User Administration

[Ref: BSD Certification | User Administration | New User (article) | Daemon News (article) | adduser(8), group(8), rmuser(8) ]

[ Required Decisions: user-name, account-type]

From the man page adduser(8):

DESCRIPTION
    The adduser program adds new users to the system. The rmuser 
    program removes users from the system. When not passed any arguments, 
    both utilities operate in interactive mode and prompt for any required 
    information.

The first thing a fresh install of OpenBSD tells you when you log in is not to log in as root, but to use su. In other words, create an ordinary user account and use su (the substitute-user program) to become "root" only when you actually need to perform administrative tasks.

The following instructions guide you through the creation of a new user with SuperUser access privileges.

OpenBSD supplies the adduser script to simplify adding new users. All you have to know to create a new user is the name of the person, and what you want the login account name to be.

The adduser script is started at the command prompt.

# adduser 

The first time it is run, adduser asks you to set or change the default settings (these are stored in /etc/adduser.conf). Once the standard configuration has been set, it continues by prompting for the new users to add.

Adding a New User

adduser accepts a number of options, among them -silent and -verbose. You don't need them at the beginning; the man page has the details. Read through the example below and then start adduser to create your new account.

# adduser
Enter username [a-z0-9_-]: bricker
Enter full name [ ]: Sven De La Palmer
Enter shell bash csh ksh nologin sh [sh]: <hit ENTER>

The shell is your command-line interpreter: it reads the commands you type and executes them. There are several shells to choose from. If bash is not in the list shown, it has not been installed; review adding packages in the 1st Time Config introduction. Any of these settings can be changed later, so do not worry if something is not exactly as you want it right now. The documentation that comes with OpenBSD says that 'most people' use bash.

Enter home directory (full path) [/home/bricker]: 
<hit ENTER>
Uid [1000]: <hit ENTER>

The uid is the numeric User ID the system uses to identify the account; it must be unique on the system. Accept the default offered by the program unless you know exactly which ID numbers have already been assigned.

Enter login class: default []: <hit ENTER>

The login class lets you apply resource limits and login settings to whole groups of users. Classes are defined in /etc/login.conf (see login.conf(5)); the empty default is fine for now.

Specifying user-group privileges
Login group bricker [bricker]: <hit ENTER>
Login group is "bricker". Invite bricker into other groups: 
guest no
[no]:  <hit ENTER>

Groups are how privileges are divided between sets of accounts. For most users you can accept the default (no additional groups) and just hit Enter to continue.

If the account you are creating is to be your administrator account, you must type wheel at the "Invite ... into other groups" prompt above instead of accepting the default: as explained later, when the wheel group has members only those members may su to root. Don't worry if you make a mistake; it can be fixed later.

Enter password []: 
Enter password again []: 

You will be asked for the user's password twice and it will not be displayed. Afterwards, it will display all of the user's information and ask if it is correct.

Name:     bricker 
Password: **** 
Fullname: Sven De La Palmer 
Uid:      1000 
Gid:      1000 (bricker) 
Class:    
Groups:   bricker
HOME:     /home/bricker 
Shell:    /bin/sh 
OK? (y/n) [y]: <hit ENTER> 

If you make a mistake, you can start over, or you can correct most of this information afterwards with the 'chpass' command (discussed below).
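The same account can be created without the interactive dialogue, which is what you want when adding users in bulk. The script below is an added example, not part of the original page or of OpenBSD's own tools. It assumes OpenBSD's useradd(8) options -m (create the home directory), -g =uid (create a login group named after the user, with the same number as the uid), -G (secondary groups), -s (shell), -c (full name) and -L (login class); it validates the login name against the same character set the adduser prompt accepts, and refuses group names that do not exist in /etc/group (or in the file named by the hypothetical GROUP_FILE variable). By default (DRY_RUN=1) it only prints the command; set DRY_RUN=0 and run it as root to create the account.

```shell
#!/bin/sh
# Added example: scripted account creation with useradd(8), the
# non-interactive counterpart of the adduser dialogue. Assumes OpenBSD's
# useradd(8) flags -m, -g =uid, -G, -s, -c and -L. DRY_RUN and GROUP_FILE
# are this script's own variables, not part of useradd.
DRY_RUN=${DRY_RUN:-1}
GROUP_FILE=${GROUP_FILE:-/etc/group}

# valid_login NAME: succeed only if NAME is non-empty and made of the
# characters adduser accepts, [a-z0-9_-].
valid_login() {
    case $1 in
        '' | *[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# group_exists NAME: succeed if NAME is a group defined in GROUP_FILE.
group_exists() {
    awk -F: -v g="$1" '$1 == g { found = 1 } END { exit !found }' "$GROUP_FILE"
}

# make_user LOGIN "FULL NAME" SHELL [GROUP[,GROUP...]] [CLASS]
# Prints (or, with DRY_RUN=0, runs) the useradd command. Bad names and
# unknown groups are rejected up front rather than leaving useradd to
# create a half-configured account.
make_user() {
    login=$1 fullname=$2 shell=$3 groups=${4:-} class=${5:-default}
    if ! valid_login "$login"; then
        echo "make_user: bad login name '$login'" >&2
        return 1
    fi
    oldifs=$IFS
    IFS=,
    for g in $groups; do
        if ! group_exists "$g"; then
            IFS=$oldifs
            echo "make_user: no such group '$g'" >&2
            return 1
        fi
    done
    IFS=$oldifs
    set -- useradd -m -g =uid -s "$shell" -c "$fullname" -L "$class"
    if [ -n "$groups" ]; then
        set -- "$@" -G "$groups"
    fi
    set -- "$@" "$login"
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        # set the password interactively afterwards, as adduser does
        "$@" && passwd "$login"
    fi
}

# Example: the account created above, as an administrator in wheel.
#   make_user bricker 'Sven De La Palmer' /bin/sh wheel,computerstaff
```

Run with DRY_RUN=1 first and read the printed command; only then rerun with DRY_RUN=0 as root. Because -G is checked against /etc/group before useradd runs, a typo such as "whel" fails loudly instead of silently creating an account that cannot su.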

Changing User Information

[Ref: chpass(1), vipw(8)]

Once you've configured the base system, we can look at the basic configuration of users. A note for those with some previous Unix experience: do not just edit /etc/passwd or /etc/master.passwd. On OpenBSD /etc/passwd is generated from /etc/master.passwd by pwd_mkdb(8), so changes made to it by hand are lost; if you really must edit the file directly, use vipw(8), which locks master.passwd and rebuilds the password databases when you finish.

Use the chpass utility when adding or changing user information. If you try to modify the user's shell manually (by changing /etc/passwd) it won't work; trust me, I've made this mistake for weeks before I found out my erroneous ways.

Entered at the command line without a parameter (i.e. typed by itself), chpass edits your own account information. As root, you can use it to modify any account on the system. The man page has the details; here we go through an example review of the account created above.

# chpass bricker 

This brings up the information about the user 'bricker' in the 'vi' editor (or the editor named by $EDITOR). The password field holds the hashed password, so don't change it. One quick way to disable the user is to put a '#' (or '*') at the beginning of the password string: no password will then match the hash, and removing the character later reactivates the account. Note that this only blocks password authentication; a login that does not use the password (an SSH key, for instance) is unaffected, and the account's cron jobs still run. There are better methods of disabling a user, such as the -p option of userdel(8) described below, which also sets the shell to false(1).

Login: bricker 
Password: 
Uid [#]: 1000 
Gid [# or name]: 1000 
Change [month day year]: 
Expire [month day year]: 
Class: 
Home directory: /home/bricker 
Shell: /bin/sh 
Full Name: Sven De La Palmer 
Office Location: 
Office Phone: 
Home Phone: 
Other information: 
~ 
~ 
~ 
~ 
~ 
~ 
~ 
~ 
/path/temp-file: unmodified: line 1 

Remember your vi commands?

  • :q (colon+q) quit,
  • :w (colon+w) write,
  • :wq (colon+w+q) write and quit,
  • :q! (colon+q+exclamation mark) quit without saving.

If you're still having problems, remember the tutorial.

Alternative tools, useful for batch processing, include usermod(8) and the user(8) wrapper.

[Ref: What to do AFTER you have BSD installed] by Chris Coleman

Deleting a User

[Ref: rmuser(8), user(8), useradd(8), userinfo(8), usermod(8), userdel(8) ]

From the man page userdel(8)

The userdel utility removes a user from the system,
optionally removing that user's home directory and any subdirectories.

The options used most often when deleting an account are:

userdel [-prv] user

The following command line options are recognised:

-p preserve the user information in the password file, but do 
not allow the user to login, by switching the password to an ``impossible'' 
one, and by setting the user's shell to the false(1) program. This option 
can be helpful in preserving a user's files for later use by members of 
that person's group after the user has moved on. This value can also be 
set in the /etc/usermgmt.conf file, using the `preserve' field. If the 
field has any of the values `true', `yes', or a non-zero number, then 
user information preservation will take place.

-r remove the user's home directory, any subdirectories, and 
any files and other entries in them.

-v perform any actions in a verbose manner.

Group Management

[Ref: group(8), groupadd(8), groupdel(8), groupinfo(8), groupmod(8) ]

Groups are the categorisation of users that lets an administrator grant privileges, or impose restrictions, on a whole set of users at once according to their group membership.

OpenBSD 2.7 included a set of group management tools, including the wrapper program 'group', which can be used as the interface to the separate tools. /usr/sbin/group merely takes the parameters given on the command line and passes them to the appropriate program.

Create a new Group

[Ref: group(8), groupadd(8) ]

To add new groups 'computerstaff' and 'class501' to the system, we can enter the commands.

# group info computerstaff
group: can't find group `computerstaff'
# group add computerstaff
# group info computerstaff 
name computerstaff
passwd *
gid 1002
members 

Note that gid (Group ID) is sequential to the last group I have on my system, and there are no members yet for computerstaff.

# group info class501
group: can't find group `class501'
# group add class501
# group info class501
name class501
passwd *
gid 1003
members 

We have successfully created two new groups, and verified their creation.

Adding Users to an Existing Group

[ref user(8), userinfo(8), usermod(8), group(8), groupinfo(8)]

Now that we have created our groups, we can allocate users to them. The simplest method is to use the user or usermod utilities.

In our small scenario we only have one user (bricker), but since bricker is going to be part of 'computerstaff' we put that account into the group.

First, check which groups 'bricker' is in, and review the membership of 'computerstaff' again.

# userinfo bricker | grep "^groups"
groups bricker
# group info computerstaff | grep "^members"
members

We can simply add bricker using usermod -G (or user mod -G), which adds the named group to the account's secondary groups:

# user mod -G computerstaff bricker
# group info computerstaff | grep "^members"
members bricker

Root, Super Administrator

A common problem for novice Unix administrators is not knowing how to set up the 'root' account, or how to manage the accounts that have access to it.

The superuser 'root' is any account with User ID '0'. The kernel grants privileges on the UID alone, so an account with UID 0 and some other group ID, or another login name, is just as much root as the 'root' entry itself. This user has near-total authority over your machine, and you must be very careful about which accounts are given UID 0.

You can quickly look for such accounts in your /etc/passwd file. The conventional root entry has both UID and GID 0, so a grep like the one below finds it; bear in mind, though, that it will not show a UID-0 account whose GID is anything other than 0.

$ /usr/bin/grep :0:0: /etc/passwd 
root:*:0:0:Charlie &,,,:/root:/usr/local/bin/bash
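Because the grep above only finds entries with both fields zero, the following added example (not from the original page) tests the UID field on its own. It reads passwd(5)-format text on standard input, so it can be run against /etc/passwd, a copy from a backup, or the constructed sample embedded below, which includes a hypothetical second root account, 'toor', that the grep misses.

```shell
#!/bin/sh
# Added example: list every account whose numeric UID is 0, whatever its
# GID or login name. Reads passwd(5)-format lines on stdin.

# uid0_accounts: print "login:uid:gid:shell" for each UID-0 entry.
# Blank lines and comments are skipped; lines without the seven passwd
# fields are reported on stderr instead of being silently trusted.
uid0_accounts() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }
        NF != 7 { printf "malformed line %d: %s\n", NR, $0 > "/dev/stderr"; next }
        $3 == 0 { print $1 ":" $3 ":" $4 ":" $7 }
    '
}

# Constructed sample /etc/passwd contents (not from a real system).
# "toor" is a second root account that grep :0:0: does not match because
# its GID is 100; "op" has GID 0 but UID 100 and must not be reported;
# "broken" has too few fields and is flagged rather than listed.
SAMPLE_PASSWD='root:*:0:0:Charlie &,,,:/root:/usr/local/bin/bash
daemon:*:1:1:The devil himself:/root:/sbin/nologin
toor:*:0:100:Hidden root:/root:/bin/ksh
op:*:100:0:Operator:/home/op:/bin/sh
broken:*:0
bricker:*:1000:1000:Sven De La Palmer:/home/bricker:/bin/sh'

# audit_sample: run the check over the constructed sample.
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | uid0_accounts
}

# On a live system (/etc/passwd is world-readable, so no root needed):
#   uid0_accounts < /etc/passwd
```

Anything the check prints other than the single 'root' line deserves an explanation; on a freshly installed system there should be exactly one.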

Assigning Root Privileges to Ordinary Users

Your administrator account should be a member of the group wheel. Regular users of your host should not be members of the wheel group.

You can specify the group in three ways:

  • at the creation of the account (as above) or
  • using usermod -G or
  • by manually editing the file /etc/group.

Setting wheel during account creation

During account creation (using adduser) you are given the option to set the group an account belongs to, and any additional groups to include the user into.

 
Login group bricker [bricker]: <hit ENTER>
Login group is "bricker". Invite bricker into other groups: 
guest no 
[no]:  wheel

During the user creation, you can specify that you want the userid to be invited, or included into the 'wheel' group.

Using the usermod -G command

From the man page usermod(8)

-G  secondary-group[,group,...]
    are the secondary groups the user will be a member of in the 
    /etc/group file.

First we check to make sure that 'wheel' is the superuser group.

# /usr/bin/grep ':0:' /etc/group
wheel:*:0:root

In this scenario, bricker has not been added to the group 'wheel' which is the superuser group.

To add the group wheel to the groups allocated for bricker you use the following usermod command.

# usermod -G wheel bricker
# user info bricker | /usr/bin/grep "^groups"
groups bricker computerstaff wheel

Our user information tells us bricker is now part of three groups: bricker, computerstaff, and wheel.

We can verify the contents of the /etc/group file, specific to the group wheel by using group info or just grep:

# /usr/bin/grep ':0:' /etc/group
wheel:*:0:root,bricker
# group info wheel | grep "^members" 
members root bricker

Manually Editing the file /etc/group

The third method for adding a user to the group 'wheel' is to edit the entry by hand.

The format of the file is one line per group, of the form

GroupName:GroupPassword:GroupIDNumber:UserIDA[,UserIDn...]

where the group password field is normally just '*'. The member list is separated by commas only; no spaces are allowed anywhere on the line (a member written as " bricker" is not "bricker").

For example file: /etc/group

wheel:*:0:root,bricker
daemon:*:1:daemon
kmem:*:2:root
sys:*:3:root
tty:*:4:root
operator:*:5:root
bin:*:7:
news:*:8:
wsrc:*:9:
users:*:10:

As indicated in the above example, edit the file and add your user name 'bricker' to the 'wheel' line. Remember that what makes wheel special is not its name but that it is the group with GroupID '0'.

Moving from your UserID to root

With your administrator account in the 'wheel' group you can substitute/switch user from bricker to root using the 'su' command.

For example, while logged in as bricker, you can use 'su' to switch to root and perform the necessary tasks as 'root' before returning to your 'bricker' account.

$ whoami
bricker
$ su -
Password:
# 
# whoami
root

From the man page su(1):

If group 0 (normally ``wheel'') has users 
listed then only those users
can su to ``root''. It is not sufficient to change a user's /etc/passwd
entry to add them to the ``wheel'' group; they must explicitly be listed
in /etc/group. If no one is in the ``wheel'' group, it is ignored, and
anyone who knows the root password is permitted to su to ``root''.
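The rule quoted from su(1) and the /etc/group format described earlier can be checked mechanically. The script below is an added example, not code from the original page or from OpenBSD; it encodes the su(1) rule over group(5)-format text (the GID-0 group's member list, whatever the group is called, and the "no members means no restriction" case), and warns about whitespace in the member list, the editing mistake that most often produces a wheel entry that "does not work". The sample group files it runs against are constructed for the example.

```shell
#!/bin/sh
# Added example: decide who su(1) will allow to become root, following the
# rule in su(1): if the GID-0 group has members, only those users may su
# to root; if it has none, the check is skipped and anyone with the root
# password may. Reads group(5)-format text; not an OpenBSD tool.

# gid0_members: print the comma-joined member list of the GID-0 group(s)
# on stdin (empty if there are none). Malformed lines are reported on
# stderr but still used exactly as the C library would read them.
gid0_members() {
    awk -F: '
        /^[[:space:]]*$/ || /^#/ { next }
        NF != 4 {
            printf "line %d: expected 4 colon-separated fields: %s\n", NR, $0 > "/dev/stderr"
            next
        }
        $4 ~ /[[:space:]]/ {
            printf "line %d: whitespace in member list, those names will not match: %s\n", NR, $0 > "/dev/stderr"
        }
        $3 == 0 { m = (m == "" ? $4 : m "," $4) }
        END { print m }
    '
}

# can_su_root USER GROUP_TEXT: print "yes" if su would let USER become
# root given the root password, "no" otherwise.
can_su_root() {
    user=$1
    members=$(printf '%s\n' "$2" | gid0_members)
    if [ -z "$members" ]; then
        echo yes        # empty GID-0 group: su ignores the group check
        return 0
    fi
    case ",$members," in
        *",$user,"*) echo yes ;;
        *) echo no ;;
    esac
}

# Constructed sample group files.
SAMPLE_GROUP='wheel:*:0:root,bricker
daemon:*:1:daemon
kmem:*:2:root
operator:*:5:root
computerstaff:*:1002:bricker
class501:*:1003:'

EMPTY_WHEEL='wheel:*:0:
daemon:*:1:daemon'

# The classic hand-editing mistake: a space after the comma.
BROKEN_WHEEL='wheel:*:0:root, bricker
daemon:*:1:daemon'

# On a live system:
#   can_su_root bricker "$(cat /etc/group)"
```

With BROKEN_WHEEL the answer for bricker is "no" even though the name appears on the wheel line, which is exactly the symptom you see after adding a space by hand; with EMPTY_WHEEL the answer is "yes" for every user, which is why an empty wheel group is weaker than a populated one.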

For more granular control over which commands individual users may run as root, take a look at sudo (on newer OpenBSD releases the base system ships doas(1) for this purpose instead).

Related Reading

Red Hat Linux Administrator's Handbook 2nd Edition. Mohammed J. Kabir, (M&T Books, Foster City, 2001)

Essential System Administration 2nd Edition. AEleen Frisch (O'Reilly & Associates, Inc., Sebastopol, 1995)