Understanding account database files

An important distinction between UNIX^® systems is how account information is stored. This affects the interaction of accounts across different types of UNIX systems, and governs how programs access this data. The account database files fall into two categories: UNIX system files (those defined in the System V Interface Definition) and the trusted facility database files that extend System V security. These files are supported and maintained by the system to ensure compatibility with other UNIX systems.

System V files:

/etc/passwd

This publicly readable file is present on most UNIX systems and contains both account data (such as user ID number, login shell) and (on some systems) an encrypted account password. Password aging information is also supported. The format is documented in passwd(4). It can be edited by experienced administrators, but using the Account Manager is the preferred method for adding and maintaining user accounts -- see ``Editing the /etc/passwd file''.

/etc/shadow

This file is readable only by root. It contains the encrypted password otherwise found in the /etc/passwd file. The format is documented in shadow(4).

/etc/default/passwd and /etc/default/login

These contain default account information and are documented in passwd(1) and login(1), respectively.

Trusted facility database files:

/etc/security/ia/master

This is a non-human readable file containing the same information found in /etc/passwd and /etc/shadow.

/etc/security/ia/index

This is a non-human readable file containing a list of user accounts.

/etc/security/tcb/privs

The file privilege database contains the privileges necessary to run system commands. See ``A file-Based privilege mechanism'' for more information.

/etc/security/tfm/users/*

This directory contains the authorizations assigned to each user. See ``Assigning authorizations'' for information on using the Account Manager and ``Adding commands for a user'' for a description of the command-line interface.

/etc/security/tfm/roles/*

This directory contains the authorizations assigned to each administrative role. See ``TFM and administrative roles'' for more information.

Other files:

/usr/lib/scoadmin/account/PrivTable

This file contains the system authorizations, the associated commands or SCOadmin managers, and the requisite privileges that go with them. See PrivTable(4) for more information.