<?xml version="1.0" encoding="UTF-8"?>
<chapter id="HDRWQ581">
<title>Managing Administrative Privilege</title>
<para>This chapter explains how to enable system administrators and operators to perform privileged AFS operations.</para>
<title>Summary of Instructions</title>
<para>This chapter explains how to perform the following tasks by using the indicated commands:</para>
<informaltable frame="none">
<colspec colwidth="70*" />
<colspec colwidth="30*" />
<entry>Display members of <emphasis role="bold">system:administrators</emphasis> group</entry>
<entry><emphasis role="bold">pts membership</emphasis></entry>
<entry>Add user to <emphasis role="bold">system:administrators</emphasis> group</entry>
<entry><emphasis role="bold">pts adduser</emphasis></entry>
<entry>Remove user from <emphasis role="bold">system:administrators</emphasis> group</entry>
<entry><emphasis role="bold">pts removeuser</emphasis></entry>
<entry>Display <computeroutput>ADMIN</computeroutput> flag in Authentication Database entry</entry>
<entry><emphasis role="bold">kas examine</emphasis></entry>
<entry>Set or remove <computeroutput>ADMIN</computeroutput> flag on Authentication Database entry</entry>
<entry><emphasis role="bold">kas setfields</emphasis></entry>
<entry>Display users in <emphasis role="bold">UserList</emphasis> file</entry>
<entry><emphasis role="bold">bos listusers</emphasis></entry>
<entry>Add user to <emphasis role="bold">UserList</emphasis> file</entry>
<entry><emphasis role="bold">bos adduser</emphasis></entry>
<entry>Remove user from <emphasis role="bold">UserList</emphasis> file</entry>
<entry><emphasis role="bold">bos removeuser</emphasis></entry>
<title>An Overview of Administrative Privilege</title>
<primary>administrative privilege</primary>
<secondary>three types</secondary>
<primary>privilege</primary>
<secondary></secondary>
<see>administrative privilege</see>
<para>A fully privileged AFS system administrator has the following characteristics:
<itemizedlist>
<para>Membership in the cell's <emphasis role="bold">system:administrators</emphasis> group. See <link linkend="HDRWQ586">Administering the system:administrators Group</link>.</para>
<para>The <computeroutput>ADMIN</computeroutput> flag on his or her entry in the cell's Authentication Database. See <link linkend="HDRWQ589">Granting Privilege for kas Commands: the ADMIN Flag</link>.</para>
<para>Inclusion in the file <emphasis role="bold">/usr/afs/etc/UserList</emphasis> on the local disk of each AFS server machine in the cell. See <link linkend="HDRWQ592">Administering the UserList File</link>.</para>
</itemizedlist></para>
<para>This section describes the three privileges and explains why more than one privilege is necessary.</para>
<para>Never grant any administrative privilege to the user <emphasis role="bold">anonymous</emphasis>, even when a server outage makes it impossible to mutually authenticate. If you grant such privilege, then any user who can access a machine in your cell can issue privileged commands. The alternative solution is to put the affected server machine into no-authentication mode and use the <emphasis role="bold">-noauth</emphasis> flag available on many commands to prevent mutual authentication attempts. For further discussion, see <link linkend="HDRWQ123">Managing Authentication and Authorization Requirements</link>.</para>
<sect2 id="HDRWQ585">
<title>The Reason for Separate Privileges</title>
<para>Often, a cell's administrators require full administrative privileges to perform their jobs effectively. However, separating the three types of privilege makes it possible to grant only the minimum set of privileges that a given administrator needs to complete his or her work.</para>
<para>The <emphasis role="bold">system:administrators</emphasis> group privilege is perhaps the most basic, and most frequently used during normal operation (when all the servers are running normally). When the Protection Database is unavailable due to machine or server outage, it is not possible to issue commands that require this type of privilege.</para>
<para>The <computeroutput>ADMIN</computeroutput> flag privilege is separate because of the extreme sensitivity of the information in the Authentication Database, especially the server encryption key in the <emphasis role="bold">afs</emphasis> entry. When the Authentication Database is unavailable due to machine or server outage, it is not possible to issue commands that require this type of privilege.</para>
<para>The ability to issue privileged <emphasis role="bold">bos</emphasis> and <emphasis role="bold">vos</emphasis> commands is recorded in the <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file on the local disk of each AFS server machine rather than in a database, so that in case of serious server or network problems administrators can still log onto server machines and use those commands while solving the problem.</para>
<sect1 id="HDRWQ586">
<title>Administering the system:administrators Group</title>
<primary>pts commands</primary>
<secondary>granting privilege for</secondary>
<primary>fs commands</primary>
<secondary>granting privilege for</secondary>
<primary>privilege</primary>
<secondary>granting for pts commands</secondary>
<primary>privilege</primary>
<secondary>granting for fs commands</secondary>
<primary>granting</primary>
<secondary>privilege for fs commands</secondary>
<primary>granting</primary>
<secondary>privilege for pts commands</secondary>
<primary>system:administrators group</primary>
<secondary>privileges resulting</secondary>
<para>The first type of AFS administrative privilege is membership. Members of the <emphasis role="bold">system:administrators</emphasis> group in the Protection Database have the following privileges:
<itemizedlist>
<para>Permission to issue all <emphasis role="bold">pts</emphasis> commands, which are used to administer the Protection Database. See <link linkend="HDRWQ531">Administering the Protection Database</link>.</para>
<para>Permission to issue the <emphasis role="bold">fs setvol</emphasis> and <emphasis role="bold">fs setquota</emphasis> commands, which set the space quota on volumes as described in <link linkend="HDRWQ234">Setting and Displaying Volume Quota and Current Size</link>.</para>
<para>Implicit <emphasis role="bold">a</emphasis> (<emphasis role="bold">administer</emphasis>) and by default <emphasis role="bold">l</emphasis> (<emphasis role="bold">lookup</emphasis>) permissions on the access control list (ACL) on every directory in the cell's AFS filespace. Members of the group can use the <emphasis role="bold">fs setacl</emphasis> command to grant themselves any other permissions they require, as described in <link linkend="HDRWQ573">Setting ACL Entries</link>.</para>
<para>You can change the ACL permissions that the File Server on a given file server machine implicitly grants to the members of the <emphasis role="bold">system:administrators</emphasis> group for the data in volumes that it houses. When you issue the <emphasis role="bold">bos create</emphasis> command to create and start the <emphasis role="bold">fs</emphasis> process on the machine, include the <emphasis role="bold">-implicit</emphasis> argument to the <emphasis role="bold">fileserver</emphasis> initialization command. For syntax details, see the <emphasis role="bold">fileserver</emphasis> reference page in the <emphasis>OpenAFS Administration Reference</emphasis>. You can grant additional permissions, or remove the <emphasis role="bold">l</emphasis> permission. However, the File Server always implicitly grants the <emphasis role="bold">a</emphasis> permission to members of the group, even if you set the value of the <emphasis role="bold">-implicit</emphasis> argument to <emphasis role="bold">none</emphasis>.</para>
</itemizedlist></para>
<primary>system:administrators group</primary>
<secondary>members</secondary>
<tertiary>displaying</tertiary>
<primary>displaying</primary>
<secondary>system:administrators group members</secondary>
<primary>pts commands</primary>
<secondary>membership</secondary>
<tertiary>displaying system:administrators group</tertiary>
<primary>commands</primary>
<secondary>pts membership</secondary>
<tertiary>displaying system:administrators group</tertiary>
<sect2 id="HDRWQ587">
<title>To display the members of the system:administrators group</title>
<para>Issue the <emphasis role="bold">pts membership</emphasis> command to display the <emphasis role="bold">system:administrators</emphasis> group's list of members. Any user can issue this command as long as the first privacy flag on the <emphasis role="bold">system:administrators</emphasis> group's Protection Database entry is not changed from the default value of uppercase <computeroutput>S</computeroutput>.
<programlisting>
   % <emphasis role="bold">pts membership system:administrators</emphasis>
</programlisting></para>
<para>where <emphasis role="bold">m</emphasis> is the shortest acceptable abbreviation of <emphasis role="bold">membership</emphasis>.</para>
<sect2 id="Header_657">
<title>To add users to the system:administrators group</title>
<primary>system:administrators group</primary>
<secondary>members</secondary>
<tertiary>adding</tertiary>
<primary>adding</primary>
<secondary>system:administrators group members</secondary>
<primary>pts commands</primary>
<secondary>adduser</secondary>
<tertiary>for system:administrators group</tertiary>
<primary>commands</primary>
<secondary>pts adduser</secondary>
<tertiary>for system:administrators group</tertiary>
<para>Verify that you belong to the <emphasis role="bold">system:administrators</emphasis> group. If necessary, issue the <emphasis role="bold">pts membership</emphasis> command, which is fully described in <link linkend="HDRWQ587">To display the members of the system:administrators group</link>.
<programlisting>
   % <emphasis role="bold">pts membership system:administrators</emphasis>
</programlisting></para>
<para>Issue the <emphasis role="bold">pts adduser</emphasis> command to add one or more users.
<programlisting>
   % <emphasis role="bold">pts adduser -user</emphasis> &lt;<replaceable>user name</replaceable>&gt;+ <emphasis role="bold">-group system:administrators</emphasis>
</programlisting></para>
<para>where
<variablelist>
<term><emphasis role="bold">ad</emphasis></term>
<para>Is the shortest acceptable abbreviation of <emphasis role="bold">adduser</emphasis>.</para>
<term><emphasis role="bold">-user</emphasis></term>
<para>Names each user to add to the <emphasis role="bold">system:administrators</emphasis> group.</para>
</variablelist></para>
<sect2 id="HDRWQ588">
<title>To remove users from the system:administrators group</title>
<primary>system:administrators group</primary>
<secondary>members</secondary>
<tertiary>removing</tertiary>
<primary>removing</primary>
<secondary>system:administrators group members</secondary>
<primary>pts commands</primary>
<secondary>removeuser</secondary>
<tertiary>for system:administrators group</tertiary>
<primary>commands</primary>
<secondary>pts removeuser</secondary>
<tertiary>for system:administrators group</tertiary>
<para>Verify that you belong to the <emphasis role="bold">system:administrators</emphasis> group. If necessary, issue the <emphasis role="bold">pts membership</emphasis> command, which is fully described in <link linkend="HDRWQ587">To display the members of the system:administrators group</link>.
<programlisting>
   % <emphasis role="bold">pts membership system:administrators</emphasis>
</programlisting></para>
<para>Issue the <emphasis role="bold">pts removeuser</emphasis> command to remove one or more users.
<programlisting>
   % <emphasis role="bold">pts removeuser -user</emphasis> &lt;<replaceable>user name</replaceable>&gt;+ <emphasis role="bold">-group system:administrators</emphasis>
</programlisting></para>
<para>where
<variablelist>
<term><emphasis role="bold">rem</emphasis></term>
<para>Is the shortest acceptable abbreviation of <emphasis role="bold">removeuser</emphasis>.</para>
<term><emphasis role="bold">-user</emphasis></term>
<para>Names each user to remove from the <emphasis role="bold">system:administrators</emphasis> group.</para>
</variablelist></para>
<sect1 id="HDRWQ589">
<title>Granting Privilege for kas Commands: the ADMIN Flag</title>
<primary>ADMIN flag in Authentication Database entry</primary>
<secondary>privileges resulting</secondary>
<para>Administrators who have the <computeroutput>ADMIN</computeroutput> flag on their Authentication Database entry can issue all <emphasis role="bold">kas</emphasis> commands, which enable them to administer the Authentication Database.
<indexterm>
<primary>kas commands</primary>
<secondary>granting privilege for</secondary>
</indexterm> <indexterm>
<primary>privilege</primary>
<secondary>granting for kas commands</secondary>
</indexterm> <indexterm>
<primary>granting</primary>
<secondary>privilege for kas commands</secondary>
<sect2 id="HDRWQ590">
<title>To check if the ADMIN flag is set</title>
<primary>ADMIN flag in Authentication Database entry</primary>
<secondary>displaying</secondary>
<primary>displaying</primary>
<secondary>ADMIN flag in Authentication Database entry</secondary>
<primary>kas commands</primary>
<secondary>examine</secondary>
<tertiary>to display ADMIN flag</tertiary>
<primary>commands</primary>
<secondary>kas examine</secondary>
<tertiary>to display ADMIN flag</tertiary>
<para>Issue the <emphasis role="bold">kas examine</emphasis> command to display an entry from the Authentication Database.</para>
<para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UFS) identity, which possibly does not correspond to an AFS-privileged administrator. Include the <emphasis role="bold">-admin_username</emphasis> argument (here abbreviated to <emphasis role="bold">-admin</emphasis>) to name a user identity that has the <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry.</para>
   % <emphasis role="bold">kas examine</emphasis> &lt;<replaceable>name of user</replaceable>&gt; \
            <emphasis role="bold">-admin</emphasis> &lt;<replaceable>admin principal to use for authentication</replaceable>&gt;
   Administrator's (admin_user) password: &lt;<replaceable>admin_password</replaceable>&gt;
<para>where
<variablelist>
<term><emphasis role="bold">e</emphasis></term>
<para>Is the shortest acceptable abbreviation of <emphasis role="bold">examine</emphasis>.</para>
<term><emphasis role="bold">name of user</emphasis></term>
<para>Names the entry to display.</para>
<term><emphasis role="bold">-admin</emphasis></term>
<para>Names an administrative account with the <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry, such as the <emphasis role="bold">admin</emphasis> account. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.</para>
</variablelist></para>
<para>If the <computeroutput>ADMIN</computeroutput> flag is turned on, it appears on the first line, as in this
   % <emphasis role="bold">kas e terry -admin admin</emphasis>
   Administrator's (admin) password: &lt;<replaceable>admin_password</replaceable>&gt;
   User data for terry (ADMIN)
   key version is 0, etc...
<primary>commands</primary>
<secondary>kas setfields</secondary>
<tertiary>setting ADMIN flag</tertiary>
<primary>kas commands</primary>
<secondary>setfields</secondary>
<tertiary>setting ADMIN flag</tertiary>
<primary>ADMIN flag in Authentication Database entry</primary>
<secondary>setting or removing</secondary>
<primary>adding</primary>
<secondary>ADMIN flag to Authentication Database entry</secondary>
<primary>setting</primary>
<secondary>ADMIN flag in Authentication Database entry</secondary>
<primary>removing</primary>
<secondary>ADMIN flag from Authentication Database entry</secondary>
<sect2 id="Header_661">
<title>To set or remove the ADMIN flag</title>
<para>Issue the <emphasis role="bold">kas setfields</emphasis> command to turn on the <computeroutput>ADMIN</computeroutput> flag in an Authentication Database entry.</para>
<para>The Authentication Server performs its own authentication rather than accepting your existing AFS token. By default, it authenticates your local (UNIX) identity, which possibly does not correspond to an AFS-privileged administrator. Include the <emphasis role="bold">-admin</emphasis> argument to name an identity that has the <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry. To verify that an entry has the flag, issue the <emphasis role="bold">kas examine</emphasis> command as described in <link linkend="HDRWQ590">To check if the ADMIN flag is set</link>.</para>
<para>The following command appears on two lines only for legibility.</para>
   % <emphasis role="bold">kas setfields</emphasis> &lt;<replaceable>name of user</replaceable>&gt; {<emphasis role="bold">ADMIN</emphasis> | <emphasis role="bold">NOADMIN</emphasis>} \
            <emphasis role="bold">-admin</emphasis> &lt;<replaceable>admin principal to use for authentication</replaceable>&gt;
   Administrator's (admin_user) password: &lt;<replaceable>admin_password</replaceable>&gt;
<para>where
<variablelist>
<term><emphasis role="bold">sf</emphasis></term>
<para>Is an alias for <emphasis role="bold">setfields</emphasis> (and <emphasis role="bold">setf</emphasis> is the shortest acceptable abbreviation).</para>
<term><emphasis role="bold">name of user</emphasis></term>
<para>Names the entry for which to set or remove the <computeroutput>ADMIN</computeroutput> flag.</para>
<term><emphasis role="bold">ADMIN | NOADMIN</emphasis></term>
<para>Sets or removes the <computeroutput>ADMIN</computeroutput> flag, respectively.</para>
<term><emphasis role="bold">-admin</emphasis></term>
<para>Names an administrative account with the <computeroutput>ADMIN</computeroutput> flag on its Authentication Database entry, such as the <emphasis role="bold">admin</emphasis> account. The password prompt echoes it as admin_user. Enter the appropriate password as admin_password.</para>
</variablelist></para>
<sect1 id="HDRWQ592">
<title>Administering the UserList File</title>
<primary>UserList file</primary>
<secondary>privileges resulting</secondary>
<para>Inclusion in the file <emphasis role="bold">/usr/afs/etc/UserList</emphasis> on the local disk of each AFS server machine enables an administrator to issue commands from the indicated suites.
<itemizedlist>
<para>The <emphasis role="bold">bos</emphasis> commands enable the administrator to manage server processes and the server configuration files that define the cell's database server machines, server encryption keys, and privileged users. See <link linkend="HDRWQ80">Administering Server Machines</link> and <link linkend="HDRWQ142">Monitoring and Controlling Server Processes</link>.</para>
<para>The <emphasis role="bold">vos</emphasis> commands enable the administrator to manage volumes and the Volume Location Database (VLDB). See <link linkend="HDRWQ174">Managing Volumes</link>.</para>
<para>The <emphasis role="bold">backup</emphasis> commands enable the administrator to use the AFS Backup System to copy data to permanent storage. See <link linkend="HDRWQ248">Configuring the AFS Backup System</link> and <link linkend="HDRWQ283">Backing Up and Restoring AFS Data</link>.</para>
</itemizedlist></para>
<primary>granting</primary>
<secondary>privilege for kas commands</secondary>
<primary>bos commands</primary>
<secondary>granting privilege for</secondary>
<primary>vos commands</primary>
<secondary>granting privilege for</secondary>
<primary>backup commands</primary>
<secondary>granting privilege for</secondary>
<primary>privilege</primary>
<secondary>granting for bos commands</secondary>
<primary>privilege</primary>
<secondary>granting for vos commands</secondary>
<primary>privilege</primary>
<secondary>granting for backup commands</secondary>
<primary>granting</primary>
<secondary>privilege for bos commands</secondary>
<primary>granting</primary>
<secondary>privilege for vos commands</secondary>
<primary>granting</primary>
<secondary>privilege for backup commands</secondary>
<para>Although each AFS server machine maintains a separate copy of the file on its local disk, it is conventional to keep all copies the same. It can be confusing for an administrator to have the privilege on some machines but not others.
<indexterm>
<primary>system control machine</primary>
<secondary>as distributor of UserList file</secondary>
<para>If your cell uses the Update Server to distribute the contents of the system control machine's <emphasis role="bold">/usr/afs/etc</emphasis> directory, then edit only the copy of the <emphasis role="bold">UserList</emphasis> file stored on the system control machine. If you have forgotten which machine is the system control machine, see <link linkend="HDRWQ90">The Four Roles for File Server Machines</link>.</para>
<para>To avoid making formatting errors that can result in performance problems, never edit the <emphasis role="bold">UserList</emphasis> file directly. Instead, use the <emphasis role="bold">bos adduser</emphasis> or <emphasis role="bold">bos removeuser</emphasis> commands as described in this section.
<indexterm>
<primary>UserList file</primary>
<secondary>displaying</secondary>
</indexterm> <indexterm>
<primary>displaying</primary>
<secondary>UserList file</secondary>
</indexterm> <indexterm>
<primary>bos commands</primary>
<secondary>listusers</secondary>
</indexterm> <indexterm>
<primary>commands</primary>
<secondary>bos listusers</secondary>
<sect2 id="HDRWQ593">
<title>To display the users in the UserList file</title>
<para>Issue the <emphasis role="bold">bos listusers</emphasis> command to display the contents of the <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file.
<programlisting>
   % <emphasis role="bold">bos listusers</emphasis> &lt;<replaceable>machine name</replaceable>&gt;
</programlisting></para>
<para>where
<variablelist>
<term><emphasis role="bold">listu</emphasis></term>
<para>Is the shortest acceptable abbreviation of <emphasis role="bold">listusers</emphasis>.</para>
<term><emphasis role="bold">machine name</emphasis></term>
<para>Names an AFS server machine. In the normal case, any machine is acceptable because the file is the same on
</variablelist></para>
<sect2 id="HDRWQ594">
<title>To add users to the UserList file</title>
<primary>UserList file</primary>
<secondary>adding users</secondary>
<primary>adding</primary>
<secondary>UserList file users</secondary>
<primary>bos commands</primary>
<secondary>adduser</secondary>
<primary>commands</primary>
<secondary>bos adduser</secondary>
<para>Verify you are listed in the <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file. If not, you must have a qualified administrator add you before you can add entries to it yourself. If necessary, issue the <emphasis role="bold">bos listusers</emphasis> command, which is fully described in <link linkend="HDRWQ593">To display the users in the UserList file</link>.
<programlisting>
   % <emphasis role="bold">bos listusers</emphasis> &lt;<replaceable>machine name</replaceable>&gt;
</programlisting></para>
<para>Issue the <emphasis role="bold">bos adduser</emphasis> command to add one or more users to the <emphasis role="bold">UserList</emphasis> file.
<programlisting>
   % <emphasis role="bold">bos adduser</emphasis> &lt;<replaceable>machine name</replaceable>&gt; &lt;<replaceable>user names</replaceable>&gt;+
</programlisting></para>
<para>where
<variablelist>
<term><emphasis role="bold">addu</emphasis></term>
<para>Is the shortest acceptable abbreviation of <emphasis role="bold">adduser</emphasis>.</para>
<term><emphasis role="bold">machine name</emphasis></term>
<para>Names the system control machine if you use the Update Server to distribute the contents of the <emphasis role="bold">/usr/afs/etc</emphasis> directory. By default, it can take up to five minutes for the Update Server to distribute the changes, so newly added users must wait that long before attempting to issue privileged commands.</para>
<term><emphasis role="bold">user names</emphasis></term>
<para>Specifies the username of each administrator to add to the <emphasis role="bold">UserList</emphasis>
</variablelist></para>
<sect2 id="Header_665">
<title>To remove users from the UserList file</title>
<primary>UserList file</primary>
<secondary>removing users</secondary>
<primary>removing</primary>
<secondary>UserList file users</secondary>
<primary>bos commands</primary>
<secondary>removeuser</secondary>
<primary>commands</primary>
<secondary>bos removeuser</secondary>
<para>Verify you are listed in the <emphasis role="bold">/usr/afs/etc/UserList</emphasis> file. If not, you must have a qualified administrator add you before you can remove entries from it yourself. If necessary, issue the <emphasis role="bold">bos listusers</emphasis> command, which is fully described in <link linkend="HDRWQ593">To display the users in the UserList file</link>.
<programlisting>
   % <emphasis role="bold">bos listusers</emphasis> &lt;<replaceable>machine name</replaceable>&gt;
</programlisting></para>
<para>Issue the <emphasis role="bold">bos removeuser</emphasis> command to remove one or more users from the <emphasis role="bold">UserList</emphasis> file.
<programlisting>
   % <emphasis role="bold">bos removeuser</emphasis> &lt;<replaceable>machine name</replaceable>&gt; &lt;<replaceable>user names</replaceable>&gt;+
</programlisting></para>
<para>where
<variablelist>
<term><emphasis role="bold">removeu</emphasis></term>
<para>Is the shortest acceptable abbreviation of <emphasis role="bold">removeuser</emphasis>.</para>
<term><emphasis role="bold">machine name</emphasis></term>
<para>Names the system control machine if you use the Update Server to distribute the contents of the <emphasis role="bold">/usr/afs/etc</emphasis> directory. By default, it can take up to five minutes for the Update Server to distribute the change, so newly removed users can continue to issue privileged commands during that time.</para>
<term><emphasis role="bold">user names</emphasis></term>
<para>Specifies the username of each administrator to remove from the <emphasis role="bold">UserList</emphasis>
</variablelist></para>
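The chapter asks that UserList copies stay identical across server machines and that anonymous never holds privilege. The script below is an added example, not part of the OpenAFS documentation, that checks both from captured output of pts membership, bos listusers and kas examine. The output formats (other than the "User data for terry (ADMIN)" line shown in this chapter), the host names and the sample text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not OpenAFS code. Works on captured command output so it
# runs offline. Assumed formats: `pts membership` prints a "Members of ..."
# header then one indented name per line; `bos listusers` prints one line
# "SUsers are: name name ...".

pts_members() {   # stdin: pts membership output -> sorted names, one per line
    sed -e '/^Members of /d' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e '/^$/d' | sort -u
}

bos_users() {     # stdin: bos listusers output -> sorted names, one per line
    sed -n 's/^SUsers are:[[:space:]]*//p' | tr -s ' \t' '\n\n' |
        sed '/^$/d' | sort -u
}

kas_has_admin() { # stdin: kas examine output; true if the ADMIN flag is shown
    # Matches "User data for terry (ADMIN)". Tolerating other flags inside the
    # parentheses is an assumption; a word such as NOADMIN does not match.
    grep -Eq '^User data for [^ ]+ \((.*[^A-Z])?ADMIN([^A-Z].*)?\)'
}

only_in() {       # names in list $1 that are absent from list $2
    printf '%s\n' "$1" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$2" | grep -Fxq -- "$name" || printf '%s\n' "$name"
    done
}

# audit PTS_OUTPUT MACHINE BOS_OUTPUT [MACHINE BOS_OUTPUT ...]
# The first machine is the reference copy (for example the system control
# machine). Prints one finding per line; prints nothing when all is consistent.
audit() {
    admins=$(printf '%s\n' "$1" | pts_members); shift
    ref_name=$1
    ref_list=$(printf '%s\n' "$2" | bos_users)
    if printf '%s\n' "$admins" | grep -Fxq anonymous; then
        echo "CRITICAL system:administrators contains anonymous"
    fi
    while [ $# -ge 2 ]; do
        machine=$1
        users=$(printf '%s\n' "$2" | bos_users); shift 2
        if printf '%s\n' "$users" | grep -Fxq anonymous; then
            echo "CRITICAL UserList on $machine contains anonymous"
        fi
        for u in $(only_in "$ref_list" "$users"); do
            echo "DRIFT $machine lacks $u (present on $ref_name)"
        done
        for u in $(only_in "$users" "$ref_list"); do
            echo "DRIFT $machine has $u (absent on $ref_name)"
        done
    done
    # Holding only one privilege can be deliberate least privilege, so these
    # are informational rather than errors.
    for u in $(only_in "$ref_list" "$admins"); do
        echo "INFO $u is in UserList but not in system:administrators"
    done
    for u in $(only_in "$admins" "$ref_list"); do
        echo "INFO $u is in system:administrators but not in UserList"
    done
}

# Constructed sample output (not captured from a real cell).
PTS_SAMPLE='Members of system:administrators (id: -204) are:
  admin
  terry'
FS1_SAMPLE='SUsers are: admin terry pat'
FS2_SAMPLE='SUsers are: admin pat anonymous'
KAS_SAMPLE='User data for terry (ADMIN)
  key version is 0'

audit "$PTS_SAMPLE" fs1.example.com "$FS1_SAMPLE" fs2.example.com "$FS2_SAMPLE"
if printf '%s\n' "$KAS_SAMPLE" | kas_has_admin; then
    echo "INFO terry has the ADMIN flag"
fi
```

On a live cell, pass the real output instead, for example `audit "$(pts membership system:administrators)" fs1 "$(bos listusers fs1)" fs2 "$(bos listusers fs2)"`.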