author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:54:37 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:54:37 +0000 |
commit | 97c26c1924b076ef23ebe4381558e8aa025712b2 (patch) | |
tree | 109724175f07436696f51b14b5abbd3f4d704d6d /man/login.defs.d | |
parent | Initial commit. (diff) | |
Adding upstream version 1:4.13+dfsg1.upstream/1%4.13+dfsg1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
67 files changed, 1350 insertions, 0 deletions
diff --git a/man/login.defs.d/CHFN_AUTH.xml b/man/login.defs.d/CHFN_AUTH.xml
new file mode 100644
index 0000000..771fb0b
--- /dev/null
+++ b/man/login.defs.d/CHFN_AUTH.xml
@@ -0,0 +1,16 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>CHFN_AUTH</option> (boolean)</term>
+ <listitem>
+ <para>
+ If <replaceable>yes</replaceable>, the <command>chfn</command>
+ program will require authentication before making any changes,
+ unless run by the superuser.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/CHFN_RESTRICT.xml b/man/login.defs.d/CHFN_RESTRICT.xml
new file mode 100644
index 0000000..a00ab3c
--- /dev/null
+++ b/man/login.defs.d/CHFN_RESTRICT.xml
@@ -0,0 +1,27 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>CHFN_RESTRICT</option> (string)</term>
+ <listitem>
+ <para>
+ This parameter specifies which values in the <emphasis
+ remap='I'>gecos</emphasis> field of the
+ <filename>/etc/passwd</filename> file may be changed by regular
+ users using the <command>chfn</command> program. It can be any
+ combination of letters <replaceable>f</replaceable>,
+ <replaceable>r</replaceable>, <replaceable>w</replaceable>,
+ <replaceable>h</replaceable>, for Full name, Room number, Work
+ phone, and Home phone, respectively. For backward compatibility,
+ <replaceable>yes</replaceable> is equivalent to
+ <replaceable>rwh</replaceable> and <replaceable>no</replaceable> is
+ equivalent to <replaceable>frwh</replaceable>. If not specified,
+ only the superuser can make any changes. The most restrictive
+ setting is better achieved by not installing <command>chfn</command>
+ SUID.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/CHSH_AUTH.xml b/man/login.defs.d/CHSH_AUTH.xml
new file mode 100644
index 0000000..c690d2d
--- /dev/null
+++ b/man/login.defs.d/CHSH_AUTH.xml
@@ -0,0 +1,16 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>CHSH_AUTH</option> (boolean)</term>
+ <listitem>
+ <para>
+ If <replaceable>yes</replaceable>, the <command>chsh</command>
+ program will require authentication before making any changes,
+ unless run by the superuser.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/CONSOLE.xml b/man/login.defs.d/CONSOLE.xml
new file mode 100644
index 0000000..1d0fefc
--- /dev/null
+++ b/man/login.defs.d/CONSOLE.xml
@@ -0,0 +1,22 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>CONSOLE</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, either full pathname of a file containing device names
+ (one per line) or a ":" delimited list of device names. Root logins will be
+ allowed only upon these devices.
+ </para>
+ <para>
+ If not defined, root will be allowed on any device.
+ </para>
+ <para>
+ The device should be specified without the /dev/ prefix.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/CONSOLE_GROUPS.xml b/man/login.defs.d/CONSOLE_GROUPS.xml
new file mode 100644
index 0000000..0fd874c
--- /dev/null
+++ b/man/login.defs.d/CONSOLE_GROUPS.xml
@@ -0,0 +1,20 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>CONSOLE_GROUPS</option> (string)</term>
+ <listitem>
+ <para>
+ List of groups to add to the user's supplementary groups set when
+ logging in on the console (as determined by the CONSOLE setting).
+ Default is none.
+ <para>
+ </para>
+ Use with caution - it is possible for users to gain permanent access
+ to these groups, even when not logged in on the console.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/CREATE_HOME.xml b/man/login.defs.d/CREATE_HOME.xml
new file mode 100644
index 0000000..769c968
--- /dev/null
+++ b/man/login.defs.d/CREATE_HOME.xml
@@ -0,0 +1,17 @@
+<!--
+ SPDX-FileCopyrightText: 2009 , Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>CREATE_HOME</option> (boolean)</term>
+ <listitem>
+ <para>
+ Indicate if a home directory should be created by default for new
+ users.
+ </para>
+ <para>
+ This setting does not apply to system users, and can be overridden on
+ the command line.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/DEFAULT_HOME.xml b/man/login.defs.d/DEFAULT_HOME.xml
new file mode 100644
index 0000000..b5944c1
--- /dev/null
+++ b/man/login.defs.d/DEFAULT_HOME.xml
@@ -0,0 +1,20 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>DEFAULT_HOME</option> (boolean)</term>
+ <listitem>
+ <para>
+ Indicate if login is allowed if we can't cd to the home directory.
+ Default is no.
+ </para>
+ <para>
+ If set to <replaceable>yes</replaceable>, the user will login in
+ the root (<filename>/</filename>) directory if it is not possible to
+ cd to her home directory.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/ENCRYPT_METHOD.xml b/man/login.defs.d/ENCRYPT_METHOD.xml
new file mode 100644
index 0000000..85dd79b
--- /dev/null
+++ b/man/login.defs.d/ENCRYPT_METHOD.xml
@@ -0,0 +1,33 @@
+<!--
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>ENCRYPT_METHOD</option> (string)</term>
+ <listitem>
+ <para>
+ This defines the system default encryption algorithm for encrypting
+ passwords (if no algorithm are specified on the command line).
+ </para>
+ <para>
+ It can take one of these values:
+ <replaceable>DES</replaceable> (default),
+ <replaceable>MD5</replaceable><phrase condition="sha_crypt">,
+ <replaceable>SHA256</replaceable>,
+ <replaceable>SHA512</replaceable></phrase>.
+ MD5 and DES should not be used for new hashes, see
+ <refentrytitle>crypt</refentrytitle><manvolnum>5</manvolnum>
+ for recommendations.
+ </para>
+ <para>
+ Note: this parameter overrides the <option>MD5_CRYPT_ENAB</option>
+ variable.
+ </para>
+ <para condition="pam">
+ Note: This only affect the generation of group passwords.
+ The generation of user passwords is done by PAM and subject to the
+ PAM configuration. It is recommended to set this variable
+ consistently with the PAM configuration.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/ENVIRON_FILE.xml b/man/login.defs.d/ENVIRON_FILE.xml
new file mode 100644
index 0000000..f27f538
--- /dev/null
+++ b/man/login.defs.d/ENVIRON_FILE.xml
@@ -0,0 +1,18 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>ENVIRON_FILE</option> (string)</term>
+ <listitem>
+ <para>
+ If this file exists and is readable, login environment will be
+ read from it. Every line should be in the form name=value.
+ </para>
+ <para>
+ Lines starting with a # are treated as comment lines and ignored.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/ENV_HZ.xml b/man/login.defs.d/ENV_HZ.xml
new file mode 100644
index 0000000..daf1752
--- /dev/null
+++ b/man/login.defs.d/ENV_HZ.xml
@@ -0,0 +1,23 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <!-- XXX: When compiled with PAM support, only sulogin uses ENV_HZ -->
+ <term><option>ENV_HZ</option> (string)</term>
+ <listitem>
+ <para>
+ If set, it will be used to define the HZ environment variable when
+ a user login. The value must be preceded by
+ <replaceable>HZ=</replaceable>. A common value on Linux is
+ <replaceable>HZ=100</replaceable>.
+ </para>
+ <para condition="pam">
+ The <envar>HZ</envar> environment variable is only set when the user
+ (the superuser) logs in with <command>sulogin</command>.
+ </para>
+ <!-- TODO: it can in fact be used to set any other variable-->
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/ENV_PATH.xml b/man/login.defs.d/ENV_PATH.xml
new file mode 100644
index 0000000..633ed81
--- /dev/null
+++ b/man/login.defs.d/ENV_PATH.xml
@@ -0,0 +1,19 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>ENV_PATH</option> (string)</term>
+ <listitem>
+ <para>
+ If set, it will be used to define the PATH environment variable when
+ a regular user login. The value is a colon separated list of paths
+ (for example <replaceable>/bin:/usr/bin</replaceable>) and can be
+ preceded by <replaceable>PATH=</replaceable>. The default value is
+ <replaceable>PATH=/bin:/usr/bin</replaceable>.
+ </para>
+ <!-- TODO: it can in fact be used to set any other variable-->
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/ENV_SUPATH.xml b/man/login.defs.d/ENV_SUPATH.xml
new file mode 100644
index 0000000..d34298b
--- /dev/null
+++ b/man/login.defs.d/ENV_SUPATH.xml
@@ -0,0 +1,20 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>ENV_SUPATH</option> (string)</term>
+ <listitem>
+ <para>
+ If set, it will be used to define the PATH environment variable when
+ the superuser login. The value is a colon separated list of paths
+ (for example
+ <replaceable>/sbin:/bin:/usr/sbin:/usr/bin</replaceable>) and can be
+ preceded by <replaceable>PATH=</replaceable>. The default value is
+ <replaceable>PATH=/sbin:/bin:/usr/sbin:/usr/bin</replaceable>.
+ </para>
+ <!-- TODO: it can in fact be used to set any other variable-->
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/ENV_TZ.xml b/man/login.defs.d/ENV_TZ.xml
new file mode 100644
index 0000000..04d208e
--- /dev/null
+++ b/man/login.defs.d/ENV_TZ.xml
@@ -0,0 +1,24 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>ENV_TZ</option> (string)</term>
+ <listitem>
+ <para>
+ If set, it will be used to define the TZ environment variable when
+ a user login. The value can be the name of a timezone preceded by
+ <replaceable>TZ=</replaceable> (for example
+ <replaceable>TZ=CST6CDT</replaceable>), or the full path to the file
+ containing the timezone specification (for example
+ <filename>/etc/tzname</filename>).
+ </para>
+ <!-- TODO: it can in fact be used to set any other variable-->
+ <para>
+ If a full path is specified but the file does not exist or cannot be
+ read, the default is to use <replaceable>TZ=CST6CDT</replaceable>.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/ERASECHAR.xml b/man/login.defs.d/ERASECHAR.xml
new file mode 100644
index 0000000..42cbfcf
--- /dev/null
+++ b/man/login.defs.d/ERASECHAR.xml
@@ -0,0 +1,19 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>ERASECHAR</option> (number)</term>
+ <listitem>
+ <para>
+ Terminal ERASE character (<replaceable>010</replaceable> =
+ backspace, <replaceable>0177</replaceable> = DEL).
+ </para>
+ <para>
+ The value can be prefixed "0" for an octal value, or "0x" for an
+ hexadecimal value.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/FAILLOG_ENAB.xml b/man/login.defs.d/FAILLOG_ENAB.xml
new file mode 100644
index 0000000..e4bff21
--- /dev/null
+++ b/man/login.defs.d/FAILLOG_ENAB.xml
@@ -0,0 +1,15 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>FAILLOG_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable logging and display of <filename>/var/log/faillog</filename>
+ login failure info.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/FAIL_DELAY.xml b/man/login.defs.d/FAIL_DELAY.xml
new file mode 100644
index 0000000..fea7862
--- /dev/null
+++ b/man/login.defs.d/FAIL_DELAY.xml
@@ -0,0 +1,15 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>FAIL_DELAY</option> (number)</term>
+ <listitem>
+ <para>
+ Delay in seconds before being allowed another attempt after a login
+ failure.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/FAKE_SHELL.xml b/man/login.defs.d/FAKE_SHELL.xml
new file mode 100644
index 0000000..4c596b3
--- /dev/null
+++ b/man/login.defs.d/FAKE_SHELL.xml
@@ -0,0 +1,15 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>FAKE_SHELL</option> (string)</term>
+ <listitem>
+ <para>
+ If set, <command>login</command> will execute this shell instead of
+ the users' shell specified in <filename>/etc/passwd</filename>.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/FTMP_FILE.xml b/man/login.defs.d/FTMP_FILE.xml
new file mode 100644
index 0000000..930f9a3
--- /dev/null
+++ b/man/login.defs.d/FTMP_FILE.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>FTMP_FILE</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, login failures will be logged in this file in a utmp format.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/GID_MAX.xml b/man/login.defs.d/GID_MAX.xml
new file mode 100644
index 0000000..b051e5f
--- /dev/null
+++ b/man/login.defs.d/GID_MAX.xml
@@ -0,0 +1,21 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>GID_MAX</option> (number)</term>
+ <term><option>GID_MIN</option> (number)</term>
+ <listitem>
+ <para>
+ Range of group IDs used for the creation of regular groups by
+ <command>useradd</command>, <command>groupadd</command>, or
+ <command>newusers</command>.
+ </para>
+ <para>
+ The default value for <option>GID_MIN</option> (resp.
+ <option>GID_MAX</option>) is 1000 (resp. 60000).
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/HMAC_CRYPTO_ALGO.xml b/man/login.defs.d/HMAC_CRYPTO_ALGO.xml
new file mode 100644
index 0000000..3aa3370
--- /dev/null
+++ b/man/login.defs.d/HMAC_CRYPTO_ALGO.xml
@@ -0,0 +1,20 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>HMAC_CRYPTO_ALGO</option> (string)</term>
+ <listitem>
+ <para>
+ Used to select the HMAC cryptography algorithm that the pam_timestamp
+ module is going to use to calculate the keyed-hash message authentication
+ code.
+ </para>
+ <para>
+ Note: Check <refentrytitle>hmac</refentrytitle><manvolnum>3</manvolnum>
+ to see the possible algorithms that are available in your system.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/HOME_MODE.xml b/man/login.defs.d/HOME_MODE.xml
new file mode 100644
index 0000000..1be69d9
--- /dev/null
+++ b/man/login.defs.d/HOME_MODE.xml
@@ -0,0 +1,19 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>HOME_MODE</option> (number)</term>
+ <listitem>
+ <para>
+ The mode for new home directories. If not specified,
+ the <option>UMASK</option> is used to create the mode.
+ </para>
+ <para>
+ <command>useradd</command> and <command>newusers</command> use this
+ to set the mode of the home directory they create.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/HUSHLOGIN_FILE.xml b/man/login.defs.d/HUSHLOGIN_FILE.xml
new file mode 100644
index 0000000..84c82fa
--- /dev/null
+++ b/man/login.defs.d/HUSHLOGIN_FILE.xml
@@ -0,0 +1,18 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>HUSHLOGIN_FILE</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, this file can inhibit all the usual chatter during the
+ login sequence. If a full pathname is specified, then hushed mode
+ will be enabled if the user's name or shell are found in the file.
+ If not a full pathname, then hushed mode will be enabled if the file
+ exists in the user's home directory.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/ISSUE_FILE.xml b/man/login.defs.d/ISSUE_FILE.xml
new file mode 100644
index 0000000..b1d2c3e
--- /dev/null
+++ b/man/login.defs.d/ISSUE_FILE.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>ISSUE_FILE</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, this file will be displayed before each login prompt.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/KILLCHAR.xml b/man/login.defs.d/KILLCHAR.xml
new file mode 100644
index 0000000..b73cc2d
--- /dev/null
+++ b/man/login.defs.d/KILLCHAR.xml
@@ -0,0 +1,18 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>KILLCHAR</option> (number)</term>
+ <listitem>
+ <para>
+ Terminal KILL character (<replaceable>025</replaceable> = CTRL/U).
+ </para>
+ <para>
+ The value can be prefixed "0" for an octal value, or "0x" for an
+ hexadecimal value.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/LASTLOG_ENAB.xml b/man/login.defs.d/LASTLOG_ENAB.xml
new file mode 100644
index 0000000..9603096
--- /dev/null
+++ b/man/login.defs.d/LASTLOG_ENAB.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>LASTLOG_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable logging and display of /var/log/lastlog login time info.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/LASTLOG_UID_MAX.xml b/man/login.defs.d/LASTLOG_UID_MAX.xml
new file mode 100644
index 0000000..38ad310
--- /dev/null
+++ b/man/login.defs.d/LASTLOG_UID_MAX.xml
@@ -0,0 +1,22 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-FileCopyrightText: 2018, Red Hat, inc.
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>LASTLOG_UID_MAX</option> (number)</term>
+ <listitem>
+ <para>
+ Highest user ID number for which the lastlog entries should be
+ updated. As higher user IDs are usually tracked by remote user
+ identity and authentication services there is no need to create
+ a huge sparse lastlog file for them.
+ </para>
+ <para>
+ No <option>LASTLOG_UID_MAX</option> option present in the configuration
+ means that there is no user ID limit for writing lastlog entries.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/LOGIN_RETRIES.xml b/man/login.defs.d/LOGIN_RETRIES.xml
new file mode 100644
index 0000000..ba0b05a
--- /dev/null
+++ b/man/login.defs.d/LOGIN_RETRIES.xml
@@ -0,0 +1,20 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>LOGIN_RETRIES</option> (number)</term>
+ <listitem>
+ <para>
+ Maximum number of login retries in case of bad password.
+ </para>
+ <para condition="pam">
+ This will most likely be overridden by PAM, since the default
+ pam_unix module has its own built in of 3 retries. However, this is
+ a safe fallback in case you are using an authentication module that
+ does not enforce PAM_MAXTRIES.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/LOGIN_STRING.xml b/man/login.defs.d/LOGIN_STRING.xml
new file mode 100644
index 0000000..12183c8
--- /dev/null
+++ b/man/login.defs.d/LOGIN_STRING.xml
@@ -0,0 +1,20 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>LOGIN_STRING</option> (string)</term>
+ <listitem>
+ <para>
+ The string used for prompting a password. The default is to use
+ "Password: ", or a translation of that string. If you set this
+ variable, the prompt will not be translated.
+ </para>
+ <para>
+ If the string contains <replaceable>%s</replaceable>, this will be
+ replaced by the user's name.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/LOGIN_TIMEOUT.xml b/man/login.defs.d/LOGIN_TIMEOUT.xml
new file mode 100644
index 0000000..af20462
--- /dev/null
+++ b/man/login.defs.d/LOGIN_TIMEOUT.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>LOGIN_TIMEOUT</option> (number)</term>
+ <listitem>
+ <para>
+ Max time in seconds for login.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/LOG_OK_LOGINS.xml b/man/login.defs.d/LOG_OK_LOGINS.xml
new file mode 100644
index 0000000..35b13e9
--- /dev/null
+++ b/man/login.defs.d/LOG_OK_LOGINS.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>LOG_OK_LOGINS</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable logging of successful logins.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/LOG_UNKFAIL_ENAB.xml b/man/login.defs.d/LOG_UNKFAIL_ENAB.xml
new file mode 100644
index 0000000..040382c
--- /dev/null
+++ b/man/login.defs.d/LOG_UNKFAIL_ENAB.xml
@@ -0,0 +1,19 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>LOG_UNKFAIL_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable display of unknown usernames when login failures are
+ recorded.
+ </para>
+ <para>
+ Note: logging unknown usernames may be a security issue if an user
+ enter her password instead of her login name.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/MAIL_CHECK_ENAB.xml b/man/login.defs.d/MAIL_CHECK_ENAB.xml
new file mode 100644
index 0000000..584f328
--- /dev/null
+++ b/man/login.defs.d/MAIL_CHECK_ENAB.xml
@@ -0,0 +1,18 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>MAIL_CHECK_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable checking and display of mailbox status upon login.
+ </para>
+ <para>
+ You should disable it if the shell startup files already check for
+ mail ("mailx -e" or equivalent).
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/MAIL_DIR.xml b/man/login.defs.d/MAIL_DIR.xml
new file mode 100644
index 0000000..328ebb8
--- /dev/null
+++ b/man/login.defs.d/MAIL_DIR.xml
@@ -0,0 +1,38 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>MAIL_DIR</option> (string)</term>
+ <listitem>
+ <para>
+ The mail spool directory. This is needed to manipulate the mailbox
+ when its corresponding user account is modified or deleted. If not
+ specified, a compile-time default is used.
+ The parameter CREATE_MAIL_SPOOL in <filename>/etc/default/useradd</filename>
+ determines whether the mail spool should be created.
+ </para>
+ </listitem>
+</varlistentry><varlistentry>
+ <term><option>MAIL_FILE</option> (string)</term>
+ <listitem>
+ <para>
+ Defines the location of the users mail spool files relatively to
+ their home directory.
+ </para>
+ </listitem>
+</varlistentry>
+<!-- FIXME: MAIL_FILE not used in useradd -->
+<para>
+ The <option>MAIL_DIR</option> and <option>MAIL_FILE</option> variables
+ are used by <command>useradd</command>, <command>usermod</command>, and
+ <command>userdel</command> to create, move, or delete the user's mail
+ spool.
+</para>
+<para condition="no_pam">
+ If <option>MAIL_CHECK_ENAB</option> is set to
+ <replaceable>yes</replaceable>, they are also used to define the
+ <envar>MAIL</envar> environment variable.
+</para>
diff --git a/man/login.defs.d/MAX_MEMBERS_PER_GROUP.xml b/man/login.defs.d/MAX_MEMBERS_PER_GROUP.xml
new file mode 100644
index 0000000..345cdb3
--- /dev/null
+++ b/man/login.defs.d/MAX_MEMBERS_PER_GROUP.xml
@@ -0,0 +1,33 @@
+<!--
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>MAX_MEMBERS_PER_GROUP</option> (number)</term>
+ <listitem>
+ <para>
+ Maximum members per group entry. When the maximum is reached, a new
+ group entry (line) is started in <filename>/etc/group</filename>
+ (with the same name, same password, and same GID).
+ </para>
+ <para>
+ The default value is 0, meaning that there are no limits in the
+ number of members in a group.
+ </para>
+ <!-- Note: on HP, split groups have the same ID, but different
+ names. -->
+ <para>
+ This feature (split group) permits to limit the length of lines in
+ the group file. This is useful to make sure that lines for NIS
+ groups are not larger than 1024 characters.
+ </para>
+ <para>
+ If you need to enforce such limit, you can use 25.
+ </para>
+ <para>
+ Note: split groups may not be supported by all tools (even in the
+ Shadow toolsuite). You should not use this variable unless you really
+ need it.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/MD5_CRYPT_ENAB.xml b/man/login.defs.d/MD5_CRYPT_ENAB.xml
new file mode 100644
index 0000000..94006a6
--- /dev/null
+++ b/man/login.defs.d/MD5_CRYPT_ENAB.xml
@@ -0,0 +1,36 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>MD5_CRYPT_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Indicate if passwords must be encrypted using the MD5-based
+ algorithm. If set to <replaceable>yes</replaceable>, new passwords
+ will be encrypted using the MD5-based algorithm compatible with the
+ one used by recent releases of FreeBSD. It supports passwords of
+ unlimited length and longer salt strings. Set to
+ <replaceable>no</replaceable> if you need to copy encrypted
+ passwords to other systems which don't understand the new algorithm.
+ Default is <replaceable>no</replaceable>.
+ </para>
+ <para>
+ This variable is superseded by the <option>ENCRYPT_METHOD</option>
+ variable or by any command line option used to configure the
+ encryption algorithm.
+ </para>
+ <para>
+ This variable is deprecated. You should use
+ <option>ENCRYPT_METHOD</option>.
+ </para>
+ <para condition="pam">
+ Note: This only affect the generation of group passwords.
+ The generation of user passwords is done by PAM and subject to the
+ PAM configuration. It is recommended to set this variable
+ consistently with the PAM configuration.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/MOTD_FILE.xml b/man/login.defs.d/MOTD_FILE.xml
new file mode 100644
index 0000000..f7350e8
--- /dev/null
+++ b/man/login.defs.d/MOTD_FILE.xml
@@ -0,0 +1,15 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>MOTD_FILE</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, ":" delimited list of "message of the day" files to be
+ displayed upon login.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/NOLOGINS_FILE.xml b/man/login.defs.d/NOLOGINS_FILE.xml
new file mode 100644
index 0000000..41be5f8
--- /dev/null
+++ b/man/login.defs.d/NOLOGINS_FILE.xml
@@ -0,0 +1,16 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>NOLOGINS_FILE</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, name of file whose presence will inhibit non-root
+ logins. The contents of this file should be a message indicating
+ why logins are inhibited.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/NONEXISTENT.xml b/man/login.defs.d/NONEXISTENT.xml
new file mode 100644
index 0000000..e6484ec
--- /dev/null
+++ b/man/login.defs.d/NONEXISTENT.xml
@@ -0,0 +1,17 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>NONEXISTENT</option> (string)</term>
+ <listitem>
+ <para>
+ If a system account intentionally does not have a home directory
+ that exists, this string can be provided in the /etc/passwd
+ entry for the account to indicate this. The result is that pwck
+ will not emit a spurious warning for this account.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/OBSCURE_CHECKS_ENAB.xml b/man/login.defs.d/OBSCURE_CHECKS_ENAB.xml
new file mode 100644
index 0000000..9215790
--- /dev/null
+++ b/man/login.defs.d/OBSCURE_CHECKS_ENAB.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>OBSCURE_CHECKS_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable additional checks upon password changes.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/PASS_ALWAYS_WARN.xml b/man/login.defs.d/PASS_ALWAYS_WARN.xml
new file mode 100644
index 0000000..3eb224a
--- /dev/null
+++ b/man/login.defs.d/PASS_ALWAYS_WARN.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>PASS_ALWAYS_WARN</option> (boolean)</term>
+ <listitem>
+ <para>
+ Warn about weak passwords (but still allow them) if you are root.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/PASS_CHANGE_TRIES.xml b/man/login.defs.d/PASS_CHANGE_TRIES.xml
new file mode 100644
index 0000000..f3fa0ac
--- /dev/null
+++ b/man/login.defs.d/PASS_CHANGE_TRIES.xml
@@ -0,0 +1,15 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>PASS_CHANGE_TRIES</option> (number)</term>
+ <listitem>
+ <para>
+ Maximum number of attempts to change password if rejected (too
+ easy).
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/PASS_MAX_DAYS.xml b/man/login.defs.d/PASS_MAX_DAYS.xml
new file mode 100644
index 0000000..7f7061b
--- /dev/null
+++ b/man/login.defs.d/PASS_MAX_DAYS.xml
@@ -0,0 +1,16 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>PASS_MAX_DAYS</option> (number)</term>
+ <listitem>
+ <para>
+ The maximum number of days a password may be used. If the password
+ is older than this, a password change will be forced. If not
+ specified, -1 will be assumed (which disables the restriction).
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/PASS_MAX_LEN.xml b/man/login.defs.d/PASS_MAX_LEN.xml
new file mode 100644
index 0000000..2e14583
--- /dev/null
+++ b/man/login.defs.d/PASS_MAX_LEN.xml
@@ -0,0 +1,19 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>PASS_MAX_LEN</option> (number)</term>
+ <term><option>PASS_MIN_LEN</option> (number)</term>
+ <listitem>
+ <para>
+ Number of significant characters in the password for crypt().
+ <option>PASS_MAX_LEN</option> is 8 by default. Don't change unless
+ your crypt() is better. This is ignored if
+ <option>MD5_CRYPT_ENAB</option> set to
+ <replaceable>yes</replaceable>.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/PASS_MIN_DAYS.xml b/man/login.defs.d/PASS_MIN_DAYS.xml
new file mode 100644
index 0000000..c35cbb1
--- /dev/null
+++ b/man/login.defs.d/PASS_MIN_DAYS.xml
@@ -0,0 +1,16 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>PASS_MIN_DAYS</option> (number)</term>
+ <listitem>
+ <para>
+ The minimum number of days allowed between password changes. Any
+ password changes attempted sooner than this will be rejected. If not
+ specified, 0 will be assumed (which disables the restriction).
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/PASS_WARN_AGE.xml b/man/login.defs.d/PASS_WARN_AGE.xml
new file mode 100644
index 0000000..0feeb7e
--- /dev/null
+++ b/man/login.defs.d/PASS_WARN_AGE.xml
@@ -0,0 +1,17 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>PASS_WARN_AGE</option> (number)</term>
+ <listitem>
+ <para>
+ The number of days warning given before a password expires. A zero
+ means warning is given only upon the day of expiration, a negative
+ value means no warning is given. If not specified, no warning will
+ be provided.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/PORTTIME_CHECKS_ENAB.xml b/man/login.defs.d/PORTTIME_CHECKS_ENAB.xml
new file mode 100644
index 0000000..78d683b
--- /dev/null
+++ b/man/login.defs.d/PORTTIME_CHECKS_ENAB.xml
@@ -0,0 +1,15 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>PORTTIME_CHECKS_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable checking of time restrictions specified in
+ <filename>/etc/porttime</filename>.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/QUOTAS_ENAB.xml b/man/login.defs.d/QUOTAS_ENAB.xml
new file mode 100644
index 0000000..f85d7d0
--- /dev/null
+++ b/man/login.defs.d/QUOTAS_ENAB.xml
@@ -0,0 +1,16 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2011, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>QUOTAS_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable setting of resource limits from
+ <filename>/etc/limits</filename> and ulimit, umask, and niceness
+ from the user's passwd gecos field.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml b/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml
new file mode 100644
index 0000000..43972d7
--- /dev/null
+++ b/man/login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml
@@ -0,0 +1,45 @@
+<!--
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="sha_crypt">
+ <term><option>SHA_CRYPT_MIN_ROUNDS</option> (number)</term>
+ <term><option>SHA_CRYPT_MAX_ROUNDS</option> (number)</term>
+ <listitem>
+ <para>
+ When <option>ENCRYPT_METHOD</option> is set to
+ <replaceable>SHA256</replaceable> or
+ <replaceable>SHA512</replaceable>, this defines the number of SHA
+ rounds used by the encryption algorithm by default (when the number
+ of rounds is not specified on the command line).
+ </para>
+ <para>
+ With a lot of rounds, it is more difficult to brute forcing the
+ password. But note also that more CPU resources will be needed to
+ authenticate users.
+ </para>
+ <para>
+ If not specified, the libc will choose the default number of rounds
+ (5000), which is orders of magnitude too low for modern hardware.
+ </para>
+ <para>
+ The values must be inside the 1000-999,999,999 range.
+ </para>
+ <para>
+ If only one of the <option>SHA_CRYPT_MIN_ROUNDS</option> or
+ <option>SHA_CRYPT_MAX_ROUNDS</option> values is set, then this value
+ will be used.
+ </para>
+ <para>
+ If <option>SHA_CRYPT_MIN_ROUNDS</option> >
+ <option>SHA_CRYPT_MAX_ROUNDS</option>, the highest value will be
+ used.
+ </para>
+ <para condition="pam">
+ Note: This only affect the generation of group passwords.
+ The generation of user passwords is done by PAM and subject to the
+ PAM configuration. It is recommended to set this variable
+ consistently with the PAM configuration.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SUB_GID_COUNT.xml b/man/login.defs.d/SUB_GID_COUNT.xml
new file mode 100644
index 0000000..4eb5078
--- /dev/null
+++ b/man/login.defs.d/SUB_GID_COUNT.xml
@@ -0,0 +1,24 @@
+<!--
+ SPDX-FileCopyrightText: 2013, Eric W. Biederman
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="subids">
+ <term><option>SUB_GID_MIN</option> (number)</term>
+ <term><option>SUB_GID_MAX</option> (number)</term>
+ <term><option>SUB_GID_COUNT</option> (number)</term>
+ <listitem>
+ <para>
+ If <filename>/etc/subuid</filename> exists, the commands
+ <command>useradd</command> and <command>newusers</command> (unless
+ the user already have subordinate group IDs) allocate
+ <option>SUB_GID_COUNT</option> unused group IDs from the range
+ <option>SUB_GID_MIN</option> to <option>SUB_GID_MAX</option> for each
+ new user.
+ </para>
+ <para>
+ The default values for <option>SUB_GID_MIN</option>,
+ <option>SUB_GID_MAX</option>, <option>SUB_GID_COUNT</option>
+ are respectively 100000, 600100000 and 65536.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SUB_UID_COUNT.xml b/man/login.defs.d/SUB_UID_COUNT.xml
new file mode 100644
index 0000000..90bead5
--- /dev/null
+++ b/man/login.defs.d/SUB_UID_COUNT.xml
@@ -0,0 +1,24 @@
+<!--
+ SPDX-FileCopyrightText: 2013, Eric W. Biederman
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="subids">
+ <term><option>SUB_UID_MIN</option> (number)</term>
+ <term><option>SUB_UID_MAX</option> (number)</term>
+ <term><option>SUB_UID_COUNT</option> (number)</term>
+ <listitem>
+ <para>
+ If <filename>/etc/subuid</filename> exists, the commands
+ <command>useradd</command> and <command>newusers</command> (unless
+ the user already have subordinate user IDs) allocate
+ <option>SUB_UID_COUNT</option> unused user IDs from the range
+ <option>SUB_UID_MIN</option> to <option>SUB_UID_MAX</option> for each
+ new user.
+ </para>
+ <para>
+ The default values for <option>SUB_UID_MIN</option>,
+ <option>SUB_UID_MAX</option>, <option>SUB_UID_COUNT</option>
+ are respectively 100000, 600100000 and 65536.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SULOG_FILE.xml b/man/login.defs.d/SULOG_FILE.xml
new file mode 100644
index 0000000..4fab8aa
--- /dev/null
+++ b/man/login.defs.d/SULOG_FILE.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>SULOG_FILE</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, all su activity is logged to this file.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SU_NAME.xml b/man/login.defs.d/SU_NAME.xml
new file mode 100644
index 0000000..d71d1aa
--- /dev/null
+++ b/man/login.defs.d/SU_NAME.xml
@@ -0,0 +1,17 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>SU_NAME</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, the command name to display when running "su -". For
+ example, if this is defined as "su" then a "ps" will display the
+ command is "-su". If not defined, then "ps" would display the name
+ of the shell actually being run, e.g. something like "-sh".
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SU_WHEEL_ONLY.xml b/man/login.defs.d/SU_WHEEL_ONLY.xml
new file mode 100644
index 0000000..2a0b39a
--- /dev/null
+++ b/man/login.defs.d/SU_WHEEL_ONLY.xml
@@ -0,0 +1,20 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<!-- TODO: TBC -->
+<varlistentry condition="no_pam">
+ <term><option>SU_WHEEL_ONLY</option> (boolean)</term>
+ <listitem>
+ <para>
+ If <replaceable>yes</replaceable>, the user must be listed as a
+ member of the first gid 0 group in <filename>/etc/group</filename>
+ (called <replaceable>root</replaceable> on most Linux systems) to be
+ able to <command>su</command> to uid 0 accounts. If the group
+ doesn't exist or is empty, no one will be able to
+ <command>su</command> to uid 0.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SYSLOG_SG_ENAB.xml b/man/login.defs.d/SYSLOG_SG_ENAB.xml
new file mode 100644
index 0000000..8e2f23a
--- /dev/null
+++ b/man/login.defs.d/SYSLOG_SG_ENAB.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>SYSLOG_SG_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable "syslog" logging of <command>sg</command> activity.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SYSLOG_SU_ENAB.xml b/man/login.defs.d/SYSLOG_SU_ENAB.xml
new file mode 100644
index 0000000..155e3c5
--- /dev/null
+++ b/man/login.defs.d/SYSLOG_SU_ENAB.xml
@@ -0,0 +1,15 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>SYSLOG_SU_ENAB</option> (boolean)</term>
+ <listitem>
+ <para>
+ Enable "syslog" logging of <command>su</command> activity - in
+ addition to sulog file logging.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SYS_GID_MAX.xml b/man/login.defs.d/SYS_GID_MAX.xml
new file mode 100644
index 0000000..f39ddfd
--- /dev/null
+++ b/man/login.defs.d/SYS_GID_MAX.xml
@@ -0,0 +1,19 @@
+<!--
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>SYS_GID_MAX</option> (number)</term>
+ <term><option>SYS_GID_MIN</option> (number)</term>
+ <listitem>
+ <para>
+ Range of group IDs used for the creation of system groups by
+ <command>useradd</command>, <command>groupadd</command>, or
+ <command>newusers</command>.
+ </para>
+ <para>
+ The default value for <option>SYS_GID_MIN</option> (resp.
+ <option>SYS_GID_MAX</option>) is 101 (resp. <option>GID_MIN</option>-1).
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/SYS_UID_MAX.xml b/man/login.defs.d/SYS_UID_MAX.xml
new file mode 100644
index 0000000..5b0a1de
--- /dev/null
+++ b/man/login.defs.d/SYS_UID_MAX.xml
@@ -0,0 +1,18 @@
+<!--
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>SYS_UID_MAX</option> (number)</term>
+ <term><option>SYS_UID_MIN</option> (number)</term>
+ <listitem>
+ <para>
+ Range of user IDs used for the creation of system users by
+ <command>useradd</command> or <command>newusers</command>.
+ </para>
+ <para>
+ The default value for <option>SYS_UID_MIN</option> (resp.
+ <option>SYS_UID_MAX</option>) is 101 (resp. <option>UID_MIN</option>-1).
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/TCB_AUTH_GROUP.xml b/man/login.defs.d/TCB_AUTH_GROUP.xml
new file mode 100644
index 0000000..fabcb03
--- /dev/null
+++ b/man/login.defs.d/TCB_AUTH_GROUP.xml
@@ -0,0 +1,13 @@
+<!--
+ SPDX-FileCopyrightText: 2010, Pawel Hajdan
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="tcb">
+ <term><option>TCB_AUTH_GROUP</option> (boolean)</term>
+ <listitem>
+ <para>
+ If <replaceable>yes</replaceable>, newly created tcb shadow files
+ will be group owned by the <replaceable>auth</replaceable> group.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/TCB_SYMLINKS.xml b/man/login.defs.d/TCB_SYMLINKS.xml
new file mode 100644
index 0000000..7e52c34
--- /dev/null
+++ b/man/login.defs.d/TCB_SYMLINKS.xml
@@ -0,0 +1,29 @@
+<!--
+ SPDX-FileCopyrightText: 2010, Pawel Hajdan
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="tcb">
+ <term><option>TCB_SYMLINKS</option> (boolean)</term>
+ <listitem>
+ <para>
+ If <replaceable>yes</replaceable>, the location of the user tcb
+ directory to be created will not be automatically set to /etc/tcb/user,
+ but will be computed depending on the UID of the user, according to
+ the following algorithm:
+ <programlisting>
+if ( UID is less than 1000) {
+ use /etc/tcb/user
+} else if ( UID is less than 1000000) {
+ kilos = UID / 1000
+ use /etc/tcb/:kilos/user
+ make symlink /etc/tcb/user to the above directory
+} else {
+ megas = UID / 1000000
+ kilos = ( UID / megas * 1000000 ) / 1000
+ use /etc/tcb/:megas/:kilos/user
+ make symlink /etc/tcb/user to the above directory
+}
+ </programlisting>
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/TTYGROUP.xml b/man/login.defs.d/TTYGROUP.xml
new file mode 100644
index 0000000..e7cb53d
--- /dev/null
+++ b/man/login.defs.d/TTYGROUP.xml
@@ -0,0 +1,32 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>TTYGROUP</option> (string)</term>
+ <term><option>TTYPERM</option> (string)</term>
+ <listitem>
+ <para>
+ The terminal permissions: the login tty will be owned by the
+ <option>TTYGROUP</option> group, and the permissions will be set to
+ <option>TTYPERM</option>.
+ </para>
+ <para>
+ By default, the ownership of the terminal is set to the user's
+ primary group and the permissions are set to
+ <replaceable>0600</replaceable>.
+ </para>
+ <para>
+ <option>TTYGROUP</option> can be either the name of a group or a
+ numeric group identifier.
+ </para>
+ <para>
+ If you have a <command>write</command> program which is "setgid" to
+ a special group which owns the terminals, define TTYGROUP to the
+ group number and TTYPERM to 0620. Otherwise leave TTYGROUP
+ commented out and assign TTYPERM to either 622 or 600.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/TTYTYPE_FILE.xml b/man/login.defs.d/TTYTYPE_FILE.xml
new file mode 100644
index 0000000..491bb0b
--- /dev/null
+++ b/man/login.defs.d/TTYTYPE_FILE.xml
@@ -0,0 +1,15 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>TTYTYPE_FILE</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, file which maps tty line to TERM environment parameter.
+ Each line of the file is in a format something like "vt100 tty01".
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/UID_MAX.xml b/man/login.defs.d/UID_MAX.xml
new file mode 100644
index 0000000..df365d0
--- /dev/null
+++ b/man/login.defs.d/UID_MAX.xml
@@ -0,0 +1,20 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>UID_MAX</option> (number)</term>
+ <term><option>UID_MIN</option> (number)</term>
+ <listitem>
+ <para>
+ Range of user IDs used for the creation of regular users by
+ <command>useradd</command> or <command>newusers</command>.
+ </para>
+ <para>
+ The default value for <option>UID_MIN</option> (resp.
+ <option>UID_MAX</option>) is 1000 (resp. 60000).
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/ULIMIT.xml b/man/login.defs.d/ULIMIT.xml
new file mode 100644
index 0000000..2ff3733
--- /dev/null
+++ b/man/login.defs.d/ULIMIT.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="no_pam">
+ <term><option>ULIMIT</option> (number)</term>
+ <listitem>
+ <para>
+ Default <command>ulimit</command> value.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/UMASK.xml b/man/login.defs.d/UMASK.xml
new file mode 100644
index 0000000..1090e05
--- /dev/null
+++ b/man/login.defs.d/UMASK.xml
@@ -0,0 +1,32 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>UMASK</option> (number)</term>
+ <listitem>
+ <para>
+ The file mode creation mask is initialized to this value. If not
+ specified, the mask will be initialized to 022.
+ </para>
+ <para>
+ <command>useradd</command> and <command>newusers</command> use this
+ mask to set the mode of the home directory they create if
+ <option>HOME_MODE</option> is not set.
+ </para>
+ <para condition="no_pam">
+ It is also used by <command>login</command> to define users' initial
+ umask. Note that this mask can be overridden by the user's GECOS
+ line (if <option>QUOTAS_ENAB</option> is set) or by the
+ specification of a limit with the <emphasis>K</emphasis> identifier
+ in <citerefentry><refentrytitle>limits</refentrytitle>
+ <manvolnum>5</manvolnum></citerefentry>.
+ </para>
+ <para condition="pam">
+ It is also used by <command>pam_umask</command> as the default umask
+ value.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/USERDEL_CMD.xml b/man/login.defs.d/USERDEL_CMD.xml
new file mode 100644
index 0000000..56c0933
--- /dev/null
+++ b/man/login.defs.d/USERDEL_CMD.xml
@@ -0,0 +1,48 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 1996 - 2000, Marek Michałkiewicz
+ SPDX-FileCopyrightText: 2007 - 2009, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>USERDEL_CMD</option> (string)</term>
+ <listitem>
+ <para>
+ If defined, this command is run when removing a user. It should
+ remove any at/cron/print jobs etc. owned by the user to be removed
+ (passed as the first argument).
+ </para>
+ <para>
+ The return code of the script is not taken into account.
+ </para>
+ <para>
+ Here is an example script, which removes the user's
+ cron, at and print jobs:
+ <programlisting>
+#! /bin/sh
+
+# Check for the required argument.
+if [ $# != 1 ]; then
+ echo "Usage: $0 username"
+ exit 1
+fi
+
+# Remove cron jobs.
+crontab -r -u $1
+
+# Remove at jobs.
+# Note that it will remove any jobs owned by the same UID,
+# even if it was shared by a different username.
+AT_SPOOL_DIR=/var/spool/cron/atjobs
+find $AT_SPOOL_DIR -name "[^.]*" -type f -user $1 -delete \;
+
+# Remove print jobs.
+lprm $1
+
+# All done.
+exit 0
+ </programlisting>
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/USERGROUPS_ENAB.xml b/man/login.defs.d/USERGROUPS_ENAB.xml
new file mode 100644
index 0000000..6338fc9
--- /dev/null
+++ b/man/login.defs.d/USERGROUPS_ENAB.xml
@@ -0,0 +1,22 @@
+<!--
+ SPDX-FileCopyrightText: 1991 - 1993, Julianne Frances Haugh
+ SPDX-FileCopyrightText: 1991 - 1993, Chip Rosenthal
+ SPDX-FileCopyrightText: 2007 - 2008, Nicolas François
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry>
+ <term><option>USERGROUPS_ENAB</option> (boolean)</term>
+ <listitem>
+ <para condition="no_pam">
+ Enable setting of the umask group bits to be the same as owner bits
+ (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is
+ the same as gid, and username is the same as the primary group name.
+ </para>
+ <para>
+ If set to <replaceable>yes</replaceable>, <command>userdel</command>
+ will remove the user's group if it contains no more members, and
+ <command>useradd</command> will create by default a group with the
+ name of the user.
+ </para>
+ </listitem>
+</varlistentry>
diff --git a/man/login.defs.d/USE_TCB.xml b/man/login.defs.d/USE_TCB.xml
new file mode 100644
index 0000000..a89bf23
--- /dev/null
+++ b/man/login.defs.d/USE_TCB.xml
@@ -0,0 +1,14 @@
+<!--
+ SPDX-FileCopyrightText: 2010, Pawel Hajdan
+ SPDX-License-Identifier: BSD-3-Clause
+-->
+<varlistentry condition="tcb">
+ <term><option>USE_TCB</option> (boolean)</term>
+ <listitem>
+ <para>
+ If <replaceable>yes</replaceable>, the <citerefentry>
+ <refentrytitle>tcb</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ password shadowing scheme will be used.
+ </para>
+ </listitem>
+</varlistentry> |