1 .\" Copyright (c) 1988, 1990, 1993
2 .\" The Regents of the University of California. All rights reserved.
4 .\" Redistribution and use in source and binary forms, with or without
5 .\" modification, are permitted provided that the following conditions
7 .\" 1. Redistributions of source code must retain the above copyright
8 .\" notice, this list of conditions and the following disclaimer.
9 .\" 2. Redistributions in binary form must reproduce the above copyright
10 .\" notice, this list of conditions and the following disclaimer in the
11 .\" documentation and/or other materials provided with the distribution.
12 .\" 3. Neither the name of the University nor the names of its contributors
13 .\" may be used to endorse or promote products derived from this software
14 .\" without specific prior written permission.
16 .\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
17 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
20 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
38 .Nd add or change user database information
42 .Op Fl e Ar expiretime
50 .Op Fl e Ar expiretime
59 allows editing of the user database information associated
62 or, by default, the current user.
71 utilities behave identically to
73 (There is only one program.)
75 The information is formatted and supplied to an editor for changes.
77 Only the information that the user is allowed to change is displayed.
79 The options are as follows:
80 .Bl -tag -width "-e expiretime"
82 The super-user is allowed to directly supply a user database
83 entry, in the format specified by
86 This argument must be a colon
88 separated list of all the
89 user database fields, although they may be empty.
90 .It Fl e Ar expiretime
91 Change the account expire time.
92 This option is used to set the expire time
93 from a script as if it was done in the interactive editor.
95 The super-user is allowed to directly supply an encrypted password field,
100 Attempt to change the user's shell to
104 Possible display items are as follows:
106 .Bl -tag -width "Other Information:" -compact -offset indent
110 user's encrypted password
116 user's general classification
120 account expiration time
124 user's office location (1)
126 user's office phone (1)
128 user's home phone (1)
129 .It Other Information:
130 any locally defined parameters for user (1)
132 user's home directory
137 In the actual master.passwd file, these fields are comma-delimited
138 fields embedded in the FullName field.
143 field is the user name used to access the computer account.
147 field contains the encrypted form of the user's password.
151 field is the number associated with the
154 Both of these fields should be unique across the system (and often
155 across a group of systems) as they control file access.
157 While it is possible to have multiple entries with identical login names
158 and/or identical user id's, it is usually a mistake to do so.
160 that manipulate these files will often return only one of the multiple
161 entries, and that one by random selection.
165 field is the group that the user will be placed in at login.
168 supports multiple groups (see
170 this field currently has little special meaning.
171 This field may be filled in with either a number or a group name (see
176 field references class descriptions in
178 and is typically used to initialize the user's system resource limits
183 field is the date by which the password must be changed.
187 field is the date on which the account expires.
193 fields should be entered in the form
197 is the month name (the first three characters are sufficient),
199 is the day of the month, and
203 Five fields are available for storing the user's
204 .Ar full name , office location ,
209 .Ar other information
210 which is a single comma delimited string to represent any additional
211 gecos fields (typically used for site specific user information).
214 will display the office location and office phone together under the
222 path name where the user
223 will be placed at login.
227 field is the command interpreter the user prefers.
230 field is empty, the Bourne shell,
233 When altering a login shell, and not the super-user, the user
234 may not change from a non-standard shell or to a non-standard
236 Non-standard is defined as a shell not found in
239 Once the information has been verified,
243 to update the user database.
247 editor will be used unless the environment variable
251 When the editor terminates, the information is re-read and used to
252 update the user database itself.
253 Only the user, or the super-user, may edit the information associated
258 for an explanation of the impact of setting the
260 environment variable.
264 utility can also be used in conjunction with NIS, however some restrictions
268 can only make changes to the NIS passwd maps through
269 .Xr rpc.yppasswdd 8 ,
270 which normally only permits changes to a user's password, shell and GECOS
272 Except when invoked by the super-user on the NIS master server,
278 server to change other user information or
279 add new records to the NIS passwd maps.
282 requires password authentication before it will make any
284 The only user allowed to submit changes without supplying
285 a password is the super-user on the NIS master server; all other users,
286 including those with root privileges on NIS clients (and NIS slave
287 servers) must enter a password.
288 (The super-user on the NIS master is allowed to bypass these restrictions
289 largely for convenience: a user with root access
290 to the NIS master server already has the privileges required to make
291 updates to the NIS maps, but editing the map source files by hand can
294 Note: these exceptions only apply when the NIS master server is a
298 Consequently, except where noted, the following restrictions apply when
301 .Bl -enum -offset indent
303 .Em "Only the shell and GECOS information may be changed" .
305 fields are restricted, even when
307 is invoked by the super-user.
309 changing other fields could be added, this would lead to
310 compatibility problems with other NIS-capable systems.
311 Even though the super-user may supply data for other fields
312 while editing an entry, the extra information (other than the
313 password \(em see below) will be silently discarded.
315 Exception: the super-user on the NIS master server is permitted to
318 .Em "Password authentication is required" .
321 utility will prompt for the user's NIS password before effecting
323 If the password is invalid, all changes will be
326 Exception: the super-user on the NIS master server is allowed to
327 submit changes without supplying a password.
329 choose to turn off this feature using the
331 flag, described below.)
333 .Em "Adding new records to the local password database is discouraged" .
336 utility will allow the administrator to add new records to the
337 local password database while NIS is enabled, but this can lead to
338 some confusion since the new records are appended to the end of
339 the master password file, usually after the special NIS '+' entries.
340 The administrator should use
342 to modify the local password
343 file when NIS is running.
345 The super-user on the NIS master server is permitted to add new records
346 to the NIS password maps, provided the
348 server has been started with the
350 flag to permitted additions (it refuses them by default).
353 utility tries to update the local password database by default; to update the
354 NIS maps instead, invoke chpass with the
358 .Em "Password changes are not permitted".
363 to change their NIS passwords.
364 The super-user is allowed to specify
365 a new password (even though the
368 up in the editor template, the super-user may add it back by hand),
369 but even the super-user must supply the user's original password
372 will refuse to update the NIS maps.
374 Exception: the super-user on the NIS master server is permitted to
375 change a user's NIS password with
379 There are also a few extra option flags that are available when
381 is compiled with NIS support:
382 .Bl -tag -width "-d domain"
384 Specify a particular NIS domain.
387 utility uses the system domain name by default, as set by the
392 option can be used to override a default, or to specify a domain
393 when the system domain name is not set.
395 Specify the name or address of an NIS server to query.
398 will communicate with the NIS master host specified in the
403 On hosts that have not been configured as NIS clients, there is
404 no way for the program to determine this information unless the user
405 provides the hostname of a server.
406 Note that the specified hostname need
407 not be that of the NIS master server; the name of any server, master or
408 slave, in a given NIS domain will do.
412 option, the hostname defaults to
416 option can be used in conjunction with the
418 option, in which case the user-specified hostname will override
423 to modify the local copy of a user's password
424 information in the event that a user exists in both
425 the local and NIS databases.
427 Force the use of RPC-based updates when communicating with
430 When invoked by the super-user on the NIS master server,
432 allows unrestricted changes to the NIS passwd maps using dedicated,
433 non-RPC-based mechanism (in this case, a
438 flag can be used to force
440 to use the standard update mechanism instead.
441 This option is provided
442 mainly for testing purposes.
446 This flag is largely redundant since
448 operates on NIS entries by default if NIS is enabled.
451 .Bl -tag -width /etc/master.passwd -compact
452 .It Pa /etc/master.passwd
455 a Version 7 format password file
456 .It Pa /etc/pw.XXXXXX
459 the list of approved shells
462 Change the shell of the current user to
463 .Ql /usr/local/bin/zsh :
464 .Bd -literal -offset indent
465 chsh -s /usr/local/bin/zsh
480 .%T "UNIX Password security"
488 User information should (and eventually will) be stored elsewhere.