ap(ADM)

ap -- generate account profile for propagation to other machines

Syntax

ap -d [-g ] [ -v ] [ usernames ]

ap -r -f file [ -o ] [ -v ] [ usernames ]

ap -u directory [ -o ] [ -v ] [ usernames ]

Description

ap provides a simple method of propagating user account profiles between machines.

An account profile entry consists of the user's line from the password file followed by all relevant parts of their Protected Password database entry. The following Protected Password database fields are irrelevant and are not copied:

Time of last unsuccessful password change.
Time of last successful and last unsuccessful login.
Terminal of last successful and last unsuccessful login.
Number of consecutive unsuccessful logins.

ap -d writes an account profile entry to the standard output for each username specified. If no usernames are specified, account profiles are written for all users listed in the password file.

The -g (group) option causes ap to include group membership in the account profile information that is written out.

ap -r restores account profile information from the file specified by the -f option, which is assumed to be the product of a previous ap -d. If no usernames are specified, all the account profiles contained in the file are restored; otherwise only the account profiles for the specified users are restored.

ap -u updates the system with account profile information copied from other SCO OpenServer systems. The directory specified is expected to contain the /etc/passwd and /tcb/files/auth/?/* files copied from another system. To preserve group membership, the /etc/group file may (optionally) also be included under the directory. If no usernames are specified, all the account profiles contained in the files under the specified directory are restored; otherwise only the account profiles for the specified users are restored.

The -v (verbose) option causes ap to output a message to the standard error for each account profile dumped or restored.

The -o (overwrite) option causes ap to overwrite an existing account profile which has the same username and user ID as one being restored. If the -o option is not specified a message is output and existing entries are not overwritten.

Exit values

If ap detects a fatal error, it displays an appropriate error message and exits with status greater than zero. If no errors are encountered, ap exits with status zero.

Examples

To dump the account profiles for users root and guest to a file called profiles and display a message after each account profile is dumped:

ap -dv root guest > profiles

This file can then be transferred to another machine. To restore the account profile for user root, overwriting any existing profile:

ap -ro -f profiles root

Limitations

As different machines may have different System Default values, the same profile transferred to another machine may give the user different capabilities simply because different default values are picked up for fields not present in the user's Protected Password database entry.

As the file containing the dumped account profile information is used to update the password and Protected Password database, it must be protected from unauthorized access in the same way the Protected Password database entries themselves are protected.

Authorization

ap requires the invoking user to be the superuser or have the auth subsystem authorization, and have both the chown and execsuid kernel privileges.

Files

/etc/passwd: Password file
/etc/shadow: Shadow Password file
/etc/group: Group file
/tcb/files/auth/?/: Protected Password database
/etc/auth/subsystems/: Subsystem Authorizations database

Standards conformance

ap is not part of any currently supported standard; it is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.