NAME
userhelper - A helper interface to PAM.
SYNOPSIS
userhelper [ -t ] [ -w prog args ] [ -c ] [ -f full-name ]
[ -o office ] [ -p office-phone ] [ -h home-phone ] [ -s shell ]
[ username ]
DESCRIPTION
NOTE this program is NOT intended to be run interactively. If you want
to change this information on the command line use passwd(1), chfn(1),
or chsh(1).
This program provides a basic interface to change a user’s password,
gecos information, and shell. The main difference between this program
and its traditional equivalents is that prompts are written to standard
out to make it easy for a GUI wrapper to interface to it as a child
process.
The output is in the form of:
<number> <string>
Where the number is the type of prompt returned from libpam, and the
string is the prompt to give the user.
The prompt numbers are as follows:
1 Prompt with visible input.
2 Prompt with invisible input.
3 Suggested answer for the current prompt.
4 Informational message.
5 Error message.
6 Count of messages sent in this block so far.
7 The name of the service being used.
8 Whether or not the command will be executed as the user if
authentication fails.
9 The name of the user being authenticated.
OPTIONS
-t Use text mode authentication instead of the numbered message
types just described; only used with -w.
-w Specify a program name to be run and arguments to be passed to
it. userhelper will look in the file
/etc/security/console.apps/programname for the name of a user to
authenticate, the path of the binary to be run, and other
settings described below. userhelper will then attempt to
authenticate the user using PAM, specifying programname as the
PAM service name. If authentication succeeds, the binary will
be run with superuser privileges. If the configuration file
specifies that PAM session management should be performed,
userhelper will also open a PAM session before starting the
program, and close the session when the program terminates. If
authentication fails, userhelper can be configured run the
program with the user’s privileges instead.
-c Change the current user’s password. Note that this option
cannot be used with any of the other options. This is due to
the limitation in the interface to libpam.
-f Specify a new Full Name.
-o Specify a new Office.
-p Specify a new Office Phone.
-h Specify a new Home Phone.
-s Specify a new shell.
WRAPPER CONFIGURATION
The wrapper configuration file used with -w contains variable
assignments and file inclusions.
A file inclusion line has the following form:
. path
(that is a dot and a space, followed by path). If path is relative, it
is interpreted relative to the directory containing the current file.
The file inclusion line is interpreted by inserting contents of path to
the current file. Nested file inclusions are possible, recursive file
inclusion results in undefined behavior.
A variable assignment line has the following form:
name=value
No additional white space is allowed. If value is surrounded by a
matching pair of " or ’ quotes, the quotes are removed; otherwise, the
\ characters are removed, except that \\ is replaced by a single \.
The following variables are recognized:
USER The name of the user userhelper should attempt to authenticate
the invoking user as. Typically this is root. The special
value <user> (which is also the default) indicates that
userhelper should authenticate the invoking user.
The special value <none> indicates that access should be denied;
when used in conjunction with UGROUPS, members of the given
groups can authenticate but all others are given an Insufficient
Rights message.
UGROUPS
A comma-separated list of groups whose members will be
authenticated as if USER were set to the special value <user>.
If the invoking user is not a member of one of these groups, the
name defined in USER will be used as normal. For example,
setting UGROUPS to wheel and USER to root allows members of
wheel (traditionally used for administrative privileges) to
authenticate with their own credentials and requires other users
to provide the root password.
PROGRAM
The name of the binary to execute if authentication succeeds.
This should always be specified as an absolute path. If not
specified, userhelper will attempt to run /sbin/programname
first, and failing that, it will attempt to run
/usr/sbin/programname.
SESSION
Specifies whether or not userhelper should perform PAM session
management when running the program. Typically this is needed
if the PAM configuration uses a module such as pam_xauth.so to
forward X11 authentication tokens for use by the program. Valid
values are yes and no, with the default being no.
KEEP_ENV_VARS
A comma-separated list of names of environment variables that
should be kept in the environment of the wrapped program. The
environment is cleared by default and only a few selected
variables are kept in the environment if they do not contain any
potentially dangerous substrings.
RETRY Specifies the number of times userhelper should attempt to
authenticate the user if the initial attempt fails. The default
value is 2, which causes userhelper to attempt to authenticate
the user a total of 3 times.
FALLBACK
Specifies whether or not the specified binary should be run with
the invoking user’s privileges if authentication fails. This
option is useful for running applications which gain additional
abilities when run with superuser privileges, but which are
still useful when run without them.
NOXOPTION
The name of an option which, if passed to userhelper as an
argument for the program it will run, will cause userhelper to
behave as if the -t flag had been passed to it.
GUI Specifies whether or not userhelper should use consolehelper to
present graphical dialog boxes when prompting the user for
information. This is the inverse of the -t option. Valid
values are yes and no, with the default being yes.
BANNER Specifies specific text which userhelper should present to the
user when userhelper prompts for information. The default is a
generic message based on the PAM service name.
BANNER_DOMAIN
Specifies the text domain in which translations of the banner
are stored. This setting is deprecated in favor of the DOMAIN
setting.
DOMAIN Specifies the text domain in which translations of strings are
stored. If this setting is specified, it overrides any setting
for BANNER_DOMAIN which may also be set.
STARTUP_NOTIFICATION_NAME
Specifies the startup notification name used for startup
notification.
STARTUP_NOTIFICATION_DESCRIPTION
Specifies the startup notification name used for startup
notification.
STARTUP_NOTIFICATION_WORKSPACE
Specifies the startup notification workspace used for startup
notification.
STARTUP_NOTIFICATION_WMCLASS
Specifies the startup notification binary wmclass used for
startup notification.
STARTUP_NOTIFICATION_BINARY_NAME
Specifies the startup notification binary name used for startup
notification.
STARTUP_NOTIFICATION_ICON_NAME
Specifies the startup notification icon name used for startup
notification.
EXIT STATUS
A non-zero exit status indicates an error occurred. Those errors are:
1 The authentication passwords was incorrect.
2 One or more of the GECOS fields is invalid. This occurs when
there is a colon supplied in one of the fields.
3 Password resetting error.
4 Some system files are locked.
5 User unknown.
6 Insufficient rights.
7 Invalid call to this program.
8 The shell provided is not valid (i.e., does not exist in
/etc/shells).
9 Ran out of memory.
10 Could not find the program.
11 exec failed even though program exists.
12 the user canceled the operation.
255 Unknown error.
FILES
/etc/passwd The gecos and shell information is stored in
this file.
/etc/shells This file is checked to see if the new shell
supplied is valid.
/etc/security/console.apps/prog
This file contains the values which will be
used for the variables when userhelper is used
with the -w flag.
/etc/pam.d/prog This file contains the PAM configuration used
when userhelper is used with the -w flag.
SEE ALSO
userpasswd(1), userinfo(1), consolehelper(8), chfn(1), chsh(1),
passwd(5)
AUTHOR
Otto Hammersmith <otto@redhat.com>
Michael K. Johnson <johnsonm@redhat.com>