Saturday, July 16, 2011

AIX user administration - lsuser


The lsuser command displays the user account attributes. You can use this command to list all attributes of all the users or all the attributes of specific users except their passwords. Since there is no default parameter, you must enter the ALL keyword to see the attributes of all the users. By default, the lsuser command displays all user attributes. To view selected attributes, use the -a List flag. If one or more attributes cannot be read, the lsuser command lists as much information as possible.

Note: 
If you have a Network Information Service (NIS) database installed on your system, some user information may not appear when you use the lsuser command.

By default, the lsuser command lists each user's attributes on one line. It displays attribute information as Attribute=Value definitions each separated by a blank space. To list the user attributes in stanza format, use the -f flag. To list the information as colon-separated records, use the -c flag.


Gathering all the information for a user from the various user files may seem cumbersome. The lsuser command returns all the attributes set for the user in the various administration files, which can be very helpful if you are comparing users, want to generate a complete listing of all users for backup purposes, or are troubleshooting an issue with an individual account.
To view a user's attributes, you can use the -f switch, which displays everything in a stanza structure. The following listing provides an example of this output.
Listing. Output from lsuser -f

 
# lsuser -f xander
xander:
        id=214
        pgrp=staff
        groups=staff
        home=/home/xander
        shell=/usr/bin/ksh
        gecos=Xander Cormany,317.555.1234
        login=true
        su=true
        rlogin=true
        daemon=true
        admin=false
        sugroups=ALL
        admgroups=
        tpath=nosak
        ttys=ALL
        expires=0
        auth1=SYSTEM
        auth2=NONE
        umask=22
        registry=files
        SYSTEM=compat
        logintimes=
        loginretries=0
        pwdwarntime=0
        account_locked=false
        minage=0
        maxage=0
        maxexpired=-1
        minalpha=0
        minother=0
        mindiff=0
        maxrepeats=8
        minlen=0
        histexpire=0
        histsize=0
        pwdchecks=
        dictionlist=
        default_roles=
        fsize=-1
        cpu=-1
        data=-1
        stack=-1
        core=1048576
        rss=-1
        nofiles=-1
        roles=


If you are comparing users, simply change the switch from -f to -c and add the users you want to compare as a comma-delimited argument. The following listing provides an example of this output.
Listing. Output of lsuser -c

 
# lsuser -c xander,cormany

#name:id:pgrp:groups:home:shell:gecos:login:su:rlogin:daemon:admin:
sugroups:tpath:ttys:expires:auth1:auth2:umask:registry:SYSTEM:loginretries:
pwdwarntime:account_locked:minage:maxage:maxexpired:minalpha:minother:
mindiff:maxrepeats:minlen:histexpire:histsize:fsize:cpu:data:stack:core:rss:nofiles
xander:214:staff:staff:/home/xander:/usr/bin/ksh:Xander Cormany,317.555.1234:
true:true:true:true:false:ALL:nosak:ALL:0:SYSTEM:NONE:22:files:compat:0:0:false:
0:0:-1:0:0:0:8:0:0:0:-1:-1:-1:-1:1048576:-1:-1
#name:id:pgrp:groups:home:shell:gecos:login:su:rlogin:daemon:admin:sugroups:
tpath:ttys:expires:auth1:auth2:umask:registry:SYSTEM:loginretries:pwdwarntime:
account_locked:minage:maxage:maxexpired:minalpha:minother:mindiff:maxrepeats:
minlen:histexpire:histsize:fsize:cpu:data:stack:core:rss:nofiles:time_last_login:
time_last_unsuccessful_login:tty_last_login:tty_last_unsuccessful_login:host_last_login:
host_last_unsuccessful_login:unsuccessful_login_count
cormany:215:staff:staff,support:/home/cormany:/bin/ksh:Adam Cormany:true:true:
true:true:false:ALL:nosak:ALL:0:SYSTEM:NONE:22:NIS:compat:0:0:false:0:0:
-1:0:0:0:8:0:0:0:-1:-1:-1:-1:-1:-1:-1:1250854405:1250522447:/dev/pts/3:/dev/pts/13:
10.20.30.40:10.20.30.41:0


That is a lot of information to look at and may be a bit overwhelming in its raw form. However, if you import this data into a spreadsheet, it will look much cleaner. Having a delimited format is also helpful when you are using the data in scripts to manage users.
If you are only looking for a few fields—say, the user's shell and home directory—the lsuser command can do the work for you with the -a switch. The following listing provides an example of this command using the fields from the chuser man page.

Listing. Running lsuser -c -a on a man page

 
# lsuser -c -a shell home xander,cormany
#name:shell:home
xander:/usr/bin/ksh:/home/xander
#name:shell:home
cormany:/bin/ksh:/home/cormany
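
The scripting use of the colon-delimited output mentioned above, as an added example that is not part of the original article: a shell function that maps each record onto the #name: header preceding it (the header can differ from user to user, as the lsuser -c listing shows) and flags weak password-policy attributes. The function names, the minlen threshold of 8 and the sample records are assumptions of this example.

```shell
#!/bin/sh
# Added example: flag weak password-policy attributes in `lsuser -c` output.
# The minlen threshold is this example's assumption, not an AIX default.

# Reads colon-separated lsuser records on stdin, prints "user:attr=value".
audit_lsuser_c() {
    awk -F: -v min_len="${MIN_LEN:-8}" '
    function has(a) { return (a in val) && val[a] != "" }
    /^#name:/ {                       # each record is preceded by its own header
        ncol = split(substr($0, 2), col, ":")
        next
    }
    NF == 0 || ncol == 0 { next }     # blank line, or data before any header
    {
        split("", val)                # portable way to empty an awk array
        for (i = 1; i <= NF && i <= ncol; i++) val[col[i]] = $i
        user = val["name"]
        # Only attributes present in this header are checked.
        if (has("minlen") && val["minlen"] + 0 < min_len + 0)
            print user ":minlen=" val["minlen"]
        if (has("maxage") && val["maxage"] + 0 == 0)              # 0 = never expires
            print user ":maxage=0"
        if (has("loginretries") && val["loginretries"] + 0 == 0)  # 0 = no lockout
            print user ":loginretries=0"
    }'
}

# Constructed sample input: xander carries the values from the -f listing,
# audit01 and guestx are made-up accounts with different attribute sets.
sample_lsuser_c() {
    cat <<'EOF'
#name:minlen:maxage:loginretries
xander:0:0:0
#name:minlen:maxage:loginretries:time_last_login
audit01:8:13:5:1250854405
#name:maxage:loginretries
guestx:0:3
EOF
}

sample_lsuser_c | audit_lsuser_c
# On AIX: lsuser -c -a minlen maxage loginretries ALL | audit_lsuser_c
```

Set MIN_LEN in the environment to change the minimum password length the check expects.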


Man Page for lsuser says the following:
Purpose
Displays user account attributes.

Syntax
lsuser [ -R load_module ] [ -c | -f ] [ -a List ] { ALL | Name [ ,Name ] ... }

Description
The lsuser command displays the user account attributes. You can use this command to list all attributes of all the system users or all the attributes of specific users. Since there is no default parameter, you must enter the ALL keyword to see the attributes of all the users. By default, the lsuser command displays all user attributes. To view selected attributes, use the -a List flag. If one or more attributes cannot be read, the lsuser command lists as much information as possible.
Note: If you have a Network Information Service (NIS) database installed on your system, some user information may not appear when you use the lsuser command.
By default, the lsuser command lists each user's attributes on one line. It displays attribute information as Attribute=Value definitions, each separated by a blank space. To list the user attributes in stanza format, use the -f flag. To list the information as colon-separated records, use the -c flag.
You can use the Users application in Web-based System Manager (wsm) to change user characteristics. You could also use the System Management Interface Tool (SMIT) smit lsusers fast path to run this command.

Flags

-a List
Lists the attributes to display. The List variable can include any attribute defined in the chuser command and requires a blank space between attributes. If you specify an empty list, only the user names are displayed.
-c
Displays the user attributes in colon-separated records, as follows:
# name:  attribute1:  attribute2:  ...
  User:  value1:      value2:      ...
-f
Displays the output in stanzas, with each stanza identified by a user name. Each Attribute=Value pair is listed on a separate line:
user:
       attribute1=value
       attribute2=value
       attribute3=value
-R load_module
Specifies the loadable I&A module used to display the user account attributes.

Security
Access Control: This command should be a general user program with execute (x) access for all users. Since the attributes are read with the access rights of the user who invokes the command, some users may not be able to access all the information. This command should have the trusted computing base attribute.

Files Accessed:
Mode  File
r     /etc/passwd
r     /etc/security/user
r     /etc/security/user.roles
r     /etc/security/limits
r     /etc/security/environ
r     /etc/group
r     /etc/security/audit/config

Examples
To display the user id and group-related information about the smith account in stanza form, enter:

lsuser -f -a id pgrp groups admgroups smith

Information similar to the following appears:

smith:
   ID=2457
   pgrp=system
   groups=system,finance,staff,accounting
   admgroups=finance,accounting

To display the user id, groups, and home directory of smith in colon format, enter:

lsuser -c -a id home groups smith

Information like the following appears:

# name: ID:home:groups
smith:  2457:/home/smith:system,finance,staff,accounting

To display all the attributes of user smith in the default format, enter:

lsuser smith

All the attribute information appears, with each attribute separated by a blank space.
To display all the attributes of all the users, enter:

lsuser ALL

All the attribute information appears, with each attribute separated by a blank space.



Alternatively, you can use SMIT:
  1. Run smitty lsuser, which opens a menu as shown in Figure 1 below.
  2. Type smith for the field User NAME and press Enter. This will display a screen as shown in Figure 2 below.
  3. When SMIT returns an OK prompt, press the F10 key to return to the command prompt.

Figure 1



Figure 2

