- Adding a New User
- Changing details of a User
- Deleting a User
- Group Management
- Root, Super Administrator
- Moving from UserID to root
[ Required Decisions: user-name, account-type]
From the man pages adduser(8):
DESCRIPTION The adduser program adds new users to the system. The rmuser program removes users from the system. When not passed any arguments, both utilities operate in interactive mode and prompt for any required information.
The first thing a fresh install of OpenBSD warns you of when you log in is: do not log in as root, but use su. That is, you should create a user who can use su (the Substitute User program) to change to the "root" user when you want to perform administration tasks.
The following instructions guide you through the creation of a new user with SuperUser access privileges.
OpenBSD supplies the adduser script to simplify adding new users. All you have to know to create a new user is the name of the person, and what you want the login account name to be.
The adduser script is started at the command prompt.
When first started, adduser will query you to set or change the default settings. Once the standard configuration has been set, it will continue by prompting for adding new users.
adduser supports two flags, -silent and -verbose. You don't really need to know these at the beginning, but you can check the details in the man pages. Read through the example below and then start adduser to create your new account.
Enter username [a-z0-9_-]: bricker
Enter full name [ ]: Sven De La Palmer
Enter shell bash csh ksh nologin sh [bash]: <hit ENTER>
The shell is your command line interpreter. It reads in the commands you type and tries to decipher them. There are several different shells to choose from. If bash does not show on the screen, then review adding packages in the 1st Time Config introduction. You can change your settings at a later time so do not worry if some settings are not as you want them right now. The documentation that comes with OpenBSD says that 'most people' use bash.
Enter home directory (full path) [/home/bricker]: <hit ENTER>
Uid : <hit ENTER>
The uid is the User ID number that the system uses to keep track of people. These should be unique on the system. Use the default values offered by the program unless you have good knowledge of previously granted ID numbers.
Enter login class: default : <hit ENTER>
The login class allows you to set up resource limits for groups of users.
Login group bricker [bricker]: <hit ENTER>
Login group is "bricker". Invite bricker into other groups: guest no [no]: <hit ENTER>
Login groups are used to divide security privileges by account groups. For most users you can use the default setting (NO) and just hit Enter to continue.
If the account you are creating will be your Administrator account, then you must make sure that you have specified the group 'wheel' in the above response. Don't worry if you make a mistake, we can fix it later.
Enter password :
Enter password again :
You will be asked for the user's password twice and it will not be displayed. Afterwards, it will display all of the user's information and ask if it is correct.
Name: bricker
Password: ****
Fullname: Sven De La Palmer
Uid: 1000
Gid: 1000 (bricker)
Class:
Groups: bricker
HOME: /home/bricker
Shell: /bin/sh
OK? (y/n) [y]: <hit ENTER>
If you make a mistake, you can start over, or it's possible to correct most of this information using the 'chpass' command (discussed below).
Changing User Information
Once you've configured the base system for working, we can look at basic configuration of users. Note, for those with some previous Unix experience: do not just edit /etc/passwd or /etc/master.passwd.
Use the chpass utility when adding or changing user information. If you try to modify the user shell selection manually (by changing /etc/passwd) it won't work; trust me, I made this mistake for weeks before I found out my erroneous ways.
Entered at the command line without a parameter (i.e. typed by itself), chpass will edit your personal information. As root, you can use it to modify any user account on the system. You can find more details on chpass in the man pages, but let's go through an example review of the account we created above.
# chpass bricker
This will bring up information about the user 'bricker' in the 'vi' editor. The password line is encrypted, so don't change it. If you want to disable the user, one method would be to add a # at the beginning of the password string, so you can easily remove it later when you want to reactivate the user. There are other methods of disabling a user that may be better, though.
Login: bricker
Password:
Uid [#]: 1000
Gid [# or name]: 1000
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/bricker
Shell: /bin/sh
Full Name: Sven De La Palmer
Office Location:
Office Phone:
Home Phone:
Other information:
~
~
~
~
~
~
~
~
/path/temp-file: unmodified: line 1
Remember your vi commands?
- :q (colon+q) quit,
- :w (colon+w) write,
- :q! (colon+q+exclamation-mark) quit without saving.
If you're still having problems, remember the tutorial
Alternative tools useful for batch processing include usermod.
[Ref: What to do AFTER you have BSD installed] by Chris Coleman
Deleting a User
From the man page userdel(8):
The userdel utility removes a user from the system, optionally removing that user's home directory and any subdirectories.
The main options used during account deletion are:
userdel [-prv] user
The following command line options are recognised:
-p preserve the user information in the password file, but do not allow the user to login, by switching the password to an ``impossible'' one, and by setting the user's shell to the false(1) program. This option can be helpful in preserving a user's files for later use by members of that person's group after the user has moved on. This value can also be set in the /etc/usermgmt.conf file, using the `preserve' field. If the field has any of the values `true', `yes', or a non-zero number, then user information preservation will take place.
-r remove the user's home directory, any subdirectories, and any files and other entries in them.
-v perform any actions in a verbose manner.
Group Management
Groups are categorisations of users that allow administrators to assign privileges and restrictions to a range of users depending on their group allocation.
OpenBSD 2.7 included a set of group management tools, including the wrapper program 'group', which can be used as the interface to the separate tools. /usr/sbin/group merely takes the parameters given to it on the command line and passes them to the appropriate program.
Create a new Group
To add the new groups 'computerstaff' and 'class501' to the system, we can enter the following commands.
# group info computerstaff
group: can't find group `computerstaff'
# group add computerstaff
# group info computerstaff
name    computerstaff
passwd  *
gid     1002
members
Note that gid (Group ID) is sequential to the last group I have on my system, and there are no members yet for computerstaff.
# group info class501
group: can't find group `class501'
# group add class501
# group info class501
name    class501
passwd  *
gid     1003
members
We have successfully created two new groups, and verified their creation.
Adding Users to an Existing Group
Now that we have created our groups, we can go through and allocate users to the separate groups. The simplest method is to use the supplied utilities user(8) or usermod(8).
In our small scenario we only have one user (bricker), but since bricker is going to be part of 'computerstaff', we're putting that account into the group.
First we can check what groups 'bricker' is in, and we can review membership of 'computerstaff' again.
# userinfo bricker | grep "^groups"
# group info computerstaff | grep "^members"
members
We can simply add bricker using usermod -G (or user mod -G).
# user mod -G computerstaff bricker
# group info computerstaff | grep "^members"
Root, Super Administrator
A common problem for novice Unix administrators is not knowing how to set up the 'root' account or how to manage the accounts that have access to it.
The Super Administrator 'root' is any account configured with UserID '0' and GroupID '0'. This user has near-total authority on your machine, and you must be very careful in selecting any accounts with 0:0 privileges.
You can quickly check the above by looking in your /etc/passwd file, or by using a command similar to that shown here.
$ /usr/bin/grep :0:0: /etc/passwd
Assigning Root Privileges to Ordinary Users
Your administrator account should be a member of the group wheel. Regular users of your host should not be members of the wheel group.
You can specify the group in three ways:
- at the creation of the account (as above) or
- using usermod -G or
- by manually editing the file /etc/group.
Setting wheel during account creation
During account creation (using adduser) you are given the option to set the group an account belongs to, and any additional groups to include the user into.
Login group bricker [bricker]: <hit ENTER>
Login group is "bricker". Invite bricker into other groups: guest no [no]: wheel
During user creation, you can specify that you want the user to be invited into (included in) the 'wheel' group.
Using the usermod -G command
From the man page usermod(8):
-G secondary-group[,group,...] are the secondary groups the user will be a member of in the /etc/group file.
First we check to make sure that 'wheel' is the superuser group.
# /usr/bin/grep ':0:' /etc/group
In this scenario, bricker has not been added to the group 'wheel' which is the superuser group.
To add the group wheel to the groups allocated for bricker you use the following usermod command.
# usermod -G wheel bricker
# user info bricker | /usr/bin/grep "^groups"
groups bricker computerstaff wheel
Our user information tells us bricker is now part of three groups: bricker, computerstaff, and wheel.
We can verify the contents of the /etc/group file, specific to the group wheel by using group info or just grep:
# /usr/bin/grep ':0:' /etc/group
# group info wheel | grep "^members"
members root bricker
Manually Editing the file /etc/group
The third method for adding a new user to the group 'wheel' is to edit the 'wheel' entry in /etc/group directly.
The format of the file is a line for each record, of the form
group:password:gid:member,member,...
with the fields separated by colons, the members separated by commas, and no spaces allowed.
For example, the file /etc/group:
wheel:*:0:root,bricker
daemon:*:1:daemon
kmem:*:2:root
sys:*:3:root
tty:*:4:root
operator:*:5:root
bin:*:7:
news:*:8:
wsrc:*:9:
users:*:10:
As indicated in the above example, edit the file and add your userid 'bricker' to the line 'wheel'. Remember that the special group is the group that corresponds to GroupID '0'.
Moving from your UserID to root
With your administrator account in the 'wheel' group you can substitute/switch user from bricker to root using the 'su' command.
For example, while logged in as bricker, you can use 'su' to switch to root and perform the necessary tasks as 'root' before returning to your 'bricker' account.
$ su -
#
# whoami
From the man page su(1):
If group 0 (normally ``wheel'') has users listed then only those users can su to ``root''. It is not sufficient to change a user's /etc/passwd entry to add them to the ``wheel'' group; they must explicitly be listed in /etc/group. If no one is in the ``wheel'' group, it is ignored, and anyone who knows the root password is permitted to su to ``root''.
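The following script is an added example, not part of the original tutorial, that ties together the UID-0 check from the root section and the su(1) rule just quoted: it reports every UID 0 account in a passwd-format file, every member of GID 0 in a group-format file, and what the su rule implies. The sample files and the extra 'opsroot' account are constructed for illustration; pass /etc/passwd and /etc/group to audit a live host.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit who holds root
# authority. It lists every account with UID 0 in a passwd-format file,
# every member of GID 0 in a group-format file, and applies the su(1)
# rule quoted above. Pass /etc/passwd and /etc/group to audit a live host;
# the sample files below are constructed to mirror the tutorial's scenario.
SAMPLE_PASSWD=$(mktemp)
SAMPLE_GROUP=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_GROUP"' EXIT

# 'opsroot' is a hypothetical second UID-0 account with a non-zero GID;
# the tutorial's 'grep :0:0:' would not report it.
cat >"$SAMPLE_PASSWD" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/ksh
daemon:*:1:1:The devil himself:/root:/sbin/nologin
opsroot:*:0:1000:Hypothetical second root:/root:/bin/sh
bricker:*:1000:1000:Sven De La Palmer:/home/bricker:/usr/local/bin/bash
EOF
cat >"$SAMPLE_GROUP" <<'EOF'
wheel:*:0:root,bricker
daemon:*:1:daemon
bricker:*:1000:
computerstaff:*:1002:bricker
EOF

# Login names whose UID (3rd field) is 0, regardless of GID.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# Members of the group whose GID (3rd field) is 0, one per line.
# The 4th field is the comma-separated member list, with no spaces.
gid0_members() {
    awk -F: '$3 == 0 { n = split($4, m, ",")
                       for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}
# su(1) rule: if group 0 has members, only they may su to root;
# if it is empty, anyone who knows the root password may.
su_policy() {
    members=$(gid0_members "$1" | tr '\n' ' ')
    if [ -z "$members" ]; then
        echo "open: group 0 is empty, any user with the root password may su"
    else
        echo "restricted: only ${members}may su"
    fi
}

echo "UID 0 accounts:"; uid0_accounts "$SAMPLE_PASSWD"
echo "GID 0 members:";  gid0_members "$SAMPLE_GROUP"
su_policy "$SAMPLE_GROUP"
```

On the constructed data the script reports both root and opsroot as UID 0 accounts, and a restricted su policy limited to root and bricker.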
For more granular control over which commands you allow users to run, take a look at the sudo command.