From f791716cd4ca5f25a2b1977c3a635722a8a5c316 Mon Sep 17 00:00:00 2001 From: ianmdlvl Date: Sun, 14 Jul 2002 19:29:37 +0000 Subject: [PATCH] Manpages for all of sync-accounts. --- debian/changelog | 2 +- sync-accounts/grab-account.8 | 77 +++++ sync-accounts/sync-accounts | 183 +---------- sync-accounts/sync-accounts-createuser.8 | 103 ++++++ sync-accounts/sync-accounts.5 | 396 +++++++++++++++++++++++ sync-accounts/sync-accounts.8 | 68 ++-- 6 files changed, 624 insertions(+), 205 deletions(-) create mode 100644 sync-accounts/grab-account.8 create mode 100644 sync-accounts/sync-accounts-createuser.8 create mode 100644 sync-accounts/sync-accounts.5 diff --git a/debian/changelog b/debian/changelog index 8466b92..be60a22 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,7 +1,7 @@ chiark-utils (3.0.0) unstable; urgency=low * Added sync-accounts. - * Manpage sync-accounts(8). + * Manpages for all of sync-accounts. * sync-accounts comments may be indented. -- diff --git a/sync-accounts/grab-account.8 b/sync-accounts/grab-account.8 new file mode 100644 index 0000000..8d6687d --- /dev/null +++ b/sync-accounts/grab-account.8 @@ -0,0 +1,77 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.TH GRAB\-ACCOUNT 8 "14th July 2002" "Greenend" "chiark utilities" +.SH NAME +grab\-account \- add new account synchronised to remote system +.SH SYNOPSIS +.BI "grab\-account " local\-user " " source " [" remote\-user ] +.SH DESCRIPTION +.B grab-account +reconfigures sync-accounts to start synchronising a specified local +user (which may not yet exist) from a specified remote system, and +then invokes sync-accounts once to synchronise from that source. + +.B /etc/sync-accounts/createuser +should contain a +.B addhere +line in the appropriate source section (ie, after +.BR host " \fIsource\fP)." +grab-account adds a +.br +.BR " user" " \fIlocal\-user\fP [" remote= "\fIremote\-user\fP]" +.br +directive just before +.B addhere +and runs +.BR sync-accounts " \fIsource\fP." +.SH EXIT STATUS +.TP +.B 0 +All went well. +.TP +any other +There were problems. +.SH FILES +.BR /etc/sync-accounts ; +See also +.BR sync-accounts (8). +.SH ENVIRONMENT +See +.BR sync-accounts (8). +.SH BUGS +There is no locking of +.B /etc/sync-accounts +so do not invoke grab-account from a script, or more than once at a +time by hand. Do not edit /etc/sync-accounts by hand and also +simultaneously run grab-account. + +The mechanism involving +.B addhere +is suboptimal. This should be done with an include feature in +sync-accounts, so that grab-account does not have to edit a +configuration file that really belongs to the sysadmin. +.SH AUTHOR +.B grab-account +and this manpage are part of the +.B sync-accounts +package which was written by Ian Jackson . +They are Copyright 1999-2000,2002 Ian Jackson +, and Copyright 2000-2001 nCipher +Corporation Ltd. + +The sync-accounts package is free software; you can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation; either version 2, or (at +your option) any later version. + +This is distributed in the hope that it will be useful, but WITHOUT ANY +WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +details. + +You should have received a copy of the GNU General Public License along +with this program; if not, write to the Free Software Foundation, Inc., +59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +.SH SEE ALSO +.BR sync-accounts "(8), " +.BR sync-accounts "(5), " +.BR passwd "(5)" diff --git a/sync-accounts/sync-accounts b/sync-accounts/sync-accounts index fe5b666..3efa06e 100755 --- a/sync-accounts/sync-accounts +++ b/sync-accounts/sync-accounts @@ -1,8 +1,8 @@ #!/usr/bin/perl -# $Id: sync-accounts,v 1.19 2002-07-14 17:07:44 ianmdlvl Exp $ +# $Id: sync-accounts,v 1.20 2002-07-14 19:29:37 ianmdlvl Exp $ # -# Copyright (C)1999-2000 Ian Jackson -# Copyright (C)2000-2001 nCipher Corporation Ltd +# Copyright 1999-2000,2002 Ian Jackson +# Copyright 2000-2001 nCipher Corporation Ltd # # This is free software; you can redistribute it and/or modify it under # the terms of the GNU General Public License as published by the Free @@ -17,183 +17,6 @@ # You should already have a copy of the GNU General Public License. # If not, write to the Free Software Foundation, Inc., 59 Temple # Place - Suite 330, Boston, MA 02111-1307, USA. -# -# The config file consists of directives, one per line. Leading and -# trailing whitespace, blank lines and lines starting # are ignored. -# -# Some config file directives apply globally and should appear first: -# -# lockpasswd link -# lockgroup link -# Specifies the lockfile suffix or pathname to use when editing -# the passwd and group files. The value is a suffix if it does -# not start with `/'. If set to /dev/null no locking is done. -# -# lockpasswd runvia -# lockgroup runvia -# Lock by reinvoking ourselves via a program as EDITOR. -# ( would typically be vipw or vigr.) -# -# lockpasswd none -# lockgroup none -# Do not lock. -# -# logfile -# Append log messages to instead of stdout. -# Errors still go to stderr. -# -# localformat bsd|std -# Specifies the local password file is in the relevant format: -# `std' is the standard V7 password file (with a SysV- style -# /etc/shadow if one is detected at run-time); `bsd' is the weird -# BSD4.4 master.passwd format, and should be used only with -# `lockpasswd runvia vipw'. The default is `std'. -# -# Some config file directives set options which may be different at -# different points in the file. The most-recently-seen value is used -# at each point: -# -# uidmin -# uidmax -# homebase -# When an account is to be created, a uid/gid will be chosen -# which is one higher than the highest currently in use (except -# that ids outside the range - are ignored and will -# never be used). The default home directory location is -# /. -# -# sameuid -# nosameuid -# Specifies whether uids are supposed to match. The default is -# nosameuid. When sameuid is on, it is an error for the uid or -# gid of a local account not to match the corresponding remote -# account, and new local accounts will get the remote accounts' -# ids. -# -# usergroups -# nousergroups -# defaultgid -# Specifies whether local accounts are supposed to have -# corresponding groups, or all be part of a particular group. If -# usergroups is set, when a new account is created, the -# corresponding per-user group will be created as well, and -# per-user groups are created for existing accounts if necessary -# (if account creation is enabled). If the gid or group name for -# a per-user group is already taken for a different group name or -# gid this will be logged, and processing of that account will be -# inhibited, but it is not a fatal error. If defaultgid is used, -# then newly-created accounts will be made a part of that group, -# and the groups of existing accounts will be left alone. If -# nousergroups is specified then no new accounts can be created, -# and existing accounts' groups will be left alone. The default -# is `usergroups'. -# -# createuser -# createuser -# nocreateuser -# Specifies whether accounts found on the remote host should be -# created if necessary, and what command to run to do the -# creation (eg, setup of home directory). The default is -# nocreateuser. If createuser is specified without a commandname -# then sync-accounts-createuser is used. The command is found on -# the PATH if necessary. Either sameuid, or both uidmin and -# uidmax, must be specified, if accounts are to be created. -# -# The command (which will be run with sh -c) must at least create -# the new account's home directory. The passwd and group entries -# will not have been set up. The following environment variables -# will be set, giving details about the account to be created: -# SYNCUSER_CREATE_USER -# SYNCUSER_CREATE_UID -# SYNCUSER_CREATE_GID -# SYNCUSER_CREATE_COMMENT -# SYNCUSER_CREATE_HOME -# SYNCUSER_CREATE_SHELL -# If it chooses, the script may modify the password entry which -# will be added to the system, by outputting a replacement -# password file entry. (The password field of that is ignored.) -# If the script outputs a line which does not contain a : then -# the account will not be created after all. -# -# group -# nogroup -# Specifies that the membership of the local groups specified -# should be adjusted or not adjusted whenever account data for a -# particular user is copied, so that the account will be a member -# of the affected group locally iff it is a member of the same -# group on the remote host. The most recently-encountered -# glob-pattern for a particular group takes effect. The default -# is `nogroups *'. -# -# defaultshell -# If, when creating an account, the remote account's shell is not -# available on the local system, this value will be used. The -# default is /bin/sh. -# -# Some config file directives are per-host, and should appear before -# any directives which actually modify accounts: -# -# host -# Starts a host's section. This resets the per-host parameters -# to the defaults. The shorthostname need not be the host's -# official name in any sense. If sync-accounts is invoked with -# host names on the command line they are compared with the -# shorthostnames. -# -# getpasswd -# getgroup -# Commands to run on the local host to get the passwd, shadow and -# group data for the host in question. getpasswd must be -# specified if user data is to be transferred; getgroup must be -# specified if group data is to be transferred. -# -# getshadow -# Specifies that shadow file data is to be used (by default, -# password information is found from the output of getpasswd). -# The command should emit shadow data in the format specified by -# shadow(5) on Linux. getshadow should not be specified without -# getpasswd. -# -# remoteformat std|bsd -# Specifies the format of the output of `getpasswd'. `std' is -# standard V7 passwd file format (optionally augmented by the use -# of a shadow file fetched with getshadow). `bsd' is the weird -# BSD4.4 master.passwd format (and getshadow should not normally -# be used with `remoteformat bsd'). The default is `std'. -# -# Some configuration file directives specify that account data is to -# transferred from the current host. They should appear as the last -# thing(s) in a host section: -# -# user [remote=] -# Specifies that account data should be copied for local user -# from the remote account (assumed to -# be the same as if not specified). The account -# password, comment field, and shell will be copied -# unconditionally. If sameuid is specified the uid will be -# checked. -# -# users - -# Specifies that all remote users whose uid is in the given range -# are to be copied to corresponding local user accounts. -# -# nouser -# Specifies that data for is _not_ to be copied, even -# if subsequent user or users directives suggest that it should -# be. -# -# (A note is made when a `user', `users' or `nouser' directive is -# encountered for a particular account, and no subsequent directives -# for that account will take effect.) -# -# addhere -# This directive has no effect on `sync-accounts'. However, it -# is used as a placeholder by `grab-account': new accounts for -# creation are inserted just before `addhere'. -# -# Finally, the config file must finish with: -# -# end use POSIX; diff --git a/sync-accounts/sync-accounts-createuser.8 b/sync-accounts/sync-accounts-createuser.8 new file mode 100644 index 0000000..97bb749 --- /dev/null +++ b/sync-accounts/sync-accounts-createuser.8 @@ -0,0 +1,103 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.TH SYNC\-ACCOUNTS\-CREATEUSER 8 "14th July 2002" "Greenend" "chiark utilities" +.SH NAME +sync\-accounts\-createuser \- helper/hook program for sync\-accounts +.SH SYNOPSIS +.BI SYNCUSER_CREATE_ var = "value\fP... \fI" sync\-accounts\-createuser +.SH DESCRIPTION +.B sync-accounts-createuser +is invoked by +.B sync-accounts +when sync-accounts is creating a local account. + +It must perform all of the tasks involved with local account creation +except for the actual changes to the password, shadow and group +databases. + +At the very minimum, it must create the new account's home directory +(with appropriate permissions). The supplied sync-accounts-createuser +script does exactly that. + +It may also suggest to sync-accounts modifications to the new +account's passwd entry. +.SH INVOCATION +When sync-accounts-createuser is invoked, the passwd and group entries +will not yet have been set up, so it may not rely on them. +sync-accounts-createuser will not be supplied with any arguments. +However, the following environment variables will be set, giving +details about the account to be created: +.br +.B " " SYNCUSER_CREATE_USER +.br +.B " " SYNCUSER_CREATE_UID +.br +.B " " SYNCUSER_CREATE_GID +.br +.B " " SYNCUSER_CREATE_COMMENT +.br +.B " " SYNCUSER_CREATE_HOME +.br +.B " " SYNCUSER_CREATE_SHELL +.SH RESULTS +sync-accounts-createuser should usually produce no output. + +It can inhibit the creation of the user by outputting a single line +not containing a colon; in this case, a diagnostic message will be +written to sync-accounts's logfile, and the user will be skipped. + +Alternatively, it may write out an alternative password file entry, in +which case sync-accounts will use the supplied data for the local +passwd file instead of that from the remote host. +The line should be in +Sys-V passwd file format (regardless of +.B localformat +or +.B remoteformat +settings). The username field should be taken from +.BR SYNCUSER_CREATE_USER , +and the password field should be +.BR x . +.SH EXIT STATUS +.TP +.B 0 +All went well, or we wrote a line without a colon to say +that the account should not be created. +.TP +any other +There were serious problems and sync-accounts should bomb out +immediately. +.SH FILES +None. +.SH ENVIRONMENT +See above. +.SH BUGS +The supplied sync-accounts-createuser does not check that it +was not supplied with any arguments; nor does it check that the +.B SYNCUSER_CREATE_* +variables are set, or have sensible values. +.SH AUTHOR +.B sync-accounts-createuser +and this manpage are part of the +.B sync-accounts +package which was written by Ian Jackson . +They are Copyright 1999-2000,2002 Ian Jackson +, and Copyright 2000-2001 nCipher +Corporation Ltd. + +The sync-accounts package is free software; you can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation; either version 2, or (at +your option) any later version. + +This is distributed in the hope that it will be useful, but WITHOUT ANY +WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +details. + +You should have received a copy of the GNU General Public License along +with this program; if not, write to the Free Software Foundation, Inc., +59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +.SH SEE ALSO +.BR sync-accounts "(8), " +.BR sync-accounts "(5), " +.BR passwd "(5)" diff --git a/sync-accounts/sync-accounts.5 b/sync-accounts/sync-accounts.5 new file mode 100644 index 0000000..a07e841 --- /dev/null +++ b/sync-accounts/sync-accounts.5 @@ -0,0 +1,396 @@ +.\" Hey, Emacs! This is an -*- nroff -*- source file. +.TH SYNC\-ACCOUNTS 5 "15th July 2002" "Greenend" "chiark utilities" +.SH NAME +/etc/sync\-accounts \- configuration file for sync\-accounts +.SH DESCRIPTION +.B /etc/sync\-accounts +contains the default configuration of the +.BR sync-accounts (8) +account synchronisation tool. + +The configuration file specifies how to access and update the local +password and group databases, where sync-accounts should log. + +It also specifies the list of (remote) sources for account +information, and which accounts and details should be copied from each +source to the local system. +.SH OVERALL SYNTAX AND SEMANTICS +The configuration file is parsed as a series of lines. First, leading +and trailing whitespace on each line is removed, and then empty lines, +or lines starting with +.BR # , +are removed. + +Each line is parsed as a directive. The order of directives is +significant; some directives set up information which later +directives rely on. + +The configuration file must contain an +.B end +directive; anything after that point is ignored. +.SH GLOBAL DIRECTIVES +These directives may appear only at the start of the file (before any +other directives), and each directive must appear only once; +otherwise, sync-accounts my behave oddly. +.TP +.BR lockpasswd | lockgroup " \fImethod\fP [\fIdetails \fP...]" +Specifies how the passwd and group files should be read and/or locked. +See +.B LOCKING METHOD DIRECTIVES +below. +.TP +.BI "logfile " filename +Append log messages to +.I filename +instead of stdout. +Errors still go to stderr. +.TP +.BR localformat " " bsd | std +Specifies the local password file is in the relevant format: +.B std +is the standard V7 password file (with a SysV-style +/etc/shadow if /etc/shadow exists). +.B bsd +is the BSD4.4 master.passwd format, and should be used only with +.BR "lockpasswd runvia vipw" . +The default is +.BR std . +.SH LOCKING METHOD DIRECTIVES +One +.B lockgroup +and one +.B lockpasswd +directive must be present, in the global directives at the start of +the config file. + +The choice of the appropriate directives can be difficult without +special knowledge of the local system. In general, it is best to use +.B lockpasswd runvia vipw +where this is available, as if this works avoids having to know the +names of the lockfiles. + +GNU systems (including GNU/Linux and Debian GNU/BSD) typically lock +the group file separately and supply +.BR vigr , +in which case you should use +.BR "lockgroup vigr" . + +Most systems other than GNU do not lock the group file at all (or +assume that all programs which modify the group file will lock the +passwd file), in which case +.B lockgroup none +is appropriate. + +If vigr or vipw is not available or is known to be broken (eg, because +it does not lock properly), then use +.BR link . +.TP +.BR lockpasswd | lockgroup " " runvia " \fIprogram\fP +sync-accounts will reinvoke itself using +.IR program , +which must behave like +.B vipw +or +.BR vigr . +sync-accounts will set the +.B EDITOR +environment variable to the path it was invoked with (Perl's +.BR $0 ) +and put some information for its own use into +.B SYNC_ACCOUNTS_* +environment variables (which will also allow sync-accounts to tell +that it has already been reinvoked via +.I program +and should not do so again). + +If both +.BI "lockpasswd runvia " vipw +and +.BI "lockgroup runvia " vigr +are specified, then it must be possible and safe for the EDITOR +run by +.I vipw +to invoke +.IR vigr , +as this is what sync-accounts will do. +.TP +.BR lockpasswd | lockgroup " " link " \fIsuffix\fP|\fIfilename\fP +sync-accounts will attempt to lock the passwd or group file by making +a hardlink from the real file to the specified filename. +If +.IR suffix | filename +starts with a +.B / +it is interpreted as a filename; otherwise it is interpreted as +a suffix, to be appended to the real database filename. +.TP +.BR lockpasswd | lockgroup " " none +sync-accounts will not attempt to lock the passwd or group files at +all. + +.B lockgroup none +is appropriate on systems where there is no separate locking for the +group file (either because there is no proper support for automatic +editing of the group file, or because you're expected to lock the +password file), although in the absence of +.B vigr +it's inevitable that simultaneous changes to the group file made by +both the human sysadmin and by sync-accounts will cause problems. + +.B lockpasswd none +is very dangerous and should not normally be used. It will cause data +loss if any other tool for changing password data is used - eg, +.BR passwd (1). +.SH PER-SOURCE DIRECTIVES +Within each source's section, all of the per-source directives must +appear before any account-selection directives; otherwise +sync-accounts may behave oddly. If a per-source directive is +repeated, the last setting takes effect. +.TP +.BI "host " source +Starts a source's section. Usually each source will correspond +exactly to one host which is acting as a source of account data. +The +.B host +directive resets the per-source parameters to the defaults. +.I source +need not be the source host's official name in any sense and is used +only for identification. Any +.I source +must be named in only one +.B host +directive, or sync-accounts may behave oddly. +.TP +.BR getpasswd | getgroup | getshadow " \fIcommand\fP..." +sync-accounts always fetches account data from sources by running specified +commands on the local host; it does not contain any network protocols, +itself. + +.I command +is fed to +.BR "sh -c" +and might typically contain something like +.br +.B " ssh syncacct@remote.host cat /etc/passwd" +.br +where the user syncacct on remote.host is in group shadow, or +.br +.B " cat /var/local/sync-accounts/remote.host/passwd" +where the file named is copied across using cron. + +.B getpasswd +must be specified if user data is to be transferred; +.B getgroup +must be specified if group data is to be transferred. + +.B getshadow +should be specified iff getpasswd is specified but the data from +getpasswd does not contain actual password information, and should +emit data in Sys-V shadow password format. +.TP +.BR remoteformat " " std | bsd +Specifies the format of the output of getpasswd. +.B std +is standard V7 passwd file format (optionally augmented by the use of +a shadow file fetched with getshadow). +.B bsd +is the BSD4.4 master.passwd format (and getshadow should not normally +be used with +.BR "remoteformat bsd" ). +The default is +.BR std . +.SH SYNCHRONISATION SETTINGS +The following directives affect the way that account data is copied. +They may be freely mixed with other directives, and repeated. The +setting in effect is the one set by the last relevant settings +directive before any particular account-selection directive. +.TP +.BR uidmin | uidmax " \fivalue\fP" +When an account is to be created locally, a uid/gid will be chosen +which is one higher than the highest currently in use, except that ids +below uidmin or above uidmax are ignored and will never be used. +There is no default. +.TP +.BI "homebase " homebase +When an account is to be created locally, its home directory will be +.IB homebase / username +where +.I username +is the name of the account. The default is +.BR /home . +.TP +.RB [ no ] sameuid +Specifies whether uids are supposed to match. With +.BR sameuid , +it is an error for the uid or gid of a synchronised local account not +to match the corresponding remote account, and new local accounts will +get the remote accounts' ids. +The default is +.BR nosameuid . +.TP +.BR usergroups " | " nousergroups " | " defaultgid " \fIgid\fP" +Specifies whether local accounts are supposed to have +corresponding groups, or all be part of a particular group. The +default is +.BR usergroups . + +With +.BR usergroups , +when a new account is created, the +corresponding per-user group will be created as well, and +per-user groups are created for existing accounts if necessary +(if account creation is enabled). If the gid or group name for +a per-user group is already taken for a different group name or +gid this will be logged, and processing of that account will be +inhibited, but it is not a fatal error. + +With +.BR defaultgid , +newly-created accounts will be made a part of that group, +and the groups of existing accounts will be left alone. + +With +.BR nousergroups , +no new accounts can be created, and existing accounts' groups will be +left alone. +.TP +.BR createuser " [\fIcommand\fP] | " nocreateuser +Specifies whether accounts found on the remote host should be created +if necessary, and what command to run to do the the rest of the +account setup (eg, creation of home directory, etc.). The default is +.BR nocreateuser . + +If +.B createuser +is specified without a command then +.B sync-accounts-createuser +is used; the supplied sync-accounts-createuser program is a reasonable +minimal implementation. + +With +.BR createuser , +either sameuid, or both uidmin and uidmax, must be specified, if +accounts are actually to be created. + +The command is passed to +.BR "sh -c" . +See +.BR sync-accounts-createuser (8) +for details of +.IR command 's +environment and functionality. +.TP +.BR group | nogroup " \fIglob-pattern\fP" +.B group +specifies that the membership of the local groups specified should be +adjusted adjusted whenever account data for any user is copied, so +that the account will be a member of the affected group locally iff +the source account it is a member of the same group on the source +host. + +The most recently-encountered glob-pattern for a particular group +takes effect. The default is +.BR "nogroups *" . + +The glob patterns may contain only alphanumerics, the two glob +metacharacters +.BR "* ?" +and four punctuation characters +.BR "- + . _" ; +\fB\\\fP-quoting and character sets and ranges are not supported. +.TP +.BI "defaultshell " pathname +Local accounts' shells will, when an account is synchronised, be set +to the remote account's shell if the same file exists locally and is +executable. Otherwise, this value will be used. The +default is +.BR /bin/sh . +.SH ACCOUNT SELECTION +These directives specify that the selected accounts are to be +synchronised: that is, the local account data will be unconditionally +overwritten (according to the synchronisation settings) with data from +the current source (according to the most recent +.B host +directive). + +Any particular local username will only be synchronised once; the +source and settings for first account selection directive which +selects that local username will be used. + +When an account is synchronised, the account password, comment field, +and shell will be copied unconditionally. If +.B sameuid +is in effect specified the uid will be checked (or copied, for new +accounts). +.TP +.BR user " \fIusername\fP [" remote "=\fIremoteusername\fP]" +Specifies that account data should be copied for local user +.I username +from the remote account +.I remoteusername +(or +.I username +if +.I remoteusername +is not specified). +.TP +.RI "\fBusers\fP " ruidmin - ruidmax +Specifies that all remote users whose remote uid is in the given range +are to be synchronised to corresponding user accounts. (Note that the +remote uid will only be copied if +.B sameuid +is in effect.) +.TP +.BI "nouser " username +Specifies that data for +.I username is not to be copied, even +if subsequent user or users directives suggest that it should be. +.TP +.B addhere +This directive has no effect on sync-accounts. However, it is used as +a placeholder by grab-account: new accounts for creation are inserted +just before addhere. See +.BR grab-account (8). +.SH FINAL DIRECTIVE +.TP +.B end +must appear in the configuration file, usually at the end of the file. +Nothing after it will be read. +.SH BUGS +The advice about the correct +.B lockpasswd +and +.B lockgroup +directives is probably out of date or flatly wrong. +.SH AUTHOR +.B sync-accounts +and this manpage are part of the +.B sync-accounts +package which was written by Ian Jackson . +They are Copyright 1999-2000,2002 Ian Jackson +, and Copyright 2000-2001 nCipher +Corporation Ltd. + +The sync-accounts package is free software; you can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation; either version 2, or (at +your option) any later version. + +This is distributed in the hope that it will be useful, but WITHOUT ANY +WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS +FOR A PARTICULAR PURPOSE. See the GNU General Public License for more +details. + +You should have received a copy of the GNU General Public License along +with this program; if not, write to the Free Software Foundation, Inc., +59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +.SH SEE ALSO +.BR sync-accounts "(8), " +.BR grab-account "(8), " +.BR sync-accounts-createuser "(8), " +.BR passwd "(5), " +.BR group "(5), " +.BR shadow "(5), " +.BR master.passwd "(5), " +.BR vipw "(8), " +.BR vigr "(8)" diff --git a/sync-accounts/sync-accounts.8 b/sync-accounts/sync-accounts.8 index 92e1e80..fd3b6e7 100644 --- a/sync-accounts/sync-accounts.8 +++ b/sync-accounts/sync-accounts.8 @@ -5,13 +5,13 @@ sync\-accounts \- synchronise accounts and passwords .SH SYNOPSIS .BR sync\-accounts " [\fIoptions\fP] [\fIsource\fP ...]" .SH DESCRIPTION -.B sync\-accounts +.B sync-accounts is a tool for copying account information into the local system's password and group databases, or equivalent, from other systems. It can be used to slave individual accounts, whole systems, or various partial combinations. -By default, when invoked, sync\-accounts reads is configuration file +By default, when invoked, sync-accounts reads is configuration file and updates all of the local details it is configured to synchronise, from all relevant sources. @@ -19,19 +19,19 @@ If one or more \fIsource\fPs are named as command-line arguments, only information from those sources is installed locally. See -.BR sync\-accounts(5) -for detailed information about sync\-accounts's behaviour and +.BR sync-accounts(5) +for detailed information about sync-accounts's behaviour and configuration. .SH OPTIONS .TP .BI \-C config\-file Reads -.I config\-file +.I config-file instead of -.BR /etc/sync\-accounts . +.BR /etc/sync-accounts . .TP .BR \-q -Instead of updating local information, sync\-accounts displays a +Instead of updating local information, sync-accounts displays a summary of which accounts are synchronised or not, and from where. .TP .BR \-n @@ -46,16 +46,16 @@ in the current directory. With new accounts are not created at all. The system databases are not locked. .SH SECURITY -sync\-accounts is not resistant to malicious data in the local +sync-accounts is not resistant to malicious data in the local password and group databases, or its configuration file or command line arguments. Malicious data in source information will not be able to take control of sync-accounts, but will be copied to the local databases if -sync\-accounts is configured to do so. +sync-accounts is configured to do so. -To update the local databases, sync\-accounts must be run as root. -For \-q and \-n sync\-accounts still needs to be able to successfuly +To update the local databases, sync-accounts must be run as root. +For \-q and \-n sync-accounts still needs to be able to successfuly invoke the commands specified in the configuration for getpasswd and getgroup. .SH EXIT STATUS @@ -72,7 +72,7 @@ updated. Default configuration file. (Override with .BR -C .) .TP -.B sync\-accounts\-createuser +.B sync-accounts-createuser Default command invoked by sync-accounts to create local users. .TP .B /home @@ -81,8 +81,11 @@ Default location for created users' home directories. .B /bin/sh Default shell for created users. .TP -.BR /etc/master.passwd ", " /etc/passwd ", " /etc/shadow ", " /etc/group -Default local account databases, depending on configuration. +.BR /etc/passwd ", " /etc/group ", " /etc/shadow ", " /etc/master.passwd +Local account databases, depending on configuration. +.TP +.BR /etc/shadow-non-existent +Must not exist. .SH ENVIRONMENT .TP .BR EDITOR ", " VISUAL @@ -102,28 +105,35 @@ and .BR vigr (8), apart from .BR EDITOR " and/or" VISUAL -will affect the operation of sync\-accounts. +will affect the operation of sync-accounts. Avoid messing with these if possible. .LP .B PATH is used to find subprograms such as -.BR sync\-accounts\-createuser " and " vipw / vigr . +.BR sync-accounts-createuser " and " vipw / vigr . .SH BUGS -Using sync\-accounts does not give particularly prompt propagation of +Using sync-accounts does not give particularly prompt propagation of changed account information. There is no simple mechanism for automatically getting the right configuration details for accessing the local system's password and group databases. + +All the systems sharing account information using sync-accounts need +to be using compatible encrypted-password schemes. .SH AUTHOR -.B sync\-accounts -and this manpage were written by Ian Jackson -. They are Copyright 2002 Ian Jackson. +.B sync-accounts +and this manpage are part of the +.B sync-accounts +package which was written by Ian Jackson . +They are Copyright 1999-2000,2002 Ian Jackson +, and Copyright 2000-2001 nCipher +Corporation Ltd. -sync\-accounts and this manpage are free software; you can -redistribute it and/or modify it under the terms of the GNU General -Public License as published by the Free Software Foundation; either -version 2, or (at your option) any later version. +The sync-accounts package is free software; you can redistribute it +and/or modify it under the terms of the GNU General Public License as +published by the Free Software Foundation; either version 2, or (at +your option) any later version. This is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS @@ -133,3 +143,13 @@ details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. +.SH SEE ALSO +.BR sync-accounts "(5), " +.BR grab-account "(8), " +.BR sync-accounts-createuser "(8), " +.BR passwd "(5), " +.BR group "(5), " +.BR shadow "(5), " +.BR master.passwd "(5), " +.BR vipw "(8), " +.BR vigr "(8)" -- 2.30.2