Clockwork

res_user(5)

NAME

res_user - Clockwork Resource Type for system users

DESCRIPTION

The user resource manages system user accounts.

ATTRIBUTES

uid

Numeric user ID of this account.

username

The username for this account.

gid

Numeric group ID for this account's primary group.

home

Path to this user's home directory. This attribute only sets the home directory path in /etc/passwd; it does not create the directory. To create home directories for new users, see the makehome / skeleton attribute.

present

Whether or not this account should exist on the system.

locked

Whether or not this account should be locked and therefore unable to log in. Locking an account does not destroy password information; a locked account can be unlocked later and the original password will work.

comment
gecos

A comment describing the purpose of this account, commonly referred to as the GECOS field. See passwd(5) for more details.

Clockwork does not attempt to interpret the GECOS field like the chfn(1) utility does.

shell

The path to the login shell for this account. No validation is done on this shell, since specifying non-existent or unapproved login shells is one way of locking accounts out of a system.

password
pwhash

The (encrypted) password for this account. Details of encryption depend on the specific platform and system configuration. Clockwork does not attempt to encrypt or decrypt passwords for users.

changepw

Whether or not Clockwork should change the password of an existing user account, according to the value of password. The primary use of this attribute is provisioning new accounts with default initial passwords without forcibly resetting the password during subsequent runs.

pwmin

Minimum number of days between password changes.

pwmax

Maximum age of the account password (in days).

pwwarn

Number of days before the password expires (according to pwmax) to start warning the user that they should change their password.

inact

Number of days after the password expires (according to pwmax) before the account is reversibly disabled.

expiry
expiration

When the account expires. This value is specified as the number of days since Jan 1, 1970, and is not related to the pwmax, pwmin or inact attributes.

skeleton
makehome

This attribute enables home directory creation for new users. Valid values include "yes", "no" or a path to a skeleton directory. If "yes" is used, then the system default of /etc/skel is used as a template to create the new home directory. Otherwise, the path given is used.

Home directory creation is only effective if the account does not already exist on the local system; Clockwork will not overwrite or otherwise meddle with a pre-existing home directory.

See the EXAMPLES section for more information.

EXAMPLES

Removing and Locking Accounts

To remove a user account:

user "jim" {
    present: "no"
}

To keep the account around (including its original password), but deny any and all login access to it:

user "jim" {
    locked: "yes"
}

Password Expiration

The following example implements a password expiration policy:

user "eva" {
  pwmin:  1   # After password change, user must
              # wait at least 1 day to change their
              # password again.

  pwmax:  45  # Passwords *must* be changed after
              # 45 days.

  pwwarn: 10  # Warn the user 10 days before their
              # password expires that they will have
              # to change it soon.  Under normal
              # circumstances, this will be 35 days
              # after they change it.

  inact:  5   # Give the users 5 days after their
              # password expires (50 days after they
              # change it) before disabling the
              # account.
}

If you specify password aging parameters, make sure you don't also set the account password via the password / pwhash and changepw attributes.
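As an added example (not part of Clockwork or this man page), the following Python audits shadow(5)-format entries, which carry the same last-change, min, max, warn, inact and expire fields the attributes above set, and classifies each account on a given day using the day arithmetic worked through in the comments above. The sample entries and hash values are constructed placeholders.

```python
from collections import namedtuple
from datetime import date

# shadow(5) field layout: name:hash:lastchg:min:max:warn:inact:expire:reserved
ShadowEntry = namedtuple("ShadowEntry",
                         "name hash lastchg pwmin pwmax pwwarn inact expire")

# Constructed sample entries; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
eva:$6$placeholder$hash:19000:1:45:10:5::
jim:!$6$placeholder$hash:19000:1:45:10:5::
bob:$6$placeholder$hash:18900::::::
tmp:$6$placeholder$hash:19000:::::19010:
"""

def days_since_epoch(d):
    """Convert a date to the unit used by the expiry attribute and shadow(5)."""
    return (d - date(1970, 1, 1)).days

def parse_shadow(text):
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split(":")
        if len(f) < 8:
            raise ValueError("malformed shadow line: %r" % line)
        ints = [int(x) if x else None for x in f[2:8]]  # empty field = unset
        entries.append(ShadowEntry(f[0], f[1], *ints))
    return entries

def password_status(e, today):
    """Classify entry e on day `today` (days since the epoch) under the aging rules."""
    if e.hash.startswith(("!", "*")):
        return "locked"            # password field disabled, as with locked: "yes"
    if e.expire is not None and today >= e.expire:
        return "account-expired"   # expiry is independent of password aging
    if e.pwmax is None or e.lastchg is None:
        return "ok"                # no aging policy on this account
    expires_on = e.lastchg + e.pwmax
    if today < expires_on:
        return "warn" if today >= expires_on - (e.pwwarn or 0) else "ok"
    if e.inact is not None and today >= expires_on + e.inact:
        return "disabled"          # inact grace period has run out
    return "expired"               # password must be changed; login still possible

def audit(text, today):
    return {e.name: password_status(e, today) for e in parse_shadow(text)}
```

With eva's policy (changed on day 19000), the warning starts on day 19035, the password expires on day 19045 and the account is disabled on day 19050, matching the 35- and 50-day figures in the comments above.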

Creating Home Directories

The user resource can create the home directory for newly created users if the makehome or skeleton attributes are set.

Create the user "bob", and model his home directory after /etc/skel:

user "bob" {
    uid:      1006
    gid:      1001   # users, defined elsewhere
    home:     "/home/guests/bob"
    makehome: "yes"
}

If you want to use a different skeleton directory (e.g. for system administrator accounts), specify its path in the makehome attribute:

user "james" {
  uid:       7001
  gid:       1002   # admins, defined elsewhere
  home:      "/home/james"
  makehome:  "/etc/skel.admin"
}

Note: The makehome and skeleton attributes are synonymous. The last example is probably more clearly expressed as:

user "james" {
  uid:       7001
  gid:       1002   # admins, defined elsewhere
  home:      "/home/james"
  skeleton:  "/etc/skel.admin"
}

CAVEATS

1. Removing Home Directories

Clockwork does not remove a user's home directory when it removes the account. This is by design, to ensure that important data is not lost when users depart. If you want to remove the home directory, use res_file(5) in concert with res_user.

2. Dependencies

For flexibility's sake, Clockwork does not create an implicit dependency from a user on the group that provides its primary GID. If you specify that a user's primary GID should be 177, Clockwork will happily comply, even if there is no group defined on the system (either through policy or externally) with that GID.

This should not break normal operation of the system, but it will lead to some strangeness when dealing with files owned by that user.

DEPENDENCIES

See Caveat #2.

AUTHOR

Clockwork was designed and written by James Hunt.

The Clockwork website is licensed under the Creative Commons Attribution-NoDerivs 3.0 United States License.