/usr.bin/chpass/chpass.1

https://bitbucket.org/freebsd/freebsd-head/ · Unknown · 487 lines · 487 code · 0 blank · 0 comment · 0 complexity · 3f31c972843f419055b454f336d8597f MD5 · raw file 

    

  1. .\" Copyright (c) 1988, 1990, 1993
    2. 

  2. .\"	The Regents of the University of California.  All rights reserved.
    3. 

  3. .\"
    4. 

  4. .\" Redistribution and use in source and binary forms, with or without
    5. 

  5. .\" modification, are permitted provided that the following conditions
    6. 

  6. .\" are met:
    7. 

  7. .\" 1. Redistributions of source code must retain the above copyright
    8. 

  8. .\"    notice, this list of conditions and the following disclaimer.
    9. 

  9. .\" 2. Redistributions in binary form must reproduce the above copyright
    10. 

  10. .\"    notice, this list of conditions and the following disclaimer in the
    11. 

  11. .\"    documentation and/or other materials provided with the distribution.
    12. 

  12. .\" 4. Neither the name of the University nor the names of its contributors
    13. 

  13. .\"    may be used to endorse or promote products derived from this software
    14. 

  14. .\"    without specific prior written permission.
    15. 

  15. .\"
    16. 

  16. .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
    17. 

  17. .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
    18. 

  18. .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
    19. 

  19. .\" ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
    20. 

  20. .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
    21. 

  21. .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
    22. 

  22. .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
    23. 

  23. .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
    24. 

  24. .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
    25. 

  25. .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
    26. 

  26. .\" SUCH DAMAGE.
    27. 

  27. .\"
    28. 

  28. .\"     @(#)chpass.1	8.2 (Berkeley) 12/30/93
    29. 

  29. .\" $FreeBSD$
    30. 

  30. .\"
    31. 

  31. .Dd December 30, 1993
    32. 

  32. .Dt CHPASS 1
    33. 

  33. .Os
    34. 

  34. .Sh NAME
    35. 

  35. .Nm chpass ,
    36. 

  36. .Nm chfn ,
    37. 

  37. .Nm chsh ,
    38. 

  38. .Nm ypchpass ,
    39. 

  39. .Nm ypchfn ,
    40. 

  40. .Nm ypchsh
    41. 

  41. .Nd add or change user database information
    42. 

  42. .Sh SYNOPSIS
    43. 

  43. .Nm
    44. 

  44. .Op Fl a Ar list
    45. 

  45. .Op Fl p Ar encpass
    46. 

  46. .Op Fl e Ar expiretime
    47. 

  47. .Op Fl s Ar newshell
    48. 

  48. .Op user
    49. 

  49. .Nm
    50. 

  50. .Op Fl oly
    51. 

  51. .Op Fl a Ar list
    52. 

  52. .Op Fl p Ar encpass
    53. 

  53. .Op Fl e Ar expiretime
    54. 

  54. .Op Fl s Ar newshell
    55. 

  55. .Op Fl d Ar domain
    56. 

  56. .Op Fl h Ar host
    57. 

  57. .Op user
    58. 

  58. .Sh DESCRIPTION
    59. 

  59. The
    60. 

  60. .Nm
    61. 

  61. utility
    62. 

  62. allows editing of the user database information associated
    63. 

  63. with
    64. 

  64. .Ar user
    65. 

  65. or, by default, the current user.
    66. 

  66. .Pp
    67. 

  67. The
    68. 

  68. .Nm chfn ,
    69. 

  69. .Nm chsh ,
    70. 

  70. .Nm ypchpass ,
    71. 

  71. .Nm ypchfn
    72. 

  72. and
    73. 

  73. .Nm ypchsh
    74. 

  74. utilities behave identically to
    75. 

  75. .Nm .
    76. 

  76. (There is only one program.)
    77. 

  77. .Pp
    78. 

  78. The information is formatted and supplied to an editor for changes.
    79. 

  79. .Pp
    80. 

  80. Only the information that the user is allowed to change is displayed.
    81. 

  81. .Pp
    82. 

  82. The options are as follows:
    83. 

  83. .Bl -tag -width indent
    84. 

  84. .It Fl a
    85. 

  85. The super-user is allowed to directly supply a user database
    86. 

  86. entry, in the format specified by
    87. 

  87. .Xr passwd 5 ,
    88. 

  88. as an argument.
    89. 

  89. This argument must be a colon
    90. 

  90. .Pq Dq \&:
    91. 

  91. separated list of all the
    92. 

  92. user database fields, although they may be empty.
    93. 

  93. .It Fl p
    94. 

  94. The super-user is allowed to directly supply an encrypted password field,
    95. 

  95. in the format used by
    96. 

  96. .Xr crypt 3 ,
    97. 

  97. as an argument.
    98. 

  98. .It Fl e Ar expiretime
    99. 

  99. Change the account expire time.
    100. 

  100. This option is used to set the expire time
    101. 

  101. from a script as if it was done in the interactive editor.
    102. 

  102. .It Fl s Ar newshell
    103. 

  103. Attempt to change the user's shell to
    104. 

  104. .Ar newshell .
    105. 

  105. .El
    106. 

  106. .Pp
    107. 

  107. Possible display items are as follows:
    108. 

  108. .Pp
    109. 

  109. .Bl -tag -width "Other Information:" -compact -offset indent
    110. 

  110. .It Login:
    111. 

  111. user's login name
    112. 

  112. .It Password:
    113. 

  113. user's encrypted password
    114. 

  114. .It Uid:
    115. 

  115. user's login
    116. 

  116. .It Gid:
    117. 

  117. user's login group
    118. 

  118. .It Class:
    119. 

  119. user's general classification
    120. 

  120. .It Change:
    121. 

  121. password change time
    122. 

  122. .It Expire:
    123. 

  123. account expiration time
    124. 

  124. .It Full Name:
    125. 

  125. user's real name
    126. 

  126. .It Office Location:
    127. 

  127. user's office location (1)
    128. 

  128. .It Office Phone:
    129. 

  129. user's office phone (1)
    130. 

  130. .It Home Phone:
    131. 

  131. user's home phone (1)
    132. 

  132. .It Other Information:
    133. 

  133. any locally defined parameters for user (1)
    134. 

  134. .It Home Directory:
    135. 

  135. user's home directory
    136. 

  136. .It Shell:
    137. 

  137. user's login shell
    138. 

  138. .Pp
    139. 

  139. .It NOTE(1) -
    140. 

  140. In the actual master.passwd file, these fields are comma-delimited
    141. 

  141. fields embedded in the FullName field.
    142. 

  142. .El
    143. 

  143. .Pp
    144. 

  144. The
    145. 

  145. .Ar login
    146. 

  146. field is the user name used to access the computer account.
    147. 

  147. .Pp
    148. 

  148. The
    149. 

  149. .Ar password
    150. 

  150. field contains the encrypted form of the user's password.
    151. 

  151. .Pp
    152. 

  152. The
    153. 

  153. .Ar uid
    154. 

  154. field is the number associated with the
    155. 

  155. .Ar login
    156. 

  156. field.
    157. 

  157. Both of these fields should be unique across the system (and often
    158. 

  158. across a group of systems) as they control file access.
    159. 

  159. .Pp
    160. 

  160. While it is possible to have multiple entries with identical login names
    161. 

  161. and/or identical user id's, it is usually a mistake to do so.
    162. 

  162. Routines
    163. 

  163. that manipulate these files will often return only one of the multiple
    164. 

  164. entries, and that one by random selection.
    165. 

  165. .Pp
    166. 

  166. The
    167. 

  167. .Ar gid
    168. 

  168. field is the group that the user will be placed in at login.
    169. 

  169. Since
    170. 

  170. .Bx
    171. 

  171. supports multiple groups (see
    172. 

  172. .Xr groups 1 )
    173. 

  173. this field currently has little special meaning.
    174. 

  174. This field may be filled in with either a number or a group name (see
    175. 

  175. .Xr group 5 ) .
    176. 

  176. .Pp
    177. 

  177. The
    178. 

  178. .Ar class
    179. 

  179. field references class descriptions in
    180. 

  180. .Pa /etc/login.conf
    181. 

  181. and is typically used to initialize the user's system resource limits
    182. 

  182. when they login.
    183. 

  183. .Pp
    184. 

  184. The
    185. 

  185. .Ar change
    186. 

  186. field is the date by which the password must be changed.
    187. 

  187. .Pp
    188. 

  188. The
    189. 

  189. .Ar expire
    190. 

  190. field is the date on which the account expires.
    191. 

  191. .Pp
    192. 

  192. Both the
    193. 

  193. .Ar change
    194. 

  194. and
    195. 

  195. .Ar expire
    196. 

  196. fields should be entered in the form
    197. 

  197. .Dq month day year
    198. 

  198. where
    199. 

  199. .Ar month
    200. 

  200. is the month name (the first three characters are sufficient),
    201. 

  201. .Ar day
    202. 

  202. is the day of the month, and
    203. 

  203. .Ar year
    204. 

  204. is the year.
    205. 

  205. .Pp
    206. 

  206. Five fields are available for storing the user's
    207. 

  207. .Ar full name , office location ,
    208. 

  208. .Ar work
    209. 

  209. and
    210. 

  210. .Ar home telephone
    211. 

  211. numbers and finally
    212. 

  212. .Ar other information
    213. 

  213. which is a single comma delimited string to represent any additional
    214. 

  214. gecos fields (typically used for site specific user information).
    215. 

  215. Note that
    216. 

  216. .Xr finger 1
    217. 

  217. will display the office location and office phone together under the
    218. 

  218. heading
    219. 

  219. .Ar Office: .
    220. 

  220. .Pp
    221. 

  221. The user's
    222. 

  222. .Ar home directory
    223. 

  223. is the full
    224. 

  224. .Ux
    225. 

  225. path name where the user
    226. 

  226. will be placed at login.
    227. 

  227. .Pp
    228. 

  228. The
    229. 

  229. .Ar shell
    230. 

  230. field is the command interpreter the user prefers.
    231. 

  231. If the
    232. 

  232. .Ar shell
    233. 

  233. field is empty, the Bourne shell,
    234. 

  234. .Pa /bin/sh ,
    235. 

  235. is assumed.
    236. 

  236. When altering a login shell, and not the super-user, the user
    237. 

  237. may not change from a non-standard shell or to a non-standard
    238. 

  238. shell.
    239. 

  239. Non-standard is defined as a shell not found in
    240. 

  240. .Pa /etc/shells .
    241. 

  241. .Pp
    242. 

  242. Once the information has been verified,
    243. 

  243. .Nm
    244. 

  244. uses
    245. 

  245. .Xr pwd_mkdb 8
    246. 

  246. to update the user database.
    247. 

  247. .Sh ENVIRONMENT
    248. 

  248. The
    249. 

  249. .Xr vi 1
    250. 

  250. editor will be used unless the environment variable
    251. 

  251. .Ev EDITOR
    252. 

  252. is set to
    253. 

  253. an alternate editor.
    254. 

  254. When the editor terminates, the information is re-read and used to
    255. 

  255. update the user database itself.
    256. 

  256. Only the user, or the super-user, may edit the information associated
    257. 

  257. with the user.
    258. 

  258. .Pp
    259. 

  259. See
    260. 

  260. .Xr pwd_mkdb 8
    261. 

  261. for an explanation of the impact of setting the
    262. 

  262. .Ev PW_SCAN_BIG_IDS
    263. 

  263. environment variable.
    264. 

  264. .Sh NIS INTERACTION
    265. 

  265. The
    266. 

  266. .Nm
    267. 

  267. utility can also be used in conjunction with NIS, however some restrictions
    268. 

  268. apply.
    269. 

  269. Currently,
    270. 

  270. .Nm
    271. 

  271. can only make changes to the NIS passwd maps through
    272. 

  272. .Xr rpc.yppasswdd 8 ,
    273. 

  273. which normally only permits changes to a user's password, shell and GECOS
    274. 

  274. fields.
    275. 

  275. Except when invoked by the super-user on the NIS master server,
    276. 

  276. .Nm
    277. 

  277. (and, similarly,
    278. 

  278. .Xr passwd 1 )
    279. 

  279. cannot use the
    280. 

  280. .Xr rpc.yppasswdd 8
    281. 

  281. server to change other user information or
    282. 

  282. add new records to the NIS passwd maps.
    283. 

  283. Furthermore,
    284. 

  284. .Xr rpc.yppasswdd 8
    285. 

  285. requires password authentication before it will make any
    286. 

  286. changes.
    287. 

  287. The only user allowed to submit changes without supplying
    288. 

  288. a password is the super-user on the NIS master server; all other users,
    289. 

  289. including those with root privileges on NIS clients (and NIS slave
    290. 

  290. servers) must enter a password.
    291. 

  291. (The super-user on the NIS master is allowed to bypass these restrictions
    292. 

  292. largely for convenience: a user with root access
    293. 

  293. to the NIS master server already has the privileges required to make
    294. 

  294. updates to the NIS maps, but editing the map source files by hand can
    295. 

  295. be cumbersome.
    296. 

  296. .Pp
    297. 

  297. Note: these exceptions only apply when the NIS master server is a
    298. 

  298. .Fx
    299. 

  299. system).
    300. 

  300. .Pp
    301. 

  301. Consequently, except where noted, the following restrictions apply when
    302. 

  302. .Nm
    303. 

  303. is used with NIS:
    304. 

  304. .Bl -enum -offset indent
    305. 

  305. .It
    306. 

  306. .Em "Only the shell and GECOS information may be changed" .
    307. 

  307. All other
    308. 

  308. fields are restricted, even when
    309. 

  309. .Nm
    310. 

  310. is invoked by the super-user.
    311. 

  311. While support for
    312. 

  312. changing other fields could be added, this would lead to
    313. 

  313. compatibility problems with other NIS-capable systems.
    314. 

  314. Even though the super-user may supply data for other fields
    315. 

  315. while editing an entry, the extra information (other than the
    316. 

  316. password -- see below) will be silently discarded.
    317. 

  317. .Pp
    318. 

  318. Exception: the super-user on the NIS master server is permitted to
    319. 

  319. change any field.
    320. 

  320. .Pp
    321. 

  321. .It
    322. 

  322. .Em "Password authentication is required" .
    323. 

  323. The
    324. 

  324. .Nm
    325. 

  325. utility will prompt for the user's NIS password before effecting
    326. 

  326. any changes.
    327. 

  327. If the password is invalid, all changes will be
    328. 

  328. discarded.
    329. 

  329. .Pp
    330. 

  330. Exception: the super-user on the NIS master server is allowed to
    331. 

  331. submit changes without supplying a password.
    332. 

  332. (The super-user may
    333. 

  333. choose to turn off this feature using the
    334. 

  334. .Fl o
    335. 

  335. flag, described below.)
    336. 

  336. .It
    337. 

  337. .Em "Adding new records to the local password database is discouraged" .
    338. 

  338. The
    339. 

  339. .Nm
    340. 

  340. utility will allow the administrator to add new records to the
    341. 

  341. local password database while NIS is enabled, but this can lead to
    342. 

  342. some confusion since the new records are appended to the end of
    343. 

  343. the master password file, usually after the special NIS '+' entries.
    344. 

  344. The administrator should use
    345. 

  345. .Xr vipw 8
    346. 

  346. to modify the local password
    347. 

  347. file when NIS is running.
    348. 

  348. .Pp
    349. 

  349. The super-user on the NIS master server is permitted to add new records
    350. 

  350. to the NIS password maps, provided the
    351. 

  351. .Xr rpc.yppasswdd 8
    352. 

  352. server has been started with the
    353. 

  353. .Fl a
    354. 

  354. flag to permitted additions (it refuses them by default).
    355. 

  355. The
    356. 

  356. .Nm
    357. 

  357. utility tries to update the local password database by default; to update the
    358. 

  358. NIS maps instead, invoke chpass with the
    359. 

  359. .Fl y
    360. 

  360. flag.
    361. 

  361. .It
    362. 

  362. .Em "Password changes are not permitted".
    363. 

  363. Users should use
    364. 

  364. .Xr passwd 1
    365. 

  365. or
    366. 

  366. .Xr yppasswd 1
    367. 

  367. to change their NIS passwords.
    368. 

  368. The super-user is allowed to specify
    369. 

  369. a new password (even though the
    370. 

  370. .Dq Password:
    371. 

  371. field does not show
    372. 

  372. up in the editor template, the super-user may add it back by hand),
    373. 

  373. but even the super-user must supply the user's original password
    374. 

  374. otherwise
    375. 

  375. .Xr rpc.yppasswdd 8
    376. 

  376. will refuse to update the NIS maps.
    377. 

  377. .Pp
    378. 

  378. Exception: the super-user on the NIS master server is permitted to
    379. 

  379. change a user's NIS password with
    380. 

  380. .Nm .
    381. 

  381. .El
    382. 

  382. .Pp
    383. 

  383. There are also a few extra option flags that are available when
    384. 

  384. .Nm
    385. 

  385. is compiled with NIS support:
    386. 

  386. .Bl -tag -width indent
    387. 

  387. .It Fl l
    388. 

  388. Force
    389. 

  389. .Nm
    390. 

  390. to modify the local copy of a user's password
    391. 

  391. information in the event that a user exists in both
    392. 

  392. the local and NIS databases.
    393. 

  393. .It Fl y
    394. 

  394. Opposite effect of
    395. 

  395. .Fl l .
    396. 

  396. This flag is largely redundant since
    397. 

  397. .Nm
    398. 

  398. operates on NIS entries by default if NIS is enabled.
    399. 

  399. .It Fl d Ar domain
    400. 

  400. Specify a particular NIS domain.
    401. 

  401. The
    402. 

  402. .Nm
    403. 

  403. utility uses the system domain name by default, as set by the
    404. 

  404. .Xr domainname 1
    405. 

  405. utility.
    406. 

  406. The
    407. 

  407. .Fl d
    408. 

  408. option can be used to override a default, or to specify a domain
    409. 

  409. when the system domain name is not set.
    410. 

  410. .It Fl h Ar host
    411. 

  411. Specify the name or address of an NIS server to query.
    412. 

  412. Normally,
    413. 

  413. .Nm
    414. 

  414. will communicate with the NIS master host specified in the
    415. 

  415. .Pa master.passwd
    416. 

  416. or
    417. 

  417. .Pa passwd
    418. 

  418. maps.
    419. 

  419. On hosts that have not been configured as NIS clients, there is
    420. 

  420. no way for the program to determine this information unless the user
    421. 

  421. provides the hostname of a server.
    422. 

  422. Note that the specified hostname need
    423. 

  423. not be that of the NIS master server; the name of any server, master or
    424. 

  424. slave, in a given NIS domain will do.
    425. 

  425. .Pp
    426. 

  426. When using the
    427. 

  427. .Fl d
    428. 

  428. option, the hostname defaults to
    429. 

  429. .Dq localhost .
    430. 

  430. The
    431. 

  431. .Fl h
    432. 

  432. option can be used in conjunction with the
    433. 

  433. .Fl d
    434. 

  434. option, in which case the user-specified hostname will override
    435. 

  435. the default.
    436. 

  436. .Pp
    437. 

  437. .It Fl o
    438. 

  438. Force the use of RPC-based updates when communicating with
    439. 

  439. .Xr rpc.yppasswdd 8
    440. 

  440. .Pq Dq old-mode .
    441. 

  441. When invoked by the super-user on the NIS master server,
    442. 

  442. .Nm
    443. 

  443. allows unrestricted changes to the NIS passwd maps using dedicated,
    444. 

  444. non-RPC-based mechanism (in this case, a
    445. 

  445. .Ux
    446. 

  446. domain socket).
    447. 

  447. The
    448. 

  448. .Fl o
    449. 

  449. flag can be used to force
    450. 

  450. .Nm
    451. 

  451. to use the standard update mechanism instead.
    452. 

  452. This option is provided
    453. 

  453. mainly for testing purposes.
    454. 

  454. .El
    455. 

  455. .Sh FILES
    456. 

  456. .Bl -tag -width /etc/master.passwd -compact
    457. 

  457. .It Pa /etc/master.passwd
    458. 

  458. the user database
    459. 

  459. .It Pa /etc/passwd
    460. 

  460. a Version 7 format password file
    461. 

  461. .It Pa /etc/chpass.XXXXXX
    462. 

  462. temporary copy of the password file
    463. 

  463. .It Pa /etc/shells
    464. 

  464. the list of approved shells
    465. 

  465. .El
    466. 

  466. .Sh SEE ALSO
    467. 

  467. .Xr finger 1 ,
    468. 

  468. .Xr login 1 ,
    469. 

  469. .Xr passwd 1 ,
    470. 

  470. .Xr getusershell 3 ,
    471. 

  471. .Xr login.conf 5 ,
    472. 

  472. .Xr passwd 5 ,
    473. 

  473. .Xr pw 8 ,
    474. 

  474. .Xr pwd_mkdb 8 ,
    475. 

  475. .Xr vipw 8
    476. 

  476. .Rs
    477. 

  477. .%A Robert Morris
    478. 

  478. .%A Ken Thompson
    479. 

  479. .%T "UNIX Password security"
    480. 

  480. .Re
    481. 

  481. .Sh HISTORY
    482. 

  482. The
    483. 

  483. .Nm
    484. 

  484. utility appeared in
    485. 

  485. .Bx 4.3 Reno .
    486. 

  486. .Sh BUGS
    487. 

  487. User information should (and eventually will) be stored elsewhere.
    488.