Users and groups

From PacBSD Wiki

File list

Warning: It is recommended to not edit these files by hand. There are utilities that properly handle locking and avoid invalidating the format of the database. See #User management and #Group management for an overview.
File                Purpose
/etc/passwd         User account information (generated from master.passwd)
/etc/master.passwd  User account information
/etc/group          Defines the groups to which users belong
/etc/sudoers        List of who can run what via sudo
/home/*             Home directories

User management

Listing users

A list of all users currently logged into the system can be retrieved with the who(1) command.

$ who

To list all users on the system, regardless of whether they are currently logged in, use the users(1) command.

$ users

To get information about a user on the system use the finger(1) command.

$ finger username

Creating a new user account

An easy way to create new user accounts is with the adduser(8) utility. The adduser utility can be used interactively to add one user, or it can work in batch mode reading from a file to create multiple users at once.

Running interactively

# adduser
Username: jsmith
Full name: John Smith
Uid (Leave empty for default):
Login group [jsmith]:
Login group is jsmith.  Invite jsmith into other groups?  []: wheel
Login class: [default]:
Shell (sh csh tcsh bash rbash zsh git-shell nologin) [sh]: bash
Home directory [/home/jsmith]:
Home directory permissions (Leave empty for default):
Use password-based authentications? [yes]:
Use an empty password?  (yes/no) [no]:
Use a random password?  (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation?  [no]:
Username    :  jsmith
Password    : *****
Full Name   : John Smith
Uid         : 1002
Class       :
Groups      : jsmith wheel
Home        : /home/jsmith
Home Mode   :
Shell       : /usr/bin/bash
Locked      : no
OK?  (yes/no) : yes
adduser: INFO: Successfully added (jsmith) to the user database.
Add another user?  (yes/no): no
Goodbye!
Warning: To be usable as a login shell, an installed shell must be listed in /etc/shells, unless the adduser command is run with the -S flag, which skips shell verification.

This adds a new user with the username jsmith, who is a member of the jsmith and wheel groups, uses /usr/bin/bash as the login shell, and has /home/jsmith as the home directory. The user's full name is stored in the GECOS comment field; to add other information for the user, use chfn.

# chfn username

Running in batch mode

When running adduser in batch mode, it reads a list of users from a file with one user per line. If adduser encounters an error while processing a line, it prints an error to STDERR and moves on to the next line.

The format of the input file is as follows: a line starting with # is a comment and is ignored; all other lines must consist of ten colon (:) separated fields. Only the password field may contain a : character as part of its value.

name:uid:gid:class:change:expire:gecos:home_dir:shell:password

Field details

name Login name. This field may not be empty.
uid Numeric login user ID. If this field is left empty, it will be automatically generated.
gid Numeric primary group ID. If this field is left empty, a group with the same name as the user name will be created and its GID will be used instead.
class Login class. This field may be left empty.
change Password ageing. This field denotes the password change date for the account. The format of this field is the same as the format of the -p argument to pw(8). It may be dd-mmm-yy[yy], where dd is the day, mmm is the month in numeric or alphabetical format (10 or Oct), and yy[yy] is the two or four digit year. To denote a time relative to the current date the format is +n[mhdwoy], where n is a number followed by the unit (minutes, hours, days, weeks, months, or years) after which the password must be changed. This field may be left empty to turn password ageing off.
expire Account expiration. This field denotes the expiry date of the account. The account may not be used after the specified date. The format of this field is the same as that for password ageing. This field may be left empty to turn it off.
gecos Full name and other extra information about the user.
home_dir Home directory. If this field is left empty, it will be automatically created by appending the username to the home partition. The /nonexistent home directory is considered special and is understood to mean that no home directory is to be created for the user.
shell Login shell. This field should contain either the base name or the full path of a valid login shell.
password User password. This field should contain a plaintext string, which will be encrypted before being placed in the user database. If the password type is yes and this field is empty, it is assumed the account will have an empty password. If the password type is random and this field is not empty, its contents will be used as the password. This field is ignored if the -w option is used with a no or none argument. Be careful not to terminate this field with a closing : because it will be treated as part of the password.

An example of adding users in batch:

users.txt
jsmith:::wheel:::John Smith:/home/jsmith:bash:CorrectHorseBatteryStaple
# adduser -f users.txt
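An added example, not part of the wiki page, that pre-checks a batch file against the rules above before it is handed to adduser -f: ten colon-separated fields, a non-empty login name, a shell listed in /etc/shells by base name or full path (the check adduser skips under -S), and a password field that does not end in a stray colon. The shells list and the batch file are constructed inline with illustrative names, so the script runs without touching the real system files.

```sh
#!/bin/sh
# Added example (not from the PacBSD wiki): pre-check an adduser(8) batch file
# before running `adduser -f`. The shells list and batch file are constructed
# stand-ins for /etc/shells and a real users.txt; names are illustrative.

SHELLS_FILE="${TMPDIR:-/tmp}/shells.example.$$"
BATCH_FILE="${TMPDIR:-/tmp}/users.example.$$"
trap 'rm -f "$SHELLS_FILE" "$BATCH_FILE"' EXIT
printf '%s\n' /bin/sh /bin/csh /usr/bin/bash /usr/sbin/nologin > "$SHELLS_FILE"
cat > "$BATCH_FILE" <<'EOF'
# constructed sample: one good line, one with no login name, one with a bad shell and a trailing ':'
jsmith::::::John Smith:/home/jsmith:bash:CorrectHorseBatteryStaple
::::::No Name:/home/noname:sh:x
alice::::::Alice:/home/alice:zsh:pa:ss:
EOF

# shell_allowed NAME_OR_PATH -> 0 if the shell is listed (by base name or exact full path)
shell_allowed() {
    awk -v want="$1" '
        { n = split($0, p, "/"); if ($0 == want || p[n] == want) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$SHELLS_FILE"
}

# validate_batch FILE -> prints one diagnostic per problem, returns the problem count
validate_batch() {
    bad=0; lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in '#'*) continue ;; esac          # lines starting with # are comments
        # fields 1-9 are fixed; everything from the 10th colon on is the password,
        # which is why the password is the only field allowed to contain ':'
        nf=$(printf '%s\n' "$line" | awk -F: '{ print NF }')
        if [ "$nf" -lt 10 ]; then
            echo "line $lineno: expected 10 colon-separated fields, found $nf"; bad=$((bad + 1)); continue
        fi
        name=$(printf '%s\n' "$line" | cut -d: -f1)
        shell=$(printf '%s\n' "$line" | cut -d: -f9)
        password=$(printf '%s\n' "$line" | cut -d: -f10-)
        [ -n "$name" ] || { echo "line $lineno: login name may not be empty"; bad=$((bad + 1)); }
        if [ -n "$shell" ] && ! shell_allowed "$shell"; then
            echo "line $lineno: shell '$shell' is not in the shells list (only adduser -S would accept it)"; bad=$((bad + 1))
        fi
        case "$password" in
            *:) echo "line $lineno: password ends in ':' which adduser would keep as part of the password"; bad=$((bad + 1)) ;;
        esac
    done < "$1"
    return "$bad"
}
```

Run validate_batch on the real users.txt and only call adduser -f when it returns 0; the sample file above reports three problems.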

Edit and Remove Users

Besides adding users with adduser, the tools for other user maintenance tasks are rmuser to remove users, chpass to change user database information, passwd to change user passwords, and pw, which allows editing all aspects of user accounts.

Editing Users

Details of existing user accounts can be changed with the chpass command. Non-privileged users can change their default shell and personal information; the root user can change additional account information for any user. When run with no options other than the username of the account to edit, chpass opens an editor containing the user's information. When the user exits the editor, the user database is updated with the new information.

# chpass jsmith
#Changing user database information for jsmith.
Login: jsmith
Password: *
Uid [#]: 1001
Gid [# or name]: 1001
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/jsmith
Shell: /usr/bin/bash
Full Name: John Smith
Office Location:
Office Phone:
Home Phone:
Other information:

Removing Users

The rmuser command takes the following steps when deleting an account:

  1. Removes the user's crontab entry, if one exists.
  2. Removes any at jobs belonging to the user.
  3. Kills all processes owned by the user.
  4. Removes the user from the system's local password file.
  5. Optionally removes the user's home directory, if it is owned by the user.
  6. Removes the incoming mail files belonging to the users from /var/mail.
  7. Removes all the files owned by the user from temporary file storage areas such as /tmp.
  8. Finally, removes the username from all groups to which it belongs in /etc/group. If a group becomes empty and the group name is the same as the username, the group is removed. This complements the per-user unique groups created by adduser.

# rmuser jsmith
Matching password entry:
jsmith:*:1001:1001::0:0:John Smith:/home/jsmith:/usr/bin/bash
Is this the entry you wish to remove? y
Remove user's home directory (/home/jsmith)? y
Removing user (jsmith): mailspool home passwd.

Updating User Password

Any user can change their own password, and root can change anyone's password, using passwd. To prevent accidental or unauthorized changes, this command prompts for the user's current password before a new one can be set (root is the exception and is not asked for the user's current password). To change another user's password as root, pass the username of the account to act on as an optional argument to passwd.

$ passwd
Changing local password for jsmith.
Old password:
New password:
Retype new password:
passwd: updating the database...
passwd: done

Group management

The /etc/group file defines the groups on the system. An entry in the group file consists of the group name, the encrypted password for the group (if any), the numeric Group ID (GID), and a comma-delimited list of members. For more information about groups see group(5).

The superuser can modify /etc/group using a text editor. Alternatively, pw(8) can be used to add and edit groups.


Note: The following examples will be using the pw command as it can avoid creating invalid entries.

Listing Groups and Group Membership

List all groups a user is a member of with the groups command:

$ groups user

If user is omitted, the current user's group names are displayed.

The id command provides additional detail, such as the user's UID and associated GIDs:

$ id user

To list all groups on the system:

$ cat /etc/group

To get information about a group:

# pw groupshow www
www:*:80:

Adding New Groups

To create a new group called alpha use:

# pw groupadd alpha

Adding users to a new group

# pw groupmod alpha -M jsmith

The -M argument takes a comma-delimited list of users to add to a new (empty) group or to replace the members of an existing group. This group membership is separate from (and does not replace) the user's primary group listed in the password file. A user whose primary group is alpha is therefore not shown as a member by pw groupshow alpha, because that membership is not recorded in /etc/group, but the group is shown by the id command.

Adding New Member to a Group

The previous example replaces any existing members of the group with the users listed as the argument. To add new users to a group that already has members without replacing them, use the lowercase -m:

# pw groupmod alpha -m jru

This adds the user named jru to the alpha group without affecting other members in the group. Like the uppercase counterpart -M, the lowercase -m takes a comma-delimited list of users to append to the group member list.
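An added example, not from the wiki page, that makes the distinction in the two sections above concrete: it reads constructed copies of passwd-style and group-style entries (illustrative names and IDs) and shows that pw groupshow only reports a group's explicit member list, whereas an id-style view also counts users whose primary GID in the password file is that group. The ops account below belongs to wheel only through its primary GID, so an audit of wheel based on groupshow alone would miss it.

```sh
#!/bin/sh
# Added example (not from the PacBSD wiki): compare a group's explicit member
# list (what `pw groupshow` reports) with its effective membership (what id(1)
# reports), using constructed passwd and group files with illustrative names.

PASSWD_FILE="${TMPDIR:-/tmp}/passwd.example.$$"
GROUP_FILE="${TMPDIR:-/tmp}/group.example.$$"
trap 'rm -f "$PASSWD_FILE" "$GROUP_FILE"' EXIT
cat > "$PASSWD_FILE" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
jsmith:*:1001:1001:John Smith:/home/jsmith:/usr/bin/bash
jru:*:1002:1002:Jane Roe:/home/jru:/bin/sh
ops:*:1003:0:Ops Account:/home/ops:/bin/sh
EOF
cat > "$GROUP_FILE" <<'EOF'
wheel:*:0:root,jsmith
jsmith:*:1001:
jru:*:1002:
alpha:*:1010:jru
EOF

# listed_members GROUP -> the member field of GROUP in the group file,
# i.e. exactly the users that `pw groupshow GROUP` would print
listed_members() {
    awk -F: -v g="$1" '$1 == g { print $4 }' "$GROUP_FILE"
}

# effective_members GROUP -> sorted, space-separated list of every user that id(1)
# would place in GROUP: the explicit members plus everyone whose primary GID in
# the passwd file is this group's GID (those users never appear in /etc/group)
effective_members() {
    awk -F: -v g="$1" '
        # first file (group): remember the GID and the explicit member list
        FNR == NR {
            if ($1 == g) { gid = $3; n = split($4, m, ",")
                           for (i = 1; i <= n; i++) if (m[i] != "") seen[m[i]] = 1 }
            next
        }
        # second file (passwd): add anyone whose primary GID is this group
        gid != "" && $4 == gid { seen[$1] = 1 }
        END { for (u in seen) print u }
    ' "$GROUP_FILE" "$PASSWD_FILE" | sort | paste -s -d ' ' -
}

echo "wheel as pw groupshow sees it: $(listed_members wheel)"
echo "wheel as id sees it:           $(effective_members wheel)"
```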

Removing a User from a Group

To remove a user from a group, use pw groupmod with the -d option:

# pw groupmod group_name -d username

This will remove the user from the named group.

Deleting a group

To remove a group from the system run pw groupdel:

# pw groupdel group

See Also