rolemod(8) 맨 페이지 - 윈디하나의 솔라나라

개요

섹션
맨 페이지 이름
검색(S)

rolemod(8)

System Administration Commands                                      useradd(8)



NAME
       useradd,  roleadd,  usermod,  rolemod - administer an existing or add a
       new user or role login to the system

SYNOPSIS
       useradd [-A authorization[,authorization...]]
            [-b base_dir | -d dir] [-c comment] [-e expire]
            [-f inactive] [-g group] [-G group[,group]...]
            [-K key=value] [-m [-k skel_dir]] [-p projname]
            [-z yes | no | nodelegation]
            [-P profile[,profile...]]
            [-R role [, role...]]
            [-s shell] [-S repository] [-u uid [-o]] username


       useradd -D [-A authorization[,authorization...]]
            [-b base_dir] [-s shell [-k skel_dir]] [-e expire]
            [-f inactive] [-g group] [-K key=value] [-p projname]
            [-P profile[,profile...]]


       roleadd [-A authorization[,authorization...]]
            [-b base_dir | -d dir] [-c comment] [-e expire]
            [-f inactive] [-g group] [-G group [,group]...]
            [-K key=value] [-m [-k skel_dir]] [-p projname]
            [-z yes | no | nodelegation]
            [-P profile[,profile...]]
            [-s shell] [-S repository] [-u uid [-o]] rolename


       roleadd -D [-A authorization[,authorization...]]
            [-b base_dir] [-s shell [-k skel_dir]] [-e expire]
            [-f inactive] [-g group] [-K key=value] [-p projname]
            [-P profile[,profile...]]


       usermod [-A authorization[,authorization...]]
            [-d dir] [-c comment] [-e expire]
            [-f inactive] [-g group] [-G group [,group]...]
            [-K key=value] [-m [-k skel_dir]] [-p projname]
            [-z yes | no | nodelegation]
            [-P profile[,profile...]]
            [-R role [, role...]]
            [-l new_username]
            [-q qualifier]
            [-s shell] [-S repository] [-u uid [-o]] username


       rolemod [-A authorization[,authorization...]]
            [-d dir] [-c comment] [-e expire]
            [-f inactive] [-g group] [-G group [,group]...]
            [-K key=value] [-m [-k skel_dir]] [-p projname]
            [-z yes | no | nodelegation]
            [-P profile[,profile...]]
            [-l new_rolename]
            [-q qualifier]
            [-s shell] [-S repository] [-u uid [-o]] rolename

DESCRIPTION
       The useradd and roleadd utilities add a new user or role entry  to  the
       passwd(5),  shadow(5),  and user_attr(5) databases in the files or ldap
       repository.


       The usermod and rolemod utilities modify a user's or role's login defi‐
       nition on the system. They change the definition of the specified login
       and make the  appropriate  login-related  changes  to  the  appropriate
       repository and corresponding file system changes.


       The  -A  and -P options respectively assign authorizations and profiles
       to the user or role. The -R option assigns roles to a user. (Roles can‐
       not  be  assigned  to  other roles.) The -p option associates a project
       with a user or role. The  -K  option  adds  a  key=value  pair  to  the
       user_attr  entry  for the user or role. Multiple key=value pairs may be
       added with multiple -K options.


       The -G option creates supplementary group memberships for the  user  or
       role.  The -m option creates the home directory for the user or role if
       requested. The new login remains locked until the passwd(1) command  is
       executed.


       Specifying  the  -D  to useradd or roleadd with the -s, -k, -g, -b, -f,
       -e, -A, -P, -p, -R, or -K option (or any combination of these  options)
       sets  the  default values for the respective fields. See the -D option,
       below. Subsequent useradd or roleadd commands without the -D option use
       these arguments.


       Alternatively,  default  settings  may  be  specified  that are applied
       dynamically at run time. For accounts that are created using  -S  ldap,
       the  default values for any of the -K attributes may be specified using
       -S ldap and the  special  value  default@  as  the  account  name.  The
       default@ account is automatically locked since it is not intended to be
       used for logins. Additional default values may  be  specified  in  pol‐
       icy.conf(5).


       useradd  and  usermod require that usernames be in the format described
       in passwd(5). A warning message is displayed if these restrictions  are
       not met.


       roleadd and rolemod require that role names be a string of no more than
       eight bytes consisting of characters from the set of alphabetic charac‐
       ters,  numeric  characters, period (.), underscore (_), and hyphen (-).
       The first character should be alphabetic and the name should contain at
       least one lower case alphabetic character. A warning message is written
       if these restrictions are not  met.  A  future  Solaris  release  might
       refuse  to  accept role names that do not meet these requirements. Role
       names must contain at least one character and must not contain a  colon
       (:) or a newline (\n).


       When  used  with  usermod or rolemod the -A, -G, -K, -P, and -R options
       may take a list of values to add or remove to the granted set using the
       [+|-] prefix. A prefix + adds the value to the existing set; a prefix -
       removes the value from the existing granted set. To remove  all  values
       an empty list must be specified using '', or any appropriate equivalent
       according to the shell in use.


       An administrator must be granted the User Management Profile to be able
       to create a new user or role. An administrator must be granted the User
       Security Profile to modify the  security  attributes  for  an  existing
       user.  To  be able to modify the non-security attributes of an existing
       user requires the User Management Profile. The authorizations  required
       to set the various fields in passwd, shadow, and user_attr can be found
       in passwd(5), shadow(5), and user_attr(5). The authorizations  required
       to assign groups and projects can be found in group(5) and project(5).

OPTIONS
       The following options are supported:

       -A [+|-]authorization

           One or more comma-separated authorizations defined in auth_attr(5).
           Only a user or role who has grant rights to the  authorization  can
           assign it to an account.


       -b base_dir

           The  base  directory  for  new  login  home directories (see the -d
           option below. When a new user account is  being  created,  base_dir
           must  already  exist  unless the -m option or the -d option is also
           specified.


       -c comment

           Any text string. It is generally a short description of the  login,
           and  is  currently used as the field for the user's full name. This
           information is stored in the user's passwd entry.


       -d dir | server:dir

           Specifies the home directory path for the new user.  If  no  server
           name  is  specified,  the  specified directory is maintained in the
           passwd(5) database.

           The optional server name specifies  the  host  on  which  the  home
           directory  resides. Entries in this form depend on the automounter,
           and are maintained in the auto_home map. The path /home/username is
           maintained  in  the  passwd(5) database. When the user subsequently
           references /home/username, the automounter will mount the specified
           directory on /home/username.


       -D

           Display  the  default  values for group, base_dir, skel_dir, shell,
           inactive, expire, proj, projname,  zfshome,  and  key=value  pairs.
           When  used  with the -g, -b, -f, -e, -A, -P, -p, -R, or -K options,
           the -D option sets the default values for the specified fields. The
           default values are:


           tab()  box;  cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) FIELDDEFAULT
           VALUE  _  groupother  (GID   of   1)   _   base_dir/export/home   _
           skel_dir/etc/skel  _  shell/usr/bin/bash _ inactive0 _ expirenull _
           authsnull _ profilesnull _ auth_profilesnull _ proj3 _  projnamede‐
           fault  _  zfshomeyes _ T{ key=value (pairs defined in user_attr(5))
           T}not present _ rolesnull



       -e expire

           Specify the expiration date for a login. After this date,  no  user
           will  be able to access this login. The expire option argument is a
           date entered using one of the date formats included in the template
           file /etc/datemsk. See getdate(3C).

           If  the  date  format  that  you choose includes spaces, it must be
           quoted. For example, you can enter 10/6/90 or October  6,  1990.  A
           null  value  ("  ")  defeats  the  status of the expired date. This
           option is useful for creating temporary logins.


       -f inactive

           The maximum number of days allowed  between  uses  of  a  login  ID
           before  that  ID  is  declared  invalid. Normal values are positive
           integers. A value of 0 defeats the status.


       -g group

           An existing group's integer ID or  character-string  name.  Without
           the  -D  option, it defines the new user's primary group membership
           and defaults to the default group. You can reset this default value
           by  invoking  useradd   -D   -g   group. GIDs 0-99 are reserved for
           allocation by the Solaris Operating System.


       -G [+|-]group

           An existing group's integer ID or character-string name. It defines
           the  new  user's supplementary group membership. Duplicates between
           group with the  -g  and  -G  options  are  ignored.  No  more  than
           NGROUPS_MAX  groups  can  be  specified. GIDs 0-99 are reserved for
           allocation by the Solaris Operating System.


       -K key[+|-]=value

           A key=value pair to add  to  the  user's  attributes.  Multiple  -K
           options may be used to add multiple key=value pairs. The generic -K
           option with the appropriate key may be used instead of the specific
           implied  key  options (-A, -P, -R, -p). See user_attr(5) for a list
           of valid key=value pairs. The "type" key is not  a  valid  key  for
           this option. Keys may not be repeated.


       -k skel_dir

           A  directory  that contains skeleton information (such as .profile)
           that can be copied into a new user's home directory. This directory
           must  already  exist.  The  system provides the /etc/skel directory
           that can be used for this purpose.


       -m

           Create the new user's home directory if it does not already  exist.
           If the directory already exists, it must have read, write, and exe‐
           cute permissions by group, where group is the user's primary group.
           If the server name specified to the -d option is a remote host then
           the system will not attempt to create the home directory.

           When the -z option is not passed and  if  the  directory  does  not
           already  exist and the parent directory is the mount point of a ZFS
           dataset, then a child of that dataset will be created  and  mounted
           at  the  specified  location.  The user is delegated permissions to
           create ZFS snapshots and promote them. The  newly  created  dataset
           will  inherit  the  encryption  setting  from  its parent. If it is
           encrypted, the user is granted permission to  change  its  wrapping
           key.

           The newly created directory is created as multilevel dataset.


       -l new_loginname

           The  new login name for a user or role. Only valid with usermod and
           rolemod.


       -o

           This option allows a UID to be duplicated (non-unique).


       -P [+|-]profile

           One  or  more  comma-separated  execution   profiles   defined   in
           prof_attr(5).


       -p projname

           Name  of  the  project with which the added user is associated. See
           the projname field as defined in project(5).


       -q qualifier

           The name of a host or netgroup which qualifies where  the  extended
           attributes  (specified  through the -K, -P, -A, and -R options) are
           applicable. The prefix @ is required to indicate that the qualifier
           is  a  netgroup  name.  The  -q  option  is only valid if the login
           account is maintained in the LDAP name service.


       -R [+|-]role

           One  or  more  comma-separated  execution   profiles   defined   in
           user_attr(5). Roles cannot be assigned to other roles.


       -s shell

           Full  pathname of the program used as the user's shell on login. If
           unspecified, it will default to  any  value  previously  configured
           with  the  -D   -s  option. If no default has been set with -D  -s,
           then /usr/bin/bash will be used. The value of shell must be a valid
           executable file.


       -z zfshome

           Select if a new separate ZFS filesystem is created as the user/role
           home directory. The option can be set as the system wide default or
           set per user/role.

           yes

               User  has  their own ZFS filesystem with the mount, create, and
               snapshot zfs allow delegations


           nodelegation

               User has their own ZFS filesystem but with no delegations


           no

               Users home is a simple directory



       -S repository

           The repository specifies which name service will  be  updated.  The
           valid  repositories  are  files and ldap. The default repository is
           files. When the repository is files, the authorizations,  profiles,
           and roles can be present in other name service repositories and can
           be assigned to a user in the files repository. When the  repository
           is  ldap, all the assignable attributes must be present in the ldap
           repository, and both the LDAP server and client must be  configured
           with enableShadowUpdate. See ldapclient(8) for details.


       -u uid

           The  UID  of  the new user. This UID must be a non-negative decimal
           integer below MAXUID as defined in <sys/param.h>. The UID  defaults
           to the next available (unique) number above the highest number cur‐
           rently assigned. For  example,  if  UIDs  100,  105,  and  200  are
           assigned,  the  next  default UID number will be 201. UIDs 0-99 are
           reserved for allocation by the Solaris Operating System.


EXAMPLES
       Example 1 Creating a User



       The following command adds adds the user with the default configuration


         # useradd jdoe




       This results in the system assigning the next available uid,  the  user
       will not have a home directory created for them.

       Example  2 Creating a User with a specified uid and create a local home
       directory



       The following command adds adds the user and creates their home  direc‐
       tory in the default location


         # useradd -u 1001 -m jdoe


       Example 3 Creating a User with a local home directory that is not a ZFS
       filesystem



       The following command adds adds the user and creates their home  direc‐
       tory in the default location


         # useradd -z no -m jdoe




       This  results  in  new user with a directory in the default location as
       their home directory.

       Example 4 Set the system default for the type of home directory



       The following command sets the system wide default to  be  a  directory
       rather  than  a  per-user ZFS file system as the default home directory
       type.


         # useradd -D -z no


       Example 5 Assigning Privileges to a User



       The following command adds the privilege that affects  high  resolution
       times to a user's initial, inheritable set of privileges.


         # usermod -K defaultpriv=basic,proc_clock_highres jdoe




       This command results in the following entry in user_attr:


         jdoe::::type=normal;defaultpriv=basic,proc_clock_highres


       Example 6 Removing a Privilege from a User's Limit Set



       The  following  command removes the privilege that allows the specified
       user to create hard links to directories and to unlink directories.


         # usermod -K limitpriv=all,!sys_linkdir jdoe




       This command results in the following entry in user_attr:


         jdoe::::type=normal;defaultpriv=basic,limitpriv=all,!sys_linkdir


       Example 7 Removing a Privilege from a User's Basic Set



       The following command removes the privilege that allows  the  specified
       user to examine processes outside the user's session.


         # usermod -K defaultpriv=basic,!proc_session jdoe




       This command results in the following entry in user_attr:


         jdoe::::type=normal;defaultpriv=basic,!proc_session;limitpriv=all


       Example 8 Assigning a Role to a User



       The following command assigns a role to a user. The role must have been
       created prior to running this command.


         # usermod -R mailadm jdoe




       This command results in the following entry in user_attr:


         jdoe::::type=normal;roles=mailadm;defaultpriv=basic;limitpriv=all



       Example 9 Granting Several Rights to a User



       The following command  grants  the  solaris.zone.manage  authorization,
       Project  Management  rights  profile, sets limit privilege to basic and
       assigns the mailadm role to the user.


         # usermod -A 'solaris.zone.manage' -P 'Project Management' \
              -K limitpriv=basic -R mailadm -S files jdoe_ldap




       This command results in the following entry in user_attr:


         jdoe_ldap::::auths=solaris.zone.manage;profiles=ProjectManagement;
         limitpriv=basic;roles=mailadm


       Example 10 Granting an Authenticated Rights Profile to a User



       The following command adds an authenticated rights profile to a trusted
       user.


         # usermod -K auth_profiles+="Network Security" jdoe


       Example 11 Removing All Profiles from a User



       The  following command removes all profiles that were granted to a user
       directly. The user will still have any rights profiles that are granted
       by means of the PROFS_GRANTED key in policy.conf(5).


         # usermod -P "" jdoe


       Example 12 Set the root account to be a role



       Set the root account to be a role and assign the role to a user.


         # usermod -K type=role root



         # usermod -R +root jdoe




       This will change the root account to be a role and add the root role to
       any existing role assignments for the user jdoe.

       Example 13 Set the root account to be a direct login account



       Change the root account from being a role to a direct login account.


         # rolemod -K type=normal root




       This will change the root account to no longer be  a  role,  so  direct
       login to it on the console will be allowed.

       Example 14 Deleting a User



       Delete the user and remove their home directory.


         # userdel -r jdoe




       This  will  remove  the  user  entry from the passwd, shadow, group and
       user_attr databases, and will delete the users home directory  and  all
       of its content.

EXIT STATUS
       In  case  of  an  error, these commands print an error message and exit
       with one of the following values:

       1     No permission for attempted operation.


       2     The command syntax was invalid. A usage message for  the  usermod
             command is displayed.


       3     An invalid argument was provided to an option.


       4     The gid or uid given with the -u option is already in use.


       5     The password and shadow files are not consistent with each other.
             pwconv(8) might  be  of  use  to  correct  possible  errors.  See
             passwd(5) and shadow(5).


       6     The  login to be modified does not exist, the gid or the uid does
             not exist.


       7     The group, passwd, or shadow file is missing.


       9     A group or user name is already in use.


       10    Cannot update the passwd, shadow, or user_attr file.


       11    Insufficient space to move the home directory (-m option).


       12    Unable to create, remove, or move the new home directory.


       13    Requested login is already in use.


       14    Unexpected failure.


       16    Unable to update the group database.


       17    Unable to update the project database.


       18    Insufficient authorization.


       19    Does not have role.


       20    Does not have profile.


       21    Does not have privilege.


       22    Does not have label.


       23    Does not have group.


       24    System not running Trusted Extensions.


       25    Does not have project.


       26    Unable to update auto_home.


FILES
       /etc/datemsk


       /etc/passwd


       /etc/shadow


       /etc/group


       /etc/skel


       /usr/include/limits.h


       /etc/user_attr

ATTRIBUTES
       See attributes(7) for descriptions of the following attributes:


       tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE  TYPEAT‐
       TRIBUTE VALUE _ Availabilitysystem/core-os _ Interface StabilityCommit‐
       ted


SEE ALSO
       auths(1), passwd(1), profiles(1), roles(1), getdate(3C),  auth_attr(5),
       group(5), passwd(5), prof_attr(5), project(5), shadow(5), user_attr(5),
       attributes(7), labels(7),  rbac(7),  groupadd(8),  groupdel(8),  group‐
       mod(8), grpck(8), logins(8), pwck(8), pwconv(8), roledel(8), userdel(8)


       Managing User Accounts and User Environments in Oracle Solaris 11.4


       Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP

DIAGNOSTICS
       In case of an error, useradd displays an error message and exits with a
       non-zero status. If the error occurred because LDAP  is  misconfigured,
       the error message is preceded by "LDAP configuration problem".


       The following indicates that login specified is already in use:

         UX: useradd: ERROR: login is already in use. Choose another.



       The  following  indicates  that the uid specified with the -u option is
       not unique:

         UX: useradd: ERROR: uid uid is already in use. Choose another.




       The following indicates that the group specified with the -g option has
       not yet been created:

         UX: useradd: ERROR: group group does not exist. Choose another.




       The following indicates that the uid specified with the -u option is in
       the range of reserved UIDs (from 0-99):

         UX: useradd: WARNING: uid uid is reserved.



       The following indicates that the  uid  specified  with  the  -u  option
       exceeds MAXUID as defined in <sys/param.h>:

         UX: useradd: ERROR: uid uid is too big. Choose another.




       The  following  indicates  that the /etc/passwd or /etc/shadow files do
       not exist:

         UX: useradd: ERROR: Cannot update system files - login cannot be created.




       The following indicates that the user executing the  command  does  not
       have sufficient authorization to perform the operation:

         UX: useradd: ERROR: Permission denied.



       The  following  indicates  that an invalid directory was specified in a
       useradd command:

         UX: invalid_directory is not a valid directory. Choose another.


NOTES
       These utilities add or modify definitions in the passwd, shadow, group,
       project,  and  user_attr databases in the scope (default or specified).
       They will verify the uniqueness of the user name (or role) and user  id
       and  the  existence  of  any group names specified against the external
       name service.



Oracle Solaris 11.4               21 Jun 2021                       useradd(8)
맨 페이지 내용의 저작권은 맨 페이지 작성자에게 있습니다.
RSS ATOM XHTML 5 CSS3