[Pkg-shadow-devel] Bug#1005253: Bug#1005253: shadow: Improved manual page useradd.8

Fri Feb 11 18:14:27 GMT 2022

Hi Serge,

"Serge E. Hallyn" <serge at hallyn.com> schrieb am 11. Februar 2022 um 18:13

> Thanks.  The diff is especially helpful.  Although a few of these hunks
> appear to be just changes to the line breaks.

> > @@ -219,14 +221,17 @@
> >  	</term>
> >  	<listitem>
> >  	  <para>
> > -	    The number of days after a password expires until the account is
> > -	    permanently disabled. A value of 0 disables the account as soon
> > -	    as the password has expired, and a value of -1 disables the
> > -	    feature.
> > +            defines the number of days after the password exceeded its maximum
> > +            age where the user is expected to replace this password. The value
> 
> How about 'number of days after the password exceeded its maximum
> age during which the user may login by immediately replacing this
> password. The value is stored in the shadow password file.'

I also thought that there is something better then "where the user..."

> >  	  <para>
> >  	    If not specified, <command>useradd</command> will use the
> > -	    default inactivity period specified by the
> > +	    default inactivity onset specified by the
> 
> "onset" is weird here.

I looked up in a dictionary: "onset is the first attack or beginning
(of something bad)" . There are similar usages: "onset of winter", a
"hard onset" in phonetics, in medicine they speak of the "onset" of a
disease.

What do you think of "begin of inactivity"?

You know I also suggested "grace period". But, expressing it this way,
the connection to inactivity gets lost.

I really dislike "inactivity period" as the user does not define the
duration of inactivity but the number of days he will be able to do
something against a shift of his account into the inactive state.

> >  	    <option>INACTIVE</option> variable in
> >  	    <filename>/etc/default/useradd</filename>, or -1 by default.
> >  	  </para>
> > @@ -237,8 +242,9 @@
> >  	  <option>-g</option>, <option>--gid</option> <replaceable>GROUP</replaceable>
> >  	</term>
> >  	<listitem>
> > +	  <!--MH35-->
> 
> This i assume is leftover marker to be dropped.

Sure.

> > @@ -398,10 +407,18 @@
> >  	  <option>-o</option>, <option>--non-unique</option>
> >  	</term>
> >  	<listitem>
> > -	  <para>Allow the creation of a user account with a duplicate (non-unique) UID.</para>
> > +	  <para>
> > +	    allows the creation of an account with an already existing
> > +	    UID.
> > +	  </para>
> >  	  <para>
> >  	    This option is only valid in combination with the
> > -	    <option>-u</option> option.
> > +	    <option>-u</option> option. As a user identity
> > +	    serves as
> > +	    key to map between users on one hand and permissions, file
> > +	    ownerships and other aspects that determine the system's
> > +	    behavior on the other hand, more than one login name
> > +	    will access the account of the given UID.
> >  	  </para>
> >  	</listitem>
> >        </varlistentry>
> > @@ -410,14 +427,25 @@
> >  	  <option>-p</option>, <option>--password</option> <replaceable>PASSWORD</replaceable>
> >  	</term>
> >  	<listitem>
> > +	  <!--MH37-->

> Drop this?

yes

> > @@ -488,11 +516,11 @@
> >  	</term>
> >  	<listitem>
> >  	  <para>
> > -	    The name of the user's login shell. The default is to leave this
> > -	    field blank, which causes the system to select the default login
> > -	    shell specified by the <option>SHELL</option> variable in
> > -	    <filename>/etc/default/useradd</filename>, or an empty string
> > -	    by default.
> > +            sets the path to the user's login shell. Without this option,
> > +            the system will use the <option>SHELL</option> variable specified
> > +	    in <filename>/etc/default/useradd</filename>, or, if that is as
> > +	    well not set, the field for the login shell in <filename>/etc/passwd
> > +	    </filename>remains empty.
> >  	  </para>
> >  	</listitem>
> >        </varlistentry>
> > @@ -533,13 +561,16 @@
> >        </varlistentry>
> >        <varlistentry>
> >  	<term>
> > -	  <option>-Z</option>, <option>--selinux-user</option> <replaceable>SEUSER</replaceable>
> > +	  <option>-Z</option>, <option>--selinux
> > +	  -user</option> <replaceable>SEUSER</replaceable>

> Is the line break here accidental?

Yes. I did not care for line breaks. This is a case where it would be
better avoided or done in another way, without separation of --selinux-user.

> >  	</term>
> >  	<listitem>
> >  	  <para>
> > -	    The SELinux user for the user's login. The default is to leave this
> > -	    field blank, which causes the system to select the default SELinux
> > -	    user.
> > +	    defines the SELinux user for the new account. Without this
> > +	    option, a SELinux uses the default user. Note that the
> 
> s/a SELinux/SELinux/

Yes.

> > +	    shadow system doesn't store the selinux-user, it uses
> > +	    <citerefentry><refentrytitle>semanage</refentrytitle>
> > +	    <manvolnum>8</manvolnum></citerefentry> for that.
> >  	  </para>
> >  	</listitem>
> >        </varlistentry>
> > @@ -561,7 +592,7 @@
> >  	  </term>
> >  	  <listitem>
> >  	    <para>
> > -	      The path prefix for a new user's home directory. The
> > +	      The path prefix for new users' home directory. The
> 
> the 'a' is more natural in English.

No problen, use the singular

> > @@ -578,7 +609,8 @@
> >  	    <option>-e</option>, <option>--expiredate</option> <replaceable>EXPIRE_DATE</replaceable>
> >  	  </term>
> >  	  <listitem>
> > -	    <para>The date on which the user account is disabled.</para>
> > +	    <!--MH43-->

All of these can be be erased

> > +	    <para>The date on which newly created user accounts are disabled.</para>
> >  	    <para>
> >  	      This option sets the <option>EXPIRE</option> variable in
> >  	      <filename>/etc/default/useradd</filename>.
> > @@ -590,9 +622,12 @@
> >  	    <option>-f</option>, <option>--inactive</option> <replaceable>INACTIVE</replaceable>
> >  	  </term>
> >  	  <listitem>
> > +	    <!--MH44--><!--MH45-->
> >  	    <para>
> > -	      The number of days after a password has expired before the
> > -	      account will be disabled.
> > +              defines the number of days after the password exceeded its maximum
> > +              age where the user is expected to replace this password. See <citerefentry>
> 

> maybe s/is expected to replace/is allowed to login after replacing/ ?

I' neutral. The first action of useradd is _forcing_ the user to
replace it. The consequece, i.e. the second effect, is, that he is
_allowed_ to work again with the system.

> > +	      <refentrytitle>shadow</refentrytitle><manvolnum>5</manvolnum>
> > +              </citerefentry>for more information.
> >  	    </para>
> >  	    <para>
> >  	      This option sets the <option>INACTIVE</option> variable in
> > @@ -605,13 +640,9 @@
> >  	    <option>-g</option>, <option>--gid</option> <replaceable>GROUP</replaceable>
> >  	  </term>
> >  	  <listitem>
> > -	    <para>
> > -	      The group name or ID for a new user's initial group (when
> > -	      the <option>-N/--no-user-group</option> is used or when the
> > -	      <option>USERGROUPS_ENAB</option> variable is set to
> > -	      <replaceable>no</replaceable> in
> > -	      <filename>/etc/login.defs</filename>). The named
> > -	      group must exist, and a numerical group ID must have an
> > +	    <para>sets the default primary group for newly created users,
> > +	      accepting group names or a numerical group ID. The named
> > +	      group must exist, and the GID must have an
> >  	      existing entry.

> I think this should still point out that this default only applies
> when using --no-user-group/USERGROUPS_ENAB=no.

I'm fine with re-inserting the parenthesis. 

With the exception of the "inactivity onset" "begin of inactivity"
"grace period" problem, I would be able to edit the xml-file. But I
think it spares you not much work.

Best regards
Markus