Working from SponsorsDataAccountsDocumentationBig as a start, we attempt to indicate sections which are irrelevant and annotate others.
sponsors - the accounts-master package's sponsor database
The sponsors database is typically stored in a several files, one per sponsor, in several directories, one per department. Blank lines, and those beginning with a are ignored. Lines ending with a backslash, are considered to be contin- ued on the following line as if it were part of the same line. (Ensure that the backslash really is the last charac- ter on the line and is not followed by a space.) In most cases the backslash isn't required, as lines may also be continued by indenting the continuation lines with tabs or spaces. Lines beginning with an equal sign separate sections. By convention, eight equal signs (i.e. are used before each new billcode or class, and four equal signs (i.e. are used before each resource. Each line comprises a keyword, immediately followed by a colon, and a list of space-separated arguments. Lists must never be empty. If a particular keyword does not apply or its value is unknown, the line should be omitted (or com- mented out with a and not left with an empty list. If the first character of a list is a character, the rest of the line will be the name of a decommentable file (relative to the current file if the first character of the name isn't The line will then behave as if the list were the contents of that file. In general this feature shouldn't be used except where necessary to automate the processing of the Registrar's data.
The data is stored in a logical hierarchy, each sponsor being divided into several billcodes, each billcode into several classes, and each class into several resources. Each billcode is assumed to belong to the most recently encountered sponsor, and resets all information associated with any previously encountered billcodes. Each class is assumed to belong to the most recently encountered billcode, and resets all information associated with any previously encountered classes. Each resource is assumed to belong to the most recently encountered class, and resets all information associated with any previously encountered resource. Values for each keyword are accumulated until an keyword is encountered, at which point all accumulated data is applied to the userids named on that line.
This describes the person sponsoring everything that follows to the end of the file. Sponsor: Name of person Department: Sponsor's UW department, if any Address: Sponsor's paper mailing address, if any Multiple lines may be used if required. Email: Sponsor's e-mail address, if any Billing: NoCharge Sponsor is not charged for sponsored resources. Billing: Automatic Charges are automatically debited to sponsor's Finan- cial Services account. Statements: NoPaper A paper statement is not mailed to the sponsor each month. Statements: NoWeb The sponsor's monthly statement is not posted in our web space. Infrastructure: FirstConnection Userids: userid:idnumber list Multiple lines may be used if required. See the Resource subsubsubsection for details about the Userids list.
This defines the University billing code to which all fol- lowing classes, up to the end of the file or the next bill- code, will be charged. If a University billcode is not appropriate (e.g. resources for internal use), some other string may be used. Check with the accountING package main- tainer to see what is or is not appropriate. Billcode: UW billcode or equivalent
This defines the the class to which all following resources, up to the end of the file or the next class or billcode, will be charged. Class names must be unique (i.e. no class may have more than one sponsor). The reports produced by list_sponsors(8) will begin on a new page for each class. Class: Name of class There are currently no rules about what a class name may be, but for the moment, to be consistent with the old software, they should be of the form where is one through five alphabetic characters, is three digits, and is zero or one alphabetic characters. To avoid confusion with those classes automatically generated from the Registrar's data, one should use Dual-Case when creating new class names (e.g. Soft100). Description: Description of class A short description of the purpose of the class. Usage: Primary use of the class One of or The most significant value is as it means that usage under this class should not count toward active usage on a machine. (e.g. for a staff member that must occasionally sign onto a researcher's machine to maintain (but not use) its software.). Subsidy: Dean's subsidy or indicating whether or not the Dean's subsidy applies to resources sponsored by this class (by default it does). Instructors: Name of professor, class instructor(s), et al. The human(s) responsible for the class. Enrollment: Number of members The estimated size of the class. Load: low, moderate, high, or heavy The estimated cpu load for the class. Requirements: Extra requirements A short list of extra requirements (e.g. special soft- ware) for the class. Fee: Lab fee The lab fee charge for one term. Can be given as the number of cents, or suffixed with or The two keywords may be abbreviated by truncation. MembershipStarts: Date to start Any following membership lists will be ignored before this date. MembershipEnds: Date to end Any following membership lists will be ignored after this date. If a start date is given, the end date may be expressed relatively (e.g. Members: A list of userids that belong to this class. Note that they will not automatically be assigned any resources; that must be done by giving a value to an trigger.
This defines a set of resources to be billed to the current class under the current billcode for the current sponsor. The first line must select a resource: Computing: List of host names This defines resources for computer accounts to be billed to the current class under the current billcode for the current sponsor. Printing: List of printer queue names This defines printer access to be billed to the current class under the current billcode for the current spon- sor. MailAlias: mail-alias This defines a mail alias (e.g. to be billed to the current class under the current billcode for the cur- rent sponsor. If the mail-alias is more than 7 charac- ters long, it must also include square brackets to indicate allowable userid truncation. (e.g. generates 5 aliases, but generates only one alias). PPP: List of PPP names This defines PPP access to be billed to the current class under the current billcode for the current spon- sor. Any following lines define the attributes associated with the resource, which is allocated whenever a AssignTo: List of userids line is encountered. More than one line may be given for a resource, typically either to avoid long lines or to apply a start or end date to some but not all users. The special userid means all userids defined in members lists for this class. For the mailalias resource, the given userids may contain at-signs, and other punctuation, including colons, and are not checked for validity. Otherwise, each userid should be immediately followed by an optional the redundancy providing checking for incorrect or misspelled userids. In addition, if the userid (and id num- ber) is on a machine not in the standard userid namespace (e.g. for accessing our printers), it should be followed by indicating the name of another machine where the account resides. To avoid entering the id number each time the same userid appears for the same sponsor, the id number may be omitted without generating any warnings if the userid and id number are given in the list in the Sponsor section. If a IgnoreUserids: List of userids is in effect when a userid list is encountered, any entries common to both lists will be ignored. (This is currently implemented only for the resource. The following attributes are common to most resources. Quota: Restrictions on the amount of the resource For PPP accounts it is not defined, for printers it is a money limit (format is as described in the field in the subsubsection above), and for computer accounts it restricts the amount of disk space. Disk space is assumed to be in kilobytes, but may be suffixed with with or to indicate kilobytes, megabytes, or gigabytes. To specify a quota without limit, the abbreviatable keyword may be used. SponsorshipStarts: Date sponsorship takes effect This is a date before which the sponsorship of the resource does not apply. SponsorshipEnds: Date sponsorship ends This is a date after which the sponsorship of the resource no longer applies. If a start date is given, the end date may be expressed relatively (e.g. End dates are used, rather than simply deleting the data, because the sponsorship information may be required by the accountING software for several months after the resources are no longer needed. For the PPP resource, the end date may instead be given as the name of a host. In that case, the sponsorship of the resource is considered to have ended when the user no longer has an account on the specified host. Address: IP-Address This applies only to the PPP resource. This causes the resource to be assigned this fixed IP address rather than being assigned one arbitrarily each time a connec- tion is made. Groups: Group membership This applies only to the computing resource, and lists unix groups of which the user should be a member. Hosts: List of hosts This applies only to the mailalias resource, and lists unix regions on which the alias should apply. Account: Sponsoring account This applies only to the printing resource. If speci- fied, the single account name that will be used (instead of the class name) as the field in the printer quota database. (i.e. the value the must be supplied when using Note that this means that these account names are in the same namespace as class names, and therefore along with the class names should be unique.
The following is meant to represent the tree structure of the database. Each file contains one sponsor: Sponsor: Department: Address: Email: Userids: ======== Each sponsor is divided into one or more billcodes: Billcode1 ... Billcode ... BillcodeN ======== Each billcode is divided into one or more classes: Class1 ... Class ... ClassN Description1 Description DescriptionN ==== Each class is divided into one or more resources: Computing... Printing... MailAlias... PPP1... Starts Starts Starts Starts Ends Ends Ends Ends Quota Quota Hosts Address Groups Account Each resource is divided into one or more lists of userids: AssignTo1 ... AssignTo2 ... AssignToN Each sponsor, billcode, class, or resource section overrides all attributes defined by previous sections of the same type. Whenever an AssignTo list is found for a resource, all attributes accumulated so far are assigned to each userid in the list. It is important to understand the difference between how values are accumulated as described in the previous two sen- tences. The Userid list does *not* reset any previously defined values for the current resource. So for instance, if the file contained the sequence: ... Computing: math watdragon Quota: 100M AssignTo: *MEMBERS* SponsorshipStarts: 1996/01/01 SponsorshipEnds: +1Year AssignTo: jdoe jsmith SponsorshipStarts: 1996/06/06 AssignTo: fbaggins gabandabalf The fbaggins account would also inherit the 100M quota and, perhaps more surprisingly, the January 1997 end date.
get_all_sponsors(3w), list_sponsors(8).
Copyright (C) 1995,2006, MFCF, University of Waterloo.
accounts-master-package, accounts-master - description of the accounts-master package
The accounts-master package allows one to manage distributed resources from a single centralized database. It currently knows about printer quotas, PPP access, and UNIX accounts. The central database contains a description of who sponsors what resources. The software determines what each resource provider should provide, passes this information to the resource providers, and tells them "make it so". The database also provides information for billing and accounting purposes, while the control files associated with individual resources provide information about why a user has the resources.
The database (described in sponsors(5)) consists of text files in an arbitrary structure under the "data/sponsors" directory. A simple text editor (e.g. vi(1)) provides the user interface, though if desired one could design a more elaborate mechanism. The sponsor_resources(8) program examines the database and produces a number of text files under the three directories "data/resources/{account,ppp,printer}". Each file under a resource directory bears the name of one of the resource providers (e.g. "account/logos.math", "ppp/anik3.mfcf", "printer/ps_mfcf").
The accounts-client(8) program distributes these resource files to each resource provider and does the appropriate things to make the resources correspond to the contents of the file. In the case of UNIX accounts, this means running the spon- sor_accounts(8) program on the machine of interest. On each machine, a file, "/software/accounts/data/users", contains sponsor-related information for each entry in the "/etc/passwd" file. The program ignores accounts not created by the sponsors data, and adjusts the resources of all sponsored accounts to match the new resource data. This involves changing disk quotas and the "/etc/passwd" and "/etc/group" files. It does not actually remove entries from the passwd file, but instead simply marks them as expired, other jobs later making them unusable (expire_accounts(8)) and finally remov- ing them and their files (rmallusr(8)).
The list_sponsors(8) program produces summaries of sponsored resources suitable for sending to the individual sponsors. Each report begins a new page for each class (a set of com- mon resources), showing the specific allocation of resources for each user.
Currently, the sponsors data does not affect /etc/group. Currently, nothing uses the printer and ppp resource infor- mation. This package contains many other files and programs.
sponsors(5).
Copyright (C) 1997, MFCF, University of Waterloo.
accounts-client - updates accounts on remote clients
accounts-client [[host=]hostname]
accounts-client uses the data compiled by the accounts-mas- ter(8) program ("/software/accounts-mas- ter/data/resources/*/*") and updates all accounts-controlled accounts on the specified "host=" host. If no explicit host is given, all hosts (i.e. those listed by `hostin group=mfcf_sponsored`, `hostin group=mfcf_ads`, `hostin group=mfcf_macs`, `hostin group=windows-masters`, and `hostin group=polaris-masters`) are updated. (Replace "_mfcf" with "_cscf" or other appropriate administration.) For each of the "mfcf_sponsored" machines (the most common case), the account resource file is distributed to the machine and the sponsor_accounts(8) program is run on that machine to do the update. Processing for the other types of hosts is handled in a sim- ilar way, though the host where the update processing occurs might not be the same as the target host.
Unlike accounts-master(8), this program does not detach itself, and so killing it might have some effect on the remote updates.
When updating all clients, one would typically do something like this: math% accounts-client >&~/#ac math% cut -c1-79 ~/#ac | page For a single client, math% accounts-client student.math would be used.
accounts-master(8), sponsor_resources(8), do_polaris(8), sponsor_accounts(8), mfcf-course-accounts(i).
Copyright (C) 1996, 1997, 2009, MFCF, University of Water- loo.
Apparently missing here is a man page for make_all_accounts which does the actual work
accounts-master - gathers current information for maintain- ing accounts
accounts-master [{+|-}Verbose]
accounts-master gathers information from various places and produces lists of accounts and resources that should exist on the machines it administers. In addition, (some) printer quotas, man pages and web pages are updated. The program, accounts-client(8), should then be used to update the accounts on those machines (hostin group=stu- dents). The output, which is appended to the log file, is much more detailed than one would normally want to see, so unless one specifies "+Verbose", all blank lines and all lines begin- ning with "+++" are omitted from the output. If one doesn't want to see the progress of the job as it proceeds, specify- ing "-Verbose" will suppress all lines beginning with "===", and in theory only the important messages (e.g. errors) will be displayed. Note that the real work is done by a program that is submit- ted by an rsh where it runs in the background independent of this program. That means that one may kill the accounts- master program without affecting the actual update.
This is still somewhat under development. What is actually considered to be important output isn't always correct. The output sometimes contains lines of the form "ADD1: ...". This indicates something I have to update by hand, but even- tually it will be automated. The same list will appear every time, so you don't need to worry about telling me about them.
/software/accounts-master/data/sponsors/ /software/accounts-master/data/resources/ /software/accounts/logs/accounts-master
accounts-client(8), sponsor_resources(8), mfcf-course- accounts(i).
Copyright (C) 1994,1996, MFCF, University of Waterloo.
get_printer_quotas - merge requests for accounts
get_printer_quotas
get_printer_quotas uses the "Printers" control file to determine the current printer quota allocations, and to pro- duce batch update files suitable for each printer. At the moment nothing beyond this is automated. One must do the following by hand: math% get_printer_quotas math% cd /software/accounts-master/data/work math% lpquota_update_sucks -p ps_mfcf - < lpquotas.update.ps_mfcf math% lpquota_update_sucks -p [ ... ] - < lpquotas.update.[ ... ] math% mv lpquotas.new lpquotas making sure that each step works successfully. The program will fail harmlessly if the file "lpquotas.new" exists. The very first time, the "lpquotas" file, which contains the current values of the printer quotas, must be created as an empty file. At the end of each term the following must be done, before switching to the Registrar's data for the next term. - Remove all non-cumulative entries from the Printers file. - Update as usual. - Zap the lpquotas file (to forget about everything). - Set up the Printers file for the new term. - Switch all the other accounts things for the new term. - Do all other accounts updates for the new term. - Update as ususal.
/software/accounts-master/data/control/Printers /software/accounts-master/data/work/lpquotas /software/accounts-master/data/work/lpquotas.new /software/accounts-master/data/work/lpquotas.update.<printer>
lpquota_update_sucks(8),
Copyright (C) 1992, MFCF, University of Waterloo.
get_student_registry - fetch the current student registry from Data Processing
get_student_registry
get_student_registry fetches the current student registry data provided by Data Processing. The file contains the following colon-separated fields: - family name - given name(s) - initials - id number - faculty - program - year and term - degree type - courses (separated by commas)
/software/accounts-master/data/temp/student_registry
register_student_programs(8).
Copyright (C) 1991, MFCF, University of Waterloo.
get_userid_status - gather the userid statuses in our admin- istration
servers/get_userid_status host*
set hosts=`include_files config/hosts_mail | decomment` get_userid_status `cat $hosts` >addresses
get_userid_status runs userid_status(8) on each host given on the command line filling in any known id numbers to pro- duce the mail address for each id. Output consists of one line per userid in the form "userid:id:host:status", where "id" is the student, employee, or other id number associated with the userid, and "status" is one of: "Active", "Zmail", "Sendmail", "Expired", "Unused", "DelForward", "Deleted", or "Unknown", as described in mail_registry(8).
This program is normally run only by the register_mail(8) program to produce input for the mail_registry(8) program.
userid_status(8), mail_registry(8), register_mail(8).
Copyright (C) 1995, MFCF, University of Waterloo.
inuse - query IST's inuse userid database
inuse [grep arguments]
inuse searches the database of inuse userids maintained by IST. Typically one would use this to see if an about-to-be-ass- signed userid is in use anywhere on campus. Userids can be in full or truncated-to-8 format. For short userids one would likely want to check for that userid exactly (e.g. "jsmith" shouldn't match "ajsmith" or "jsmithjones"), using the -w grep option. % inuse -w jsmith For long userids one would likely want to check for both forms: % inuse -w 'rbutterw\|rbutterworth' % inuse '\\\<rbutterw' % inuse -w 'rbutte.\*' Each line of output contains three fields: Date, Userid, Host, and Source, where the Source is an occasionally mean- ingful comment supplied by the program that registers the userid as being in use, and the Date is the most recent date that the information in the other three fields was received (unfortunately they don't record the earliest such date too).
The right number of backslashes to use isn't always obvious. This uses a lot of cpu on one of IST's machines, so don't abuse it.
/software/gnu/bin/grep -E
Copyright (C) 1998, MFCF, University of Waterloo.
list_classes - list MFCF-resource classes
list_classes [-Registration] [+Noresources] [+Colons] [Sponsors=/software/accounts-master/data/sponsors/REGISTRAR] [[fields=]ALL|Cents|Printer|Class|Kbytes| |Host|Limit|Enrollment|Load|Instructor|Com- ment]*
[Sponsors=/software/accounts-master/data/sponsors/REGISTRAR] Directory (or file) containing class sponsorship infor- mation. [+Noresources] List "nowhere" classes too (i.e. those used only for generating .classlists). [-Registration] Don't list faculty and department pseudo-classes (e.g. cs08, arts3). [+Colons] Display output as colon-separated fields. [[fields=]fieldname]* Each specified field (which may be abbreviated by non- ambiguous truncation) is displayed in the output in the order given. "ALL" implies all fields.
list_classes Sorts, culls, and lists the Registrar sponsored classes in what is intended to be a more readable format. Future options might include "Host=hostname" to select by host.
list_classes class enrollment load instructor comment \ >/software/mfcf-specific/man/mani/mfcf-classes.i list_classes cents printer class kbytes host instructor +reg \ >/software/mfcf-specific/mani/mfcf-class-resources.i
sponsors5
Copyright (C) 1993,1997,2001, MFCF, University of Waterloo.
list_sponsors - list resource sponsors
list_sponsors [HaveExpired=121] [WillEnd=183] [[sponsorpath=]/software/accounts-master/data/sponsors]* [Resources=ALL|Printing|MailAliases|PPP|Computing|Equip- ment|Users|Sponsors|Classes] [Severity=Warnings|Notes|Errors] [ListNames=Classes|Resources|Users|Sponsors]
Put report into "#ls-stdout" and errors into "#ls-stderr": % ( list_sponsors > #ls-stdout ) >&#ls-stderr List accounts sponsored by MFCF: % cd /software/accounts-master/data/sponsors && list_spon- sors +s MFCF
[[sponsorpath=]/software/accounts-master/data/sponsors]* Files (or directories to be recursively descended) con- taining the sponsor data. [HaveExpired=121] Warn about entries that expired more than this many days ago. [WillEnd=183] Warn about entries that will expire in fewer than this many days. ment|Users|Sponsors|Classes] [Resources=ALL|Printing|MailAliases|PPP|Computing|Equip- Restrict the report to a specific section. Note that "Users" isn't really a resource. [Severity=Warnings|Notes|Errors] Omit problem reports that are less than this severity. The default is warnings and errors, with notes sup- pressed. [ListNames=Classes|Resources|Users|Sponsors] Special purpose formatted output (still under deveop- ment).
list_sponsors formats the contents of the sponsors database into reports (or summaries) suitable for sending to the sponsors. If all you are interested in is checking the database for problems, use the "ListNames=users" option to minimize the time it takes and the size of the standard output produced.
For the "ListNames=users" form, a simple list containing all "userid@host" and "userid@@host" forms defined by the database is produced. This is handy for comparing the database against which accounts are actually on each machine. The double "@" indicates that the host is one that doesn't claim to use standard userids. The normal form of the output comprises one report for each sponsor, each beginning on a new page with the sponsor's name, address, etc. followed by listings of the computer accounts and printer accounts they sponsor, followed by a list of all sponsored userids containing their names, id numbers, etc. Sponsors should check that the resources for each account are correct, and that the userids they have requested really do correspond to the people described in the last section.
Stderr may contain three classes of messages, one per line, prefixed with "Note:", "Warning:", or "Error:". Notes are unimportant things that can be fixed when the presence of these messages becomes annoying enough. Warnings are impor- tant things that the program managed to correct, but which should be fixed as soon as possible. Errors are serious problems that cause the program to exit prematurely, and which must be corrected. The most common messages you are likely to see are: "Error: unknown host" The host isn't reachable from this machine. "Error: userid xxx should be yyy" An obsolete userid was given for the user. "Error: userid xxx has id number yyy not zzz" The userid and id number don't match. "Error: userid xxx is not a standard userid" The userid isn't registered as a standard userid. "Error: disk quota xxx begins with a non-digit" "Warning: we don't administer host xxx" The host isn't in our adminstration, so we don't create accounts there. "Warning: userid xxx should have id number zzz" No id number was given with the userid, but one should be given so that the redundancy will help check for typos and other mistakes. This will eventually become a fatal error. "Warning: ignoring group xxx" A group such as "users" or "none" was assigned to the account, but such groups are automatically given any- way. "Warning: xxx requires exactly one argument" A non-essential information field was given bad data. "Note: sponsor xxx, billcode yyy, has expired account zzz" The entry expired before the time indicated by the "HaveExpired=" option. "Note: userid xxx should possibly be yyy" An obsolete standard userid has been given, but it's on a host that doesn't claim to have standard userids, so it might actually be a different user. "Note: userid xxx should possibly have id number zzz" If this is a standard userid, it should have the given id number, but it's on a host that doesn't claim to have standard userids, so it might actually be a dif- ferent user. "Note: userid xxx is a non-standard userid" The userid is non-standard, but it's on a host that doesn't claim to have standard userids.
/software/accounts-master/data/sponsors/*/*
Copyright (C) 1993, 1994, MFCF, University of Waterloo.
mail_deletion - gather invalid uwdir mail addresses
servers/mail_deletion <host-file Outputdirectory=path Registered=registered-file Status=status-file
mail_deletion reads a list of uwdir mail addresses (from Registered=) and compares them to a list of known addresses (from Status=), as produced by get_userid_status(8), and writes the result to a file in the Outputdirectory: "uwdir_wrong". Registered addresses with hosts that are not named in the host-file are ignored. The "uwdir_wrong" file is suitable (with a little editing) for passing to uwdir-submit(8).
This program is normally run only by the register_mail(8) program.
get_userid_status(8), userid_status(8), uwdir-submit(8).
Copyright (C) 1995,2010 MFCF, University of Waterloo.
mail_registry - gather mail addresses suitable for uwdir
servers/mail_registry [Domain=uwaterloo.ca]
mail_registry reads a list of mail addresses as produced by the get_userid_status(8) program, reformats it ("id:address:status"), and writes the result to standard output. The first field of the output is an valid e-mail address with a fully-qualified host-domain-name. The second field is one of the following statuses: Active - /etc/passwd: the account has been assigned a pass- word. Zmail "/software/zmailer/data/config/lists" Sendmail "/var/adm/sendmail/aliases" Expired "/software/accounts/data/users" - the account is living on borrowed time and unless circumstances change will become DelForward "/etc/passwd" - login shell is "/etc/Deleting*", but the home directory contains a ".forward" file. Unused "/etc/passwd" - encrypted password is "New-User*". i.e. the account has not yet been assigned a password. Deleted "/etc/passwd" - login shell is "/etc/Deleting*". i.e. the account is unusable and will be removed at the end of the month. Unknown - should never happen. Records with the "Deleted" status are not written. If a userid has the same status on two hosts, the status for the host that was given first on the command line will be used. If a userid has different statuses on two hosts, the status that appears first in the above list will be used. Note that the order of the above statuses is not the same as the priority used on the individual hosts by userid_status(8).
This program is normally run only by the register_mail(8) program.
get_userid_status(8), userid_status(8), uwdir-submit(8).
Copyright (C) 1995,2010, MFCF, University of Waterloo.
make_remote_accounts - makes remote accounts.
servers/make_remote_accounts [-h hostname]
This should not be called by anyone or anything other than by the accounts-client(8) program. make_remote_accounts Takes the information produced by make_all_accounts(8), and sends it to the specified machine (or all machines in `hostin group=students`), and then runs mkstuds(8) remotely to update the accounts.
/software/accounts-master/data/control/{Classes,Special}, /software/accounts-master/data/work/*.
Can only handle userids that have student id numbers.
accounts-master(8), accounts-client(8), make-all- accounts(8), mfcf-course-accounts(i), mkstuds(8).
Copyright (C) 1994, MFCF, University of Waterloo.
merge_account_requests - merge requests for accounts
sort requests merge_account_requests
merge_account_requests fetches requests for accounts from standard input (which must be sorted by id number) and merges them with the student registry data. The output con- tains the following colon-separated fields: - id number - initials - family name - given name(s) - courses (separated by commas)
/software/accounts-master/data/temp/student_registry_mfcf
register_userids(8), get_special(8), get_student_reg- istry(8).
Copyright (C) 1991, MFCF, University of Waterloo.
net_update_sql - produce SQL commands to update inventory database SNMP info
servers/net_update_sql [Input=]/software/accounts-mas- ter/data/networks/NetInfo
net_update_sql examines the ping and SNMP data compiled by network scanning and produces SQL commands to update the inventory database.
scan_network(8), check_network(8), update_network(8).
Copyright (C) 2008 MFCF, University of Waterloo.
register_mail - send preferred mail addresses to uwdir
servers/register_mail
register_mail examines the mail address for all userids in the administration (actually the hosts named in the file "/software/accounts-master/config/hosts_mail" less those named in the file ".../config/hosts_nomail"), and sends them to the uwdir database. Because of the way quwdir(1) works, changes cannot be made to existing addresses. Instead two updates are sent. The first update contains records for invalid mail addresses (no such userid on the machine, or the account is about to be deleted and has no ".forward" file), requesting that the entries be deleted. The second contains records for all userids in the adminis- tration. Only those entries matching uwdir mail addresses that are empty will be filled in.
get_userid_status(8), userid_status(8), mail_deletion(8), mail_registry(8), quwdir(1).
Copyright (C) 1995,2008 MFCF, University of Waterloo.
register_student_programs - merge requests for accounts
register_student_programs <input >output
register_student_programs fetches requests for accounts from standard input (which are in the computing services format (see get_student_registry(8))) and produces records with the following colon-separated fields: - id number - initials - family name - given name(s) - courses (separated by commas) An additional item is added to the courses list of the form "faculty#", where "faculty" is the faculty the student is registered in, and "#" is the year the student is registered in, with "6" indicating a Masters student, "7" indicating a Doctors student, and "0" indicating a non-degree student or other unknown program.
/software/accounts-master/data/temp/student_registry, /software/accounts-master/data/temp/student_registry_mfcf.
register_userids(8), get_special(8), get_student_reg- istry(8).
Copyright (C) 1991, MFCF, University of Waterloo.
select_classes - select classes of users for account cre- ation
select_classes
select_classes reads account requests from its standard input and selects those that match entries in the Classes file.
/software/accounts-master/data/host/Classes
make_account_requests(8).
Copyright (C) 1991, MFCF, University of Waterloo.
sponsor_resources - generate resource data from sponsors data 'Warning: This is still under development."
sponsor_resources Severity=Warnings|Notes|Errors [sponsors=]/software/accounts-master/data/sponsors Configdirectory=/software/accounts-master/data/sponsors/.Config Resources=/software/accounts-master/data/resources Expired=90 Today=today
[sponsors=]/software/accounts-master/data/sponsors Directories or files containing the sponsors database. Configdirectory=/software/accounts-master/data/spon- sors/.Config Directory containing configuration files. Resources=/software/accounts-master/data/resources Directory to contain the sponsored resources output. Severity=Warnings|Notes|Errors Omit problem reports that are less than this severity. The default is warnings and errors, with notes sup- pressed. Expired=90 Warn about sponsorship which ended more than the given number of days before the current time. Today=today Change the assumed date (time) used for all time-based calculations such as SponsorshipEnds. The format "21 Jan 2009" is accepted, as are various other date for- mats.
sponsor_resources takes the sponsors data and sorts it by resource-type (account, printer, ppp) and by resource- provider (hostname, printername, anikname), and merges com- mon resources for each userid. The output is put into a number of files and directories. Each resource-type has an output directory, and each resource-provider has a file containing the resources it should provide. For instance, the file "/software/accounts- master/data/resources/computing/math" will contain all the sponsored accounts that should be on the host "math". The output contains one line for each resource for each userid, with each field separated by colons. The first field is always the userid. The accounts records then have fields for personal-name, id number, and preferred uid. The final field is a comma-separated list of resource quo- tas. These are of the form: "Class-name(quotas)", where in the case of printers, the quotas are in pages; in ppps, the quotas are nonexistent; and in the case of accounts, the quotas are in kilobytes and may be followed by a semicolon and a comma-separated list of groups.
/software/accounts-master/data/sponsors/*/* /software/accounts-master/data/resources/{account,printer,ppp}/*
accounts-master(8) - calls sponsor_resources and even more accounts-client(8) - update remote accounts list_sponsors(8) - explanation of error messages
Copyright (C) 1996, 1997, MFCF, University of Waterloo.
update_web_pages - update mfcf web pages with mfcf.math data
update_web_pages
none
update_web_pages is normally run from the crontab, but can be run safely at any time. It is intended to solve some of the problems caused by hav- ing the authoritative source for some information on "mfcf.math", while the MFCF web server is on "www.math", a different machine. The program is a script that simply calls other programs that produce automated web pages, and then distributes the results to the MFCF web space.
webify_owner_groups(8)
Copyright (C) 2001, MFCF, University of Waterloo.
webify_owner_groups - produce supported host web pages from Owners data
servers/webify_owner_groups [outputDirectory=/software/accounts-master/data/work/web- ify_owner_groups] [GroupDescriptions=/software/accounts-master/data/own- ers/.Config/groups] [[ownerpath=]/software/accounts-master/data/owners]
outputDirectory= Directory where the html files are to be dumped GroupDescriptions= File containing host group descriptions. [ownerpath=] File or directory containing owner information.
webify_owner_groups takes the hosts in the owners database (ownerpath=), and produces a web page for each group (including configured group descriptions (GroupDescrip- tions=)), and an "index.html" file therefor. All output is put into the specified directory (outputDirec- tory=). The program will exit with a fatal error if it attempts to overwrite any existing file, so be sure to empty the directory before calling it. This program is intended to be run by another program (nor- mally from the crontab), which then distributes the new web pages to "www.math". The options are provided mostly for debugging purposes, and are not normally needed.
/software/accounts-master/data/work/webify_owner_groups/* /software/accounts-master/data/owners/.Config/groups /software/accounts-master/data/owners/* check_owners(8)
Copyright (C) 2001, MFCF, University of Waterloo.
diskquota - show disk quota
diskquota [-Remote] [userid|uid]*
The diskquota command shows the calling or specified user's disk quota on the current host and on all hosts from which writable filesystems are remotely mounted. The -Remote flag will prevent any remote filesystems from being checked. If disk usage exceeds the user's soft limit, the hard limit is also displayed (in square brackets). On most machines, each user's disk quota and usage is nor- mally public information, available for any other user to see. On machines where this policy isn't followed, users in group "operator" or "accounts" may query anyone's quota, even if the filesystem's quota file does not have general read permissions. If it checks any filesystems whose disk usage is in the pro- cess of being reinitialized (e.g. the Network Appliances fileservers for the student and general regions) this com- mand will exit with status 1.
quota(1)
/software/accounts/config/regional/fashosts /software/accounts/config/regional/rquotahosts
Copyright (C) 1993,2003,2005,2008 MFCF, University of Water- loo.
groups - show group memberships
groups [-s<sep>] [-p] [user] groups [-s<sep>] [-p] -{g|G} group_name groups [-s<sep>] [-p] -{g|G} group_id
The groups command shows the groups to which you or the optionally specified user belong. If the -p flag is used, only the principal group for users is listed; in other words, only /etc/passwd is examined. If -p is used, a group or userid must be specified. If the -g flag is used, all members of the specified group are shown. (The group may be specified either by its name or numeric group id.) If the -G flag is used, only the user names of accounts for which the specified group is the principal group are listed; in other words, only /etc/passwd is examined. The -G flag is obsolete - use -p -g instead. The string given as argument to the -s flag is used as the separator between the user names or group names listed, instead of a newline (the default for the -g/-G form) or a space (the default for the other form). The string is parsed for escape sequences of the form "\x" where x is in the set {a, b, f, n, r, t, v}: these are mapped to corresponding ASCII character codes as per K&R 2nd ed. sec- tion 2.3. Each user belongs to a group specified in the password file /etc/passwd and possibly to other groups as specified in the file /etc/group. If you do not own a file but belong to the group which it is owned by then you are granted group access to the file. When a new file is created it is given the group of the con- taining directory.
setgroups(2)
/etc/passwd, /etc/group
More groups should be allowed. groups in.
The -g, -G, -p, and -s options are UW enhancements.
init_home - reinitialize your home directory
init_home [userid]*
This command tries to set up your home directory as it would be if the account had just been created. Usually this just means giving you the latest versions of the standard .cshrc and .profile files. Any conflicting files will be renamed and a warning displayed. The optional userid arguments may only be given if you are root. If no userid is given, the directory specified by the "$HOME" environment variable will be used. If that variable is not set, the home directory field in your "/etc/passwd" entry will be used. If your reason for using this command is that your ".cshrc" file is so messed up that you can't even execute any com- mands, you will have to invoke the command using its full pathname: /software/accounts/bin/init_home. Note that this command does not affect X11 files, such as ".xsession", which can be reinitialized by simply removing or renaming them and logging in again.
Files and directories are copied, following symlinks, from the package's "init_home" configuration directories. It is a common practice for administrators to have accounts automatically created on all hosts that they are responsible for. Such users can be listed as "userid@homehost" in the "admin/common_users" configuration file. init_home will initialize the ".forward" and ".rhosts" files for these accounts (but will not replace existing instances thereof).
/software/accounts/config/*/init_home /software/accounts/config/admin/common_users
.cshrc(5)
Copyright (C) 1990, 1997, 2005, 2006, MFCF, University of Waterloo.
password - change a user's password
password Userid_Or_Idnumber password Userid_Or_IdNumber +Randompassword password Userid_Or_IdNumber Encryptedpassword=string
This command enables certain non-super-users to change a user's password, though it is also handy for super-users, and can be used by non-privileged users to set their own passwords (in particular if they forget the spelling of "passwd"). For students, it is best to give this command the 8-digit "id number", since it isn't possible to know their official userid from the information given on id cards (e.g. jsmith vs. j2smith). This mapping from id number to userid is likely to work only on machines that have MFCF standard userids. Userid matches are performed before id-number matches, so administrations may use the payment[sic] field of the "users" file for some- thing other than the id-number without worrying about incor- rect matches. (See users(5)). The "+Randompassword" option will generate a random password and ask if that is what you want it set to. The "Encryptedpassword=string" option will set the /etc/passwd entry to the given string. Only a super user can set the string to be a single "*". Don't try it unless you know what you're doing. New accounts are usually created with an illegal encrypted password, typically something like "New-User-S96". (Illegal means anything that isn't exactly 13 characters chosen from the set of digits, letters, and the characters "/" and ".".) Some accounts may have illegal passwords simply because they are not intended ever to be logged into. In such cases the illegal password entry should begin with the character "*". Someone in group "operator", "opcons", or "staff" may change passwords only on accounts that have an illegal encrypted value, providing the first character is not a "*". Someone in group "accounts" may change any password provided that the encrypted form is not a single "*". No one but the super-user may change a vendor-supplied account (e.g. "root" or "daemon"), as defined by the file "/software/setpw/config/arch/vendor.passwd".
passwd(1)
Copyright (C) 1989, 1998, MFCF, University of Waterloo.
Courses - accounts database of student courses
/software/regtape/data/Courses /software/accounts/data/host/Courses
The file /software/regtape/data/Courses contains information describing the courses for which student accounts are to be created. The file is maintained on the central regtape host, and distributed elsewhere to /software/accounts/data/host/Courses. The file consists of a series of records, one per line. Anything after '#' is treated as a comment and ignored, as are blank lines. Fields are separated by blanks or tabs and are aligned only for human readability.
# #course host kbytes # Comments # # Modelling With Ordinary Differential Equations am250 crocus 500 # Marshman am250 dahlia 500 # Marshman am250 trillium 500 # Marshman # Modelling with Systems of Ordinary Diffiqueues am251 crocus 500 # Marshman am251 dahlia 500 # Marshman am251 trillium 500 # Marshman
/software/regtape/data/Courses /software/accounts/data/host/Courses
Copyright (c) 1990, MFCF, University of Waterloo.
fashosts - declare remote fileserver information
/software/accounts/config/regional/fashosts
The file /software/accounts/config/regional/fashosts lists the remote quota trees which are maintained remotely on ded- icated fileservers. Blank lines, and any line whose first non-blank character is a "#" are ignored. Each line consists of the hostname of a remote fileserver (typically a faserver), optionally followed by a colon, and a list of one or more quota tree names, separated by commas.
The following lines might be used to declare remote filesys- tems on remote fileserver "hooke.math". The first line assumes defaults will be used, while successive lines spec- ify more details of quota tree(s) explicitly. hooke.math hooke.math:vol1 hooke.math:vol1/home hooke.math:vol1/home,vol1/mail Assuming that a user with a uid of 123 in the "/etc/passwd" file has a sponsored disk quota value of 5000 kbytes in the "data/users" file, the last line in the above example would produce these two lines in the fileserver's "/etc/quotas" file: 123 user@/vol/vol1/home 5000K 123 user@/vol/vol1/mail 5000K
Until the parser can be made smarter, the "vol1/" values must be identical for all entries on a line. More significantly, each hostname must be different. Together these restrictions imply that each host can have only one "/vol1" value.
Perhaps the syntax could be extended to allow the quotas on multiple qtrees to be different, with relative percentages or absolute amounts. e.g.: hooke.math:vol1/home,vol1/mail(50%),vol1/scratch(20G)
mkquota(8)
Copyright (C) 2008, MFCF,CSCF, University of Waterloo.
users - user account related information
/software/accounts/data/users
The file /software/accounts/data/users contains information about user accounts, complementing the /etc/passwd file, with which there should be a one-to-one mapping. The file consists of a series of records, one per line. Fields within a record are separated by a colon. For his- torical reasons, the fields are called: "name", "quota", "date", "type", "payment", and "info". name contains the full untruncated userid of the user. quota contains the disk quota associated with the account. If not suffixed with "K", "k", "m", "M", "g", or "G", the value is considered to be in kilobytes. [It is possible that this value may be followed by a comma and other quota values (e.g. monthly credit limit for printer pages or resource dollars), but such values are not currently set or used by any software in the accounts or accounts_client packages.] date the date the account was created in "yyyy/mm/dd" for- mat. [historically, some other date formats were used] type [potentially] determines what controls the existence of this account. If the field is "vendor" or "xhier", the account is vendor-sponsored or xhier-sponsored, as determined by /software/setpw/config/arch/vendor.passwd and /software/*/export/passwd. If the first eight characters of the field are "sponsor-", the account is controlled by the sponsor_accounts(8) program in the accounts_client package. The vendor and xhier entries are automatically set by the accounts package's Install script, while other sponsored entries are maintained by accounts_client(8) updates. This sponsor method is the only one still used by MFCF. If the first two characters are apparently meaningless, and the rest of the field is "student", the account is controlled by the mkmerge(8) program in the accounts package, via calls from the make_remote_accounts(8) program in the accounts-master package. If the field contains anything else, the account is not affected by either of these two accounts maintenance mechanisms. payment contains the id number of the owner of the account, if controlled by the sponsor or student mechanisms. For sponsored accounts, this may be followed by the name of the user within parentheses. info For student accounts, this contains the classes in which the user is enrolled, in the form: "Name-Number- Term-dd/mm/yy". For sponsored accounts, this contains the sponsoring classes, in the form: "class(quota[;group[,group]...])yyyy/mm/dd". In both cases, the date is when the account was registered into that class on the host machine. For xhier accounts, this field contains the names of the sponsoring xhier packages.
/software/acccounts/data/users
Copyright (C) 1991,1996,2005, MFCF, University of Waterloo.
accounts-config - configuring the accounts package
The accounts package can be configured to suit various administrations and individual hosts. Some of those config- urations are described below.
Questions and requests regarding user's accounts and resources are traditionally mailed to the userid "accounts". The home directory of the "accounts" account has a ".for- ward" file that redirects the mail to the mail alias "admin_accounts", which is controled by the package's admin- istration file "export/aliases". Administrators can set whatever alias is appropriate in this export file on their central administration host. Those wanting to send this mail elsewhere for a specific machine can override that ".forward" file by adding an alias to the file /software/local_[hostname]/export/aliases for the userid "accounts". (An installation of that package is required for the alias to take effect). This alias may, but doesn't have to, send a copy to "admin_accounts" as well as to the interested individuals.
It is not necessary to have an "accounts" passwd entry. Without it, the default ".forward" file will have no effect. Instead one may (either via the package's "export/aliases" file or by centralized automated alias administration) sim- ply do something such as setting "accounts->admin_accounts@adminhost" everywhere, and then have an alias for "admin_accounts" on the central admin host.
When an account is created, the standard ".cshrc", ".pro- file", and ".xsession" files typically contain an invocation of the "first_login" program, which asks the user for finger data, displays some messages, and finally removes itself from the user's file. By default, the messages are produced by the "con- fig/share/first_time" file. An administration can override this file by editing, on the administration host, the file "config/admin/first_time", which will be automatically distributed to all other hosts in the same administration. Similarly, each host can have its own messages by editing the file "config/local/first_time", which will not be dis- tributed. Note that these files are "source"ed by a "csh" program, so they may source the other versions of the file if the intent is simply to add to, rather than replace, the standard mes- sages.
(Applies to the "accounts_client" package only.) The regional file "config/regional/grace" may contain a line giving the number of days of grace that an account should be granted between its expiry and its being disabled. If the decommented file is empty a default value (currently 21) will be used.
(Applies to the "accounts_client" package only.) The regional file "config/regional/quota_basic" may contain a line giving the number of kilobytes of basic disk quota (e.g. for .cshrc files, mailboxes, etc.) to be given to each account in addition to whatever other quota might be assigned to it via the sponsors database. A default of 200 kbytes will be used if this file is decomment-empty.
The crontab runs a program that periodically walks the filesystem looking for improperly owned files. The behaviour of this program can be configured by the (non)existence of the userid "orphan" and the groups "every- one", and "orphan", and by the files "con- fig/local/orphan_ignore". and "config/local/orphan_nfs". The "orphan_nfs" configuration is used by this package's crontab to determine which NFS-mounted filesystems will be examined. See orphan(8) for other configuration details.
The crontab runs a program that periodically checks for con- sistency among the home directories and various user accounts files ("/etc/passwd", "/etc/group", etc.). See "man accounts_check" for how to control the checks per- formed.
When the acount_update(8) program needs to create a home directory for a new account, it first looks for directories named "/u#", where "#" is a single digit. Any such directories will be ignored if they contain a file called ".ManualHomeDirectoryCreation". If more than one "/u#" directory is found, the program will pick one randomly to start with and will cycle through them for each additional home directory that needs to be created. If no "/u#" directories are found, the directory "/u" will be used instead.
New home directories are initialized using the templates defined by "config/*/init_home". They are copied into place in the standard xhier configuration order (i.e. share, arch, admin, regional), with the last found instance of any file being the one used. For backward compatibility, if the directory "/soft- ware/accounts/data/host/standard" exists, it alone will be used to do the initialization. Administrators are encourage to remove this directory and to use the regional configura- tion instead. Note that the copying is done by following symbolic links, not copying them. This means that one cannot initialize symbolic links in home directories.
Some users will automatically get accounts on many machines (e.g. the accounts maintenance people, or UNIX maintainers) and if they are not aware of them these machines might become sink-holes for their mail. To avoid that problem, the "config/admin/common_users" file can contain lines of the form "userid@hostname.uwaterloo.ca". By itself, this will not have any immediate effect, but whenever a new account is created with a matching userid, this information will be used to initialize the new account's ".forward" and ".rhosts" files, forwarding mail to and allowing rlogin access from the given userid and hostname. This configura- tion also affects the init_home(1) program.
New accounts are created using the shell determined by "xh- options -p accounts -c initial Shell", i.e. by the "Shell=" option in the files "config/*/initial".
The last step of sponsor_accounts(8), which performs updates of account resources, will call an optional mkfinal program to do whatever may be needed on each local machine. If "config/regional/mkfinal" is decomment-empty, it will be run. Otherwise if "config/admin/mkfinal" is decomment- empty, it will be run.
The file "config/regional/rquotahosts" contains lines of the form "hosts:filesystem" that define hosts that can, for the given filesystems, supply rquotad(8) service (in particular to the diskquota (1) command). Typically this will be all faservers, and any other NFS server that supports the rquo- tad(8) protocol. If home directories are mounted from one or more faservers, the file "config/regional/fashosts" should contain a list of the names of those hosts. This is used by (at least) the mkquota(8) command so that it can initialize disk quotas on the servers. Note that the program that updates disk quotas (mkquota) ignores "/u" and "/u#" directories that are NFS mounted, so it will use the rquotad config file to determine where else it might be necessary to update the quota files.
Hosts with accounts managed by the sponsors mechanism nor- mally do not allow local control of group membership. the "edit_group" configuration allows one to optionally turn all group membership over to local control (not recommended), or to allow local control for some specific groups. See edit_group(8) for specific details.
Some hosts may wish to conform to a common set of numeric uids and gids. The "id_registry" configuration specifies which id registry host to use (default none), and what level of conformance to follow (default none). See idregistry(8) for specific details.
The local version of the first_time file is probably a lot less useful than a regional version.
/software/accounts/config/{share,admin,local}/first_time /software/accounts/config/{admin,regional}/mkfinal /software/accounts/config/regional/grace /software/accounts/config/regional/homehosts /software/accounts/config/regional/rquotahosts /software/accounts/config/regional/fashosts /software/accounts/config/local/orphan_ignore /software/accounts/config/local/orphan_nfs /software/accounts/data/standard/first_login /software/accounts/config/regional/edit_group /software/accounts/config/*/init_home /software/accounts/config/*/initial /u#/.ManualHomeDirectoryCreation
Copyright (C) 1992, 2005, MFCF, University of Waterloo
accounts_backup - save copies of some important files.
accounts_backup
accounts_backup makes copies of some important files, such as /etc/passwd, /etc/group, .../host/users, and secu- rity/data/super_users.
Copyright (C) 1988, MFCF, University of Waterloo.
accounts_check - check inconsistencies in accounts files
accounts_check [-doRegionalClient] [-checkCoursePasswords] [+checkUsersFile] [+checkRootPasswords] [+checkAllHomes] Note that default options may vary from machine to machine (see the configuration section below for details). Use "accounts_check {+|-}HELP" to find the current defaults.
accounts_check examines the files "/etc/passwd", "/etc/group", "/software/accounts/data/host/users", and "/software/security/data/super_users", "/software/secu- rity/data/securid_users", and reports any inconsistencies between them. Unless the "+doRegionalClient" option is given, on regional clients the program will skip certain tests that would already have been performed on the regional server. Warnings include: - duplicate entries. - entries out of order. - passwd entries with non-existent home directories. If an account is really not supposed to have a home direc- tory, the value "/dev/null" should be entered into the passwd file. Unless the "+checkAllHomes" option is specified, miss- ing home directories that begin with "/software/", and accounts that come with missing home directories in the stock passwd file will not be reported since such prob- lems are the responsibility of the corresponding xhier package or software vendor and are not something that can be fixed by the people normally responsible for the passwd file. Home directories will not be checked at all on xhier regional clients unless at least one of the "+checkAll- Homes" or "+doRegionalClient" options are given. - missing required groups or userids. - misnumbered aliases. If the groups "other" and "users" both exist, they should have the same gid. Similarly for "root" and "wheel". - course accounts with passwords other than "*". Course accounts are considered to be any userid ending with three digits and possibly a single letter. This check can be disabled by using the "-checkCoursePasswords" option. This can often be done in the "admin" configu- ration file to avoid having to individually configure every machine individually. - discrepancies between the passwd file and users file. Since some administrations do not record data for all accounts in the users file, this option is by default disabled, but can be enabled, typically in the admin configuration file, by using the "+checkUsersFile" option. - userids in the group file that are missing from the passwd file. - gids in the passwd file that are missing from the group file. - userids in the super_users file that are missing from the passwd file. - root accounts (uid=0) with valid login passwords and shells. Since some architectures require a root pass- word to work, this check is by default disabled, but can be enabled by using the "+checkRootPasswords" option. - userids in the passwd file but not the users file (and vice versa). This test is currently not performed.
The files "/software/accounts/config/<type>/accounts_check", where "type" is one of "admin", "regional", or "local", may be used to control some of the checks performed by this pro- gram by entering the default values for any of the command line options one per line into whichever of these configura- tion files are appropriate. There is an additional option, "RootPasswordHosts=host1,host2,...", that can be used only in an admin config file to allow some set of machines to bypass the check for valid root passwords. Setting this automatically implies "+checkRootPasswords" if the current host is not in the list, and "-checkRootPasswords" if it is in the list, in both cases regardless of any explicit set- tings of that option in any of the configuration files. Options given on the command line always override defaults set by configuration files.
syntax(i)
Copyright (C) 1988, 1996 MFCF, University of Waterloo.
accounts_check_region - record and check xhier regions
These hostin groups have now moved to the xhier package where they should have been in the first place. See RT#12751.
accounts_check_region {Client|Server}
accounts_check_region is run by the Install script of the accounts package, its argument indicating whether xh-is- regional-server(8) thinks the host is an xhier regional server or client. On an xhier regional server machine, checks are made to ensure that this is the only machine claiming to be the server for this region, that this server machine does not also claim to be a regional client, and that all clients have recently (within 25 days) registered themselves as regional clients. On an xhier regional client machine, checks are made to ensure that this client machine does not also claim to be a regional server, that there is exactly one host claiming to be a regional server, and that this server has recently reg- istered itself as the regional server.
The change date on each file indicates when this program last registered the host as the regional server or as a client. /software/accounts/data/regional-server/<hostname> /software/accounts/data/regional-clients/<hostname>* Note that if the configuration of a region changes, one may remove any of the above files, but one should never manually create or rename any of them. That is this program's job.
The command should be called xh-check-region(8), and all of this should be in the xhier package. I don't understand why it isn't. Actually, since it makes changes rather than simply report- ing problems, it shouldn't even have the word "check" in its name.
Copyright (C) 1995, MFCF, University of Waterloo.
check_rhosts - report dubious .rhosts entries
check_rhosts [userid=]userid * [+Verbose]
This command is still somewhat under development. Rule #1: Hostname must be in our domain. Rule #2: Userid must be the same user. Rule #3: There is no rule #3.
Copyright (C) 1995, MFCF, University of Waterloo.
currentdisk - display usage for local file systems with quota
currentdisk [+FileSystems] [+Headings] [+Percent]
This program displays the current disk usage, as reported by the kernel, for all local file systems with disk quota. Fields are separated by a colon, and by default only the userid and number of kilobytes used are displayed. +Percent displays the quota and percentage in use; +FileSys- tems displays the name of the filesystem; and +Headings pre- cedes the output with the following line (omitting fields as necessary): Userid:Filesystem:kbytes:Quota:Percent
# Find top-ten users currentdisk | sort -t : -k 2,2nr | head -10 | align -f: # Find over-quota users currentdisk +percent | sort -t : -k 4,4nr -k 3,3nr | head | align -f:
There are two regional configuration files: /software/accounts/config/regional/accounting_ignore all filesystems named in this file are silently ignored. /software/accounts/config/regional/accounting_nfs any filesystems named in this file are processed even though nfs mounted. Both files are decommentable and have lines with the format "hostname:filesystem", where the colon may be surrounded by white-space. Note that the hostname is the name of the host in the region (typically the regional server) that is supposed to process the disk accounting for this filesystem (typically nfs mounted from a machine not part of the region (e.g. a faserver)); it is not the name of the host where the files are mounted from.
Copyright (C) 1999,2000,2007 MFCF, University of Waterloo.
disable_user, enable_user - disable or enable an exceptional user
disable_user [userid=]userid [Reason='The reason.'] [SecretReason='The real reason.'] [cannedMessage=various-message-names] enable_user [userid=]userid [Reason='The reason.']
This command should not be used except under unusual circum- stances. It is not intended for normal accounts mainte- nance, but for cases where an account must be disabled imme- diately by a non-accounts person in order to prevent further abuse by the user. disable_user allows someone in group operator or accounts to disable the specified userid's account by changing the login shell. Exactly one of Reason= or cannedMessage= must be given. The new shell will display this reason whenever the user attempts to sign on. The names of the available canned mes- sages may vary from machine to machine, but can be found at any time using the command "disable_user -HELP". Use "+" instead of "-" for even more details. An optional SecretReason= can be recorded, but not shown to the user. This could be used to convey information to the people that might be reenabling the account without making that information available to the user.
The "disable_user" command will complain if you try to use it without the "accounts_client" package, which is not a dependency of the "accounts" package, and must be explicitly requested before this command can be used. This dependency was intentionally not made so as to avoid dragging in too many xhier packages for those that don't want it.
/software/accounts/logs/disable /software/accounts/config/*/disabled_messages/* /software/accounts/data/disabled/secret_why/userid /software/accounts/data/disabled/why/userid
Copyright (C) 1995, 1996, MFCF, University of Waterloo.
disabled_shell - politely reject a user
/xhbin/disabled_shell
The disabled_shell looks for specific messages for the user, displays them (or a generic rejection message if none is found), sleeps for a few seconds, and finally exits.
"/software/accounts/data/disabled/why/<userid>"
disable_user(8).
Copyright (C) 1995, 2000, MFCF, University of Waterloo.
edit_rhosts, edit_forward, edit_shell, edit_finger - set or change .rhosts, .forward, shell, or finger info for a non- password userid.
edit_rhosts userid edit_forward userid edit_shell userid edit_finger userid
edit_rhosts etc. allow someone in group accounts to edit the ".rhosts" or ".forward" file, or shell or finger information of any userid with uid not less than 32 that has an encrypted password beginning with the "*" character. This is primarily intended for setting up course accounts and other multiple-user userids. Such userids should not have passwords since that would allow anonymous access.
setpasswd(8) - edit or change some fields in passwd file.
Copyright (C) 1990, 1996, 1998, MFCF, University of Water- loo.
edit_rhosts, edit_forward, edit_shell, edit_finger - set or change .rhosts, .forward, shell, or finger info for a non- password userid.
edit_rhosts userid edit_forward userid edit_shell userid edit_finger userid
edit_rhosts etc. allow someone in group accounts to edit the ".rhosts" or ".forward" file, or shell or finger information of any userid with uid not less than 32 that has an encrypted password beginning with the "*" character. This is primarily intended for setting up course accounts and other multiple-user userids. Such userids should not have passwords since that would allow anonymous access.
setpasswd(8) - edit or change some fields in passwd file.
Copyright (C) 1990, 1996, 1998, MFCF, University of Water- loo.
edit_group - set or change /etc/group entries
edit_group [group=]groupname [+Create] [+Differences] [Add=userid[,...]]* [Delete=userid[,...]]* [Comment='To remember why.']
edit_group allows one to create or change the "/etc/group" entry for the given group. One may not add any userids to the group "none", since that group by definition is the group to which no users belong. [group=]groupname is the name of the group to be edited. +Create must be given if a new group is to be created, and must not be given otherwise. Add=userid,... specifies userid(s) to be added to the group. Delete=userid,... specifies userid(s) to be deleted from the group. Comment=Why. gives an optional comment to be entered into the log file. +Differences shows the differences between the old and new entries and confirms that they should be applied.
The file "/software/accounts/config/regional/edit_group" may contain the following options: MaxGroups=number restricts the maxumum number of groups that any userid may belong to. This should be used on systems where NFS software causes problems when someone is in more than 15 groups. The default is 0, which means unlim- ited. Note that it is more efficient to omit this option (or to set it to 0), than to set it to a very large number. LocalControl=TRUE allows this command to be used even though the "/soft- ware/accounts/data/users" file indicates that some accounts are remotely controlled by sponsors data. It's recommended that you don't use this option. SubGroups=group1_## group2_## ... allows local control of the specified subgroups, inde- pendent of the sponsored control of all other groups. The entry in the configuration file contains literal number signs ("#"), and not real digits. In use, typi- cally the groups will be like "cs446_03" or "cs452_17", with the number of number signs indicating the number of digits allowed in the subgroup. If an account exists with a name that matches the group name (e.g. "cs446"), that account will be allowed to make addi- tions and deletions to the account's subgroups.
Doesn't yet allow the renaming of groups. Doesn't yet allow the deletion of groups.
/software/accounts/logs/edit_group /software/accounts/config/regional/edit_group /etc/group /etc/group.lock
setpasswd(8) - edit or change some fields in passwd file.
Copyright (C) 1995,2003, MFCF, University of Waterloo.
edit_rhosts, edit_forward, edit_shell, edit_finger - set or change .rhosts, .forward, shell, or finger info for a non- password userid.
edit_rhosts userid edit_forward userid edit_shell userid edit_finger userid
edit_rhosts etc. allow someone in group accounts to edit the ".rhosts" or ".forward" file, or shell or finger information of any userid with uid not less than 32 that has an encrypted password beginning with the "*" character. This is primarily intended for setting up course accounts and other multiple-user userids. Such userids should not have passwords since that would allow anonymous access.
setpasswd(8) - edit or change some fields in passwd file.
Copyright (C) 1990, 1996, 1998, MFCF, University of Water- loo.
edit_rhosts, edit_forward, edit_shell, edit_finger - set or change .rhosts, .forward, shell, or finger info for a non- password userid.
edit_rhosts userid edit_forward userid edit_shell userid edit_finger userid
edit_rhosts etc. allow someone in group accounts to edit the ".rhosts" or ".forward" file, or shell or finger information of any userid with uid not less than 32 that has an encrypted password beginning with the "*" character. This is primarily intended for setting up course accounts and other multiple-user userids. Such userids should not have passwords since that would allow anonymous access.
setpasswd(8) - edit or change some fields in passwd file.
Copyright (C) 1990, 1996, 1998, MFCF, University of Water- loo.
disable_user, enable_user - disable or enable an exceptional user
disable_user [userid=]userid [Reason='The reason.'] [SecretReason='The real reason.'] [cannedMessage=various-message-names] enable_user [userid=]userid [Reason='The reason.']
This command should not be used except under unusual circum- stances. It is not intended for normal accounts mainte- nance, but for cases where an account must be disabled imme- diately by a non-accounts person in order to prevent further abuse by the user. disable_user allows someone in group operator or accounts to disable the specified userid's account by changing the login shell. Exactly one of Reason= or cannedMessage= must be given. The new shell will display this reason whenever the user attempts to sign on. The names of the available canned mes- sages may vary from machine to machine, but can be found at any time using the command "disable_user -HELP". Use "+" instead of "-" for even more details. An optional SecretReason= can be recorded, but not shown to the user. This could be used to convey information to the people that might be reenabling the account without making that information available to the user.
The "disable_user" command will complain if you try to use it without the "accounts_client" package, which is not a dependency of the "accounts" package, and must be explicitly requested before this command can be used. This dependency was intentionally not made so as to avoid dragging in too many xhier packages for those that don't want it.
/software/accounts/logs/disable /software/accounts/config/*/disabled_messages/* /software/accounts/data/disabled/secret_why/userid /software/accounts/data/disabled/why/userid
Copyright (C) 1995, 1996, MFCF, University of Waterloo.
findall - find files owned by any of a group of users
server findall [ f=fileout ] [ d=dirout ] [ u=userin ] directory users ...
Findall locates files under the specified directory owned by any of the indicated users. It's similar to find(1) but is faster at doing this simplified task. Findall prints the names of all the located files on the standard output. Options f=fileout and d=dirout can be used to direct the output of file names and directory names respectively to ``fileout'' and ``dirout''. Option u=userin can be used to specify a file of usernames, one per line, instead of specifying usernames on the command line. Findall traverses directories in depth-first order, so for instance file names that it prints can safely be removed in the order given. Findall is typically used by administrative shell scripts that want to locate files owned by users who are about to be deleted.
findall /u user1 user2 user3 find files in /u owned by user1, user2 or user3 findall f=/dev/null /u user1 user2 user3 Find files under /u but only print the names of the directories.
find(1)
fsuserclean - find and process files owned by deleted users
servers/fsuserclean [Orphan='orphan'] [Remove=/u[,...]] [Start=/] Uids=filename
fsuserclean walks the filesystem tree rooted at "Start", and finds all the files that belong to any of the numeric uids given (one per line) in the "Uids" file, removing any that are within any of the "Remove" subtrees. For any files that aren't in those subtrees, it reports them on standard output and chowns them to the "Orphan" userid. NFS filesystems are ignored unless "Start" itself is NFS mounted. Except for those paths given on the command-line, no symbolic links are followed.
[Orphan=orphan] Userid to which to chown non-deleted files. Give an empty string to suppress this action. If the default is used and that userid does not exist, this option will be silently ignored. [Remove=/u[,...]] Comma-separated list of filesystems from which to remove rather than chown user files. [Start=/] Filesystem root. Uids= File containing numeric uids, one per line, whose files are to be removed.
rmallusr(8)
Copyright (C) 2002, MFCF, University of Waterloo.
id_renumber - walk directory tree changing file ownership
id_renumber [+Quiet] [+Test] [+NFS] [Map=map]... [+Stdin] [directory]...
+Quiet produces no output if nothing is renumbered +Test shows changes which would be made without making them +NFS allows NFS filesystems to be traversed. Map=map specifies an id mapping to perform. +Stdin causes id mappings to be read from standard input. directory must be an absolute pathname (begin with "/" )
Id_renumber walks directory trees performing uid or gid map- ping on files and directories. The Test option can be specified to cause the output to indicate what files would have ownership changed, without actually performing the changes. Normally, the output begins and ends with headers indicating start time and finish time, even if no other output is gen- erated. If the Quiet option is given, those headers will only be generated if other output occurs. id_renumber does not follow symlinks or NFS mounted file systems. NFS mounted filesystems can be checked by using the +NFS option, but in that case non-NFS filesystems will be ignored. While walking a tree, it will skip (stop walking) any paths in the decomment(1)able file "/software/accounts/con- fig/local/orphan_ignore". These paths must begin with "/" If one of these roadblock paths is a symlink, it will be treated as its target. (See "Note" below).
Mappings must be of the form: uid:oldnumber:newnumber or gid:oldnumber:newnumber There may be leading or trailing blanks, but no embedded blanks. Comments beginning with "#" may be placed on the same line, after the mapping. The input on stdin may also contain blank lines (containing zero or more space charac- ters), or comment lines beginning with "#" after zero or more space characters, which will be ignored.
The program must be given at least one mapping to perform. If no mappings are found, the program complains and exits prematurely, on the assumption that there is no point in taking the possibly very long time to walk all the directory trees to do essentially nothing.
Because the roadblocks are implemented using device and inode numbers, if the "orphan_ignore" file contains "/one/two" and id_renumber is invoked with path "/one/two/three", this tree will not be ignored since the roadblock will never be encountered. Similarly, any "orphan_ignore" path that contains a symlink will use the device and inode numbers of the target. E.g. if "/one/two -> /eight/nine/ten" then roadblocks "/one/two" and "/eight/nine/ten" will have the same effect, as will "/one/two/three" and "/eight/nine/ten/three".
id_renumber performs no sanity checking on its input. If differing mappings are given with the same oldnumber, the later one is the only effective one. Remappings will not be performed. Multiple oldnumbers can be mapped to the same newnumber; after all that might be appropriate in some cases. Also, if a newnumber also occurs as an oldnumber, the change will end up being made. That is, you could actually switch two ids by mapping each to the other, since the result of the mapping will not be evaluated. (A problem might occur if the mapped inodes are moved to a different place in the directory trees, and later walked again). The given directories are walked from right to left, I.e. the directory specified last on the line is processed first.
# map gid 60042 to gid 1 in given directories id_renumber map=gid:60042:1 `pwd`/test `pwd`/test2 # show effect of mapping uid 109 to 60042, but don't make changes id_renumber +test map=uid:109:60042 `pwd`/test # also apply mappings read from stdin id_renumber +s m=uid:109:60042 `pwd`/test < file
It seems strange to use "/software/accounts/con- fig/local/orphan_ignore" to roadblock this program, but it's probably appropriate. It could be argued that id_renumber should not require the user to change relative paths to absolute paths, but should determine the absolute paths itself. You could actually switch two ids by mapping each to the other, since the result of the mapping will not be evalu- ated. But a problem might occur if the mapped inodes are moved to a different place in the directory trees, and later walked again. Therefore, since this is not theoretically sound, perhaps it should be disallowed.
accounts-config(7) - configuring the accounts package orphan(8) - look for unowned files decomment(1) - remove shell-style comments
Copyright (C) 2008, MFCF, CSCF, University of Waterloo.
idregistry - send request to the uidregd id registry daemon
idregistry {Request|Require|Report|Control} [RegistryHost=] [Conformance=None|Advisory|Strict] [Type=User|Group] [name=]
RegistryHost= specifies the name of the host that registers our user and group ids. Conformance={None|Advisory|Strict} specifies our conformance level. (See "Configuration" section below). One would normally not specify this, letting idregistry use the default from the "accounts" package configuration. Type specifies whether the names and id numbers are for userids or groups. name specifies a userid or group name. If the name is sim- ply "-", standard input should contain a one-per-line list of names. For reporting id maps, names must acually be pairs of the form "userid:uid" or "group:gid". The "name=" keyword may be omitted, except when using a name of "-" to indicate standard input.
idregistry provides a command-line interface to the uidregd(8) id registry daemon in the uid-registry package. Except for requests for current information ("idregistry request"), this command does not generally need to be used manually. Automated account maintenance programs automati- cally query the registry whenever creating new userids or groups, and ensure that existing IDs get regularly reported, to prevent them from expiring. Request and Require supply one or more names and ask the daemon for corre- sponding "name:id" pairs. If the name does not cur- rently exist in the database, the id will be "UNKNOWN" for Requests, and will cause a new uid to be assigned and registered for Requires. Except when a new id pairing was generated this will not update the "last- seen" date in the registry. Report supplies one or more "name:id" pairs for the daemon to register as currently used. If a pair matches what is in the registry no output is generated, and the reg- istry "last-seen" information will be updated. Other- wise, if there is a mismatch, the pairing is echoed back, possibly with a full uwuserid even if the submit- ted name was truncated to 8 characters, and possibly with the id number part changed to "NAMEINUSE" or "IDI- NUSE". Control makes a privileged request of a special action of the daemon. Currently available actions (specified by set- ting the name parameter) are Die and Cleanup. The for- mer simply kills the daemon, while the latter requests that the filesystem version of the database be cleaned up (e.g. remove entries which have been unreported for a long time).
For most subcommands, output is of the form "name:number". The remote daemon may supply a brief error code in place of the number: IDINUSE The reported "number" is already assigned to a differ- ent name. NAMEINUSE The reported "name" is already assigned to a different id number. UNKNOWN The given "name" is not in the registry. More serious problems may also be returned: *UNAVAILABLE No more id numbers are available for assignment. (i.e. ask someone to reduce the daemon's configured data expiry time). *NOID The reported number field was empty or non-numeric. *NOCOLON The reported "name:number" didn't contain a colon.
The files "/software/accounts/config/*/id_registry", where "*" is any of "share", "admin", and "regional", may contain the following options: RegistryHost=hostname The name of the host running the idregd(8) daemon. The shared default is to have no such daemon. For idreg- istry to work, this value must be set. Conformance={strict|advisory|none} How this region wishes to conform to the registry host's standard ids. "none" means that nothing hap- pens. "strict" means that all new passwd and group entries created by the sponsor mechanism or by edit_group(8) will automatically conform to the reg- istry host's standard ids. If conformance isn't possi- ble, the account or group will not be created. In addition, a nightly cron job will register the host's passwd and group files with the registry and report any discrepancies by mail to "accounts". "advisory" means that new ids will conform to the standard whenever pos- sible, and ids will be reported to the registry each night, but any discrepancies will be ignored. The shared default is "none".
uidregd(8) - maintains uid and gid registry database
Copyright (C) 2003, MFCF, University of Waterloo.
initialize_users - update the vendor and xhier entries in the data/users file
sort -t : -k 1,1 users | initialize_users >users.new
For each entry in the vendor passwd file that has an exist- ing entry in the "/etc/passwd" file, initialize_users makes sure that there is a corresponding entry in the data/users file, copying the finger information to the payment[sic] field, and setting the type field to "vendor". For each existing non-vendor account in any "/.soft- ware/*/*/export/passwd" or "/soft- ware/xhier/data/region/passwds/*" file, the type field is set to "xhier" and the info field is set to a comma-sepa- rated list of packages that require the account.
users(5).
/software/setpw/config/arch/vendor.passwd
Copyright (C) 1997,2009 MFCF, University of Waterloo.
make_cifs_exports - rebuild the links to user cifs_exports directories
servers/make_cifs_exports
The make_cifs_exports command creates symlinks under "/soft- ware/accounts/data/cifs_exports/all" from all "/u[0-9]/*/cifs_exports," or if they don't exist, from all "/u/*/cifs_exports". In addition, any /u-type subdirectories found in "/soft- ware/accounts/config/local/other_cifs_homes/" will also be searched, but no symlinks created in the first pass will be replaced. The directory is intended to be mounted on a PC client to allow easier browsing of other user's files. The command is normally run from the package's crontab on the regional server.
None.
"/software/accounts/data/cifs_exports/all/" /u/*/cifs_exports /u[0-9]/*/cifs_exports /software/accounts/config/local/other_cifs_homes/*/*/cifs_exports
Copyright (C) 1998, 2003, MFCF, University of Waterloo.
mergefasquotas - Generate a quotas file based on fragments generated by mkquota.
mergefasquotas hostname [fasgroupname]*
This command generates a quotas file on the faserver "host- name" from quotas file fragments generated by the "mkquota" command and defined by "fasgroupname" and then reinitilizes quotas on the faserver.
This command assumes the faserver has only one volume.
mkquota(8) - set all quotas according to the .../users file.
Written in July 2003 by Jason Testart, CSCF, University of Waterloo.
mkfasquotafile - generate a fas quota file from a users file.
mkfasquotafile [FileSystem=] [DefaultQuota=] [UserFilename=] [fasVolume=] [FasHost=]
FileSystem= specifies the name of the filesystem, as known to the relevant FAServer, on which to grant quota. DefaultQuota= specifies a default amount to use for users for whom no sponsored amount can be determined. Units should be specied as "K" (default), or "M", or "G". UserFilename specify a filename to use instead of the default /soft- ware/accounts/data/users. fasVolume= specify a name for the FAServer volume, in place of the default /vol/. FasHost= specifies the name of the FAServer host to use. (This is reserved for future use; i.e. currently not used for anything).
This command writes on stdout a FAServer-style quota file (fragment), which would allocate quota for users as speci- fied in the indicated UserFilename (default /soft- ware/accounts/data/users), according to the specified param- eters.
Normally an automated process will be used to update the /software/accounts/data/users file, or equivalent. Normally, another automated process will take output from one or more relevant invokations of mkfasquotafile and com- bine them, perhaps with other fragments, to make a complete quota file for a FAServer.
/etc/passwd or equivalent /software/accounts/data/users
Copyright (C) 2008, CSCF, MFCF, University of Waterloo.
mkhomes - create and initialize home directories
mkhomes
mkhomes is normally invoked via the sponsor_accounts(8) pro- gram. Any non-existent home directories of the form "/u/realuserid" or "/u#/realuserid" in the "/etc/passwd"file are created (mode 0751) and initialized.
realuser(1), init_home(1), link_homes(8).
Copyright (C) 1996 MFCF, University of Waterloo.
mkusers, mkmerge - merge commandline or file data to update and create user accounts
mkusers userid You probably don't really want to use any of the other options. Though maintained by us, this program is no longer used by MFCF or CSCF.
mkmerge [ -a ] [ -e ] [ -f ] [ -m ] [ -u[u] ] [ -l uidlen ] [ -k num_fs ] [ -P passwd ] [ -U users ] pwd_merge usr_merge mkusers [ -a ] [ -e ] [ -f ] [ -m ] [ -u[u] ] [ -l uidlen ] [ -k num_fs ] [ -P passwd ] [ -U users ] [ -p 'student'|'batch'|password ] [ -c comment ] [ -g group ] [ -h home ] [ -s shell ] [ -t type ] [ -q quota ] [ -i imagen ] [ -r resource ] [ -n 'fullname' ] [ -v vmid ] [ -b vmbillcd ] userid:sponsor ... where -m - do *not* run mkpw after update, normally one rebuilds the passwd dbm to install changes -a - add-only, do *not* update existing users, ie create an account, but do nothing if it already exists -e - existing accounts only, do *not* create new users, ie update info fields for existing accounts only -f - force finger info to be overidden by the update, normally values for active users are retained -u - verify mode, do *not* update active files or logfile -uu, update active files, do *not* create home_dirs etc. -P - flag: next option is to be used as active passwd filename also turns off creation of home_dirs, quota updates etc. default: /etc/passwd, /etc/ypsrc/mad/passwd (SUN domains) -U - flag: next option is to be used as active users filename also turns off creation of home_dirs, quota updates etc. default: /etc/users, /etc/ypsrc/mad/users (SUN domains) -p - flag: next option is the password or one of the keywords ('student','batch') default: '*No*Password*' unusable password -c - flag: next option is a comment inserted into us_type (see mkstuds for valid student classes xystudent-zzzz) the remaining options can be set in /software/accounts/data/standard/stdopts -l - maximum userid length default: UIDLEN (pre-programmed constant, eg 12) -g - flag: next option is a valid group name in /etc/group default: 'other' -h - flag: next option is the home directory or filesystem/, default: /u[0-9]*/userid (selected by max freespace) -k - count of home filesystems over which to spread users, default: 0 (don't spread, use maximum free space instead) -s - flag: next option is the users shell default: /bin/csh -t - flag: next option is the type of user, used to select initial .dotfiles from /software/accounts/data/standard/{type} default: 'other' -q - flag: next option is the disk soft quota, the hard quota is computed as 120% of the soft quota use a quota of 0 to indicate that no quota is desired default: 1000 disk blocks -i - flag: next option is the imagen pagelimit default: 0 no imagen access -r - flag: next option is the dollar resources (not used) default: -1 unlimited -n - flag: next option is usually 'fullname', a comment field for finger information default: "" (mandatory on some systems - eg Eng) the next options are activated by placing an entry in stdopts -v - flag: next option is a VM id number (dcsu) default: (mandatory entry) -b - flag: next option is a VM billcode (dcsu) default: (mandatory entry) -d - flag: next option is a Sun domain (not used) default: 'mad' (maintenance and development) userid:comment - the userid string, and an optional comment inserted into the us_payment field. If a keyword has been given for a password, then the actual password is taken from this comment field. Usually this field gives the sponsor or reason for the account. (For MFCF students, this is the student number).
Mkusers creates accounts or updates accounts info for one or more users as specified by the selected options and/or cor- responding system defaults. The entries are built in memory and merged with the active system files as documented in mkmerge below. Mkmerge merges information contained in the passwd- and users-formatted files pwd_merge and usr_merge with that in the active or indicated files, and carries out all appropri- ate system tasks to update or create new users as required. Updates to the merge entries are written back out to the merge files so they reflect the actual active account after merging (For example, the actual value of the uid number used in creating the account will be returned). The vmid and vmbillcd options are local options used only on WatDcsu.
Consult your local accounts person for administration prac- tices in specifying information and commentary fields. The presence of a null string ("") in the standard options file /software/accounts/data/standard/stdopts makes the cor- responding option mandatory. The format of the stdopts file is: [ keyword = value [ keyword = value [ ... where current keywords are {umask, group, home, shell, type, name, quota, impages, dollars, vmid, vmbillcd, domain}.
The directories "/software/accounts/config/*/init_home" con- tain templates for new home directories. They are copied into place in the standard xhier configuration order (i.e. share, arch, admin, regional), with the last found instance of any file being the one used. For backward compatibility, if the directory "/soft- ware/accounts/data/host/standard" exists, it alone will be used to do the initialization. Administrators are encourage to remove this directory and to use the regional configura- tion instead. Note that the copying is done by following symbolic links, not copying them. This means that one cannot initialize symbolic links in home directories.
/etc/passwd the password file itself /etc/ptmp the password lockfile /software/accounts/data/users local additions to passwd /u/username user home directory /u[0-9]+/username ditto /software/accounts/data/standard default options /software/accounts/config/*/init_home default home directory templates and options /software/accounts/data/host/standard local overrides of default (deprecated) /u[0-9]/quotas system quota entries /software/accounts/logs/change log file
accounts_admin(i), rmusr(8), undelete(8), edquota(8), vipw(8), add_all(8), .login(5), .profile(5)
mkpw - update the passwd dbm files
mkpw
Mkpw is a kludge used to update the passwd dbm files from its source.
/etc/passwd the password file itself /etc/passwd.pag /etc/passwd.dir /etc/ptmp password file lock
mkquota - set all quotas according to the .../users file.
mkquota [+TEST] [-Verbose] [fasgroup=...] [userid]*
This command finds all users with home directories on file systems with quota and sets their quota according to the value in the .../users file. A list of file systems with quotas and a summary of all accounts updated are displayed (updates will not be shown for faserver filesystems). Userids without entries in the .../users file are also reported. If the command is given the argument "+test", the output is the same, but no actual updates are performed. Unless the option "-verbose" is given, on systems with faserver quotas, the program will not exit until the quotas are properly initialized, displaying the current state of the initialization every few seconds until they are. The value of the option "fasgroup" is only used when there are faserver quotas in use. When used, the option will maintain a "quotas.fasgroupname" on the faserver instead of the standard quotas file. If any userids are given on the command line, if possible only those user's quotas will be set. Normally the configured quota is assigned to each user's home directory's filesystem, and a minimal quota is assigned to every other filesystem. However (for various historical reasons), every user with an explict entry in "/etc/group" will be assigned the quota on all filesystems that have quota controls. One may take advantage of this by creating a dummy group to cause the users in that group to have the same disk quota on all filesystems. Or, to affect all users on the machine, one may create a memberless /etc/group entry called "quota_everywhere".
If the ".../fashosts" file contains any host names, a faserver quota file will be constructed, copied to those hosts, and the quotas on those faservers will be reinitial- ized unless the "fasgroup" option is used. If the "fasgroup" command line option is used, a faserver quota file with the fasgroup name appended will be con- tructed, copied to those hosts, but the quota on those faservers will NOT be reinitialized. In this case, the ini- tialization must be handled by the mergefasquotas command.
Some machines mount their file sytems from other machines, so it is important to run this program in the right place. Manually changing quota values in the .../users file will only have a temporary effect for entries flagged as "spon- sor-math". Such entries are updated automatically by the account updates run from the accounts-master machine.
/etc/passwd /software/accounts/data/users /software/accounts/config/regional/fashosts /software/accounts/config/regional/rquotahosts
Copyright (C) 1989, 1998, MFCF, University of Waterloo.
mkstudents - process the registrar's student file
mkstudents [-g] [term] Options: g - Keep grads term - term to be processed (eg S86)
Mkstudents adds and deletes students on Unix machines with appropriate updates to the USERS source file, the PASSWD source file, the GROUP source file and the home directory to conform to the current state of the students file. A list of course names that deserve VAX/UNIX accounts is required as the file Courses. This is the last in the series of student accounts mainte- nance programs. It should not be run directly by naive users. Use add_all from the master machine instead.
/usr/accounts/data/Courses /usr/accounts/data/students /usr/accounts/logs/change /usr/accounts/logs/mkstud /usr/accounts/standard/student/home/* /etc/passwd /etc/group /etc/users /u/USERID
regtape(8), add_all(8), mkmatch(8), mkstuds(8), mkpw(8)
Mkstudents does not rebuild any dbm files.
mkstuds - process the registrar's student file
mkstuds [-g] [-h home] [-P pwdfile] [-U usrfile] [term] Options: -g delete grads (normally they are not deleted) -h home filesystem default: /u[0-9]* selected for maximum free space -P flag next option as the name of the passwd file default: /etc/passwd, /etc/ypsrc/mad/passwd -U flag next option as the name of the users file default: /etc/users, /etc/ypsrc/mad/users term select accounts for semester 'term' of form 'S87' if not interactive a bad or missing term is an error, if interactive the program will prompt for input. Note: the users:type field is preset to xystudent[-zzzz] for student accounts where x={u,g}, y={h,m,d,x} and zzzz={special,wait,ta}. The tag student is mandatory as it is used for identifica- tion.
Mkstuds adds and deletes students on Unix machines by making appropriate updates to the USERS file, and the PASSWD file to conform to the current entries in the file /usr/accounts/data/students. A list of course names with quotas that are to be given Unix accounts on any particular machine is required in the file /usr/accounts/data/Courses. The actual PASSWD and USERS file should not be updated directly. Rather the output from mkstuds (default: pwd, usr) should be installed with mkmerge to insure no conflicts occur and the appropriate directories and quotas are created. This is the last in the series of student accounts mainte- nance programs.
/usr/accounts/data/Courses /usr/accounts/data/students /usr/accounts/data/pwd /usr/accounts/data/usr /usr/accounts/logs/change /usr/accounts/logs/mkstud /usr/accounts/standard/student/home/* /etc/users /u[0-9]*/USERID
regtape(8), add_all(8), mkmatch(8), mkusers(8)
Bugs?
mkusers, mkmerge - merge commandline or file data to update and create user accounts
mkusers userid You probably don't really want to use any of the other options. Though maintained by us, this program is no longer used by MFCF or CSCF.
mkmerge [ -a ] [ -e ] [ -f ] [ -m ] [ -u[u] ] [ -l uidlen ] [ -k num_fs ] [ -P passwd ] [ -U users ] pwd_merge usr_merge mkusers [ -a ] [ -e ] [ -f ] [ -m ] [ -u[u] ] [ -l uidlen ] [ -k num_fs ] [ -P passwd ] [ -U users ] [ -p 'student'|'batch'|password ] [ -c comment ] [ -g group ] [ -h home ] [ -s shell ] [ -t type ] [ -q quota ] [ -i imagen ] [ -r resource ] [ -n 'fullname' ] [ -v vmid ] [ -b vmbillcd ] userid:sponsor ... where -m - do *not* run mkpw after update, normally one rebuilds the passwd dbm to install changes -a - add-only, do *not* update existing users, ie create an account, but do nothing if it already exists -e - existing accounts only, do *not* create new users, ie update info fields for existing accounts only -f - force finger info to be overidden by the update, normally values for active users are retained -u - verify mode, do *not* update active files or logfile -uu, update active files, do *not* create home_dirs etc. -P - flag: next option is to be used as active passwd filename also turns off creation of home_dirs, quota updates etc. default: /etc/passwd, /etc/ypsrc/mad/passwd (SUN domains) -U - flag: next option is to be used as active users filename also turns off creation of home_dirs, quota updates etc. default: /etc/users, /etc/ypsrc/mad/users (SUN domains) -p - flag: next option is the password or one of the keywords ('student','batch') default: '*No*Password*' unusable password -c - flag: next option is a comment inserted into us_type (see mkstuds for valid student classes xystudent-zzzz) the remaining options can be set in /software/accounts/data/standard/stdopts -l - maximum userid length default: UIDLEN (pre-programmed constant, eg 12) -g - flag: next option is a valid group name in /etc/group default: 'other' -h - flag: next option is the home directory or filesystem/, default: /u[0-9]*/userid (selected by max freespace) -k - count of home filesystems over which to spread users, default: 0 (don't spread, use maximum free space instead) -s - flag: next option is the users shell default: /bin/csh -t - flag: next option is the type of user, used to select initial .dotfiles from /software/accounts/data/standard/{type} default: 'other' -q - flag: next option is the disk soft quota, the hard quota is computed as 120% of the soft quota use a quota of 0 to indicate that no quota is desired default: 1000 disk blocks -i - flag: next option is the imagen pagelimit default: 0 no imagen access -r - flag: next option is the dollar resources (not used) default: -1 unlimited -n - flag: next option is usually 'fullname', a comment field for finger information default: "" (mandatory on some systems - eg Eng) the next options are activated by placing an entry in stdopts -v - flag: next option is a VM id number (dcsu) default: (mandatory entry) -b - flag: next option is a VM billcode (dcsu) default: (mandatory entry) -d - flag: next option is a Sun domain (not used) default: 'mad' (maintenance and development) userid:comment - the userid string, and an optional comment inserted into the us_payment field. If a keyword has been given for a password, then the actual password is taken from this comment field. Usually this field gives the sponsor or reason for the account. (For MFCF students, this is the student number).
Mkusers creates accounts or updates accounts info for one or more users as specified by the selected options and/or cor- responding system defaults. The entries are built in memory and merged with the active system files as documented in mkmerge below. Mkmerge merges information contained in the passwd- and users-formatted files pwd_merge and usr_merge with that in the active or indicated files, and carries out all appropri- ate system tasks to update or create new users as required. Updates to the merge entries are written back out to the merge files so they reflect the actual active account after merging (For example, the actual value of the uid number used in creating the account will be returned). The vmid and vmbillcd options are local options used only on WatDcsu.
Consult your local accounts person for administration prac- tices in specifying information and commentary fields. The presence of a null string ("") in the standard options file /software/accounts/data/standard/stdopts makes the cor- responding option mandatory. The format of the stdopts file is: [ keyword = value [ keyword = value [ ... where current keywords are {umask, group, home, shell, type, name, quota, impages, dollars, vmid, vmbillcd, domain}.
The directories "/software/accounts/config/*/init_home" con- tain templates for new home directories. They are copied into place in the standard xhier configuration order (i.e. share, arch, admin, regional), with the last found instance of any file being the one used. For backward compatibility, if the directory "/soft- ware/accounts/data/host/standard" exists, it alone will be used to do the initialization. Administrators are encourage to remove this directory and to use the regional configura- tion instead. Note that the copying is done by following symbolic links, not copying them. This means that one cannot initialize symbolic links in home directories.
/etc/passwd the password file itself /etc/ptmp the password lockfile /software/accounts/data/users local additions to passwd /u/username user home directory /u[0-9]+/username ditto /software/accounts/data/standard default options /software/accounts/config/*/init_home default home directory templates and options /software/accounts/data/host/standard local overrides of default (deprecated) /u[0-9]/quotas system quota entries /software/accounts/logs/change log file
accounts_admin(i), rmusr(8), undelete(8), edquota(8), vipw(8), add_all(8), .login(5), .profile(5)
orphan - walk a directory tree looking for unowned files
orphan [+NFS] [directory]...
Orphan walks directory trees looking for files whose uid or gid is no longer in the passwd or group file. If the userid "orphan" exists, any owner-orphaned files are adopted by that userid. Otherwise they are left as orphans. If the group "orphan" exists, any group-orphaned files are adopted by that group. Otherwise they are adopted by group "none". If the userid "delgroup" exits, any entries in the group file that have that userid as a member will be ignored. This allows one to mark a group for removal and let orphan claim all files that might be in that group, before actually removing the group entry from the file. Not using this method, or removing the entry before the files are found could cause problems if another group entry is added with the same gid, as any existing files will suddenly and inap- propriately become owned by that group. The groups "everyone", "other", or "users" are checked for existence in that order and the first one found is treated specially. For security, anything in that group is changed to be in group "none". Any files owned by the userids "delgroup", "help", "user- home", or "who" will be claimed by orphan, since these spe- cial-purpose userids are not intended for file ownership. It does not follow symlinks or NFS mounted file systems. When the NFS mounted filesystems can be checked by using the +NFS option, but in that case non-NFS filesystems will be ignored. While walking a tree, it will skip any paths (which must begin with "/") contained in the decomment(1)able file "/software/accounts/config/local/orphan_ignore". If one of these roadblock paths contains a symlink, it will be treated as if it were its target. (See "Note" below.)
This program is automatically run by an entry in the crontab, once examining all non-NFS filesystems, and once examinining any NFS filesystems named in "/soft- ware/accounts/config/local/orphan_nfs".
Because the roadblocks are implemented using device and inode numbers, if the "orphan_ignore" file contains "/one/two" and orphan is invoked as "orphan /one/two/three", this tree will not be ignored since the roadblock will never be encountered. Similarly, any "orphan_ignore" path that contains a symlink will use the device and inode numbers of the target. E.g. if "/one/two -> /eight/nine/ten" then roadblocks "/one/two" and "/eight/nine/ten" will have the same effect, as will "/one/two/three" and "/eight/nine/ten/three".
accounts-config(7)
Copyright (C) 1994, MFCF, University of Waterloo.
rmallusr - do final removal of deleted userids and their files.
rmallusr
rmallusr finds all userids in the passwd file that have a "/xhbin/Deleting*" login shell and completely removes them from the host. This program normally runs from the crontab on the 1st of each month. Deleted userids are removed from /etc/passwd, /etc/group, and /software/accounts/data/host/users. All home directories under "/u/.", "/u[0-9]/.", "/backup`absolute /u/.`", "/backup`absolute /u[0-9]/.`", and all substructure are removed. All files owned by the deleted userids anywhere under "/u/.", "/u[0-9]/.", "/backup/.", and "/usr/spool/." are removed. All remaining files owned by the deleted userids are reported.
Log files are left under "/software/accounts/logs/.".
Deleted userids in mailing lists or aliases are detected, but not removed. The program is an sh script that makes too many assumptions about portability and its own abilities.
rmclean - clean out files for deleted users on regional clients
servers/rmclean
rmclean is normally called by rmallusr(8) during month-end account cleanup. It runs on each regional client, cleaning up everything belonging to about to be deleted accounts. e.g. removing (or chowning to "orphan") filesystem entries, removing crontab entries, and killing processes.
None.
"/software/accounts/data/temp_regional/delete_uids" "/software/accounts/data/temp_regional/delete_userids"
Copyright (C) 2003, MFCF, University of Waterloo.
rmusr - remove user accounts
rmusr userid
Rmusr is used to disable an account and flag it for deletion given a userid. It simply calls chsh (ypchsh) to install an /xhbin/Deleting shell. The account is finally deleted on the 1st of the month, so be aware that removing an account on the last day of a month means that it will actually dis- appear very soon.
/etc/passwd /etc/shells_system /usr/accounts/logs/change
undelete(8), rmallusr(8)
setpasswd - change some fields in the passwd file.
setpasswd -help This command has been superseded by password(1), chfn(1), and chsh(1).
T.B.A.
stripnames - strip entries and members from /etc/{group,passwd} type files
stripnames entry [Input=-] [FieldNumber=0] [Name- File=/dev/null] [[name=]null]* [IfMember=killme] stripnames member [Input=-] [FieldNumber=0] [Name- File=/dev/null] [[name=]null]* [Input=-] Path of input file to be stripped. Default is standard input. [FieldNumber=0] Number of the colon-separated field containing the mem- ber names. A field number of 0 indicates that there is no such field. [NameFile=/dev/null] Path of a decommentable file containing names, one per line, to be stripped from the input file. [[name=]null]* Names to be stripped from the input file. May be used with or instead of "NameFile". [IfMember=killme] For the "stripnames"entry command, the entry will be stripped only if the given name is in the list in field position "FieldNumber".
# Remove groups "curly", "larry", and "moe" from /etc/group, but only if "userhome" is a member of the group: % cat /etc/group \ | stripnames entry fn=4 im=userhome curly larry moe \ >/etc/group.lock # Remove userids "curly", "larry", and "moe" from /etc/group: % cat /etc/group \ | stripnames member fn=4 curly larry moe \ >/etc/group.lock # Remove userids "curly", "larry", and "moe" from /etc/passwd: % cat /etc/passwd \ | stripnames entry curly larry moe \ >/etc/ptmp
stripnames is invoked with one of two subcommands. The member subcommand causes all occurences of the given "name"s to be removed from the comma-separated list in the given "FieldNumber" colon-separated field. The entry subcommand causes all lines whose first colon- separated field is the same as any of the given "name"s to be deleted. If the "IfMember" option is used, then the lines will be deleted only if the give member name is a mem- ber of the comma-separated list in the given "FieldNumber" field.
Copyright (C) 1999, MFCF, University of Waterloo.
undelete - restore user accounts deleted by rmusr
undelete userid
Undelete is used to renable an account that has been flagged for deletion but has not yet been deleted. It simply calls chsh (ypchsh) to change an /xhbin/Deleting shell.
/etc/passwd /etc/shells_system /usr/accounts/logs/change
rmusr(8), rmallusr(8)
[OBSOLETE: use `hostin group=admin_master`]
xhier_admin - return the name of the xhier admin server
xhier_admin_server
xhier_admin_server checks the local machine's configuration and reports the name of its xhier admin server.
/software/xhier/config/local/allowed-types
This command doesn't belong in the accounts package.
Copyright (C) 1995, MFCF, University of Waterloo.
[OBSOLETE: use `hostin group=admin_master`]
xhier_admin - return the name of the xhier admin server
xhier_admin_server
xhier_admin_server checks the local machine's configuration and reports the name of its xhier admin server.
/software/xhier/config/local/allowed-types
This command doesn't belong in the accounts package.
Copyright (C) 1995, MFCF, University of Waterloo.
[OBSOLETE: Superseded by `hostin group=regional_clients`]
xhier_regional_clients - return the name(s) of all clients in the region
xhier_regional_clients
xhier_regional_clients checks the local machine's configura- tion and reports the names, if any, of all clients in the xhier region. The regional server is not included in this list.
/software/accounts/data/regional-clients/<hostname>
The returned hostnames are the same as that returned by the hostname(1) command on each client, and as such may or may not be fully qualified with the domain name. The information is reliable only if the accounts package is installed on each client in the region. This command doesn't belong in the accounts package, but for some unknown reason the xhier package doesn't provide this basic xhier information.
Copyright (C) 1995, MFCF, University of Waterloo.
[OBSOLETE: use `hostin group=regional_server`]
xhier_regional_server - return the name of the xhier regional server
xhier_regional_server
xhier_regional_server checks the local machine's configura- tion and reports the name of its xhier regional server.
/software/accounts/data/regional-server/<hostname>
The returned hostname is the same as that returned by the hostname(1) command on the server, and as such may or may not be fully qualified with the domain name. This command doesn't belong in the accounts package, but for some unknown reason the xhier package doesn't provide this basic xhier information.
Copyright (C) 1995, MFCF, University of Waterloo.
Accounts_Admin - Account Administration Policy
A "userid" is a name used to identify a computer user, inde- pendent of its existence on any particular machine. An "account" is used to identify a particular instance of a userid on an particular machine. It is typically repre- sented in the form "userid@host".
For each administration, there will be one central registry containing all userids issued by that administration. No one should ever create (an account with) a new userid without first registering the userid. Details about the user, such as full name, UW student num- ber, employee number, SIN, association with UW, etc. will be required. This information is especially important for identifying the user when requests for passwords or other account changes are made. Note that the administration may issue a different userid than the one requested, either because the requested userid has already been assigned to another user or because the requested userid does not conform to the administration's standards. In the case of the MFCF administration, all userids are reg- istered in the accounts-userids package on the host "math". Requests for new userids or questions about existing userids should be mailed to "accounts@math".
If more than one person knows something, it isn't a secret. Thus, a good rule for security is that any password should never be known by more than one person. In particular, when creating communal accounts, such as cs123, one should not give an explicit password to the account, but use the account's ".rhosts" file to grant access to specific users.
No one should ever create an account on any machine without notifying the administration of the fact and including details as to who is sponsoring the account. In the case of the MFCF administration, this information should be mailed to "accounts@math".
Accounts that were not created following these rules may be disabled or removed by the administration (or by automated software) without warning.
In general it is always best to ask the central administra- tion to create accounts rather than attempting it oneself.
No one should ever create an account on any machine without first verifying that the userid is already registered to the same person for whom the account is intended. In the case of the MFCF administration, requests for new userids or other related questions should be mailed to "accounts@math". It is not generally safe to assume that a userid listed by the uwdir(1) command is necessarily the standard userid for your administration (in particular it often isn't for MFCF. It is generally safe to assume that if an account on one of the machines listed by "hostin group=mfcf_accounts", will have an MFCF-standard userid, but be sure you know the full form of the userid (e.g. the last component of the home directory shown by finger(1)). If you are going to manage your own accounts, you must be in group "accounts", and should set your search rules with the showpath(1) command to include the "accounts:guru" type. Here is a summary of some commands you will likely want to use: # mail accounts@math If you have any doubts that the userid you are about to use is the standard userid assigned to the person or organization you are creating it for, please ask first to make sure. # mkusers full-length-userid This creates the account and initializes the home directory. Be sure to use the full length userid (i.e. not a truncated form) so that mail and other programs will recognize the account properly. In any further commands, the userid may be entered in a shorter form so long as it is at least 8 characters long. # password +r userid This sets the user's login password to a randomly gen- erated string. The user can change it to something else later using the "password" command without any arguments. # edit_rhosts userid This lets you create and change the user's ".rhosts" file. # edit_forward userid This lets you create and change the user's ".forward" file. # rmusr userid Once the account is no longer needed, this command will change the login shell to prevent its further use. At the end of the month, the program rmallusr(8) will remove the "/etc/passwd" entry and clean up the home directory, mail spool, /etc/group, etc. # undelete userid If you change your mind before the end of the month, this will reset the user's login shell.
userids(i), mfcf-policy(i),
(C) 1992, 1996, MF, University of Waterloo
groups - how to use groups on MFCF supported machines.
When your new account is created, a group is assigned to your home directory (by default group "none") and one or more groups are assigned to your userid (by default group "everyone"). Some machines are configured to assign a per- sonal group (bearing the same name as the userid) to each account. In that case, this group will be used as both the login group and the home directory group. All files created directly under a directory will automati- cally inherit the group associated with that directory. Thus if you do nothing special, all your files and sub- directories will end up in group "none". (Note that this isn't true if you run commands on IBM AIX or other SysV- semantic machines.) You may use the chgrp(1) command to change the group associated with a file or directory to something else. This will not affect any files already under the changed directory, but any files created there in the future will inherit this new group. You may of course only change the group of a file that you own, and only to a group to which you belong (or to group "none", a group to which no user belongs). Normally, you will only belong to the one group "everyone", and all of your files will belong to the one group "none", so you don't need to be worry about groups. In some cases, you (i.e. your userid) will be assigned to more than one group. For instance you might be put into group "source" so that you may be permitted to read system source files. This is done by having the source directory owned by group "source", and that directory granting read and execute permissions to its group, but no permissions to others. Files and directories under that directory should be created with general read permissions and not in group source, but because of the roadblock in the parent directory they will only be accessible by those in group source. Similarly, for a class project you and your partner(s) may have a special group, say "cs123_45", created for you. What you would both then do is to create directories under each of your own accounts, put those directories into that new group, and change the permissions so that only you and your partner may use that directory. % mkdir $HOME/cs123_45 % chgrp cs123_45 $HOME/cs123_45 % chmod 770 $HOME/cs123_45 (or use ug=rwx instead of 770) Now, both of you may freely create or remove files or direc- tories under that directory, even though it might not be under your own home directory. No one else will even be able to find so much as the names of the files though. Note that for courses you are officially registered in, course directories will be automatically created under your home directory. A command, fixclassperms(1), allows course instructors to change the permissions on these directories to allow them to access your files for marking. In order for the files you create under such a directory to be readable by others in your group, you must have your "$UMASK" environment variable set to something like 022. This will allow others in your group to read the files, but not to change them. More likely though, you will want them to be able to change them as well, so you would set your mask to 002. In that case you would probably put the com- mand "umask 002" into your "$HOME/.cshrc" file, so that all files that you ever create will allow writing for members of their group, but not for anyone else.
.cshrc(5): Initial shell configuration umask(1): Determine permissions of newly created files mkdir(1): Create a new directory chgrp(1): Change the group of a file or directory find(1): Search for files under a directory ls(1): Show ownership etc. of files fixclassperms(1): For TAs: resets groups and permissions classgroup(1): For TAs: subshell to get around NFS problems
(C) 1988, 1996, MFCF, University of Waterloo.
check_userids - check Userids file.
check_userids
check_userids checks that the Userids file is valid.
/software/accounts-userids/data/Userids
You cannot specify an alternate file to check.
Copyright (C) 1991, MFCF, University of Waterloo.
id-to-userid - filter to map ID numbers to userids in colon- separated fields
id-to-userid [Id=1] [Userid=0]
% cat input one:two:71212246:four:five % id-to-userid <input id=3 one:two:rbutterworth:four:five % id-to-userid <input id=3 u=3 one:two:rbutterworth:71212246:four:five % id-to-userid <input id=3 u=-4 one:two:71212246:rbutterworth:five % id-to-userid <input id=2 one:?:71212246:four:five % id-to-userid <input id=3 u=10 one:two:71212246:four:five:::::rbutterworth
[Id=1] Field number (origin 1) of the input ID number. IDs can be watcard numbers (71212246), uwdir numbers (P-35580), etc. [Userid=0] Field number (origin 1) of the output userid. The default, "0", means to replace the ID field. A nega- tive number means to replace the specified field. Oth- erwise an addition field is inserted before the given field.
id-to-userid reads records of colon-separated fields from standard input and writes the records to standard output, replacing or inserting a field containing the userid that corresponds to the given "Id" field number. As processing the Userids database requires significant overhead, when multiple IDs need to be evaluated it is best to provide them all to a single invocation of this command rather than calling it once for each ID.
/software/accounts-userids/data/Userids
Copyright (C) 2006, MFCF, University of Waterloo.
isuser - check if a user id is in a list of ids
isuser known_id id_1 id_2 id_3 ...
if ( { isuser $user1 91999123 joe 11119876 } ) then echo $user1 matched at least one of the other ids endif
isuser looks in the "Userids" file and finds all knows ids and userids for each of the ids on the command line.
If any of the ids for the first argument match any of the ids for any of the other arguments, the function exits 0. Otherwise it exits 1.
/software/accounts-userids/data/Userids
realuser(1), sameuser(1), truncuser(1)
Copyright (C) 1996, MFCF, University of Waterloo.
update_userids - update the Userids database with uwdir data
servers/update_userids
update_userids This program normally runs from the crontab. It uses uwdir_update(8) to merge the latest dump of the UWdir database with the Userids database. Detected changes are logged, and the cron entry mails the signifcant parts to "accounts@math".
watserv1:/sagroup/UWdir-II/Extract /software/accounts- userids/data/Userids /software/accounts/logs/userids_update
uwdir_update(8), check_userids(8)
Copyright (C) 2002, MFCF, University of Waterloo.
uwdir_update - merge UWdir data into the Userids database
servers/uwdir_update [Extract=/software/accounts-userids/data/work/Extract] [Userids=/software/accounts-userids/data/Userids]
Extract=/software/accounts-userids/data/work/Extract Dump of UWdir data to be merged. Userids=/software/accounts-userids/data/Userids Master Userids database. The options are provided mostly for debugging purposes, and are not normally needed.
uwdir_update is intended to be run by another program (nor- mally from the crontab). It updates the master Userids database with IST uwdir data, reporting errors and inconsis- tencies. IST records with errors are ignored, while serious MFCF errors cause abnormal termination. The name of the updated file will be the same as the input file, but with a ".new" suffix appended.
Serious errors with the program itself are reported on stderr, as is the message indicating that fatal problems were discovered in the input data. All other problem reports appear on standard output, the most serious being prefixed with "***", and the least impor- tant being prefixed with "+++". In addition to the wording shown below, most messages will also indicate the text in which the problem was found, and mention the line number and file name where it was encountered. "*** Fatal: illegal missing newline" Badly formatted input data. "*** Fatal: illegal id number" The id number doesn't match any of the known id-number formats. "*** Fatal: illegal userid" The userid doesn't meet the standard for userids. "*** Fatal: mfcf record repeats id" The same id appears twice in the same record. "*** Fatal: two mfcf records with same id" The same id appears in two different records. "*** Fatal: mfcf record repeats userid" The same userid appears twice in the same record. "*** Fatal: two mfcf records with same userid" The same userid appears in two different records. "*** Fatal: file got shorter" Something strange happened. "Error: id xxx matches mfcf's userid1 and userid2" An IST record has ids that match two mfcf records. "Error: id xxx matches ist's userid1 and userid2" An mfcf record has ids that match two IST records. "Error: userid xxx matches mfcf's id1 and id2" An IST record has a userid that matches two mfcf records. "Error: userid xxx matches ist's id1 and id2" An mfcf record has a userid that matches two IST records. "Error: userids differ for xxx ist=yyy mfcf=zzz" An user has different uwdir and mfcf userids. "Error: userids match but no common ids" A userid occurs in both databases, but the entries have no other ids in common, and so might be for different users. "IST error: student id number" "IST error: HR id number" "IST error: userid" "IST error: other id" The ID doesn't match any of the known id formats. (IST records all kinds of ids in the same namespace.) "IST error: ist record repeats id" The same id appears twice in the same record. "IST error: two ist records with same id" The same id appears in two records. "IST error: ist record repeats userid" The same userid appears twice in the same record. "IST error: two ist records with same userid" The same userid appears in two records. "+++ changed %s: old-name -> new-name" A user's name has changed. "+++ removed privacy for xxx" "+++ added privacy for xxx" A user's privacy request has changed. "+++ added xxx to yyy" An existing userid entry got an additional id number. "+++ added [new userid entry]" A new userid entry was added to the Userids database. "+++ can't add xxx: no id number" A new userid doesn't have a valid id number.
Fatal errors mean that no update happened. The cause needs to be corrected as soon as possible. Non-fatal Errors affect only individual records. The cause should be investigated and corrected to allow those individ- ual updates to proceed, but this isn't as urgent (except possibly for the individuals affected) as the rest of the updates are still processed normally. IST errrors generally require corrections to the UWdir database itself. These are even less urgent, as they simply prevent bad data from entering the Userids database. Note that IST doesn't consider many of them to actually be errors (e.g. two records with the same id), in which case MFCF must make the corrections. The most commonly seen problems are: "Error: id xxx matches mfcf's userid1 and userid2" "Error: userid xxx matches mfcf's id1 and id2" One IST record matched two MFCF records. This usually means that the two MFCF records should be merged (after determining which userid is the correct one to retain). "Error: id xxx matches ist's userid1 and userid2" "Error: userid xxx matches ist's id1 and id2" One MFCF record matched two IST records. This usually means that the two IST records should be merged. It is best to let IST know about it so they can investigate further before merging their records. "Error: userids differ for xxx ist=yyy mfcf=zzz" A user has different userids in the two databases. This can be caused by: - the user's existing uwuserid changed, so change the userid in the Userids database. - the user lost their uwdir entry (or never had one) and their recently created entry was given a dif- ferent userid. Determine which of the two userids is the appropriate one to use, and change the Userids or UWdir database accordingly. "Error: userids match but no common ids" A userid appears in both databases, but the software can't tell that they are for the same person. These problems must be investigated by hand. If it turns out that they are for the same person, simply add one of the UWdir ids to the Userids entry to identify them. It they are for different people, it is usually the case that the Userids entry is old and no longer worth preserving, so simply remove it.
update_userids(8), check_userids(8)
Copyright (C) 2002, MFCF, University of Waterloo.
classlist, .classlist - list of students registered in a class.
/u/<classname>/.classlist Supported on undergrad.math only.
The file contains the following colon-separated fields, one per line. Blank lines and lines beginning with a "#" char- acter may be ignored (e.g. use decomment(1) to extract the data). Id Number the student id number associated with the userid. Userid the standard userid assigned to the account. Name the student's family name, a comma, and any given names. Some names might be prefixed with an asterisk (*). In such cases, University policy requires that these names not be made publicly available, and as such are restricted to internal administrative use only. In particular this applies to setting finger information on machines, publishing email addresses, and producing any other form of directory. Lecture the lecture section that the student is registered in. Study the study field (i.e. department (sort of)) that the student is registered in. Plan the plan that the student is registered in. Group the group (i.e. faculty) that the student is registered in. Year the current year the student is registered in. Degree the degree the student is currently registered in. Initials the given initials of the student (as currently recorded by the Registrar). Family the student's family name. Status the student's status (R-registered, E-pre-registered, W-withdrawn). Time the student's attendance (P-partime, F-fulltime). Session the session that the student is registered in. Sections The section number given in the fourth field is for lecture ("lec") enrollment. This lists that and all other sections in a comma separated list. e.g. "lec=002,tut=101,tst=201". Other Additional fields may be added in the future without further warning, so do not write programs that rely on there being exactly the current number. In some unusual cases, e.g. for non-student or non-people accounts, fields such as "student id number" and "family name" might have completely different meanings.
The information in these files is based on data provided to MFCF from the Registrar by Data Processing (and occasionally on other data). The files are updated soon after new data becomes available, quite frequently at the beginning of each term and less frequently at the end. These files are not created for all classes, but only those for which the instructors have made explicit requests.
The file for say class cs123 will be called "/u/cs123/.classlist" and will be owned by the userid "cs123" and the group "cs123". Since id numbers are consid- ered confidential, the files do not have general read per- mission. Typically the course instructors and TAs will be members of the group and will possibly be in the account's ".rhosts" file, which allows them to rlogin(1c) to the account.
#Print a list of names and userids, sorted by family name decomment /u/cs123/.classlist | cut -d: -f3,2 | sort
decomment(1), cut(1), cl2sc(1).
For students registered in more than one department or fac- ulty, only one of their registrations will appear in the file.
Copyright (C) 1992,1996,2000,2001 MFCF, University of Water- loo.
account_update - merge account information with /etc/passwd etc.
servers/account_update [+Groupcheck] [Update=-] [NewGroup=-] [NewPasswd=-] [NewUsers=-] [Group=/u/rbutterworth/test/group] [Passwd=/u/rbutterworth/test/passwd] [Users=/u/rbutterworth/test/users]
account_update is normally invoked from sponsor_accounts(8). The Update data (defaulting to standard input) contains records with the following colon-separated fields: Userid (full, non-truncated), Name (typically "Family, Given"), ID (student id or employee id), UID (suggested number), and Classes (comma-separated list with format: "Name(diskquota;group,group,...)"), as described in "<accounts/resources.h>". Group is normally "/etc/group", Passwd is normally "/etc/passwd", and Users is normally "/soft- ware/accounts/data/users". The three resulting sets of output (by default standard out- put) are normally set to temporary files (e.g "/etc/ptmp") that are eventually moved to replace the originals. +Groupcheck causes the program to report any unsponsored group memberships. If there are any "/u#" directories, new home directories will be created under them, starting at one randomly chosen and cycling through them for each new home directory. Oth- erwise home directories will be created under "/u". If any potential home directory directory contains a file called ".ManualHomeDirectoryCreation", that directory will not be considered.
sponsor_accounts(8), /usr/include/accounts/resources.h
Copyright (C) 1996 MFCF, University of Waterloo.
NAME cl2sc - filter to convert a ".classlist" file into "sc" form SYNOPSIS cl2sc EXAMPLES cayley% cl2sc <~cs456/.classlist >list cayley% sc list DESCRIPTION cl2sc is a filter that converts a .classlist file as produced by the accounts package in the home directories of course accounts into a file that the sc command will accept as input. The output is sorted by surname, and then given names. The spreadhseet columns defined are: Surname GivenNames StudentID Userid Division Section The titles for the columns are in row 0 of the spreadsheet. FILES ~CourseNumber/.classlist - where class list files are kept. SEE ALSO sc(1) - the spreadsheet that uses the output of this command. BUGS It's not obvious that this is useful when a .classlist file is updated.
classgroup - start a subshell in a class project group
classgroup groupnumber ['command and args']
[201]% wmi cs123@cayley (Group everyone) on ttyub at /u1/cs123 [202]% groups everyone ... cs123 ... [203]% classgroup 45 1>[57]% wmi cs123@cayley (Group everyone) on ttyub at /u1/cs123 1>[58]% groups everyone ... cs123 ... cs123_45 1>[59]% exit [204]% /* Back where we started */
The classgroup command is necessary on those systems that allow the class account to be in a very limited number of groups. If the caller is a class account (e.g. "cs123"), and in group "classgroup", a subshell, using "/bin/csh" if the "$SHELL" environment variable is not set, will be started in the given numbered project group. Note that leading zeros are significant in the group number. "cs123_4" is not the same as "cs123_04".
fixclassperms(1) userinfo(1) groups(i)
Copyright (C) 1995, 1996, MFCF, University of Waterloo.
classlist, .classlist - list of students registered in a class.
/u/<classname>/.classlist Supported on undergrad.math only.
The file contains the following colon-separated fields, one per line. Blank lines and lines beginning with a "#" char- acter may be ignored (e.g. use decomment(1) to extract the data). Id Number the student id number associated with the userid. Userid the standard userid assigned to the account. Name the student's family name, a comma, and any given names. Some names might be prefixed with an asterisk (*). In such cases, University policy requires that these names not be made publicly available, and as such are restricted to internal administrative use only. In particular this applies to setting finger information on machines, publishing email addresses, and producing any other form of directory. Lecture the lecture section that the student is registered in. Study the study field (i.e. department (sort of)) that the student is registered in. Plan the plan that the student is registered in. Group the group (i.e. faculty) that the student is registered in. Year the current year the student is registered in. Degree the degree the student is currently registered in. Initials the given initials of the student (as currently recorded by the Registrar). Family the student's family name. Status the student's status (R-registered, E-pre-registered, W-withdrawn). Time the student's attendance (P-partime, F-fulltime). Session the session that the student is registered in. Sections The section number given in the fourth field is for lecture ("lec") enrollment. This lists that and all other sections in a comma separated list. e.g. "lec=002,tut=101,tst=201". Other Additional fields may be added in the future without further warning, so do not write programs that rely on there being exactly the current number. In some unusual cases, e.g. for non-student or non-people accounts, fields such as "student id number" and "family name" might have completely different meanings.
The information in these files is based on data provided to MFCF from the Registrar by Data Processing (and occasionally on other data). The files are updated soon after new data becomes available, quite frequently at the beginning of each term and less frequently at the end. These files are not created for all classes, but only those for which the instructors have made explicit requests.
The file for say class cs123 will be called "/u/cs123/.classlist" and will be owned by the userid "cs123" and the group "cs123". Since id numbers are consid- ered confidential, the files do not have general read per- mission. Typically the course instructors and TAs will be members of the group and will possibly be in the account's ".rhosts" file, which allows them to rlogin(1c) to the account.
#Print a list of names and userids, sorted by family name decomment /u/cs123/.classlist | cut -d: -f3,2 | sort
decomment(1), cut(1), cl2sc(1).
For students registered in more than one department or fac- ulty, only one of their registrations will appear in the file.
Copyright (C) 1992,1996,2000,2001 MFCF, University of Water- loo.
expire_accounts - warn and/or disable expired accounts
expire_accounts
expire_accounts looks at the "users" file for expired accounts (i.e. those marked as no longer having reason to exist), and each account that has exceeded the host's grace period (default 21 days) is disabled (currently the login shell is set to "/xhbin/Deleting"). Accounts are not dis- abled on Friday, Saturday, or Sunday though. A warning is mailed to each expired account the day after it expires, every 5 weeks after that, and every week during its last month of life.
This command is not privileged but should be run as root.
/software/accounts/data/users -- state of regional accounts /software/accounts/config/regional/grace -- set grace period
Copyright (C) 1992,1999, MFCF, University of Waterloo.
fixclassperms - fix the permissions on a student's course directory
fixclassperms userid
The caller must be "root" or in the appropriate class group(s). Note that course accounts are normally in their own group, but TA's and instructors are not normally in the course group unless they explicitly request it (since they are usually in the course's ".rhosts" file and so can use "rsh -l cs123 ..." or "rlogin -l cs123 ..."). The fixclassperms command determines which classes the given student is enrolled in, and modifies the group ownership and permissions on all the student's class directories (e.g. "/u/userid/cs123") to allow the files to be read by the course instructors but not by anyone else. For courses that use subgroups for group projects, (e.g. "/u/userid/cs488_03"), these subdirectories will also be given group write permissions. Students should be warned to put their group projects under these directories and not under the general course directory to prevent the group per- missions from being changed incorrectly. Note that the class directories (e.g. cs123) are created automatically when the student enrolls in the course, but the group directories (e.g. cs123_45) must initially be cre- ated by the students.
userinfo(1) classgroup(1) groups(i)
Copyright (C) 1993, 1997, MFCF, University of Waterloo.
link_homes - create symlinks to home directories
link_homes [{+|-}NFS] directory
link_homes creates symlinks to all the home directories in the /etc/passwd file that are under "/u#". Typically this is run as part of the accounts creation pro- cess, with the "directory" containing the new links being "/u". To avoid accidents, by default an error message will appear if the directory is nfs mounted. The "+NFS" option causes an error unless the directory is nfs mounted, while the "-NFS" option causes the progam to silently exit if the directory is nfs mounted.
The file "/software/accounts/config/local/link_homes" may contain default option flags (currently only "+NFS"), one per line.
Copyright (C) 1992, 1998, MFCF, University of Waterloo.
mac_pw_sync - synchronizes passwords on a Mac with the cur- rent UNIX host
mac_pw_sync [+Debug] [hostname=]mac-hostname*
mac_pw_sync fetches the accounts information from the speci- fied Macs, selects those entries with "/u/..." home directo- ries, replaces all but the home directory and shell fields with the corresponding entries on the current host, and updates the Mac with the result. The +Debug flag displays the resulting update commands with- out actually executing them.
mac_to_passwd(8).
Copyright (C) 2005, MFCF, University of Waterloo.
mac_to_passwd - converts a Mac dump to /etc/passwd format
mac_to_passwd [no arguments]
mac_to_passwd is a filter that takes the output of one or more instances of the Mac command "nicl . -read /users/USERID" on standard input and produces the equivalent "/etc/passwd" style data on standard output. Note that in addition to the usual passwd fields, the Mac version also includes three fields (class, change, and expire) between the gid and gecos fields.
Copyright (C) 2005, MFCF, University of Waterloo.
sponsor_accounts - update the sponsored accounts
servers/sponsor_accounts [+Force] [+GroupCheck]
sponsor_accounts is normally invoked via an rsh from the accounts-master machine after it has first copied a list of sponsored accounts to the file "/soft- ware/accounts_client/data/sponsor_requests/accounts". If this update doesn't exist, or is the same as "/soft- ware/accounts_client/data/sponsor_requests/accounts.old", or if "/etc/passwd" is busy, the program exits with a message to that effect. Specifying +Force will cause the program to continue even if the update is the same as the old state. The update is merged with the current "/etc/passwd", "/etc/group", and "/software/accounts/data/users" files (account_update). Then missing home directories are created (mkhomes), sym- links to home directories from under /u are updated (link_homes), and disk quotas are updated (mkquota). Finally, if "/software/accounts/config/regional/mkfinal" is decomment empty it is run to do anything extra that is spe- cific to this host. Otherwise "/software/accounts/con- fig/admin/mkfinal" will similarly be tried.
account_update(8), mkquota(8), mkhomes(8), link_homes(8).
Copyright (C) 1996, 2001, MFCF, University of Waterloo.
sponsor_aliases - update the sponsored mail aliases
servers/sponsor_aliases [+Force]
sponsor_aliases is normally invoked via an rsh from the accounts-master machine after it has first copied a list of sponsored mail aliases to the file "/soft- ware/accounts_client/data/sponsor_requests/aliases". If this update doesn't exist, or is the same as "/soft- ware/accounts_client/data/sponsor_requests/aliases.old", the program exits with a message to that effect. Specifying +Force will cause the program to continue even if the update is the same as the old state. The update is put into the "/soft- ware/accounts_client/export/aliases" file. Then the package is reinstalled on all regional clients.
sponsor_accounts(8), account_update(8), mkquota(8), mkhomes(8), link_homes(8).
Copyright (C) 2004, MFCF, University of Waterloo.
usergroups - creates a private group for each user
servers/usergroups [[groups=]everyone]*
usergroups is used to give each user a personal /etc/group entry. The program exits silently if there is no "userhome" /etc/passwd entry. First, the program finds all passwd entries having login gids in the specified forbidden group(s). Then, for each such entry: if the home directory is under "/u", or "/u#", and the home directory path ends with the user's userid, and no existing group has the same name as the userid, a new personal group entry is added to the "/etc/group" file, with the group being named after the userid, and, to mark it as a personal group, having as a member the userid "userhome". Then, after the /etc/group file has been updated, the "/etc/passwd" file is examined, and all entries with gids for personal "/etc/group" entries (i.e. those with with userid "userhome" as a member) have their gids reset.
Copyright (C) 1995, 2003, MFCF, University of Waterloo.
userid_status - show the status of all userids on this host
servers/userid_status
userid_status checks various files, looking for all login and mail alias userids on the host, and determines the sta- tus of each one. Output consists of one line per userid in the form "userid:status", sorted alphabetically by userid. If more than one status applies to a userid, the first one encountered in the following list will be used. Zmail "/software/zmailer/data/config/lists" Sendmail "/var/adm/sendmail/aliases" DelForward "/etc/passwd" - login shell is "/xhbin/Deleting*", but the home directory contains a ".forward" file. Deleted "/etc/passwd" - login shell is "/xhbin/Deleting*". i.e. the account is unusable and will be removed at the end of the month. Expired "/software/accounts/data/users" - the account is living on borrowed time and unless circumstances change will become "Deleted". Unused "/etc/passwd" - encrypted password is "New-User*". i.e. the account has not yet been assigned a password. Active - /etc/passwd: the account has been assigned a pass- word.
This program is normally called only by get_userid_status(8) in the accounts-master package.
Copyright (C) 1995, MFCF, University of Waterloo.
userinfo - show information about a user
userinfo [userid|idnumber] [{+|-}Sponsors]
The userinfo command shows various information about a user. General information is shown first, followed by information specific to the current host. The amount and type of information depends both upon how privileged the caller is, and upon what information is available on the current host. For instance an anonymous user will be shown very little information, while root on the accounts_master machine ("math" for MFCF), will be shown much more. The userid "root", and the groups "operator" and "accounts" make extra information available. Other users may only use the command for themselves (no command arguments), or for other users (by id number only). Unless the -Sponsors option (may be abbreviated as "-spon", "-s", etc.) is given, information about various sponsored resources (printers, accounts, ppp access) will be shown (available only on the accounts_master machine). This information can be suppressed, since in many cases it can be quite verbose (and boring) and make the rest of the output difficult to read.
Sometimes the "Name:" field begins with an asterisk. This is based on a flag in the University's uwdir database, indi- cating that the user's name (and other personal information) must not be made public. Typically this occurs when a stu- dent's registration form requests that home phone numbers etc. not be published, though IST may also set the flag for other reasons. If the caller does not have the "$USER" environment variable set, or if that variable is defined as "help", the program will interactively ask for a student id number, indicate the status of the account, and make suggestions as to where the user can go for help. This behaviour is used for the login shell of the "help" userid.
The program exits with a status of 1 if no information at all can be found about the user on this machine.
"/software/accounts/config/regional/grace" "/software/accounts/data/users" "/software/accounts/data/Classes" "/software/accounts-userids/data/Students" "/software/accounts-userids/data/Userids" "/software/accounts/data/Accounts"
Copyright (C) 1992, 1998, MFCF, University of Waterloo.
-- AdrianPepper - 2019-02-05