User definition
===============

.. highlight:: yaml

::

    user:
      name: |                  # The username(s)
      ensure: exists|removed   # Action
      password:                # Plaintext password
      password-hash:           # Encrypted password
      uid:                     # UID for user
      gid:                     # Primary GID for user
      comment:                 # Comment string for user
      homedir:                 # Homedir for user
      manage-home:             # Create and remove homedir
      shell:                   # Shell for user
      groups:                  # Extra groups for user
      after: |                 # Depends on

Name
----

One or more usernames to manage with the other settings.

ensure
------

The ensure parameter defines what needs to be done with the user.

exists
    Make sure the user exists and matches the definition.

removed
    Remove the user if it exists.

Password and password-hash
--------------------------

If defined, this makes sure the password is as defined. If the ``password`` parameter is set then it will be compared
to the password hash in ``/etc/passwd``. If the password doesn't match then it will be encrypted with ``crypt(3)`` and
stored for the user.

Instead of specifying the plaintext password you can also set the ``password-hash`` parameter. This is more secure
since the plaintext password isn't stored anywhere, but it might change the stored hash in the password file if the
algorithm isn't the same as that of the old password.

Encrypted passwords have the form of ``$id$salt$encrypted``. If you put passwords in your manifest then you should make
sure that they use a strong cipher. The ``id`` part of the password should be 6 (SHA-512) or 5 (SHA-256). Passwords
with the id 1 (MD5) are not secure.

UID and GID
-----------

With these parameters you can manually specify the user id and primary group id. If you don't specify them then the
next free UID and GID above 999 will be used. Be aware that changing the UID of an existing user will break the link
between the user and the files.

Comment
-------

This parameter controls the comment field in the ``/etc/passwd`` file.
This is mostly used to store the user's full name.

Homedir and manage-home
-----------------------

The default homedir location for a user is ``BASE_DIR/username``. BASE_DIR defaults to ``/home`` in most
configurations but might be changed in ``/etc/default/useradd`` or ``/etc/login.defs``.

If you specify the ``homedir`` option then it will be used as the absolute path to the home directory. It should
contain the username.

By default TinyCM won't create or remove the homedir itself, only manage the reference in the passwd file. If you set
``manage-home`` to true then the directory will be created and deleted when needed.

Shell
-----

This sets the default shell for the user. If it isn't specified then it will default to ``/bin/false``, which makes the
user unable to log in. This is fine for user accounts created for system services. Specify another shell here for user
accounts created for actual users.

Groups
------

This list is the extra non-primary groups for the user. One popular use is the ``wheel`` group to give users sudo
access if sudo is installed.
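
The advice in "Password and password-hash" can be checked before a manifest is applied. The following is an added example, not part of TinyCM: ``parse_crypt_hash`` and ``audit_user`` are hypothetical helper names, and each user definition is assumed to be already loaded into a Python dict with the keys shown at the top of this page. It goes slightly beyond the text by also accepting the ``$id$rounds=N$salt$encrypted`` variant that SHA-crypt hashes may use.

```python
# Added example, not TinyCM code. Sample definitions below are constructed.
STRONG_IDS = {"5": "SHA-256", "6": "SHA-512"}  # ids the text recommends
WEAK_IDS = {"1": "MD5"}                        # id the text calls not secure


def parse_crypt_hash(value):
    """Split ``$id$salt$encrypted`` into (id, salt, encrypted).

    Also accepts the sha-crypt ``$id$rounds=N$salt$encrypted`` variant.
    Raises ValueError for any other shape.
    """
    parts = value.split("$")
    # A well-formed value starts with "$", so parts[0] is the empty string.
    if len(parts) < 4 or parts[0] != "":
        raise ValueError("not in $id$salt$encrypted form")
    fields = parts[1:]
    if len(fields) == 4 and fields[1].startswith("rounds="):
        fields = [fields[0]] + fields[2:]
    if len(fields) != 3 or not all(fields):
        raise ValueError("not in $id$salt$encrypted form")
    return tuple(fields)


def audit_user(definition):
    """Return a list of findings for one user definition (a dict)."""
    findings = []
    if "password" in definition:
        findings.append("plaintext password in manifest; use password-hash")
    pw_hash = definition.get("password-hash")
    if pw_hash is not None:
        try:
            hash_id, _salt, _encrypted = parse_crypt_hash(str(pw_hash))
        except ValueError as exc:
            findings.append(f"password-hash {exc}")
        else:
            if hash_id in WEAK_IDS:
                findings.append(f"password-hash id {hash_id} ({WEAK_IDS[hash_id]}) is not secure")
            elif hash_id not in STRONG_IDS:
                findings.append(f"password-hash id {hash_id} is not 5 or 6")
    return findings


if __name__ == "__main__":
    samples = [  # constructed values, not real hashes
        {"name": "alice", "password-hash": "$6$examplesalt$CONSTRUCTED"},
        {"name": "bob", "password-hash": "$1$examplesalt$CONSTRUCTED"},
        {"name": "carol", "password": "example-plaintext"},
    ]
    for user in samples:
        print(user["name"], audit_user(user) or "ok")
```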