<?xml version="1.0" encoding="UTF-8"?>
<!--
Copyright (c) 1991 - 1994, Julianne Frances Haugh
- Copyright (c) 2007 - 2009, Nicolas François
+ Copyright (c) 2007 - 2011, Nicolas François
All rights reserved.
Redistribution and use in source and binary forms, with or without
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY MAIL_DIR SYSTEM "login.defs.d/MAIL_DIR.xml">
<!ENTITY MAX_MEMBERS_PER_GROUP SYSTEM "login.defs.d/MAX_MEMBERS_PER_GROUP.xml">
+<!ENTITY TCB_SYMLINKS SYSTEM "login.defs.d/TCB_SYMLINKS.xml">
+<!ENTITY USE_TCB SYSTEM "login.defs.d/USE_TCB.xml">
+<!-- SHADOW-CONFIG-HERE -->
]>
<refentry id='usermod.8'>
<!-- $Id$ -->
<refentrytitle>usermod</refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo class="sectdesc">System Management Commands</refmiscinfo>
+ <refmiscinfo class="source">shadow-utils</refmiscinfo>
+ <refmiscinfo class="version">&SHADOW_UTILS_VERSION;</refmiscinfo>
</refmeta>
<refnamediv id='name'>
<refname>usermod</refname>
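Review bot: the added refmiscinfo "version" line references &SHADOW_UTILS_VERSION;, but the DOCTYPE changes visible in this patch only declare TCB_SYMLINKS and USE_TCB and add the SHADOW-CONFIG-HERE marker. If the build injects the version entity at that marker, say so in a comment next to it. Otherwise declare the entity here, since an undeclared entity reference is an error when the file is processed without that substitution.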
</term>
<listitem>
<para>
- Add the user to the supplemental group(s). Use only with
+ Add the user to the supplementary group(s). Use only with the
<option>-G</option> option.
</para>
</listitem>
</para>
<para>
If the <option>-m</option>
- option is given the contents of the current home directory will
+ option is given, the contents of the current home directory will
be moved to the new home directory, which is created if it does
not already exist.
</para>
The date on which the user account will be disabled. The date is
specified in the format <emphasis remap='I'>YYYY-MM-DD</emphasis>.
</para>
+ <para>
+ An empty <replaceable>EXPIRE_DATE</replaceable> argument will
+ disable the expiration of the account.
+ </para>
+ <para>
+ This option requires a <filename>/etc/shadow</filename> file.
+ A <filename>/etc/shadow</filename> entry will be created if
+ there were none.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
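Review bot: in the /etc/shadow paragraph added to the EXPIRE_DATE entry, "A /etc/shadow entry will be created if there were none" mixes future and past tense and does not say whose entry is meant. Suggest "An /etc/shadow entry will be created for the user if there is none." The same paragraph is added verbatim to the password-inactivity entry further down, so both copies need the fix.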
<para>
A value of 0 disables the account as soon
as the password has expired, and a value of -1 disables the
- feature. The default value is -1.
+ feature.
+ </para>
+ <para>
+ This option requires a <filename>/etc/shadow</filename> file.
+ A <filename>/etc/shadow</filename> entry will be created if
+ there were none.
</para>
</listitem>
</varlistentry>
<listitem>
<para>
The group name or number of the user's new initial login group.
- The group name must exist. A group number must refer to an
- already existing group. The default group number is 1.
+ The group must exist.
+ </para>
+ <para>
+ Any file from the user's home directory owned by the previous
+ primary group of the user will be owned by this new group.
+ </para>
+ <para>
+ The group ownership of files outside of the user's home directory
+ must be fixed manually.
</para>
</listitem>
</varlistentry>
The name of the user will be changed from
<replaceable>LOGIN</replaceable> to
<replaceable>NEW_LOGIN</replaceable>. Nothing else is changed. In
- particular, the user's home directory name should probably be
- changed manually to reflect the new login name.
+ particular, the user's home directory or mail spool should
+ probably be renamed manually to reflect the new login name.
</para>
</listitem>
</varlistentry>
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-m</option>, <option>--move-home</option>
+ </term>
+ <listitem>
+ <para>
+ Move the content of the user's home directory to the new
+ location.
+ </para>
+ <para>
+ This option is only valid in combination with the
+ <option>-d</option> (or <option>--home</option>) option.
+ </para>
+ <para>
+ <command>usermod</command> will try to adapt the ownership of the
+ files and to copy the modes, ACL and extended attributes, but
+ manual changes might be needed afterwards.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term>
<option>-o</option>, <option>--non-unique</option>
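Review bot: the new -m, --move-home entry overlaps with text this patch keeps in the home-directory entry ("If the -m option is given, the contents of the current home directory will be moved to the new home directory, which is created if it does not already exist"). Describe the behaviour in one place and cross-reference it from the other, so the two cannot drift apart. In the last added paragraph, "manual changes might be needed afterwards" gives the administrator nothing to verify. Name what may be left unadapted (ownership, modes, ACLs, extended attributes) and use the plural "ACLs".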
<refentrytitle>crypt</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>.
</para>
+ <para>
+ <emphasis role="bold">Note:</emphasis> This option is not
+ recommended because the password (or encrypted password) will
+ be visible by users listing the processes.
+ </para>
+ <para condition="pam">
+ The password will be written in the local
+ <filename>/etc/passwd</filename> or
+ <filename>/etc/shadow</filename> file. This might differ from the
+ password database configured in your PAM configuration.
+ </para>
+ <para>
+ You should make sure the password respects the system's
+ password policy.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-R</option>, <option>--root</option>
+ <replaceable>CHROOT_DIR</replaceable>
+ </term>
+ <listitem>
+ <para>
+ Apply changes in the <replaceable>CHROOT_DIR</replaceable>
+ directory and use the configuration files from the
+ <replaceable>CHROOT_DIR</replaceable> directory.
+ </para>
</listitem>
</varlistentry>
<varlistentry>
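Review bot: the Note added to the password option says the option is not recommended because the value is visible in the process list, but it names no alternative, so the reader is told what to avoid and not what to do instead. Suggest pointing to a tool that takes the password on standard input, such as chpasswd(8), and changing "visible by users listing the processes" to "visible to users listing the processes".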
<para>
This value must be unique,
unless the <option>-o</option> option is used. The value must be
- non-negative. Values between 0 and 999 are typically reserved
- for system accounts.
+ non-negative.
+ </para>
+ <para>
+ The user's mailbox, and any files which the user owns and which are
+ located in the user's home
+ directory will have the file user ID changed automatically.
</para>
<para>
- Any files which the user owns and which are
- located in the directory tree rooted at the user's home
- directory will have the file user ID changed automatically.
- Files outside of the user's home directory must be altered
- manually.
+ The ownership of files outside of the user's home directory
+ must be fixed manually.
+ </para>
+ <para>
+ No checks will be performed with regard to the
+ <option>UID_MIN</option>, <option>UID_MAX</option>,
+ <option>SYS_UID_MIN</option>, or <option>SYS_UID_MAX</option>
+ from <filename>/etc/login.defs</filename>.
</para>
</listitem>
</varlistentry>
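Review bot: the rewritten ownership paragraph drops "the directory tree rooted at" from the removed text, so "located in the user's home directory" no longer says whether files in subdirectories get the new user ID. Restore the recursive wording if that is still the behaviour. The same hunk adds "No checks will be performed" for UID_MIN, UID_MAX, SYS_UID_MIN and SYS_UID_MAX while removing the sentence about values reserved for system accounts. Consider keeping one sentence on what those ranges are for, so the consequence of the missing check is clear to the reader.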
password), you should also set the
<replaceable>EXPIRE_DATE</replaceable> (for example to
<replaceable>99999</replaceable>, or to the
- <replaceable>EXPIRE</replaceable> value from
+ <option>EXPIRE</option> value from
<filename>/etc/default/useradd</filename>).
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-Z</option>, <option>--selinux-user</option>
+ <replaceable>SEUSER</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SELinux user for the user's login. The default is to leave
+ this field the blank, which causes the system to select the
+ default SELinux user.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
<refsect1 id='caveats'>
<title>CAVEATS</title>
<para>
- <command>usermod</command> will not allow you to change the name of an
- user who is logged in. You must make certain that the named user is
+ You must make certain that the named user is
not executing any processes when this command is being executed if the
- user's numerical user ID is being changed. You must change the owner
- of any <command>crontab</command> files manually. You must change
- the owner of any <command>at</command> jobs manually. You must make
- any changes involving NIS on the NIS server.
+ user's numerical user ID, the user's name, or the user's home
+ directory is being changed. <command>usermod</command> checks this
+ on Linux, but only check if the user is logged in according to utmp
+ on other architectures.
+ </para>
+ <para>
+ You must change the owner of any <command>crontab</command> files or
+ <command>at</command> jobs manually.
+ </para>
+ <para>
+ You must make any changes involving NIS on the NIS server.
</para>
</refsect1>
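Review bot: in the first CAVEATS paragraph, "usermod checks this on Linux, but only check if the user is logged in according to utmp on other architectures" has a verb agreement error and leaves the gap implicit. Suggest "... on Linux; on other architectures it only checks whether the user is logged in according to utmp", and, if that is the intent, state that processes of a user who is not logged in go undetected there. Also in this hunk, the -Z entry reads "leave this field the blank"; drop "the".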
<variablelist>
&MAIL_DIR; <!-- documents also MAIL_FILE -->
&MAX_MEMBERS_PER_GROUP;
+ &TCB_SYMLINKS;
+ &USE_TCB;
</variablelist>
</refsect1>
<para>Group account information.</para>
</listitem>
</varlistentry>
+ <varlistentry condition="gshadow">
+ <term><filename>/etc/gshadow</filename></term>
+ <listitem>
+ <para>Secure group account information.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><filename>/etc/login.defs</filename></term>
+ <listitem>
+ <para>Shadow password suite configuration.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><filename>/etc/passwd</filename></term>
<listitem>