FreeBSD  Release  8.0  Installer  Guide


 

User Account Admin

FBSD has built-in commands for administering user accounts. Only users who have a predefined account on the system can use its facilities. The account name (login ID) and password are what you are prompted for during the login process, whether locally on the FBSD console or remotely through a client application. Email, Telnet, and FTP are some of the most common facilities whose access is controlled by the user account. The FBSD Handbook at http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/users-modifying.html gives a very good explanation of the FBSD account administration scripts. Those scripts are built around the pw(8) command, and 'man pw' is also worth reading.

 

Configure the pw Command

When FBSD is first installed the pw command has no /etc/pw.conf options file. The pw command still works, but you cannot see what defaults it is using, and every default you want to override has to be spelled out with option flags, so the command line gets long.

The first thing you should do if you want to use the pw command to add users is to create the pw.conf file, do this by entering:

pw adduser -D   # with no other options this writes the built-in defaults to /etc/pw.conf

The comments in the file are self-explanatory. Edit /etc/pw.conf to change the defaults. The author changed the default group to "guest" and the extra groups to "mail", so every new account is also a member of the mail group. One setting deserves attention: defaultpasswd = "yes" makes each new account's initial password its own login name, which anyone who learns the account name can guess. "random" (pw prints the generated password) or "no" (the account cannot log in until root runs passwd) is safer, and in any case the user should set a password of their own immediately.

My /etc/pw.conf looks like this

#
# /etc/pw.conf - user/group configuration defaults

# Password for new users? no=nologin yes=loginid none=blank random=random
defaultpasswd = "yes"

# Reuse gaps in uid sequence? (yes or no)
reuseuids = "yes"

# Reuse gaps in gid sequence? (yes or no)
reusegids = "yes"

# Path to the NIS passwd file (blank or 'no' for none)
nispasswd =

# Obtain default dotfiles from this directory
skeleton = "/usr/share/skel/"

# Mail this file to new user (/etc/newuser.msg or no)
newmail = "no"

# Log add/change/remove information in this file
logfile = "/var/log/userlog"

# Root directory in which $HOME directory is created
home = "/home"

# Colon separated list of directories containing valid shells
shellpath = "/bin"

# Comma separated list of available shells (without paths)
shells = "sh","csh","tcsh"

# Default shell (without path)
defaultshell = "csh"

# Default group (leave blank for new group per user)
defaultgroup = "guest"

# Extra groups for new users
extragroups = "mail"

# Default login class for new users
defaultclass = ""

# Range of valid default user ids
minuid = 1000
maxuid = 32000

# Range of valid default group ids
mingid = 1000
maxgid = 32000

# Days after which account expires (0=disabled)
expire_days = 0

# Days after which password expires (0=disabled)
password_days = 0

 

Examples of pw command usage

pw adduser -D             # create the /etc/pw.conf file

pw adduser tom -m -c 'tom brown'    # tom = login name
                                    # -m = create the home directory
                                    # -c = full name (GECOS) field;
                                    #      quote it when it contains spaces

With defaultpasswd = "yes" in /etc/pw.conf the initial password is the login name itself, so the account is only as secret as its name.
The user needs to run the passwd command right away to set their own secret password (or you supply one at creation time with the -h option; see the script further down).

pw deluser tom -r         # -r = also remove his home directory

pw showuser tom           # display the user's entry in password-file format

pw showuser tom -P        # display the entry in human readable form

pw showuser -a            # display all entries in the password file

pw addgroup networking    # add this new group

pw showgroup wheel        # list the members of this group

pw modgroup wheel -m tom  # add user tom to group wheel (-m appends to the
                          # member list; capital -M replaces the whole list,
                          # so -M tom would silently drop every other member)

Each pw subcommand can also be written with its two words reversed:

adduser and useradd mean the same thing (likewise deluser/userdel, addgroup/groupadd, modgroup/groupmod, showuser/usershow).

 

pw command embedded in a script

#! /bin/sh
# Create tom and read his password from standard input.
# -h 0 = take the password from file descriptor 0 (stdin), so it is never
#        passed as a command-line argument where ps could show it.
pw adduser tom -m -c testing -h 0 <<EOD
water
EOD
# water is the password assigned to tom. It sits in cleartext in this script,
# so keep the script mode 0600 and delete it when you are done.
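The heredoc script works, but the password is written down in cleartext. The following is an added example, not code from the guide, that issues the same pw(8) commands from Python with a password generated from the OS random source and fed to -h 0 on stdin, and that appends group members with -m rather than replacing the list with -M. It assumes it runs as root on FreeBSD with pw at /usr/sbin/pw; the login names and groups used are made up.

```python
"""Added example (not part of the original guide): drive pw(8) from Python
the way the guide's heredoc script does, but without a hard-coded password.

The password is generated with the OS CSPRNG and handed to `pw useradd -h 0`
on standard input, so it never appears on a command line (visible in ps) or in
a script on disk. Group membership is added with `pw groupmod -m` (append),
not `-M`, which replaces the whole member list. Assumptions: runs as root on
FreeBSD; the login names and groups used here are made up.
"""
import os
import secrets
import string
import subprocess

PW = "/usr/sbin/pw"          # where pw(8) lives on FreeBSD


def gen_password(length=16):
    """Random letters and digits drawn from secrets, the CSPRNG-backed module."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def useradd_argv(login, fullname, groups=(), shell="sh"):
    """Build the argv for `pw useradd`.

    -m creates the home directory from the skeleton named in /etc/pw.conf,
    -c sets the full-name field, -s the shell (looked up via shellpath),
    -G the supplementary groups, and -h 0 tells pw to read the password
    from file descriptor 0 instead of taking it from the command line.
    """
    argv = [PW, "useradd", login, "-m", "-c", fullname, "-s", shell, "-h", "0"]
    if groups:
        argv += ["-G", ",".join(groups)]
    return argv


def groupmod_append_argv(group, *members):
    """argv that appends members to a group; -M (capital) would overwrite the list."""
    return [PW, "groupmod", group, "-m", ",".join(members)]


def add_user(login, fullname, groups=()):
    """Create the account and return the generated initial password.

    Hand the password to the user out of band and have them run passwd(1)
    at first login; nothing here writes it to a log.
    """
    password = gen_password()
    subprocess.run(useradd_argv(login, fullname, groups),
                   input=password + "\n", text=True, check=True)
    return password


if __name__ == "__main__":
    if os.geteuid() != 0 or not os.path.exists(PW):
        raise SystemExit("must run as root on a FreeBSD system with %s" % PW)
    pw = add_user("tom", "Tom Brown", groups=("mail",))
    print("created tom; initial password:", pw)
```

The argv builders are separate from the call that runs pw so the exact command line can be inspected (or logged without the password) before anything is changed; the password only ever travels over the pipe to pw's stdin.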

 

passwd command

The passwd command is the usual way to change your own password as a user or another user's password as the superuser root. Follow the prompts issued by the command.

passwd tom

This is the what is presented to the screen.

Changing local password for tom
New password:
Retype new password:
passwd: updating the database
passwd: done

 

chpass command

The chpass command edits a user's entry in the user database: password, login shell, expiry dates, and personal info such as full name and phone number. A normal user can change only their own full name, office, phone and shell; the superuser root can edit any field of any user's entry.

chpass tom

 

Super User

There is a single user that stands above all others. The kernel gives user root special privileges over everything in the FBSD system. Apart from that, root is a user like any other. When you are logged in using your personal account, you may want to do something that requires the privileges of the root account. You can log out and log in again as root, of course, but there is an easier way: just use the superuser command su and respond with the password for the root user when prompted. Only users who belong to the group named wheel are allowed to su to root. Adding someone to wheel is therefore a security decision; keep that group as small as you can.

Super User root has another special command, vipw. It opens the FBSD master password database (/etc/master.passwd) in an editor and, when you save, rebuilds /etc/passwd and the hashed database files with pwd_mkdb(8) while holding a lock so that a concurrent pw or passwd run cannot corrupt them. Every field is editable, including the encrypted password (putting a single * there locks the account). The fields are positional and colon-separated, so you must know their order and meaning to make changes without destroying the master password database. Be very careful, and never edit /etc/master.passwd with a plain editor, because the databases that login and pw actually consult would then be out of date.

 

Permissions

FBSD is a direct descendant of the multiuser UNIX system and has inherited its underlying permission model, which controls sharing of files and directories and, through their entries in /dev, of hardware devices and peripherals. Every file FBSD manages has a set of permissions governing who can read, write, and execute it.

These permissions are displayed as a 10 position control field.

The format of the permission control field (from left to right) is

Position 1 values = d   This is a directory
                    l   This is a symbolic link
                    -   This is a regular file
                    c   This is a character device (found in /dev)
                    b   This is a block device
                    s   This is a socket
                    p   This is a named pipe

The remaining 9 positions are broken into groups of 3 positions. The first group of 3 positions refers to the owner, the next group of 3 positions refers to the account group, and the last 3 positions refer to all other users. Any of the positions may hold a '-' dash, which means no permission.

Position 2, 3, 4 = owner
      Position 2 can contain an r means the owner has read access
                                - means the owner has no read access
      Position 3 can contain a  w means the owner has write access
                                - means the owner has no write access
      Position 4 can contain an x means the owner has execute access
                                - means the owner has no execute access

Position 5, 6, 7 = account group
      Position 5 can contain an r means the group has read access
                                - means the group has no read access
      Position 6 can contain a  w means the group has write access
                                - means the group has no write access
      Position 7 can contain an x means the group has execute access
                                - means the group has no execute access

Position 8, 9, 10 = all other users
      Position 8 can contain an r means all users have read access
                                - means all users have no read access
      Position 9 can contain a  w means all users have write access
                                - means all users have no write access
      Position 10 can contain an x means all users have execute access
                                - means all users have no execute access

Two further bits show up in the execute positions. An s in position 4 or 7 means the file is set-user-ID or set-group-ID: when run it takes the identity of the file's owner (or group) rather than of the caller, which is how passwd and su obtain the privilege to change protected files, and also why such files deserve a close look. A t in position 10 on a directory is the sticky bit, as on /tmp: anyone may create files there, but only a file's owner may delete or rename it. A capital S or T means the special bit is set but execute is not.

 

Read permission: Lets you look at a file: an editor can show its contents and you can copy it. On a directory it lets you list the names in it.

Write permission: Lets you change the contents of a file and save it. On a directory it lets you create, delete and rename entries; deleting a file requires write permission on the directory, not on the file itself.

Execute permission: Lets you run the program or shell script contained in the file. On a directory it lets you enter it (cd) and reach the files inside by name; without it, even a directory you can read will not let you open its files.

You can use the ls -l command to view a long directory listing that displays the 10 position permission control field to the far left side of the listing.

For example, a ls -l /etc/

drwxr-xr-x 2 root wheel 512 Oct 9 2002 X11
-rw-r--r-- 1 root wheel 1340 Jan 7 2003 adduser.conf
lrwxrwxrwx 1 root wheel 12 Jan 9 2003 aliases -> mail/aliases
-rw-r--r-- 1 root wheel 65536 Jan 9 2003 aliases.db
-rw-r--r-- 1 root wheel 208 Oct 9 2002 amd.map
-rwxr-xr-x 1 root wheel 7183 Jan 7 2003 cvsupfile
drwxr-xr-x 2 root wheel 512 Jan 9 2003 defaults
-rw-r--r-- 1 root wheel 271 Oct 9 2002 dhclient.conf
-rw-r--r-- 1 root wheel 6990 Oct 9 2002 disktab
-rw-r--r-- 1 root wheel 478 Oct 9 2002 dm.conf
-rw-rw-r-- 1 root operator 0 Oct 9 2002 dumpdates
-rw-r--r-- 1 root wheel 142 Oct 9 2002 fbtab
-rwxr-xr-x 1 root wheel 832 Nov 10 13:13 fstab
-rwxr-xr-x 1 root wheel 1886 Jan 7 2003 gettytab
drwxr-xr-x 2 root wheel 512 Jan 9 2003 gnats
-rw-r--r-- 1 root wheel 477 Jul 9 18:14 group
-rwxr-xr-x 1 root wheel 1996 Jan 7 2003 newsyslog.conf
-rw------- 1 root wheel 1603 Oct 9 2002 nsmb.conf

Let's look closely at the first line in the above listing.

drwxr-xr-x 2 root wheel 512 Oct 9 2002 X11

The file and directory names are on the far right side. This is a directory, because the first position of the permission control field is a d. The word root means the owner of the directory is root, and the word wheel is the name of the account group. The permission control field says that owner root has read, write, and execute permission, that the account group wheel has read and execute permission, and that all other users have the same as wheel.

Let's look at one more.

-rw-rw-r-- 1 root operator 0 Oct 9 2002 dumpdates

This one is a regular file, because position one of the permission control field is a -. Owner root has read and write permission, account group operator has the same permission as owner root, and all other users have read permission only.

 

Managing Permissions

Only a file's owner and root can change its permissions; membership in the account group 'wheel' gives no such right. The command chmod is used to change the permission settings in the permission control field. It accepts either a 3 digit octal number or a symbolic mode made of who letters (u, g, o, a), an operator (+, -, =) and permission letters (r, w, x), for example chmod g+w file. The 3 digit numerical form is easier to understand and use. Each digit represents one group of the permission control field: owner, account group, and all other users. A fourth, leading digit sets the special bits (4 = set-user-ID, 2 = set-group-ID, 1 = sticky), as in chmod 4755. The permission digits are:

Digit Permission

0  None
1  Execute Only
2  Write Only
3  Write and Execute
4  Read Only
5  Read and Execute
6  Read and Write
7  Read, Write, and Execute

 

Change file permissions

chmod 700 dumpdates

would assign owner read, write, and execute permissions, and account group and all other users get no permission.

An ls -l dumpdates would show this:

-rwx------ 1 root operator 0 Oct 9 2002 dumpdates

 

chmod 764 dumpdates

would assign owner read, write, and execute permissions, account group gets read and write permissions, and all other users get read only permission.

ls -l dumpdates  would show this:

-rwxrw-r-- 1 root operator 0 Oct 9 2002 dumpdates
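As an added example that is not part of the original guide, the following Python converts between the 10-position field that ls -l prints and the octal mode that chmod takes, in both directions, and then uses the converter to scan a listing for the two things worth checking first in any directory: set-user-ID/set-group-ID executables and world-writable entries. It goes beyond the guide's r/w/x table by handling the s/t special bits and every file-type letter in position 1. The listing it scans is constructed for the example: four lines copy entries from the /etc listing above, and the ping and fstab lines are made up.

```python
"""Added example (not part of the original guide): convert between the
10-position permission field printed by ls -l and the octal mode that chmod
takes, then audit a listing for setuid/setgid and world-writable entries.
Handles the s/S and t/T special bits and all file-type letters in position 1.
"""
import stat

# Position 1 of the field: the file type.
FILE_TYPES = {"-": "regular file", "d": "directory", "l": "symbolic link",
              "c": "character device", "b": "block device",
              "s": "socket", "p": "named pipe"}


def field_to_octal(field):
    """'-rwxrw-r--' -> 0o764, '-rwsr-xr-x' -> 0o4755 (type letter is ignored)."""
    if len(field) != 10 or field[0] not in FILE_TYPES:
        raise ValueError("not a 10-position permission field: %r" % field)
    mode = 0
    for who, triplet in enumerate((field[1:4], field[4:7], field[7:10])):
        shift = 6 - 3 * who            # owner digit, group digit, other digit
        r, w, x = triplet
        if r == "r":
            mode |= 4 << shift
        if w == "w":
            mode |= 2 << shift
        if x in "xst":                 # lower-case s/t: special bit AND execute
            mode |= 1 << shift
        if who == 0 and x in "sS":
            mode |= stat.S_ISUID
        if who == 1 and x in "sS":
            mode |= stat.S_ISGID
        if who == 2 and x in "tT":
            mode |= stat.S_ISVTX
    return mode


def octal_to_field(mode, ftype="-"):
    """0o764 -> '-rwxrw-r--': what ls -l shows after `chmod 764 file`."""
    specials = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)
    out = [ftype]
    for who, shift in enumerate((6, 3, 0)):
        bits = (mode >> shift) & 7
        out.append("r" if bits & 4 else "-")
        out.append("w" if bits & 2 else "-")
        execute = bool(bits & 1)
        if mode & specials[who]:
            letter = "t" if who == 2 else "s"
            out.append(letter if execute else letter.upper())
        else:
            out.append("x" if execute else "-")
    return "".join(out)


def audit_listing(listing):
    """Return (name, finding) pairs for setuid, setgid and world-writable
    entries in `ls -l` output. Symlinks are skipped: their mode is always
    rwxrwxrwx and the kernel ignores it."""
    findings = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 9:             # mode links owner group size mon day time name
            continue
        field, name = parts[0], parts[8]
        if field[0] == "l":
            continue
        mode = field_to_octal(field)
        if mode & stat.S_ISUID:
            findings.append((name, "setuid"))
        if mode & stat.S_ISGID:
            findings.append((name, "setgid"))
        if mode & stat.S_IWOTH:
            findings.append((name, "world-writable"))
    return findings


# Constructed listing: the first four lines copy entries from the guide's
# /etc listing; the ping and fstab lines are made up to exercise the checks.
SAMPLE_LISTING = """\
drwxr-xr-x 2 root wheel 512 Oct 9 2002 X11
-rw-rw-r-- 1 root operator 0 Oct 9 2002 dumpdates
-rw------- 1 root wheel 1603 Oct 9 2002 nsmb.conf
lrwxrwxrwx 1 root wheel 12 Jan 9 2003 aliases -> mail/aliases
-rwsr-xr-x 1 root wheel 24576 Oct 9 2002 ping
-rw-rw-rw- 1 root wheel 832 Nov 10 13:13 fstab
"""

if __name__ == "__main__":
    print("chmod 764 dumpdates ->", octal_to_field(0o764))
    for name, why in audit_listing(SAMPLE_LISTING):
        print("%-10s %s" % (name, why))
```

Feeding it real output (ls -l /etc | python3 -c '...' or a saved listing) gives a quick sanity check after any chmod: a world-writable fstab or an unexpected set-user-ID binary shows up immediately, which the raw rwx columns make easy to miss.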

 

Change file owner

The chown command is used to change the owner. On FBSD only root may do this; an ordinary owner cannot give a file away to someone else. If my personal FBSD account name was joe and I wanted to change the owner of dumpdates from root to joe, I would use this:

chown joe dumpdates

 

Change file group

The chgrp command is used to change the account group. The file's owner may change it to any group they are a member of; root may set any group. If I wanted to change the dumpdates group from operator to network, I would use this:

chgrp network dumpdates

 


This FreeBSD Installer Guide is a public domain HOW-TO. This content may be reproduced, in any form or by any means, and used by all without permission in writing from the author.