Scroll to navigation

NEWUSERS(8) 系统管理命令 NEWUSERS(8)

名称

newusers - 批量更新和创建新用户

大纲

newusers [选项] [文件]

描述

The newusers command reads a file (or the standard input by default) and uses this information to update a set of existing users or to create new users. Each line is in the same format as the standard password file (see passwd(5)) with the exceptions explained below:

pw_name:pw_passwd:pw_uid:pw_gid:pw_gecos:pw_dir:pw_shell

pw_name

这是用户的用户名。

It can be the name of a new user or the name of an existing user (or a user created before by newusers). In case of an existing user, the user's information will be changed, otherwise a new user will be created.

pw_passwd

此字段将被加密然后用于加密后密码的新值。

pw_uid

此字段用于定义用户的 UID。

If the field is empty, a new (unused) UID will be defined automatically by newusers.

如果此字段包含一个数字,此数字会用于 UID。

If this field contains the name of an existing user (or the name of a user created before by newusers), the UID of the specified user will be used.

如果一个现有用户更改了 UID,此用户的文件所有权需要手动修复。

pw_gid

此字段用于定义用户的主组 ID。

If this field contains the name of an existing group (or a group created before by newusers), the GID of this group will be used as the primary group ID for the user.

如果此字段是一个数字,此数字会被用作此用户的主组 ID。如果没有对应此 GID 的现有组,将会使用此 GID 创建一个新组,名称和用户名相同。

If this field is empty, a new group will be created with the name of the user and a GID will be automatically defined by newusers to be used as the primary group ID for the user and as the GID for the new group.

If this field contains the name of a group which does not exist (and was not created before by newusers), a new group will be created with the specified name and a GID will be automatically defined by newusers to be used as the primary group ID for the user and GID for the new group.

pw_gecos

此字段复制到用户的 GECOS 字段。

pw_dir

此字段用于定义用户的主目录。

If this field does not specify an existing directory, the specified directory is created, with ownership set to the user being created or updated and its primary group. Note that newusers does not create parent directories of the new user's home directory. The newusers command will fail to create the home directory if the parent directories do not exist, and will send a message to stderr informing the user of the failure. The newusers command will not halt or return a failure to the calling shell if it fails to create the home directory, it will continue to process the batch of new users specified.

If the home directory of an existing user is changed, newusers does not move or copy the content of the old directory to the new location. This should be done manually.

pw_shell

此字段定义了用户的 shell。对此字段不进行任何检查。

newusers first tries to create or change all the specified users, and then write these changes to the user or group databases. If an error occurs (except in the final writes to the databases), no changes are committed to the databases.

此命令一般用于在大型的应用环境中,对大量账户进行一次性更新。

选项

The options which apply to the newusers command are:

-c, --crypt-method

使用指定的方法加密密码。

可用的方法有 DES, MD5, NONE, and SHA256 或 SHA512,前提是您的 libc 支持这写方法。

-h, --help

现实帮助信息并退出。

-r, --system

创建一个系统账户。

System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).

-R, --root CHROOT_DIR

Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.

-s, --sha-rounds

使用指定次数的轮转来加密密码。

值 0 表示让系统为加密方法选择默认的轮转次数 (5000)。

会强制最小 1,000,最大 9,9999,9999

您只可以对 SHA256 或 SHA512 使用此选项。

By default, the number of rounds is defined by the SHA_CRYPT_MIN_ROUNDS and SHA_CRYPT_MAX_ROUNDS variables in /etc/login.defs.

CAVEATS

输入文件必须受到保护,因为它包含未加密的密码。

您需要确保你吗和加密方法符合系统的密码策略。

配置文件

The following configuration variables in /etc/login.defs change the behavior of this tool:

ENCRYPT_METHOD (string)

这定义了系统加密密码的默认算法(如果没有在命令行上指定算法)。

It can take one of these values: DES (default), MD5, SHA256, SHA512.

Note: this parameter overrides the MD5_CRYPT_ENAB variable.

GID_MAX (number), GID_MIN (number)

Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.

The default value for GID_MIN (resp. GID_MAX) is 1000 (resp. 60000).

MAX_MEMBERS_PER_GROUP (number)

Maximum members per group entry. When the maximum is reached, a new group entry (line) is started in /etc/group (with the same name, same password, and same GID).

默认值是 0,意味着组中的成员数没有限制。

此功能(分割组)允许限制组文件中的行长度。这对于确保 NIS 组的行比长于 1024 字符。

如果要强制这个限制,可以使用 25。

注意:分割组可能不受所有工具的支持(甚至在 Shadow 工具集中)。您不应该使用这个变量,除非真的需要。

MD5_CRYPT_ENAB (boolean)

Indicate if passwords must be encrypted using the MD5-based algorithm. If set to yes, new passwords will be encrypted using the MD5-based algorithm compatible with the one used by recent releases of FreeBSD. It supports passwords of unlimited length and longer salt strings. Set to no if you need to copy encrypted passwords to other systems which don't understand the new algorithm. Default is no.

This variable is superseded by the ENCRYPT_METHOD variable or by any command line option used to configure the encryption algorithm.

This variable is deprecated. You should use ENCRYPT_METHOD.

PASS_MAX_DAYS (number)

一个密码可以使用的最大天数。如果密码比这旧,将会强迫更改密码。如果不指定,就假定为 -1,这会禁用这个限制。

PASS_MIN_DAYS (number)

两次更改密码时间的最小间隔。将会拒绝任何早于此的更改密码的尝试。如果不指定,假定为 -1,将会禁用这个限制。

PASS_WARN_AGE (number)

密码过期之前给出警告的天数。0 表示只有只在过期的当天警告,负值表示不警告。如果没有指定,不会给警告。

SHA_CRYPT_MIN_ROUNDS (number), SHA_CRYPT_MAX_ROUNDS (number)

When ENCRYPT_METHOD is set to SHA256 or SHA512, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line).

使用很多轮转,会让暴力破解更加困难。但是需要注意,认证用户时也会需要更多的 CPU 资源。

如果没有指定,libc 会选择默认的轮转数(5000)。

值必须在 1000 - 999,999,999 之间。

If only one of the SHA_CRYPT_MIN_ROUNDS or SHA_CRYPT_MAX_ROUNDS values is set, then this value will be used.

If SHA_CRYPT_MIN_ROUNDS > SHA_CRYPT_MAX_ROUNDS, the highest value will be used.

SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)

If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user.

The default values for SUB_GID_MIN, SUB_GID_MAX, SUB_GID_COUNT are respectively 100000, 600100000 and 65536.

SUB_UID_MIN (number), SUB_UID_MAX (number), SUB_UID_COUNT (number)

If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs) allocate SUB_UID_COUNT unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user.

The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 65536.

SYS_GID_MAX (number), SYS_GID_MIN (number)

Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers.

The default value for SYS_GID_MIN (resp. SYS_GID_MAX) is 101 (resp. GID_MIN-1).

SYS_UID_MAX (number), SYS_UID_MIN (number)

Range of user IDs used for the creation of system users by useradd or newusers.

The default value for SYS_UID_MIN (resp. SYS_UID_MAX) is 101 (resp. UID_MIN-1).

UID_MAX (number), UID_MIN (number)

Range of user IDs used for the creation of regular users by useradd or newusers.

The default value for UID_MIN (resp. UID_MAX) is 1000 (resp. 60000).

UMASK (number)

文件模式创建掩码初始化为此值。如果没有指定,掩码初始化为 022。

useradd and newusers use this mask to set the mode of the home directory they create

It is also used by login to define users' initial umask. Note that this mask can be overridden by the user's GECOS line (if QUOTAS_ENAB is set) or by the specification of a limit with the K identifier in limits(5).

文件

/etc/passwd

用户账户信息。

/etc/shadow

安全用户账户信息。

/etc/group

组账户信息。

/etc/gshadow

安全组账户信息。

/etc/login.defs

Shadow 密码套件配置。

/etc/subgid

Per user subordinate group IDs.

/etc/subuid

Per user subordinate user IDs.

参见

login.defs(5), passwd(1), subgid(5), subuid(5),useradd(8).

2019-08-07 shadow-utils 4.6