passwd_override(5)passwd_override(5)NAMEpasswd_override - The registry database override file
DESCRIPTION
The dcelocal/etc/passwd_override administrative file lets you override
the password, GECOS, home directory, login shell, group membership, and
principal UNIX ID information stored in the network registry database.
The passwd_override file is stored on each host machine. Any changes
you make to it are in effect for the local machine only, and have no
effect on the centralized registry. You may find passwd_override
especially useful for excluding people from using certain machines,
establishing local root passwords, or tailoring local user environ‐
ments.
The passwd_override File Format
The format of the passwd_override entries is similar to entries in the
UNIX password file. The format is principal_name:passwd:princi‐
pal_uid:group_id:GECOS:home_dir:login_shell
In an override entry, principal_name, principal_uid, and group_id
fields are keyfields. You must enter one of them to identify the prin‐
cipal or group to which the overrides apply. The keyfield is used to
perform a lookup in the override file. The lookup is performed in
order as the entries are specified in an override entry: first by prin‐
cipal name, then by principal UNIX ID, and finally by group UNIX ID.
If you specify more than one keyfield in an override entry, the first
keyfield specified is used as the lookup key; subsequent keyfields are
used as overrides.
Field Descriptions
Each of the entries in the passwd_override file is described below. A
keyfield that contains a principal name that identifies the account to
which the overrides apply. Enter principal_name to apply the override
only to the account for the principal's primary name and not to any
accounts for the principal's aliases. The encrypted password. If you
specify an override in this field, the password you enter is in effect
for this local machine only.
When you override a principal's password, only the principal's local
credentials are obtained at login, not the principal's network creden‐
tials. Without network credentials, the principal cannot access the
network registry and obtain the information normally provided at net‐
work login. Therefore, you must supply all this information in the
password_override file entry. For overrides to passwords, you must
enter all fields in the override entry, including all keyfields.
You can also specify OMIT in the passwd field to disallow login on the
local machine. The use of OMIT in conjunction with an option to the
passwd_export command also prevents the inclusion of this principal in
the password file created by passwd_export. (See the section entitled
"Using OMIT," later in this command reference, for details.) An
encrypted principal UNIX ID. This field can function as a keyfield
(when the principal_name keyfield is not entered) or as an override
field (when the principal_name keyfield is entered). Enter princi‐
pal_uid and not principal_name when you want to apply the overrides to
all of a principal's accounts, including any accounts for the princi‐
pal's aliases. The principal_uid keyfield is especially useful for
overrides to root. For example, if root has an alias of virtuoso, an
override keyed by principal name applies only when root logs in as
root. An override keyed by root's principal_uid applies when root logs
in as root, as virtuoso, and under any other alias.
Enter principal_uid and principal_name to override the UNIX ID of the
named principal. A UNIX group ID. This field can function as a key‐
field, when no other keyfields are entered, or as a field containing an
override, when entered in conjunction with principal_name or princi‐
pal_uid.
Enter group_uid and no other keyfield (principal_name or principal_uid)
to apply the override to all members of the group identified by
group_uid. In this instance the group_uid field functions as a key‐
field, identifying the accounts to which to apply the overrides (that
is, accounts whose principal is a member of the specified group).
Enter group_uid and principal_name to change the group of the principal
identified by principal_name to the group identified by group_uid. The
change applies only to the account for the principal's primary name,
not to any accounts for the principal's aliases. Enter group_uid and
principal_uid to apply the group override to all of the principal's
accounts, including any for the principal's aliases. In these
instances the group_uid field functions as a field supplying override
information, not as a keyfield. The account's GECOS field. You can
specify an override in this field. To keep it unchanged, leave it
empty. The account's home directory. You can specify an override in
this field. To keep it unchanged, leave it empty. The account's log-
in shell. You can specify an override in this field. To keep it
unchanged, leave it empty.
Leaving Fields Blank
If you do not want to override an item, leave its field blank, separat‐
ing each blank field with a : (colon). (You must enter one of the key‐
fields, however, to identify the principal or group for which you are
creating overrides.) You are required to enter the colons associated
with any blank trailing fields.
Using OMIT
If you enter either the word OMIT or another invalid password string
(such as * (asterisk) or NO GOOD) in the passwd field, the principal
(or set of principals) will be unable to log in to the local machine.
If you specify OMIT and run passwd_export with the -x option, the named
principal (or set of principals) will not appear in the /etc/passwd
file produced by passwd_export.
You should also be aware that, if you have omitted principials from the
/etc/passwd file, information about those principals will not be avail‐
able to any programs that use the password file. For example, the ls
-l and the finger commands both access the password file to obtain fur‐
ther information about a principals. If the principal is omitted, no
password entry will exist and no information will be available. For
this reason, you should use OMIT to omit principals from the
/etc/passwd file only if your user community is very large and either
of the following conditions occur: The passwd file is taking up too
much space. User-ID-to-name mapping is too slow (during ls -l, for
example).
NOTES
Root can update entries in the override file for the local host by
using the passwd utility. Refer to the passwd reference page for
details.
EXAMPLES
To prevent the principal with a UNIX ID of 52 from logging in to the
local machine, the entry in the passwd_override file is as follows:
:exclude:52:::: To prevent members of the group identified by a UNIX ID
of 25 from logging in to a node and to omit them from inclusion in the
password file, put OMIT in the passwd field: :OMIT::25:::
Then run the following passwd_export command with the -x option to omit
these principals from /etc/passwd file: dcelocal/etc/passwd_export -x
To change the password, home directory, and initial shell for mozart's
account, the entry is as follows: mozart:sq1Rc1Urrb1L6:678:893:Wolfgang
A. Mozart:/aria/wolfgang:/bin/csh To override the home directory for
the account identified by mozart the entry is as follows:
mozart:::::/aria/wolfgang
RELATED INFORMATION
Commands: crypt(1), passwd(1), finger(1), login(1), adduser(8),
rgy_edit(1m), passwd_export(1m)
Functions: getpwent(3)
Files: group(5)passwd_override(5)
