Arch Linux change user

DESCRIPTION

The newusers command reads a file (or the standard input by default) and uses this information to update a set of existing users or to create new users. Each line is in the same format as the standard password file (see passwd(5)) with the exceptions explained below:

It can be the name of a new user or the name of an existing user (or a user created before by newusers). In case of an existing user, the user’s information will be changed, otherwise a new user will be created.

If the field is empty, a new (unused) UID will be defined automatically by newusers.

If this field contains a number, this number will be used as the UID.

If this field contains the name of an existing user (or the name of a user created before by newusers), the UID of the specified user will be used.

If the UID of an existing user is changed, the ownership of the user’s files should be fixed manually.

If this field contains the name of an existing group (or a group created before by newusers), the GID of this group will be used as the primary group ID for the user.

If this field is a number, this number will be used as the primary group ID of the user. If no groups exist with this GID, a new group will be created with this GID, and the name of the user.

If this field is empty, a new group will be created with the name of the user and a GID will be automatically defined by newusers to be used as the primary group ID for the user and as the GID for the new group.

If this field contains the name of a group which does not exist (and was not created before by newusers), a new group will be created with the specified name and a GID will be automatically defined by newusers to be used as the primary group ID for the user and GID for the new group.

If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group. Note that newusers does not create parent directories of the new user’s home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory; it will continue to process the batch of new users specified.

If the home directory of an existing user is changed, newusers does not move or copy the content of the old directory to the new location. This should be done manually.

newusers first tries to create or change all the specified users, and then write these changes to the user or group databases. If an error occurs (except in the final writes to the databases), no changes are committed to the databases.

During this first pass, users are created with a locked password (and passwords are not changed for the users which are not created). A second pass is used to update the passwords using PAM. Failures to update a password are reported, but will not stop the other password updates.

This command is intended to be used in a large system environment where many accounts are updated at a single time.

OPTIONS

The options which apply to the newusers command are:

System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).

-R, --root CHROOT_DIR

Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory. Only absolute paths are supported.

CAVEATS

The input file must be protected since it contains unencrypted passwords.
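
A pre-flight check for a batch file, covering the home-directory behaviour described above and this caveat (an added example, not part of the man page or of the shadow tools). The function name lint_newusers, its messages and the optional PASSWD_DB argument are assumptions of the example, accounts created earlier in the same batch are not tracked, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not part of the man page. lint_newusers BATCH [PASSWD_DB]
# prints one finding per line and returns 1 if anything was found. PASSWD_DB
# defaults to /etc/passwd (assumption: local accounts only, no NIS/LDAP).
lint_newusers() {
    batch=$1; db=${2:-/etc/passwd}; bad=0; n=0
    # CAVEATS: cleartext passwords, so no group/other permission bits.
    if [ "$(ls -ld -- "$batch" | cut -c5-10)" != "------" ]; then
        echo "file: accessible by group or other"; bad=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        # passwd(5) format: exactly 7 colon-separated fields.
        case $line in
            *:*:*:*:*:*:*:*) ok=0 ;; *:*:*:*:*:*:*) ok=1 ;; *) ok=0 ;;
        esac
        if [ "$ok" -eq 0 ]; then
            echo "line $n: expected 7 colon-separated fields"; bad=1; continue
        fi
        # Split inside the shell so the password is never passed to a command.
        name=${line%%:*}; rest=${line#*:*:}
        uid=${rest%%:*}; rest=${rest#*:*:*:}; home=${rest%%:*}
        # An existing name means the account is changed, not created.
        if awk -F: -v u="$name" '$1 == u { f = 1 } END { exit !f }' "$db"; then
            echo "line $n: '$name' exists and will be modified"; bad=1
        fi
        # The UID field may be a number or the name of an existing user.
        case $uid in
            *[!0-9]*) uid=$(awk -F: -v u="$uid" '$1 == u { print $3; exit }' "$db") ;;
        esac
        if [ -n "$uid" ] && [ "$uid" -eq 0 ]; then
            echo "line $n: '$name' would get UID 0"; bad=1
        fi
        # newusers does not create parent directories and does not fail either.
        if [ -n "$home" ] && [ ! -d "$(dirname -- "$home")" ]; then
            echo "line $n: parent of '$home' is missing, home will not be created"; bad=1
        fi
    done < "$batch"
    return "$bad"
}

# Constructed sample input with placeholder passwords.
demo=$(mktemp -d)
printf '%s\n' 'root:x:0:0::/root:/bin/sh' > "$demo/db"
printf '%s\n' 'alice:PLACEHOLDER:::Alice:/no-such-parent/alice:/bin/bash' \
    'bob:PLACEHOLDER:root:::/tmp/bob:/bin/bash' 'carol:PLACEHOLDER' > "$demo/batch"
chmod 600 "$demo/batch"
lint_newusers "$demo/batch" "$demo/db" || true
rm -rf "$demo"
```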

CONFIGURATION

The following configuration variables in /etc/login.defs change the behavior of this tool:

GID_MAX (number), GID_MIN (number)

Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.

The default value for GID_MIN (resp. GID_MAX) is 1000 (resp. 60000).

useradd and newusers use this to set the mode of the home directory they create.

MAX_MEMBERS_PER_GROUP (number)

Maximum members per group entry. When the maximum is reached, a new group entry (line) is started in /etc/group (with the same name, same password, and same GID).

The default value is 0, meaning that there are no limits in the number of members in a group.

This feature (split group) makes it possible to limit the length of lines in the group file. This is useful to make sure that lines for NIS groups are not larger than 1024 characters.

If you need to enforce such a limit, you can use 25.

Note: split groups may not be supported by all tools (even in the Shadow toolsuite). You should not use this variable unless you really need it.

PASS_MAX_DAYS (number)

The maximum number of days a password may be used. If the password is older than this, a password change will be forced. If not specified, -1 will be assumed (which disables the restriction).

PASS_MIN_DAYS (number)

The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If not specified, 0 will be assumed (which disables the restriction).

PASS_WARN_AGE (number)

The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a negative value means no warning is given. If not specified, no warning will be provided.

SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)

If /etc/subuid exists, the commands useradd and newusers (unless the user already has subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user.

The default values for SUB_GID_MIN, SUB_GID_MAX, SUB_GID_COUNT are respectively 100000, 600100000 and 65536.

SUB_UID_MIN (number), SUB_UID_MAX (number), SUB_UID_COUNT (number)

If /etc/subuid exists, the commands useradd and newusers (unless the user already has subordinate user IDs) allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user.

The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 65536.

SYS_GID_MAX (number), SYS_GID_MIN (number)

Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers.

The default value for SYS_GID_MIN (resp. SYS_GID_MAX) is 101 (resp. GID_MIN-1).

SYS_UID_MAX (number), SYS_UID_MIN (number)

The default value for SYS_UID_MIN (resp. SYS_UID_MAX) is 101 (resp. UID_MIN-1).

UID_MAX (number), UID_MIN (number)

The default value for UID_MIN (resp. UID_MAX) is 1000 (resp. 60000).

The file mode creation mask is initialized to this value. If not specified, the mask will be initialized to 022.

useradd and newusers use this mask to set the mode of the home directory they create if HOME_MODE is not set.

It is also used by pam_umask as the default umask value.
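
An audit of the ranges that the SUB_UID_* and SUB_GID_* settings above hand out, as an added example that is not part of the man page. audit_subid is a hypothetical helper, the name:start:count layout comes from subuid(5), and the sample entries are constructed.

```sh
#!/bin/sh
# Added example, not part of the man page. audit_subid FILE [MIN MAX] reads a
# subuid(5)/subgid(5) file ("name:start:count"), prints one finding per line
# and returns 1 if anything was found. MIN and MAX default to the SUB_UID_MIN
# and SUB_UID_MAX defaults quoted above.
audit_subid() {
    sort -t: -k2,2n -- "$1" | awk -F: -v min="${2:-100000}" -v max="${3:-600100000}" '
        NF != 3 || $2 !~ /^[0-9]+$/ || $3 !~ /^[0-9]+$/ {
            print "malformed entry: " $0; bad = 1; next
        }
        { first = $2 + 0; last = first + $3 - 1 }
        # IDs outside the subordinate range can collide with real accounts.
        first < min || last > max {
            printf "%s: %d-%d is outside %d-%d\n", $1, first, last, min, max; bad = 1
        }
        # Input is sorted by start, so an overlap shows up against the furthest
        # range end seen so far.
        seen && $1 != owner && first <= reach {
            printf "%s: %d-%d overlaps %s (ends at %d)\n", $1, first, last, owner, reach
            bad = 1
        }
        !seen || last > reach { reach = last; owner = $1; seen = 1 }
        END { exit bad }'
}

# Constructed sample: bob starts inside the range of alice, svc sits in the
# regular UID range.
demo=$(mktemp)
printf '%s\n' 'alice:100000:65536' 'bob:165000:65536' 'svc:1000:10' > "$demo"
audit_subid "$demo" || true
rm -f "$demo"
```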

DESCRIPTION

su allows commands to be run with a substitute user and group ID.

When called with no user specified, su defaults to running an interactive shell as root. When user is specified, additional arguments can be supplied, in which case they are passed to the shell.

For backward compatibility, su defaults to not change the current directory and to only set the environment variables HOME and SHELL (plus USER and LOGNAME if the target user is not root). It is recommended to always use the --login option (instead of its shortcut ) to avoid side effects caused by mixing environments.

This version of su uses PAM for authentication, account and session management. Some configuration options found in other su implementations, such as support for a wheel group, have to be configured via PAM.

su is mostly designed for unprivileged users; the recommended solution for privileged users (e.g., scripts executed by root) is to use the non-set-user-ID command runuser(1), which does not require authentication and provides separate PAM configuration. If the PAM session is not required at all, then the recommended solution is to use the command setpriv(1).

Note that su in all cases uses PAM (pam_getenvlist(3)) to do the final environment modification. Command-line options such as --login and --preserve-environment affect the environment before it is modified by PAM.

Since version 2.38 su resets process resource limits RLIMIT_NICE, RLIMIT_RTPRIO, RLIMIT_FSIZE, RLIMIT_AS and RLIMIT_NOFILE.

OPTIONS

-c, --command=command

-g, --group=group

-G, --supp-group=group

Specify a supplementary group. This option is available to the root user only. The first specified supplementary group is also used as a primary group if the option --group is not specified.

• clears all the environment variables except TERM and variables specified by --whitelist-environment

-m, -p, --preserve-environment

Preserve the entire environment, i.e., do not set HOME, SHELL, USER or LOGNAME. This option is ignored if the option --login is specified.

Create a pseudo-terminal for the session. The independent terminal provides better security as the user does not share a terminal with the original session. This can be used to avoid TIOCSTI ioctl terminal injection and other security attacks against terminal file descriptors. The entire session can also be moved to the background (e.g., su --pty username -c application &). If the pseudo-terminal is enabled, then su works as a proxy between the sessions (sync stdin and stdout).

This feature is mostly designed for interactive sessions. If the standard input is not a terminal, but for example a pipe (e.g., echo "date" | su --pty), then the ECHO flag for the pseudo-terminal is disabled to avoid messy output.

-s, --shell=shell

Run the specified shell instead of the default. The shell to run is selected according to the following rules, in order:

• the shell specified in the environment variable SHELL, if the --preserve-environment option is used

If the target user has a restricted shell (i.e., not listed in /etc/shells), the --shell option and the SHELL environment variables are ignored unless the calling user is root.

--session-command=command

-w, --whitelist-environment=list

Don’t reset the environment variables specified in the comma-separated list when clearing the environment for --login. The whitelist is ignored for the environment variables HOME, SHELL, USER, LOGNAME, and PATH.

SIGNALS

Upon receiving either SIGINT, SIGQUIT or SIGTERM, su terminates its child and afterwards terminates itself with the received signal. The child is terminated by SIGTERM; after an unsuccessful attempt and 2 seconds of delay, the child is killed by SIGKILL.

CONFIG FILES

su reads the /etc/default/su and /etc/login.defs configuration files. The following configuration items are relevant for su:

Defines the PATH environment variable for a regular user. The default value is /usr/local/bin:/bin:/usr/bin.

ENV_ROOTPATH (string), ENV_SUPATH (string)

Defines the PATH environment variable for root. ENV_SUPATH takes precedence. The default value is /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin.

ALWAYS_SET_PATH (boolean)

If set to yes and --login and --preserve-environment were not specified su initializes PATH.

The environment variable PATH may be different on systems where /bin and /sbin are merged into /usr; this variable is also affected by the --login command-line option and the PAM system setting (e.g., pam_env(8)).

EXIT STATUS

su normally returns the exit status of the command it executed. If the command was killed by a signal, su returns the number of the signal plus 128.

Exit status generated by su itself:
