[ref: http://andrsn.stanford.edu/FreeBSD/newuser.html]
[ref: What to do AFTER you have BSD installed by Chris Coleman, http://www.daemonnews.org/200005/chrisc@daemonnews.org]
[ref: adduser(8), group(8), rmuser(8)]
[Config info: user-name, account-type]
From the man page adduser(8):

    DESCRIPTION
The first thing that a fresh install of OpenBSD warns of when you login is, do not login as root but use su. This is saying that you should create a user who can use su (the Substitute User program) to change to the "root" user when you want to perform administration tasks.
The following instructions guide you through the creation of a new user with SuperUser access privileges.
OpenBSD supplies the adduser script to simplify adding new users. All you have to know to create a new user is the name of the person, and what you want the login account name to be.
The adduser script is started at the command prompt.
    # adduser
When first started, adduser will query you to set or change the default settings. Once the standard configuration has been set, it will continue by prompting for adding new users.
adduser supports two flags -silent or -verbose. You don't really need to know these at the beginning, but you can check the details in the man pages. Read through the example below and then start adduser to create your new account.
    # adduser

    Enter username [a-z0-9_-]: bricker
The shell is your command line interpreter: it reads the commands you type and tries to interpret them. There are several different shells to choose from. If bash does not appear in the list on the screen, review adding packages in the 1st Time Config introduction. You can change your settings at a later time, so do not worry if some settings are not as you want them right now. The documentation that comes with OpenBSD says that 'most people' use bash.
    Enter home directory (full path) [/home/bricker]: <hit ENTER>
The uid is the User ID number that the system uses to keep track of people. These should be unique on the system. Use the default values offered by the program unless you have good knowledge of previously granted ID numbers.
    Enter login class: default []: <hit ENTER>
The login class allows you to set up resource limits for groups of users.
    Login group bricker [bricker]: <hit ENTER>
Login groups are used to divide security privileges between groups of accounts. For most users you can use the default setting (NO) and just hit Enter to continue.
If the account you are creating will be your Administrator account, then you must make sure that you have specified the group 'wheel' in the above response. Don't worry if you make a mistake, we can fix it later.
    Enter password []:
You will be asked for the user's password twice and it will not be displayed. Afterwards, it will display all of the user's information and ask if it is correct.
    Name: bricker
If you make a mistake, you can start over, or it's possible to correct most of this information using the 'chpass' command (discussed below).
[ref: chpass(1), vipw(8)]
Once you've configured the base system, we can look at basic configuration of users. Note, for those with some previous Unix experience: do not just edit /etc/passwd or /etc/master.passwd.
Use the chpass utility when adding or changing user information. If you try to modify the user's shell manually (by changing /etc/passwd) it won't work; trust me, I made this mistake for weeks before I found out my erroneous ways.
Entered at the command line without a parameter (i.e. typed by itself), chpass will edit your personal information. As root, you can use it to modify any user account on the system. You can find more details on chpass in the man pages, but let's go through an example review of the account we created above.
    # chpass bricker
This will bring up information about the user 'bricker' in the 'vi' editor. The password line is encrypted, so don't change it. If you want to disable the user, one method is to add a # at the beginning of the password string, so you can easily remove it later when you want to reactivate the user. There are other methods of disabling a user that may be better, though.
    Login: bricker
Remember your vi commands? :q (colon+q) quit, :w (colon+w) write, :q! (colon+q+exclamation-mark) quit without saving. If you're still having problems, remember the tutorial http://www.freebsd.org/tutorials/new-users
Alternative tools, useful for batch processing, include usermod.
[ref: What to do AFTER you have BSD installed by Chris Coleman, http://www.daemonnews.org/200005/chrisc@daemonnews.org]
[ref: rmuser(8), user(8), useradd(8), userdel(8), userinfo(8), usermod(8)]
From the man page userdel(8):

    The userdel utility removes a user from the system, optionally removing that user's home directory and any subdirectories.

The main options used during account deletion are:

    userdel [-prv] user

    The following command line options are recognised:

    -p  preserve the user information in the password file, but do not allow the user to login, by switching the password to an ``impossible'' one, and by setting the user's shell to the false(1) program. This option can be helpful in preserving a user's files for later use by members of that person's group after the user has moved on. This value can also be set in the /etc/usermgmt.conf file, using the `preserve' field. If the field has any of the values `true', `yes', or a non-zero number, then user information preservation will take place.
    -r  remove the user's home directory, any subdirectories, and any files and other entries in them.
    -v  perform any actions in a verbose manner.
[ref: group(8), groupadd(8), groupdel(8), groupinfo(8), groupmod(8)]
Groups are an important way of categorising users: they allow administrators to grant privileges to, or impose restrictions on, a range of users according to their group allocation.
OpenBSD 2.7 included a set of group management tools, including the wrapper program 'group' which can be used as the interface into the separate tools. /usr/sbin/group merely takes the parameters given it on the command line and passes it to the appropriate program.
[ref: group(8), groupadd(8)]
To add new groups 'computerstaff' and 'class501' to the system, we can enter the following commands.

    # group info computerstaff
    group: can't find group `computerstaff'
    # group add computerstaff
    # group info computerstaff
    name    computerstaff
    passwd  *
    gid     1002
    members
Note that gid (Group ID) is sequential to the last group I have on my system, and there are no members yet for computerstaff.
    # group info class501
    group: can't find group `class501'
    # group add class501
    # group info class501
    name    class501
    passwd  *
    gid     1003
    members
We have successfully created two new groups, and verified their creation.
[ref: user(8), userinfo(8), usermod(8), group(8), groupinfo(8)]
Now that we have created our groups, we can go through and allocate users to the separate groups. The simplest method is to use the given utilities user or usermod.
In our small scenario, we only have one user (bricker) but since bricker is going to be part of the 'computerstaff' we're putting that account into the group.
First we can check what groups 'bricker' is in, and review the membership of 'computerstaff' again.

    # userinfo bricker | grep "^groups"
    groups  bricker
    # group info computerstaff | grep "^members"
    members
We can simply add bricker using usermod -G (or user mod -G).
    # user mod -G computerstaff bricker
    # group info computerstaff | grep "^members"
    members bricker
A common problem for novice Unix administrators is not knowing how to set up a 'root' account or how to manage accounts with access to the 'root' account.
The Super Administrator 'root' is any account configured with UserID as '0' and GroupID as '0'. This user has near fatal authority on your machine and you must be very careful in selecting any accounts with 0:0 privileges.
You can quickly check this in your /etc/passwd file, or by using a command similar to that shown here.

    $ /usr/bin/grep :0:0: /etc/passwd
    root:*:0:0:Charlie &,,,:/root:/usr/local/bin/bash
Your administrator account should be a member of the group wheel. Regular users of your host should not be members of the wheel group.
You can specify the group in three ways:
(a) at the creation of the account (as above) or
(b) using usermod -G or
(c) by manually editing the file /etc/group.
During account creation (using adduser) you are given the option to set the group an account belongs to, and any additional groups to include the user into.
    Login group bricker [bricker]: <hit ENTER>

During user creation, you can specify that you want the user to be invited into (included in) the 'wheel' group.
From the man page usermod(8):

    -G secondary-group[,group,...] are the secondary groups the user will be a member of in the /etc/group file.
First we check to make sure that 'wheel' is the superuser group.
    # /usr/bin/grep ':0:' /etc/group
    wheel:*:0:root
In this scenario, bricker has not been added to the group 'wheel' which is the superuser group.
To add the group wheel to the groups allocated for bricker you use the following usermod command.
    # usermod -G wheel bricker
    # user info bricker | /usr/bin/grep "^groups"
    groups  bricker computerstaff wheel
Our user information tells us bricker is now part of three groups: bricker, computerstaff, and wheel.
We can verify the contents of the /etc/group file, specific to the group wheel by using group info or just grep:
    # /usr/bin/grep ':0:' /etc/group
    wheel:*:0:root,bricker
    # group info wheel | grep "^members"
    members root bricker
The third method for adding a user to the group 'wheel' is to edit the entry in /etc/group directly.
The format of the file is one line per group, of the form

    GroupName:*:GroupIDNumber:UserIDA[,UserIDn...]

with the fields separated by colons and the members separated by commas; no spaces are allowed.
For example, the file /etc/group:

    wheel:*:0:root,bricker
    daemon:*:1:daemon
    kmem:*:2:root
    sys:*:3:root
    tty:*:4:root
    operator:*:5:root
    bin:*:7:
    news:*:8:
    wsrc:*:9:
    users:*:10:
As indicated in the above example, edit the file and add your userid 'bricker' to the line 'wheel'. Remember that the special group is the group that corresponds to GroupID '0'.
With your administrator account in the 'wheel' group you can substitute/switch user from bricker to root using the 'su' command.
For example, while logged in as bricker, you can use 'su' to switch to root and perform the necessary tasks as 'root' before returning to your 'bricker' account.
    $ whoami
    bricker
    $ su -
    Password:
    #
    # whoami
    root
    #
From the man page su(1):

    If group 0 (normally ``wheel'') has users listed then only those users can su to ``root''. It is not sufficient to change a user's /etc/passwd entry to add them to the ``wheel'' group; they must explicitly be listed in /etc/group. If no one is in the ``wheel'' group, it is ignored, and anyone who knows the root password is permitted to su to ``root''.
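An audit of who holds superuser access, as an added example that is not part of the original guide; it serves the uid 0 check, the /etc/group format rules and the su(1) rule above. It applies exactly what those passages state: root authority comes from uid 0 in the passwd file (the gid is not what grants it, so the check is on uid alone, which is broader than the :0:0: grep above), su to root is restricted to the accounts listed in the gid 0 group, normally wheel, and a hand-edited /etc/group must keep four colon-separated fields, a numeric gid and no spaces. The passwd and group files are passed as arguments (here constructed sample files in a temporary directory, with a hypothetical second uid 0 account named "toor" so the audit has something to report); the report is printed and nothing is modified.

```shell
#!/bin/sh
# Added example, not part of the original guide: report which accounts have
# full root authority (uid 0), which accounts may su to root (listed in the
# gid 0 group), and whether a hand-edited group file is well formed.

# Constructed sample files (hypothetical data). "toor" is an invented second
# uid 0 account, the kind of entry this audit is meant to surface.
AUDIT_DIR=$(mktemp -d)
printf '%s\n' 'root:*:0:0:Charlie &:/root:/bin/sh' \
              'toor:*:0:0:Bourne-again Superuser:/root:/usr/local/bin/bash' \
              'bricker:*:1000:1000:Bricker:/home/bricker:/usr/local/bin/bash' \
              > "$AUDIT_DIR/passwd"
printf '%s\n' 'wheel:*:0:root,bricker' \
              'daemon:*:1:daemon' \
              'computerstaff:*:1002:bricker' \
              > "$AUDIT_DIR/group"
# A broken group file: a space crept into the member list and one record
# is missing a field; lint_group should reject both lines.
printf '%s\n' 'wheel:*:0:root, bricker' \
              'daemon:*:1' \
              > "$AUDIT_DIR/group.bad"

# uid0_accounts PASSWD -> names of every account whose uid is 0, one per line
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# gid0_members GROUPFILE -> members listed for the gid 0 group (normally wheel)
gid0_members() {
    awk -F: '$3 == 0 { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$1"
}

# lint_group GROUPFILE -> one line per malformed record; exit 1 if any.
# A record is name:passwd:gid:members with a numeric gid and no whitespace;
# members are separated by commas only.
lint_group() {
    awk -F: '
        NF != 4          { printf "line %d: expected 4 fields, got %d\n", NR, NF; bad = 1; next }
        $3 !~ /^[0-9]+$/ { printf "line %d: gid \"%s\" is not a number\n", NR, $3; bad = 1; next }
        /[ \t]/          { printf "line %d: whitespace is not allowed\n", NR; bad = 1 }
        END { exit bad }' "$1"
}

# audit PASSWD GROUPFILE -> printed report; exit 1 if any account other than
# root has uid 0
audit() {
    rc=0
    echo "accounts with uid 0 (full root authority):"
    for u in $(uid0_accounts "$1"); do
        if [ "$u" = root ]; then
            echo "  $u"
        else
            echo "  $u   <-- extra uid 0 account, review it"
            rc=1
        fi
    done
    echo "accounts able to su to root (listed in the gid 0 group):"
    gid0_members "$2" | sed 's/^/  /'
    return $rc
}

# Usage: check the sample files, then lint the deliberately broken group file
audit "$AUDIT_DIR/passwd" "$AUDIT_DIR/group" || echo "audit: action required"
lint_group "$AUDIT_DIR/group.bad" || echo "group.bad: fix before installing as /etc/group"
```

Run lint_group on an edited copy before copying it over /etc/group, and run audit after any account change; an unexpected name in either list is what the guide's warning about 0:0 privileges is about.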
For more granular control of which applications you allow users to run, take a look at the sudo command.
Copyright (c) 2000/1/2 Samiuela LV Taufa. All Rights Reserved.
I reserve the right to be totally incorrect even at the best advice of betters. In other words, I'm probably wrong in enough places for you to call me an idiot, but don't 'cause you'll hurt my sensibilities, just tell me where I went wrong and I'll try again.
You are permitted and encouraged to use this guide for fun or for profit as you see fit. If you republish this work in what-ever form, it would be nice (though not enforceable) to be credited.
User Administration - for newbies like me
Copyright © 2000/1/2 NoMoa.COM All rights reserved.