path: root/shadow-4.11.1-login.defs.patch
blob: bce8a119c01abedde3fbd8f103f3c0f586e66a1a (plain)
diff --git i/etc/login.defs w/etc/login.defs
index 114dbcd9..4cb8cdf5 100644
--- i/etc/login.defs
+++ w/etc/login.defs
@@ -3,6 +3,8 @@
 #
 #	$Id$
 #
+# This file is adapted for the use on Arch Linux.
+# Options unsupported due to the use of util-linux or PAM are commented.
 
 #
 # Delay in seconds before being allowed another attempt after a login failure
@@ -14,7 +16,7 @@ FAIL_DELAY		3
 #
 # Enable logging and display of /var/log/faillog login(1) failure info.
 #
-FAILLOG_ENAB		yes
+# FAILLOG_ENAB is currently not supported
 
 #
 # Enable display of unknown usernames when login(1) failures are recorded.
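Review bot: The replacement line `# FAILLOG_ENAB is currently not supported` does not say which program ignores the key or where failed-login recording is configured instead, so a reader cannot tell from this file whether failures are still recorded. The same wording replaces other audit-related keys in later hunks (LOG_OK_LOGINS, LASTLOG_ENAB, SYSLOG_SU_ENAB, FTMP_FILE). Going by the header comment added in the first hunk, the behaviour presumably moves to util-linux or PAM. If so, I would name the replacement in each comment, for example `# FAILLOG_ENAB is not read by the login(1) used here; failed-login recording is configured in PAM`.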
@@ -24,12 +26,12 @@ LOG_UNKFAIL_ENAB	no
 #
 # Enable logging of successful logins
 #
-LOG_OK_LOGINS		no
+# LOG_OK_LOGINS is currently not supported
 
 #
 # Enable logging and display of /var/log/lastlog login(1) time info.
 #
-LASTLOG_ENAB		yes
+# LASTLOG_ENAB is currently not supported
 
 #
 # Limit the highest user ID number for which the lastlog entries should
@@ -46,28 +48,28 @@ LASTLOG_ENAB		yes
 # Disable if the shell startup files already check for mail
 # ("mailx -e" or equivalent).
 #
-MAIL_CHECK_ENAB		yes
+# MAIL_CHECK_ENAB is currently not supported
 
 #
 # Enable additional checks upon password changes.
 #
-OBSCURE_CHECKS_ENAB	yes
+# OBSCURE_CHECKS_ENAB is currently not supported
 
 #
 # Enable checking of time restrictions specified in /etc/porttime.
 #
-PORTTIME_CHECKS_ENAB	yes
+# PORTTIME_CHECKS_ENAB is currently not supported
 
 #
 # Enable setting of ulimit, umask, and niceness from passwd(5) gecos field.
 #
-QUOTAS_ENAB		yes
+# QUOTAS_ENAB is currently not supported
 
 #
 # Enable "syslog" logging of su(1) activity - in addition to sulog file logging.
 # SYSLOG_SG_ENAB does the same for newgrp(1) and sg(1).
 #
-SYSLOG_SU_ENAB		yes
+# SYSLOG_SU_ENAB is currently not supported
 SYSLOG_SG_ENAB		yes
 
 #
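Review bot: OBSCURE_CHECKS_ENAB and PORTTIME_CHECKS_ENAB were enforcement settings rather than display options, and after this hunk nothing in the file says where password-quality and login-time checks are enforced. The same applies to PASS_MIN_LEN, SU_WHEEL_ONLY, PASS_CHANGE_TRIES and CHFN_AUTH in later hunks. If PAM is the intended replacement, as the header comment suggests, the comment should point there, e.g. `# OBSCURE_CHECKS_ENAB is not supported; password quality is enforced by the PAM password stack`. That tells an administrator auditing this file to review the PAM configuration as well.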
@@ -75,44 +77,43 @@ SYSLOG_SG_ENAB		yes
 # a ":" delimited list of device names.  Root logins will be allowed only
 # from these devices.
 #
-CONSOLE		/etc/securetty
-#CONSOLE	console:tty01:tty02:tty03:tty04
+# CONSOLE is currently not supported
 
 #
 # If defined, all su(1) activity is logged to this file.
 #
-#SULOG_FILE	/var/log/sulog
+# SULOG_FILE is currently not supported
 
 #
 # If defined, ":" delimited list of "message of the day" files to
 # be displayed upon login.
 #
-MOTD_FILE	/etc/motd
+MOTD_FILE
 #MOTD_FILE	/etc/motd:/usr/lib/news/news-motd
 
 #
 # If defined, this file will be output before each login(1) prompt.
 #
-#ISSUE_FILE	/etc/issue
+# ISSUE_FILE is currently not supported
 
 #
 # If defined, file which maps tty line to TERM environment parameter.
 # Each line of the file is in a format similar to "vt100  tty01".
 #
-#TTYTYPE_FILE	/etc/ttytype
+# TTYTYPE_FILE is currently not supported
 
 #
 # If defined, login(1) failures will be logged here in a utmp format.
 # last(1), when invoked as lastb(1), will read /var/log/btmp, so...
 #
-FTMP_FILE	/var/log/btmp
+# FTMP_FILE is currently not supported
 
 #
 # If defined, name of file whose presence will inhibit non-root
 # logins.  The content of this file should be a message indicating
 # why logins are inhibited.
 #
-NOLOGINS_FILE	/etc/nologin
+# NOLOGINS_FILE is currently not supported
 
 #
 # If defined, the command name to display when running "su -".  For
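Review bot: `MOTD_FILE` is left as a bare key with no value, which reads like a truncated line next to the commented-out example below it, and a bare key may not be handled the same way by every program that reads this file. If the empty value is deliberate (presumably so that login(1) does not print the motd itself), a comment above it should say so, e.g. `# Intentionally empty: login(1) must not print the motd itself`. In the same hunk NOLOGINS_FILE is dropped. Since that key controls whether non-root logins are inhibited, the comment should name the component that now honours /etc/nologin.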
@@ -120,7 +121,7 @@ NOLOGINS_FILE	/etc/nologin
 # command as "-su".  If not defined, then ps(1) will display the
 # name of the shell actually being run, e.g. something like "-sh".
 #
-SU_NAME		su
+# SU_NAME is currently not supported
 
 #
 # *REQUIRED*
@@ -143,23 +144,22 @@ HUSHLOGIN_FILE	.hushlogin
 # If defined, either a TZ environment parameter spec or the
 # fully-rooted pathname of a file containing such a spec.
 #
-#ENV_TZ		TZ=CST6CDT
-#ENV_TZ		/etc/tzname
+# ENV_TZ is currently not supported
 
 #
 # If defined, an HZ environment parameter spec.
 #
 # for Linux/x86
-ENV_HZ		HZ=100
+# ENV_HZ		HZ=100
 # For Linux/Alpha...
-#ENV_HZ		HZ=1024
+# ENV_HZ is currently not supported
 
 #
 # *REQUIRED*  The default PATH settings, for superuser and normal users.
 #
 # (they are minimal, add the rest in the shell startup files)
-ENV_SUPATH	PATH=/sbin:/bin:/usr/sbin:/usr/bin
-ENV_PATH	PATH=/bin:/usr/bin
+ENV_SUPATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
+ENV_PATH	PATH=/usr/local/sbin:/usr/local/bin:/usr/bin
 
 #
 # Terminal permissions
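Review bot: ENV_SUPATH now lists /usr/local/sbin and /usr/local/bin ahead of /usr/bin, so for the superuser a file in either local directory takes precedence over the system binary of the same name. That is only safe while both directories stay root-owned and not group- or world-writable, so I would state the assumption next to the setting, e.g. `# /usr/local/{sbin,bin} precede /usr/bin: keep them root-owned, mode 0755`. Separately, the ENV_HZ edit leaves `# ENV_HZ		HZ=100` under the x86 comment and `# ENV_HZ is currently not supported` under the Alpha comment. A single "not supported" line would match the other hunks.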
@@ -188,9 +188,9 @@ TTYPERM		0600
 #
 # Prefix these values with "0" to get octal, "0x" to get hexadecimal.
 #
-ERASECHAR	0177
-KILLCHAR	025
-#ULIMIT		2097152
+# ERASECHAR is currently not supported
+# KILLCHAR is currently not supported
+# ULIMIT is currently not supported
 
 # Default initial "umask" value used by login(1) on non-PAM enabled systems.
 # Default "umask" value for pam_umask(8) on PAM enabled systems.
@@ -199,7 +199,7 @@ KILLCHAR	025
 # 022 is the default value, but 027, or even 077, could be considered
 # for increased privacy. There is no One True Answer here: each sysadmin
 # must make up their mind.
-UMASK		022
+UMASK		077
 
 # HOME_MODE is used by useradd(8) and newusers(8) to set the mode for new
 # home directories.
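Review bot: The comment kept above `UMASK		077` still says "022 is the default value", which no longer matches the shipped setting. It should be reworded, e.g. `# 077 is set here; upstream ships 022`. With `USERGROUPS_ENAB yes` (visible in a later hunk header), login.defs(5) documents that the group bits follow the owner bits for users whose primary group matches their user name, so the effective umask for those users would be 007 rather than 077. That is worth stating here. The HOME_MODE description continues outside this hunk. If HOME_MODE is left unset, the mode of new home directories also derives from UMASK, which should be confirmed against the rest of the file.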
@@ -216,7 +216,7 @@ UMASK		022
 #
 PASS_MAX_DAYS	99999
 PASS_MIN_DAYS	0
-PASS_MIN_LEN	5
+# PASS_MIN_LEN is currently not supported
 PASS_WARN_AGE	7
 
 #
@@ -225,12 +225,12 @@ PASS_WARN_AGE	7
 # to uid 0 accounts.  If the group doesn't exist or is empty, no one
 # will be able to "su" to uid 0.
 #
-SU_WHEEL_ONLY	no
+# SU_WHEEL_ONLY is currently not supported
 
 #
 # If compiled with cracklib support, sets the path to the dictionaries
 #
-CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
+# CRACKLIB_DICTPATH is currently not supported
 
 #
 # Min/max values for automatic uid selection in useradd(8)
@@ -238,7 +238,7 @@ CRACKLIB_DICTPATH	/var/cache/cracklib/cracklib_dict
 UID_MIN			 1000
 UID_MAX			60000
 # System accounts
-SYS_UID_MIN		  101
+SYS_UID_MIN		  500
 SYS_UID_MAX		  999
 # Extra per user uids
 SUB_UID_MIN		   100000
@@ -251,7 +251,7 @@ SUB_UID_COUNT		    65536
 GID_MIN			 1000
 GID_MAX			60000
 # System accounts
-SYS_GID_MIN		  101
+SYS_GID_MIN		  500
 SYS_GID_MAX		  999
 # Extra per user group ids
 SUB_GID_MIN		   100000
@@ -271,24 +271,24 @@ LOGIN_TIMEOUT		60
 #
 # Maximum number of attempts to change password if rejected (too easy)
 #
-PASS_CHANGE_TRIES	5
+# PASS_CHANGE_TRIES is currently not supported
 
 #
 # Warn about weak passwords (but still allow them) if you are root.
 #
-PASS_ALWAYS_WARN	yes
+# PASS_ALWAYS_WARN is currently not supported
 
 #
 # Number of significant characters in the password for crypt().
 # Default is 8, don't change unless your crypt() is better.
 # Ignored if MD5_CRYPT_ENAB set to "yes".
 #
-#PASS_MAX_LEN		8
+# PASS_MAX_LEN is currently not supported
 
 #
 # Require password before chfn(1)/chsh(1) can make any changes.
 #
-CHFN_AUTH		yes
+# CHFN_AUTH is currently not supported
 
 #
 # Which fields may be changed by regular users using chfn(1) - use
@@ -303,7 +303,7 @@ CHFN_RESTRICT		rwh
 #
 # XXX - it doesn't work correctly yet, for now leave it commented out
 # to use the default which is just "Password: ".
-#LOGIN_STRING		"%s's Password: "
+# LOGIN_STRING is currently not supported
 
 #
 # Only works if compiled with MD5_CRYPT defined:
@@ -318,7 +318,7 @@ CHFN_RESTRICT		rwh
 #
 # This variable is deprecated. You should use ENCRYPT_METHOD instead.
 #
-#MD5_CRYPT_ENAB	no
+# MD5_CRYPT_ENAB is currently not supported
 
 #
 # Only works if compiled with ENCRYPTMETHOD_SELECT defined:
@@ -334,7 +334,7 @@ CHFN_RESTRICT		rwh
 # Note: If you use PAM, it is recommended to use a value consistent with
 # the PAM modules configuration.
 #
-#ENCRYPT_METHOD DES
+ENCRYPT_METHOD SHA512
 
 #
 # Only works if ENCRYPT_METHOD is set to SHA256 or SHA512.
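Review bot: `ENCRYPT_METHOD SHA512` is enabled without a note that it must match the PAM configuration, although the context comment just above recommends exactly that. If pam_unix is configured with a different hashing option, passwords set through PAM and through the tools that read this file would end up with different hash types. I would add `# Must match the hashing option given to pam_unix in the PAM password stack`. The context line that follows shows the SHA round-count keys apply now that SHA512 is selected. They lie outside this hunk, so check whether they are set deliberately or left at the defaults.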
@@ -390,7 +390,7 @@ CHFN_RESTRICT		rwh
 # access to these groups, even when not logged in from the console.
 # How to do it is left as an exercise for the reader...
 #
-#CONSOLE_GROUPS		floppy:audio:cdrom
+# CONSOLE_GROUPS is currently not supported
 
 #
 # Should login be allowed if we can't cd to the home directory?
@@ -410,7 +410,7 @@ NONEXISTENT	/nonexistent
 # If this file exists and is readable, login environment will be
 # read from it.  Every line should be in the form name=value.
 #
-ENVIRON_FILE	/etc/environment
+# ENVIRON_FILE is currently not supported
 
 #
 # If defined, this command is run when removing a user.
@@ -465,7 +465,7 @@ USERGROUPS_ENAB yes
 # Set to "yes" to prevent for all accounts
 # Set to "superuser" to prevent for UID 0 / root (default)
 # Set to "no" to not prevent for any account (dangerous, historical default)
-PREVENT_NO_AUTH superuser
+# PREVENT_NO_AUTH is currently not supported
 
 #
 # Select the HMAC cryptography algorithm.
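Review bot: Commenting out `PREVENT_NO_AUTH superuser` leaves this file with no statement about accounts that have an empty password, while the context lines above still describe "no" as dangerous. If the key is simply not read by the login and su in use, empty-password handling rests entirely on the PAM configuration (for pam_unix, whether `nullok` is present). The comment should say that rather than only "not supported". Suggested wording: `# PREVENT_NO_AUTH is not supported; empty-password logins are governed by PAM (check for nullok on pam_unix)`.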