author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 20:46:53 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-15 20:46:53 +0000 |
commit | 19da58be2d9359a9641381feb559be0b918ef710 (patch) | |
tree | 109724175f07436696f51b14b5abbd3f4d704d6d /man/man8 | |
parent | Initial commit. (diff) | |
Adding upstream version 1:4.13+dfsg1.upstream/1%4.13+dfsg1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'man/man8')
-rw-r--r-- | man/man8/chgpasswd.8 | 210 | ||||
-rw-r--r-- | man/man8/chpasswd.8 | 214 | ||||
-rw-r--r-- | man/man8/faillog.8 | 165 | ||||
-rw-r--r-- | man/man8/groupadd.8 | 277 | ||||
-rw-r--r-- | man/man8/groupdel.8 | 150 | ||||
-rw-r--r-- | man/man8/groupmems.8 | 180 | ||||
-rw-r--r-- | man/man8/groupmod.8 | 252 | ||||
-rw-r--r-- | man/man8/grpck.8 | 255 | ||||
-rw-r--r-- | man/man8/grpconv.8 | 1 | ||||
-rw-r--r-- | man/man8/grpunconv.8 | 1 | ||||
-rw-r--r-- | man/man8/lastlog.8 | 141 | ||||
-rw-r--r-- | man/man8/logoutd.8 | 57 | ||||
-rw-r--r-- | man/man8/newusers.8 | 453 | ||||
-rw-r--r-- | man/man8/nologin.8 | 55 | ||||
-rw-r--r-- | man/man8/pwck.8 | 334 | ||||
-rw-r--r-- | man/man8/pwconv.8 | 193 | ||||
-rw-r--r-- | man/man8/pwunconv.8 | 1 | ||||
-rw-r--r-- | man/man8/sulogin.8 | 116 | ||||
-rw-r--r-- | man/man8/useradd.8 | 827 | ||||
-rw-r--r-- | man/man8/userdel.8 | 325 | ||||
-rw-r--r-- | man/man8/usermod.8 | 478 | ||||
-rw-r--r-- | man/man8/vigr.8 | 1 | ||||
-rw-r--r-- | man/man8/vipw.8 | 137 |
23 files changed, 4823 insertions, 0 deletions
diff --git a/man/man8/chgpasswd.8 b/man/man8/chgpasswd.8
new file mode 100644
index 0000000..67c1325
--- /dev/null
+++ b/man/man8/chgpasswd.8
@@ -0,0 +1,210 @@ +'\" t +.\" Title: chgpasswd +.\" Author: Thomas Kłoczko <kloczek@pld.org.pl> +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "CHGPASSWD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +chgpasswd \- update group passwords in batch mode +.SH "SYNOPSIS" +.HP \w'\fBchgpasswd\fR\ 'u +\fBchgpasswd\fR [\fIoptions\fR] +.SH "DESCRIPTION" +.PP +The +\fBchgpasswd\fR +command reads a list of group name and password pairs from standard input and uses this information to update a set of existing groups\&. Each line is of the format: +.PP +\fIgroup_name\fR:\fIpassword\fR +.PP +By default the supplied password must be in clear\-text, and is encrypted by +\fBchgpasswd\fR\&. +.PP +The default encryption algorithm can be defined for the system with the +\fBENCRYPT_METHOD\fR +variable of +/etc/login\&.defs, and can be overwritten with the +\fB\-e\fR, +\fB\-m\fR, or +\fB\-c\fR +options\&. 
+.PP +This command is intended to be used in a large system environment where many accounts are created at a single time\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBchgpasswd\fR +command are: +.PP +\fB\-c\fR, \fB\-\-crypt\-method\fR +.RS 4 +Use the specified method to encrypt the passwords\&. +.sp +The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc support these methods\&. +.RE +.PP +\fB\-e\fR, \fB\-\-encrypted\fR +.RS 4 +Supplied passwords are in encrypted form\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-m\fR, \fB\-\-md5\fR +.RS 4 +Use MD5 encryption instead of DES when the supplied passwords are not encrypted\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-s\fR, \fB\-\-sha\-rounds\fR +.RS 4 +Use the specified number of rounds to encrypt the passwords\&. +.sp +The value 0 means that the system will choose the default number of rounds for the crypt method (5000)\&. +.sp +A minimal value of 1000 and a maximal value of 999,999,999 will be enforced\&. +.sp +You can only use this option with the SHA256 or SHA512 crypt method\&. +.sp +By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in +/etc/login\&.defs\&. +.RE +.SH "CAVEATS" +.PP +Remember to set permissions or umask to prevent readability of unencrypted files by other users\&. +.PP +You should make sure the passwords and the encryption method respect the system\*(Aqs password policy\&. 
+.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBENCRYPT_METHOD\fR (string) +.RS 4 +This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&. +.sp +It can take one of these values: +\fIDES\fR +(default), +\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see +crypt(5) +for recommendations\&. +.sp +Note: this parameter overrides the +\fBMD5_CRYPT_ENAB\fR +variable\&. +.RE +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. +.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. +.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.PP +\fBMD5_CRYPT_ENAB\fR (boolean) +.RS 4 +Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to +\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to +\fIno\fR +if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is +\fIno\fR\&. +.sp +This variable is superseded by the +\fBENCRYPT_METHOD\fR +variable or by any command line option used to configure the encryption algorithm\&. +.sp +This variable is deprecated\&. 
You should use +\fBENCRYPT_METHOD\fR\&. +.RE +.PP +\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number) +.RS 4 +When +\fBENCRYPT_METHOD\fR +is set to +\fISHA256\fR +or +\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&. +.sp +With a lot of rounds, it is more difficult to brute forcing the password\&. But note also that more CPU resources will be needed to authenticate users\&. +.sp +If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&. +.sp +The values must be inside the 1000\-999,999,999 range\&. +.sp +If only one of the +\fBSHA_CRYPT_MIN_ROUNDS\fR +or +\fBSHA_CRYPT_MAX_ROUNDS\fR +values is set, then this value will be used\&. +.sp +If +\fBSHA_CRYPT_MIN_ROUNDS\fR +> +\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&. +.RE +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "SEE ALSO" +.PP +\fBgpasswd\fR(1), +\fBgroupadd\fR(8), +\fBlogin.defs\fR(5)\&. diff --git a/man/man8/chpasswd.8 b/man/man8/chpasswd.8 new file mode 100644 index 0000000..67b4156 --- /dev/null +++ b/man/man8/chpasswd.8 
@@ -0,0 +1,214 @@ +'\" t +.\" Title: chpasswd +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "CHPASSWD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +chpasswd \- update passwords in batch mode +.SH "SYNOPSIS" +.HP \w'\fBchpasswd\fR\ 'u +\fBchpasswd\fR [\fIoptions\fR] +.SH "DESCRIPTION" +.PP +The +\fBchpasswd\fR +command reads a list of user name and password pairs from standard input and uses this information to update a group of existing users\&. Each line is of the format: +.PP +\fIuser_name\fR:\fIpassword\fR +.PP +By default the passwords must be supplied in clear\-text, and are encrypted by +\fBchpasswd\fR\&. Also the password age will be updated, if present\&. 
+.PP +The default encryption algorithm can be defined for the system with the +\fBENCRYPT_METHOD\fR +or +\fBMD5_CRYPT_ENAB\fR +variables of +/etc/login\&.defs, and can be overwritten with the +\fB\-e\fR, +\fB\-m\fR, or +\fB\-c\fR +options\&. +.PP +\fBchpasswd\fR +first updates all the passwords in memory, and then commits all the changes to disk if no errors occurred for any user\&. +.PP +This command is intended to be used in a large system environment where many accounts are created at a single time\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBchpasswd\fR +command are: +.PP +\fB\-c\fR, \fB\-\-crypt\-method\fR\ \&\fIMETHOD\fR +.RS 4 +Use the specified method to encrypt the passwords\&. +.sp +The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc support these methods\&. +.sp +By default (if none of the +\fB\-c\fR, +\fB\-m\fR, or +\fB\-e\fR +options are specified), the encryption method is defined by the +\fBENCRYPT_METHOD\fR +or +\fBMD5_CRYPT_ENAB\fR +variables of +/etc/login\&.defs\&. +.RE +.PP +\fB\-e\fR, \fB\-\-encrypted\fR +.RS 4 +Supplied passwords are in encrypted form\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-m\fR, \fB\-\-md5\fR +.RS 4 +Use MD5 encryption instead of DES when the supplied passwords are not encrypted\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-s\fR, \fB\-\-sha\-rounds\fR\ \&\fIROUNDS\fR +.RS 4 +Use the specified number of rounds to encrypt the passwords\&. +.sp +The value 0 means that the system will choose the default number of rounds for the crypt method (5000)\&. +.sp +A minimal value of 1000 and a maximal value of 999,999,999 will be enforced\&. +.sp +You can only use this option with the SHA256 or SHA512 crypt method\&. 
+.sp +By default, the number of rounds is defined by the +\fBSHA_CRYPT_MIN_ROUNDS\fR +and +\fBSHA_CRYPT_MAX_ROUNDS\fR +variables in +/etc/login\&.defs\&. +.RE +.SH "CAVEATS" +.PP +Remember to set permissions or umask to prevent readability of unencrypted files by other users\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBENCRYPT_METHOD\fR (string) +.RS 4 +This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&. +.sp +It can take one of these values: +\fIDES\fR +(default), +\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see +crypt(5) +for recommendations\&. +.sp +Note: this parameter overrides the +\fBMD5_CRYPT_ENAB\fR +variable\&. +.RE +.PP +\fBMD5_CRYPT_ENAB\fR (boolean) +.RS 4 +Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to +\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to +\fIno\fR +if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is +\fIno\fR\&. +.sp +This variable is superseded by the +\fBENCRYPT_METHOD\fR +variable or by any command line option used to configure the encryption algorithm\&. +.sp +This variable is deprecated\&. You should use +\fBENCRYPT_METHOD\fR\&. +.RE +.PP +\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number) +.RS 4 +When +\fBENCRYPT_METHOD\fR +is set to +\fISHA256\fR +or +\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&. +.sp +With a lot of rounds, it is more difficult to brute forcing the password\&. 
But note also that more CPU resources will be needed to authenticate users\&. +.sp +If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&. +.sp +The values must be inside the 1000\-999,999,999 range\&. +.sp +If only one of the +\fBSHA_CRYPT_MIN_ROUNDS\fR +or +\fBSHA_CRYPT_MAX_ROUNDS\fR +values is set, then this value will be used\&. +.sp +If +\fBSHA_CRYPT_MIN_ROUNDS\fR +> +\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "SEE ALSO" +.PP +\fBpasswd\fR(1), +\fBnewusers\fR(8), +\fBlogin.defs\fR(5), +\fBuseradd\fR(8)\&. diff --git a/man/man8/faillog.8 b/man/man8/faillog.8 new file mode 100644 index 0000000..dd2285c --- /dev/null +++ b/man/man8/faillog.8 
@@ -0,0 +1,165 @@ +'\" t +.\" Title: faillog +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "FAILLOG" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +faillog \- display faillog records or set login failure limits +.SH "SYNOPSIS" +.HP \w'\fBfaillog\fR\ 'u +\fBfaillog\fR [\fIoptions\fR] +.SH "DESCRIPTION" +.PP +\fBfaillog\fR +displays the contents of the failure log database (/var/log/faillog)\&. It can also set the failure counters and limits\&. When +\fBfaillog\fR +is run without arguments, it only displays the faillog records of the users who had a login failure\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBfaillog\fR +command are: +.PP +\fB\-a\fR, \fB\-\-all\fR +.RS 4 +Display (or act on) faillog records for all users having an entry in the +faillog +database\&. +.sp +The range of users can be restricted with the +\fB\-u\fR +option\&. 
+.sp +In display mode, this is still restricted to existing users but forces the display of the faillog entries even if they are empty\&. +.sp +With the +\fB\-l\fR, +\fB\-m\fR, +\fB\-r\fR, +\fB\-t\fR +options, the users\*(Aq records are changed, even if the user does not exist on the system\&. This is useful to reset records of users that have been deleted or to set a policy in advance for a range of users\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-l\fR, \fB\-\-lock\-secs\fR\ \&\fISEC\fR +.RS 4 +Lock account for +\fISEC\fR +seconds after failed login\&. +.sp +Write access to +/var/log/faillog +is required for this option\&. +.RE +.PP +\fB\-m\fR, \fB\-\-maximum\fR\ \&\fIMAX\fR +.RS 4 +Set the maximum number of login failures after the account is disabled to +\fIMAX\fR\&. +.sp +Selecting a +\fIMAX\fR +value of 0 has the effect of not placing a limit on the number of failed logins\&. +.sp +The maximum failure count should always be 0 for +\fIroot\fR +to prevent a denial of services attack against the system\&. +.sp +Write access to +/var/log/faillog +is required for this option\&. +.RE +.PP +\fB\-r\fR, \fB\-\-reset\fR +.RS 4 +Reset the counters of login failures\&. +.sp +Write access to +/var/log/faillog +is required for this option\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-t\fR, \fB\-\-time\fR\ \&\fIDAYS\fR +.RS 4 +Display faillog records more recent than +\fIDAYS\fR\&. +.RE +.PP +\fB\-u\fR, \fB\-\-user\fR\ \&\fILOGIN\fR|\fIRANGE\fR +.RS 4 +Display faillog record or maintains failure counters and limits (if used with +\fB\-l\fR, +\fB\-m\fR +or +\fB\-r\fR +options) only for the specified user(s)\&. +.sp +The users can be specified by a login name, a numerical user ID, or a +\fIRANGE\fR +of users\&. 
This +\fIRANGE\fR +of users can be specified with a min and max values (\fIUID_MIN\-UID_MAX\fR), a max value (\fI\-UID_MAX\fR), or a min value (\fIUID_MIN\-\fR)\&. +.RE +.PP +When none of the +\fB\-l\fR, +\fB\-m\fR, or +\fB\-r\fR +options are used, +\fBfaillog\fR +displays the faillog record of the specified user(s)\&. +.SH "CAVEATS" +.PP +\fBfaillog\fR +only prints out users with no successful login since the last failure\&. To print out a user who has had a successful login since their last failure, you must explicitly request the user with the +\fB\-u\fR +flag, or print out all users with the +\fB\-a\fR +flag\&. +.SH "FILES" +.PP +/var/log/faillog +.RS 4 +Failure logging file\&. +.RE +.SH "SEE ALSO" +.PP +\fBlogin\fR(1), +\fBfaillog\fR(5)\&. diff --git a/man/man8/groupadd.8 b/man/man8/groupadd.8 new file mode 100644 index 0000000..af8afcf --- /dev/null +++ b/man/man8/groupadd.8 
@@ -0,0 +1,277 @@ +'\" t +.\" Title: groupadd +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "GROUPADD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +groupadd \- create a new group +.SH "SYNOPSIS" +.HP \w'\fBgroupadd\fR\ 'u +\fBgroupadd\fR [\fIOPTIONS\fR] \fINEWGROUP\fR +.SH "DESCRIPTION" +.PP +The +\fBgroupadd\fR +command creates a new group account using the values specified on the command line plus the default values from the system\&. The new group will be entered into the system files as needed\&. +.PP +Groupnames may contain only lower and upper case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. Dashes are not allowed at the beginning of the groupname\&. Fully numeric groupnames and groupnames \&. or \&.\&. are also disallowed\&. +.PP +Groupnames may only be up to 32 characters long\&. 
+.SH "OPTIONS" +.PP +The options which apply to the +\fBgroupadd\fR +command are: +.PP +\fB\-f\fR, \fB\-\-force\fR +.RS 4 +This option causes the command to simply exit with success status if the specified group already exists\&. When used with +\fB\-g\fR, and the specified GID already exists, another (unique) GID is chosen (i\&.e\&. +\fB\-g\fR +is turned off)\&. +.RE +.PP +\fB\-g\fR, \fB\-\-gid\fR\ \&\fIGID\fR +.RS 4 +The numerical value of the group\*(Aqs ID\&. +\fIGID\fR +must be unique, unless the +\fB\-o\fR +option is used\&. The value must be non\-negative\&. The default is to use the smallest ID value greater than or equal to +\fBGID_MIN\fR +and greater than every other group\&. +.sp +See also the +\fB\-r\fR +option and the +\fBGID_MAX\fR +description\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-K\fR, \fB\-\-key\fR\ \&\fIKEY\fR=\fIVALUE\fR +.RS 4 +Overrides +/etc/login\&.defs +defaults (GID_MIN, GID_MAX and others)\&. Multiple +\fB\-K\fR +options can be specified\&. +.sp +Example: +\fB\-K\fR\ \&\fIGID_MIN\fR=\fI100\fR\ \& +\fB\-K\fR\ \&\fIGID_MAX\fR=\fI499\fR +.sp +Note: +\fB\-K\fR\ \&\fIGID_MIN\fR=\fI10\fR,\fIGID_MAX\fR=\fI499\fR +doesn\*(Aqt work yet\&. +.RE +.PP +\fB\-o\fR, \fB\-\-non\-unique\fR +.RS 4 +permits the creation of a group with an already used numerical ID\&. As a result, for this +\fIGID\fR, the mapping towards group +\fINEWGROUP\fR +may not be unique\&. +.RE +.PP +\fB\-p\fR, \fB\-\-password\fR\ \&\fIPASSWORD\fR +.RS 4 +defines an initial password for the group account\&. PASSWORD is expected to be encrypted, as returned by +\fBcrypt \fR(3)\&. +.sp +Without this option, the group account will be locked and with no password defined, i\&.e\&. a single exclamation mark in the respective field of ths system account file +/etc/group +or +/etc/gshadow\&. +.sp +\fBNote:\fR +This option is not recommended because the password (or encrypted password) will be visible by users listing the processes\&. 
+.sp +You should make sure the password respects the system\*(Aqs password policy\&. +.RE +.PP +\fB\-r\fR, \fB\-\-system\fR +.RS 4 +Create a system group\&. +.sp +The numeric identifiers of new system groups are chosen in the +\fBSYS_GID_MIN\fR\-\fBSYS_GID_MAX\fR +range, defined in +login\&.defs, instead of +\fBGID_MIN\fR\-\fBGID_MAX\fR\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-P\fR, \fB\-\-prefix\fR\ \&\fIPREFIX_DIR\fR +.RS 4 +Apply changes to configuration files under the root filesystem found under the directory +\fIPREFIX_DIR\fR\&. This option does not chroot and is intended for preparing a cross\-compilation target\&. Some limitations: NIS and LDAP users/groups are not verified\&. PAM authentication is using the host files\&. No SELINUX support\&. +.RE +.PP +\fB\-U\fR, \fB\-\-users\fR +.RS 4 +A list of usernames to add as members of the group\&. +.sp +The default behavior (if the +\fB\-g\fR, +\fB\-N\fR, and +\fB\-U\fR +options are not specified) is defined by the +\fBUSERGROUPS_ENAB\fR +variable in +/etc/login\&.defs\&. +.RE +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBGID_MAX\fR (number), \fBGID_MIN\fR (number) +.RS 4 +Range of group IDs used for the creation of regular groups by +\fBuseradd\fR, +\fBgroupadd\fR, or +\fBnewusers\fR\&. +.sp +The default value for +\fBGID_MIN\fR +(resp\&. +\fBGID_MAX\fR) is 1000 (resp\&. 60000)\&. +.RE +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. 
+.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. +.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.PP +\fBSYS_GID_MAX\fR (number), \fBSYS_GID_MIN\fR (number) +.RS 4 +Range of group IDs used for the creation of system groups by +\fBuseradd\fR, +\fBgroupadd\fR, or +\fBnewusers\fR\&. +.sp +The default value for +\fBSYS_GID_MIN\fR +(resp\&. +\fBSYS_GID_MAX\fR) is 101 (resp\&. +\fBGID_MIN\fR\-1)\&. +.RE +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "CAVEATS" +.PP +You may not add a NIS or LDAP group\&. This must be performed on the corresponding server\&. +.PP +If the groupname already exists in an external group database such as NIS or LDAP, +\fBgroupadd\fR +will deny the group creation request\&. +.SH "EXIT VALUES" +.PP +The +\fBgroupadd\fR +command exits with the following values: +.PP +\fI0\fR +.RS 4 +success +.RE +.PP +\fI2\fR +.RS 4 +invalid command syntax +.RE +.PP +\fI3\fR +.RS 4 +invalid argument to option +.RE +.PP +\fI4\fR +.RS 4 +GID is already used (when called without +\fB\-o\fR) +.RE +.PP +\fI9\fR +.RS 4 +group name is already used +.RE +.PP +\fI10\fR +.RS 4 +can\*(Aqt update group file +.RE +.SH "SEE ALSO" +.PP +\fBchfn\fR(1), +\fBchsh\fR(1), +\fBpasswd\fR(1), +\fBgpasswd\fR(8), +\fBgroupdel\fR(8), +\fBgroupmod\fR(8), +\fBlogin.defs\fR(5), +\fBuseradd\fR(8), +\fBuserdel\fR(8), +\fBusermod\fR(8)\&. diff --git a/man/man8/groupdel.8 b/man/man8/groupdel.8 new file mode 100644 index 0000000..c9d5176 --- /dev/null +++ b/man/man8/groupdel.8 
@@ -0,0 +1,150 @@ +'\" t +.\" Title: groupdel +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "GROUPDEL" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +groupdel \- delete a group +.SH "SYNOPSIS" +.HP \w'\fBgroupdel\fR\ 'u +\fBgroupdel\fR [\fIoptions\fR] \fIGROUP\fR +.SH "DESCRIPTION" +.PP +The +\fBgroupdel\fR +command modifies the system account files, deleting all entries that refer to +\fIGROUP\fR\&. The named group must exist\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBgroupdel\fR +command are: +.PP +\fB\-f\fR, \fB\-\-force\fR +.RS 4 +This option forces the removal of the group, even if there\*(Aqs some user having the group as the primary one\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. 
+.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-P\fR, \fB\-\-prefix\fR\ \&\fIPREFIX_DIR\fR +.RS 4 +Apply changes in the +\fIPREFIX_DIR\fR +directory and use the configuration files from the +\fIPREFIX_DIR\fR +directory\&. This option does not chroot and is intended for preparing a cross\-compilation target\&. Some limitations: NIS and LDAP users/groups are not verified\&. PAM authentication is using the host files\&. No SELINUX support\&. +.RE +.SH "CAVEATS" +.PP +You may not remove the primary group of any existing user\&. You must remove the user before you remove the group\&. +.PP +You should manually check all file systems to ensure that no files remain owned by this group\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. +.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. +.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. 
+.RE +.SH "EXIT VALUES" +.PP +The +\fBgroupdel\fR +command exits with the following values: +.PP +\fI0\fR +.RS 4 +success +.RE +.PP +\fI2\fR +.RS 4 +invalid command syntax +.RE +.PP +\fI6\fR +.RS 4 +specified group doesn\*(Aqt exist +.RE +.PP +\fI8\fR +.RS 4 +can\*(Aqt remove user\*(Aqs primary group +.RE +.PP +\fI10\fR +.RS 4 +can\*(Aqt update group file +.RE +.SH "SEE ALSO" +.PP +\fBchfn\fR(1), +\fBchsh\fR(1), +\fBpasswd\fR(1), +\fBgpasswd\fR(8), +\fBgroupadd\fR(8), +\fBgroupmod\fR(8), +\fBuseradd\fR(8), +\fBuserdel\fR(8), +\fBusermod\fR(8)\&. diff --git a/man/man8/groupmems.8 b/man/man8/groupmems.8 new file mode 100644 index 0000000..febe008 --- /dev/null +++ b/man/man8/groupmems.8 
@@ -0,0 +1,180 @@
+'\" t
+.\" Title: groupmems
+.\" Author: George Kraft, IV
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\" Date: 11/08/2022
+.\" Manual: System Management Commands
+.\" Source: shadow-utils 4.13
+.\" Language: English
+.\"
+.TH "GROUPMEMS" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+groupmems \- administer members of a user\*(Aqs primary group
+.SH "SYNOPSIS"
+.HP \w'\fBgroupmems\fR\ 'u
+\fBgroupmems\fR \-a\ \fIuser_name\fR | \-d\ \fIuser_name\fR | [\-g\ \fIgroup_name\fR] | \-l | \-p
+.SH "DESCRIPTION"
+.PP
+The
+\fBgroupmems\fR
+command allows a user to administer their own group membership list without the requirement of superuser privileges\&. The
+\fBgroupmems\fR
+utility is for systems that configure its users to be in their own name sake primary group (i\&.e\&., guest / guest)\&.
+.PP
+Only the superuser, as administrator, can use
+\fBgroupmems\fR
+to alter the memberships of other groups\&.
+.SH "OPTIONS"
+.PP
+The options which apply to the
+\fBgroupmems\fR
+command are:
+.PP
+\fB\-a\fR, \fB\-\-add\fR\ \&\fIuser_name\fR
+.RS 4
+Add a user to the group membership list\&.
+.sp
+If the
+/etc/gshadow
+file exist, and the group has no entry in the
+/etc/gshadow
+file, a new entry will be created\&.
+.RE
+.PP
+\fB\-d\fR, \fB\-\-delete\fR\ \&\fIuser_name\fR
+.RS 4
+Delete a user from the group membership list\&.
+.sp
+If the
+/etc/gshadow
+file exist, the user will be removed from the list of members and administrators of the group\&.
+.sp
+If the
+/etc/gshadow
+file exist, and the group has no entry in the
+/etc/gshadow
+file, a new entry will be created\&.
+.RE
+.PP
+\fB\-g\fR, \fB\-\-group\fR\ \&\fIgroup_name\fR
+.RS 4
+The superuser can specify which group membership list to modify\&.
+.RE
+.PP
+\fB\-h\fR, \fB\-\-help\fR
+.RS 4
+Display help message and exit\&.
+.RE
+.PP
+\fB\-l\fR, \fB\-\-list\fR
+.RS 4
+List the group membership list\&.
+.RE
+.PP
+\fB\-p\fR, \fB\-\-purge\fR
+.RS 4
+Purge all users from the group membership list\&.
+.sp
+If the
+/etc/gshadow
+file exist, and the group has no entry in the
+/etc/gshadow
+file, a new entry will be created\&.
+.RE
+.PP
+\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR
+.RS 4
+Apply changes in the
+\fICHROOT_DIR\fR
+directory and use the configuration files from the
+\fICHROOT_DIR\fR
+directory\&. Only absolute paths are supported\&.
+.RE
+.SH "SETUP"
+.PP
+The
+\fBgroupmems\fR
+executable should be in mode
+2710
+as user
+\fIroot\fR
+and in group
+\fIgroups\fR\&. The system administrator can add users to group
+\fIgroups\fR
+to allow or disallow them using the
+\fBgroupmems\fR
+utility to manage their own group membership list\&.
+.sp
+.if n \{\
+.RS 4
+.\}
+.nf
+ $ groupadd \-r groups
+ $ chmod 2710 groupmems
+ $ chown root\&.groups groupmems
+ $ groupmems \-g groups \-a gk4
+
+.fi
+.if n \{\
+.RE
+.\}
+.SH "CONFIGURATION"
+.PP
+The following configuration variables in
+/etc/login\&.defs
+change the behavior of this tool:
+.PP
+\fBMAX_MEMBERS_PER_GROUP\fR (number)
+.RS 4
+Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in
+/etc/group
+(with the same name, same password, and same GID)\&.
+.sp
+The default value is 0, meaning that there are no limits in the number of members in a group\&.
+.sp
+This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&.
+.sp
+If you need to enforce such limit, you can use 25\&.
+.sp
+Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&.
+.RE
+.SH "FILES"
+.PP
+/etc/group
+.RS 4
+Group account information\&.
+.RE
+.PP
+/etc/gshadow
+.RS 4
+secure group account information
+.RE
+.SH "SEE ALSO"
+.PP
+\fBchfn\fR(1),
+\fBchsh\fR(1),
+\fBpasswd\fR(1),
+\fBgroupadd\fR(8),
+\fBgroupdel\fR(8),
+\fBuseradd\fR(8),
+\fBuserdel\fR(8),
+\fBusermod\fR(8)\&.
diff --git a/man/man8/groupmod.8 b/man/man8/groupmod.8
new file mode 100644
index 0000000..371e6b1
--- /dev/null
+++ b/man/man8/groupmod.8
@@ -0,0 +1,252 @@
+'\" t
+.\" Title: groupmod
+.\" Author: Julianne Frances Haugh
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\" Date: 11/08/2022
+.\" Manual: System Management Commands
+.\" Source: shadow-utils 4.13
+.\" Language: English
+.\"
+.TH "GROUPMOD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+groupmod \- modify a group definition on the system
+.SH "SYNOPSIS"
+.HP \w'\fBgroupmod\fR\ 'u
+\fBgroupmod\fR [\fIoptions\fR] \fIGROUP\fR
+.SH "DESCRIPTION"
+.PP
+The
+\fBgroupmod\fR
+command modifies the definition of the specified
+\fIGROUP\fR
+by modifying the appropriate entry in the group database\&.
+.SH "OPTIONS"
+.PP
+The options which apply to the
+\fBgroupmod\fR
+command are:
+.PP
+\fB\-a\fR, \fB\-\-append\fR\ \&\fIGID\fR
+.RS 4
+If group members are specified with \-U, append them to the existing member list, rather than replacing it\&.
+.RE
+.PP
+\fB\-g\fR, \fB\-\-gid\fR\ \&\fIGID\fR
+.RS 4
+The group ID of the given
+\fIGROUP\fR
+will be changed to
+\fIGID\fR\&.
+.sp
+The value of
+\fIGID\fR
+must be a non\-negative decimal integer\&. This value must be unique, unless the
+\fB\-o\fR
+option is used\&.
+.sp
+Users who use the group as primary group will be updated to keep the group as their primary group\&.
+.sp
+Any files that have the old group ID and must continue to belong to
+\fIGROUP\fR, must have their group ID changed manually\&.
+.sp
+No checks will be performed with regard to the
+\fBGID_MIN\fR,
+\fBGID_MAX\fR,
+\fBSYS_GID_MIN\fR, or
+\fBSYS_GID_MAX\fR
+from
+/etc/login\&.defs\&.
+.RE
+.PP
+\fB\-h\fR, \fB\-\-help\fR
+.RS 4
+Display help message and exit\&.
+.RE
+.PP
+\fB\-n\fR, \fB\-\-new\-name\fR\ \&\fINEW_GROUP\fR
+.RS 4
+The name of the group will be changed from
+\fIGROUP\fR
+to
+\fINEW_GROUP\fR
+name\&.
+.RE
+.PP
+\fB\-o\fR, \fB\-\-non\-unique\fR
+.RS 4
+When used with the
+\fB\-g\fR
+option, allow to change the group
+\fIGID\fR
+to a non\-unique value\&.
+.RE
+.PP
+\fB\-p\fR, \fB\-\-password\fR\ \&\fIPASSWORD\fR
+.RS 4
+The encrypted password, as returned by
+\fBcrypt\fR(3)\&.
+.sp
+\fBNote:\fR
+This option is not recommended because the password (or encrypted password) will be visible by users listing the processes\&.
+.sp
+You should make sure the password respects the system\*(Aqs password policy\&.
+.RE
+.PP
+\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR
+.RS 4
+Apply changes in the
+\fICHROOT_DIR\fR
+directory and use the configuration files from the
+\fICHROOT_DIR\fR
+directory\&. Only absolute paths are supported\&.
+.RE
+.PP
+\fB\-P\fR, \fB\-\-prefix\fR\ \&\fIPREFIX_DIR\fR
+.RS 4
+Apply changes in the
+\fIPREFIX_DIR\fR
+directory and use the configuration files from the
+\fIPREFIX_DIR\fR
+directory\&. This option does not chroot and is intended for preparing a cross\-compilation target\&. Some limitations: NIS and LDAP users/groups are not verified\&. PAM authentication is using the host files\&. No SELINUX support\&.
+.RE
+.PP
+\fB\-U\fR, \fB\-\-users\fR
+.RS 4
+A list of usernames to add as members of the group\&.
+.sp
+The default behavior (if the
+\fB\-g\fR,
+\fB\-N\fR, and
+\fB\-U\fR
+options are not specified) is defined by the
+\fBUSERGROUPS_ENAB\fR
+variable in
+/etc/login\&.defs\&.
+.RE
+.SH "CONFIGURATION"
+.PP
+The following configuration variables in
+/etc/login\&.defs
+change the behavior of this tool:
+.PP
+\fBMAX_MEMBERS_PER_GROUP\fR (number)
+.RS 4
+Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in
+/etc/group
+(with the same name, same password, and same GID)\&.
+.sp
+The default value is 0, meaning that there are no limits in the number of members in a group\&.
+.sp
+This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&.
+.sp
+If you need to enforce such limit, you can use 25\&.
+.sp
+Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&.
+.RE
+.SH "FILES"
+.PP
+/etc/group
+.RS 4
+Group account information\&.
+.RE
+.PP
+/etc/gshadow
+.RS 4
+Secure group account information\&.
+.RE
+.PP
+/etc/login\&.defs
+.RS 4
+Shadow password suite configuration\&.
+.RE
+.PP
+/etc/passwd
+.RS 4
+User account information\&.
+.RE
+.SH "EXIT VALUES"
+.PP
+The
+\fBgroupmod\fR
+command exits with the following values:
+.PP
+\fI0\fR
+.RS 4
+E_SUCCESS: success
+.RE
+.PP
+\fI2\fR
+.RS 4
+E_USAGE: invalid command syntax
+.RE
+.PP
+\fI3\fR
+.RS 4
+E_BAD_ARG: invalid argument to option
+.RE
+.PP
+\fI4\fR
+.RS 4
+E_GID_IN_USE: group id already in use
+.RE
+.PP
+\fI6\fR
+.RS 4
+E_NOTFOUND: specified group doesn\*(Aqt exist
+.RE
+.PP
+\fI9\fR
+.RS 4
+E_NAME_IN_USE: group name already in use
+.RE
+.PP
+\fI10\fR
+.RS 4
+E_GRP_UPDATE: can\*(Aqt update group file
+.RE
+.PP
+\fI11\fR
+.RS 4
+E_CLEANUP_SERVICE: can\*(Aqt setup cleanup service
+.RE
+.PP
+\fI12\fR
+.RS 4
+E_PAM_USERNAME: can\*(Aqt determine your username for use with pam
+.RE
+.PP
+\fI13\fR
+.RS 4
+E_PAM_ERROR: pam returned an error, see syslog facility id groupmod for the PAM error message
+.RE
+.SH "SEE ALSO"
+.PP
+\fBchfn\fR(1),
+\fBchsh\fR(1),
+\fBpasswd\fR(1),
+\fBgpasswd\fR(8),
+\fBgroupadd\fR(8),
+\fBgroupdel\fR(8),
+\fBlogin.defs\fR(5),
+\fBuseradd\fR(8),
+\fBuserdel\fR(8),
+\fBusermod\fR(8)\&.
diff --git a/man/man8/grpck.8 b/man/man8/grpck.8
new file mode 100644
index 0000000..22a372d
--- /dev/null
+++ b/man/man8/grpck.8
@@ -0,0 +1,255 @@
+'\" t
+.\" Title: grpck
+.\" Author: Julianne Frances Haugh
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\" Date: 11/08/2022
+.\" Manual: System Management Commands
+.\" Source: shadow-utils 4.13
+.\" Language: English
+.\"
+.TH "GRPCK" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+grpck \- verify integrity of group files
+.SH "SYNOPSIS"
+.HP \w'\fBgrpck\fR\ 'u
+\fBgrpck\fR [options] [\fIgroup\fR\ [\ \fIshadow\fR\ ]]
+.SH "DESCRIPTION"
+.PP
+The
+\fBgrpck\fR
+command verifies the integrity of the groups information\&. It checks that all entries in
+/etc/group
+and /etc/gshadow
+have the proper format and contain valid data\&. The user is prompted to delete entries that are improperly formatted or which have other uncorrectable errors\&.
+.PP
+Checks are made to verify that each entry has:
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+the correct number of fields
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+a unique and valid group name
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+a valid group identifier
+(/etc/group only)
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+a valid list of members
+and administrators
+.RE
+.sp
+.RS 4
+.ie n \{\
+\h'-04'\(bu\h'+03'\c
+.\}
+.el \{\
+.sp -1
+.IP \(bu 2.3
+.\}
+a corresponding entry in the
+/etc/gshadow
+file (respectively
+/etc/group
+for the
+gshadow
+checks)
+.RE
+.PP
+The checks for correct number of fields and unique group name are fatal\&. If an entry has the wrong number of fields, the user will be prompted to delete the entire line\&. If the user does not answer affirmatively, all further checks are bypassed\&. An entry with a duplicated group name is prompted for deletion, but the remaining checks will still be made\&. All other errors are warnings and the user is encouraged to run the
+\fBgroupmod\fR
+command to correct the error\&.
+.PP
+The commands which operate on the
+/etc/group
+and /etc/gshadow files
+are not able to alter corrupted or duplicated entries\&.
+\fBgrpck\fR
+should be used in those circumstances to remove the offending entries\&.
+.SH "OPTIONS"
+.PP
+The
+\fB\-r\fR
+and
+\fB\-s\fR
+options cannot be combined\&.
+.PP
+The options which apply to the
+\fBgrpck\fR
+command are:
+.PP
+\fB\-h\fR, \fB\-\-help\fR
+.RS 4
+Display help message and exit\&.
+.RE
+.PP
+\fB\-r\fR, \fB\-\-read\-only\fR
+.RS 4
+Execute the
+\fBgrpck\fR
+command in read\-only mode\&. This causes all questions regarding changes to be answered
+\fIno\fR
+without user intervention\&.
+.RE
+.PP
+\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR
+.RS 4
+Apply changes in the
+\fICHROOT_DIR\fR
+directory and use the configuration files from the
+\fICHROOT_DIR\fR
+directory\&. Only absolute paths are supported\&.
+.RE
+.PP
+\fB\-s\fR, \fB\-\-sort\fR
+.RS 4
+Sort entries in
+/etc/group
+and /etc/gshadow
+by GID\&.
+.RE
+.PP
+\fB\-S\fR, \fB\-\-silence\-warnings\fR
+.RS 4
+Suppress more controversial warnings, in particular warnings about inconsistency between group members listed in
+/etc/group
+and
+/etc/ghadow\&.
+.RE
+.PP
+By default,
+\fBgrpck\fR
+operates on
+/etc/group
+and /etc/gshadow\&. The user may select alternate files with the
+\fIgroup\fR
+and \fIshadow\fR parameters\&.
+.SH "CONFIGURATION"
+.PP
+The following configuration variables in
+/etc/login\&.defs
+change the behavior of this tool:
+.PP
+\fBMAX_MEMBERS_PER_GROUP\fR (number)
+.RS 4
+Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in
+/etc/group
+(with the same name, same password, and same GID)\&.
+.sp
+The default value is 0, meaning that there are no limits in the number of members in a group\&.
+.sp
+This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&.
+.sp
+If you need to enforce such limit, you can use 25\&.
+.sp
+Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&.
+.RE
+.SH "FILES"
+.PP
+/etc/group
+.RS 4
+Group account information\&.
+.RE
+.PP
+/etc/gshadow
+.RS 4
+Secure group account information\&.
+.RE
+.PP
+/etc/passwd
+.RS 4
+User account information\&.
+.RE
+.SH "EXIT VALUES"
+.PP
+The
+\fBgrpck\fR
+command exits with the following values:
+.PP
+\fI0\fR
+.RS 4
+success
+.RE
+.PP
+\fI1\fR
+.RS 4
+invalid command syntax
+.RE
+.PP
+\fI2\fR
+.RS 4
+one or more bad group entries
+.RE
+.PP
+\fI3\fR
+.RS 4
+can\*(Aqt open group files
+.RE
+.PP
+\fI4\fR
+.RS 4
+can\*(Aqt lock group files
+.RE
+.PP
+\fI5\fR
+.RS 4
+can\*(Aqt update group files
+.RE
+.SH "SEE ALSO"
+.PP
+\fBgroup\fR(5),
+\fBgroupmod\fR(8),
+\fBgshadow\fR(5),
+\fBpasswd\fR(5),
+\fBpwck\fR(8),
+\fBshadow\fR(5)\&.
diff --git a/man/man8/grpconv.8 b/man/man8/grpconv.8
new file mode 100644
index 0000000..6eed9e8
--- /dev/null
+++ b/man/man8/grpconv.8
@@ -0,0 +1 @@
+.so man8/pwconv.8
diff --git a/man/man8/grpunconv.8 b/man/man8/grpunconv.8
new file mode 100644
index 0000000..6eed9e8
--- /dev/null
+++ b/man/man8/grpunconv.8
@@ -0,0 +1 @@
+.so man8/pwconv.8
diff --git a/man/man8/lastlog.8 b/man/man8/lastlog.8
new file mode 100644
index 0000000..ee7adca
--- /dev/null
+++ b/man/man8/lastlog.8
@@ -0,0 +1,141 @@
+'\" t
+.\" Title: lastlog
+.\" Author: Julianne Frances Haugh
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\" Date: 11/08/2022
+.\" Manual: System Management Commands
+.\" Source: shadow-utils 4.13
+.\" Language: English
+.\"
+.TH "LASTLOG" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+lastlog \- reports the most recent login of all users or of a given user
+.SH "SYNOPSIS"
+.HP \w'\fBlastlog\fR\ 'u
+\fBlastlog\fR [\fIoptions\fR]
+.SH "DESCRIPTION"
+.PP
+\fBlastlog\fR
+formats and prints the contents of the last login log
+/var/log/lastlog
+file\&. The
+\fIlogin\-name\fR,
+\fIport\fR, and
+\fIlast login time\fR
+will be printed\&. The default (no flags) causes lastlog entries to be printed, sorted by their order in
+/etc/passwd\&.
+.SH "OPTIONS"
+.PP
+The options which apply to the
+\fBlastlog\fR
+command are:
+.PP
+\fB\-b\fR, \fB\-\-before\fR\ \&\fIDAYS\fR
+.RS 4
+Print only lastlog records older than
+\fIDAYS\fR\&.
+.RE
+.PP
+\fB\-C\fR, \fB\-\-clear\fR
+.RS 4
+Clear lastlog record of a user\&. This option can be used only together with
+\fB\-u\fR
+(\fB\-\-user\fR))\&.
+.RE
+.PP
+\fB\-h\fR, \fB\-\-help\fR
+.RS 4
+Display help message and exit\&.
+.RE
+.PP
+\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR
+.RS 4
+Apply changes in the
+\fICHROOT_DIR\fR
+directory and use the configuration files from the
+\fICHROOT_DIR\fR
+directory\&. Only absolute paths are supported\&.
+.RE
+.PP
+\fB\-S\fR, \fB\-\-set\fR
+.RS 4
+Set lastlog record of a user to the current time\&. This option can be used only together with
+\fB\-u\fR
+(\fB\-\-user\fR))\&.
+.RE
+.PP
+\fB\-t\fR, \fB\-\-time\fR\ \&\fIDAYS\fR
+.RS 4
+Print the lastlog records more recent than
+\fIDAYS\fR\&.
+.RE
+.PP
+\fB\-u\fR, \fB\-\-user\fR\ \&\fILOGIN\fR|\fIRANGE\fR
+.RS 4
+Print the lastlog record of the specified user(s)\&.
+.sp
+The users can be specified by a login name, a numerical user ID, or a
+\fIRANGE\fR
+of users\&. This
+\fIRANGE\fR
+of users can be specified with a min and max values (\fIUID_MIN\-UID_MAX\fR), a max value (\fI\-UID_MAX\fR), or a min value (\fIUID_MIN\-\fR)\&.
+.RE
+.PP
+If the user has never logged in the message
+\fI** Never logged in**\fR
+will be displayed instead of the port and time\&.
+.PP
+Only the entries for the current users of the system will be displayed\&. Other entries may exist for users that were deleted previously\&.
+.SH "NOTE"
+.PP
+The
+lastlog
+file is a database which contains info on the last login of each user\&. You should not rotate it\&. It is a sparse file, so its size on the disk is usually much smaller than the one shown by "\fBls \-l\fR" (which can indicate a really big file if you have in
+passwd
+users with a high UID)\&. You can display its real size with "\fBls \-s\fR"\&.
+.SH "CONFIGURATION"
+.PP
+The following configuration variables in
+/etc/login\&.defs
+change the behavior of this tool:
+.PP
+\fBLASTLOG_UID_MAX\fR (number)
+.RS 4
+Highest user ID number for which the lastlog entries should be updated\&. As higher user IDs are usually tracked by remote user identity and authentication services there is no need to create a huge sparse lastlog file for them\&.
+.sp
+No
+\fBLASTLOG_UID_MAX\fR
+option present in the configuration means that there is no user ID limit for writing lastlog entries\&.
+.RE
+.SH "FILES"
+.PP
+/var/log/lastlog
+.RS 4
+Database times of previous user logins\&.
+.RE
+.SH "CAVEATS"
+.PP
+Large gaps in UID numbers will cause the lastlog program to run longer with no output to the screen (i\&.e\&. if in lastlog database there is no entries for users with UID between 170 and 800 lastlog will appear to hang as it processes entries with UIDs 171\-799)\&.
+.PP
+Having high UIDs can create problems when handling the
+<term> /var/log/lastlog</term>
+with external tools\&. Although the actual file is sparse and does not use too much space, certain applications are not designed to identify sparse files by default and may require a specific option to handle them\&.
diff --git a/man/man8/logoutd.8 b/man/man8/logoutd.8
new file mode 100644
index 0000000..115fe28
--- /dev/null
+++ b/man/man8/logoutd.8
@@ -0,0 +1,57 @@
+'\" t
+.\" Title: logoutd
+.\" Author: Julianne Frances Haugh
+.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/>
+.\" Date: 11/08/2022
+.\" Manual: System Management Commands
+.\" Source: shadow-utils 4.13
+.\" Language: English
+.\"
+.TH "LOGOUTD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands"
+.\" -----------------------------------------------------------------
+.\" * Define some portability stuff
+.\" -----------------------------------------------------------------
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
+.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\" -----------------------------------------------------------------
+.\" * set default formatting
+.\" -----------------------------------------------------------------
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.\" -----------------------------------------------------------------
+.\" * MAIN CONTENT STARTS HERE *
+.\" -----------------------------------------------------------------
+.SH "NAME"
+logoutd \- enforce login time restrictions
+.SH "SYNOPSIS"
+.HP \w'\fBlogoutd\fR\ 'u
+\fBlogoutd\fR
+.SH "DESCRIPTION"
+.PP
+\fBlogoutd\fR
+enforces the login time and port restrictions specified in
+/etc/porttime\&.
+\fBlogoutd\fR
+should be started from
+/etc/rc\&. The
+/var/run/utmp
+file is scanned periodically and each user name is checked to see if the named user is permitted on the named port at the current time\&. Any login session which is violating the restrictions in
+/etc/porttime
+is terminated\&.
+.SH "FILES"
+.PP
+/etc/porttime
+.RS 4
+File containing port access\&.
+.RE
+.PP
+/var/run/utmp
+.RS 4
+List of current login sessions\&.
+.RE
diff --git a/man/man8/newusers.8 b/man/man8/newusers.8
new file mode 100644
index 0000000..58c05d8
--- /dev/null
+++ b/man/man8/newusers.8
@@ -0,0 +1,453 @@ +'\" t +.\" Title: newusers +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "NEWUSERS" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +newusers \- update and create new users in batch +.SH "SYNOPSIS" +.HP \w'\fBnewusers\fR\ 'u +\fBnewusers\fR [\fIoptions\fR] [\fIfile\fR] +.SH "DESCRIPTION" +.PP +The +\fBnewusers\fR +command reads a +\fIfile\fR +(or the standard input by default) and uses this information to update a set of existing users or to create new users\&. Each line is in the same format as the standard password file (see +\fBpasswd\fR(5)) with the exceptions explained below: +.PP +pw_name:pw_passwd:pw_uid:pw_gid:pw_gecos:pw_dir:pw_shell +.PP +\fIpw_name\fR +.RS 4 +This is the name of the user\&. +.sp +It can be the name of a new user or the name of an existing user (or a user created before by +\fBnewusers\fR)\&. 
In case of an existing user, the user\*(Aqs information will be changed, otherwise a new user will be created\&. +.RE +.PP +\fIpw_passwd\fR +.RS 4 +This field will be encrypted and used as the new value of the encrypted password\&. +.RE +.PP +\fIpw_uid\fR +.RS 4 +This field is used to define the UID of the user\&. +.sp +If the field is empty, a new (unused) UID will be defined automatically by +\fBnewusers\fR\&. +.sp +If this field contains a number, this number will be used as the UID\&. +.sp +If this field contains the name of an existing user (or the name of a user created before by +\fBnewusers\fR), the UID of the specified user will be used\&. +.sp +If the UID of an existing user is changed, the files ownership of the user\*(Aqs file should be fixed manually\&. +.RE +.PP +\fIpw_gid\fR +.RS 4 +This field is used to define the primary group ID for the user\&. +.sp +If this field contains the name of an existing group (or a group created before by +\fBnewusers\fR), the GID of this group will be used as the primary group ID for the user\&. +.sp +If this field is a number, this number will be used as the primary group ID of the user\&. If no groups exist with this GID, a new group will be created with this GID, and the name of the user\&. +.sp +If this field is empty, a new group will be created with the name of the user and a GID will be automatically defined by +\fBnewusers\fR +to be used as the primary group ID for the user and as the GID for the new group\&. +.sp +If this field contains the name of a group which does not exist (and was not created before by +\fBnewusers\fR), a new group will be created with the specified name and a GID will be automatically defined by +\fBnewusers\fR +to be used as the primary group ID for the user and GID for the new group\&. +.RE +.PP +\fIpw_gecos\fR +.RS 4 +This field is copied in the GECOS field of the user\&. +.RE +.PP +\fIpw_dir\fR +.RS 4 +This field is used to define the home directory of the user\&. 
+.sp +If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group\&. Note that +\fInewusers does not create parent directories \fR +of the new user\*(Aqs home directory\&. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure\&. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified\&. +.sp +If the home directory of an existing user is changed, +\fBnewusers\fR +does not move or copy the content of the old directory to the new location\&. This should be done manually\&. +.RE +.PP +\fIpw_shell\fR +.RS 4 +This field defines the shell of the user\&. No checks are performed on this field\&. +.RE +.PP +\fBnewusers\fR +first tries to create or change all the specified users, and then write these changes to the user or group databases\&. If an error occurs (except in the final writes to the databases), no changes are committed to the databases\&. +.PP +This command is intended to be used in a large system environment where many accounts are updated at a single time\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBnewusers\fR +command are: +.PP +\fB\-\-badname\fR\ \& +.RS 4 +Allow names that do not conform to standards\&. +.RE +.PP +\fB\-c\fR, \fB\-\-crypt\-method\fR +.RS 4 +Use the specified method to encrypt the passwords\&. +.sp +The available methods are DES, MD5, NONE, and SHA256 or SHA512 if your libc support these methods\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-r\fR, \fB\-\-system\fR +.RS 4 +Create a system account\&. 
+.sp +System users will be created with no aging information in +/etc/shadow, and their numeric identifiers are chosen in the +\fBSYS_UID_MIN\fR\-\fBSYS_UID_MAX\fR +range, defined in +login\&.defs, instead of +\fBUID_MIN\fR\-\fBUID_MAX\fR +(and their +\fBGID\fR +counterparts for the creation of groups)\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-s\fR, \fB\-\-sha\-rounds\fR +.RS 4 +Use the specified number of rounds to encrypt the passwords\&. +.sp +The value 0 means that the system will choose the default number of rounds for the crypt method (5000)\&. +.sp +A minimal value of 1000 and a maximal value of 999,999,999 will be enforced\&. +.sp +You can only use this option with the SHA256 or SHA512 crypt method\&. +.sp +By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in +/etc/login\&.defs\&. +.RE +.SH "CAVEATS" +.PP +The input file must be protected since it contains unencrypted passwords\&. +.PP +You should make sure the passwords and the encryption method respect the system\*(Aqs password policy\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBENCRYPT_METHOD\fR (string) +.RS 4 +This defines the system default encryption algorithm for encrypting passwords (if no algorithm are specified on the command line)\&. +.sp +It can take one of these values: +\fIDES\fR +(default), +\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see +crypt(5) +for recommendations\&. +.sp +Note: this parameter overrides the +\fBMD5_CRYPT_ENAB\fR +variable\&. 
+.RE +.PP +\fBGID_MAX\fR (number), \fBGID_MIN\fR (number) +.RS 4 +Range of group IDs used for the creation of regular groups by +\fBuseradd\fR, +\fBgroupadd\fR, or +\fBnewusers\fR\&. +.sp +The default value for +\fBGID_MIN\fR +(resp\&. +\fBGID_MAX\fR) is 1000 (resp\&. 60000)\&. +.RE +.PP +\fBHOME_MODE\fR (number) +.RS 4 +The mode for new home directories\&. If not specified, the +\fBUMASK\fR +is used to create the mode\&. +.sp +\fBuseradd\fR +and +\fBnewusers\fR +use this to set the mode of the home directory they create\&. +.RE +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. +.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. +.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.PP +\fBMD5_CRYPT_ENAB\fR (boolean) +.RS 4 +Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to +\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to +\fIno\fR +if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is +\fIno\fR\&. +.sp +This variable is superseded by the +\fBENCRYPT_METHOD\fR +variable or by any command line option used to configure the encryption algorithm\&. +.sp +This variable is deprecated\&. You should use +\fBENCRYPT_METHOD\fR\&. 
+.RE +.PP +\fBPASS_MAX_DAYS\fR (number) +.RS 4 +The maximum number of days a password may be used\&. If the password is older than this, a password change will be forced\&. If not specified, \-1 will be assumed (which disables the restriction)\&. +.RE +.PP +\fBPASS_MIN_DAYS\fR (number) +.RS 4 +The minimum number of days allowed between password changes\&. Any password changes attempted sooner than this will be rejected\&. If not specified, 0 will be assumed (which disables the restriction)\&. +.RE +.PP +\fBPASS_WARN_AGE\fR (number) +.RS 4 +The number of days warning given before a password expires\&. A zero means warning is given only upon the day of expiration, a negative value means no warning is given\&. If not specified, no warning will be provided\&. +.RE +.PP +\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number) +.RS 4 +When +\fBENCRYPT_METHOD\fR +is set to +\fISHA256\fR +or +\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&. +.sp +With a lot of rounds, it is more difficult to brute forcing the password\&. But note also that more CPU resources will be needed to authenticate users\&. +.sp +If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&. +.sp +The values must be inside the 1000\-999,999,999 range\&. +.sp +If only one of the +\fBSHA_CRYPT_MIN_ROUNDS\fR +or +\fBSHA_CRYPT_MAX_ROUNDS\fR +values is set, then this value will be used\&. +.sp +If +\fBSHA_CRYPT_MIN_ROUNDS\fR +> +\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&. 
+.RE +.PP +\fBSUB_GID_MIN\fR (number), \fBSUB_GID_MAX\fR (number), \fBSUB_GID_COUNT\fR (number) +.RS 4 +If +/etc/subuid +exists, the commands +\fBuseradd\fR +and +\fBnewusers\fR +(unless the user already have subordinate group IDs) allocate +\fBSUB_GID_COUNT\fR +unused group IDs from the range +\fBSUB_GID_MIN\fR +to +\fBSUB_GID_MAX\fR +for each new user\&. +.sp +The default values for +\fBSUB_GID_MIN\fR, +\fBSUB_GID_MAX\fR, +\fBSUB_GID_COUNT\fR +are respectively 100000, 600100000 and 65536\&. +.RE +.PP +\fBSUB_UID_MIN\fR (number), \fBSUB_UID_MAX\fR (number), \fBSUB_UID_COUNT\fR (number) +.RS 4 +If +/etc/subuid +exists, the commands +\fBuseradd\fR +and +\fBnewusers\fR +(unless the user already have subordinate user IDs) allocate +\fBSUB_UID_COUNT\fR +unused user IDs from the range +\fBSUB_UID_MIN\fR +to +\fBSUB_UID_MAX\fR +for each new user\&. +.sp +The default values for +\fBSUB_UID_MIN\fR, +\fBSUB_UID_MAX\fR, +\fBSUB_UID_COUNT\fR +are respectively 100000, 600100000 and 65536\&. +.RE +.PP +\fBSYS_GID_MAX\fR (number), \fBSYS_GID_MIN\fR (number) +.RS 4 +Range of group IDs used for the creation of system groups by +\fBuseradd\fR, +\fBgroupadd\fR, or +\fBnewusers\fR\&. +.sp +The default value for +\fBSYS_GID_MIN\fR +(resp\&. +\fBSYS_GID_MAX\fR) is 101 (resp\&. +\fBGID_MIN\fR\-1)\&. +.RE +.PP +\fBSYS_UID_MAX\fR (number), \fBSYS_UID_MIN\fR (number) +.RS 4 +Range of user IDs used for the creation of system users by +\fBuseradd\fR +or +\fBnewusers\fR\&. +.sp +The default value for +\fBSYS_UID_MIN\fR +(resp\&. +\fBSYS_UID_MAX\fR) is 101 (resp\&. +\fBUID_MIN\fR\-1)\&. +.RE +.PP +\fBUID_MAX\fR (number), \fBUID_MIN\fR (number) +.RS 4 +Range of user IDs used for the creation of regular users by +\fBuseradd\fR +or +\fBnewusers\fR\&. +.sp +The default value for +\fBUID_MIN\fR +(resp\&. +\fBUID_MAX\fR) is 1000 (resp\&. 60000)\&. +.RE +.PP +\fBUMASK\fR (number) +.RS 4 +The file mode creation mask is initialized to this value\&. 
If not specified, the mask will be initialized to 022\&. +.sp +\fBuseradd\fR +and +\fBnewusers\fR +use this mask to set the mode of the home directory they create if +\fBHOME_MODE\fR +is not set\&. +.sp +It is also used by +\fBlogin\fR +to define users\*(Aq initial umask\&. Note that this mask can be overridden by the user\*(Aqs GECOS line (if +\fBQUOTAS_ENAB\fR +is set) or by the specification of a limit with the +\fIK\fR +identifier in +\fBlimits\fR(5)\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.PP +/etc/subgid +.RS 4 +Per user subordinate group IDs\&. +.RE +.PP +/etc/subuid +.RS 4 +Per user subordinate user IDs\&. +.RE +.SH "SEE ALSO" +.PP +\fBlogin.defs\fR(5), +\fBpasswd\fR(1), +\fBsubgid\fR(5), \fBsubuid\fR(5), +\fBuseradd\fR(8)\&. diff --git a/man/man8/nologin.8 b/man/man8/nologin.8 new file mode 100644 index 0000000..cc1c114 --- /dev/null +++ b/man/man8/nologin.8 
@@ -0,0 +1,55 @@ +'\" t +.\" Title: nologin +.\" Author: Nicolas François <nicolas.francois@centraliens.net> +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "NOLOGIN" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +nologin \- politely refuse a login +.SH "SYNOPSIS" +.HP \w'\fBnologin\fR\ 'u +\fBnologin\fR +.SH "DESCRIPTION" +.PP +The +\fBnologin\fR +command displays a message that an account is not available and exits non\-zero\&. It is intended as a replacement shell field for accounts that have been disabled\&. +.PP +To disable all logins, investigate +\fBnologin\fR(5)\&. +.PP +If +\fBSSH_ORIGINAL_COMMAND\fR +is populated it will be logged\&. +.SH "SEE ALSO" +.PP +\fBlogin\fR(1), +\fBnologin\fR(5)\&. +.SH "HISTORY" +.PP +The +\fBnologin\fR +command appeared in BSD 4\&.4\&. diff --git a/man/man8/pwck.8 b/man/man8/pwck.8 new file mode 100644 index 0000000..834cc83 --- /dev/null 
+++ b/man/man8/pwck.8 
@@ -0,0 +1,334 @@ +'\" t +.\" Title: pwck +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "PWCK" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pwck \- verify the integrity of password files +.SH "SYNOPSIS" +.HP \w'\fBpwck\fR\ 'u +\fBpwck\fR [options] [\fIPASSWORDFILE\fR\ [\ \fISHADOWFILE\fR\ ]] +.SH "DESCRIPTION" +.PP +The +\fBpwck\fR +command verifies the integrity of the users and authentication information\&. It checks that all entries in +/etc/passwd +and +/etc/shadow +have the proper format and contain valid data\&. The user is prompted to delete entries that are improperly formatted or which have other uncorrectable errors\&. 
+.PP +Checks are made to verify that each entry has: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +the correct number of fields +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a unique and valid user name +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a valid user and group identifier +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a valid primary group +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a valid home directory +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +a valid login shell +.RE +.PP +Checks for shadowed password information are enabled when the second file parameter +\fISHADOWFILE\fR +is specified or when +/etc/shadow +exists on the system\&. +.PP +These checks are the following: +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +every passwd entry has a matching shadow entry, and every shadow entry has a matching passwd entry +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +passwords are specified in the shadowed file +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +shadow entries have the correct number of fields +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +shadow entries are unique in shadow +.RE +.sp +.RS 4 +.ie n \{\ +\h'-04'\(bu\h'+03'\c +.\} +.el \{\ +.sp -1 +.IP \(bu 2.3 +.\} +the last password changes are not in the future +.RE +.PP +The checks for correct number of fields and unique user name are fatal\&. If the entry has the wrong number of fields, the user will be prompted to delete the entire line\&. If the user does not answer affirmatively, all further checks are bypassed\&. 
An entry with a duplicated user name is prompted for deletion, but the remaining checks will still be made\&. All other errors are warnings and the user is encouraged to run the +\fBusermod\fR +command to correct the error\&. +.PP +The commands which operate on the +/etc/passwd +file are not able to alter corrupted or duplicated entries\&. +\fBpwck\fR +should be used in those circumstances to remove the offending entry\&. +.SH "OPTIONS" +.PP +The +\fB\-r\fR +and +\fB\-s\fR +options cannot be combined\&. +.PP +The options which apply to the +\fBpwck\fR +command are: +.PP +\fB\-\-badname\fR\ \& +.RS 4 +Allow names that do not conform to standards\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-q\fR, \fB\-\-quiet\fR +.RS 4 +Report errors only\&. The warnings which do not require any action from the user won\*(Aqt be displayed\&. +.RE +.PP +\fB\-r\fR, \fB\-\-read\-only\fR +.RS 4 +Execute the +\fBpwck\fR +command in read\-only mode\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-s\fR, \fB\-\-sort\fR +.RS 4 +Sort entries in +/etc/passwd +and +/etc/shadow +by UID\&. +.RE +.PP +By default, +\fBpwck\fR +operates on the files +/etc/passwd +and +/etc/shadow\&. The user may select alternate files with the +\fIpasswd\fR +and +\fIshadow\fR +parameters\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBNONEXISTENT\fR (string) +.RS 4 +If a system account intentionally does not have a home directory that exists, this string can be provided in the /etc/passwd entry for the account to indicate this\&. The result is that pwck will not emit a spurious warning for this account\&. 
+.RE +.PP +\fBPASS_MAX_DAYS\fR (number) +.RS 4 +The maximum number of days a password may be used\&. If the password is older than this, a password change will be forced\&. If not specified, \-1 will be assumed (which disables the restriction)\&. +.RE +.PP +\fBPASS_MIN_DAYS\fR (number) +.RS 4 +The minimum number of days allowed between password changes\&. Any password changes attempted sooner than this will be rejected\&. If not specified, 0 will be assumed (which disables the restriction)\&. +.RE +.PP +\fBPASS_WARN_AGE\fR (number) +.RS 4 +The number of days warning given before a password expires\&. A zero means warning is given only upon the day of expiration, a negative value means no warning is given\&. If not specified, no warning will be provided\&. +.RE +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.SH "EXIT VALUES" +.PP +The +\fBpwck\fR +command exits with the following values: +.PP +\fI0\fR +.RS 4 +success +.RE +.PP +\fI1\fR +.RS 4 +invalid command syntax +.RE +.PP +\fI2\fR +.RS 4 +one or more bad password entries +.RE +.PP +\fI3\fR +.RS 4 +can\*(Aqt open password files +.RE +.PP +\fI4\fR +.RS 4 +can\*(Aqt lock password files +.RE +.PP +\fI5\fR +.RS 4 +can\*(Aqt update password files +.RE +.PP +\fI6\fR +.RS 4 +can\*(Aqt sort password files +.RE +.SH "SEE ALSO" +.PP +\fBgroup\fR(5), +\fBgrpck\fR(8), +\fBpasswd\fR(5), +\fBshadow\fR(5), +\fBusermod\fR(8)\&. diff --git a/man/man8/pwconv.8 b/man/man8/pwconv.8 new file mode 100644 index 0000000..147f21f --- /dev/null +++ b/man/man8/pwconv.8 
@@ -0,0 +1,193 @@ +'\" t +.\" Title: pwconv +.\" Author: Marek Michałkiewicz +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "PWCONV" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pwconv, pwunconv, grpconv, grpunconv \- convert to and from shadow passwords and groups +.SH "SYNOPSIS" +.HP \w'\fBpwconv\fR\ 'u +\fBpwconv\fR [\fIoptions\fR] +.HP \w'\fBpwunconv\fR\ 'u +\fBpwunconv\fR [\fIoptions\fR] +.HP \w'\fBgrpconv\fR\ 'u +\fBgrpconv\fR [\fIoptions\fR] +.HP \w'\fBgrpunconv\fR\ 'u +\fBgrpunconv\fR [\fIoptions\fR] +.SH "DESCRIPTION" +.PP +The +\fBpwconv\fR +command creates +\fIshadow\fR +from +\fIpasswd\fR +and an optionally existing +\fIshadow\fR\&. +.PP +The +\fBpwunconv\fR +command creates +\fIpasswd\fR +from +\fIpasswd\fR +and +\fIshadow\fR +and then removes +\fIshadow\fR\&. 
+.PP +The +\fBgrpconv\fR +command creates +\fIgshadow\fR +from +\fIgroup\fR +and an optionally existing +\fIgshadow\fR\&. +.PP +The +\fBgrpunconv\fR +command creates +\fIgroup\fR +from +\fIgroup\fR +and +\fIgshadow\fR +and then removes +\fIgshadow\fR\&. +.PP +These four programs all operate on the normal and shadow password and group files: +/etc/passwd, +/etc/group, +/etc/shadow, and +/etc/gshadow\&. +.PP +Each program acquires the necessary locks before conversion\&. +\fBpwconv\fR +and +\fBgrpconv\fR +are similar\&. First, entries in the shadowed file which don\*(Aqt exist in the main file are removed\&. Then, shadowed entries which don\*(Aqt have `x\*(Aq as the password in the main file are updated\&. Any missing shadowed entries are added\&. Finally, passwords in the main file are replaced with `x\*(Aq\&. These programs can be used for initial conversion as well to update the shadowed file if the main file is edited by hand\&. +.PP +\fBpwconv\fR +will use the values of +\fIPASS_MIN_DAYS\fR, +\fIPASS_MAX_DAYS\fR, and +\fIPASS_WARN_AGE\fR +from +/etc/login\&.defs +when adding new entries to +/etc/shadow\&. +.PP +Likewise +\fBpwunconv\fR +and +\fBgrpunconv\fR +are similar\&. Passwords in the main file are updated from the shadowed file\&. Entries which exist in the main file but not in the shadowed file are left alone\&. Finally, the shadowed file is removed\&. Some password aging information is lost by +\fBpwunconv\fR\&. It will convert what it can\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBpwconv\fR, +\fBpwunconv\fR, +\fBgrpconv\fR, and +\fBgrpunconv\fR +commands are: +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. 
+.RE +.SH "BUGS" +.PP +Errors in the password or group files (such as invalid or duplicate entries) may cause these programs to loop forever or fail in other strange ways\&. Please run +\fBpwck\fR +and +\fBgrpck\fR +to correct any such errors before converting to or from shadow passwords or groups\&. +.SH "CONFIGURATION" +.PP +The following configuration variable in +/etc/login\&.defs +changes the behavior of +\fBgrpconv\fR +and +\fBgrpunconv\fR: +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. +.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. +.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of +\fBpwconv\fR: +.PP +\fBPASS_MAX_DAYS\fR (number) +.RS 4 +The maximum number of days a password may be used\&. If the password is older than this, a password change will be forced\&. If not specified, \-1 will be assumed (which disables the restriction)\&. +.RE +.PP +\fBPASS_MIN_DAYS\fR (number) +.RS 4 +The minimum number of days allowed between password changes\&. Any password changes attempted sooner than this will be rejected\&. If not specified, 0 will be assumed (which disables the restriction)\&. +.RE +.PP +\fBPASS_WARN_AGE\fR (number) +.RS 4 +The number of days warning given before a password expires\&. A zero means warning is given only upon the day of expiration, a negative value means no warning is given\&. 
If not specified, no warning will be provided\&. +.RE +.SH "FILES" +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.SH "SEE ALSO" +.PP +\fBgrpck\fR(8), +\fBlogin.defs\fR(5), +\fBpwck\fR(8)\&. diff --git a/man/man8/pwunconv.8 b/man/man8/pwunconv.8 new file mode 100644 index 0000000..6eed9e8 --- /dev/null +++ b/man/man8/pwunconv.8 @@ -0,0 +1 @@ +.so man8/pwconv.8 diff --git a/man/man8/sulogin.8 b/man/man8/sulogin.8 new file mode 100644 index 0000000..f33405d --- /dev/null +++ b/man/man8/sulogin.8 
@@ -0,0 +1,116 @@ +'\" t +.\" Title: sulogin +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "SULOGIN" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +sulogin \- Single\-user login +.SH "SYNTAX" +.PP +\fBsulogin\fR +[\fItty\-device\fR] +.SH "DESCRIPTION" +.PP +The +\fBsulogin\fR +command is invoked by +\fBinit\fR +prior to allowing the user access to the system when in single user mode\&. This feature may only be available on certain systems where +\fBinit\fR +has been modified accordingly, or where the +/etc/inittab +has an entry for a single user login\&. +.PP +The user is prompted +.PP +Type control\-d to proceed with normal startup, +(or give root password for system maintenance): +.PP +Input and output will be performed with the standard file descriptors unless the optional device name argument is provided\&. 
+.PP +If the user enters the correct root password, a login session is initiated\&. When +\fIEOF\fR +is pressed instead, the system enters multi\-user mode\&. +.PP +After the user exits the single\-user shell, or presses +\fIEOF\fR, the system begins the initialization process required to enter multi\-user mode\&. +.SH "CAVEATS" +.PP +This command can only be used if +\fBinit\fR +has been modified to call +\fBsulogin\fR +instead of +/bin/sh, or if the user has set the +\fIinittab\fR +to support a single user login\&. For example, the line: +.PP +co:s:respawn:/etc/sulogin /dev/console +.PP +should execute the sulogin command in single user mode\&. +.PP +As complete an environment as possible is created\&. However, various devices may be unmounted or uninitialized and many of the user commands may be unavailable or nonfunctional as a result\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBENV_HZ\fR (string) +.RS 4 +If set, it will be used to define the HZ environment variable when a user login\&. The value must be preceded by +\fIHZ=\fR\&. A common value on Linux is +\fIHZ=100\fR\&. +.RE +.PP +\fBENV_TZ\fR (string) +.RS 4 +If set, it will be used to define the TZ environment variable when a user login\&. The value can be the name of a timezone preceded by +\fITZ=\fR +(for example +\fITZ=CST6CDT\fR), or the full path to the file containing the timezone specification (for example +/etc/tzname)\&. +.sp +If a full path is specified but the file does not exist or cannot be read, the default is to use +\fITZ=CST6CDT\fR\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.SH "SEE ALSO" +.PP +\fBlogin\fR(1), +\fBsh\fR(1), +\fBinit\fR(8)\&. diff --git a/man/man8/useradd.8 b/man/man8/useradd.8 new file mode 100644 index 0000000..e6530b3 --- /dev/null +++ b/man/man8/useradd.8 
@@ -0,0 +1,827 @@ +'\" t +.\" Title: useradd +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "USERADD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +useradd \- create a new user or update default new user information +.SH "SYNOPSIS" +.HP \w'\fBuseradd\fR\ 'u +\fBuseradd\fR [\fIoptions\fR] \fILOGIN\fR +.HP \w'\fBuseradd\fR\ 'u +\fBuseradd\fR \-D +.HP \w'\fBuseradd\fR\ 'u +\fBuseradd\fR \-D [\fIoptions\fR] +.SH "DESCRIPTION" +.PP +When invoked without the +\fB\-D\fR +option, the +\fBuseradd\fR +command creates a new user account using the values specified on the command line plus the default values from the system\&. Depending on command line options, the +\fBuseradd\fR +command will update system files and may also create the new user\*(Aqs home directory and copy initial files\&. 
+.PP +By default, a group will also be created for the new user (see +\fB\-g\fR, +\fB\-N\fR, +\fB\-U\fR, and +\fBUSERGROUPS_ENAB\fR)\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBuseradd\fR +command are: +.PP +\fB\-\-badname\fR\ \& +.RS 4 +Allow names that do not conform to standards\&. +.RE +.PP +\fB\-b\fR, \fB\-\-base\-dir\fR\ \&\fIBASE_DIR\fR +.RS 4 +The default base directory for the system if +\fB\-d\fR\ \&\fIHOME_DIR\fR +is not specified\&. +\fIBASE_DIR\fR +is concatenated with the account name to define the home directory\&. +.sp +If this option is not specified, +\fBuseradd\fR +will use the base directory specified by the +\fBHOME\fR +variable in +/etc/default/useradd, or +/home +by default\&. +.RE +.PP +\fB\-c\fR, \fB\-\-comment\fR\ \&\fICOMMENT\fR +.RS 4 +Any text string\&. It is generally a short description of the account, and is currently used as the field for the user\*(Aqs full name\&. +.RE +.PP +\fB\-d\fR, \fB\-\-home\-dir\fR\ \&\fIHOME_DIR\fR +.RS 4 +The new user will be created using +\fIHOME_DIR\fR +as the value for the user\*(Aqs login directory\&. The default is to append the +\fILOGIN\fR +name to +\fIBASE_DIR\fR +and use that as the login directory name\&. If the directory +\fIHOME_DIR\fR +does not exist, then it will be created unless the +\fB\-M\fR +option is specified\&. +.RE +.PP +\fB\-D\fR, \fB\-\-defaults\fR +.RS 4 +See below, the subsection "Changing the default values"\&. +.RE +.PP +\fB\-e\fR, \fB\-\-expiredate\fR\ \&\fIEXPIRE_DATE\fR +.RS 4 +The date on which the user account will be disabled\&. The date is specified in the format +\fIYYYY\-MM\-DD\fR\&. +.sp +If not specified, +\fBuseradd\fR +will use the default expiry date specified by the +\fBEXPIRE\fR +variable in +/etc/default/useradd, or an empty string (no expiry) by default\&. 
+.RE +.PP +\fB\-f\fR, \fB\-\-inactive\fR\ \&\fIINACTIVE\fR +.RS 4 +defines the number of days after the password exceeded its maximum age where the user is expected to replace this password\&. The value is stored in the shadow password file\&. An input of 0 will disable an expired password with no delay\&. An input of \-1 will blank the respective field in the shadow password file\&. See +\fBshadow\fR(5)for more information\&. +.sp +If not specified, +\fBuseradd\fR +will use the default inactivity period specified by the +\fBINACTIVE\fR +variable in +/etc/default/useradd, or \-1 by default\&. +.RE +.PP +\fB\-F\fR, \fB\-\-add\-subids\-for\-system\fR +.RS 4 +Update +/etc/subuid +and +/etc/subgid +even when creating a system account with +\fB\-r\fR +option\&. +.RE +.PP +\fB\-g\fR, \fB\-\-gid\fR\ \&\fIGROUP\fR +.RS 4 +The name or the number of the user\*(Aqs primary group\&. The group name must exist\&. A group number must refer to an already existing group\&. +.sp +If not specified, the behavior of +\fBuseradd\fR +will depend on the +\fBUSERGROUPS_ENAB\fR +variable in +/etc/login\&.defs\&. If this variable is set to +\fIyes\fR +(or +\fB\-U/\-\-user\-group\fR +is specified on the command line), a group will be created for the user, with the same name as her loginname\&. If the variable is set to +\fIno\fR +(or +\fB\-N/\-\-no\-user\-group\fR +is specified on the command line), useradd will set the primary group of the new user to the value specified by the +\fBGROUP\fR +variable in +/etc/default/useradd, or 1000 by default\&. +.RE +.PP +\fB\-G\fR, \fB\-\-groups\fR\ \&\fIGROUP1\fR[\fI,GROUP2,\&.\&.\&.\fR[\fI,GROUPN\fR]]] +.RS 4 +A list of supplementary groups which the user is also a member of\&. Each group is separated from the next by a comma, with no intervening whitespace\&. The groups are subject to the same restrictions as the group given with the +\fB\-g\fR +option\&. The default is for the user to belong only to the initial group\&. 
+.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-k\fR, \fB\-\-skel\fR\ \&\fISKEL_DIR\fR +.RS 4 +The skeleton directory, which contains files and directories to be copied in the user\*(Aqs home directory, when the home directory is created by +\fBuseradd\fR\&. +.sp +This option is only valid if the +\fB\-m\fR +(or +\fB\-\-create\-home\fR) option is specified\&. +.sp +If this option is not set, the skeleton directory is defined by the +\fBSKEL\fR +variable in +/etc/default/useradd +or, by default, +/etc/skel\&. +.sp +If possible, the ACLs and extended attributes are copied\&. +.RE +.PP +\fB\-K\fR, \fB\-\-key\fR\ \&\fIKEY\fR=\fIVALUE\fR +.RS 4 +Overrides +/etc/login\&.defs +defaults (\fBUID_MIN\fR, +\fBUID_MAX\fR, +\fBUMASK\fR, +\fBPASS_MAX_DAYS\fR +and others)\&. +.sp +Example: +\fB\-K\fR\ \&\fIPASS_MAX_DAYS \fR=\fI\-1\fR +can be used when creating an account to turn off password aging\&. Multiple +\fB\-K\fR +options can be specified, e\&.g\&.: +\fB\-K\fR\ \&\fIUID_MIN\fR +=\fI100\fR\ \&\fB\-K\fR\ \& +\fIUID_MAX\fR=\fI499\fR +.RE +.PP +\fB\-l\fR, \fB\-\-no\-log\-init\fR +.RS 4 +Do not add the user to the lastlog and faillog databases\&. +.sp +By default, the user\*(Aqs entries in the lastlog and faillog databases are reset to avoid reusing the entry from a previously deleted user\&. +.sp +If this option is not specified, +\fBuseradd\fR +will also consult the variable +\fBLOG_INIT\fR +in the +/etc/default/useradd +if set to no the user will not be added to the lastlog and faillog databases\&. +.RE +.PP +\fB\-m\fR, \fB\-\-create\-home\fR +.RS 4 +Create the user\*(Aqs home directory if it does not exist\&. The files and directories contained in the skeleton directory (which can be defined with the +\fB\-k\fR +option) will be copied to the home directory\&. +.sp +By default, if this option is not specified and +\fBCREATE_HOME\fR +is not enabled, no home directories are created\&. 
+.sp +The directory where the user\*(Aqs home directory is created must exist and have proper SELinux context and permissions\&. Otherwise the user\*(Aqs home directory cannot be created or accessed\&. +.RE +.PP +\fB\-M\fR, \fB\-\-no\-create\-home\fR +.RS 4 +Do not create the user\*(Aqs home directory, even if the system wide setting from +/etc/login\&.defs +(\fBCREATE_HOME\fR) is set to +\fIyes\fR\&. +.RE +.PP +\fB\-N\fR, \fB\-\-no\-user\-group\fR +.RS 4 +Do not create a group with the same name as the user, but add the user to the group specified by the +\fB\-g\fR +option or by the +\fBGROUP\fR +variable in +/etc/default/useradd\&. +.sp +The default behavior (if the +\fB\-g\fR, +\fB\-N\fR, and +\fB\-U\fR +options are not specified) is defined by the +\fBUSERGROUPS_ENAB\fR +variable in +/etc/login\&.defs\&. +.RE +.PP +\fB\-o\fR, \fB\-\-non\-unique\fR +.RS 4 +allows the creation of an account with an already existing UID\&. +.sp +This option is only valid in combination with the +\fB\-u\fR +option\&. As a user identity serves as key to map between users on one hand and permissions, file ownerships and other aspects that determine the system\*(Aqs behavior on the other hand, more than one login name will access the account of the given UID\&. +.RE +.PP +\fB\-p\fR, \fB\-\-password\fR\ \&\fIPASSWORD\fR +.RS 4 +defines an initial password for the account\&. PASSWORD is expected to be encrypted, as returned by +\fBcrypt \fR(3)\&. Within a shell script, this option allows to create efficiently batches of users\&. +.sp +Without this option, the new account will be locked and with no password defined, i\&.e\&. a single exclamation mark in the respective field of +/etc/shadow\&. This is a state where the user won\*(Aqt be able to access the account or to define a password himself\&. +.sp +\fBNote:\fRAvoid this option on the command line because the password (or encrypted password) will be visible by users listing the processes\&. 
+.sp +You should make sure the password respects the system\*(Aqs password policy\&. +.RE +.PP +\fB\-r\fR, \fB\-\-system\fR +.RS 4 +Create a system account\&. +.sp +System users will be created with no aging information in +/etc/shadow, and their numeric identifiers are chosen in the +\fBSYS_UID_MIN\fR\-\fBSYS_UID_MAX\fR +range, defined in +/etc/login\&.defs, instead of +\fBUID_MIN\fR\-\fBUID_MAX\fR +(and their +\fBGID\fR +counterparts for the creation of groups)\&. +.sp +Note that +\fBuseradd\fR +will not create a home directory for such a user, regardless of the default setting in +/etc/login\&.defs +(\fBCREATE_HOME\fR)\&. You have to specify the +\fB\-m\fR +options if you want a home directory for a system account to be created\&. +.sp +Note that this option will not update +/etc/subuid +and +/etc/subgid\&. You have to specify the +\fB\-F\fR +options if you want to update the files for a system account to be created\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-P\fR, \fB\-\-prefix\fR\ \&\fIPREFIX_DIR\fR +.RS 4 +Apply changes to configuration files under the root filesystem found under the directory +\fIPREFIX_DIR\fR\&. This option does not chroot and is intended for preparing a cross\-compilation target\&. Some limitations: NIS and LDAP users/groups are not verified\&. PAM authentication is using the host files\&. No SELINUX support\&. +.RE +.PP +\fB\-s\fR, \fB\-\-shell\fR\ \&\fISHELL\fR +.RS 4 +sets the path to the user\*(Aqs login shell\&. Without this option, the system will use the +\fBSHELL\fR +variable specified in +/etc/default/useradd, or, if that is as well not set, the field for the login shell in +/etc/passwd +remains empty\&. +.RE +.PP +\fB\-u\fR, \fB\-\-uid\fR\ \&\fIUID\fR +.RS 4 +The numerical value of the user\*(Aqs ID\&. 
This value must be unique, unless the +\fB\-o\fR +option is used\&. The value must be non\-negative\&. The default is to use the smallest ID value greater than or equal to +\fBUID_MIN\fR +and greater than every other user\&. +.sp +See also the +\fB\-r\fR +option and the +\fBUID_MAX\fR +description\&. +.RE +.PP +\fB\-U\fR, \fB\-\-user\-group\fR +.RS 4 +Create a group with the same name as the user, and add the user to this group\&. +.sp +The default behavior (if the +\fB\-g\fR, +\fB\-N\fR, and +\fB\-U\fR +options are not specified) is defined by the +\fBUSERGROUPS_ENAB\fR +variable in +/etc/login\&.defs\&. +.RE +.PP +\fB\-Z\fR, \fB\-\-selinux\-user\fR\ \&\fISEUSER\fR +.RS 4 +defines the SELinux user for the new account\&. Without this option, a SELinux uses the default user\&. Note that the shadow system doesn\*(Aqt store the selinux\-user, it uses +\fBsemanage\fR(8) +for that\&. +.RE +.SS "Changing the default values" +.PP +When invoked with only the +\fB\-D\fR +option, +\fBuseradd\fR +will display the current default values\&. When invoked with +\fB\-D\fR +plus other options, +\fBuseradd\fR +will update the default values for the specified options\&. Valid default\-changing options are: +.PP +\fB\-b\fR, \fB\-\-base\-dir\fR\ \&\fIBASE_DIR\fR +.RS 4 +sets the path prefix for a new user\*(Aqs home directory\&. The user\*(Aqs name will be affixed to the end of +\fIBASE_DIR\fR +to form the new user\*(Aqs home directory name, if the +\fB\-d\fR +option is not used when creating a new account\&. +.sp +This option sets the +\fBHOME\fR +variable in +/etc/default/useradd\&. +.RE +.PP +\fB\-e\fR, \fB\-\-expiredate\fR\ \&\fIEXPIRE_DATE\fR +.RS 4 +sets the date on which newly created user accounts are disabled\&. +.sp +This option sets the +\fBEXPIRE\fR +variable in +/etc/default/useradd\&. 
+.RE +.PP +\fB\-f\fR, \fB\-\-inactive\fR\ \&\fIINACTIVE\fR +.RS 4 +defines the number of days after the password exceeded its maximum age where the user is expected to replace this password\&. See +\fBshadow\fR(5)for more information\&. +.sp +This option sets the +\fBINACTIVE\fR +variable in +/etc/default/useradd\&. +.RE +.PP +\fB\-g\fR, \fB\-\-gid\fR\ \&\fIGROUP\fR +.RS 4 +sets the default primary group for newly created users, accepting group names or a numerical group ID\&. The named group must exist, and the GID must have an existing entry\&. +.sp +This option sets the +\fBGROUP\fR +variable in +/etc/default/useradd\&. +.RE +.PP +\fB\-s\fR, \fB\-\-shell\fR\ \&\fISHELL\fR +.RS 4 +defines the default login shell for new users\&. +.sp +This option sets the +\fBSHELL\fR +variable in +/etc/default/useradd\&. +.RE +.SH "NOTES" +.PP +The system administrator is responsible for placing the default user files in the +/etc/skel/ +directory (or any other skeleton directory specified in +/etc/default/useradd +or on the command line)\&. +.SH "CAVEATS" +.PP +You may not add a user to a NIS or LDAP group\&. This must be performed on the corresponding server\&. +.PP +Similarly, if the username already exists in an external user database such as NIS or LDAP, +\fBuseradd\fR +will deny the user account creation request\&. +.PP +Usernames may contain only lower and upper case letters, digits, underscores, or dashes\&. They can end with a dollar sign\&. Dashes are not allowed at the beginning of the username\&. Fully numeric usernames and usernames \&. or \&.\&. are also disallowed\&. It is not recommended to use usernames beginning with \&. character as their home directories will be hidden in the +\fBls\fR +output\&. +.PP +Usernames may only be up to 32 characters long\&. 
+.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBCREATE_HOME\fR (boolean) +.RS 4 +Indicate if a home directory should be created by default for new users\&. +.sp +This setting does not apply to system users, and can be overridden on the command line\&. +.RE +.PP +\fBGID_MAX\fR (number), \fBGID_MIN\fR (number) +.RS 4 +Range of group IDs used for the creation of regular groups by +\fBuseradd\fR, +\fBgroupadd\fR, or +\fBnewusers\fR\&. +.sp +The default value for +\fBGID_MIN\fR +(resp\&. +\fBGID_MAX\fR) is 1000 (resp\&. 60000)\&. +.RE +.PP +\fBHOME_MODE\fR (number) +.RS 4 +The mode for new home directories\&. If not specified, the +\fBUMASK\fR +is used to create the mode\&. +.sp +\fBuseradd\fR +and +\fBnewusers\fR +use this to set the mode of the home directory they create\&. +.RE +.PP +\fBLASTLOG_UID_MAX\fR (number) +.RS 4 +Highest user ID number for which the lastlog entries should be updated\&. As higher user IDs are usually tracked by remote user identity and authentication services there is no need to create a huge sparse lastlog file for them\&. +.sp +No +\fBLASTLOG_UID_MAX\fR +option present in the configuration means that there is no user ID limit for writing lastlog entries\&. +.RE +.PP +\fBMAIL_DIR\fR (string) +.RS 4 +The mail spool directory\&. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&. The parameter CREATE_MAIL_SPOOL in +/etc/default/useradd +determines whether the mail spool should be created\&. +.RE +.PP +\fBMAIL_FILE\fR (string) +.RS 4 +Defines the location of the users mail spool files relatively to their home directory\&. +.RE +.PP +The +\fBMAIL_DIR\fR +and +\fBMAIL_FILE\fR +variables are used by +\fBuseradd\fR, +\fBusermod\fR, and +\fBuserdel\fR +to create, move, or delete the user\*(Aqs mail spool\&. 
+.PP +If +\fBMAIL_CHECK_ENAB\fR +is set to +\fIyes\fR, they are also used to define the +\fBMAIL\fR +environment variable\&. +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. +.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. +.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.PP +\fBPASS_MAX_DAYS\fR (number) +.RS 4 +The maximum number of days a password may be used\&. If the password is older than this, a password change will be forced\&. If not specified, \-1 will be assumed (which disables the restriction)\&. +.RE +.PP +\fBPASS_MIN_DAYS\fR (number) +.RS 4 +The minimum number of days allowed between password changes\&. Any password changes attempted sooner than this will be rejected\&. If not specified, 0 will be assumed (which disables the restriction)\&. +.RE +.PP +\fBPASS_WARN_AGE\fR (number) +.RS 4 +The number of days warning given before a password expires\&. A zero means warning is given only upon the day of expiration, a negative value means no warning is given\&. If not specified, no warning will be provided\&. +.RE +.PP +\fBSUB_GID_MIN\fR (number), \fBSUB_GID_MAX\fR (number), \fBSUB_GID_COUNT\fR (number) +.RS 4 +If +/etc/subuid +exists, the commands +\fBuseradd\fR +and +\fBnewusers\fR +(unless the user already have subordinate group IDs) allocate +\fBSUB_GID_COUNT\fR +unused group IDs from the range +\fBSUB_GID_MIN\fR +to +\fBSUB_GID_MAX\fR +for each new user\&. 
+.sp +The default values for +\fBSUB_GID_MIN\fR, +\fBSUB_GID_MAX\fR, +\fBSUB_GID_COUNT\fR +are respectively 100000, 600100000 and 65536\&. +.RE +.PP +\fBSUB_UID_MIN\fR (number), \fBSUB_UID_MAX\fR (number), \fBSUB_UID_COUNT\fR (number) +.RS 4 +If +/etc/subuid +exists, the commands +\fBuseradd\fR +and +\fBnewusers\fR +(unless the user already have subordinate user IDs) allocate +\fBSUB_UID_COUNT\fR +unused user IDs from the range +\fBSUB_UID_MIN\fR +to +\fBSUB_UID_MAX\fR +for each new user\&. +.sp +The default values for +\fBSUB_UID_MIN\fR, +\fBSUB_UID_MAX\fR, +\fBSUB_UID_COUNT\fR +are respectively 100000, 600100000 and 65536\&. +.RE +.PP +\fBSYS_GID_MAX\fR (number), \fBSYS_GID_MIN\fR (number) +.RS 4 +Range of group IDs used for the creation of system groups by +\fBuseradd\fR, +\fBgroupadd\fR, or +\fBnewusers\fR\&. +.sp +The default value for +\fBSYS_GID_MIN\fR +(resp\&. +\fBSYS_GID_MAX\fR) is 101 (resp\&. +\fBGID_MIN\fR\-1)\&. +.RE +.PP +\fBSYS_UID_MAX\fR (number), \fBSYS_UID_MIN\fR (number) +.RS 4 +Range of user IDs used for the creation of system users by +\fBuseradd\fR +or +\fBnewusers\fR\&. +.sp +The default value for +\fBSYS_UID_MIN\fR +(resp\&. +\fBSYS_UID_MAX\fR) is 101 (resp\&. +\fBUID_MIN\fR\-1)\&. +.RE +.PP +\fBUID_MAX\fR (number), \fBUID_MIN\fR (number) +.RS 4 +Range of user IDs used for the creation of regular users by +\fBuseradd\fR +or +\fBnewusers\fR\&. +.sp +The default value for +\fBUID_MIN\fR +(resp\&. +\fBUID_MAX\fR) is 1000 (resp\&. 60000)\&. +.RE +.PP +\fBUMASK\fR (number) +.RS 4 +The file mode creation mask is initialized to this value\&. If not specified, the mask will be initialized to 022\&. +.sp +\fBuseradd\fR +and +\fBnewusers\fR +use this mask to set the mode of the home directory they create if +\fBHOME_MODE\fR +is not set\&. +.sp +It is also used by +\fBlogin\fR +to define users\*(Aq initial umask\&. 
Note that this mask can be overridden by the user\*(Aqs GECOS line (if +\fBQUOTAS_ENAB\fR +is set) or by the specification of a limit with the +\fIK\fR +identifier in +\fBlimits\fR(5)\&. +.RE +.PP +\fBUSERGROUPS_ENAB\fR (boolean) +.RS 4 +Enable setting of the umask group bits to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007) for non\-root users, if the uid is the same as gid, and username is the same as the primary group name\&. +.sp +If set to +\fIyes\fR, +\fBuserdel\fR +will remove the user\*(Aqs group if it contains no more members, and +\fBuseradd\fR +will create by default a group with the name of the user\&. +.RE +.SH "FILES" +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. +.RE +.PP +/etc/default/useradd +.RS 4 +Default values for account creation\&. +.RE +.PP +/etc/shadow\-maint/useradd\-pre\&.d/*, /etc/shadow\-maint/useradd\-post\&.d/* +.RS 4 +Run\-part files to execute during user addition\&. The environment variable +\fBACTION\fR +will be populated with useradd and +\fBSUBJECT\fR +with the +\fBusername\fR\&. +useradd\-pre\&.d +will be executed prior to any user addition\&. +useradd\-post\&.d +will execute after user addition\&. If a script exits non\-zero then execution will terminate\&. +.RE +.PP +/etc/skel/ +.RS 4 +Directory containing default files\&. +.RE +.PP +/etc/subgid +.RS 4 +Per user subordinate group IDs\&. +.RE +.PP +/etc/subuid +.RS 4 +Per user subordinate user IDs\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. 
+.RE +.SH "EXIT VALUES" +.PP +The +\fBuseradd\fR +command exits with the following values: +.PP +\fI0\fR +.RS 4 +success +.RE +.PP +\fI1\fR +.RS 4 +can\*(Aqt update password file +.RE +.PP +\fI2\fR +.RS 4 +invalid command syntax +.RE +.PP +\fI3\fR +.RS 4 +invalid argument to option +.RE +.PP +\fI4\fR +.RS 4 +UID already in use (and no +\fB\-o\fR) +.RE +.PP +\fI6\fR +.RS 4 +specified group doesn\*(Aqt exist +.RE +.PP +\fI9\fR +.RS 4 +username or group name already in use +.RE +.PP +\fI10\fR +.RS 4 +can\*(Aqt update group file +.RE +.PP +\fI12\fR +.RS 4 +can\*(Aqt create home directory +.RE +.PP +\fI14\fR +.RS 4 +can\*(Aqt update SELinux user mapping +.RE +.SH "SEE ALSO" +.PP +\fBchfn\fR(1), +\fBchsh\fR(1), +\fBpasswd\fR(1), +\fBcrypt\fR(3), +\fBgroupadd\fR(8), +\fBgroupdel\fR(8), +\fBgroupmod\fR(8), +\fBlogin.defs\fR(5), +\fBnewusers\fR(8), +\fBsubgid\fR(5), \fBsubuid\fR(5), +\fBuserdel\fR(8), +\fBusermod\fR(8)\&. diff --git a/man/man8/userdel.8 b/man/man8/userdel.8 new file mode 100644 index 0000000..acfc412 --- /dev/null +++ b/man/man8/userdel.8 
@@ -0,0 +1,325 @@ +'\" t +.\" Title: userdel +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "USERDEL" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +userdel \- delete a user account and related files +.SH "SYNOPSIS" +.HP \w'\fBuserdel\fR\ 'u +\fBuserdel\fR [options] \fILOGIN\fR +.SH "DESCRIPTION" +.PP +The +\fBuserdel\fR +command modifies the system account files, deleting all entries that refer to the user name +\fILOGIN\fR\&. The named user must exist\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBuserdel\fR +command are: +.PP +\fB\-f\fR, \fB\-\-force\fR +.RS 4 +This option forces the removal of the user account, even if the user is still logged in\&. 
It also forces +\fBuserdel\fR +to remove the user\*(Aqs home directory and mail spool, even if another user uses the same home directory or if the mail spool is not owned by the specified user\&. If +\fBUSERGROUPS_ENAB\fR +is defined to +\fIyes\fR +in +/etc/login\&.defs +and if a group exists with the same name as the deleted user, then this group will be removed, even if it is still the primary group of another user\&. +.sp +\fINote:\fR +This option is dangerous and may leave your system in an inconsistent state\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-r\fR, \fB\-\-remove\fR +.RS 4 +Files in the user\*(Aqs home directory will be removed along with the home directory itself and the user\*(Aqs mail spool\&. Files located in other file systems will have to be searched for and deleted manually\&. +.sp +The mail spool is defined by the +\fBMAIL_DIR\fR +variable in the +login\&.defs +file\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-P\fR, \fB\-\-prefix\fR\ \&\fIPREFIX_DIR\fR +.RS 4 +Apply changes in the +\fIPREFIX_DIR\fR +directory and use the configuration files from the +\fIPREFIX_DIR\fR +directory\&. This option does not chroot and is intended for preparing a cross\-compilation target\&. Some limitations: NIS and LDAP users/groups are not verified\&. PAM authentication is using the host files\&. No SELINUX support\&. +.RE +.PP +\fB\-Z\fR, \fB\-\-selinux\-user\fR +.RS 4 +Remove any SELinux user mapping for the user\*(Aqs login\&. +.RE +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBMAIL_DIR\fR (string) +.RS 4 +The mail spool directory\&. 
This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&. The parameter CREATE_MAIL_SPOOL in +/etc/default/useradd +determines whether the mail spool should be created\&. +.RE +.PP +\fBMAIL_FILE\fR (string) +.RS 4 +Defines the location of the users mail spool files relatively to their home directory\&. +.RE +.PP +The +\fBMAIL_DIR\fR +and +\fBMAIL_FILE\fR +variables are used by +\fBuseradd\fR, +\fBusermod\fR, and +\fBuserdel\fR +to create, move, or delete the user\*(Aqs mail spool\&. +.PP +If +\fBMAIL_CHECK_ENAB\fR +is set to +\fIyes\fR, they are also used to define the +\fBMAIL\fR +environment variable\&. +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. +.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. +.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.PP +\fBUSERDEL_CMD\fR (string) +.RS 4 +If defined, this command is run when removing a user\&. It should remove any at/cron/print jobs etc\&. owned by the user to be removed (passed as the first argument)\&. +.sp +The return code of the script is not taken into account\&. +.sp +Here is an example script, which removes the user\*(Aqs cron, at and print jobs: +.sp +.if n \{\ +.RS 4 +.\} +.nf +#! /bin/sh + +# Check for the required argument\&. +if [ $# != 1 ]; then + echo "Usage: $0 username" + exit 1 +fi + +# Remove cron jobs\&. 
+crontab \-r \-u $1 + +# Remove at jobs\&. +# Note that it will remove any jobs owned by the same UID, +# even if it was shared by a different username\&. +AT_SPOOL_DIR=/var/spool/cron/atjobs +find $AT_SPOOL_DIR \-name "[^\&.]*" \-type f \-user $1 \-delete \e; + +# Remove print jobs\&. +lprm $1 + +# All done\&. +exit 0 + +.fi +.if n \{\ +.RE +.\} +.sp +.RE +.PP +\fBUSERGROUPS_ENAB\fR (boolean) +.RS 4 +Enable setting of the umask group bits to be the same as owner bits (examples: 022 \-> 002, 077 \-> 007) for non\-root users, if the uid is the same as gid, and username is the same as the primary group name\&. +.sp +If set to +\fIyes\fR, +\fBuserdel\fR +will remove the user\*(Aqs group if it contains no more members, and +\fBuseradd\fR +will create by default a group with the name of the user\&. +.RE +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration\&. +.RE +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.PP +/etc/shadow\-maint/userdel\-pre\&.d/*, /etc/shadow\-maint/userdel\-post\&.d/* +.RS 4 +Run\-part files to execute during user deletion\&. The environment variable +\fBACTION\fR +will be populated with +\fBuserdel\fR +and +\fBSUBJECT\fR +with the username\&. +userdel\-pre\&.d +will be executed prior to any user deletion\&. +userdel\-post\&.d +will execute after user deletion\&. If a script exits non\-zero then execution will terminate\&. +.RE +.PP +/etc/subgid +.RS 4 +Per user subordinate group IDs\&. +.RE +.PP +/etc/subuid +.RS 4 +Per user subordinate user IDs\&. 
+.RE +.SH "EXIT VALUES" +.PP +The +\fBuserdel\fR +command exits with the following values: +.PP +\fI0\fR +.RS 4 +success +.RE +.PP +\fI1\fR +.RS 4 +can\*(Aqt update password file +.RE +.PP +\fI2\fR +.RS 4 +invalid command syntax +.RE +.PP +\fI6\fR +.RS 4 +specified user doesn\*(Aqt exist +.RE +.PP +\fI8\fR +.RS 4 +user currently logged in +.RE +.PP +\fI10\fR +.RS 4 +can\*(Aqt update group file +.RE +.PP +\fI12\fR +.RS 4 +can\*(Aqt remove home directory +.RE +.SH "CAVEATS" +.PP +\fBuserdel\fR +will not allow you to remove an account if there are running processes which belong to this account\&. In that case, you may have to kill those processes or lock the user\*(Aqs password or account and remove the account later\&. The +\fB\-f\fR +option can force the deletion of this account\&. +.PP +You should manually check all file systems to ensure that no files remain owned by this user\&. +.PP +You may not remove any NIS attributes on a NIS client\&. This must be performed on the NIS server\&. +.PP +If +\fBUSERGROUPS_ENAB\fR +is defined to +\fIyes\fR +in +/etc/login\&.defs, +\fBuserdel\fR +will delete the group with the same name as the user\&. To avoid inconsistencies in the passwd and group databases, +\fBuserdel\fR +will check that this group is not used as a primary group for another user, and will just warn without deleting the group otherwise\&. The +\fB\-f\fR +option can force the deletion of this group\&. +.SH "SEE ALSO" +.PP +\fBchfn\fR(1), +\fBchsh\fR(1), +\fBpasswd\fR(1), +\fBlogin.defs\fR(5), +\fBgpasswd\fR(8), +\fBgroupadd\fR(8), +\fBgroupdel\fR(8), +\fBgroupmod\fR(8), +\fBsubgid\fR(5), \fBsubuid\fR(5), +\fBuseradd\fR(8), +\fBusermod\fR(8)\&. diff --git a/man/man8/usermod.8 b/man/man8/usermod.8 new file mode 100644 index 0000000..f419a69 --- /dev/null +++ b/man/man8/usermod.8 
@@ -0,0 +1,478 @@ +'\" t +.\" Title: usermod +.\" Author: Julianne Frances Haugh +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "USERMOD" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +usermod \- modify a user account +.SH "SYNOPSIS" +.HP \w'\fBusermod\fR\ 'u +\fBusermod\fR [\fIoptions\fR] \fILOGIN\fR +.SH "DESCRIPTION" +.PP +The +\fBusermod\fR +command modifies the system account files\&. +.SH "OPTIONS" +.PP +The options which apply to the +\fBusermod\fR +command are: +.PP +\fB\-a\fR, \fB\-\-append\fR +.RS 4 +Add the user to the supplementary group(s)\&. Use only with the +\fB\-G\fR +option\&. +.RE +.PP +\fB\-b\fR, \fB\-\-badname\fR +.RS 4 +Allow names that do not conform to standards\&. +.RE +.PP +\fB\-c\fR, \fB\-\-comment\fR\ \&\fICOMMENT\fR +.RS 4 +update the comment field of the user in +/etc/passwd, which is normally modified using the +\fBchfn\fR(1) +utility\&. 
+.RE +.PP +\fB\-d\fR, \fB\-\-home\fR\ \&\fIHOME_DIR\fR +.RS 4 +The user\*(Aqs new login directory\&. +.sp +If the +\fB\-m\fR +option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist\&. If the current home directory does not exist the new home directory will not be created\&. +.RE +.PP +\fB\-e\fR, \fB\-\-expiredate\fR\ \&\fIEXPIRE_DATE\fR +.RS 4 +The date on which the user account will be disabled\&. The date is specified in the format +\fIYYYY\-MM\-DD\fR\&. Integers as input are interpreted as days after 1970\-01\-01\&. +.sp +An input of \-1 or an empty string will blank the account expiration field in the shadow password file\&. The account will remain available with no date limit\&. +.sp +This option requires a +/etc/shadow +file\&. A +/etc/shadow +entry will be created if there were none\&. +.RE +.PP +\fB\-f\fR, \fB\-\-inactive\fR\ \&\fIINACTIVE\fR +.RS 4 +defines the number of days after the password exceeded its maximum age during which the user may still login by immediately replacing the password\&. This grace period before the account becomes inactive is stored in the shadow password file\&. An input of 0 will disable an expired password with no delay\&. An input of \-1 will blank the respective field in the shadow password file\&. See +\fBshadow\fR(5) +for more information\&. +.sp +This option requires a +/etc/shadow +file\&. A +/etc/shadow +entry will be created if there were none\&. +.RE +.PP +\fB\-g\fR, \fB\-\-gid\fR\ \&\fIGROUP\fR +.RS 4 +The name or numerical ID of the user\*(Aqs new primary group\&. The group must exist\&. +.sp +Any file from the user\*(Aqs home directory owned by the previous primary group of the user will be owned by this new group\&. +.sp +The group ownership of files outside of the user\*(Aqs home directory must be fixed manually\&. 
+.sp +The change of the group ownership of files inside of the user\*(Aqs home directory is also not done if the home dir owner uid is different from the current or new user id\&. This is a safety measure for special home directories such as +/\&. +.RE +.PP +\fB\-G\fR, \fB\-\-groups\fR\ \&\fIGROUP1\fR[\fI,GROUP2,\&.\&.\&.\fR[\fI,GROUPN\fR]]] +.RS 4 +A list of supplementary groups which the user is also a member of\&. Each group is separated from the next by a comma, with no intervening whitespace\&. The groups must exist\&. +.sp +If the user is currently a member of a group which is not listed, the user will be removed from the group\&. This behaviour can be changed via the +\fB\-a\fR +option, which appends the user to the current supplementary group list\&. +.RE +.PP +\fB\-l\fR, \fB\-\-login\fR\ \&\fINEW_LOGIN\fR +.RS 4 +The name of the user will be changed from +\fILOGIN\fR +to +\fINEW_LOGIN\fR\&. Nothing else is changed\&. In particular, the user\*(Aqs home directory or mail spool should probably be renamed manually to reflect the new login name\&. +.RE +.PP +\fB\-L\fR, \fB\-\-lock\fR +.RS 4 +Lock a user\*(Aqs password\&. This puts a \*(Aq!\*(Aq in front of the encrypted password, effectively disabling the password\&. You can\*(Aqt use this option with +\fB\-p\fR +or +\fB\-U\fR\&. +.sp +Note: if you wish to lock the account (not only access with a password), you should also set the +\fIEXPIRE_DATE\fR +to +\fI1\fR\&. +.RE +.PP +\fB\-m\fR, \fB\-\-move\-home\fR +.RS 4 +moves the content of the user\*(Aqs home directory to the new location\&. If the current home directory does not exist the new home directory will not be created\&. +.sp +This option is only valid in combination with the +\fB\-d\fR +(or +\fB\-\-home\fR) option\&. +.sp +\fBusermod\fR +will try to adapt the ownership of the files and to copy the modes, ACL and extended attributes, but manual changes might be needed afterwards\&. 
+.RE +.PP +\fB\-o\fR, \fB\-\-non\-unique\fR +.RS 4 +allows to change the user ID to a non\-unique value\&. +.sp +This option is only valid in combination with the +\fB\-u\fR +option\&. As a user identity serves as key to map between users on one hand and permissions, file ownerships and other aspects that determine the system\*(Aqs behavior on the other hand, more than one login name will access the account of the given UID\&. +.RE +.PP +\fB\-p\fR, \fB\-\-password\fR\ \&\fIPASSWORD\fR +.RS 4 +defines a new password for the user\&. PASSWORD is expected to be encrypted, as returned by +\fBcrypt \fR(3)\&. +.sp +\fBNote:\fR +Avoid this option on the command line because the password (or encrypted password) will be visible by users listing the processes\&. +.sp +You should make sure the password respects the system\*(Aqs password policy\&. +.RE +.PP +\fB\-r\fR, \fB\-\-remove\fR +.RS 4 +Remove the user from named supplementary group(s)\&. Use only with the +\fB\-G\fR +option\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-P\fR, \fB\-\-prefix\fR\ \&\fIPREFIX_DIR\fR +.RS 4 +Apply changes within the directory tree starting with +\fIPREFIX_DIR\fR +and use as well the configuration files located there\&. This option does not chroot and is intended for preparing a cross\-compilation target\&. Some limitations: NIS and LDAP users/groups are not verified\&. PAM authentication is using the host files\&. No SELINUX support\&. +.RE +.PP +\fB\-s\fR, \fB\-\-shell\fR\ \&\fISHELL\fR +.RS 4 +changes the user\*(Aqs login shell\&. An empty string for SHELL blanks the field in +/etc/passwd +and logs the user into the system\*(Aqs default shell\&. +.RE +.PP +\fB\-u\fR, \fB\-\-uid\fR\ \&\fIUID\fR +.RS 4 +The new value of the user\*(Aqs ID\&. 
+.sp +This value must be unique, unless the +\fB\-o\fR +option is used\&. The value must be non\-negative\&. +.sp +The user\*(Aqs mailbox, and any files which the user owns and which are located in the user\*(Aqs home directory will have the file user ID changed automatically\&. +.sp +The ownership of files outside of the user\*(Aqs home directory must be fixed manually\&. +.sp +The change of the user ownership of files inside of the user\*(Aqs home directory is also not done if the home dir owner uid is different from the current or new user id\&. This is a safety measure for special home directories such as +/\&. +.sp +No checks will be performed with regard to the +\fBUID_MIN\fR, +\fBUID_MAX\fR, +\fBSYS_UID_MIN\fR, or +\fBSYS_UID_MAX\fR +from +/etc/login\&.defs\&. +.RE +.PP +\fB\-U\fR, \fB\-\-unlock\fR +.RS 4 +Unlock a user\*(Aqs password\&. This removes the \*(Aq!\*(Aq in front of the encrypted password\&. You can\*(Aqt use this option with +\fB\-p\fR +or +\fB\-L\fR\&. +.sp +Note: if you wish to unlock the account (not only access with a password), you should also set the +\fIEXPIRE_DATE\fR +(for example to +\fI99999\fR, or to the +\fBEXPIRE\fR +value from +/etc/default/useradd)\&. +.RE +.PP +\fB\-v\fR, \fB\-\-add\-subuids\fR\ \&\fIFIRST\fR\-\fILAST\fR +.RS 4 +Add a range of subordinate uids to the user\*(Aqs account\&. +.sp +This option may be specified multiple times to add multiple ranges to a user\*(Aqs account\&. +.sp +No checks will be performed with regard to +\fBSUB_UID_MIN\fR, +\fBSUB_UID_MAX\fR, or +\fBSUB_UID_COUNT\fR +from /etc/login\&.defs\&. +.RE +.PP +\fB\-V\fR, \fB\-\-del\-subuids\fR\ \&\fIFIRST\fR\-\fILAST\fR +.RS 4 +Remove a range of subordinate uids from the user\*(Aqs account\&. +.sp +This option may be specified multiple times to remove multiple ranges to a user\*(Aqs account\&. 
When both +\fB\-\-del\-subuids\fR +and +\fB\-\-add\-subuids\fR +are specified, the removal of all subordinate uid ranges happens before any subordinate uid range is added\&. +.sp +No checks will be performed with regard to +\fBSUB_UID_MIN\fR, +\fBSUB_UID_MAX\fR, or +\fBSUB_UID_COUNT\fR +from /etc/login\&.defs\&. +.RE +.PP +\fB\-w\fR, \fB\-\-add\-subgids\fR\ \&\fIFIRST\fR\-\fILAST\fR +.RS 4 +Add a range of subordinate gids to the user\*(Aqs account\&. +.sp +This option may be specified multiple times to add multiple ranges to a user\*(Aqs account\&. +.sp +No checks will be performed with regard to +\fBSUB_GID_MIN\fR, +\fBSUB_GID_MAX\fR, or +\fBSUB_GID_COUNT\fR +from /etc/login\&.defs\&. +.RE +.PP +\fB\-W\fR, \fB\-\-del\-subgids\fR\ \&\fIFIRST\fR\-\fILAST\fR +.RS 4 +Remove a range of subordinate gids from the user\*(Aqs account\&. +.sp +This option may be specified multiple times to remove multiple ranges to a user\*(Aqs account\&. When both +\fB\-\-del\-subgids\fR +and +\fB\-\-add\-subgids\fR +are specified, the removal of all subordinate gid ranges happens before any subordinate gid range is added\&. +.sp +No checks will be performed with regard to +\fBSUB_GID_MIN\fR, +\fBSUB_GID_MAX\fR, or +\fBSUB_GID_COUNT\fR +from /etc/login\&.defs\&. +.RE +.PP +\fB\-Z\fR, \fB\-\-selinux\-user\fR\ \&\fISEUSER\fR +.RS 4 +defines the SELinux user to be mapped with +\fILOGIN\fR\&. An empty string ("") will remove the respective entry (if any)\&. Note that the shadow system doesn\*(Aqt store the selinux\-user, it uses semanage(8) for that\&. +.RE +.SH "CAVEATS" +.PP +You must make certain that the named user is not executing any processes when this command is being executed if the user\*(Aqs numerical user ID, the user\*(Aqs name, or the user\*(Aqs home directory is being changed\&. +\fBusermod\fR +checks this on Linux\&. On other operating systems it only uses utmp to check if the user is logged in\&. 
+.PP +You must change the owner of any +\fBcrontab\fR +files or +\fBat\fR +jobs manually\&. +.PP +You must make any changes involving NIS on the NIS server\&. +.SH "CONFIGURATION" +.PP +The following configuration variables in +/etc/login\&.defs +change the behavior of this tool: +.PP +\fBLASTLOG_UID_MAX\fR (number) +.RS 4 +Highest user ID number for which the lastlog entries should be updated\&. As higher user IDs are usually tracked by remote user identity and authentication services there is no need to create a huge sparse lastlog file for them\&. +.sp +No +\fBLASTLOG_UID_MAX\fR +option present in the configuration means that there is no user ID limit for writing lastlog entries\&. +.RE +.PP +\fBMAIL_DIR\fR (string) +.RS 4 +The mail spool directory\&. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&. The parameter CREATE_MAIL_SPOOL in +/etc/default/useradd +determines whether the mail spool should be created\&. +.RE +.PP +\fBMAIL_FILE\fR (string) +.RS 4 +Defines the location of the users mail spool files relatively to their home directory\&. +.RE +.PP +The +\fBMAIL_DIR\fR +and +\fBMAIL_FILE\fR +variables are used by +\fBuseradd\fR, +\fBusermod\fR, and +\fBuserdel\fR +to create, move, or delete the user\*(Aqs mail spool\&. +.PP +If +\fBMAIL_CHECK_ENAB\fR +is set to +\fIyes\fR, they are also used to define the +\fBMAIL\fR +environment variable\&. +.PP +\fBMAX_MEMBERS_PER_GROUP\fR (number) +.RS 4 +Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in +/etc/group +(with the same name, same password, and same GID)\&. +.sp +The default value is 0, meaning that there are no limits in the number of members in a group\&. +.sp +This feature (split group) permits to limit the length of lines in the group file\&. This is useful to make sure that lines for NIS groups are not larger than 1024 characters\&. 
+.sp +If you need to enforce such limit, you can use 25\&. +.sp +Note: split groups may not be supported by all tools (even in the Shadow toolsuite)\&. You should not use this variable unless you really need it\&. +.RE +.PP +\fBSUB_GID_MIN\fR (number), \fBSUB_GID_MAX\fR (number), \fBSUB_GID_COUNT\fR (number) +.RS 4 +If +/etc/subuid +exists, the commands +\fBuseradd\fR +and +\fBnewusers\fR +(unless the user already have subordinate group IDs) allocate +\fBSUB_GID_COUNT\fR +unused group IDs from the range +\fBSUB_GID_MIN\fR +to +\fBSUB_GID_MAX\fR +for each new user\&. +.sp +The default values for +\fBSUB_GID_MIN\fR, +\fBSUB_GID_MAX\fR, +\fBSUB_GID_COUNT\fR +are respectively 100000, 600100000 and 65536\&. +.RE +.PP +\fBSUB_UID_MIN\fR (number), \fBSUB_UID_MAX\fR (number), \fBSUB_UID_COUNT\fR (number) +.RS 4 +If +/etc/subuid +exists, the commands +\fBuseradd\fR +and +\fBnewusers\fR +(unless the user already have subordinate user IDs) allocate +\fBSUB_UID_COUNT\fR +unused user IDs from the range +\fBSUB_UID_MIN\fR +to +\fBSUB_UID_MAX\fR +for each new user\&. +.sp +The default values for +\fBSUB_UID_MIN\fR, +\fBSUB_UID_MAX\fR, +\fBSUB_UID_COUNT\fR +are respectively 100000, 600100000 and 65536\&. +.RE +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account informatio\&. +.RE +.PP +/etc/login\&.defs +.RS 4 +Shadow password suite configuration +.RE +.PP +/etc/passwd +.RS 4 +User account information +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information +.RE +.PP +/etc/subgid +.RS 4 +Per user subordinate group IDs +.RE +.PP +/etc/subuid +.RS 4 +Per user subordinate user IDs +.RE +.SH "SEE ALSO" +.PP +\fBchfn\fR(1), +\fBchsh\fR(1), +\fBpasswd\fR(1), +\fBcrypt\fR(3), +\fBgpasswd\fR(8), +\fBgroupadd\fR(8), +\fBgroupdel\fR(8), +\fBgroupmod\fR(8), +\fBlogin.defs\fR(5), +\fBsubgid\fR(5), \fBsubuid\fR(5), +\fBuseradd\fR(8), +\fBuserdel\fR(8)\&. 
diff --git a/man/man8/vigr.8 b/man/man8/vigr.8
new file mode 100644
index 0000000..ff72d7a
--- /dev/null
+++ b/man/man8/vigr.8
@@ -0,0 +1 @@
+.so man8/vipw.8
diff --git a/man/man8/vipw.8 b/man/man8/vipw.8
new file mode 100644
index 0000000..d686fdd
--- /dev/null
+++ b/man/man8/vipw.8
@@ -0,0 +1,137 @@ +'\" t +.\" Title: vipw +.\" Author: Marek Michałkiewicz +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 11/08/2022 +.\" Manual: System Management Commands +.\" Source: shadow-utils 4.13 +.\" Language: English +.\" +.TH "VIPW" "8" "11/08/2022" "shadow\-utils 4\&.13" "System Management Commands" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +vipw, vigr \- edit the password, group, shadow\-password or shadow\-group file +.SH "SYNOPSIS" +.HP \w'\fBvipw\fR\ 'u +\fBvipw\fR [\fIoptions\fR] +.HP \w'\fBvigr\fR\ 'u +\fBvigr\fR [\fIoptions\fR] +.SH "DESCRIPTION" +.PP +The +\fBvipw\fR +and +\fBvigr\fR +commands edits the files +/etc/passwd +and +/etc/group, respectively\&. With the +\fB\-s\fR +flag, they will edit the shadow versions of those files, +/etc/shadow +and +/etc/gshadow, respectively\&. The programs will set the appropriate locks to prevent file corruption\&. When looking for an editor, the programs will first try the environment variable +\fB$VISUAL\fR, then the environment variable +\fB$EDITOR\fR, and finally the default editor, +\fBvi\fR(1)\&. 
+.SH "OPTIONS" +.PP +The options which apply to the +\fBvipw\fR +and +\fBvigr\fR +commands are: +.PP +\fB\-g\fR, \fB\-\-group\fR +.RS 4 +Edit group database\&. +.RE +.PP +\fB\-h\fR, \fB\-\-help\fR +.RS 4 +Display help message and exit\&. +.RE +.PP +\fB\-p\fR, \fB\-\-passwd\fR +.RS 4 +Edit passwd database\&. +.RE +.PP +\fB\-q\fR, \fB\-\-quiet\fR +.RS 4 +Quiet mode\&. +.RE +.PP +\fB\-R\fR, \fB\-\-root\fR\ \&\fICHROOT_DIR\fR +.RS 4 +Apply changes in the +\fICHROOT_DIR\fR +directory and use the configuration files from the +\fICHROOT_DIR\fR +directory\&. Only absolute paths are supported\&. +.RE +.PP +\fB\-s\fR, \fB\-\-shadow\fR +.RS 4 +Edit shadow or gshadow database\&. +.RE +.SH "ENVIRONMENT" +.PP +\fBVISUAL\fR +.RS 4 +Editor to be used\&. +.RE +.PP +\fBEDITOR\fR +.RS 4 +Editor to be used if +\fBVISUAL\fR +is not set\&. +.RE +.SH "FILES" +.PP +/etc/group +.RS 4 +Group account information\&. +.RE +.PP +/etc/gshadow +.RS 4 +Secure group account information\&. +.RE +.PP +/etc/passwd +.RS 4 +User account information\&. +.RE +.PP +/etc/shadow +.RS 4 +Secure user account information\&. +.RE +.SH "SEE ALSO" +.PP +\fBvi\fR(1), +\fBgroup\fR(5), +\fBgshadow\fR(5) +, +\fBpasswd\fR(5), , +\fBshadow\fR(5)\&. |