diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 20:46:53 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 20:46:53 +0000 |
commit | 19da58be2d9359a9641381feb559be0b918ef710 (patch) | |
tree | 109724175f07436696f51b14b5abbd3f4d704d6d /man/man1 | |
parent | Initial commit. (diff) | |
download | shadow-19da58be2d9359a9641381feb559be0b918ef710.tar.xz shadow-19da58be2d9359a9641381feb559be0b918ef710.zip |
Adding upstream version 1:4.13+dfsg1.upstream/1%4.13+dfsg1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'man/man1')
-rw-r--r-- | man/man1/chage.1 | 214 | ||||
-rw-r--r-- | man/man1/chfn.1 | 163 | ||||
-rw-r--r-- | man/man1/chsh.1 | 121 | ||||
-rw-r--r-- | man/man1/expiry.1 | 74 | ||||
-rw-r--r-- | man/man1/getsubids.1 | 82 | ||||
-rw-r--r-- | man/man1/gpasswd.1 | 234 | ||||
-rw-r--r-- | man/man1/groups.1 | 65 | ||||
-rw-r--r-- | man/man1/id.1 | 62 | ||||
-rw-r--r-- | man/man1/login.1 | 489 | ||||
-rw-r--r-- | man/man1/newgidmap.1 | 100 | ||||
-rw-r--r-- | man/man1/newgrp.1 | 98 | ||||
-rw-r--r-- | man/man1/newuidmap.1 | 100 | ||||
-rw-r--r-- | man/man1/passwd.1 | 367 | ||||
-rw-r--r-- | man/man1/sg.1 | 97 | ||||
-rw-r--r-- | man/man1/su.1 | 450 |
15 files changed, 2716 insertions, 0 deletions
diff --git a/man/man1/chage.1 b/man/man1/chage.1 new file mode 100644 index 0000000..37f72d1 --- /dev/null +++ b/man/man1/chage.1 @@ -0,0 +1,214 @@ +'\" t +.\" Title: chage +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "CHAGE" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +chage \- change user password expiry information +.SH "SYNOPSIS" +.HP \w'\fBchage\fR\ 'u +\fBchage\fR [\fIoptions\fR] \fILOGIN\fR +.SH "DESCRIPTION" +.PP +The +\fBchage\fR +command changes the number of days between password changes and the date of the last password change\&. This information is used by the system to determine when a user must change their password\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBchage\fR +command are: +.PP +\fB\-d\fR, \fB\-\-lastday\fR\ \&\fILAST_DAY\fR +.RS 4 +Set the number of days since January 1st, 1970 when the password was last changed\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. If the +\fILAST_DAY\fR +is set to +\fI0\fR +the user is forced to change his password on the next log on\&. +.RE +.PP +\fB\-E\fR, \fB\-\-expiredate\fR\ \&\fIEXPIRE_DATE\fR +.RS 4 +Set the date or number of days since January 1, 1970 on which the user\*(Aqs account will no longer be accessible\&. The date may also be expressed in the format YYYY\-MM\-DD (or the format more commonly used in your area)\&. A user whose account is locked must contact the system administrator before being able to use the system again\&. +.sp +For example the following can be used to set an account to expire in 180 days: +.sp +.if n \{\ +.RS 4 +.\} +.nf + chage \-E $(date \-d +180days +%Y\-%m\-%d) + +.fi +.if n \{\ +.RE +.\} +.sp +Passing the number +\fI\-1\fR +as the +\fIEXPIRE_DATE\fR +will remove an account expiration date\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-i\fR, \fB\-\-iso8601\fR +.RS 4 +When printing dates, use YYYY\-MM\-DD format\&. +.RE +.PP +\fB\-I\fR, \fB\-\-inactive\fR\ \&\fIINACTIVE\fR +.RS 4 +Set the number of days of inactivity after a password has expired before the account is locked\&. The +\fIINACTIVE\fR +option is the number of days of inactivity\&. A user whose account is locked must contact the system administrator before being able to use the system again\&. +.sp +Passing the number +\fI\-1\fR +as the +\fIINACTIVE\fR +will remove an account\*(Aqs inactivity\&. +.RE +.PP +\fB\-l\fR, \fB\-\-list\fR +.RS 4 +Show account aging information\&. +.RE +.PP +\fB\-m\fR, \fB\-\-mindays\fR\ \&\fIMIN_DAYS\fR +.RS 4 +Set the minimum number of days between password changes to +\fIMIN_DAYS\fR\&. A value of zero for this field indicates that the user may change their password at any time\&. +.RE +.PP +\fB\-M\fR, \fB\-\-maxdays\fR\ \&\fIMAX_DAYS\fR +.RS 4 +Set the maximum number of days during which a password is valid\&. When +\fIMAX_DAYS\fR +plus +\fILAST_DAY\fR +is less than the current day, the user will be required to change their password before being able to use their account\&. This occurrence can be planned for in advance by use of the +\fB\-W\fR +option, which provides the user with advance warning\&. +.sp +Passing the number +\fI\-1\fR +as +\fIMAX_DAYS\fR +will remove checking a password\*(Aqs validity\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-W\fR, \fB\-\-warndays\fR\ \&\fIWARN_DAYS\fR +.RS 4 +Set the number of days of warning before a password change is required\&. The +\fIWARN_DAYS\fR +option is the number of days prior to the password expiring that a user will be warned their password is about to expire\&. +.RE +.PP +If none of the options are selected, +\fBchage\fR +operates in an interactive fashion, prompting the user with the current values for all of the fields\&. Enter the new value to change the field, or leave the line blank to use the current value\&. The current value is displayed between a pair of +\fI[ ]\fR +marks\&. +.SH "NOTE" +.PP +The +\fBchage\fR +program requires a shadow password file to be available\&. +.PP +The chage program will report only the information from the shadow password file\&. This implies that configuration from other sources (e\&.g\&. LDAP or empty password hash field from the passwd file) that affect the user\*(Aqs login will not be shown in the chage output\&. +.PP +The +\fBchage\fR +program will also not report any inconsistency between the shadow and passwd files (e\&.g\&. missing x in the passwd file)\&. The +\fBpwck\fR +can be used to check for this kind of inconsistencies\&. +.PP +The +\fBchage\fR +command is restricted to the root user, except for the +\fB\-l\fR +option, which may be used by an unprivileged user to determine when their password or account is due to expire\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.SH "EXIT VALUES" +.PP +The +\fBchage\fR +command exits with the following values: +.PP +\fI0\fR +.RS 4 +success +.RE +.PP +\fI1\fR +.RS 4 +permission denied +.RE +.PP +\fI2\fR +.RS 4 +invalid command syntax +.RE +.PP +\fI15\fR +.RS 4 +can\*(Aqt find the shadow password file +.RE +.SH "SEE ALSO" +.PP +\fBpasswd\fR(5), +\fBshadow\fR(5)\&. diff --git a/man/man1/chfn.1 b/man/man1/chfn.1 new file mode 100644 index 0000000..d73f7f1 --- /dev/null +++ b/man/man1/chfn.1 @@ -0,0 +1,163 @@ +'\" t +.\" Title: chfn +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "CHFN" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +chfn \- change real user name and information +.SH "SYNOPSIS" +.HP \w'\fBchfn\fR\ 'u +\fBchfn\fR [\fIoptions\fR] [\fILOGIN\fR] +.SH "DESCRIPTION" +.PP +The +\fBchfn\fR +command changes user fullname, office room number, office phone number, and home phone number information for a user\*(Aqs account\&. This information is typically printed by +\fBfinger\fR(1) +and similar programs\&. A normal user may only change the fields for her own account, subject to the restrictions in +/etc/login\&.defs\&. (The default configuration is to prevent users from changing their fullname\&.) The superuser may change any field for any account\&. Additionally, only the superuser may use the +\fB\-o\fR +option to change the undefined portions of the GECOS field\&. +.PP +These fields must not contain any colons\&. Except for the +\fIother\fR +field, they should not contain any comma or equal sign\&. It is also recommended to avoid non\-US\-ASCII characters, but this is only enforced for the phone numbers\&. The +\fIother\fR +field is used to store accounting information used by other applications\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBchfn\fR +command are: +.PP +\fB\-f\fR, \fB\-\-full\-name\fR\ \&\fIFULL_NAME\fR +.RS 4 +Change the user\*(Aqs full name\&. +.RE +.PP +\fB\-h\fR, \fB\-\-home\-phone\fR\ \&\fIHOME_PHONE\fR +.RS 4 +Change the user\*(Aqs home phone number\&. +.RE +.PP +\fB\-o\fR, \fB\-\-other\fR\ \&\fIOTHER\fR +.RS 4 +Change the user\*(Aqs other GECOS information\&. This field is used to store accounting information used by other applications, and can be changed only by a superuser\&. +.RE +.PP +\fB\-r\fR, \fB\-\-room\fR\ \&\fIROOM_NUMBER\fR +.RS 4 +Change the user\*(Aqs room number\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-u\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-w\fR, \fB\-\-work\-phone\fR\ \&\fIWORK_PHONE\fR +.RS 4 +Change the user\*(Aqs office phone number\&. +.RE +.PP +If none of the options are selected, +\fBchfn\fR +operates in an interactive fashion, prompting the user with the current values for all of the fields\&. Enter the new value to change the field, or leave the line blank to use the current value\&. The current value is displayed between a pair of +\fB[ ]\fR +marks\&. Without options, +\fBchfn\fR +prompts for the current user account\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBCHFN_AUTH\fR (boolean) +.RS 4 +If +\fIyes\fR, the +\fBchfn\fR +program will require authentication before making any changes, unless run by the superuser\&. +.RE +.PP +\fBCHFN_RESTRICT\fR (string) +.RS 4 +This parameter specifies which values in the +\fIgecos\fR +field of the +/etc/passwd +file may be changed by regular users using the +\fBchfn\fR +program\&. It can be any combination of letters +\fIf\fR, +\fIr\fR, +\fIw\fR, +\fIh\fR, for Full name, Room number, Work phone, and Home phone, respectively\&. For backward compatibility, +\fIyes\fR +is equivalent to +\fIrwh\fR +and +\fIno\fR +is equivalent to +\fIfrwh\fR\&. If not specified, only the superuser can make any changes\&. The most restrictive setting is better achieved by not installing +\fBchfn\fR +SUID\&. +.RE +.PP +\fBLOGIN_STRING\fR (string) +.RS 4 +The string used for prompting a password\&. The default is to use "Password: ", or a translation of that string\&. If you set this variable, the prompt will not be translated\&. +.sp +If the string contains +\fI%s\fR, this will be replaced by the user\*(Aqs name\&. +.RE +.SH "FILES" +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.SH "SEE ALSO" +.PP +\fBchsh\fR(1), +\fBlogin.defs\fR(5), +\fBpasswd\fR(5)\&. diff --git a/man/man1/chsh.1 b/man/man1/chsh.1 new file mode 100644 index 0000000..97458a4 --- /dev/null +++ b/man/man1/chsh.1 @@ -0,0 +1,121 @@ +'\" t +.\" Title: chsh +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "CHSH" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +chsh \- change login shell +.SH "SYNOPSIS" +.HP \w'\fBchsh\fR\ 'u +\fBchsh\fR [\fIoptions\fR] [\fILOGIN\fR] +.SH "DESCRIPTION" +.PP +The +\fBchsh\fR +command changes the user login shell\&. This determines the name of the user\*(Aqs initial login command\&. A normal user may only change the login shell for her own account; the superuser may change the login shell for any account\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBchsh\fR +command are: +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-s\fR, \fB\-\-shell\fR\ \&\fISHELL\fR +.RS 4 +The name of the user\*(Aqs new login shell\&. Setting this field to blank causes the system to select the default login shell\&. +.RE +.PP +If the +\fB\-s\fR +option is not selected, +\fBchsh\fR +operates in an interactive fashion, prompting the user with the current login shell\&. Enter the new value to change the shell, or leave the line blank to use the current one\&. The current shell is displayed between a pair of +\fI[ ]\fR +marks\&. +.SH "NOTE" +.PP +The only restriction placed on the login shell is that the command name must be listed in +/etc/shells, unless the invoker is the superuser, and then any value may be added\&. An account with a restricted login shell may not change her login shell\&. For this reason, placing +/bin/rsh +in +/etc/shells +is discouraged since accidentally changing to a restricted shell would prevent the user from ever changing her login shell back to its original value\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBCHSH_AUTH\fR (boolean) +.RS 4 +If +\fIyes\fR, the +\fBchsh\fR +program will require authentication before making any changes, unless run by the superuser\&. +.RE +.PP +\fBLOGIN_STRING\fR (string) +.RS 4 +The string used for prompting a password\&. The default is to use "Password: ", or a translation of that string\&. If you set this variable, the prompt will not be translated\&. +.sp +If the string contains +\fI%s\fR, this will be replaced by the user\*(Aqs name\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shells +.RS 4 +List of valid login shells\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "SEE ALSO" +.PP +\fBchfn\fR(1), +\fBlogin.defs\fR(5), +\fBpasswd\fR(5)\&. diff --git a/man/man1/expiry.1 b/man/man1/expiry.1 new file mode 100644 index 0000000..6f5a120 --- /dev/null +++ b/man/man1/expiry.1 @@ -0,0 +1,74 @@ +'\" t +.\" Title: expiry +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "EXPIRY" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +expiry \- check and enforce password expiration policy +.SH "SYNOPSIS" +.HP \w'\fBexpiry\fR\ 'u +\fBexpiry\fR \fIoption\fR +.SH "DESCRIPTION" +.PP +The +\fBexpiry\fR +command checks (\fB\-c\fR) the current password expiration and forces (\fB\-f\fR) changes when required\&. It is callable as a normal user command\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBexpiry\fR +command are: +.PP +\fB\-c\fR, \fB\-\-check\fR +.RS 4 +Check the password expiration of the current user\&. +.RE +.PP +\fB\-f\fR, \fB\-\-force\fR +.RS 4 +Force a password change if the current user has an expired password\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.SH "SEE ALSO" +.PP +\fBpasswd\fR(5), +\fBshadow\fR(5)\&. diff --git a/man/man1/getsubids.1 b/man/man1/getsubids.1 new file mode 100644 index 0000000..2d92334 --- /dev/null +++ b/man/man1/getsubids.1 @@ -0,0 +1,82 @@ +'\" t +.\" Title: getsubids +.\" Author: Iker Pedrosa +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "GETSUBIDS" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +getsubids \- get the subordinate id ranges for a user +.SH "SYNOPSIS" +.HP \w'\fBgetsubids\fR\ 'u +\fBgetsubids\fR [\fIoptions\fR] \fIUSER\fR +.SH "DESCRIPTION" +.PP +The +\fBgetsubids\fR +command lists the subordinate user ID ranges for a given user\&. The subordinate group IDs can be listed using the +\fB\-g\fR +option\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBgetsubids\fR +command are: +.PP +\fB\-g\fR +.RS 4 +List the subordinate group ID ranges\&. +.RE +.PP +\fB\-h\fR +.RS 4 +Display help message and exit\&. +.RE +.SH "EXAMPLE" +.PP +For example, to obtain the subordinate UIDs of the testuser: +.PP +.if n \{\ +.RS 4 +.\} +.nf +$ getsubids testuser +0: testuser 100000 65536 +.fi +.if n \{\ +.RE +.\} +.PP +This command output provides (in order from left to right) the list index, username, UID range start, and number of UIDs in range\&. +.SH "SEE ALSO" +.PP +\fBlogin.defs\fR(5), +\fBnewgidmap\fR(1), +\fBnewuidmap\fR(1), +\fBsubgid\fR(5), +\fBsubuid\fR(5), +\fBuseradd\fR(8), +\fBuserdel\fR(8)\&. +\fBusermod\fR(8), diff --git a/man/man1/gpasswd.1 b/man/man1/gpasswd.1 new file mode 100644 index 0000000..e11bcdf --- /dev/null +++ b/man/man1/gpasswd.1 @@ -0,0 +1,234 @@ +'\" t +.\" Title: gpasswd +.\" Author: Rafal Maszkowski +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "GPASSWD" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +gpasswd \- administer /etc/group and /etc/gshadow +.SH "SYNOPSIS" +.HP \w'\fBgpasswd\fR\ 'u +\fBgpasswd\fR [\fIoption\fR] \fIgroup\fR +.SH "DESCRIPTION" +.PP +The +\fBgpasswd\fR +command is used to administer +/etc/group, and /etc/gshadow\&. Every group can have +administrators, +members and a password\&. +.PP +System administrators can use the +\fB\-A\fR +option to define group administrator(s) and the +\fB\-M\fR +option to define members\&. They have all rights of group administrators and members\&. +.PP +\fBgpasswd\fR +called by +a group administrator +with a group name only prompts for the new password of the +\fIgroup\fR\&. +.PP +If a password is set the members can still use +\fBnewgrp\fR(1) +without a password, and non\-members must supply the password\&. +.SS "Notes about group passwords" +.PP +Group passwords are an inherent security problem since more than one person is permitted to know the password\&. However, groups are a useful tool for permitting co\-operation between different users\&. +.SH "OPTIONS" +.PP +Except for the +\fB\-A\fR +and +\fB\-M\fR +options, the options cannot be combined\&. +.PP +The options which apply to the +\fBgpasswd\fR +command are: +.PP +\fB\-a\fR, \fB\-\-add\fR\ \&\fIuser\fR +.RS 4 +Add the +\fIuser\fR +to the named +\fIgroup\fR\&. +.RE +.PP +\fB\-d\fR, \fB\-\-delete\fR\ \&\fIuser\fR +.RS 4 +Remove the +\fIuser\fR +from the named +\fIgroup\fR\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-Q\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-r\fR, \fB\-\-remove\-password\fR +.RS 4 +Remove the password from the named +\fIgroup\fR\&. The group password will be empty\&. Only group members will be allowed to use +\fBnewgrp\fR +to join the named +\fIgroup\fR\&. +.RE +.PP +\fB\-R\fR, \fB\-\-restrict\fR +.RS 4 +Restrict the access to the named +\fIgroup\fR\&. The group password is set to "!"\&. Only group members with a password will be allowed to use +\fBnewgrp\fR +to join the named +\fIgroup\fR\&. +.RE +.PP +\fB\-A\fR, \fB\-\-administrators\fR\ \&\fIuser\fR,\&.\&.\&. +.RS 4 +Set the list of administrative users\&. +.RE +.PP +\fB\-M\fR, \fB\-\-members\fR\ \&\fIuser\fR,\&.\&.\&. +.RS 4 +Set the list of group members\&. +.RE +.SH "CAVEATS" +.PP +This tool only operates on the +/etc/group +and /etc/gshadow files\&. +Thus you cannot change any NIS or LDAP group\&. This must be performed on the corresponding server\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBENCRYPT_METHOD\fR (string) +.RS 4 +This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&. +.sp +It can take one of these values: +\fIDES\fR +(default), +\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see +crypt(5) +for recommendations\&. +.sp +Note: this parameter overrides the +\fBMD5_CRYPT_ENAB\fR +variable\&. +.RE +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. +.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. +.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.PP +\fBMD5_CRYPT_ENAB\fR (boolean) +.RS 4 +Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to +\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to +\fIno\fR +if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is +\fIno\fR\&. +.sp +This variable is superseded by the +\fBENCRYPT_METHOD\fR +variable or by any command line option used to configure the encryption algorithm\&. +.sp +This variable is deprecated\&. You should use +\fBENCRYPT_METHOD\fR\&. +.RE +.PP +\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number) +.RS 4 +When +\fBENCRYPT_METHOD\fR +is set to +\fISHA256\fR +or +\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&. +.sp +With a lot of rounds, it is more difficult to brute forcing the password\&. But note also that more CPU resources will be needed to authenticate users\&. +.sp +If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&. +.sp +The values must be inside the 1000\-999,999,999 range\&. +.sp +If only one of the +\fBSHA_CRYPT_MIN_ROUNDS\fR +or +\fBSHA_CRYPT_MAX_ROUNDS\fR +values is set, then this value will be used\&. +.sp +If +\fBSHA_CRYPT_MIN_ROUNDS\fR +> +\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&. +.RE +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. +.RE +.SH "SEE ALSO" +.PP +\fBnewgrp\fR(1), +\fBgroupadd\fR(8), +\fBgroupdel\fR(8), +\fBgroupmod\fR(8), +\fBgrpck\fR(8), +\fBgroup\fR(5), \fBgshadow\fR(5)\&. diff --git a/man/man1/groups.1 b/man/man1/groups.1 new file mode 100644 index 0000000..7b9fbf2 --- /dev/null +++ b/man/man1/groups.1 @@ -0,0 +1,65 @@ +'\" t +.\" Title: groups +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "GROUPS" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +groups \- display current group names +.SH "SYNOPSIS" +.HP \w'\fBgroups\fR\ 'u +\fBgroups\fR [\fIuser\fR] +.SH "DESCRIPTION" +.PP +The +\fBgroups\fR +command displays the current group names or ID values\&. If the value does not have a corresponding entry in +/etc/group, the value will be displayed as the numerical group value\&. The optional +\fIuser\fR +parameter will display the groups for the named user\&. +.SH "NOTE" +.PP +Systems which do not support supplementary groups (see +\fBinitgroups\fR(3)) will have the information from +/etc/group +reported\&. The user must use +\fBnewgrp\fR +or +\fBsg\fR +to change his current real and effective group ID\&. +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.SH "SEE ALSO" +.PP +\fBnewgrp\fR(1), +\fBgetgid\fR(2), +\fBgetgroups\fR(2), +\fBgetuid\fR(2), +\fBinitgroups\fR(3)\&. diff --git a/man/man1/id.1 b/man/man1/id.1 new file mode 100644 index 0000000..010db36 --- /dev/null +++ b/man/man1/id.1 @@ -0,0 +1,62 @@ +'\" t +.\" Title: id +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "ID" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +id \- display current user and group ID names +.SH "SYNOPSIS" +.HP \w'\fBid\fR\ 'u +\fBid\fR [\-a] +.SH "DESCRIPTION" +.PP +The +\fBid\fR +command displays the current real and effective user and group ID names or values\&. If the value does not have a corresponding entry in +/etc/passwd +or +/etc/group, the value will be displayed without the corresponding name\&. The optional +\fB\-a\fR +flag will display the group set on systems which support supplementary groups (see +\fBinitgroups\fR(3))\&. +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.SH "SEE ALSO" +.PP +\fBgetgid\fR(2), +\fBgetgroups\fR(2), +\fBgetuid\fR(2), +\fBinitgroups\fR(3) diff --git a/man/man1/login.1 b/man/man1/login.1 new file mode 100644 index 0000000..eaa39db --- /dev/null +++ b/man/man1/login.1 @@ -0,0 +1,489 @@ +'\" t +.\" Title: login +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "LOGIN" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +login \- begin session on the system +.SH "SYNOPSIS" +.HP \w'\fBlogin\fR\ 'u +\fBlogin\fR [\-p] [\-h\ \fIhost\fR] [\fIusername\fR] [\fIENV=VAR\fR...] +.HP \w'\fBlogin\fR\ 'u +\fBlogin\fR [\-p] [\-h\ \fIhost\fR] \-f \fIusername\fR +.HP \w'\fBlogin\fR\ 'u +\fBlogin\fR [\-p] \-r\ \fIhost\fR +.SH "DESCRIPTION" +.PP +The +\fBlogin\fR +program is used to establish a new session with the system\&. It is normally invoked automatically by responding to the +\fIlogin:\fR +prompt on the user\*(Aqs terminal\&. +\fBlogin\fR +may be special to the shell and may not be invoked as a sub\-process\&. When called from a shell, +\fBlogin\fR +should be executed as +\fBexec login\fR +which will cause the user to exit from the current shell (and thus will prevent the new logged in user to return to the session of the caller)\&. Attempting to execute +\fBlogin\fR +from any shell but the login shell will produce an error message\&. +.PP +The user is then prompted for a password, where appropriate\&. Echoing is disabled to prevent revealing the password\&. Only a small number of password failures are permitted before +\fBlogin\fR +exits and the communications link is severed\&. +.PP +If password aging has been enabled for your account, you may be prompted for a new password before proceeding\&. You will be forced to provide your old password and the new password before continuing\&. Please refer to +\fBpasswd\fR(1) +for more information\&. +.PP +After a successful login, you will be informed of any system messages and the presence of mail\&. You may turn off the printing of the system message file, +/etc/motd, by creating a zero\-length file +\&.hushlogin +in your login directory\&. The mail message will be one of "\fIYou have new mail\&.\fR", "\fIYou have mail\&.\fR", or "\fINo Mail\&.\fR" according to the condition of your mailbox\&. +.PP +Your user and group ID will be set according to their values in the +/etc/passwd +file\&. The value for +\fB$HOME\fR, +\fB$SHELL\fR, +\fB$PATH\fR, +\fB$LOGNAME\fR, and +\fB$MAIL\fR +are set according to the appropriate fields in the password entry\&. Ulimit, umask and nice values may also be set according to entries in the GECOS field\&. +.PP +On some installations, the environmental variable +\fB$TERM\fR +will be initialized to the terminal type on your tty line, as specified in +/etc/ttytype\&. +.PP +An initialization script for your command interpreter may also be executed\&. Please see the appropriate manual section for more information on this function\&. +.PP +A subsystem login is indicated by the presence of a "*" as the first character of the login shell\&. The given home directory will be used as the root of a new file system which the user is actually logged into\&. +.PP +The +\fBlogin\fR +program is NOT responsible for removing users from the utmp file\&. It is the responsibility of +\fBgetty\fR(8) +and +\fBinit\fR(8) +to clean up apparent ownership of a terminal session\&. If you use +\fBlogin\fR +from the shell prompt without +\fBexec\fR, the user you use will continue to appear to be logged in even after you log out of the "subsession"\&. +.SH "OPTIONS" +.PP +\fB\-f\fR +.RS 4 +Do not perform authentication, user is preauthenticated\&. +.sp +Note: In that case, +\fIusername\fR +is mandatory\&. +.RE +.PP +\fB\-h\fR +.RS 4 +Name of the remote host for this login\&. +.RE +.PP +\fB\-p\fR +.RS 4 +Preserve environment\&. +.RE +.PP +\fB\-r\fR +.RS 4 +Perform autologin protocol for rlogin\&. +.RE +.PP +The +\fB\-r\fR, +\fB\-h\fR +and +\fB\-f\fR +options are only used when +\fBlogin\fR +is invoked by root\&. +.SH "CAVEATS" +.PP +This version of +\fBlogin\fR +has many compilation options, only some of which may be in use at any particular site\&. +.PP +The location of files is subject to differences in system configuration\&. +.PP +The +\fBlogin\fR +program is NOT responsible for removing users from the utmp file\&. It is the responsibility of +\fBgetty\fR(8) +and +\fBinit\fR(8) +to clean up apparent ownership of a terminal session\&. If you use +\fBlogin\fR +from the shell prompt without +\fBexec\fR, the user you use will continue to appear to be logged in even after you log out of the "subsession"\&. +.PP +As with any program, +\fBlogin\fR\*(Aqs appearance can be faked\&. If non\-trusted users have physical access to a machine, an attacker could use this to obtain the password of the next person coming to sit in front of the machine\&. Under Linux, the SAK mechanism can be used by users to initiate a trusted path and prevent this kind of attack\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBCONSOLE\fR (string) +.RS 4 +If defined, either full pathname of a file containing device names (one per line) or a ":" delimited list of device names\&. Root logins will be allowed only upon these devices\&. +.sp +If not defined, root will be allowed on any device\&. +.sp +The device should be specified without the /dev/ prefix\&. +.RE +.PP +\fBCONSOLE_GROUPS\fR (string) +.RS 4 +List of groups to add to the user\*(Aqs supplementary groups set when logging in on the console (as determined by the CONSOLE setting)\&. Default is none\&. + +Use with caution \- it is possible for users to gain permanent access to these groups, even when not logged in on the console\&. +.RE +.PP +\fBDEFAULT_HOME\fR (boolean) +.RS 4 +Indicate if login is allowed if we can\*(Aqt cd to the home directory\&. Default is no\&. +.sp +If set to +\fIyes\fR, the user will login in the root (/) directory if it is not possible to cd to her home directory\&. +.RE +.PP +\fBENV_HZ\fR (string) +.RS 4 +If set, it will be used to define the HZ environment variable when a user login\&. The value must be preceded by +\fIHZ=\fR\&. A common value on Linux is +\fIHZ=100\fR\&. +.RE +.PP +\fBENV_PATH\fR (string) +.RS 4 +If set, it will be used to define the PATH environment variable when a regular user login\&. The value is a colon separated list of paths (for example +\fI/bin:/usr/bin\fR) and can be preceded by +\fIPATH=\fR\&. The default value is +\fIPATH=/bin:/usr/bin\fR\&. +.RE +.PP +\fBENV_SUPATH\fR (string) +.RS 4 +If set, it will be used to define the PATH environment variable when the superuser login\&. The value is a colon separated list of paths (for example +\fI/sbin:/bin:/usr/sbin:/usr/bin\fR) and can be preceded by +\fIPATH=\fR\&. The default value is +\fIPATH=/sbin:/bin:/usr/sbin:/usr/bin\fR\&. +.RE +.PP +\fBENV_TZ\fR (string) +.RS 4 +If set, it will be used to define the TZ environment variable when a user login\&. The value can be the name of a timezone preceded by +\fITZ=\fR +(for example +\fITZ=CST6CDT\fR), or the full path to the file containing the timezone specification (for example +/etc/tzname)\&. +.sp +If a full path is specified but the file does not exist or cannot be read, the default is to use +\fITZ=CST6CDT\fR\&. +.RE +.PP +\fBENVIRON_FILE\fR (string) +.RS 4 +If this file exists and is readable, login environment will be read from it\&. Every line should be in the form name=value\&. +.sp +Lines starting with a # are treated as comment lines and ignored\&. +.RE +.PP +\fBERASECHAR\fR (number) +.RS 4 +Terminal ERASE character (\fI010\fR += backspace, +\fI0177\fR += DEL)\&. +.sp +The value can be prefixed "0" for an octal value, or "0x" for an hexadecimal value\&. +.RE +.PP +\fBFAIL_DELAY\fR (number) +.RS 4 +Delay in seconds before being allowed another attempt after a login failure\&. +.RE +.PP +\fBFAILLOG_ENAB\fR (boolean) +.RS 4 +Enable logging and display of +/var/log/faillog +login failure info\&. +.RE +.PP +\fBFAKE_SHELL\fR (string) +.RS 4 +If set, +\fBlogin\fR +will execute this shell instead of the users\*(Aq shell specified in +/etc/passwd\&. +.RE +.PP +\fBFTMP_FILE\fR (string) +.RS 4 +If defined, login failures will be logged in this file in a utmp format\&. +.RE +.PP +\fBHUSHLOGIN_FILE\fR (string) +.RS 4 +If defined, this file can inhibit all the usual chatter during the login sequence\&. If a full pathname is specified, then hushed mode will be enabled if the user\*(Aqs name or shell are found in the file\&. If not a full pathname, then hushed mode will be enabled if the file exists in the user\*(Aqs home directory\&. +.RE +.PP +\fBISSUE_FILE\fR (string) +.RS 4 +If defined, this file will be displayed before each login prompt\&. +.RE +.PP +\fBKILLCHAR\fR (number) +.RS 4 +Terminal KILL character (\fI025\fR += CTRL/U)\&. +.sp +The value can be prefixed "0" for an octal value, or "0x" for an hexadecimal value\&. +.RE +.PP +\fBLASTLOG_ENAB\fR (boolean) +.RS 4 +Enable logging and display of /var/log/lastlog login time info\&. +.RE +.PP +\fBLOGIN_RETRIES\fR (number) +.RS 4 +Maximum number of login retries in case of bad password\&. +.RE +.PP +\fBLOGIN_STRING\fR (string) +.RS 4 +The string used for prompting a password\&. The default is to use "Password: ", or a translation of that string\&. If you set this variable, the prompt will not be translated\&. +.sp +If the string contains +\fI%s\fR, this will be replaced by the user\*(Aqs name\&. +.RE +.PP +\fBLOGIN_TIMEOUT\fR (number) +.RS 4 +Max time in seconds for login\&. +.RE +.PP +\fBLOG_OK_LOGINS\fR (boolean) +.RS 4 +Enable logging of successful logins\&. +.RE +.PP +\fBLOG_UNKFAIL_ENAB\fR (boolean) +.RS 4 +Enable display of unknown usernames when login failures are recorded\&. +.sp +Note: logging unknown usernames may be a security issue if an user enter her password instead of her login name\&. +.RE +.PP +\fBMAIL_CHECK_ENAB\fR (boolean) +.RS 4 +Enable checking and display of mailbox status upon login\&. +.sp +You should disable it if the shell startup files already check for mail ("mailx \-e" or equivalent)\&. +.RE +.PP +\fBMAIL_DIR\fR (string) +.RS 4 +The mail spool directory\&. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&. The parameter CREATE_MAIL_SPOOL in +/etc/default/useradd +determines whether the mail spool should be created\&. +.RE +.PP +\fBMAIL_FILE\fR (string) +.RS 4 +Defines the location of the users mail spool files relatively to their home directory\&. +.RE +.PP +The +\fBMAIL_DIR\fR +and +\fBMAIL_FILE\fR +variables are used by +\fBuseradd\fR, +\fBusermod\fR, and +\fBuserdel\fR +to create, move, or delete the user\*(Aqs mail spool\&. +.PP +If +\fBMAIL_CHECK_ENAB\fR +is set to +\fIyes\fR, they are also used to define the +\fBMAIL\fR +environment variable\&. +.PP +\fBMOTD_FILE\fR (string) +.RS 4 +If defined, ":" delimited list of "message of the day" files to be displayed upon login\&. +.RE +.PP +\fBNOLOGINS_FILE\fR (string) +.RS 4 +If defined, name of file whose presence will inhibit non\-root logins\&. The contents of this file should be a message indicating why logins are inhibited\&. +.RE +.PP +\fBPORTTIME_CHECKS_ENAB\fR (boolean) +.RS 4 +Enable checking of time restrictions specified in +/etc/porttime\&. +.RE +.PP +\fBQUOTAS_ENAB\fR (boolean) +.RS 4 +Enable setting of resource limits from +/etc/limits +and ulimit, umask, and niceness from the user\*(Aqs passwd gecos field\&. +.RE +.PP +\fBTTYGROUP\fR (string), \fBTTYPERM\fR (string) +.RS 4 +The terminal permissions: the login tty will be owned by the +\fBTTYGROUP\fR +group, and the permissions will be set to +\fBTTYPERM\fR\&. +.sp +By default, the ownership of the terminal is set to the user\*(Aqs primary group and the permissions are set to +\fI0600\fR\&. +.sp +\fBTTYGROUP\fR +can be either the name of a group or a numeric group identifier\&. +.sp +If you have a +\fBwrite\fR +program which is "setgid" to a special group which owns the terminals, define TTYGROUP to the group number and TTYPERM to 0620\&. Otherwise leave TTYGROUP commented out and assign TTYPERM to either 622 or 600\&. +.RE +.PP +\fBTTYTYPE_FILE\fR (string) +.RS 4 +If defined, file which maps tty line to TERM environment parameter\&. Each line of the file is in a format something like "vt100 tty01"\&. +.RE +.PP +\fBULIMIT\fR (number) +.RS 4 +Default +\fBulimit\fR +value\&. +.RE +.PP +\fBUMASK\fR (number) +.RS 4 +The file mode creation mask is initialized to this value\&. If not specified, the mask will be initialized to 022\&. +.sp +\fBuseradd\fR +and +\fBnewusers\fR +use this mask to set the mode of the home directory they create if +\fBHOME_MODE\fR +is not set\&. +.sp +It is also used by +\fBlogin\fR +to define users\*(Aq initial umask\&. Note that this mask can be overridden by the user\*(Aqs GECOS line (if +\fBQUOTAS_ENAB\fR +is set) or by the specification of a limit with the +\fIK\fR +identifier in +\fBlimits\fR(5)\&. +.RE +.PP +\fBUSERGROUPS_ENAB\fR (boolean) +.RS 4 +Enable setting of the umask group bits to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007) for non\-root users, if the uid is the same as gid, and username is the same as the primary group name\&. +.sp +If set to +\fIyes\fR, +\fBuserdel\fR +will remove the user\*(Aqs group if it contains no more members, and +\fBuseradd\fR +will create by default a group with the name of the user\&. +.RE +.SH "FILES" +.PP +/var/run/utmp +.RS 4 +List of current login sessions\&. +.RE +.PP +/var/log/wtmp +.RS 4 +List of previous login sessions\&. +.RE +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/motd +.RS 4 +System message of the day file\&. +.RE +.PP +/etc/nologin +.RS 4 +Prevent non\-root users from logging in\&. +.RE +.PP +/etc/ttytype +.RS 4 +List of terminal types\&. +.RE +.PP +$HOME/\&.hushlogin +.RS 4 +Suppress printing of system messages\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "SEE ALSO" +.PP +\fBmail\fR(1), +\fBpasswd\fR(1), +\fBsh\fR(1), +\fBsu\fR(1), +\fBlogin.defs\fR(5), +\fBnologin\fR(5), +\fBpasswd\fR(5), +\fBsecuretty\fR(5), +\fBgetty\fR(8)\&. diff --git a/man/man1/newgidmap.1 b/man/man1/newgidmap.1 new file mode 100644 index 0000000..c60cf7f --- /dev/null +++ b/man/man1/newgidmap.1 @@ -0,0 +1,100 @@ +'\" t +.\" Title: newgidmap +.\" Author: Eric Biederman +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "NEWGIDMAP" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +newgidmap \- set the gid mapping of a user namespace +.SH "SYNOPSIS" +.HP \w'\fBnewgidmap\fR\ 'u +\fBnewgidmap\fR \fIpid\fR \fIgid\fR \fIlowergid\fR \fIcount\fR [\fIgid\fR\ \fIlowergid\fR\ \fIcount\fR\ [\ \fI\&.\&.\&.\fR\ ]] +.SH "DESCRIPTION" +.PP +The +\fBnewgidmap\fR +sets +/proc/[pid]/gid_map +based on its command line arguments and the gids allowed\&. Subgid delegation can either be managed via +/etc/subgid +or through the configured NSS subid module\&. These options are mutually exclusive\&. +.PP +Note that the root group is not exempted from the requirement for a valid +/etc/subgid +entry\&. +.PP +After the pid argument, +\fBnewgidmap\fR +expects sets of 3 integers: +.PP +gid +.RS 4 +Beginning of the range of GIDs inside the user namespace\&. +.RE +.PP +lowergid +.RS 4 +Beginning of the range of GIDs outside the user namespace\&. +.RE +.PP +count +.RS 4 +Length of the ranges (both inside and outside the user namespace)\&. +.RE +.PP +\fBnewgidmap\fR +verifies that the caller is the owner of the process indicated by +\fBpid\fR +and that for each of the above sets, each of the GIDs in the range [lowergid, lowergid+count) is allowed to the caller according to +/etc/subgid +before setting +/proc/[pid]/gid_map\&. +.PP +Note that newgidmap may be used only once for a given process\&. +.SH "OPTIONS" +.PP +There currently are no options to the +\fBnewgidmap\fR +command\&. +.SH "FILES" +.PP +/etc/subgid +.RS 4 +List of user\*(Aqs subordinate group IDs\&. +.RE +.PP +/proc/[pid]/gid_map +.RS 4 +Mapping of gids from one between user namespaces\&. +.RE +.SH "SEE ALSO" +.PP +\fBlogin.defs\fR(5), +\fBnewusers\fR(8), +\fBsubgid\fR(5), +\fBuseradd\fR(8), +\fBuserdel\fR(8), +\fBusermod\fR(8)\&. diff --git a/man/man1/newgrp.1 b/man/man1/newgrp.1 new file mode 100644 index 0000000..312e6ca --- /dev/null +++ b/man/man1/newgrp.1 @@ -0,0 +1,98 @@ +'\" t +.\" Title: newgrp +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "NEWGRP" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +newgrp \- log in to a new group +.SH "SYNOPSIS" +.HP \w'\fBnewgrp\fR\ 'u +\fBnewgrp\fR [\-] [\fIgroup\fR] +.SH "DESCRIPTION" +.PP +The +\fBnewgrp\fR +command is used to change the current group ID during a login session\&. If the optional +\fB\-\fR +flag is given, the user\*(Aqs environment will be reinitialized as though the user had logged in, otherwise the current environment, including current working directory, remains unchanged\&. +.PP +\fBnewgrp\fR +changes the current real group ID to the named group, or to the default group listed in +/etc/passwd +if no group name is given\&. +\fBnewgrp\fR +also tries to add the group to the user groupset\&. If not root, the user will be prompted for a password if she does not have a password (in +/etc/shadow +if this user has an entry in the shadowed password file, or in +/etc/passwd +otherwise) and the group does, or if the user is not listed as a member and the group has a password\&. The user will be denied access if the group password is empty and the user is not listed as a member\&. +.PP +If there is an entry for this group in +/etc/gshadow, then the list of members and the password of this group will be taken from this file, otherwise, the entry in +/etc/group +is considered\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBSYSLOG_SG_ENAB\fR (boolean) +.RS 4 +Enable "syslog" logging of +\fBsg\fR +activity\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. +.RE +.SH "SEE ALSO" +.PP +\fBid\fR(1), +\fBlogin\fR(1), +\fBsu\fR(1), +\fBsg\fR(1), +\fBgpasswd\fR(1), +\fBgroup\fR(5), \fBgshadow\fR(5)\&. diff --git a/man/man1/newuidmap.1 b/man/man1/newuidmap.1 new file mode 100644 index 0000000..d4dda67 --- /dev/null +++ b/man/man1/newuidmap.1 @@ -0,0 +1,100 @@ +'\" t +.\" Title: newuidmap +.\" Author: Eric Biederman +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "NEWUIDMAP" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +newuidmap \- set the uid mapping of a user namespace +.SH "SYNOPSIS" +.HP \w'\fBnewuidmap\fR\ 'u +\fBnewuidmap\fR \fIpid\fR \fIuid\fR \fIloweruid\fR \fIcount\fR [\fIuid\fR\ \fIloweruid\fR\ \fIcount\fR\ [\ \fI\&.\&.\&.\fR\ ]] +.SH "DESCRIPTION" +.PP +The +\fBnewuidmap\fR +sets +/proc/[pid]/uid_map +based on its command line arguments and the uids allowed\&. Subuid delegation can either be managed via +/etc/subuid +or through the configured NSS subid module\&. These options are mutually exclusive\&. +.PP +Note that the root user is not exempted from the requirement for a valid +/etc/subuid +entry\&. +.PP +After the pid argument, +\fBnewuidmap\fR +expects sets of 3 integers: +.PP +uid +.RS 4 +Beginning of the range of UIDs inside the user namespace\&. +.RE +.PP +loweruid +.RS 4 +Beginning of the range of UIDs outside the user namespace\&. +.RE +.PP +count +.RS 4 +Length of the ranges (both inside and outside the user namespace)\&. +.RE +.PP +\fBnewuidmap\fR +verifies that the caller is the owner of the process indicated by +\fBpid\fR +and that for each of the above sets, each of the UIDs in the range [loweruid, loweruid+count) is allowed to the caller according to +/etc/subuid +before setting +/proc/[pid]/uid_map\&. +.PP +Note that newuidmap may be used only once for a given process\&. +.SH "OPTIONS" +.PP +There currently are no options to the +\fBnewuidmap\fR +command\&. +.SH "FILES" +.PP +/etc/subuid +.RS 4 +List of user\*(Aqs subordinate user IDs\&. +.RE +.PP +/proc/[pid]/uid_map +.RS 4 +Mapping of uids from one between user namespaces\&. +.RE +.SH "SEE ALSO" +.PP +\fBlogin.defs\fR(5), +\fBnewusers\fR(8), +\fBsubuid\fR(5), +\fBuseradd\fR(8), +\fBusermod\fR(8), +\fBuserdel\fR(8)\&. diff --git a/man/man1/passwd.1 b/man/man1/passwd.1 new file mode 100644 index 0000000..cc1a46e --- /dev/null +++ b/man/man1/passwd.1 @@ -0,0 +1,367 @@ +'\" t +.\" Title: passwd +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "PASSWD" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +passwd \- change user password +.SH "SYNOPSIS" +.HP \w'\fBpasswd\fR\ 'u +\fBpasswd\fR [\fIoptions\fR] [\fILOGIN\fR] +.SH "DESCRIPTION" +.PP +The +\fBpasswd\fR +command changes passwords for user accounts\&. A normal user may only change the password for their own account, while the superuser may change the password for any account\&. +\fBpasswd\fR +also changes the account or associated password validity period\&. +.SS "Password Changes" +.PP +The user is first prompted for their old password, if one is present\&. This password is then encrypted and compared against the stored password\&. The user has only one chance to enter the correct password\&. The superuser is permitted to bypass this step so that forgotten passwords may be changed\&. +.PP +After the password has been entered, password aging information is checked to see if the user is permitted to change the password at this time\&. If not, +\fBpasswd\fR +refuses to change the password and exits\&. +.PP +The user is then prompted twice for a replacement password\&. The second entry is compared against the first and both are required to match in order for the password to be changed\&. +.PP +Then, the password is tested for complexity\&. As a general guideline, passwords should consist of 6 to 8 characters including one or more characters from each of the following sets: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +lower case alphabetics +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +digits 0 thru 9 +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +punctuation marks +.RE +.PP +Care must be taken not to include the system default erase or kill characters\&. +\fBpasswd\fR +will reject any password which is not suitably complex\&. +.SS "Hints for user passwords" +.PP +The security of a password depends upon the strength of the encryption algorithm and the size of the key space\&. The legacy +\fIUNIX\fR +System encryption method is based on the NBS DES algorithm\&. More recent methods are now recommended (see +\fBENCRYPT_METHOD\fR)\&. The size of the key space depends upon the randomness of the password which is selected\&. +.PP +Compromises in password security normally result from careless password selection or handling\&. For this reason, you should not select a password which appears in a dictionary or which must be written down\&. The password should also not be a proper name, your license number, birth date, or street address\&. Any of these may be used as guesses to violate system security\&. +.PP +You can find advice on how to choose a strong password on http://en\&.wikipedia\&.org/wiki/Password_strength +.SH "OPTIONS" +.PP +The options which apply to the +\fBpasswd\fR +command are: +.PP +\fB\-a\fR, \fB\-\-all\fR +.RS 4 +This option can be used only with +\fB\-S\fR +and causes show status for all users\&. +.RE +.PP +\fB\-d\fR, \fB\-\-delete\fR +.RS 4 +Delete a user\*(Aqs password (make it empty)\&. This is a quick way to disable a password for an account\&. It will set the named account passwordless\&. +.RE +.PP +\fB\-e\fR, \fB\-\-expire\fR +.RS 4 +Immediately expire an account\*(Aqs password\&. This in effect can force a user to change their password at the user\*(Aqs next login\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-i\fR, \fB\-\-inactive\fR\ \&\fIINACTIVE\fR +.RS 4 +This option is used to disable an account after the password has been expired for a number of days\&. After a user account has had an expired password for +\fIINACTIVE\fR +days, the user may no longer sign on to the account\&. +.RE +.PP +\fB\-k\fR, \fB\-\-keep\-tokens\fR +.RS 4 +Indicate password change should be performed only for expired authentication tokens (passwords)\&. The user wishes to keep their non\-expired tokens as before\&. +.RE +.PP +\fB\-l\fR, \fB\-\-lock\fR +.RS 4 +Lock the password of the named account\&. This option disables a password by changing it to a value which matches no possible encrypted value (it adds a \(aa!\(aa at the beginning of the password)\&. +.sp +Note that this does not disable the account\&. The user may still be able to login using another authentication token (e\&.g\&. an SSH key)\&. To disable the account, administrators should use +\fBusermod \-\-expiredate 1\fR +(this set the account\*(Aqs expire date to Jan 2, 1970)\&. +.sp +Users with a locked password are not allowed to change their password\&. +.RE +.PP +\fB\-n\fR, \fB\-\-mindays\fR\ \&\fIMIN_DAYS\fR +.RS 4 +Set the minimum number of days between password changes to +\fIMIN_DAYS\fR\&. A value of zero for this field indicates that the user may change their password at any time\&. +.RE +.PP +\fB\-q\fR, \fB\-\-quiet\fR +.RS 4 +Quiet mode\&. +.RE +.PP +\fB\-r\fR, \fB\-\-repository\fR\ \&\fIREPOSITORY\fR +.RS 4 +change password in +\fIREPOSITORY\fR +repository +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-S\fR, \fB\-\-status\fR +.RS 4 +Display account status information\&. The status information consists of 7 fields\&. The first field is the user\*(Aqs login name\&. The second field indicates if the user account has a locked password (L), has no password (NP), or has a usable password (P)\&. The third field gives the date of the last password change\&. The next four fields are the minimum age, maximum age, warning period, and inactivity period for the password\&. These ages are expressed in days\&. +.RE +.PP +\fB\-u\fR, \fB\-\-unlock\fR +.RS 4 +Unlock the password of the named account\&. This option re\-enables a password by changing the password back to its previous value (to the value before using the +\fB\-l\fR +option)\&. +.RE +.PP +\fB\-w\fR, \fB\-\-warndays\fR\ \&\fIWARN_DAYS\fR +.RS 4 +Set the number of days of warning before a password change is required\&. The +\fIWARN_DAYS\fR +option is the number of days prior to the password expiring that a user will be warned that their password is about to expire\&. +.RE +.PP +\fB\-x\fR, \fB\-\-maxdays\fR\ \&\fIMAX_DAYS\fR +.RS 4 +Set the maximum number of days a password remains valid\&. After +\fIMAX_DAYS\fR, the password is required to be changed\&. +.sp +Passing the number +\fI\-1\fR +as +\fIMAX_DAYS\fR +will remove checking a password\*(Aqs validity\&. +.RE +.SH "CAVEATS" +.PP +Password complexity checking may vary from site to site\&. The user is urged to select a password as complex as he or she feels comfortable with\&. +.PP +Users may not be able to change their password on a system if NIS is enabled and they are not logged into the NIS server\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBENCRYPT_METHOD\fR (string) +.RS 4 +This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&. +.sp +It can take one of these values: +\fIDES\fR +(default), +\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see +crypt(5) +for recommendations\&. +.sp +Note: this parameter overrides the +\fBMD5_CRYPT_ENAB\fR +variable\&. +.RE +.PP +\fBMD5_CRYPT_ENAB\fR (boolean) +.RS 4 +Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to +\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to +\fIno\fR +if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is +\fIno\fR\&. +.sp +This variable is superseded by the +\fBENCRYPT_METHOD\fR +variable or by any command line option used to configure the encryption algorithm\&. +.sp +This variable is deprecated\&. You should use +\fBENCRYPT_METHOD\fR\&. +.RE +.PP +\fBOBSCURE_CHECKS_ENAB\fR (boolean) +.RS 4 +Enable additional checks upon password changes\&. +.RE +.PP +\fBPASS_ALWAYS_WARN\fR (boolean) +.RS 4 +Warn about weak passwords (but still allow them) if you are root\&. +.RE +.PP +\fBPASS_CHANGE_TRIES\fR (number) +.RS 4 +Maximum number of attempts to change password if rejected (too easy)\&. +.RE +.PP +\fBPASS_MAX_LEN\fR (number), \fBPASS_MIN_LEN\fR (number) +.RS 4 +Number of significant characters in the password for crypt()\&. +\fBPASS_MAX_LEN\fR +is 8 by default\&. Don\*(Aqt change unless your crypt() is better\&. This is ignored if +\fBMD5_CRYPT_ENAB\fR +set to +\fIyes\fR\&. +.RE +.PP +\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number) +.RS 4 +When +\fBENCRYPT_METHOD\fR +is set to +\fISHA256\fR +or +\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&. +.sp +With a lot of rounds, it is more difficult to brute forcing the password\&. But note also that more CPU resources will be needed to authenticate users\&. +.sp +If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&. +.sp +The values must be inside the 1000\-999,999,999 range\&. +.sp +If only one of the +\fBSHA_CRYPT_MIN_ROUNDS\fR +or +\fBSHA_CRYPT_MAX_ROUNDS\fR +values is set, then this value will be used\&. +.sp +If +\fBSHA_CRYPT_MIN_ROUNDS\fR +> +\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "EXIT VALUES" +.PP +The +\fBpasswd\fR +command exits with the following values: +.PP +\fI0\fR +.RS 4 +success +.RE +.PP +\fI1\fR +.RS 4 +permission denied +.RE +.PP +\fI2\fR +.RS 4 +invalid combination of options +.RE +.PP +\fI3\fR +.RS 4 +unexpected failure, nothing done +.RE +.PP +\fI4\fR +.RS 4 +unexpected failure, +passwd +file missing +.RE +.PP +\fI5\fR +.RS 4 +passwd +file busy, try again +.RE +.PP +\fI6\fR +.RS 4 +invalid argument to option +.RE +.SH "SEE ALSO" +.PP +\fBchpasswd\fR(8), +\fBpasswd\fR(5), +\fBshadow\fR(5), +\fBlogin.defs\fR(5), +\fBusermod\fR(8)\&. diff --git a/man/man1/sg.1 b/man/man1/sg.1 new file mode 100644 index 0000000..860c58e --- /dev/null +++ b/man/man1/sg.1 @@ -0,0 +1,97 @@ +'\" t +.\" Title: sg +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "SG" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +sg \- execute command as different group ID +.SH "SYNOPSIS" +.HP \w'\fBsg\fR\ 'u +\fBsg\fR [\-] [group\ [\-c\ ]\ command] +.SH "DESCRIPTION" +.PP +The +\fBsg\fR +command works similar to +\fBnewgrp\fR +but accepts a command\&. The command will be executed with the +/bin/sh +shell\&. With most shells you may run +\fBsg\fR +from, you need to enclose multi\-word commands in quotes\&. Another difference between +\fBnewgrp\fR +and +\fBsg\fR +is that some shells treat +\fBnewgrp\fR +specially, replacing themselves with a new instance of a shell that +\fBnewgrp\fR +creates\&. This doesn\*(Aqt happen with +\fBsg\fR, so upon exit from a +\fBsg\fR +command you are returned to your previous group ID\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBSYSLOG_SG_ENAB\fR (boolean) +.RS 4 +Enable "syslog" logging of +\fBsg\fR +activity\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. +.RE +.SH "SEE ALSO" +.PP +\fBid\fR(1), +\fBlogin\fR(1), +\fBnewgrp\fR(1), +\fBsu\fR(1), +\fBgpasswd\fR(1), +\fBgroup\fR(5), \fBgshadow\fR(5)\&. diff --git a/man/man1/su.1 b/man/man1/su.1 new file mode 100644 index 0000000..a7c5cb3 --- /dev/null +++ b/man/man1/su.1 @@ -0,0 +1,450 @@ +'\" t +.\" Title: su +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: User Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "SU" "1" "11/08/2022" "shadow\-utils 4\&.13" "User Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +su \- change user ID or become superuser +.SH "SYNOPSIS" +.HP \w'\fBsu\fR\ 'u +\fBsu\fR [\fIoptions\fR] [\fI\-\fR] [\fIusername\fR\ [\ \fIargs\fR\ ]] +.SH "DESCRIPTION" +.PP +The +\fBsu\fR +command is used to become another user during a login session\&. Invoked without a +\fBusername\fR, +\fBsu\fR +defaults to becoming the superuser\&. The +\fB\-\fR +option may be used to provide an environment similar to what the user would expect had the user logged in directly\&. The +\fB\-c\fR +option may be used to treat the next argument as a command by most shells\&. +.PP +Options are recognized everywhere in the argument list\&. You can use the +\fB\-\-\fR +argument to stop option parsing\&. The +\fB\-\fR +option is special: it is also recognized after +\fB\-\-\fR, but has to be placed before +\fBusername\fR\&. +.PP +The user will be prompted for a password, if appropriate\&. Invalid passwords will produce an error message\&. All attempts, both valid and invalid, are logged to detect abuse of the system\&. +.PP +The current environment is passed to the new shell\&. The value of +\fB$PATH\fR +is reset to +/bin:/usr/bin +for normal users, or +/sbin:/bin:/usr/sbin:/usr/bin +for the superuser\&. This may be changed with the +\fBENV_PATH\fR +and +\fBENV_SUPATH\fR +definitions in +/etc/login\&.defs\&. +.PP +A subsystem login is indicated by the presence of a "*" as the first character of the login shell\&. The given home directory will be used as the root of a new file system which the user is actually logged into\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBsu\fR +command are: +.PP +\fB\-c\fR, \fB\-\-command\fR\ \&\fICOMMAND\fR +.RS 4 +Specify a command that will be invoked by the shell using its +\fB\-c\fR\&. +.sp +The executed command will have no controlling terminal\&. This option cannot be used to execute interactive programs which need a controlling TTY\&. +.RE +.PP +\fB\-\fR, \fB\-l\fR, \fB\-\-login\fR +.RS 4 +Provide an environment similar to what the user would expect had the user logged in directly\&. +.sp +When +\fB\-\fR +is used, it must be specified before any +\fBusername\fR\&. For portability it is recommended to use it as last option, before any +\fBusername\fR\&. The other forms (\fB\-l\fR +and +\fB\-\-login\fR) do not have this restriction\&. +.RE +.PP +\fB\-s\fR, \fB\-\-shell\fR\ \&\fISHELL\fR +.RS 4 +The shell that will be invoked\&. +.sp +The invoked shell is chosen from (highest priority first): +.PP +.RS 4 +The shell specified with \-\-shell\&. +.RE +.PP +.RS 4 +If +\fB\-\-preserve\-environment\fR +is used, the shell specified by the +\fB$SHELL\fR +environment variable\&. +.RE +.PP +.RS 4 +The shell indicated in the +/etc/passwd +entry for the target user\&. +.RE +.PP +.RS 4 +/bin/sh +if a shell could not be found by any above method\&. +.RE +.sp +If the target user has a restricted shell (i\&.e\&. the shell field of this user\*(Aqs entry in +/etc/passwd +is not listed in +/etc/shells), then the +\fB\-\-shell\fR +option or the +\fB$SHELL\fR +environment variable won\*(Aqt be taken into account, unless +\fBsu\fR +is called by root\&. +.RE +.PP +\fB\-m\fR, \fB\-p\fR, \fB\-\-preserve\-environment\fR +.RS 4 +Preserve the current environment, except for: +.PP +\fB$PATH\fR +.RS 4 +reset according to the +/etc/login\&.defs +options +\fBENV_PATH\fR +or +\fBENV_SUPATH\fR +(see below); +.RE +.PP +\fB$IFS\fR +.RS 4 +reset to +\(lq<space><tab><newline>\(rq, if it was set\&. +.RE +.sp +If the target user has a restricted shell, this option has no effect (unless +\fBsu\fR +is called by root)\&. +.sp +Note that the default behavior for the environment is the following: +.PP +.RS 4 +The +\fB$HOME\fR, +\fB$SHELL\fR, +\fB$USER\fR, +\fB$LOGNAME\fR, +\fB$PATH\fR, and +\fB$IFS\fR +environment variables are reset\&. +.RE +.PP +.RS 4 +If +\fB\-\-login\fR +is not used, the environment is copied, except for the variables above\&. +.RE +.PP +.RS 4 +If +\fB\-\-login\fR +is used, the +\fB$TERM\fR, +\fB$COLORTERM\fR, +\fB$DISPLAY\fR, and +\fB$XAUTHORITY\fR +environment variables are copied if they were set\&. +.RE +.PP +.RS 4 +If +\fB\-\-login\fR +is used, the +\fB$TZ\fR, +\fB$HZ\fR, and +\fB$MAIL\fR +environment variables are set according to the +/etc/login\&.defs +options +\fBENV_TZ\fR, +\fBENV_HZ\fR, +\fBMAIL_DIR\fR, and +\fBMAIL_FILE\fR +(see below)\&. +.RE +.PP +.RS 4 +If +\fB\-\-login\fR +is used, other environment variables might be set by the +\fBENVIRON_FILE\fR +file (see below)\&. +.RE +.sp +.RE +.SH "CAVEATS" +.PP +This version of +\fBsu\fR +has many compilation options, only some of which may be in use at any particular site\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBCONSOLE\fR (string) +.RS 4 +If defined, either full pathname of a file containing device names (one per line) or a ":" delimited list of device names\&. Root logins will be allowed only upon these devices\&. +.sp +If not defined, root will be allowed on any device\&. +.sp +The device should be specified without the /dev/ prefix\&. +.RE +.PP +\fBCONSOLE_GROUPS\fR (string) +.RS 4 +List of groups to add to the user\*(Aqs supplementary groups set when logging in on the console (as determined by the CONSOLE setting)\&. Default is none\&. + +Use with caution \- it is possible for users to gain permanent access to these groups, even when not logged in on the console\&. +.RE +.PP +\fBDEFAULT_HOME\fR (boolean) +.RS 4 +Indicate if login is allowed if we can\*(Aqt cd to the home directory\&. Default is no\&. +.sp +If set to +\fIyes\fR, the user will login in the root (/) directory if it is not possible to cd to her home directory\&. +.RE +.PP +\fBENV_HZ\fR (string) +.RS 4 +If set, it will be used to define the HZ environment variable when a user login\&. The value must be preceded by +\fIHZ=\fR\&. A common value on Linux is +\fIHZ=100\fR\&. +.RE +.PP +\fBENVIRON_FILE\fR (string) +.RS 4 +If this file exists and is readable, login environment will be read from it\&. Every line should be in the form name=value\&. +.sp +Lines starting with a # are treated as comment lines and ignored\&. +.RE +.PP +\fBENV_PATH\fR (string) +.RS 4 +If set, it will be used to define the PATH environment variable when a regular user login\&. The value is a colon separated list of paths (for example +\fI/bin:/usr/bin\fR) and can be preceded by +\fIPATH=\fR\&. The default value is +\fIPATH=/bin:/usr/bin\fR\&. +.RE +.PP +\fBENV_SUPATH\fR (string) +.RS 4 +If set, it will be used to define the PATH environment variable when the superuser login\&. The value is a colon separated list of paths (for example +\fI/sbin:/bin:/usr/sbin:/usr/bin\fR) and can be preceded by +\fIPATH=\fR\&. The default value is +\fIPATH=/sbin:/bin:/usr/sbin:/usr/bin\fR\&. +.RE +.PP +\fBENV_TZ\fR (string) +.RS 4 +If set, it will be used to define the TZ environment variable when a user login\&. The value can be the name of a timezone preceded by +\fITZ=\fR +(for example +\fITZ=CST6CDT\fR), or the full path to the file containing the timezone specification (for example +/etc/tzname)\&. +.sp +If a full path is specified but the file does not exist or cannot be read, the default is to use +\fITZ=CST6CDT\fR\&. +.RE +.PP +\fBLOGIN_STRING\fR (string) +.RS 4 +The string used for prompting a password\&. The default is to use "Password: ", or a translation of that string\&. If you set this variable, the prompt will not be translated\&. +.sp +If the string contains +\fI%s\fR, this will be replaced by the user\*(Aqs name\&. +.RE +.PP +\fBMAIL_CHECK_ENAB\fR (boolean) +.RS 4 +Enable checking and display of mailbox status upon login\&. +.sp +You should disable it if the shell startup files already check for mail ("mailx \-e" or equivalent)\&. +.RE +.PP +\fBMAIL_DIR\fR (string) +.RS 4 +The mail spool directory\&. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&. The parameter CREATE_MAIL_SPOOL in +/etc/default/useradd +determines whether the mail spool should be created\&. +.RE +.PP +\fBMAIL_FILE\fR (string) +.RS 4 +Defines the location of the users mail spool files relatively to their home directory\&. +.RE +.PP +The +\fBMAIL_DIR\fR +and +\fBMAIL_FILE\fR +variables are used by +\fBuseradd\fR, +\fBusermod\fR, and +\fBuserdel\fR +to create, move, or delete the user\*(Aqs mail spool\&. +.PP +If +\fBMAIL_CHECK_ENAB\fR +is set to +\fIyes\fR, they are also used to define the +\fBMAIL\fR +environment variable\&. +.PP +\fBQUOTAS_ENAB\fR (boolean) +.RS 4 +Enable setting of resource limits from +/etc/limits +and ulimit, umask, and niceness from the user\*(Aqs passwd gecos field\&. +.RE +.PP +\fBSULOG_FILE\fR (string) +.RS 4 +If defined, all su activity is logged to this file\&. +.RE +.PP +\fBSU_NAME\fR (string) +.RS 4 +If defined, the command name to display when running "su \-"\&. For example, if this is defined as "su" then a "ps" will display the command is "\-su"\&. If not defined, then "ps" would display the name of the shell actually being run, e\&.g\&. something like "\-sh"\&. +.RE +.PP +\fBSU_WHEEL_ONLY\fR (boolean) +.RS 4 +If +\fIyes\fR, the user must be listed as a member of the first gid 0 group in +/etc/group +(called +\fIroot\fR +on most Linux systems) to be able to +\fBsu\fR +to uid 0 accounts\&. If the group doesn\*(Aqt exist or is empty, no one will be able to +\fBsu\fR +to uid 0\&. +.RE +.PP +\fBSYSLOG_SU_ENAB\fR (boolean) +.RS 4 +Enable "syslog" logging of +\fBsu\fR +activity \- in addition to sulog file logging\&. +.RE +.PP +\fBUSERGROUPS_ENAB\fR (boolean) +.RS 4 +Enable setting of the umask group bits to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007) for non\-root users, if the uid is the same as gid, and username is the same as the primary group name\&. +.sp +If set to +\fIyes\fR, +\fBuserdel\fR +will remove the user\*(Aqs group if it contains no more members, and +\fBuseradd\fR +will create by default a group with the name of the user\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "EXIT VALUES" +.PP +On success, +\fBsu\fR +returns the exit value of the command it executed\&. +.PP +If this command was terminated by a signal, +\fBsu\fR +returns the number of this signal plus 128\&. +.PP +If su has to kill the command (because it was asked to terminate, and the command did not terminate in time), +\fBsu\fR +returns 255\&. +.PP +Some exit values from +\fBsu\fR +are independent from the executed command: +.PP +\fI0\fR +.RS 4 +success (\fB\-\-help\fR +only) +.RE +.PP +\fI1\fR +.RS 4 +System or authentication failure +.RE +.PP +\fI126\fR +.RS 4 +The requested command was not found +.RE +.PP +\fI127\fR +.RS 4 +The requested command could not be executed +.RE +.SH "SEE ALSO" +.PP +\fBlogin\fR(1), +\fBlogin.defs\fR(5), +\fBsg\fR(1), +\fBsh\fR(1)\&. |