mirror of
https://github.com/shadow-maint/shadow.git
synced 2024-11-23 18:14:07 +08:00
f93cf255d4
Closes #238 Update all files to list SPDX license shortname. Most files are BSD 3 clause license. The exceptions are: serge@sl ~/src/shadow$ git grep SPDX-License | grep -v BSD-3-Clause contrib/atudel:# SPDX-License-Identifier: BSD-4-Clause lib/tcbfuncs.c: * SPDX-License-Identifier: 0BSD libmisc/salt.c: * SPDX-License-Identifier: Unlicense src/login_nopam.c: * SPDX-License-Identifier: Unlicense src/nologin.c: * SPDX-License-Identifier: BSD-2-Clause src/vipw.c: * SPDX-License-Identifier: GPL-2.0-or-later Signed-off-by: Serge Hallyn <serge@hallyn.com>
471 lines
15 KiB
XML
471 lines
15 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<!--
|
|
SPDX-FileCopyrightText: 1991 - 1994, Julianne Frances Haugh
|
|
SPDX-FileCopyrightText: 2007 - 2011, Nicolas François
|
|
SPDX-License-Identifier: BSD-3-Clause
|
|
-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
|
|
<!ENTITY ENCRYPT_METHOD SYSTEM "login.defs.d/ENCRYPT_METHOD.xml">
|
|
<!ENTITY GID_MAX SYSTEM "login.defs.d/GID_MAX.xml">
|
|
<!ENTITY HOME_MODE SYSTEM "login.defs.d/HOME_MODE.xml">
|
|
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
|
|
<!ENTITY MD5_CRYPT_ENAB SYSTEM "login.defs.d/MD5_CRYPT_ENAB.xml">
|
|
<!ENTITY PASS_MAX_DAYS SYSTEM "login.defs.d/PASS_MAX_DAYS.xml">
|
|
<!ENTITY PASS_MIN_DAYS SYSTEM "login.defs.d/PASS_MIN_DAYS.xml">
|
|
<!ENTITY PASS_WARN_AGE SYSTEM "login.defs.d/PASS_WARN_AGE.xml">
|
|
<!ENTITY SHA_CRYPT_MIN_ROUNDS SYSTEM "login.defs.d/SHA_CRYPT_MIN_ROUNDS.xml">
|
|
<!ENTITY SUB_GID_COUNT SYSTEM "login.defs.d/SUB_GID_COUNT.xml">
|
|
<!ENTITY SUB_UID_COUNT SYSTEM "login.defs.d/SUB_UID_COUNT.xml">
|
|
<!ENTITY SYS_GID_MAX SYSTEM "login.defs.d/SYS_GID_MAX.xml">
|
|
<!ENTITY SYS_UID_MAX SYSTEM "login.defs.d/SYS_UID_MAX.xml">
|
|
<!ENTITY UID_MAX SYSTEM "login.defs.d/UID_MAX.xml">
|
|
<!ENTITY UMASK SYSTEM "login.defs.d/UMASK.xml">
|
|
<!-- SHADOW-CONFIG-HERE -->
|
|
]>
|
|
|
|
<refentry id='newusers.8'>
|
|
<!-- $Id$ -->
|
|
<refentryinfo>
|
|
<author>
|
|
<firstname>Julianne Frances</firstname>
|
|
<surname>Haugh</surname>
|
|
<contrib>Creation, 1991</contrib>
|
|
</author>
|
|
<author>
|
|
<firstname>Thomas</firstname>
|
|
<surname>Kłoczko</surname>
|
|
<email>kloczek@pld.org.pl</email>
|
|
<contrib>shadow-utils maintainer, 2000 - 2007</contrib>
|
|
</author>
|
|
<author>
|
|
<firstname>Nicolas</firstname>
|
|
<surname>François</surname>
|
|
<email>nicolas.francois@centraliens.net</email>
|
|
<contrib>shadow-utils maintainer, 2007 - now</contrib>
|
|
</author>
|
|
</refentryinfo>
|
|
<refmeta>
|
|
<refentrytitle>newusers</refentrytitle>
|
|
<manvolnum>8</manvolnum>
|
|
<refmiscinfo class="sectdesc">System Management Commands</refmiscinfo>
|
|
<refmiscinfo class="source">shadow-utils</refmiscinfo>
|
|
<refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
|
|
</refmeta>
|
|
<refnamediv id='name'>
|
|
<refname>newusers</refname>
|
|
<refpurpose>update and create new users in batch</refpurpose>
|
|
</refnamediv>
|
|
<!-- body begins here -->
|
|
<refsynopsisdiv id='synopsis'>
|
|
<cmdsynopsis>
|
|
<command>newusers</command>
|
|
<arg choice='opt'>
|
|
<replaceable>options</replaceable>
|
|
</arg>
|
|
<arg choice='opt'>
|
|
<replaceable>file</replaceable>
|
|
</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1 id='description'>
|
|
<title>DESCRIPTION</title>
|
|
<para>
|
|
The <command>newusers</command> command reads a <replaceable>file</replaceable> (or the standard input by default)
|
|
and uses this information to update a set
|
|
of existing users or to create new users. Each line is in the same format
|
|
as the standard password file (see
|
|
<citerefentry><refentrytitle>passwd</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry>) with the exceptions explained below:
|
|
</para>
|
|
<para>pw_name:pw_passwd:pw_uid:pw_gid:pw_gecos:pw_dir:pw_shell</para>
|
|
|
|
<variablelist remap='IP'>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis remap='I'>pw_name</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
This is the name of the user.
|
|
</para>
|
|
<para>
|
|
It can be the name of a new user or the name of an existing
|
|
user (or a user created before by
|
|
<command>newusers</command>). In case of an existing user,
|
|
the user's information will be changed, otherwise a new user
|
|
will be created.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis remap='I'>pw_passwd</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
This field will be encrypted and used as the new value of the
|
|
encrypted password.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis remap='I'>pw_uid</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
This field is used to define the UID of the user.
|
|
</para>
|
|
<para>
|
|
If the field is empty, a new (unused) UID will be defined
|
|
automatically by <command>newusers</command>.
|
|
</para>
|
|
<para>
|
|
If this field contains a number, this number will be used as
|
|
the UID.
|
|
</para>
|
|
<para>
|
|
If this field contains the name of an existing user (or the
|
|
name of a user created before by
|
|
<command>newusers</command>), the UID of the specified user
|
|
will be used.
|
|
</para>
|
|
<para>
|
|
If the UID of an existing user is changed, the files ownership
|
|
of the user's file should be fixed manually.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis remap='I'>pw_gid</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
This field is used to define the primary group ID for the user.
|
|
</para>
|
|
<para>
|
|
If this field contains the name of an existing group (or a
|
|
group created before by <command>newusers</command>), the GID
|
|
of this group will be used as the primary group ID for the
|
|
user.
|
|
</para>
|
|
<para>
|
|
If this field is a number, this number will be used as the
|
|
primary group ID of the user. If no groups exist with this
|
|
GID, a new group will be created with this GID, and the name
|
|
of the user.
|
|
</para>
|
|
<para>
|
|
If this field is empty, a new group will be created with the
|
|
name of the user and a GID will be automatically defined by
|
|
<command>newusers</command> to be used as the primary group ID
|
|
for the user and as the GID for the new group.
|
|
</para>
|
|
<para>
|
|
If this field contains the name of a group which does not
|
|
exist (and was not created before by
|
|
<command>newusers</command>), a new group will be created with
|
|
the specified name and a GID will be automatically defined by
|
|
<command>newusers</command> to be used as the primary group ID
|
|
for the user and GID for the new group.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis remap='I'>pw_gecos</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
This field is copied in the GECOS field of the user.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis remap='I'>pw_dir</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
This field is used to define the home directory of the user.
|
|
</para>
|
|
<para>
|
|
If this field does not specify an existing directory, the
|
|
specified directory is created, with ownership set to the
|
|
user being created or updated and its primary group. Note
|
|
that <emphasis>newusers does not create parent directories
|
|
</emphasis> of the new user's home directory. The newusers
|
|
command will fail to create the home directory if the parent
|
|
directories do not exist, and will send a message to stderr
|
|
informing the user of the failure. The newusers command will
|
|
not halt or return a failure to the calling shell if it fails
|
|
to create the home directory, it will continue to process the
|
|
batch of new users specified.
|
|
</para>
|
|
<para>
|
|
If the home directory of an existing user is changed,
|
|
<command>newusers</command> does not move or copy the content
|
|
of the old directory to the new location. This should be done
|
|
manually.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<emphasis remap='I'>pw_shell</emphasis>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
This field defines the shell of the user.
|
|
No checks are performed on this field.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>
|
|
<command>newusers</command> first tries to create or change all the
|
|
specified users, and then write these changes to the user or group
|
|
databases. If an error occurs (except in the final writes to the
|
|
databases), no changes are committed to the databases.
|
|
</para>
|
|
<para condition="pam">
|
|
During this first pass, users are created with a locked password
|
|
(and passwords are not changed for the users which are not created).
|
|
A second pass is used to update the passwords using PAM. Failures
|
|
to update a password are reported, but will not stop the other
|
|
password updates.
|
|
</para>
|
|
|
|
<para>
|
|
This command is intended to be used in a large system environment
|
|
where many accounts are updated at a single time.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='options'>
|
|
<title>OPTIONS</title>
|
|
<para>
|
|
The options which apply to the <command>newusers</command> command are:
|
|
</para>
|
|
<variablelist remap='IP'>
|
|
<varlistentry>
|
|
<term>
|
|
<option>--badname</option>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
Allow names that do not conform to standards.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<variablelist remap='IP' condition="no_pam">
|
|
<varlistentry>
|
|
<term><option>-c</option>, <option>--crypt-method</option></term>
|
|
<listitem>
|
|
<para>Use the specified method to encrypt the passwords.</para>
|
|
<para>
|
|
The available methods are DES, MD5, NONE, and SHA256 or SHA512
|
|
if your libc support these methods.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<variablelist remap='IP'>
|
|
<varlistentry>
|
|
<term><option>-h</option>, <option>--help</option></term>
|
|
<listitem>
|
|
<para>Display help message and exit.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<option>-r</option>, <option>--system</option>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
Create a system account.
|
|
</para>
|
|
<para>
|
|
System users will be created with no aging information in
|
|
<filename>/etc/shadow</filename>, and their numeric
|
|
identifiers are chosen in the
|
|
<option>SYS_UID_MIN</option>-<option>SYS_UID_MAX</option>
|
|
range, defined in <filename>login.defs</filename>, instead of
|
|
<option>UID_MIN</option>-<option>UID_MAX</option> (and their
|
|
<option>GID</option> counterparts for the creation of groups).
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term>
|
|
<option>-R</option>, <option>--root</option> <replaceable>CHROOT_DIR</replaceable>
|
|
</term>
|
|
<listitem>
|
|
<para>
|
|
Apply changes in the <replaceable>CHROOT_DIR</replaceable>
|
|
directory and use the configuration files from the
|
|
<replaceable>CHROOT_DIR</replaceable> directory.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
<variablelist remap='IP' condition="no_pam">
|
|
<varlistentry condition="sha_crypt">
|
|
<term><option>-s</option>, <option>--sha-rounds</option></term>
|
|
<listitem>
|
|
<para>
|
|
Use the specified number of rounds to encrypt the passwords.
|
|
</para>
|
|
<para>
|
|
The value 0 means that the system will choose the default
|
|
number of rounds for the crypt method (5000).
|
|
</para>
|
|
<para>
|
|
A minimal value of 1000 and a maximal value of 999,999,999
|
|
will be enforced.
|
|
</para>
|
|
<para>
|
|
You can only use this option with the SHA256 or SHA512
|
|
crypt method.
|
|
</para>
|
|
<para>
|
|
By default, the number of rounds is defined by the
|
|
SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in
|
|
<filename>/etc/login.defs</filename>.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1 id='caveats'>
|
|
<title>CAVEATS</title>
|
|
<para>
|
|
The input file must be protected since it contains unencrypted
|
|
passwords.
|
|
</para>
|
|
<para condition="no_pam">
|
|
You should make sure the passwords and the encryption method respect
|
|
the system's password policy.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1 id='configuration'>
|
|
<title>CONFIGURATION</title>
|
|
<para>
|
|
The following configuration variables in
|
|
<filename>/etc/login.defs</filename> change the behavior of this
|
|
tool:
|
|
</para>
|
|
<variablelist condition="no_pam">
|
|
&ENCRYPT_METHOD;
|
|
</variablelist>
|
|
<variablelist>
|
|
&GID_MAX; <!-- documents also GID_MIN -->
|
|
&HOME_MODE;
|
|
&MAX_MEMBERS_PER_GROUP;
|
|
</variablelist>
|
|
<variablelist condition="no_pam">
|
|
&MD5_CRYPT_ENAB;
|
|
</variablelist>
|
|
<variablelist>
|
|
&PASS_MAX_DAYS;
|
|
&PASS_MIN_DAYS;
|
|
&PASS_WARN_AGE;
|
|
</variablelist>
|
|
<variablelist condition="no_pam">
|
|
&SHA_CRYPT_MIN_ROUNDS; <!-- documents also SHA_CRYPT_MAX_ROUNDS-->
|
|
</variablelist>
|
|
<variablelist>
|
|
&SUB_GID_COUNT; <!-- documents also SUB_GID_MAX and SUB_GID_MIN -->
|
|
&SUB_UID_COUNT; <!-- documents also SUB_UID_MAX and SUB_UID_MIN -->
|
|
&SYS_GID_MAX; <!-- documents also SYS_GID_MIN -->
|
|
&SYS_UID_MAX; <!-- documents also SYS_UID_MIN -->
|
|
&UID_MAX; <!-- documents also UID_MIN -->
|
|
&UMASK;
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1 id='files'>
|
|
<title>FILES</title>
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><filename>/etc/passwd</filename></term>
|
|
<listitem>
|
|
<para>User account information.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><filename>/etc/shadow</filename></term>
|
|
<listitem>
|
|
<para>Secure user account information.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><filename>/etc/group</filename></term>
|
|
<listitem>
|
|
<para>Group account information.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry condition="gshadow">
|
|
<term><filename>/etc/gshadow</filename></term>
|
|
<listitem>
|
|
<para>Secure group account information.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry>
|
|
<term><filename>/etc/login.defs</filename></term>
|
|
<listitem>
|
|
<para>Shadow password suite configuration.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry condition="pam">
|
|
<term><filename>/etc/pam.d/newusers</filename></term>
|
|
<listitem>
|
|
<para>PAM configuration for <command>newusers</command>.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry condition="subids">
|
|
<term><filename>/etc/subgid</filename></term>
|
|
<listitem>
|
|
<para>Per user subordinate group IDs.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
<varlistentry condition="subids">
|
|
<term><filename>/etc/subuid</filename></term>
|
|
<listitem>
|
|
<para>Per user subordinate user IDs.</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1 id='see_also'>
|
|
<title>SEE ALSO</title>
|
|
<para>
|
|
<citerefentry>
|
|
<refentrytitle>login.defs</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>passwd</refentrytitle><manvolnum>1</manvolnum>
|
|
</citerefentry>,
|
|
<phrase condition="subids">
|
|
<citerefentry>
|
|
<refentrytitle>subgid</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry>,
|
|
<citerefentry>
|
|
<refentrytitle>subuid</refentrytitle><manvolnum>5</manvolnum>
|
|
</citerefentry>,
|
|
</phrase>
|
|
<citerefentry>
|
|
<refentrytitle>useradd</refentrytitle><manvolnum>8</manvolnum>
|
|
</citerefentry>.
|
|
</para>
|
|
</refsect1>
|
|
</refentry>
|