings.
# Set to "no" if you need to copy encrypted passwords to other systems
# which don't understand the new algorithm.  Default is "no".
#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB	no

#
# Only works if compiled with ENCRYPTMETHOD_SELECT defined:
# If set to MD5 , MD5-based algorithm will be used for encrypting password
# If set to SHA256, SHA256-based algorithm will be used for encrypting password
# If set to SHA512, SHA512-based algorithm will be used for encrypting password
# If set to DES, DES-based algorithm will be used for encrypting password (default)
# Overrides the MD5_CRYPT_ENAB option
#
# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
#ENCRYPT_METHOD DES

#
# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
#
# Define the number of SHA rounds.
# With a lot of rounds, it is more difficult to brute forcing the password.
# But note also that it more CPU resources will be needed to authenticate
# users.
#
# If not specified, the libc will choose the default number of rounds (5000).
# The values must be inside the 1000-999999999 range.
# If only one of the MIN or MAX values is set, then this value will be used.
# If MIN > MAX, the highest value will be used.
#
# SHA_CRYPT_MIN_ROUNDS 5000
# SHA_CRYPT_MAX_ROUNDS 5000

#
# List of groups to add to the user's supplementary group set
# when logging in on the console (as determined by the CONSOLE
# setting).  Default is none.
#
# Use with caution - it is possible for users to gain permanent
# access to these groups, even when not logged in on the console.
# How to do it is left as an exercise for the reader...
#
#CONSOLE_GROUPS		floppy:audio:cdrom

#
# Should login be allowed if we can't cd to the home directory?
# Default in no.
#
DEFAULT_HOME	yes

#
# If this file exists and is readable, login environment will be
# read from it.  Every line should be in the form name=value.
#
#ENVIRON_FILE 

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD	/usr/sbin/userdel_local

#
# Enable setting of the umask group bits to be the same as owner bits
# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
# the same as gid, and username is the same as the primary group name.
#
# This also enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes

#
# If set to a non-nul number, the shadow utilities will make sure that
# groups never have more than this number of users on one line.
# This permit to support split groups (groups split into multiple lines,
# with the same group ID, to avoid limitation of the line length in the
# group file).
#
# 0 is the default value and disables this feature.
#
#MAX_MEMBERS_PER_GROUP	0

#
# If useradd should create home directories for users by default (non
# system users only)
# This option is overridden with the -M or -m flags on the useradd command
# line.
#
#CREATE_HOME     yes
saving uncommitted changes in /etc prior to emerge run 2015-02-27 00:58:55 +00:00			`#`
			`# /etc/login.defs - Configuration control definitions for the shadow package.`
			`#`
			`# $Id: login.defs 3189 2010-03-26 11:53:06Z nekral-guest $`
			`#`

			`#`
			`# Delay in seconds before being allowed another attempt after a login failure`
			`# Note: When PAM is used, some modules may enfore a minimal delay (e.g.`
			`# pam_unix enforces a 2s delay)`
			`#`
			`FAIL_DELAY 3`

			`#`
			`# Enable logging and display of /var/log/faillog login failure info.`
			`#`
			`#FAILLOG_ENAB`

			`#`
			`# Enable display of unknown usernames when login failures are recorded.`
			`#`
			`LOG_UNKFAIL_ENAB no`

			`#`
			`# Enable logging of successful logins`
			`#`
			`LOG_OK_LOGINS no`

			`#`
			`# Enable logging and display of /var/log/lastlog login time info.`
			`#`
			`#LASTLOG_ENAB`

			`#`
			`# Enable checking and display of mailbox status upon login.`
			`#`
			`# Disable if the shell startup files already check for mail`
			`# ("mailx -e" or equivalent).`
			`#`
			`#MAIL_CHECK_ENAB`

			`#`
			`# Enable additional checks upon password changes.`
			`#`
			`#OBSCURE_CHECKS_ENAB`

			`#`
			`# Enable checking of time restrictions specified in /etc/porttime.`
			`#`
			`#PORTTIME_CHECKS_ENAB`

			`#`
			`# Enable setting of ulimit, umask, and niceness from passwd gecos field.`
			`#`
			`#QUOTAS_ENAB`

			`#`
			`# Enable "syslog" logging of su activity - in addition to sulog file logging.`
			`# SYSLOG_SG_ENAB does the same for newgrp and sg.`
			`#`
			`SYSLOG_SU_ENAB yes`
			`SYSLOG_SG_ENAB yes`

			`#`
			`# If defined, either full pathname of a file containing device names or`
			`# a ":" delimited list of device names. Root logins will be allowed only`
			`# upon these devices.`
			`#`
			`CONSOLE /etc/securetty`
			`#CONSOLE console:tty01:tty02:tty03:tty04`

			`#`
			`# If defined, all su activity is logged to this file.`
			`#`
			`#SULOG_FILE /var/log/sulog`

			`#`
			`# If defined, ":" delimited list of "message of the day" files to`
			`# be displayed upon login.`
			`#`
			`#MOTD_FILE`
			`#MOTD_FILE`

			`#`
			`# If defined, this file will be output before each login prompt.`
			`#`
			`#ISSUE_FILE /etc/issue`

			`#`
			`# If defined, file which maps tty line to TERM environment parameter.`
			`# Each line of the file is in a format something like "vt100 tty01".`
			`#`
			`#TTYTYPE_FILE /etc/ttytype`

			`#`
			`# If defined, login failures will be logged here in a utmp format.`
			`# last, when invoked as lastb, will read /var/log/btmp, so...`
			`#`
			`#FTMP_FILE`

			`#`
			`# If defined, name of file whose presence which will inhibit non-root`
			`# logins. The contents of this file should be a message indicating`
			`# why logins are inhibited.`
			`#`
			`#NOLOGINS_FILE`

			`#`
			`# If defined, the command name to display when running "su -". For`
			`# example, if this is defined as "su" then a "ps" will display the`
			`# command is "-su". If not defined, then "ps" would display the`
			`# name of the shell actually being run, e.g. something like "-sh".`
			`#`
			`SU_NAME su`

			`#`
			`# REQUIRED`
			`# Directory where mailboxes reside, _or_ name of file, relative to the`
			`# home directory. If you _do_ define both, MAIL_DIR takes precedence.`
			`#`
			`MAIL_DIR /var/spool/mail`
			`#MAIL_FILE .mail`

			`#`
			`# If defined, file which inhibits all the usual chatter during the login`
			`# sequence. If a full pathname, then hushed mode will be enabled if the`
			`# user's name or shell are found in the file. If not a full pathname, then`
			`# hushed mode will be enabled if the file exists in the user's home directory.`
			`#`
			`HUSHLOGIN_FILE .hushlogin`
			`#HUSHLOGIN_FILE /etc/hushlogins`

			`#`
			`# If defined, either a TZ environment parameter spec or the`
			`# fully-rooted pathname of a file containing such a spec.`
			`#`
			`#ENV_TZ TZ=CST6CDT`
			`#ENV_TZ /etc/tzname`

			`#`
			`# If defined, an HZ environment parameter spec.`
			`#`
			`# for Linux/x86`
			`#ENV_HZ`
			`# For Linux/Alpha...`
			`#ENV_HZ`

			`#`
			`# REQUIRED The default PATH settings, for superuser and normal users.`
			`#`
			`# (they are minimal, add the rest in the shell startup files)`
			`ENV_SUPATH PATH=/sbin:/bin:/usr/sbin:/usr/bin`
			`ENV_PATH PATH=/bin:/usr/bin`

			`#`
			`# Terminal permissions`
			`#`
			`# TTYGROUP Login tty will be assigned this group ownership.`
			`# TTYPERM Login tty will be set to this permission.`
			`#`
			`# If you have a "write" program which is "setgid" to a special group`
			`# which owns the terminals, define TTYGROUP to the group number and`
			`# TTYPERM to 0620. Otherwise leave TTYGROUP commented out and assign`
			`# TTYPERM to either 622 or 600.`
			`#`
			`TTYGROUP tty`
			`TTYPERM 0600`

			`#`
			`# Login configuration initializations:`
			`#`
			`# ERASECHAR Terminal ERASE character ('\010' = backspace).`
			`# KILLCHAR Terminal KILL character ('\025' = CTRL/U).`
			`# ULIMIT Default "ulimit" value.`
			`#`
			`# The ERASECHAR and KILLCHAR are used only on System V machines.`
			`# The ULIMIT is used only if the system supports it.`
			`# (now it works with setrlimit too; ulimit is in 512-byte units)`
			`#`
			`# Prefix these values with "0" to get octal, "0x" to get hexadecimal.`
			`#`
			`ERASECHAR 0177`
			`KILLCHAR 025`
			`#ULIMIT 2097152`

			`# Default initial "umask" value used by login on non-PAM enabled systems.`
			`# Default "umask" value for pam_umask on PAM enabled systems.`
			`# UMASK is also used by useradd and newusers to set the mode of new home`
			`# directories.`
			`# 022 is the default value, but 027, or even 077, could be considered`
			`# better for privacy. There is no One True Answer here: each sysadmin`
			`# must make up her mind.`
			`UMASK 022`

			`#`
			`# Password aging controls:`
			`#`
			`# PASS_MAX_DAYS Maximum number of days a password may be used.`
			`# PASS_MIN_DAYS Minimum number of days allowed between password changes.`
			`# PASS_MIN_LEN Minimum acceptable password length.`
			`# PASS_WARN_AGE Number of days warning given before a password expires.`
			`#`
			`PASS_MAX_DAYS 99999`
			`PASS_MIN_DAYS 0`
			`#PASS_MIN_LEN`
			`PASS_WARN_AGE 7`

			`#`
			`# If "yes", the user must be listed as a member of the first gid 0 group`
			`# in /etc/group (called "root" on most Linux systems) to be able to "su"`
			`# to uid 0 accounts. If the group doesn't exist or is empty, no one`
			`# will be able to "su" to uid 0.`
			`#`
			`#SU_WHEEL_ONLY`

			`#`
			`# If compiled with cracklib support, where are the dictionaries`
			`#`
			`#CRACKLIB_DICTPATH`

			`#`
			`# Min/max values for automatic uid selection in useradd`
			`#`
			`UID_MIN 1000`
			`UID_MAX 60000`
			`# System accounts`
			`SYS_UID_MIN 101`
			`SYS_UID_MAX 999`

			`#`
			`# Min/max values for automatic gid selection in groupadd`
			`#`
			`GID_MIN 1000`
			`GID_MAX 60000`
			`# System accounts`
			`SYS_GID_MIN 101`
			`SYS_GID_MAX 999`

			`#`
			`# Max number of login retries if password is bad`
			`#`
			`LOGIN_RETRIES 5`

			`#`
			`# Max time in seconds for login`
			`#`
			`LOGIN_TIMEOUT 60`

			`#`
			`# Maximum number of attempts to change password if rejected (too easy)`
			`#`
			`#PASS_CHANGE_TRIES`

			`#`
			`# Warn about weak passwords (but still allow them) if you are root.`
			`#`
			`#PASS_ALWAYS_WARN`

			`#`
			`# Number of significant characters in the password for crypt().`
			`# Default is 8, don't change unless your crypt() is better.`
			`# Ignored if MD5_CRYPT_ENAB set to "yes".`
			`#`
			`#PASS_MAX_LEN 8`

			`#`
			`# Require password before chfn/chsh can make any changes.`
			`#`
			`#CHFN_AUTH`

			`#`
			`# Which fields may be changed by regular users using chfn - use`
			`# any combination of letters "frwh" (full name, room number, work`
			`# phone, home phone). If not defined, no changes are allowed.`
			`# For backward compatibility, "yes" = "rwh" and "no" = "frwh".`
			`#`
			`CHFN_RESTRICT rwh`

			`#`
			`# Password prompt (%s will be replaced by user name).`
			`#`
			`# XXX - it doesn't work correctly yet, for now leave it commented out`
			`# to use the default which is just "Password: ".`
			`#LOGIN_STRING "%s's Password: "`

			`#`
			`# Only works if compiled with MD5_CRYPT defined:`
			`# If set to "yes", new passwords will be encrypted using the MD5-based`
			`# algorithm compatible with the one used by recent releases of FreeBSD.`
			`# It supports passwords of unlimited length and longer salt strings.`
			`# Set to "no" if you need to copy encrypted passwords to other systems`
			`# which don't understand the new algorithm. Default is "no".`
			`#`
			`# Note: If you use PAM, it is recommended to use a value consistent with`
			`# the PAM modules configuration.`
			`#`
			`# This variable is deprecated. You should use ENCRYPT_METHOD.`
			`#`
			`#MD5_CRYPT_ENAB no`

			`#`
			`# Only works if compiled with ENCRYPTMETHOD_SELECT defined:`
			`# If set to MD5 , MD5-based algorithm will be used for encrypting password`
			`# If set to SHA256, SHA256-based algorithm will be used for encrypting password`
			`# If set to SHA512, SHA512-based algorithm will be used for encrypting password`
			`# If set to DES, DES-based algorithm will be used for encrypting password (default)`
			`# Overrides the MD5_CRYPT_ENAB option`
			`#`
			`# Note: If you use PAM, it is recommended to use a value consistent with`
			`# the PAM modules configuration.`
			`#`
			`#ENCRYPT_METHOD DES`

			`#`
			`# Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.`
			`#`
			`# Define the number of SHA rounds.`
			`# With a lot of rounds, it is more difficult to brute forcing the password.`
			`# But note also that it more CPU resources will be needed to authenticate`
			`# users.`
			`#`
			`# If not specified, the libc will choose the default number of rounds (5000).`
			`# The values must be inside the 1000-999999999 range.`
			`# If only one of the MIN or MAX values is set, then this value will be used.`
			`# If MIN > MAX, the highest value will be used.`
			`#`
			`# SHA_CRYPT_MIN_ROUNDS 5000`
			`# SHA_CRYPT_MAX_ROUNDS 5000`

			`#`
			`# List of groups to add to the user's supplementary group set`
			`# when logging in on the console (as determined by the CONSOLE`
			`# setting). Default is none.`
			`#`
			`# Use with caution - it is possible for users to gain permanent`
			`# access to these groups, even when not logged in on the console.`
			`# How to do it is left as an exercise for the reader...`
			`#`
			`#CONSOLE_GROUPS floppy:audio:cdrom`

			`#`
			`# Should login be allowed if we can't cd to the home directory?`
			`# Default in no.`
			`#`
			`DEFAULT_HOME yes`

			`#`
			`# If this file exists and is readable, login environment will be`
			`# read from it. Every line should be in the form name=value.`
			`#`
			`#ENVIRON_FILE`

			`#`
			`# If defined, this command is run when removing a user.`
			`# It should remove any at/cron/print jobs etc. owned by`
			`# the user to be removed (passed as the first argument).`
			`#`
			`#USERDEL_CMD /usr/sbin/userdel_local`

			`#`
			`# Enable setting of the umask group bits to be the same as owner bits`
			`# (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is`
			`# the same as gid, and username is the same as the primary group name.`
			`#`
			`# This also enables userdel to remove user groups if no members exist.`
			`#`
			`USERGROUPS_ENAB yes`

			`#`
			`# If set to a non-nul number, the shadow utilities will make sure that`
			`# groups never have more than this number of users on one line.`
			`# This permit to support split groups (groups split into multiple lines,`
			`# with the same group ID, to avoid limitation of the line length in the`
			`# group file).`
			`#`
			`# 0 is the default value and disables this feature.`
			`#`
			`#MAX_MEMBERS_PER_GROUP 0`

			`#`
			`# If useradd should create home directories for users by default (non`
			`# system users only)`
			`# This option is overridden with the -M or -m flags on the useradd command`
			`# line.`
			`#`
			`#CREATE_HOME yes`