usermod(8)
NAME
usermod - Modifies a user's login information on the system.
SYNOPSIS
/usr/sbin/usermod [-c comment] [-d dir] [-e expire] [-m] [-g group] [-G
group[,group...]] [-H home_dir] [-p home_dir] [-l login_name] [-P] [-s
shell] [-t type] [-u uid [-o]] [-x extended_option] login
/usr/sbin/usermod -D [-g group] [-s shell] [-x extended_option]
OPTIONS
-c comment
Modifies the description of the account, currently used as the field
for the user's full name in the user database file. The comment
argument can be any text string. If the text string contains spaces,
enclose the string in quotes.
-H home_dir
Sets the pathname of the user's home directory location. The pathname
is combined with the login name to form the full path of the home
directory. The -H option cannot be used with the -d option, but see
also the -m option.
-d pathname
Specifies the home directory (file system) where the user account
resides. If not specified, dir defaults to base_dir/login, where
base_dir is the default directory for user login accounts and login is
the name of the new login account. The -d option cannot be used with
the -H option, but see also the -m option.
-m dir_pathname
Moves the user's home directory to the new location. This option must
be combined with either the -H or -d options.
-p Indicates that you want to supply a password. You are prompted to
enter the password, which is not echoed to the screen. After entering a
password, you are prompted to verify it by entering it.
-D Displays and sets the default values used by the account management
utilities for user and group information.
When used without arguments, this flag displays the default values. If
invoked with any combination of the flags listed by the usermod -D
command, it sets the default values for those flags. Subsequent
invocations of usermod use these new defaults. For example, in the
POSIX environment, the following command sets the group to be project,
the account to be local and the minimum UID to be 300 for any new login
that is created subsequently by useradd or dxaccounts:
# usermod -D -g project -x local=1 min_uid=300
-e expire
This option is only for use on systems running in enhanced security
mode and is useful for creating temporary logins. The value of the
expire argument is a date, which must be in the format 10/27/97. A blank
value ("") defeats the status of the expired date. Set the extended
option -x account_expiration for the default value. See the useradd(8)
reference page for a list of valid date formats. Note that if a two-
digit year is specified, and the number is >=69 and <=99, the year is
assumed to be 19** (20th century). Otherwise the year is assumed to be
20** (21st century).
-g group
Changes the account holder's primary group to the specified group
identification (GID). The group argument can be specified as an
existing group's identification number (GID) or character-string name.
You can use the -D option to set the default primary group for new
logins.
-G group[,group...]
Modifies the user's secondary groups. This option is a comma-separated list
of groups that defines the supplementary group membership for a new
user. Groups can be specified by the group's name or by its group
identification number (GID). An error is displayed for each group that
does not exist. Duplicate groups are ignored.
-l login_name
Changes the user's login name to the specified name.
-s shell
Modifies the user's login shell. When used without the -D option, it
specifies the full pathname of the program used as the user's login
shell. The shell argument must be a valid executable file. When used
with the -D option, -s defines the system default.
-t type
Changes an account type to the specified type.
-u uid
Modifies the user identification number (UID) of the new user. The uid
must be specified as a non-negative decimal integer.
-o When modifying a UID, allows a user identification (UID) number to be
duplicated (non-unique). This option can be used only with the -u
option.
-x extended_option
The following sets of extended_option attributes are available. You can
enter any number of options (within the character limit of the command
line) by separating each option with a space. Note that some extended
options are only available under specific system environments. To
review the current defaults, use the following command:
# usermod -D
A valid command string for extended options would be:
# usermod -D -x distributed=1 next_uid=300 \
administrative_lock_applied=0
The following extended options are available:
distributed=0|1
Indicates that the account is a NIS user account. This value can
be set as a default with the -D option and is incompatible with the
local option. If the distributed option is set, the local option is
automatically set to the opposite value.
local=0|1
Indicates that the account is local. This value can be set as a
default with the -D option and is incompatible with the distributed
option. If the local option is set, the distributed option is
automatically set to the opposite value.
min_uid=n
Specifies the minimum UID value. This value can only be set as a
default with the -D option.
max_uid=n
Specifies the maximum UID value. This value can only be set as a
default with the -D option.
next_uid=n
Specifies the next sequential unassigned UID. This value can only
be set as a default with the -D option.
dup_uid=0|1
Allows the UID to be a duplicate of an existing UID. This value can
only be set as a default with the -D option.
basehome_dir=pathname
Specifies the location of the file system where home directories
reside by default, such as /usr/users. This option can only be
used with the -D option to set a default.
skel_dir=pathname
Specifies the location of the file system where skeleton files, such
as the default user profile, reside (for example, /usr/skel). This
option can only be used with the -D option to set a default.
max_groups_per_user=n
Specifies the maximum number of groups to which a user can belong.
This value can only be set as a default with the -D option.
use_hashed=0|1
Specifies the hashed password database. This value can only be set
as a default with the -D option.
administrative_lock_applied=0|1
Locks the account. This value can be specified with -x in a
command or set as a default with the -D option. A value of 1 locks
the specified account, while a value of 0 will unlock it.
The default is 1.
The following extended_option attributes are available only on systems
running in enhanced security mode.
passwd_expire_time=n
Specifies the time, in days, between the last password change and
the password expiration. (A new password must be chosen.) The value
of n must be an integer. If the value of the passwd_expire_time
attribute is set to 0, there is no password expiration time.
passwd_lifetime=n
Specifies the time, in days, between the last password change and
the expiration of the account. The value of n must be an integer.
If the passwd_lifetime attribute is set to 0, the password lifetime
is infinite.
passwd_min_change_time=n
Specifies the time, in days, which must pass before a user can
change the user account password. The value of n must be an
integer. The passwd_min_change_time=0 argument means there is no
minimum time to change the user account password.
passwd_expire_date=date_string
The date on which the current password will expire. See the -e
option for a list of valid date formats.
passwd_choose_own=0|1
Allows the user to choose their own password.
passwd_run_generator=0|1
Forces the automatic password generator to run.
passwd_generated_length=n
Sets the number of characters for generated passwords.
passwd_checked_for_obviousness=0|1
Forces the automatic password checker to run.
passwd_min_change_time=n
Sets the minimum number of days that can elapse before a password
can be changed.
passwd_lifetime=n
Sets the maximum number of days that can elapse before the password
must be changed by the user.
passwd_must_change=0|1
Forces a password change.
passwd_min_length=n
Sets the minimum number of characters in a password.
passwd_max_length=n
Sets the maximum number of characters in a password.
passwd_history_limit=n
Sets the number of times that the password must be changed before a
password can be reused.
logon_hours=time-string
Sets the days of the week and hours of the day during which the
account holder can log in to the account. The time string format
is an entry of Dd0000-0000 for each day and time that logins are
enabled. Time is given in a 24-hour clock format. For example, to
restrict logins to Sunday, Monday and Wednesday:
Su0830-1730,Mo0830-1730,We0830-1730
The hours are restricted to 8:30AM to 5:30PM.
account_expiration=date_string
Specifies a date on which logins will be disabled automatically.
account_lifetime=n
Specifies a date on which the account will expire and will be
retired automatically.
account_inactive=n
Specifies the number of days that can elapse before an inactive
account is locked automatically.
max_login_attempts=n
Specifies the number of failed login attempts that can occur before
an account is locked automatically.
grace_limit=n
Specifies the number of days that can elapse after an account is
locked before the account will expire.
The following extended_option attributes are available for creating PC
accounts that can be assigned to client PC users on systems running
ASU:
pc_username=name_string
The user account name on the PC. This can be identical to the
user's UNIX account, or it can map to a shared account. See the
System Administration for more information on account mapping.
pc_unix_username=login_name
The backing UNIX account name. If no name is entered, it will be the
same as the PC user account name.
pc_fullname=text_string
The full name of the user or a description of the account.
pc_comment=text_string
A brief description of the account that is modifiable only by the
administrator.
pc_usercomment=text_string
A brief description of the account. This string can be changed by
the user.
pc_homedir=pathname
The path to the user's home directory, specified as an ASU share
format.
pc_primary_group=group
The primary ASU group (domain) to which the user belongs.
pc_secondary_groups=group,group....
The secondary ASU groups (domains) to which the user belongs. This
value is specified as a comma-delimited list.
pc_logon_workstations=client_name
A list of client host systems from which the user can log on. This
value is specified as a comma-delimited list and a null value (" ")
means that the user can log on from all workstations.
pc_logon_script=pathname
The directory where the default logon script is located. This
directory is created during ASU configuration.
pc_account_type=local|global
Specifies whether the PC account is a local or global account in
the ASU domain.
pc_account_expiration=date_string
Specifies the date on which the account will expire and logins will
be prevented.
pc_logon_hours=Dd0000-0000,Dd0000-0000....
Specifies the days of the week and hours of the day during which
logins will expire and logons will be permitted or denied. See
logon_hours for details of the string format.
pc_user_profile_path=pathname
Specifies the pathname to the default user profile directory.
pc_disable_account=0|1
Specifies whether the account is locked, disabling logins.
pc_passwd
A text string that will be the initial account password. Note that
you must precede the pc_passwd option with the -x option and you
will be prompted to enter a password and then confirm the entry.
The password will not be echoed to the screen.
pc_passwd_choose_own=0|1
Controls whether the user can set their own password.
pc_passwd_change_required=0|1
Forces password change during the initial login.
pc_forced_logoff=n_seconds
Specifies a forced log off when the user's account or logon time
expires. If there is a live server connection when the time
expires, and this value is set to 1, the connection will be
dropped. This option is only available with the -D option to change
the default setting. A value of -1 specifies never, meaning that
the user is not disconnected. The account expires after the user
logs off.
pc_min_passwd_age=n
Specifies the minimum number of days that can elapse before a
password can be changed by the user. This option is only available
with the -D option to change the default setting.
pc_max_passwd_age=n
Specifies the maximum number of days that can elapse before a
password must be changed by the user. This option is only available
with the -D option to change the default setting.
pc_passwd_min_length=n
Specifies the minimum number of characters in a valid password
string. This option is only available with the -D option to change
the default setting.
pc_passwd_uniqueness=n
Forces validation of the password for uniqueness. This option is
only available with the -D option to change the default setting.
This option is equivalent to the passwd_history_limit option.
login
Specifies the new login name of the user. It can be a string of any
printable characters, except a colon (:) or newline (\n) character.
You cannot specify a new login name for PC users. Refer to the Advanced
Server for UNIX (ASU) documentation for more information.
DESCRIPTION
The usermod command is part of a set of command-line interfaces (CLI) that
are used to create and administer user accounts on the system. When the
Advanced Server for UNIX (ASU) is installed and running, the usermod
command can also be used to administer Windows NT domain (PC) accounts,
including simultaneous (synchronized) modification of PC accounts or
modifications to PC accounts alone. Accounts can also be modified with the
/usr/bin/X11/dxaccounts graphical user interface (GUI), although the
extended options are only available from the CLI utilities such as useradd
and usermod.
Different options are available depending on how the local system is
configured:
· In the default UNIX environment, user account management is compliant
with the IEEE POSIX Draft P13873.3 standard.
· If enhanced (C2) security is configured, additional options and
extended options can be used.
· The CLI is backwards-compatible, so all existing local scripts will
function. However, you should consider testing your account
management scripts before use.
The usermod command modifies a user's login definition on the system and
makes the login-related changes in the appropriate system files determined
by the current level of security.
The system file entries modified with this command have a limit of 512
characters per line. Specifying long arguments to several options may
exceed this limit.
With the -x option, the system administrator can specify extended options,
such as whether the user login account to be modified is local or whether
it resides in the NIS master database. If the -x option is not specified,
the user login account is modified from the appropriate database as
specified by the system defaults.
The default behavior on the system for the usermod command is distributed=0
and local=1. With these values, the system modifies the user login
definition at the local database by default. Setting the distributed= and
local= attributes to the same value (for example, distributed=0 and
local=0) produces an error.
You must have superuser privilege to execute this command.
RESTRICTIONS
Note the following restrictions that apply to this release:
-P option
When modifying a synchronized PC and UNIX account that has different
UNIX and PC account names, the following conditions apply:
· If the -P flag is specified, pc_unix_username specifies the UNIX
account and the login is the PC account.
· If the -P flag is not given, pc_username specifies the PC account and
the login is the UNIX account.
-P option
When creating or modifying PC only accounts, the PC account will be
backed to the UNIX account lmworld. This account must exist when
adding PC only accounts. The lmworld account is created when the ASU
kit is installed.
When the -P option is used, the specified login is the PC account name.
When the -P option is not used, the specified login is the UNIX account
name. When the extended option pc_synchronize is used, the specified
login is the UNIX account name.
pc_unix_username extended option
The extended attribute pc_unix_username can only be used when the -P
option is specified on the command line. This extended option is used
to specify a UNIX account name when creating or modifying a PC account.
pc_username extended option
The extended attribute pc_username cannot be used when the -P option is
specified on the command line. It is used to specify a PC account name
when creating or modifying a UNIX account.
pc_synchronize extended option
The pc_synchronize option cannot be used with the -P option.
Distributed accounts can only be added or modified on NIS servers.
EXIT STATUS
The usermod command exits with one of the following values:
0 Success.
1 Failure.
2 Warning.
EXAMPLES
1. The following example changes the UID of the user, newuser, to 451 in
the user database:
% usermod -u 451 newuser
2. The following example changes the home directory of the user, xyz to
/users/xyz, and moves the files from the user's current directory to
the new directory:
% usermod -d /users/xyz -m xyz
3. The following example changes the login shell of the user, abc, in the
NIS master database on the system where the command is executed:
% usermod -s /bin/csh -x distributed=1 abc
4. The following example changes the user's login name from abc to xyz:
% usermod -l xyz abc
5. The following example shows a typical output of default settings using
the -D option alone:
% usermod -D
Local = 1
Distributed = 0
Minimum User ID = 12
Next User ID = 200
Maximum User ID = 4294967293
Duplicate User ID = 0
Use Hashed Database = 0
Max Groups Per User = 32
Base Home Directory = /usr/users
Administrative Lock = 1
Primary Group = users
Skeleton Directory = /usr/skel
Shell = /bin/sh
Synchronized UNIX/PC Accts = 0
PC Minimum Password Length = 8
PC Minimum Password Age = 30
PC Maximum Password Age = 90
PC Password Uniqueness = 1
PC Force Logoff After = 4294967295
6. The following example changes the primary group of the user, abc, to
15:
% usermod -g 15 abc
7. The following example enables the creation of synchronized PC accounts
and sets the minimum user ID (UID) and the next user ID to be used:
% usermod -D -x pc_synchronize=1 \
min_uid=20 next_uid=250
8. The following example applies to the user's PC account only. It
unlocks the account and sets the allowed logins from 8:00 AM to 11:00
PM on Monday:
% usermod -P -x pc_disable_account=0 \
pc_logon_hours=Mo0800-2300 StudentB
9. The following example shows how to modify a user's password:
% usermod -P -x pc_passwd StudentB
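The logon_hours and pc_logon_hours time strings described under OPTIONS (and used in example 8) restrict when an account can log in, so it helps to check the string before it is passed to usermod -x. The following script is an added example, not part of the original reference page; the function names are hypothetical, and the full set of day codes, the start-before-end rule and the inclusive window bounds are assumptions.

```sh
#!/bin/sh
# Added example (not from the reference page): check a logon_hours or
# pc_logon_hours time string before passing it to usermod -x.
# Assumption: day codes are Su Mo Tu We Th Fr Sa (the page shows Su, Mo, We).

# valid_hhmm HHMM: succeeds for a 24-hour clock time, 0000 through 2359.
valid_hhmm() {
    case "$1" in
        [01][0-9][0-5][0-9] | 2[0-3][0-5][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# check_entry DdHHMM-HHMM: succeeds if one entry is well formed.
# Assumption: the start time must be earlier than the end time.
check_entry() {
    rest=${1#??}                 # text after the two-letter day code
    day=${1%"$rest"}
    case "$day" in
        Su | Mo | Tu | We | Th | Fr | Sa) ;;
        *) return 1 ;;
    esac
    case "$rest" in
        ????-????) ;;
        *) return 1 ;;
    esac
    valid_hhmm "${rest%-*}" && valid_hhmm "${rest#*-}" &&
        [ "${rest%-*}" -lt "${rest#*-}" ]
}

# check_logon_hours STRING: succeeds if every comma-separated entry is valid;
# names the first bad entry on stderr. Runs in a subshell so IFS stays local.
check_logon_hours() (
    case "$1" in
        "" | ,* | *, | *,,*) echo "empty entry in '$1'" >&2; exit 1 ;;
    esac
    IFS=,
    set -f                       # no globbing while splitting on commas
    for entry in $1; do
        check_entry "$entry" || { echo "bad entry '$entry'" >&2; exit 1; }
    done
)

# logon_allowed STRING Dd HHMM: exit 0 if the day and time fall inside a
# window (bounds treated as inclusive), 1 if not, 2 if the input is malformed.
logon_allowed() (
    check_logon_hours "$1" && valid_hhmm "$3" || exit 2
    IFS=,
    set -f
    for entry in $1; do
        rest=${entry#??}
        [ "${entry%"$rest"}" = "$2" ] || continue
        [ "$3" -ge "${rest%-*}" ] && [ "$3" -le "${rest#*-}" ] && exit 0
    done
    exit 1
)

# Sample input: the string shown in the logon_hours description.
check_logon_hours "Su0830-1730,Mo0830-1730,We0830-1730" && echo "time string OK"
```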
FILES
The usermod command operates on the appropriate files for the specific
level of system security.
SEE ALSO
Commands: groupadd(8), groupdel(8), groupmod(8), useradd(8), userdel(8)
System Administration
Security