
UX: /usr/sbin/usermod: ERROR: Cannot modify account. Marked as read-only.

deesea Feb 27 2018 — edited Feb 28 2018

Sorry for the long delay, I expected an email that never came.

Since my original discussion has been archived, I'm including its content with my comments at the bottom.

Hello All,

I'm trying to modify an account to set the gecos field per our standards on Solaris 11.3.

/usr/sbin/usermod -c "account,generic,owner" account

UX: /usr/sbin/usermod: ERROR: Cannot modify account. Marked as read-only.

UX: /usr/sbin/usermod: ERROR: Permission denied.

How/where do I change this read-only attribute?

vipw or vi'ing /etc/passwd is not an option as we support 1000s of servers and the gecos is set by automation.

Daniel

Darren Moffat-Oracle Oct 26, 2017 11:06 AM (in response to deesea)

Are you attempting to modify one of the system accounts delivered as part of Solaris? Doing so is NOT supported (beyond setting a password for the root account). Any such attempt will actually be undone on the next 'pkg upgrade' or 'pkg fix' and will cause 'pkg verify' to fail and indicate the system is broken.

If this is not for a system delivered account then you need to find the entry for the account in one of the /etc/user_attr.d/ files and remove the "RO" from the third column. Do NOT do that to a system account or one delivered via IPS package. If it is delivered from an IPS package then change the source and republish the package instead.

- Darren

Oracle Solaris Engineering Security Architect

From Daniel:

accounts in question are

adm

daemon

dcsvcs

dladm

ikeuser

lp

netadm

netcfg

orarom

osccfbck

pkg5srv

zfssnap

So, they are system and application accounts.  What if I put them RW temporarily, or move temporarily /etc/user_attrs or /etc/user_attrs.d/xxx, change the gecos and put them back on?  And I would rerun my script to change the gecos again after a pkg upgrade or fix. Would this "break" the system?

This is important for our QAR, Quarterly Access Review, to identify if an account is a personal or service account.
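Darren's reply above places the read-only marker in the third column of the entries under /etc/user_attr.d/. The following is an added example, not code from the thread or from Oracle: a pre-check that automation could run to report which accounts carry that marker before it calls usermod. The function names and sample entries are constructed, and an exact `RO` value in column three is assumed.

```shell
#!/bin/sh
# Added example: report accounts marked read-only ("RO" in the third
# colon-separated column) in a user_attr.d-style directory.

# is_readonly DIR ACCOUNT -> exit 0 if ACCOUNT has RO in column 3 of any file
is_readonly() {
    dir=$1; acct=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        while IFS=: read -r name qualifier res1 rest; do
            case $name in '#'*|'') continue ;; esac   # skip comments/blank lines
            if [ "$name" = "$acct" ] && [ "$res1" = "RO" ]; then
                return 0
            fi
        done < "$f"
    done
    return 1
}

# classify DIR ACCOUNT... -> one "account<TAB>read-only|modifiable" line each
classify() {
    dir=$1; shift
    for a in "$@"; do
        if is_readonly "$dir" "$a"; then
            printf '%s\tread-only\n' "$a"
        else
            printf '%s\tmodifiable\n' "$a"
        fi
    done
}

# make_sample -> prints the path of a temp directory holding constructed entries
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/sample-pkg" <<'EOF'
# constructed entries, not copied from a real system
adm::RO::
orarom::::
EOF
    echo "$d"
}

# Demo on the constructed sample; on a real host pass /etc/user_attr.d instead.
demo_dir=$(make_sample) && classify "$demo_dir" adm orarom
[ -n "$demo_dir" ] && rm -rf "$demo_dir"
```

Accounts reported as read-only are the ones usermod refuses with the "Marked as read-only" error, so a script can skip them and log the skip for the access review instead of failing.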

Locked on Mar 27 2018
Added on Feb 27 2018