1USERHELPER(8) System Manager's Manual USERHELPER(8)
2
3
4
6 userhelper - A helper interface to PAM.
7
9 userhelper [ -t ] [ -w prog args ] [ -c ] [ -f full-name ]
10 [ -o office ] [ -p office-phone ] [ -h home-phone ] [ -s shell ]
11 [ username ]
12
13
15 NOTE this program is NOT intended to be run interactively. If you want
16 to change this information on the command line use passwd(1), chfn(1),
17 or chsh(1).
18
19 This program provides a basic interface to change a user's password,
20 gecos information, and shell. The main difference between this program
21 and its traditional equivalents is that prompts are written to standard
22 out to make it easy for a GUI wrapper to interface to it as a child
23 process.
24
25 The output is in the form of:
26
27 <number> <string>
28
29 Where the number is the type of prompt returned from libpam, and the
30 string is the prompt to give the user.
31
32 The prompt numbers are as follows:
33
34 1 Prompt with visible input.
35
36 2 Prompt with invisible input.
37
38 3 Suggested answer for the current prompt.
39
40 4 Informational message.
41
42 5 Error message.
43
44 6 Count of messages sent in this block so far.
45
46 7 The name of the service being used.
47
48 8 Whether or not the command will be executed as the user if
49 authentication fails.
50
51 9 The name of the user being authenticated.
52
53
55 -t Use text mode authentication instead of the numbered message
56 types just described; only used with -w.
57
58 -w Specify a program name to be run and arguments to be passed to
59 it. userhelper will look in the file /etc/security/con‐
60 sole.apps/programname for the name of a user to authenticate,
61 the path of the binary to be run, and other settings described
62 below. userhelper will then attempt to authenticate the user
63 using PAM, specifying programname as the PAM service name. If
64 authentication succeeds, the binary will be run with superuser
65 privileges. If the configuration file specifies that PAM ses‐
66 sion management should be performed, userhelper will also open a
67 PAM session before starting the program, and close the session
68 when the program terminates. If authentication fails, user‐
69 helper can be configured run the program with the user's privi‐
70 leges instead.
71
72 -c Change the current user's password. Note that this option can‐
73 not be used with any of the other options. This is due to the
74 limitation in the interface to libpam.
75
76 -f Specify a new Full Name.
77
78 -o Specify a new Office.
79
80 -p Specify a new Office Phone.
81
82 -h Specify a new Home Phone.
83
84 -s Specify a new shell.
85
87 The wrapper configuration file used with -w contains variable assign‐
88 ments and file inclusions.
89
90 A file inclusion line has the following form:
91 . path
92 (that is a dot and a space, followed by path). If path is relative, it
93 is interpreted relative to the directory containing the current file.
94 The file inclusion line is interpreted by inserting contents of path to
95 the current file. Nested file inclusions are possible, recursive file
96 inclusion results in undefined behavior.
97
98 A variable assignment line has the following form:
99 name=value
100 No additional white space is allowed. If value is surrounded by a
101 matching pair of " or ' quotes, the quotes are removed; otherwise, the
102 \ characters are removed, except that \\ is replaced by a single \.
103
104 The following variables are recognized:
105
106 USER The name of the user userhelper should attempt to authenticate
107 the invoking user as. Typically this is root. The special
108 value <user> (which is also the default) indicates that user‐
109 helper should authenticate the invoking user.
110
111 The special value <none> indicates that access should be denied;
112 when used in conjunction with UGROUPS, members of the given
113 groups can authenticate but all others are given an Insufficient
114 Rights message.
115
116 UGROUPS
117 A comma-separated list of groups whose members will be authenti‐
118 cated as if USER were set to the special value <user>. If the
119 invoking user is not a member of one of these groups, the name
120 defined in USER will be used as normal. For example, setting
121 UGROUPS to wheel and USER to root allows members of wheel (tra‐
122 ditionally used for administrative privileges) to authenticate
123 with their own credentials and requires other users to provide
124 the root password.
125
126 PROGRAM
127 The name of the binary to execute if authentication succeeds.
128 This should always be specified as an absolute path. If not
129 specified, userhelper will attempt to run /sbin/programname
130 first, and failing that, it will attempt to run /usr/sbin/pro‐
131 gramname.
132
133 SESSION
134 Specifies whether or not userhelper should perform PAM session
135 management when running the program. Typically this is needed
136 if the PAM configuration uses a module such as pam_xauth.so to
137 forward X11 authentication tokens for use by the program. Valid
138 values are yes and no, with the default being no.
139
140 KEEP_ENV_VARS
141 A comma-separated list of names of environment variables that
142 should be kept in the environment of the wrapped program. The
143 environment is cleared by default and only a few selected vari‐
144 ables are kept in the environment if they do not contain any
145 potentially dangerous substrings.
146
147 RETRY Specifies the number of times userhelper should attempt to
148 authenticate the user if the initial attempt fails. The default
149 value is 2, which causes userhelper to attempt to authenticate
150 the user a total of 3 times.
151
152 FALLBACK
153 Specifies whether or not the specified binary should be run with
154 the invoking user's privileges if authentication fails. This
155 option is useful for running applications which gain additional
156 abilities when run with superuser privileges, but which are
157 still useful when run without them.
158
159 NOXOPTION
160 The name of an option which, if passed to userhelper as an argu‐
161 ment for the program it will run, will cause userhelper to
162 behave as if the -t flag had been passed to it.
163
164 GUI Specifies whether or not userhelper should use consolehelper to
165 present graphical dialog boxes when prompting the user for
166 information. This is the inverse of the -t option. Valid val‐
167 ues are yes and no, with the default being yes.
168
169 BANNER Specifies specific text which userhelper should present to the
170 user when userhelper prompts for information. The default is a
171 generic message based on the PAM service name.
172
173 BANNER_DOMAIN
174 Specifies the text domain in which translations of the banner
175 are stored. This setting is deprecated in favor of the DOMAIN
176 setting.
177
178 DOMAIN Specifies the text domain in which translations of strings are
179 stored. If this setting is specified, it overrides any setting
180 for BANNER_DOMAIN which may also be set.
181
182 STARTUP_NOTIFICATION_NAME
183 Specifies the startup notification name used for startup notifi‐
184 cation.
185
186 STARTUP_NOTIFICATION_DESCRIPTION
187 Specifies the startup notification name used for startup notifi‐
188 cation.
189
190 STARTUP_NOTIFICATION_WORKSPACE
191 Specifies the startup notification workspace used for startup
192 notification.
193
194 STARTUP_NOTIFICATION_WMCLASS
195 Specifies the startup notification binary wmclass used for
196 startup notification.
197
198 STARTUP_NOTIFICATION_BINARY_NAME
199 Specifies the startup notification binary name used for startup
200 notification.
201
202 STARTUP_NOTIFICATION_ICON_NAME
203 Specifies the startup notification icon name used for startup
204 notification.
205
206
208 A non-zero exit status indicates an error occurred. Those errors are:
209
210 1 The authentication passwords was incorrect.
211
212 2 One or more of the GECOS fields is invalid. This occurs when
213 there is a colon supplied in one of the fields.
214
215 3 Password resetting error.
216
217 4 Some system files are locked.
218
219 5 User unknown.
220
221 6 Insufficient rights.
222
223 7 Invalid call to this program.
224
225 8 The shell provided is not valid (i.e., does not exist in
226 /etc/shells).
227
228 9 Ran out of memory.
229
230 10 Could not find the program.
231
232 11 exec failed even though program exists.
233
234 12 the user canceled the operation.
235
236 255 Unknown error.
237
239 /etc/passwd The gecos and shell information is stored in
240 this file.
241
242 /etc/shells This file is checked to see if the new shell
243 supplied is valid.
244
245 /etc/security/console.apps/prog
246 This file contains the values which will be
247 used for the variables when userhelper is used
248 with the -w flag.
249
250 /etc/pam.d/prog This file contains the PAM configuration used
251 when userhelper is used with the -w flag.
252
254 userpasswd(1), userinfo(1), consolehelper(8), chfn(1), chsh(1),
255 passwd(5)
256
258 Otto Hammersmith <otto@redhat.com>
259 Michael K. Johnson <johnsonm@redhat.com>
260
261
262
263Red Hat, Inc. January 8 2008 USERHELPER(8)