User definition

user:
    name: <string>|<list>     # The username(s)
    ensure: exists|removed    # Action
    password: <string>        # Plaintext password
    password-hash: <string>   # Encrypted password
    uid: <int>                # UID for user
    gid: <int>                # Primary GID for user
    comment: <string>         # Comment string for user
    homedir: <string>         # Homedir for user
    manage-home: <bool>       # Create and remove homedir
    shell: <string>           # Shell for user
    groups: <list>            # Extra groups for user
    after: <string>|<list>    # Depends on

Name

One or more usernames to manage with the other settings

Ensure

The ensure parameter defines what needs to be done with the user.

exists
Make sure the user exists and matches the definition
removed
Remove the user if it exists.

Password and password-hash

If defined, this makes sure the password is as specified. If the password parameter is set, it is compared to the password hash in /etc/passwd. If the password doesn't match, it is encrypted with crypt(3) and stored for the user.

Instead of specifying the plaintext password you can also set the password-hash parameter. This is more secure, since the plaintext password isn't stored anywhere, but it may change the stored hash in the password file if the algorithm isn't the same as that of the old password.

Encrypted passwords have the form $id$salt$encrypted. If you put passwords in your manifest, make sure a strong cipher is used. The id part of the password should be 6 (SHA-512) or 5 (SHA-256). Passwords with the id 1 (MD5) are not secure.

UID and GID

With these parameters you can manually specify the user id and primary group id. If you don’t specify them then the next free UID and GID above 999 will be used.

Be aware that changing the UID of an existing user will break the link between the user and the files.

Comment

This parameter controls the comment field in the /etc/passwd file. This is mostly used to store the user's full name.

Homedir and manage-home

The default homedir location for a user is BASE_DIR/username. BASE_DIR defaults to /home in most configurations but might be changed in /etc/default/useradd or /etc/login.defs.

If you specify the homedir option then it will be used as the absolute path to the home directory. It should contain the username.

By default TinyCM won't create or remove the homedir itself, only manage the reference in the passwd file. If you set manage-home to true, the directory will be created and deleted when needed.
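A pre-apply check for the password-hash and homedir rules above (hash id must be 6 or 5, not 1; homedir absolute and containing the username). This is an added example, not TinyCM's own code; the manifest entries are constructed here as Python dicts mirroring the user: keys, with placeholder hashes that are not real.

```python
import re

# crypt(3) form $id$salt$encrypted from the text above: id 6 = SHA-512,
# 5 = SHA-256, 1 = MD5. An optional "$rounds=N$" field after the id is accepted.
CRYPT_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$(?:rounds=\d+\$)?(?P<salt>[^$]+)\$(?P<hash>[^$]+)$")
STRONG_IDS = {"6": "SHA-512", "5": "SHA-256"}


def hash_id(password_hash):
    """Return the $id$ of a crypt(3) string, or None if the form is not recognised."""
    m = CRYPT_RE.match(password_hash)
    return m.group("id") if m else None


def check_user(user):
    """Return findings (strings) for one 'user:' definition given as a dict."""
    findings = []
    names = user.get("name", [])
    names = [names] if isinstance(names, str) else list(names)
    if user.get("ensure", "exists") == "removed":
        return findings            # nothing to verify for a user being removed
    if "password" in user:
        findings.append("plaintext 'password' in manifest; use 'password-hash' instead")
    if "password-hash" in user:
        hid = hash_id(user["password-hash"])
        if hid is None:
            findings.append("password-hash is not in $id$salt$encrypted form")
        elif hid == "1":
            findings.append("password-hash uses id 1 (MD5), which is not secure")
        elif hid not in STRONG_IDS:
            findings.append(f"password-hash id {hid!r} is neither 6 (SHA-512) nor 5 (SHA-256)")
    homedir = user.get("homedir")
    if homedir is not None:
        if not homedir.startswith("/"):
            findings.append("homedir must be an absolute path")
        for n in names:            # the text asks that homedir contain the username
            if n not in homedir:
                findings.append(f"homedir {homedir!r} does not contain username {n!r}")
    return findings


# Constructed sample manifest entries (placeholder hashes, not real accounts).
SAMPLE_USERS = [
    {"name": "deploy", "ensure": "exists", "homedir": "/srv/deploy", "manage-home": True,
     "password-hash": "$6$c0nstructedsalt$notarealhashvalue", "shell": "/bin/bash", "groups": ["wheel"]},
    {"name": ["app1", "app2"], "password": "hunter2",
     "password-hash": "$1$saltsalt$alsonotreal", "homedir": "apps"},
    {"name": "olduser", "ensure": "removed", "password-hash": "$1$x$y"},
]

if __name__ == "__main__":
    for u in SAMPLE_USERS:
        for f in check_user(u):
            print(f"{u['name']}: {f}")
```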

Shell

This sets the default shell for the user. If it isn't specified, it defaults to /bin/false, which makes the user unable to log in. This is fine for user accounts created for system services. Specify another shell here for accounts used by actual users.

Groups

This list is the extra non-primary groups for the user. One popular use is the wheel group to give users sudo access if sudo is installed.