Detailed Analysis of /etc/login.defs in Linux Systems: Functions, Configuration and Distribution Differences

2025/10/31 Linux System Administration 13656 words, about 40 minutes


In Linux systems, /etc/login.defs is a crucial configuration file that controls core behaviors related to user account and password management. As part of the shadow-utils package, this file defines default behaviors for user creation, password policies, home directory settings, and more. This article will provide an in-depth analysis of the functions of /etc/login.defs and compare the differences between CentOS 8 and Ubuntu 24.04.

I. Basic Concepts and Role of /etc/login.defs

1.1 What is /etc/login.defs?

/etc/login.defs is a configuration file in Linux systems used to define default behaviors for user account and password management. It is provided by the shadow-utils package and affects core user management commands such as useradd, usermod, userdel, and passwd.

1.2 Configuration File Priority

It’s important to note that configurations in /etc/login.defs may be overridden by:

  • Command-line parameters (e.g., useradd -m to force home directory creation)
  • PAM (Pluggable Authentication Modules) settings
  • User-specific custom configurations

1.3 Relationship with PAM

Although /etc/login.defs defines many password policy-related configurations, in modern Linux systems, much of the actual password verification and policy enforcement is handled by PAM modules. In particular, advanced features like password complexity checking and password history typically need to be set in PAM configuration files (such as /etc/pam.d/system-auth).

1.4 /etc/login.defs Configuration Overview

The following diagram illustrates the main functional areas of the /etc/login.defs file and configuration differences between CentOS 8 and Ubuntu 24.04:

[Diagram: Linux /etc/login.defs Configuration Analysis]

This diagram provides a visual representation of the core functional modules of the /etc/login.defs file, including password policy configuration, user/group ID range settings, home directory configuration, and key differences between two major Linux distributions.

II. Detailed Explanation of login.defs Configuration in CentOS 8

2.1 Mail Directory Configuration

MAIL_DIR        /var/spool/mail
  • Detailed Function: Defines the default storage directory for user mailboxes in the system. When creating new users, the system creates corresponding mailbox files under this directory using the username.
  • Actual Effect: For example, for user john, the mailbox file would be located at /var/spool/mail/john
  • Priority Note: If both MAIL_DIR and MAIL_FILE are defined, MAIL_DIR takes precedence

2.2 Password Policy Configuration

PASS_MAX_DAYS   99999  # Maximum password age in days
PASS_MIN_DAYS   0      # Minimum password age in days
PASS_MIN_LEN    5      # Minimum password length
PASS_WARN_AGE   7      # Days before password expiration to warn
  • PASS_MAX_DAYS:
    • Sets the maximum validity period of passwords; the default value of 99999 days effectively means passwords never expire
    • In enterprise environments, for security reasons, shorter periods (such as 90 days) are typically set
    • Affects command: passwd -x DAYS username
  • PASS_MIN_DAYS:
    • Defines the minimum number of days a user must wait after changing their password before they can change it again
    • A value of 0 means users can change their password at any time
    • Can prevent users from circumventing password history restrictions by frequently changing passwords
    • Affects command: passwd -n DAYS username
  • PASS_MIN_LEN:
    • Specifies the minimum required password length
    • Note: This setting only serves as a default; actual password length restrictions are usually enforced by PAM modules
    • In modern systems, this parameter may be overridden by settings in pam_cracklib.so or pam_pwquality.so modules in /etc/pam.d/system-auth
  • PASS_WARN_AGE:
    • Defines how many days before password expiration to start warning the user
    • Gives users sufficient time to prepare to change their password, avoiding inability to log in due to sudden password expiration
    • Affects command: passwd -w DAYS username

2.3 User and Group ID Ranges

UID_MIN         1000  # Minimum UID for regular users
UID_MAX        60000  # Maximum UID for regular users
SYS_UID_MIN     201   # Minimum UID for system accounts
SYS_UID_MAX     999   # Maximum UID for system accounts

GID_MIN         1000  # Minimum GID for regular groups
GID_MAX        60000  # Maximum GID for regular groups
SYS_GID_MIN     201   # Minimum GID for system groups
SYS_GID_MAX     999   # Maximum GID for system groups
  • Regular User/Group ID Range:
    • IDs starting from 1000 are typically assigned to regular users and groups
    • This is to avoid conflicts with system and service account IDs
    • When using useradd to create a new user, the next available UID starting from UID_MIN will be automatically assigned
  • System Account/Group ID Range:
    • IDs in the range 201-999 are typically reserved for system services and applications
    • These accounts usually don’t require login shells or home directories
    • These accounts are created for various system services (such as sshd, apache, etc.) during system installation

2.4 User Deletion Behavior Configuration

USERDEL_CMD    /usr/sbin/userdel_local
  • Function Description: Defines additional custom commands to execute when deleting a user
  • Typical Usage: Used to perform cleanup operations such as deleting a user’s crontab tasks, print queue tasks, temporary files, etc.
  • Default Status: This option is usually undefined on most systems and needs to be manually configured by administrators based on requirements
  • Implementation Method: A custom script can be created containing all cleanup operations needed when a user is deleted

2.5 Home Directory Configuration

CREATE_HOME     yes  # Whether to create home directories by default
UMASK           077  # Default permission mask for home directories
  • CREATE_HOME:
    • Controls whether the useradd command creates user home directories by default
    • When set to yes, a corresponding home directory will be automatically created under /home when creating a new user
    • Can be overridden by command-line parameters -m (force creation) or -M (no creation)
  • UMASK:
    • Defines the permission mask used when creating user home directories
    • CentOS 8 defaults to 077, meaning newly created home directories have permissions 700 (only user can read, write, execute)
    • This setting also affects default permissions for newly created files and directories
    • When used in conjunction with USERGROUPS_ENAB, it may affect the actual umask value applied

2.6 User Group Management Configuration

USERGROUPS_ENAB yes  # Whether to delete private groups with no members
  • Function Description: Controls whether to delete a user’s primary group when deleting the user (if the group has no other members)
  • Additional Effect: In CentOS systems, when this option is set to yes and UMASK is set to 022, the actual umask applied may become 002 (providing write permissions for group)
  • Security Consideration: Enabling this option helps keep the system’s groups tidy, avoiding a large number of unused groups

2.7 Password Encryption Method

ENCRYPT_METHOD SHA512  # Password encryption algorithm
  • Function Description: Specifies the encryption hash algorithm for user passwords
  • Recommended Option: SHA512 is the currently recommended secure algorithm, providing higher security than earlier MD5 and SHA256
  • Implementation Details: This algorithm is used to generate password hash values stored in the /etc/shadow file
  • Historical Comparison: Early Linux systems used the DES algorithm, while modern systems have all migrated to more secure hash algorithms

III. Detailed Explanation of login.defs Configuration in Ubuntu 24.04

3.1 Mail Directory Configuration

MAIL_DIR        /var/mail
  • Function Description: Defines the storage directory for user mailboxes in the system
  • Difference from CentOS: Ubuntu uses /var/mail as the default mail directory, while CentOS uses /var/spool/mail
  • Practical Application: On Ubuntu systems, user mailbox files are stored under /var/mail/username

3.2 Password Policy Configuration

PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
  • Main Feature: Ubuntu 24.04 does not have a PASS_MIN_LEN configuration item
  • Alternative Mechanism: Ubuntu uses PAM’s pam_pwquality module to control password complexity and minimum length
  • Configuration Location: Detailed password policy settings are typically defined in the /etc/security/pwquality.conf file
  • PAM Integration: Password quality checking is integrated into the system through the /etc/pam.d/common-password configuration file

3.3 User and Group ID Ranges

UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               100
SYS_UID_MAX               999

GID_MIN                  1000
GID_MAX                 60000
SYS_GID_MIN               100
SYS_GID_MAX               999
  • Regular User/Group ID Range: Same as CentOS, starting from 1000
  • System Account/Group ID Range: Ubuntu uses 100-999, while CentOS uses 201-999
  • Impact of Difference: On Ubuntu, system service accounts have a wider ID range available, including values between 100 and 200
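As an added example (not code from the original article), the following bash script classifies /etc/passwd entries against the UID ranges from the two sections above and flags the entries an administrator should look at: any account besides root with UID 0, and any UID that falls in neither the system range nor the regular range. UIDs below SYS_UID_MIN are reported as "reserved" because both distributions assign those statically rather than through useradd. The passwd lines are a constructed sample; the range values are the ones listed for CentOS 8 and Ubuntu 24.04.

```shell
#!/usr/bin/env bash
# Added example: classify passwd entries by the UID ranges in login.defs.
# SAMPLE_PASSWD is constructed sample data so the script runs offline;
# on a live system feed it $(cat /etc/passwd) instead.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/usr/share/empty.sshd:/sbin/nologin
postgres:x:150:150:PostgreSQL:/var/lib/pgsql:/bin/bash
nginx:x:994:991:Nginx web server:/var/lib/nginx:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
toor:x:0:0:second root:/root:/bin/bash
legacyapp:x:60001:60001:Old app:/srv/app:/sbin/nologin'

# classify_uid UID SYS_UID_MIN SYS_UID_MAX UID_MIN UID_MAX -> one word
classify_uid() {
    local uid=$1 smin=$2 smax=$3 umin=$4 umax=$5
    if   [ "$uid" -eq 0 ];      then echo root
    elif [ "$uid" -lt "$smin" ]; then echo reserved      # static, below SYS_UID_MIN
    elif [ "$uid" -le "$smax" ]; then echo system
    elif [ "$uid" -ge "$umin" ] && [ "$uid" -le "$umax" ]; then echo regular
    else echo out-of-range                                # gap or above UID_MAX
    fi
}

# audit_passwd CONTENT SYS_UID_MIN SYS_UID_MAX UID_MIN UID_MAX
# Prints "name uid class"; a UID-0 account not named root is marked extra-uid0.
audit_passwd() {
    local content=$1; shift
    local name pw uid rest class
    printf '%s\n' "$content" | while IFS=: read -r name pw uid rest; do
        [ -n "$name" ] || continue
        class=$(classify_uid "$uid" "$@")
        if [ "$class" = root ] && [ "$name" != root ]; then
            class="root!extra-uid0"
        fi
        printf '%s %s %s\n' "$name" "$uid" "$class"
    done
}

# flagged CONTENT ... : only the names that need attention
flagged() {
    audit_passwd "$@" | awk '$3 ~ /extra-uid0|out-of-range/ { print $1 }'
}

echo "CentOS 8 ranges (SYS 201-999, regular 1000-60000):"
audit_passwd "$SAMPLE_PASSWD" 201 999 1000 60000
echo "Ubuntu 24.04 ranges (SYS 100-999, regular 1000-60000):"
audit_passwd "$SAMPLE_PASSWD" 100 999 1000 60000
echo "Needs attention: $(flagged "$SAMPLE_PASSWD" 201 999 1000 60000 | tr '\n' ' ')"
```

Note how the postgres entry at UID 150 is "reserved" under the CentOS ranges but "system" under Ubuntu's; the two accounts that are flagged (a second UID 0 and a UID above UID_MAX) are flagged under both.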

3.4 User Deletion Behavior Configuration

USERDEL_CMD    /usr/sbin/userdel-local
  • Function Description: Same as CentOS, defines additional custom commands to execute when deleting a user
  • Path Difference: Ubuntu uses userdel-local, while CentOS uses userdel_local (difference between underscore and hyphen)
  • Implementation Recommendation: This script can be created to perform Ubuntu-specific cleanup tasks

3.5 Home Directory Configuration

CREATE_HOME     yes
UMASK           022  # Note: Ubuntu defaults to 022, while CentOS defaults to 077
  • CREATE_HOME: Same as CentOS, creates user home directories by default
  • UMASK: Ubuntu defaults to 022, which is an important security difference
    • On Ubuntu, newly created home directories have permissions 755 (user can read, write, execute; group and others can read, execute)
    • This is more permissive than CentOS’s 077 setting (permissions 700)
    • This difference reflects the different security philosophies of the two distributions

3.6 User Group Management Configuration

USERGROUPS_ENAB yes
  • Function Description: Same as CentOS, controls whether to delete a user’s primary group when deleting the user if it has no members
  • Interaction with UMASK: In Ubuntu, when UMASK is 022 and USERGROUPS_ENAB is yes, the actual umask applied is usually 002
  • Group Permission Impact: This allows newly created files to have group write permissions by default, facilitating team collaboration
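The two UMASK effects described in sections 2.5, 2.6, 3.5 and 3.6 are easy to confuse, so here is an added bash example (not code from the article) that computes both: the mode useradd gives a new home directory (0777 masked by UMASK, with no user-private-group adjustment), and the session umask applied at login when USERGROUPS_ENAB is yes and the user's primary group is a user-private group, where the group bits are set equal to the user bits (022 becomes 002). The three UMASK values come from the article; the 027 case is the hardened setting from section 5.1.

```shell
#!/usr/bin/env bash
# Added example: what a login.defs UMASK value turns into in practice.

# home_mode UMASK -> mode of a freshly created home directory (useradd applies
# 0777 & ~UMASK directly; since UMASK only has bits inside 0777, that is 511-UMASK).
home_mode() {
    local m
    m=$(printf '%d' "0$1")          # "0$1" makes printf read the value as octal
    printf '%03o' $(( 511 - m ))
}

# session_umask UMASK USERGROUPS_ENAB IS_UPG -> umask set for the login session.
# With USERGROUPS_ENAB=yes and a user-private group (IS_UPG=yes), the group
# bits are replaced by the user bits: 022 -> 002, 077 -> 007, 027 -> 007.
session_umask() {
    local m user_bits
    m=$(printf '%d' "0$1")
    if [ "$2" = yes ] && [ "$3" = yes ]; then
        user_bits=$(( (m / 64) % 8 ))                    # bits 6-8
        m=$(( user_bits * 64 + user_bits * 8 + m % 8 ))  # user, group=user, other
    fi
    printf '%03o' "$m"
}

# Side-by-side view of the defaults the article compares.
report() {
    local spec distro um
    for spec in "CentOS 8:077" "Ubuntu 24.04:022" "hardened:027"; do
        distro=${spec%%:*}; um=${spec##*:}
        printf '%-13s UMASK=%s  home dir mode=%s  session umask: UPG user=%s, other user=%s\n' \
            "$distro" "$um" "$(home_mode "$um")" \
            "$(session_umask "$um" yes yes)" "$(session_umask "$um" yes no)"
    done
}
report
```

The practical point for a hardening review: a CentOS user with a private group does not get umask 077 in their shell but 007, and an Ubuntu user gets 002, so files they create are group-writable by their private group. Whether that matters depends on who else is in that group; the home directory mode (700 vs 755) is unaffected by the adjustment.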

3.7 Password Encryption Method

ENCRYPT_METHOD SHA512
  • Function Description: Same as CentOS, specifies the encryption hash algorithm for user passwords
  • Security Strength: SHA512 provides sufficient security strength and is the standard choice for modern Linux systems

3.8 Terminal Permission Configuration

TTYGROUP        tty
TTYMODE         0600
ERASECHAR       0177
KILLCHAR        025
  • TTYGROUP: Defines the group that terminal devices belong to, usually the tty group
  • TTYMODE: Sets the default permission for terminal devices to 0600, ensuring only the owner can read and write
  • ERASECHAR: Defines the control character used to delete a single character (ASCII 0177 corresponds to the backspace key)
  • KILLCHAR: Defines the control character used to delete an entire line (ASCII 025 corresponds to Ctrl+U)
  • Missing Item: These terminal-related configurations are usually not present in CentOS 8’s login.defs

3.9 Sub-UID and Sub-GID Configuration (Ubuntu-specific)

SUB_UID_MIN     100000
SUB_UID_MAX     600100000
SUB_UID_COUNT   65536
SUB_GID_MIN     100000
SUB_GID_MAX     600100000
SUB_GID_COUNT   65536
  • Function Description: Defines user and group ID mapping ranges for Linux containers (such as LXC, Docker)
  • Use Case: These configurations support user namespace functionality, allowing privileged operations within containers to run as unprivileged users on the host
  • Security Value: Provides an additional isolation layer, enhancing the security of container technology
  • CentOS Difference: CentOS 8 typically does not include these configurations in login.defs by default

IV. Comparative Analysis of CentOS 8 and Ubuntu 24.04 Configurations

4.1 Core Configuration Differences

Configuration Item                | CentOS 8                | Ubuntu 24.04                   | Difference Analysis
----------------------------------|-------------------------|--------------------------------|---------------------------------------------------
Mail Directory                    | /var/spool/mail         | /var/mail                      | Different paths, same function
Password Minimum Length           | PASS_MIN_LEN 5          | Not present (managed by PAM)   | Ubuntu fully delegates password policy to PAM
System UID Range                  | 201-999                 | 100-999                        | Ubuntu has a larger system account ID range
Default UMASK Value               | 077                     | 022                            | CentOS has a higher default security level
Terminal Permission Configuration | None                    | Yes (TTYGROUP, TTYMODE, etc.)  | Ubuntu defines terminal behavior in more detail
Sub-UID/GID Support               | Usually not configured  | Configured in detail           | Ubuntu better supports container technology
USERDEL_CMD Path                  | /usr/sbin/userdel_local | /usr/sbin/userdel-local        | Different naming conventions (underscore vs. hyphen)

4.2 Differences in Security Philosophy

  • CentOS Security Philosophy:
    • More conservative security policy, using stricter permission settings by default (UMASK 077)
    • Clearer ID boundaries between system accounts and regular accounts (system accounts start from 201)
    • More traditional configuration approach, focused on server stability
  • Ubuntu Security Philosophy:
    • Balances security and usability, with relatively permissive default permissions (UMASK 022)
    • Better adapted to modern container technology and cloud environments
    • More actively adopts new Linux security features
    • Implements more granular password policy control through PAM modules

V. Practical Application and Best Practices for login.defs

5.1 Security Hardening Recommendations

  • Password Policy Adjustment:
    # Recommended password policy for enterprise environments
    PASS_MAX_DAYS   90    # Change password every 90 days
    PASS_MIN_DAYS   7     # Cannot change password again within 7 days
    PASS_WARN_AGE   14    # Start warning 14 days in advance
    
  • UMASK Setting Optimization:
    # For server environments, more strict permissions are recommended
    UMASK           027    # User can read, write, execute; group can read, execute; others have no permissions
    
  • User ID Range Adjustment:
    • For large enterprise environments, UID_MAX can be adjusted to accommodate more users
    • Ensure SYS_UID range matches application requirements
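A caveat that belongs with the password-policy settings of sections 2.2 and 5.1: PASS_MAX_DAYS, PASS_MIN_DAYS and PASS_WARN_AGE are copied into an account's /etc/shadow aging fields when the account is created, so changing login.defs afterwards does not tighten existing accounts; those keep their stored values until chage or passwd updates them. The added bash example below (not code from the article) reads the policy out of a login.defs fragment and reports the shadow entries that are still looser than it. Both the login.defs fragment and the shadow lines are constructed samples; hashes are replaced with placeholders.

```shell
#!/usr/bin/env bash
# Added example: audit /etc/shadow aging fields against the login.defs policy.
# On a live system, replace the samples with "$(cat /etc/login.defs)" and
# "$(cat /etc/shadow)" (reading /etc/shadow requires root).

SAMPLE_LOGIN_DEFS='
# Recommended policy from section 5.1 (constructed sample file)
PASS_MAX_DAYS   90    # Change password every 90 days
PASS_MIN_DAYS   7
PASS_WARN_AGE   14
UMASK           027
'

# shadow format: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:!locked!:19900:0:99999:7:::
alice:$6$placeholder:19950:7:90:14:::
bob:$6$placeholder:19800:0:99999:7:::
svc-backup:*:19700:0:99999:7:::
carol:$6$placeholder:19960::::::'

# getdef KEY CONTENT -> value of KEY; comments and blank lines are ignored and,
# if a key appears twice, the last definition wins.
getdef() {
    printf '%s\n' "$2" | awk -v key="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == key { v = $2 }
        END { if (v != "") print v }'
}

# audit_shadow CONTENT POLICY_MAX -> "user:max" for every account with a usable
# password hash whose maximum age is larger than the policy or unset
# (an empty max field means the password never expires).
audit_shadow() {
    printf '%s\n' "$1" | awk -F: -v pmax="$2" '
        $2 ~ /^[!*]/ { next }          # locked (!, !!) or no-password (*) accounts
        {
            max = ($5 == "") ? 99999 : $5 + 0
            if (max > pmax) printf "%s:%s\n", $1, ($5 == "" ? "unset" : $5)
        }'
}

POLICY_MAX=$(getdef PASS_MAX_DAYS "$SAMPLE_LOGIN_DEFS")
echo "Policy PASS_MAX_DAYS=$POLICY_MAX; accounts still outside it (user:max):"
audit_shadow "$SAMPLE_SHADOW" "$POLICY_MAX"
# Remediation for each reported user would be: chage -M "$POLICY_MAX" "$user"
```

In the sample, alice was created after the policy change and already carries max 90; bob still has the old 99999, and carol has no aging fields at all, so both are listed. Locked and service accounts are skipped because password aging is meaningless for an account that cannot authenticate with a password.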

5.2 Working with PAM

To implement a complete user security policy, login.defs needs to work together with PAM configurations:

  1. Password Complexity Checking: Configure in /etc/pam.d/common-password (Ubuntu) or /etc/pam.d/system-auth (CentOS)

  2. Password History: Prevent users from reusing old passwords

  3. Account Lockout Policy: Set login failure counts and lockout durations

5.3 Special Configuration for Container Environments

For environments running containers, especially Ubuntu systems:

  • Ensure SUB_UID and SUB_GID configurations are appropriate, allocating sufficient ID ranges for each user
  • Use /etc/subuid and /etc/subgid files to configure sub-ID mapping for specific users
  • For production environments, consider adjusting SUB_UID_COUNT to meet container requirements
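To go with sections 3.9 and 5.3, here is an added bash example (not code from the article) that checks /etc/subuid-style entries against the SUB_UID_MIN and SUB_UID_MAX bounds from login.defs. Each line has the form owner:start:count; the script reports ranges that fall outside the bounds and ranges that overlap another owner's, since overlapping allocations let two users' containers map the same host UIDs and defeat the isolation the section describes. The subuid lines are a constructed sample; the bounds are the Ubuntu 24.04 values quoted above.

```shell
#!/usr/bin/env bash
# Added example: validate subordinate UID allocations against login.defs bounds.
# On a live system use "$(cat /etc/subuid)"; the same check applies to
# /etc/subgid with the SUB_GID_* values.

SUB_UID_MIN=100000
SUB_UID_MAX=600100000

SAMPLE_SUBUID='alice:100000:65536
bob:165536:65536
carol:200000:65536
dave:600000000:200000
eve:50000:65536'

# check_subuid CONTENT MIN MAX -> one line per problem:
#   owner:outside-bounds(start-end)   range is not inside [MIN, MAX]
#   owner1:overlaps:owner2            the two ranges share at least one UID
check_subuid() {
    printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
        $0 == "" { next }
        {
            n++; owner[n] = $1; start[n] = $2 + 0; end[n] = $2 + $3 - 1
            if (start[n] < lo || end[n] > hi)
                printf "%s:outside-bounds(%d-%d)\n", $1, start[n], end[n]
        }
        END {
            # two closed intervals overlap when each starts no later than
            # the other ends
            for (i = 1; i <= n; i++)
                for (j = i + 1; j <= n; j++)
                    if (start[i] <= end[j] && start[j] <= end[i])
                        printf "%s:overlaps:%s\n", owner[i], owner[j]
        }'
}

echo "Problems in sample /etc/subuid:"
check_subuid "$SAMPLE_SUBUID" "$SUB_UID_MIN" "$SUB_UID_MAX"
```

In the sample, alice and bob are allocated back to back as useradd would do with SUB_UID_COUNT 65536; carol's range was added by hand and collides with bob's, dave's range runs past SUB_UID_MAX, and eve's starts below SUB_UID_MIN and additionally overlaps alice's.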

VI. Conclusion

/etc/login.defs is a key configuration file in Linux systems that controls user account and password management behavior. Through the detailed analysis in this article, we can see:

  1. Core Functions: This file defines various default behaviors for user creation, password policies, home directory settings, etc.

  2. Distribution Differences: There are significant differences in configurations between CentOS 8 and Ubuntu 24.04, reflecting different security philosophies and usage scenarios

  3. Configuration Priority: Command-line parameters and PAM settings may override configurations in login.defs

  4. Modern Trends: Newer distributions like Ubuntu delegate more password policy control to PAM and add support for container technology

  5. Best Practices: In practical environments, default configurations should be adjusted according to security requirements and usage scenarios, and work together with PAM to implement a comprehensive user security policy

Correctly understanding and configuring /etc/login.defs is crucial for maintaining the security and user management efficiency of Linux systems. Whether managing personal servers or enterprise-level systems, it should be appropriately adjusted based on specific needs.
