FreeBSD allows multiple users to use the computer at the same time. While only one user can sit in front of the screen and use the keyboard at any one time, any number of users can log in to the system through the network. To use the system, each user should have their own user account.
This chapter describes:
- The different types of user accounts on a FreeBSD system.
- How to add, remove, and modify user accounts.
- How to set limits to control the resources that users and groups are allowed to access.
- How to create groups and add users as members of a group.
Since all access to the FreeBSD system is achieved using accounts and all processes are run by users, user and account management is important.
There are three main types of accounts: system accounts, user accounts, and the superuser account.
System accounts are used to run services such as DNS, mail, and web servers. The reason for this is security: if all services ran as the superuser, a compromised service could act without restriction.
Examples of system accounts are daemon, operator, bind, news, and www. The account nobody is the generic unprivileged system account. However, the more services that run as nobody, the more files and processes that user becomes associated with, and hence the more privileged that user effectively becomes.
User accounts are assigned to real people and are used to log in and use the system. Every person accessing the system should have a unique user account. This allows the administrator to find out who is doing what and prevents users from clobbering the settings of other users.
Each user can set up their own environment to accommodate their use of the system, by configuring their default shell, editor, key bindings, and language settings.
Every user account on a FreeBSD system has certain information associated with it:
- User name: The user name is typed at the login: prompt. Each user must have a unique user name. There are a number of rules for creating valid user names which are documented in passwd(5). It is recommended to use user names that consist of eight or fewer, all lower case characters in order to maintain backwards compatibility with applications.
- Password: Each account has an associated password.
- User ID (UID): The User ID (UID) is a number used to uniquely identify the user to the FreeBSD system. Commands that allow a user name to be specified will first convert it to the UID. It is recommended to use a UID less than 65535, since higher values may cause compatibility issues with some software.
- Group ID (GID): The Group ID (GID) is a number used to uniquely identify the primary group that the user belongs to. Groups are a mechanism for controlling access to resources based on a user's GID rather than their UID. This can significantly reduce the size of some configuration files and allows users to be members of more than one group. It is recommended to use a GID of 65535 or lower as higher GIDs may break some software.
- Login class: Login classes are an extension to the group mechanism that provide additional flexibility when tailoring the system to different users. Login classes are discussed further in Section 14.13.1, “Configuring Login Classes”.
- Password change time: By default, passwords do not expire. However, password expiration can be enabled on a per-user basis, forcing some or all users to change their passwords after a certain amount of time has elapsed.
- Account expiry time: By default, FreeBSD does not expire accounts. When creating accounts that need a limited lifespan, such as student accounts in a school, specify the account expiry date using pw(8). After the expiry time has elapsed, the account cannot be used to log in to the system, although the account's directories and files will remain.
- User's full name: The user name uniquely identifies the account to FreeBSD, but does not necessarily reflect the user's real name. Similar to a comment, this information can contain spaces, uppercase characters, and be more than 8 characters long.
- Home directory: The home directory is the full path to a directory on the system. This is the user's starting directory when the user logs in. A common convention is to put all user home directories under /home/username or /usr/home/username. Each user stores their personal files and subdirectories in their own home directory.
- User shell: The shell provides the user's default environment for interacting with the system. There are many different kinds of shells and experienced users will have their own preferences, which can be reflected in their account settings.
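As an added example, which is not part of the FreeBSD Handbook, the following POSIX sh script checks a master.passwd(5)-style file against the conventions just listed: login names of eight or fewer lowercase characters, UIDs and GIDs no higher than 65535, unique UIDs, no empty password field, and no second account with UID 0. The sample records, their logins and the hash placeholders are constructed for the demonstration; on a real system the superuser would feed it /etc/master.passwd instead.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD Handbook: audit a master.passwd(5)-style
# file against the account conventions described in this chapter. The sample
# below is constructed; the logins and hash placeholders are not from a real system.
#
# master.passwd fields:
#   name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE='root:$6$salt$hash:0:0::0:0:Charlie &:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
jru:$6$salt$hash:1001:1001::0:0:J. Random User:/home/jru:/usr/local/bin/zsh
Backup-Op:$6$salt$hash:70000:1001::0:0:Backup operator:/home/backup:/bin/sh
svcacct::1002:1001:daemon:0:0:Service account:/nonexistent:/usr/sbin/nologin
jru2:*:1001:1001::0:0:Duplicate uid:/home/jru2:/bin/sh'

# Read master.passwd lines on stdin; print one finding per line as CHECK:login.
# Prints nothing when the file is clean. The exit status is always 0 so the
# output can be collected; use passwd_is_clean for a pass/fail answer.
audit_passwd() {
    awk -F: '
        /^#/ || NF == 0 { next }                         # comments and blank lines
        NF != 10        { print "FIELDS:" $1; next }     # malformed record
        $1 !~ /^[a-z_][a-z0-9_-]*$/ { print "NAME_CHARS:" $1 }
        length($1) > 8  { print "NAME_LENGTH:" $1 }
        $3 > 65535      { print "UID_RANGE:" $1 }
        $4 > 65535      { print "GID_RANGE:" $1 }
        $2 == ""        { print "EMPTY_PASSWORD:" $1 }   # login with no password at all
        $3 == 0 && $1 != "root" { print "EXTRA_UID0:" $1 }
        ($3 in seen)    { print "DUP_UID:" $1 }
                        { seen[$3] = 1 }
    '
}

# Pass/fail wrapper: succeeds only when the audit produced no findings.
passwd_is_clean() { [ -z "$(audit_passwd)" ]; }

# Stand-alone run over the constructed sample. On FreeBSD, as root:
#   audit_passwd < /etc/master.passwd
printf '%s\n' "$SAMPLE" | audit_passwd
```

Each check maps to one recommendation in the list above; the DUP_UID and EXTRA_UID0 checks matter most from a security standpoint, since two logins sharing a UID are indistinguishable to the kernel and a second UID 0 account is a second superuser.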
The superuser account, usually called root, is used to manage the system with no limitations on privileges. For this reason, it should not be used for day-to-day tasks like sending and receiving mail, general exploration of the system, or programming.

The superuser, unlike other user accounts, can operate without limits, and misuse of the superuser account may result in spectacular disasters. User accounts are unable to destroy the operating system by mistake, so it is recommended to log in as a user account and to only become the superuser when a command requires extra privilege.

Always double and triple-check any commands issued as the superuser, since an extra space or missing character can mean irreparable data loss.

There are several ways to gain superuser privilege. While one can log in as root, this is highly discouraged. Instead, use su(1) to become the superuser. If - is specified when running this command, the user will also inherit the root user's environment. The user running this command must be in the wheel group or else the command will fail. The user must also know the password for the root user account.

In this example, the user only becomes superuser in order to run make install, as this step requires superuser privilege. Once the command completes, the user types exit to leave the superuser account and return to the privilege of their user account.

Example Install a Program As the Superuser
% configure
% make
% su -
Password:
# make install
# exit
%

The built-in su(1) framework works well for single systems or small networks with just one system administrator. An alternative is to install the security/sudo package or port. This software provides activity logging and allows the administrator to configure which users can run which commands as the superuser.
FreeBSD provides a variety of different commands to manage user accounts. The most common commands are summarized in Table 4.1, “Utilities for Managing User Accounts”, followed by some examples of their usage. See the manual page for each utility for more details and usage examples.
Table Utilities for Managing User Accounts
Command | Summary |
---|---|
adduser(8) | The recommended command-line application for adding new users. |
rmuser(8) | The recommended command-line application for removing users. |
chpass(1) | A flexible tool for changing user database information. |
passwd(1) | The command-line tool to change user passwords. |
pw(8) | A powerful and flexible tool for modifying all aspects of user accounts. |
The recommended program for adding new users is adduser(8). When a new user is added, this program automatically updates /etc/passwd and /etc/group. It also creates a home directory for the new user, copies in the default configuration files from /usr/share/skel, and can optionally mail the new user a welcome message. This utility must be run as the superuser.

The adduser(8) utility is interactive and walks through the steps for creating a new user account. As seen in Example 4.2, “Adding a User on FreeBSD”, either input the required information or press Return to accept the default value shown in square brackets. In this example, the user has been invited into the wheel group, allowing them to become the superuser with su(1). When finished, the utility will prompt to either create another user or to exit.
Example Adding a User on FreeBSD
# adduser
Username: jru
Full name: J. Random User
Uid (Leave empty for default):
Login group [jru]:
Login group is jru. Invite jru into other groups? []: wheel
Login class [default]:
Shell (sh csh tcsh zsh nologin) [sh]: zsh
Home directory [/home/jru]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : jru
Password   : ****
Full Name  : J. Random User
Uid        : 1001
Class      :
Groups     : jru wheel
Home       : /home/jru
Shell      : /usr/local/bin/zsh
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (jru) to the user database.
Add another user? (yes/no): no
Goodbye!
#
Note:
Since the password is not echoed when typed, be careful to not mistype the password when creating the user account.
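adduser(8) is interactive; when several accounts have to be provisioned at once, the same fields can be passed to pw(8) from a script. The following POSIX sh script is an added example and not part of the Handbook: it reads a constructed list of hypothetical accounts (jru, db, and the deliberately invalid Intern01), validates each login name against the conventions described earlier in this chapter, and builds one pw useradd command per account that sets the full name, shell, login class, extra groups and expiry date. By default it only prints the commands; the pw flags it uses (-c, -s, -L, -G, -e, -m and -w no) are documented in pw(8).

```shell
#!/bin/sh
# Added example, not part of the FreeBSD Handbook: create several accounts
# non-interactively with pw(8) instead of answering adduser(8) prompts.
# The account list below is constructed for the demonstration; the logins,
# groups and expiry dates are hypothetical.
#
# Record format (one per line): login,full name,extra groups,shell,login class,expiry
USERS='jru,J. Random User,wheel,/usr/local/bin/zsh,default,
db,D. B. Admin,teamtwo,/bin/sh,default,+90d
Intern01,Too Long Name,,/bin/sh,default,+30d'

# DRY_RUN=1 (the default) prints each pw command instead of running it.
# Run with DRY_RUN= as root on a FreeBSD system to apply the commands.
: "${DRY_RUN:=1}"

# Validate a login name against the conventions in this chapter: eight or
# fewer characters, lowercase letters, digits, '_' or '-', and not starting
# with a digit or '-'. passwd(5) documents the full rules.
valid_login() {
    case $1 in
        ''|*[!a-z0-9_-]*|[!a-z_]*) return 1 ;;
    esac
    [ ${#1} -le 8 ]
}

# Build and (unless DRY_RUN is set) run the pw useradd command for one record.
# -m creates the home directory from /usr/share/skel; -w no leaves the account
# without a usable password, so the superuser must run passwd(1) before the
# user can log in; -e sets the account expiry date (relative form +Nd).
add_user() {
    login=$1 fullname=$2 extra_groups=$3 shell=$4 class=$5 expiry=$6
    if ! valid_login "$login"; then
        echo "skipping '$login': not a valid login name" >&2
        return 1
    fi
    set -- pw useradd "$login" -c "$fullname" -s "$shell" -L "$class" -m -w no
    [ -n "$extra_groups" ] && set -- "$@" -G "$extra_groups"
    [ -n "$expiry" ] && set -- "$@" -e "$expiry"
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"    # shown flattened; the real run passes each argument intact
    else
        "$@"
    fi
}

# Process the list; an invalid record is reported and skipped, not fatal.
printf '%s\n' "$USERS" | while IFS=, read -r login fullname extra_groups shell class expiry; do
    add_user "$login" "$fullname" "$extra_groups" "$shell" "$class" "$expiry" || :
done
```

The arguments are assembled with set -- rather than by string concatenation so that a full name containing spaces reaches pw(8) as a single argument; the dry-run line is only a flattened display of that argument vector.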
To completely remove a user from the system, run rmuser(8) as the superuser. This command performs the following steps:
- Removes the user's crontab(1) entry, if one exists.
- Removes any at(1) jobs belonging to the user.
- Kills all processes owned by the user.
- Removes the user from the system's local password file.
- Optionally removes the user's home directory, if it is owned by the user.
- Removes the incoming mail files belonging to the user from /var/mail.
- Removes all files owned by the user from temporary file storage areas such as /tmp.
- Finally, removes the username from all groups to which it belongs in /etc/group. If a group becomes empty and the group name is the same as the username, the group is removed. This complements the per-user unique groups created by adduser(8).

rmuser(8) cannot be used to remove superuser accounts since that is almost always an indication of massive destruction.

By default, an interactive mode is used, as shown in the following example.
Any user can use chpass(1) to change their default shell and personal information associated with their user account. The superuser can use this utility to change additional account information for any user.

When passed no options, aside from an optional username, chpass(1) displays an editor containing user information. When the user exits from the editor, the user database is updated with the new information.

Note:
This utility will prompt for the user's password when exiting the editor, unless the utility is run as the superuser.

In Example 4.4, “Using chpass as Superuser”, the superuser has typed chpass jru and is now viewing the fields that can be changed for this user. If jru runs this command instead, only the last six fields will be displayed and available for editing. This is shown in Example 4.5, “Using chpass as Regular User”.

Example Using chpass as Superuser
# chpass jru
#Changing user database information for jru.
Login: jru
Password: *
Uid [#]: 1001
Gid [# or name]: 1001
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/jru
Shell: /usr/local/bin/zsh
Full Name: J. Random User
Office Location:
Office Phone:
Home Phone:
Other information:

Example Using chpass as Regular User
% chpass
#Changing user database information for jru.
Shell: /usr/local/bin/zsh
Full Name: J. Random User
Office Location:
Office Phone:
Home Phone:
Other information:

Note:
The commands chfn(1) and chsh(1) are links to chpass(1), as are ypchpass(1), ypchfn(1), and ypchsh(1). Since NIS support is automatic, specifying the yp before the command is not necessary. How to configure NIS is covered in Chapter 29, Network Servers.
Any user can easily change their password using passwd(1). To prevent accidental or unauthorized changes, this command will prompt for the user's original password before a new password can be set:

Example Changing Your Password
% passwd
Changing local password for jru.
Old password:
New password:
Retype new password:
passwd: updating the database...
passwd: done

The superuser can change any user's password by specifying the username when running passwd(1). When this utility is run as the superuser, it will not prompt for the user's current password. This allows the password to be changed when a user cannot remember the original password.

Example Changing Another User's Password as the Superuser
# passwd jru
Changing local password for jru.
New password:
Retype new password:
passwd: updating the database...
passwd: done
Note:
The pw(8) utility can create, remove, modify, and display users and groups. It functions as a front end to the system user and group files. pw(8) has a very powerful set of command line options that make it suitable for use in shell scripts, but new users may find it more complicated than the other commands presented in this section.
A group is a list of users. A group is identified by its group name and GID. In FreeBSD, the kernel uses the UID of a process, and the list of groups it belongs to, to determine what the process is allowed to do. Most of the time, the GID of a user or process refers to the first group in that list, the primary group.
The group name to GID mapping is listed in /etc/group. This is a plain text file with four colon-delimited fields. The first field is the group name, the second is the encrypted password, the third the GID, and the fourth the comma-delimited list of members. For a more complete description of the syntax, refer to group(5).

The superuser can modify /etc/group using a text editor. Alternatively, pw(8) can be used to add and edit groups. For example, to add a group called teamtwo and then confirm that it exists:

In this example, 1100 is the GID of teamtwo. Right now, teamtwo has no members. This command will add jru as a member of teamtwo.

Example Adding User Accounts to a New Group Using pw(8)
# pw groupmod teamtwo -M jru
# pw groupshow teamtwo
teamtwo:*:1100:jru

The argument to -M is a comma-delimited list of users to be added to a new (empty) group or to replace the members of an existing group. Because -M replaces rather than appends, using it on a group that already has members, such as wheel, silently drops the existing members; use -m to append. To the user, this group membership is different from (and in addition to) the user's primary group listed in the password file. This means that a user is not listed as a member of their primary group when that group is shown with pw groupshow, but the membership does appear when the information is queried via id(1) or a similar tool. When pw(8) is used to add a user to a group, it only manipulates /etc/group and does not attempt to read additional data from /etc/passwd.

Example Adding a New Member to a Group Using pw(8)
# pw groupmod teamtwo -m db
# pw groupshow teamtwo
teamtwo:*:1100:jru,db

In this example, the argument to -m is a comma-delimited list of users who are to be added to the group. Unlike the previous example, these users are appended to the group and do not replace existing users in the group.

Example Using id(1) to Determine Group Membership
% id jru
uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)

In this example, jru is a member of the groups jru and teamtwo.

For more information about this command and the format of /etc/group, refer to pw(8) and group(5).
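The following POSIX sh script is an added example, not from the Handbook, that reproduces the group resolution id(1) performs, using constructed copies of /etc/passwd and /etc/group with hypothetical users jru, db and svc. It shows why a user's primary group never appears in pw groupshow output but does appear in id(1): the primary group comes from the fourth field of the password file, while /etc/group only lists supplementary members. It also derives who is in wheel and is therefore allowed to use su(1).

```shell
#!/bin/sh
# Added example, not part of the FreeBSD Handbook: resolve a user's effective
# group list the way id(1) does, from constructed copies of /etc/passwd and
# /etc/group. The users and groups below are hypothetical sample data.

# Constructed /etc/passwd (name:password:uid:gid:gecos:home:shell).
PASSWD_DB='root:*:0:0:Charlie &:/root:/bin/sh
jru:*:1001:1001:J. Random User:/home/jru:/usr/local/bin/zsh
db:*:1002:1002:D. B. Admin:/home/db:/bin/sh
svc:*:1003:1100:Service account:/nonexistent:/usr/sbin/nologin'

# Constructed /etc/group (name:password:gid:members). Note that jru and db
# are not listed as members of their own primary groups, exactly as
# adduser(8) and pw(8) leave them.
GROUP_DB='wheel:*:0:root,jru
jru:*:1001:
db:*:1002:
teamtwo:*:1100:jru,db'

# Primary GID of a user, taken from the password file.
primary_gid() {
    printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# Group name for a GID; falls back to the number if /etc/group has no entry,
# which is what id(1) prints for an unknown GID.
group_name() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v g="$1" \
        '$3 == g { print $1; found = 1; exit } END { if (!found) print g }'
}

# Effective group names of a user, space separated: the primary group first,
# then every group whose member list names the user, without duplicates.
groups_of() {
    user=$1
    gid=$(primary_gid "$user")
    [ -n "$gid" ] || { echo "no such user: $user" >&2; return 1; }
    {
        group_name "$gid"
        printf '%s\n' "$GROUP_DB" | awk -F: -v u="$user" '{
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }'
    } | awk '!seen[$0]++' | tr '\n' ' ' | sed 's/ $//'
}

# su(1) to root requires membership of wheel; report whether the user has it.
can_su() {
    groups_of "$1" | tr ' ' '\n' | grep -qx wheel
}

# Stand-alone run over the constructed data.
for u in root jru db svc; do
    printf '%s: %s' "$u" "$(groups_of "$u")"
    if can_su "$u"; then echo ' (may su to root)'; else echo; fi
done
```

The svc account illustrates the inverse case of the jru example above: its primary GID 1100 makes it a member of teamtwo even though pw groupshow teamtwo would never list it, which is why an audit of who can reach a group must consult the password file as well as /etc/group.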