diff options
Diffstat (limited to 'man/zh_CN/man5/login.defs.5')
| -rw-r--r-- | man/zh_CN/man5/login.defs.5 | 660 |
1 files changed, 4 insertions, 656 deletions
diff --git a/man/zh_CN/man5/login.defs.5 b/man/zh_CN/man5/login.defs.5 index c93b21e1..a336d009 100644 --- a/man/zh_CN/man5/login.defs.5 +++ b/man/zh_CN/man5/login.defs.5 @@ -1,13 +1,13 @@ '\" t .\" Title: login.defs .\" Author: Julianne Frances Haugh -.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> -.\" Date: 2022-01-02 +.\" Generator: DocBook XSL Stylesheets vsnapshot <http://docbook.sf.net/> +.\" Date: 2022-08-18 .\" Manual: File Formats and Configuration Files -.\" Source: shadow-utils 4.11.1 +.\" Source: shadow-utils 4.12.2 .\" Language: Chinese Simplified .\" -.TH "LOGIN\&.DEFS" "5" "2022-01-02" "shadow\-utils 4\&.11\&.1" "File Formats and Configuration" +.TH "LOGIN\&.DEFS" "5" "2022-08-18" "shadow\-utils 4\&.12\&.2" "File Formats and Configuration" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- @@ -48,663 +48,11 @@ value\&. Numbers (both regular and long) may be either decimal values, octal val .PP 提供如下配置项: .PP -\fBCHFN_AUTH\fR (boolean) -.RS 4 -If -\fIyes\fR, the -\fBchfn\fR -program will require authentication before making any changes, unless run by the superuser\&. -.RE -.PP -\fBCHFN_RESTRICT\fR (string) -.RS 4 -This parameter specifies which values in the -\fIgecos\fR -field of the -/etc/passwd -file may be changed by regular users using the -\fBchfn\fR -program\&. It can be any combination of letters -\fIf\fR, -\fIr\fR, -\fIw\fR, -\fIh\fR, for Full name, Room number, Work phone, and Home phone, respectively\&. For backward compatibility, -\fIyes\fR -is equivalent to -\fIrwh\fR -and -\fIno\fR -is equivalent to -\fIfrwh\fR\&. If not specified, only the superuser can make any changes\&. The most restrictive setting is better achieved by not installing -\fBchfn\fR -SUID\&. -.RE -.PP -\fBCHSH_AUTH\fR (boolean) -.RS 4 -If -\fIyes\fR, the -\fBchsh\fR -program will require authentication before making any changes, unless run by the superuser\&. -.RE -.PP -\fBCONSOLE\fR (string) -.RS 4 -如果定义了,或者是包含设备名(没行一个)的文件的完整路径名,或者是\(lq:\(rq分隔的设备名列表。将只会在这写设备上允许 root 登录。 -.sp -如果没有定义,可以在任何设备上使用 root。 -.sp -指定的设备时不带 /dev/ 前缀。 -.RE -.PP -\fBCONSOLE_GROUPS\fR (string) -.RS 4 -List of groups to add to the user\*(Aqs supplementary groups set when logging in on the console (as determined by the CONSOLE setting)\&. Default is none\&. - -Use with caution \- it is possible for users to gain permanent access to these groups, even when not logged in on the console\&. -.RE -.PP -\fBCREATE_HOME\fR (boolean) -.RS 4 -指示是否应该为新用户默认创建主目录。 -.sp -此设置并不应用到系统用户,并且可以使用命令行覆盖。 -.RE -.PP -\fBDEFAULT_HOME\fR (boolean) -.RS 4 -如果不能 cd 到主目录时,说明是否允许登录。默认是否。 -.sp -If set to -\fIyes\fR, the user will login in the root (/) directory if it is not possible to cd to her home directory\&. -.RE -.PP -\fBENCRYPT_METHOD\fR (string) -.RS 4 -这定义了系统加密密码的默认算法(如果没有在命令行上指定算法)。 -.sp -It can take one of these values: -\fIDES\fR -(default), -\fIMD5\fR, \fISHA256\fR, \fISHA512\fR\&. MD5 and DES should not be used for new hashes, see -crypt(5) -for recommendations\&. -.sp -Note: this parameter overrides the -\fBMD5_CRYPT_ENAB\fR -variable\&. -.RE -.PP -\fBENV_HZ\fR (string) -.RS 4 -If set, it will be used to define the HZ environment variable when a user login\&. The value must be preceded by -\fIHZ=\fR\&. A common value on Linux is -\fIHZ=100\fR\&. -.RE -.PP -\fBENV_PATH\fR (string) -.RS 4 -If set, it will be used to define the PATH environment variable when a regular user login\&. The value is a colon separated list of paths (for example -\fI/bin:/usr/bin\fR) and can be preceded by -\fIPATH=\fR\&. The default value is -\fIPATH=/bin:/usr/bin\fR\&. -.RE -.PP -\fBENV_SUPATH\fR (string) -.RS 4 -If set, it will be used to define the PATH environment variable when the superuser login\&. The value is a colon separated list of paths (for example -\fI/sbin:/bin:/usr/sbin:/usr/bin\fR) and can be preceded by -\fIPATH=\fR\&. The default value is -\fIPATH=/sbin:/bin:/usr/sbin:/usr/bin\fR\&. -.RE -.PP -\fBENV_TZ\fR (string) -.RS 4 -If set, it will be used to define the TZ environment variable when a user login\&. The value can be the name of a timezone preceded by -\fITZ=\fR -(for example -\fITZ=CST6CDT\fR), or the full path to the file containing the timezone specification (for example -/etc/tzname)\&. -.sp -If a full path is specified but the file does not exist or cannot be read, the default is to use -\fITZ=CST6CDT\fR\&. -.RE -.PP -\fBENVIRON_FILE\fR (string) -.RS 4 -如果此文件存在,并且可读,将会从中读取登录环境。所有行都必须是 name=value 的格式。 -.sp -以 # 开头的行将视为注释,并被忽略。 -.RE -.PP -\fBERASECHAR\fR (number) -.RS 4 -Terminal ERASE character (\fI010\fR -= backspace, -\fI0177\fR -= DEL)\&. -.sp -此值可以使用前缀\(lq0\(rq表示八进制,\(lq0x\(rq表示十六进制。 -.RE -.PP -\fBFAIL_DELAY\fR (number) -.RS 4 -登录失败后,等待多少秒才再允许登录。 -.RE -.PP -\fBFAILLOG_ENAB\fR (boolean) -.RS 4 -Enable logging and display of -/var/log/faillog -login failure info\&. -.RE -.PP -\fBFAKE_SHELL\fR (string) -.RS 4 -If set, -\fBlogin\fR -will execute this shell instead of the users\*(Aq shell specified in -/etc/passwd\&. -.RE -.PP -\fBFTMP_FILE\fR (string) -.RS 4 -如果定义,登录失败会以 utmp 格式记录在此文件中。 -.RE -.PP -\fBGID_MAX\fR (number), \fBGID_MIN\fR (number) -.RS 4 -Range of group IDs used for the creation of regular groups by -\fBuseradd\fR, -\fBgroupadd\fR, or -\fBnewusers\fR\&. -.sp -The default value for -\fBGID_MIN\fR -(resp\&. -\fBGID_MAX\fR) is 1000 (resp\&. 60000)\&. -.RE -.PP -\fBHMAC_CRYPTO_ALGO\fR (string) -.RS 4 -Used to select the HMAC cryptography algorithm that the pam_timestamp module is going to use to calculate the keyed\-hash message authentication code\&. -.sp -Note: Check -hmac(3) -to see the possible algorithms that are available in your system\&. -.RE -.PP -\fBHOME_MODE\fR (number) -.RS 4 -The mode for new home directories\&. If not specified, the -\fBUMASK\fR -is used to create the mode\&. -.sp -\fBuseradd\fR -and -\fBnewusers\fR -use this to set the mode of the home directory they create\&. -.RE -.PP -\fBHUSHLOGIN_FILE\fR (string) -.RS 4 -If defined, this file can inhibit all the usual chatter during the login sequence\&. If a full pathname is specified, then hushed mode will be enabled if the user\*(Aqs name or shell are found in the file\&. If not a full pathname, then hushed mode will be enabled if the file exists in the user\*(Aqs home directory\&. -.RE -.PP -\fBISSUE_FILE\fR (string) -.RS 4 -如果定义了,此文件将在每次的登录提示之前显示。 -.RE -.PP -\fBKILLCHAR\fR (number) -.RS 4 -Terminal KILL character (\fI025\fR -= CTRL/U)\&. -.sp -此值可以使用前缀\(lq0\(rq表示八进制,\(lq0x\(rq表示十六进制。 -.RE -.PP -\fBLASTLOG_ENAB\fR (boolean) -.RS 4 -允许记录和显示 /var/log/lastlog 登录时间信息。 -.RE -.PP -\fBLASTLOG_UID_MAX\fR (number) -.RS 4 -Highest user ID number for which the lastlog entries should be updated\&. As higher user IDs are usually tracked by remote user identity and authentication services there is no need to create a huge sparse lastlog file for them\&. -.sp -No -\fBLASTLOG_UID_MAX\fR -option present in the configuration means that there is no user ID limit for writing lastlog entries\&. -.RE -.PP -\fBLOG_OK_LOGINS\fR (boolean) -.RS 4 -允许记录成功登录。 -.RE -.PP -\fBLOG_UNKFAIL_ENAB\fR (boolean) -.RS 4 -在记录到登录失败时,允许记录未知用户名。 -.sp -注意:如果用户不小心将密码输入到了登录名中,记录未知用户名可能是一个安全隐患。 -.RE -.PP -\fBLOGIN_RETRIES\fR (number) -.RS 4 -密码错误时,重试的最大次数。 -.RE -.PP -\fBLOGIN_STRING\fR (string) -.RS 4 -此字符串用于提示输入密码。默认是 "Password: ",或者翻译了的结果(汉语中翻译为了\(lq密码:\(rq)。如果设置了此变量,提示不会被翻译。 -.sp -If the string contains -\fI%s\fR, this will be replaced by the user\*(Aqs name\&. -.RE -.PP -\fBLOGIN_TIMEOUT\fR (number) -.RS 4 -最大登录时间(以秒为单位)。 -.RE -.PP -\fBMAIL_CHECK_ENAB\fR (boolean) -.RS 4 -启用登录时检查和显示邮箱状态。 -.sp -如果 shell 的启动文件已经检查了邮件("mailx \-e" 或者其它同功能的工具),您应该禁用它。 -.RE -.PP -\fBMAIL_DIR\fR (string) -.RS 4 -The mail spool directory\&. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted\&. If not specified, a compile\-time default is used\&. The parameter CREATE_MAIL_SPOOL in -/etc/default/useradd -determines whether the mail spool should be created\&. -.RE -.PP -\fBMAIL_FILE\fR (string) -.RS 4 -定义用户邮箱文件的位置(相对于主目录)。 -.RE -.PP -The -\fBMAIL_DIR\fR -and -\fBMAIL_FILE\fR -variables are used by -\fBuseradd\fR, -\fBusermod\fR, and -\fBuserdel\fR -to create, move, or delete the user\*(Aqs mail spool\&. -.PP -If -\fBMAIL_CHECK_ENAB\fR -is set to -\fIyes\fR, they are also used to define the -\fBMAIL\fR -environment variable\&. -.PP -\fBMAX_MEMBERS_PER_GROUP\fR (number) -.RS 4 -Maximum members per group entry\&. When the maximum is reached, a new group entry (line) is started in -/etc/group -(with the same name, same password, and same GID)\&. -.sp -默认值是 0,意味着组中的成员数没有限制。 -.sp -此功能(分割组)允许限制组文件中的行长度。这对于确保 NIS 组的行比长于 1024 字符。 -.sp -如果要强制这个限制,可以使用 25。 -.sp -注意:分割组可能不受所有工具的支持(甚至在 Shadow 工具集中)。您不应该使用这个变量,除非真的需要。 -.RE -.PP -\fBMD5_CRYPT_ENAB\fR (boolean) -.RS 4 -Indicate if passwords must be encrypted using the MD5\-based algorithm\&. If set to -\fIyes\fR, new passwords will be encrypted using the MD5\-based algorithm compatible with the one used by recent releases of FreeBSD\&. It supports passwords of unlimited length and longer salt strings\&. Set to -\fIno\fR -if you need to copy encrypted passwords to other systems which don\*(Aqt understand the new algorithm\&. Default is -\fIno\fR\&. -.sp -This variable is superseded by the -\fBENCRYPT_METHOD\fR -variable or by any command line option used to configure the encryption algorithm\&. -.sp -This variable is deprecated\&. You should use -\fBENCRYPT_METHOD\fR\&. -.RE -.PP -\fBMOTD_FILE\fR (string) -.RS 4 -If defined, ":" delimited list of "message of the day" files to be displayed upon login\&. -.RE -.PP -\fBNOLOGINS_FILE\fR (string) -.RS 4 -If defined, name of file whose presence will inhibit non\-root logins\&. The contents of this file should be a message indicating why logins are inhibited\&. -.RE -.PP -\fBNONEXISTENT\fR (string) -.RS 4 -If a system account intentionally does not have a home directory that exists, this string can be provided in the /etc/passwd entry for the account to indicate this\&. The result is that pwck will not emit a spurious warning for this account\&. -.RE -.PP -\fBOBSCURE_CHECKS_ENAB\fR (boolean) -.RS 4 -对密码更改启用附加检查。 -.RE -.PP -\fBPASS_ALWAYS_WARN\fR (boolean) -.RS 4 -如果是 root,警告弱密码,但是仍然允许使用。 -.RE -.PP -\fBPASS_CHANGE_TRIES\fR (number) -.RS 4 -可以尝试更改密码的最大次数(太容易)。 -.RE -.PP -\fBPASS_MAX_DAYS\fR (number) -.RS 4 -一个密码可以使用的最大天数。如果密码比这旧,将会强迫更改密码。如果不指定,就假定为 \-1,这会禁用这个限制。 -.RE -.PP -\fBPASS_MIN_DAYS\fR (number) -.RS 4 -The minimum number of days allowed between password changes\&. Any password changes attempted sooner than this will be rejected\&. If not specified, 0 will be assumed (which disables the restriction)\&. -.RE -.PP -\fBPASS_WARN_AGE\fR (number) -.RS 4 -密码过期之前给出警告的天数。0 表示只有只在过期的当天警告,负值表示不警告。如果没有指定,不会给警告。 -.RE -.PP \fBPASS_MAX_DAYS\fR, \fBPASS_MIN_DAYS\fR and \fBPASS_WARN_AGE\fR are only used at the time of account creation\&. Any changes to these settings won\*(Aqt affect existing accounts\&. -.PP -\fBPASS_MAX_LEN\fR (number), \fBPASS_MIN_LEN\fR (number) -.RS 4 -Number of significant characters in the password for crypt()\&. -\fBPASS_MAX_LEN\fR -is 8 by default\&. Don\*(Aqt change unless your crypt() is better\&. This is ignored if -\fBMD5_CRYPT_ENAB\fR -set to -\fIyes\fR\&. -.RE -.PP -\fBPORTTIME_CHECKS_ENAB\fR (boolean) -.RS 4 -Enable checking of time restrictions specified in -/etc/porttime\&. -.RE -.PP -\fBQUOTAS_ENAB\fR (boolean) -.RS 4 -Enable setting of resource limits from -/etc/limits -and ulimit, umask, and niceness from the user\*(Aqs passwd gecos field\&. -.RE -.PP -\fBSHA_CRYPT_MIN_ROUNDS\fR (number), \fBSHA_CRYPT_MAX_ROUNDS\fR (number) -.RS 4 -When -\fBENCRYPT_METHOD\fR -is set to -\fISHA256\fR -or -\fISHA512\fR, this defines the number of SHA rounds used by the encryption algorithm by default (when the number of rounds is not specified on the command line)\&. -.sp -使用很多轮转,会让暴力破解更加困难。但是需要注意,认证用户时也会需要更多的 CPU 资源。 -.sp -If not specified, the libc will choose the default number of rounds (5000), which is orders of magnitude too low for modern hardware\&. -.sp -值必须在 1000 \- 999,999,999 之间。 -.sp -If only one of the -\fBSHA_CRYPT_MIN_ROUNDS\fR -or -\fBSHA_CRYPT_MAX_ROUNDS\fR -values is set, then this value will be used\&. -.sp -If -\fBSHA_CRYPT_MIN_ROUNDS\fR -> -\fBSHA_CRYPT_MAX_ROUNDS\fR, the highest value will be used\&. -.RE -.PP -\fBSULOG_FILE\fR (string) -.RS 4 -如果定义了,所有的 su 活动都会记录到此文件。 -.RE -.PP -\fBSU_NAME\fR (string) -.RS 4 -如果定义了,就是运行\(lqsu \-\(rq时显示的命令名称。例如,如果定义为\(lqsu\(rq,那么\(lqps\(rq会显示此命令为\(lq\-su\(rq。如果没有定义,\(lqps\(rq将会显示实际执行的 shell,例如类似于\(lq\-sh\(rq。 -.RE -.PP -\fBSU_WHEEL_ONLY\fR (boolean) -.RS 4 -If -\fIyes\fR, the user must be listed as a member of the first gid 0 group in -/etc/group -(called -\fIroot\fR -on most Linux systems) to be able to -\fBsu\fR -to uid 0 accounts\&. If the group doesn\*(Aqt exist or is empty, no one will be able to -\fBsu\fR -to uid 0\&. -.RE -.PP -\fBSUB_GID_MIN\fR (number), \fBSUB_GID_MAX\fR (number), \fBSUB_GID_COUNT\fR (number) -.RS 4 -If -/etc/subuid -exists, the commands -\fBuseradd\fR -and -\fBnewusers\fR -(unless the user already have subordinate group IDs) allocate -\fBSUB_GID_COUNT\fR -unused group IDs from the range -\fBSUB_GID_MIN\fR -to -\fBSUB_GID_MAX\fR -for each new user\&. -.sp -The default values for -\fBSUB_GID_MIN\fR, -\fBSUB_GID_MAX\fR, -\fBSUB_GID_COUNT\fR -are respectively 100000, 600100000 and 65536\&. -.RE -.PP -\fBSUB_UID_MIN\fR (number), \fBSUB_UID_MAX\fR (number), \fBSUB_UID_COUNT\fR (number) -.RS 4 -If -/etc/subuid -exists, the commands -\fBuseradd\fR -and -\fBnewusers\fR -(unless the user already have subordinate user IDs) allocate -\fBSUB_UID_COUNT\fR -unused user IDs from the range -\fBSUB_UID_MIN\fR -to -\fBSUB_UID_MAX\fR -for each new user\&. -.sp -The default values for -\fBSUB_UID_MIN\fR, -\fBSUB_UID_MAX\fR, -\fBSUB_UID_COUNT\fR -are respectively 100000, 600100000 and 65536\&. -.RE -.PP -\fBSYS_GID_MAX\fR (number), \fBSYS_GID_MIN\fR (number) -.RS 4 -Range of group IDs used for the creation of system groups by -\fBuseradd\fR, -\fBgroupadd\fR, or -\fBnewusers\fR\&. -.sp -The default value for -\fBSYS_GID_MIN\fR -(resp\&. -\fBSYS_GID_MAX\fR) is 101 (resp\&. -\fBGID_MIN\fR\-1)\&. -.RE -.PP -\fBSYS_UID_MAX\fR (number), \fBSYS_UID_MIN\fR (number) -.RS 4 -Range of user IDs used for the creation of system users by -\fBuseradd\fR -or -\fBnewusers\fR\&. -.sp -The default value for -\fBSYS_UID_MIN\fR -(resp\&. -\fBSYS_UID_MAX\fR) is 101 (resp\&. -\fBUID_MIN\fR\-1)\&. -.RE -.PP -\fBSYSLOG_SG_ENAB\fR (boolean) -.RS 4 -Enable "syslog" logging of -\fBsg\fR -activity\&. -.RE -.PP -\fBSYSLOG_SU_ENAB\fR (boolean) -.RS 4 -Enable "syslog" logging of -\fBsu\fR -activity \- in addition to sulog file logging\&. -.RE -.PP -\fBTTYGROUP\fR (string), \fBTTYPERM\fR (string) -.RS 4 -The terminal permissions: the login tty will be owned by the -\fBTTYGROUP\fR -group, and the permissions will be set to -\fBTTYPERM\fR\&. -.sp -By default, the ownership of the terminal is set to the user\*(Aqs primary group and the permissions are set to -\fI0600\fR\&. -.sp -\fBTTYGROUP\fR -can be either the name of a group or a numeric group identifier\&. -.sp -If you have a -\fBwrite\fR -program which is "setgid" to a special group which owns the terminals, define TTYGROUP to the group number and TTYPERM to 0620\&. Otherwise leave TTYGROUP commented out and assign TTYPERM to either 622 or 600\&. -.RE -.PP -\fBTTYTYPE_FILE\fR (string) -.RS 4 -If defined, file which maps tty line to TERM environment parameter\&. Each line of the file is in a format something like "vt100 tty01"\&. -.RE -.PP -\fBUID_MAX\fR (number), \fBUID_MIN\fR (number) -.RS 4 -Range of user IDs used for the creation of regular users by -\fBuseradd\fR -or -\fBnewusers\fR\&. -.sp -The default value for -\fBUID_MIN\fR -(resp\&. -\fBUID_MAX\fR) is 1000 (resp\&. 60000)\&. -.RE -.PP -\fBULIMIT\fR (number) -.RS 4 -Default -\fBulimit\fR -value\&. -.RE -.PP -\fBUMASK\fR (number) -.RS 4 -文件模式创建掩码初始化为此值。如果没有指定,掩码初始化为 022。 -.sp -\fBuseradd\fR -and -\fBnewusers\fR -use this mask to set the mode of the home directory they create if -\fBHOME_MODE\fR -is not set\&. -.sp -It is also used by -\fBlogin\fR -to define users\*(Aq initial umask\&. Note that this mask can be overridden by the user\*(Aqs GECOS line (if -\fBQUOTAS_ENAB\fR -is set) or by the specification of a limit with the -\fIK\fR -identifier in -\fBlimits\fR(5)\&. -.RE -.PP -\fBUSERDEL_CMD\fR (string) -.RS 4 -如果定义了,这是删除账户时执行的命令。它应该移除所有属于此用户的的 at/cron/print 等作业(作为第一个参数传递)。 -.sp -这个脚本的返回值并不被带到账户中去。 -.sp -Here is an example script, which removes the user\*(Aqs cron, at and print jobs: -.sp -.if n \{\ -.RS 4 -.\} -.nf -#! /bin/sh - -# Check for the required argument\&. -if [ $# != 1 ]; then - echo "Usage: $0 username" - exit 1 -fi - -# Remove cron jobs\&. -crontab \-r \-u $1 - -# Remove at jobs\&. -# Note that it will remove any jobs owned by the same UID, -# even if it was shared by a different username\&. -AT_SPOOL_DIR=/var/spool/cron/atjobs -find $AT_SPOOL_DIR \-name "[^\&.]*" \-type f \-user $1 \-delete \e; - -# Remove print jobs\&. -lprm $1 - -# All done\&. -exit 0 - -.fi -.if n \{\ -.RE -.\} -.sp -.RE -.PP -\fBUSERGROUPS_ENAB\fR (boolean) -.RS 4 -如果 uid 和 gid 相同,用户名和主用户名也相同,使非 root 组的组掩码位和属主位相同 (如:022 \-> 002, 077 \-> 007)。 -.sp -If set to -\fIyes\fR, -\fBuserdel\fR -will remove the user\*(Aqs group if it contains no more members, and -\fBuseradd\fR -will create by default a group with the name of the user\&. -.RE .SH "交叉引用" .PP 如下交叉引用显示影子密码套件哪个程序使用哪个参数。 |