From 4225fc88f371faff201ab4c2960d0e14d39b3a69 Mon Sep 17 00:00:00 2001 From: Dru Lavigne <dru@FreeBSD.org> Date: Mon, 14 Oct 2013 16:44:15 +0000 Subject: [PATCH] This patch integrates the contents of users/chapter.xml into basics/chapter.xml. Approved by: hrs (mentor) --- en_US.ISO8859-1/books/handbook/Makefile | 1 - .../books/handbook/basics/chapter.xml | 995 ++++++++++++++++ en_US.ISO8859-1/books/handbook/book.xml | 1 - .../books/handbook/bsdinstall/chapter.xml | 2 +- en_US.ISO8859-1/books/handbook/chapters.ent | 1 - .../books/handbook/preface/preface.xml | 9 - en_US.ISO8859-1/books/handbook/users/Makefile | 15 - .../books/handbook/users/chapter.xml | 1001 ----------------- 8 files changed, 996 insertions(+), 1029 deletions(-) delete mode 100644 en_US.ISO8859-1/books/handbook/users/Makefile delete mode 100644 en_US.ISO8859-1/books/handbook/users/chapter.xml diff --git a/en_US.ISO8859-1/books/handbook/Makefile b/en_US.ISO8859-1/books/handbook/Makefile index 5f176c6f62..f2e41fc06f 100644 --- a/en_US.ISO8859-1/books/handbook/Makefile +++ b/en_US.ISO8859-1/books/handbook/Makefile @@ -275,7 +275,6 @@ SRCS+= preface/preface.xml SRCS+= printing/chapter.xml SRCS+= security/chapter.xml SRCS+= serialcomms/chapter.xml -SRCS+= users/chapter.xml SRCS+= virtualization/chapter.xml SRCS+= x11/chapter.xml diff --git a/en_US.ISO8859-1/books/handbook/basics/chapter.xml b/en_US.ISO8859-1/books/handbook/basics/chapter.xml index 2d6e0c3171..58d0ebfa43 100644 --- a/en_US.ISO8859-1/books/handbook/basics/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/basics/chapter.xml @@ -35,6 +35,11 @@ <para>How to use and configure virtual consoles.</para> </listitem> + <listitem> + <para>How to create and manage users and groups on + &os;.</para> + </listitem> + <listitem> <para>How &unix; file permissions and &os; file flags work.</para> 
@@ -286,6 +291,996 @@ console none unknown off secure</programlisting> </sect2> </sect1> + <!-- + <chapterinfo> + <authorgroup> + <author> + <firstname>Neil</firstname> + <surname>Blakey-Milner</surname> + <contrib>Contributed by in Feb 2000</contrib> + </author> + </authorgroup> + </chapterinfo> + --> + + <sect1 id="users-synopsis"> + <title>Users and Basic Account Management</title> + + <para>&os; allows multiple users to use the computer at the same + time. While only one user can sit in front of the screen and + use the keyboard at any one time, any number of users can log + in to the system through the network. To use the system, each + user should have their own user account.</para> + + <para>This chapter describes:</para> + + <itemizedlist> + <listitem> + <para>The different types of user accounts on a + &os; system.</para> + </listitem> + + <listitem> + <para>How to add, remove, and modify user accounts.</para> + </listitem> + + <listitem> + <para>How to set limits to control the + resources that users and + groups are allowed to access.</para> + </listitem> + + <listitem> + <para>How to create groups and add users as members of a group.</para> + </listitem> + </itemizedlist> + + <sect2 id="users-introduction"> + <title>Account Types</title> + + <para>Since all access to the &os; system is achieved using accounts + and all processes are run by users, user and account management + is important.</para> + + <para>There are three main types of accounts: + system accounts, + user accounts, and the + superuser account.</para> + + <sect3 id="users-system"> + <title>System Accounts</title> + + <indexterm> + <primary>accounts</primary> + <secondary>system</secondary> + </indexterm> + + <para>System accounts are used to run services such as DNS, + mail, and web servers. 
The reason for this is security; if + all services ran as the superuser, they could act without + restriction.</para> + + <indexterm> + <primary>accounts</primary> + <secondary><username>daemon</username></secondary> + </indexterm> + <indexterm> + <primary>accounts</primary> + <secondary><username>operator</username></secondary> + </indexterm> + + <para>Examples of system accounts are + <username>daemon</username>, <username>operator</username>, + <username>bind</username>, <username>news</username>, and + <username>www</username>.</para> + + <indexterm> + <primary>accounts</primary> + <secondary><username>nobody</username></secondary> + </indexterm> + + <para><username>nobody</username> is the generic unprivileged + system account. However, the more services that use + <username>nobody</username>, the more files and processes that + user will become associated with, and hence the more + privileged that user becomes.</para> + </sect3> + + <sect3 id="users-user"> + <title>User Accounts</title> + + <indexterm> + <primary>accounts</primary> + <secondary>user</secondary> + </indexterm> + + <para>User accounts are + assigned to real people and are used to log in and use the + system. Every person accessing the system should have a unique + user account. This allows the administrator to find out who + is doing what and prevents users from clobbering the + settings of other users.</para> + + <para>Each user can set up their own environment to accommodate + their use of the system, by configuring their default shell, editor, + key bindings, and language settings.</para> + <para>Every user account on a &os; system has certain information + associated with it:</para> + + <variablelist> + <varlistentry> + <term>User name</term> + + <listitem> + <para>The user name is typed at the <prompt>login:</prompt> + prompt. User names must be unique on the system as no two + users can have the same user name. 
There are a number of + rules for creating valid user names which are documented in + &man.passwd.5;. It is recommended to use user names that consist of eight or + fewer, all lower case characters in order to maintain + backwards compatibility with applications.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>Password</term> + + <listitem> + <para>Each user account should have an associated password. While the + password can be blank, this is highly discouraged.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>User ID (<acronym>UID</acronym>)</term> + + <listitem> + <para>The User ID (<acronym>UID</acronym>) is a number + used to uniquely identify the user to the + &os; system. Commands that + allow a user name to be specified will first convert it to + the <acronym>UID</acronym>. It is recommended to use a UID of + 65535 or lower as higher UIDs may cause compatibility + issues with software that does not support integers larger + than 32-bits.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>Group ID (<acronym>GID</acronym>)</term> + + <listitem> + <para>The Group ID (<acronym>GID</acronym>) is a number used to uniquely identify + the primary group that the user belongs to. Groups are a + mechanism for controlling access to resources based on a + user's <acronym>GID</acronym> rather than their + <acronym>UID</acronym>. This can significantly reduce the + size of some configuration files and allows users to be + members of more than one group. It is recommended to use a GID of + 65535 or lower as higher GIDs may break some + software.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>Login class</term> + + <listitem> + <para>Login classes are an extension to the group mechanism + that provide additional flexibility when tailoring the + system to different users. 
Login classes are discussed + further in <xref linkend="users-limiting"/></para> + </listitem> + </varlistentry> + + <varlistentry> + <term>Password change time</term> + + <listitem> + <para>By default, &os; does not force users to change their + passwords periodically. Password expiration can be + enforced on a per-user basis using &man.pw.8;, forcing some or all users to + change their passwords after a certain amount of time has + elapsed.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>Account expiry time</term> + + <listitem> + <para>By default, &os; does not expire accounts. When + creating accounts that need a limited lifespan, such as + student accounts in a school, specify the account expiry + date using &man.pw.8;. After the expiry time has elapsed, the account + cannot be used to log in to the system, although the + account's directories and files will remain.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>User's full name</term> + + <listitem> + <para>The user name uniquely identifies the account to &os;, + but does not necessarily reflect the user's real name. + Similar to a comment, this information + can contain a space, uppercase characters, and be more + than 8 characters long.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>Home directory</term> + + <listitem> + <para>The home directory is the full path to a directory on + the system. This is the user's starting directory when + the user logs in. A common convention is to put all user + home directories under <filename + class="directory">/home/<replaceable>username</replaceable></filename> + or <filename + class="directory">/usr/home/<replaceable>username</replaceable></filename>. 
+ Each user stores their personal files and subdirectories + in their own home directory.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term>User shell</term> + + <listitem> + <para>The shell provides the user's default environment for + interacting with the system. There are many different + kinds of shells and experienced users will have their own + preferences, which can be reflected in their account + settings.</para> + </listitem> + </varlistentry> + </variablelist> + </sect3> + + <sect3 id="users-superuser"> + <title>The Superuser Account</title> + + <indexterm> + <primary>accounts</primary> + <secondary>superuser (root)</secondary> + </indexterm> + + <para>The superuser account, usually called + <username>root</username>, is used to + manage the system with no limitations on privileges. For this + reason, it should not be used for day-to-day + tasks like sending and receiving mail, general exploration of + the system, or programming.</para> + + <para>The superuser, unlike other user + accounts, can operate without limits, and misuse of the + superuser account may result in spectacular disasters. User + accounts are unable to destroy the operating system by mistake, so it is + recommended to login as a user account and to only become the superuser + when a command requires extra privilege.</para> + + <para>Always double and triple-check any commands issued as the + superuser, since an extra space or missing character can mean + irreparable data loss.</para> + + <para>There are several ways to become gain superuser privilege. While one + can log in as <username>root</username>, this is highly discouraged.</para> + + <para>Instead, use &man.su.1; to become the superuser. If + <literal>-</literal> is specified when running this command, the user will also inherit the root user's environment. + The user running this command must + be in the <groupname>wheel</groupname> group or else the command + will fail. 
The user must also know the password for the + <username>root</username> user account.</para> + + <para>In this example, the user only becomes superuser in order to run + <command>make install</command> as this step requires superuser privilege. + Once the command completes, the user types <command>exit</command> + to leave the superuser account and return to the privilege of + their user account.</para> + + <example> + <title>Install a Program As The Superuser</title> + + <screen>&prompt.user; <userinput>configure</userinput> +&prompt.user; <userinput>make</userinput> +&prompt.user; <userinput>su -</userinput> +Password: +&prompt.root; <userinput>make install</userinput> +&prompt.root; <userinput>exit</userinput> +&prompt.user;</screen> + </example> + + <para>The built-in &man.su.1; framework works well for single systems or small + networks with just one system administrator. An alternative + is to install the + <filename role="package">security/sudo</filename> package or port. This software + provides activity logging and allows the administrator to configure which users + can run which commands + as the superuser.</para> + </sect3> + </sect2> + + <sect2 id="users-modifying"> + <title>Managing Accounts</title> + + <indexterm> + <primary>accounts</primary> + <secondary>modifying</secondary> + </indexterm> + + <para>&os; provides a variety of different commands to manage + user accounts. 
The most common commands are summarized below, + followed by more detailed examples of their usage.</para> + + <informaltable frame="none" pgwide="1"> + <tgroup cols="2"> + <colspec colwidth="1*"/> + <colspec colwidth="2*"/> + + <thead> + <row> + <entry>Command</entry> + <entry>Summary</entry> + </row> + </thead> + <tbody> + <row> + <entry>&man.adduser.8;</entry> + <entry>The recommended command-line application for adding + new users.</entry> + </row> + + <row> + <entry>&man.rmuser.8;</entry> + <entry>The recommended command-line application for + removing users.</entry> + </row> + + <row> + <entry>&man.chpass.1;</entry> + <entry>A flexible tool for changing user database + information.</entry> + </row> + + <row> + <entry>&man.passwd.1;</entry> + <entry>The simple command-line tool to change user + passwords.</entry> + </row> + + <row> + <entry>&man.pw.8;</entry> + <entry>A powerful and flexible tool for modifying all + aspects of user accounts.</entry> + </row> + </tbody> + </tgroup> + </informaltable> + + <sect3 id="users-adduser"> + <title><command>adduser</command></title> + + <indexterm> + <primary>accounts</primary> + <secondary>adding</secondary> + </indexterm> + <indexterm> + <primary><command>adduser</command></primary> + </indexterm> + <indexterm> + <primary><filename + class="directory">/usr/share/skel</filename></primary> + </indexterm> + <indexterm><primary>skeleton directory</primary></indexterm> + <para>&man.adduser.8; is a simple program for adding new users + When a new user is added, this program automatically updates + <filename>/etc/passwd</filename> and + <filename>/etc/group</filename>. 
It also creates a home + directory for the new user, copies in the default + configuration files from <filename + class="directory">/usr/share/skel</filename>, and can + optionally mail the new user a welcome message.</para> + + <example> + <title>Adding a User on &os;</title> + + <screen>&prompt.root; <userinput>adduser</userinput> +Username: <userinput>jru</userinput> +Full name: <userinput>J. Random User</userinput> +Uid (Leave empty for default): +Login group [jru]: +Login group is jru. Invite jru into other groups? []: <userinput>wheel</userinput> +Login class [default]: +Shell (sh csh tcsh zsh nologin) [sh]: <userinput>zsh</userinput> +Home directory [/home/jru]: +Home directory permissions (Leave empty for default): +Use password-based authentication? [yes]: +Use an empty password? (yes/no) [no]: +Use a random password? (yes/no) [no]: +Enter password: +Enter password again: +Lock out the account after creation? [no]: +Username : jru +Password : **** +Full Name : J. Random User +Uid : 1001 +Class : +Groups : jru wheel +Home : /home/jru +Shell : /usr/local/bin/zsh +Locked : no +OK? (yes/no): <userinput>yes</userinput> +adduser: INFO: Successfully added (jru) to the user database. +Add another user? (yes/no): <userinput>no</userinput> +Goodbye! +&prompt.root;</screen> + </example> + + <note> + <para>Since the password is not echoed when typed, be careful + to not mistype the password when creating the user + account.</para> + </note> + </sect3> + + <sect3 id="users-rmuser"> + <title><command>rmuser</command></title> + + <indexterm><primary><command>rmuser</command></primary></indexterm> + <indexterm> + <primary>accounts</primary> + <secondary>removing</secondary> + </indexterm> + + <para>To completely remove a user from the system use + &man.rmuser.8;. 
This command performs the following + steps:</para> + + <procedure> + <step> + <para>Removes the user's &man.crontab.1; entry if one + exists.</para> + </step> + + <step> + <para>Removes any &man.at.1; jobs belonging to the + user.</para> + </step> + + <step> + <para>Kills all processes owned by the user.</para> + </step> + + <step> + <para>Removes the user from the system's local password + file.</para> + </step> + + <step> + <para>Removes the user's home directory, if it is owned by + the user.</para> + </step> + + <step> + <para>Removes the incoming mail files belonging to the user + from <filename + class="directory">/var/mail</filename>.</para> + </step> + + <step> + <para>Removes all files owned by the user from temporary + file storage areas such as <filename + class="directory">/tmp</filename>.</para> + </step> + + <step> + <para>Finally, removes the username from all groups to which + it belongs in <filename>/etc/group</filename>.</para> + + <note> + <para>If a group becomes empty and the group name is the + same as the username, the group is removed. This + complements the per-user unique groups created by + &man.adduser.8;.</para> + </note> + </step> + </procedure> + + <para>&man.rmuser.8; cannot be used to remove superuser + accounts since that is almost always an indication of massive + destruction.</para> + + <para>By default, an interactive mode is used, as shown + in the following example.</para> + + <example> + <title><command>rmuser</command> Interactive Account + Removal</title> + + <screen>&prompt.root; <userinput>rmuser jru</userinput> +Matching password entry: +jru:*:1001:1001::0:0:J. Random User:/home/jru:/usr/local/bin/zsh +Is this the entry you wish to remove? <userinput>y</userinput> +Remove user's home directory (/home/jru)? <userinput>y</userinput> +Updating password file, updating databases, done. +Updating group file: trusted (removing group jru -- personal group is empty) done. +Removing user's incoming mail file /var/mail/jru: done. 
+Removing files belonging to jru from /tmp: done. +Removing files belonging to jru from /var/tmp: done. +Removing files belonging to jru from /var/tmp/vi.recover: done. +&prompt.root;</screen> + </example> + </sect3> + + <sect3 id="users-chpass"> + <title><command>chpass</command></title> + + <indexterm><primary><command>chpass</command></primary></indexterm> + <para>&man.chpass.1; can be used to change user database + information such as passwords, shells, and personal + information.</para> + + <para>Only the superuser can change other users' information and + passwords with &man.chpass.1;.</para> + + <para>When passed no options, aside from an optional username, + &man.chpass.1; displays an editor containing user information. + When the user exists from the editor, the user database is + updated with the new information.</para> + + <note> + <para>You will be asked for your password after exiting the + editor if you are not the superuser.</para> + </note> + + <example> + <title>Interactive <command>chpass</command> by + Superuser</title> + + <screen>#Changing user database information for jru. +Login: jru +Password: * +Uid [#]: 1001 +Gid [# or name]: 1001 +Change [month day year]: +Expire [month day year]: +Class: +Home directory: /home/jru +Shell: /usr/local/bin/zsh +Full Name: J. Random User +Office Location: +Office Phone: +Home Phone: +Other information:</screen> + </example> + + <para>A user can change only a small subset of this + information, and only for their own user account.</para> + + <example> + <title>Interactive <command>chpass</command> by Normal + User</title> + + <screen>#Changing user database information for jru. +Shell: /usr/local/bin/zsh +Full Name: J. Random User +Office Location: +Office Phone: +Home Phone: +Other information:</screen> + </example> + + <note> + <para>&man.chfn.1; and &man.chsh.1; are links to + &man.chpass.1;, as are &man.ypchpass.1;, &man.ypchfn.1;, and + &man.ypchsh.1;. 
<acronym>NIS</acronym> support is + automatic, so specifying the <literal>yp</literal> before + the command is not necessary. How to configure NIS is + covered in <xref linkend="network-servers"/>.</para> + </note> + </sect3> + <sect3 id="users-passwd"> + <title><command>passwd</command></title> + + <indexterm><primary><command>passwd</command></primary></indexterm> + <indexterm> + <primary>accounts</primary> + <secondary>changing password</secondary> + </indexterm> + <para>&man.passwd.1; is the usual way to change your own + password as a user, or another user's password as the + superuser.</para> + + <note> + <para>To prevent accidental or unauthorized changes, the user + must enter their original password before a new password can + be set. This is not the case when the superuser changes a + user's password.</para> + </note> + + <example> + <title>Changing Your Password</title> + + <screen>&prompt.user; <userinput>passwd</userinput> +Changing local password for jru. +Old password: +New password: +Retype new password: +passwd: updating the database... +passwd: done</screen> + </example> + + <example> + <title>Changing Another User's Password as the + Superuser</title> + + <screen>&prompt.root; <userinput>passwd jru</userinput> +Changing local password for jru. +New password: +Retype new password: +passwd: updating the database... +passwd: done</screen> + </example> + + <note> + <para>As with &man.chpass.1;, &man.yppasswd.1; is a link to + &man.passwd.1;, so NIS works with either command.</para> + </note> + </sect3> + + + <sect3 id="users-pw"> + <title><command>pw</command></title> + + <indexterm><primary><command>pw</command></primary></indexterm> + + <para>&man.pw.8; is a command line utility to create, remove, + modify, and display users and groups. It functions as a front + end to the system user and group files. 
&man.pw.8; has a very + powerful set of command line options that make it suitable for + use in shell scripts, but new users may find it more + complicated than the other commands presented in this + section.</para> + </sect3> + </sect2> + + <sect2 id="users-limiting"> + <title>Limiting Users</title> + + <indexterm><primary>limiting users</primary></indexterm> + <indexterm> + <primary>accounts</primary> + <secondary>limiting</secondary> + </indexterm> + <para>&os; provides several methods for an administrator to limit + the amount of system resources an individual may use. These + limits are discussed in two sections: disk quotas and other + resource limits.</para> + + <indexterm><primary>quotas</primary></indexterm> + <indexterm> + <primary>limiting users</primary> + <secondary>quotas</secondary> + </indexterm> + <indexterm><primary>disk quotas</primary></indexterm> + <para>Disk quotas limit the amount of disk space available to + users and provide a way to quickly check that usage without + calculating it every time. Quotas are discussed in <xref + linkend="quotas"/>.</para> + + <para>The other resource limits include ways to limit the amount + of CPU, memory, and other resources a user may consume. These + are defined using login classes and are discussed here.</para> + + <indexterm> + <primary><filename>/etc/login.conf</filename></primary> + </indexterm> + <para>Login classes are defined in + <filename>/etc/login.conf</filename> and are described in detail + in &man.login.conf.5;. Each user account is assigned to a login + class, <literal>default</literal> by default, and each login + class has a set of login capabilities associated with it. 
A + login capability is a + <literal><replaceable>name</replaceable>=<replaceable>value</replaceable></literal> + pair, where <replaceable>name</replaceable> is a well-known + identifier and <replaceable>value</replaceable> is an arbitrary + string which is processed accordingly depending on the + <replaceable>name</replaceable>. Setting up login classes and + capabilities is rather straightforward and is also described in + &man.login.conf.5;.</para> + + <note> + <para>&os; does not normally read the configuration in + <filename>/etc/login.conf</filename> directly, but instead + reads the <filename>/etc/login.conf.db</filename> database + which provides faster lookups. Whenever + <filename>/etc/login.conf</filename> is edited, the + <filename>/etc/login.conf.db</filename> must be updated by + executing the following command:</para> + + <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> + </note> + + <para>Resource limits differ from the default login capabilities + in two ways. First, for every limit, there is a soft (current) + and hard limit. A soft limit may be adjusted by the user or + application, but may not be set higher than the hard limit. The + hard limit may be lowered by the user, but can only be raised + by the superuser. Second, most resource limits apply per + process to a specific user, not to the user as a whole. These + differences are mandated by the specific handling of the limits, + not by the implementation of the login capability + framework.</para> + + <para>Below are the most commonly used resource limits. 
The rest + of the limits, along with all the other login capabilities, can + be found in &man.login.conf.5;.</para> + + <variablelist> + <varlistentry> + <term><literal>coredumpsize</literal></term> + + <listitem> + <para>The limit on the size of a core file<indexterm><primary>coredumpsize</primary></indexterm> generated by a + program is subordinate to other limits<indexterm><primary>limiting users</primary><secondary>coredumpsize</secondary></indexterm> on disk usage, such + as <literal>filesize</literal>, or disk quotas. + This limit is often used as a less-severe method of + controlling disk space consumption. Since users do not + generate core files themselves, and often do not delete + them, setting this may save them from running out of disk + space should a large program crash.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>cputime</literal></term> + + <listitem> + <para>The maximum amount of CPU<indexterm><primary>cputime</primary></indexterm><indexterm><primary>limiting users</primary><secondary>cputime</secondary></indexterm> time a user's process may + consume. Offending processes will be killed by the + kernel.</para> + + <note> + <para>This is a limit on CPU <emphasis>time</emphasis> + consumed, not percentage of the CPU as displayed in + some fields by &man.top.1; and &man.ps.1;.</para> + </note> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>filesize</literal></term> + + <listitem> + <para>The maximum size of a file<indexterm><primary>filesize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>filesize</secondary></indexterm> the user may own. 
Unlike + <link linkend="quotas">disk quotas</link>, this limit is + enforced on individual files, not the set of all files a + user owns.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>maxproc</literal></term> + + <listitem> + <para>The maximum number of processes<indexterm><primary>maxproc</primary></indexterm><indexterm><primary>limiting users</primary><secondary>maxproc</secondary></indexterm> a user can run. This + includes foreground and background processes. This limit + may not be larger than the system limit specified by the + <varname>kern.maxproc</varname> &man.sysctl.8;. Setting + this limit too small may hinder a user's productivity as + it is often useful to be logged in multiple times or to + execute pipelines. Some tasks, such as compiling a large + program, spawn multiple processes and other intermediate + preprocessors.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>memorylocked</literal></term> + + <listitem> + <para>The maximum amount of memory<indexterm><primary>memorylocked</primary></indexterm><indexterm><primary>limiting users</primary><secondary>memorylocked</secondary></indexterm> a process may request + to be locked into main memory using &man.mlock.2;. Some + system-critical programs, such as &man.amd.8;, lock into + main memory so that if the system begins to swap, they do + not contribute to disk thrashing.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>memoryuse</literal></term> + + <listitem> + <para>The maximum amount of memory<indexterm><primary>memoryuse</primary></indexterm><indexterm><primary>limiting users</primary><secondary>memoryuse</secondary></indexterm> a process may consume at + any given time. It includes both core memory and swap + usage. 
This is not a catch-all limit for restricting + memory consumption, but is a good start.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>openfiles</literal></term> + + <listitem> + <para>The maximum number of files a process may have open<indexterm><primary>openfiles</primary></indexterm><indexterm><primary>limiting users</primary><secondary>openfiles</secondary></indexterm>. + In &os;, files are used to represent sockets and IPC + channels, so be careful not to set this too low. The + system-wide limit for this is defined by the + <varname>kern.maxfiles</varname> &man.sysctl.8;.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>sbsize</literal></term> + + <listitem> + <para>The limit on the amount of network memory, and + thus mbufs<indexterm><primary>sbsize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>sbsize</secondary></indexterm>, a user may consume in order to limit network + communications.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><literal>stacksize</literal></term> + + <listitem> + <para>The maximum size of a process stack<indexterm><primary>stacksize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>stacksize</secondary></indexterm>. This alone is + not sufficient to limit the amount of memory a program + may use so it should be used in conjunction with other + limits.</para> + </listitem> + </varlistentry> + </variablelist> + + <para>There are a few other things to remember when setting + resource limits. 
Following are some general tips, suggestions, + and miscellaneous comments.</para> + + <itemizedlist> + <listitem> + <para>Processes started at system startup by + <filename>/etc/rc</filename> are assigned to the + <literal>daemon</literal> login class.</para> + </listitem> + + <listitem> + <para>Although the <filename>/etc/login.conf</filename> that + comes with the system is a good source of reasonable values + for most limits, they may not be appropriate for every + system. Setting a limit too high may open the system up to + abuse, while setting it too low may put a strain on + productivity.</para> + </listitem> + + <listitem> + <para>Users of <application>&xorg;</application> should + probably be granted more resources than other users. + <application>&xorg;</application> by itself takes a lot of + resources, but it also encourages users to run more programs + simultaneously.</para> + </listitem> + + <listitem> + <para>Many limits apply to individual processes, not the user + as a whole. For example, setting + <varname>openfiles</varname> to 50 means that each process + the user runs may open up to 50 files. The total amount + of files a user may open is the value of + <literal>openfiles</literal> multiplied by the value of + <literal>maxproc</literal>. This also applies to memory + consumption.</para> + </listitem> + </itemizedlist> + + <para>For further information on resource limits and login classes + and capabilities in general, refer to &man.cap.mkdb.1;, + &man.getrlimit.2;, and &man.login.conf.5;.</para> + </sect2> + + <sect2 id="users-groups"> + <title>Managing Groups</title> + + <indexterm><primary>groups</primary></indexterm> + <indexterm> + <primary><filename>/etc/groups</filename></primary> + </indexterm> + <indexterm> + <primary>accounts</primary> + <secondary>groups</secondary> + </indexterm> + <para>A group is a list of users. A group is identified by its + group name and <acronym>GID</acronym>. 
In &os;, the + kernel uses the <acronym>UID</acronym> of a process, and the + list of groups it belongs to, to determine what the process is + allowed to do. Most of the time, the <acronym>GID</acronym> of + a user or process usually means the first group in the + list.</para> + + <para>The group name to <acronym>GID</acronym> mapping is listed + in <filename>/etc/group</filename>. This is a plain text file + with four colon-delimited fields. The first field is the group + name, the second is the encrypted password, the third the + <acronym>GID</acronym>, and the fourth the comma-delimited list + of members. For a more complete description of the syntax, + refer to &man.group.5;.</para> + + <para>The superuser can modify <filename>/etc/group</filename> + using a text editor. Alternatively, &man.pw.8; can be used to + add and edit groups. For example, to add a group called + <groupname>teamtwo</groupname> and then confirm that it + exists:</para> + + <example> + <title>Adding a Group Using &man.pw.8;</title> + + <screen>&prompt.root; <userinput>pw groupadd teamtwo</userinput> +&prompt.root; <userinput>pw groupshow teamtwo</userinput> +teamtwo:*:1100:</screen> + </example> + + <para>In this example, <literal>1100</literal> is the + <acronym>GID</acronym> of <groupname>teamtwo</groupname>. Right + now, <groupname>teamtwo</groupname> has no members. This + command will add <username>jru</username> as a member of + <groupname>teamtwo</groupname>.</para> + + <example> + <title>Adding User Accounts to a New Group Using + &man.pw.8;</title> + + <screen>&prompt.root; <userinput>pw groupmod teamtwo -M jru</userinput> +&prompt.root; <userinput>pw groupshow teamtwo</userinput> +teamtwo:*:1100:jru</screen> + </example> + + <para>The argument to <option>-M</option> is a comma-delimited + list of users to be added to a new (empty) group or to replace + the members of an existing group. 
To the user, this group + membership is different from (and in addition to) the user's + primary group listed in the password file. This means that + the user will not show up as a member when using + <option>groupshow</option> with &man.pw.8;, but will show up + when the information is queried via &man.id.1; or a similar + tool. When &man.pw.8; is used to add a user to a group, it only + manipulates <filename>/etc/group</filename> and does not attempt + to read additional data from + <filename>/etc/passwd</filename>.</para> + + <example> + <title>Adding a New Member to a Group Using &man.pw.8;</title> + + <screen>&prompt.root; <userinput>pw groupmod teamtwo -m db</userinput> +&prompt.root; <userinput>pw groupshow teamtwo</userinput> +teamtwo:*:1100:jru,db</screen> + </example> + + <para>In this example, the argument to <option>-m</option> is a + comma-delimited list of users who are to be added to the group. + Unlike the previous example, these users are appended to the + group list and do not replace the list of existing users in the + group.</para> + + <example> + <title>Using &man.id.1; to Determine Group Membership</title> + + <screen>&prompt.user; <userinput>id jru</userinput> +uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen> + </example> + + <para>In this example, <username>jru</username> is a member of the + groups <groupname>jru</groupname> and + <groupname>teamtwo</groupname>.</para> + + <para>For more information about this command and the format of + <filename>/etc/group</filename>, refer to &man.pw.8; and + &man.group.5;.</para> + </sect2> + </sect1> + <sect1 id="permissions"> <title>Permissions</title> diff --git a/en_US.ISO8859-1/books/handbook/book.xml b/en_US.ISO8859-1/books/handbook/book.xml index f30705c8e4..e23d7ec009 100644 --- a/en_US.ISO8859-1/books/handbook/book.xml +++ b/en_US.ISO8859-1/books/handbook/book.xml @@ -225,7 +225,6 @@ &chap.config; &chap.boot; - &chap.users; &chap.security; &chap.jails; &chap.mac; 
diff --git a/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml b/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml index 620615895e..70e676e6c6 100644 --- a/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml +++ b/en_US.ISO8859-1/books/handbook/bsdinstall/chapter.xml @@ -2291,7 +2291,7 @@ Trying to mount root from cd9660:/dev/iso9660/FREEBSD_INSTALL [ro]...</screen> installation.</para> <para>For more information on adding users and user management, - see <xref linkend="users"/>.</para> + see <xref linkend="users-synopsis"/>.</para> </sect2> <sect2 id="bsdinstall-final-conf"> diff --git a/en_US.ISO8859-1/books/handbook/chapters.ent b/en_US.ISO8859-1/books/handbook/chapters.ent index 8bcfe3497c..d5cd395e7f 100644 --- a/en_US.ISO8859-1/books/handbook/chapters.ent +++ b/en_US.ISO8859-1/books/handbook/chapters.ent @@ -31,7 +31,6 @@ <!-- Part Three --> <!ENTITY chap.config SYSTEM "config/chapter.xml"> <!ENTITY chap.boot SYSTEM "boot/chapter.xml"> - <!ENTITY chap.users SYSTEM "users/chapter.xml"> <!ENTITY chap.security SYSTEM "security/chapter.xml"> <!ENTITY chap.jails SYSTEM "jails/chapter.xml"> <!ENTITY chap.mac SYSTEM "mac/chapter.xml"> diff --git a/en_US.ISO8859-1/books/handbook/preface/preface.xml b/en_US.ISO8859-1/books/handbook/preface/preface.xml index 1c62859409..4fcdec1d0a 100644 --- a/en_US.ISO8859-1/books/handbook/preface/preface.xml +++ b/en_US.ISO8859-1/books/handbook/preface/preface.xml @@ -415,15 +415,6 @@ options.</para> </listitem> </varlistentry> - <varlistentry> - <term><emphasis><xref linkend="users"/>, Users and Basic Account - Management</emphasis></term> - <listitem> - <para>Describes the creation and manipulation of user - accounts. Also discusses resource limitations that can be - set on users and other account management tasks.</para> - </listitem> - </varlistentry> <varlistentry> <term><emphasis><xref linkend="security"/>, Security</emphasis></term> 
diff --git a/en_US.ISO8859-1/books/handbook/users/Makefile b/en_US.ISO8859-1/books/handbook/users/Makefile deleted file mode 100644 index b44bd80628..0000000000 --- a/en_US.ISO8859-1/books/handbook/users/Makefile +++ /dev/null @@ -1,15 +0,0 @@ -# -# Build the Handbook with just the content from this chapter. -# -# $FreeBSD$ -# - -CHAPTERS= users/chapter.xml - -VPATH= .. - -MASTERDOC= ${.CURDIR}/../${DOC}.${DOCBOOKSUFFIX} - -DOC_PREFIX?= ${.CURDIR}/../../../.. - -.include "../Makefile" diff --git a/en_US.ISO8859-1/books/handbook/users/chapter.xml b/en_US.ISO8859-1/books/handbook/users/chapter.xml deleted file mode 100644 index 9a9b1b27b4..0000000000 --- a/en_US.ISO8859-1/books/handbook/users/chapter.xml +++ /dev/null 
@@ -1,1001 +0,0 @@ -<?xml version="1.0" encoding="iso-8859-1"?> -<!-- - The FreeBSD Documentation Project - - $FreeBSD$ ---> - -<chapter id="users"> - <chapterinfo> - <authorgroup> - <author> - <firstname>Neil</firstname> - <surname>Blakey-Milner</surname> - <contrib>Contributed by </contrib> - </author> - </authorgroup> - <!-- Feb 2000 --> - </chapterinfo> - - <title>Users and Basic Account Management</title> - - <sect1 id="users-synopsis"> - <title>Synopsis</title> - - <para>&os; allows multiple users to use the computer at the same - time. While only one user can sit in front of the screen and - use the keyboard at any one time, any number of users can log - in to the system through the network. To use the system, each - user should have their own user account.</para> - - <para>This chapter describes:</para> - - <itemizedlist> - <listitem> - <para>The different types of user accounts on a - &os; system.</para> - </listitem> - - <listitem> - <para>How to add, remove, and modify user accounts.</para> - </listitem> - - <listitem> - <para>How to set limits to control the - resources that users and - groups are allowed to access.</para> - </listitem> - - <listitem> - <para>How to create groups and add users as members of a group.</para> - </listitem> - </itemizedlist> - </sect1> - - <sect1 id="users-introduction"> - <title>Account Types</title> - - <para>Since all access to the &os; system is achieved using accounts - and all processes are run by users, user and account management - is important.</para> - - <para>There are three main types of accounts: - system accounts, - user accounts, and the - superuser account.</para> - - <sect2 id="users-system"> - <title>System Accounts</title> - - <indexterm> - <primary>accounts</primary> - <secondary>system</secondary> - </indexterm> - - <para>System accounts are used to run services such as DNS, - mail, and web servers. 
The reason for this is security; if - all services ran as the superuser, they could act without - restriction.</para> - - <indexterm> - <primary>accounts</primary> - <secondary><username>daemon</username></secondary> - </indexterm> - <indexterm> - <primary>accounts</primary> - <secondary><username>operator</username></secondary> - </indexterm> - - <para>Examples of system accounts are - <username>daemon</username>, <username>operator</username>, - <username>bind</username>, <username>news</username>, and - <username>www</username>.</para> - - <indexterm> - <primary>accounts</primary> - <secondary><username>nobody</username></secondary> - </indexterm> - - <para><username>nobody</username> is the generic unprivileged - system account. However, the more services that use - <username>nobody</username>, the more files and processes that - user will become associated with, and hence the more - privileged that user becomes.</para> - </sect2> - - <sect2 id="users-user"> - <title>User Accounts</title> - - <indexterm> - <primary>accounts</primary> - <secondary>user</secondary> - </indexterm> - - <para>User accounts are - assigned to real people and are used to log in and use the - system. Every person accessing the system should have a unique - user account. This allows the administrator to find out who - is doing what and prevents users from clobbering the - settings of other users.</para> - - <para>Each user can set up their own environment to accommodate - their use of the system, by configuring their default shell, editor, - key bindings, and language settings.</para> - <para>Every user account on a &os; system has certain information - associated with it:</para> - - <variablelist> - <varlistentry> - <term>User name</term> - - <listitem> - <para>The user name is typed at the <prompt>login:</prompt> - prompt. User names must be unique on the system as no two - users can have the same user name. 
There are a number of - rules for creating valid user names which are documented in - &man.passwd.5;. It is recommended to use user names that consist of eight or - fewer, all lower case characters in order to maintain - backwards compatibility with applications.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>Password</term> - - <listitem> - <para>Each user account should have an associated password. While the - password can be blank, this is highly discouraged.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>User ID (<acronym>UID</acronym>)</term> - - <listitem> - <para>The User ID (<acronym>UID</acronym>) is a number - used to uniquely identify the user to the - &os; system. Commands that - allow a user name to be specified will first convert it to - the <acronym>UID</acronym>. It is recommended to use a UID of - 65535 or lower as higher UIDs may cause compatibility - issues with software that does not support integers larger - than 32-bits.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>Group ID (<acronym>GID</acronym>)</term> - - <listitem> - <para>The Group ID (<acronym>GID</acronym>) is a number used to uniquely identify - the primary group that the user belongs to. Groups are a - mechanism for controlling access to resources based on a - user's <acronym>GID</acronym> rather than their - <acronym>UID</acronym>. This can significantly reduce the - size of some configuration files and allows users to be - members of more than one group. It is recommended to use a GID of - 65535 or lower as higher GIDs may break some - software.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>Login class</term> - - <listitem> - <para>Login classes are an extension to the group mechanism - that provide additional flexibility when tailoring the - system to different users. 
Login classes are discussed - further in <xref linkend="users-limiting"/></para> - </listitem> - </varlistentry> - - <varlistentry> - <term>Password change time</term> - - <listitem> - <para>By default, &os; does not force users to change their - passwords periodically. Password expiration can be - enforced on a per-user basis using &man.pw.8;, forcing some or all users to - change their passwords after a certain amount of time has - elapsed.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>Account expiry time</term> - - <listitem> - <para>By default, &os; does not expire accounts. When - creating accounts that need a limited lifespan, such as - student accounts in a school, specify the account expiry - date using &man.pw.8;. After the expiry time has elapsed, the account - cannot be used to log in to the system, although the - account's directories and files will remain.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>User's full name</term> - - <listitem> - <para>The user name uniquely identifies the account to &os;, - but does not necessarily reflect the user's real name. - Similar to a comment, this information - can contain a space, uppercase characters, and be more - than 8 characters long.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>Home directory</term> - - <listitem> - <para>The home directory is the full path to a directory on - the system. This is the user's starting directory when - the user logs in. A common convention is to put all user - home directories under <filename - class="directory">/home/<replaceable>username</replaceable></filename> - or <filename - class="directory">/usr/home/<replaceable>username</replaceable></filename>. 
- Each user stores their personal files and subdirectories - in their own home directory.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term>User shell</term> - - <listitem> - <para>The shell provides the user's default environment for - interacting with the system. There are many different - kinds of shells and experienced users will have their own - preferences, which can be reflected in their account - settings.</para> - </listitem> - </varlistentry> - </variablelist> - </sect2> - - <sect2 id="users-superuser"> - <title>The Superuser Account</title> - - <indexterm> - <primary>accounts</primary> - <secondary>superuser (root)</secondary> - </indexterm> - - <para>The superuser account, usually called - <username>root</username>, is used to - manage the system with no limitations on privileges. For this - reason, it should not be used for day-to-day - tasks like sending and receiving mail, general exploration of - the system, or programming.</para> - - <para>The superuser, unlike other user - accounts, can operate without limits, and misuse of the - superuser account may result in spectacular disasters. User - accounts are unable to destroy the operating system by mistake, so it is - recommended to login as a user account and to only become the superuser - when a command requires extra privilege.</para> - - <para>Always double and triple-check any commands issued as the - superuser, since an extra space or missing character can mean - irreparable data loss.</para> - - <para>There are several ways to become gain superuser privilege. While one - can log in as <username>root</username>, this is highly discouraged.</para> - - <para>Instead, use &man.su.1; to become the superuser. If - <literal>-</literal> is specified when running this command, the user will also inherit the root user's environment. - The user running this command must - be in the <groupname>wheel</groupname> group or else the command - will fail. 
The user must also know the password for the - <username>root</username> user account.</para> - - <para>In this example, the user only becomes superuser in order to run - <command>make install</command> as this step requires superuser privilege. - Once the command completes, the user types <command>exit</command> - to leave the superuser account and return to the privilege of - their user account.</para> - - <example> - <title>Install a Program As The Superuser</title> - - <screen>&prompt.user; <userinput>configure</userinput> -&prompt.user; <userinput>make</userinput> -&prompt.user; <userinput>su -</userinput> -Password: -&prompt.root; <userinput>make install</userinput> -&prompt.root; <userinput>exit</userinput> -&prompt.user;</screen> - </example> - - <para>The built-in &man.su.1; framework works well for single systems or small - networks with just one system administrator. An alternative - is to install the - <filename role="package">security/sudo</filename> package or port. This software - provides activity logging and allows the administrator to configure which users - can run which commands - as the superuser.</para> - </sect2> - </sect1> - - <sect1 id="users-modifying"> - <title>Managing Accounts</title> - - <indexterm> - <primary>accounts</primary> - <secondary>modifying</secondary> - </indexterm> - - <para>&os; provides a variety of different commands to manage - user accounts. 
The most common commands are summarized below, - followed by more detailed examples of their usage.</para> - - <informaltable frame="none" pgwide="1"> - <tgroup cols="2"> - <colspec colwidth="1*"/> - <colspec colwidth="2*"/> - - <thead> - <row> - <entry>Command</entry> - <entry>Summary</entry> - </row> - </thead> - <tbody> - <row> - <entry>&man.adduser.8;</entry> - <entry>The recommended command-line application for adding - new users.</entry> - </row> - - <row> - <entry>&man.rmuser.8;</entry> - <entry>The recommended command-line application for - removing users.</entry> - </row> - - <row> - <entry>&man.chpass.1;</entry> - <entry>A flexible tool for changing user database - information.</entry> - </row> - - <row> - <entry>&man.passwd.1;</entry> - <entry>The simple command-line tool to change user - passwords.</entry> - </row> - - <row> - <entry>&man.pw.8;</entry> - <entry>A powerful and flexible tool for modifying all - aspects of user accounts.</entry> - </row> - </tbody> - </tgroup> - </informaltable> - - <sect2 id="users-adduser"> - <title><command>adduser</command></title> - - <indexterm> - <primary>accounts</primary> - <secondary>adding</secondary> - </indexterm> - <indexterm> - <primary><command>adduser</command></primary> - </indexterm> - <indexterm> - <primary><filename - class="directory">/usr/share/skel</filename></primary> - </indexterm> - <indexterm><primary>skeleton directory</primary></indexterm> - <para>&man.adduser.8; is a simple program for adding new users - When a new user is added, this program automatically updates - <filename>/etc/passwd</filename> and - <filename>/etc/group</filename>. 
It also creates a home - directory for the new user, copies in the default - configuration files from <filename - class="directory">/usr/share/skel</filename>, and can - optionally mail the new user a welcome message.</para> - - <example> - <title>Adding a User on &os;</title> - - <screen>&prompt.root; <userinput>adduser</userinput> -Username: <userinput>jru</userinput> -Full name: <userinput>J. Random User</userinput> -Uid (Leave empty for default): -Login group [jru]: -Login group is jru. Invite jru into other groups? []: <userinput>wheel</userinput> -Login class [default]: -Shell (sh csh tcsh zsh nologin) [sh]: <userinput>zsh</userinput> -Home directory [/home/jru]: -Home directory permissions (Leave empty for default): -Use password-based authentication? [yes]: -Use an empty password? (yes/no) [no]: -Use a random password? (yes/no) [no]: -Enter password: -Enter password again: -Lock out the account after creation? [no]: -Username : jru -Password : **** -Full Name : J. Random User -Uid : 1001 -Class : -Groups : jru wheel -Home : /home/jru -Shell : /usr/local/bin/zsh -Locked : no -OK? (yes/no): <userinput>yes</userinput> -adduser: INFO: Successfully added (jru) to the user database. -Add another user? (yes/no): <userinput>no</userinput> -Goodbye! -&prompt.root;</screen> - </example> - - <note> - <para>Since the password is not echoed when typed, be careful - to not mistype the password when creating the user - account.</para> - </note> - </sect2> - - <sect2 id="users-rmuser"> - <title><command>rmuser</command></title> - - <indexterm><primary><command>rmuser</command></primary></indexterm> - <indexterm> - <primary>accounts</primary> - <secondary>removing</secondary> - </indexterm> - - <para>To completely remove a user from the system use - &man.rmuser.8;. 
This command performs the following - steps:</para> - - <procedure> - <step> - <para>Removes the user's &man.crontab.1; entry if one - exists.</para> - </step> - - <step> - <para>Removes any &man.at.1; jobs belonging to the - user.</para> - </step> - - <step> - <para>Kills all processes owned by the user.</para> - </step> - - <step> - <para>Removes the user from the system's local password - file.</para> - </step> - - <step> - <para>Removes the user's home directory, if it is owned by - the user.</para> - </step> - - <step> - <para>Removes the incoming mail files belonging to the user - from <filename - class="directory">/var/mail</filename>.</para> - </step> - - <step> - <para>Removes all files owned by the user from temporary - file storage areas such as <filename - class="directory">/tmp</filename>.</para> - </step> - - <step> - <para>Finally, removes the username from all groups to which - it belongs in <filename>/etc/group</filename>.</para> - - <note> - <para>If a group becomes empty and the group name is the - same as the username, the group is removed. This - complements the per-user unique groups created by - &man.adduser.8;.</para> - </note> - </step> - </procedure> - - <para>&man.rmuser.8; cannot be used to remove superuser - accounts since that is almost always an indication of massive - destruction.</para> - - <para>By default, an interactive mode is used, as shown - in the following example.</para> - - <example> - <title><command>rmuser</command> Interactive Account - Removal</title> - - <screen>&prompt.root; <userinput>rmuser jru</userinput> -Matching password entry: -jru:*:1001:1001::0:0:J. Random User:/home/jru:/usr/local/bin/zsh -Is this the entry you wish to remove? <userinput>y</userinput> -Remove user's home directory (/home/jru)? <userinput>y</userinput> -Updating password file, updating databases, done. -Updating group file: trusted (removing group jru -- personal group is empty) done. -Removing user's incoming mail file /var/mail/jru: done. 
-Removing files belonging to jru from /tmp: done. -Removing files belonging to jru from /var/tmp: done. -Removing files belonging to jru from /var/tmp/vi.recover: done. -&prompt.root;</screen> - </example> - </sect2> - - <sect2 id="users-chpass"> - <title><command>chpass</command></title> - - <indexterm><primary><command>chpass</command></primary></indexterm> - <para>&man.chpass.1; can be used to change user database - information such as passwords, shells, and personal - information.</para> - - <para>Only the superuser can change other users' information and - passwords with &man.chpass.1;.</para> - - <para>When passed no options, aside from an optional username, - &man.chpass.1; displays an editor containing user information. - When the user exists from the editor, the user database is - updated with the new information.</para> - - <note> - <para>You will be asked for your password after exiting the - editor if you are not the superuser.</para> - </note> - - <example> - <title>Interactive <command>chpass</command> by - Superuser</title> - - <screen>#Changing user database information for jru. -Login: jru -Password: * -Uid [#]: 1001 -Gid [# or name]: 1001 -Change [month day year]: -Expire [month day year]: -Class: -Home directory: /home/jru -Shell: /usr/local/bin/zsh -Full Name: J. Random User -Office Location: -Office Phone: -Home Phone: -Other information:</screen> - </example> - - <para>A user can change only a small subset of this - information, and only for their own user account.</para> - - <example> - <title>Interactive <command>chpass</command> by Normal - User</title> - - <screen>#Changing user database information for jru. -Shell: /usr/local/bin/zsh -Full Name: J. Random User -Office Location: -Office Phone: -Home Phone: -Other information:</screen> - </example> - - <note> - <para>&man.chfn.1; and &man.chsh.1; are links to - &man.chpass.1;, as are &man.ypchpass.1;, &man.ypchfn.1;, and - &man.ypchsh.1;. 
<acronym>NIS</acronym> support is - automatic, so specifying the <literal>yp</literal> before - the command is not necessary. How to configure NIS is - covered in <xref linkend="network-servers"/>.</para> - </note> - </sect2> - <sect2 id="users-passwd"> - <title><command>passwd</command></title> - - <indexterm><primary><command>passwd</command></primary></indexterm> - <indexterm> - <primary>accounts</primary> - <secondary>changing password</secondary> - </indexterm> - <para>&man.passwd.1; is the usual way to change your own - password as a user, or another user's password as the - superuser.</para> - - <note> - <para>To prevent accidental or unauthorized changes, the user - must enter their original password before a new password can - be set. This is not the case when the superuser changes a - user's password.</para> - </note> - - <example> - <title>Changing Your Password</title> - - <screen>&prompt.user; <userinput>passwd</userinput> -Changing local password for jru. -Old password: -New password: -Retype new password: -passwd: updating the database... -passwd: done</screen> - </example> - - <example> - <title>Changing Another User's Password as the - Superuser</title> - - <screen>&prompt.root; <userinput>passwd jru</userinput> -Changing local password for jru. -New password: -Retype new password: -passwd: updating the database... -passwd: done</screen> - </example> - - <note> - <para>As with &man.chpass.1;, &man.yppasswd.1; is a link to - &man.passwd.1;, so NIS works with either command.</para> - </note> - </sect2> - - - <sect2 id="users-pw"> - <title><command>pw</command></title> - - <indexterm><primary><command>pw</command></primary></indexterm> - - <para>&man.pw.8; is a command line utility to create, remove, - modify, and display users and groups. It functions as a front - end to the system user and group files. 
&man.pw.8; has a very - powerful set of command line options that make it suitable for - use in shell scripts, but new users may find it more - complicated than the other commands presented in this - section.</para> - </sect2> - - - </sect1> - - <sect1 id="users-limiting"> - <title>Limiting Users</title> - - <indexterm><primary>limiting users</primary></indexterm> - <indexterm> - <primary>accounts</primary> - <secondary>limiting</secondary> - </indexterm> - <para>&os; provides several methods for an administrator to limit - the amount of system resources an individual may use. These - limits are discussed in two sections: disk quotas and other - resource limits.</para> - - <indexterm><primary>quotas</primary></indexterm> - <indexterm> - <primary>limiting users</primary> - <secondary>quotas</secondary> - </indexterm> - <indexterm><primary>disk quotas</primary></indexterm> - <para>Disk quotas limit the amount of disk space available to - users and provide a way to quickly check that usage without - calculating it every time. Quotas are discussed in <xref - linkend="quotas"/>.</para> - - <para>The other resource limits include ways to limit the amount - of CPU, memory, and other resources a user may consume. These - are defined using login classes and are discussed here.</para> - - <indexterm> - <primary><filename>/etc/login.conf</filename></primary> - </indexterm> - <para>Login classes are defined in - <filename>/etc/login.conf</filename> and are described in detail - in &man.login.conf.5;. Each user account is assigned to a login - class, <literal>default</literal> by default, and each login - class has a set of login capabilities associated with it. 
A - login capability is a - <literal><replaceable>name</replaceable>=<replaceable>value</replaceable></literal> - pair, where <replaceable>name</replaceable> is a well-known - identifier and <replaceable>value</replaceable> is an arbitrary - string which is processed accordingly depending on the - <replaceable>name</replaceable>. Setting up login classes and - capabilities is rather straightforward and is also described in - &man.login.conf.5;.</para> - - <note> - <para>&os; does not normally read the configuration in - <filename>/etc/login.conf</filename> directly, but instead - reads the <filename>/etc/login.conf.db</filename> database - which provides faster lookups. Whenever - <filename>/etc/login.conf</filename> is edited, the - <filename>/etc/login.conf.db</filename> must be updated by - executing the following command:</para> - - <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> - </note> - - <para>Resource limits differ from the default login capabilities - in two ways. First, for every limit, there is a soft (current) - and hard limit. A soft limit may be adjusted by the user or - application, but may not be set higher than the hard limit. The - hard limit may be lowered by the user, but can only be raised - by the superuser. Second, most resource limits apply per - process to a specific user, not to the user as a whole. These - differences are mandated by the specific handling of the limits, - not by the implementation of the login capability - framework.</para> - - <para>Below are the most commonly used resource limits. 
The rest - of the limits, along with all the other login capabilities, can - be found in &man.login.conf.5;.</para> - - <variablelist> - <varlistentry> - <term><literal>coredumpsize</literal></term> - - <listitem> - <para>The limit on the size of a core file<indexterm><primary>coredumpsize</primary></indexterm> generated by a - program is subordinate to other limits<indexterm><primary>limiting users</primary><secondary>coredumpsize</secondary></indexterm> on disk usage, such - as <literal>filesize</literal>, or disk quotas. - This limit is often used as a less-severe method of - controlling disk space consumption. Since users do not - generate core files themselves, and often do not delete - them, setting this may save them from running out of disk - space should a large program crash.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>cputime</literal></term> - - <listitem> - <para>The maximum amount of CPU<indexterm><primary>cputime</primary></indexterm><indexterm><primary>limiting users</primary><secondary>cputime</secondary></indexterm> time a user's process may - consume. Offending processes will be killed by the - kernel.</para> - - <note> - <para>This is a limit on CPU <emphasis>time</emphasis> - consumed, not percentage of the CPU as displayed in - some fields by &man.top.1; and &man.ps.1;.</para> - </note> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>filesize</literal></term> - - <listitem> - <para>The maximum size of a file<indexterm><primary>filesize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>filesize</secondary></indexterm> the user may own. 
Unlike - <link linkend="quotas">disk quotas</link>, this limit is - enforced on individual files, not the set of all files a - user owns.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>maxproc</literal></term> - - <listitem> - <para>The maximum number of processes<indexterm><primary>maxproc</primary></indexterm><indexterm><primary>limiting users</primary><secondary>maxproc</secondary></indexterm> a user can run. This - includes foreground and background processes. This limit - may not be larger than the system limit specified by the - <varname>kern.maxproc</varname> &man.sysctl.8;. Setting - this limit too small may hinder a user's productivity as - it is often useful to be logged in multiple times or to - execute pipelines. Some tasks, such as compiling a large - program, spawn multiple processes and other intermediate - preprocessors.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>memorylocked</literal></term> - - <listitem> - <para>The maximum amount of memory<indexterm><primary>memorylocked</primary></indexterm><indexterm><primary>limiting users</primary><secondary>memorylocked</secondary></indexterm> a process may request - to be locked into main memory using &man.mlock.2;. Some - system-critical programs, such as &man.amd.8;, lock into - main memory so that if the system begins to swap, they do - not contribute to disk thrashing.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>memoryuse</literal></term> - - <listitem> - <para>The maximum amount of memory<indexterm><primary>memoryuse</primary></indexterm><indexterm><primary>limiting users</primary><secondary>memoryuse</secondary></indexterm> a process may consume at - any given time. It includes both core memory and swap - usage. 
This is not a catch-all limit for restricting - memory consumption, but is a good start.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>openfiles</literal></term> - - <listitem> - <para>The maximum number of files a process may have open<indexterm><primary>openfiles</primary></indexterm><indexterm><primary>limiting users</primary><secondary>openfiles</secondary></indexterm>. - In &os;, files are used to represent sockets and IPC - channels, so be careful not to set this too low. The - system-wide limit for this is defined by the - <varname>kern.maxfiles</varname> &man.sysctl.8;.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>sbsize</literal></term> - - <listitem> - <para>The limit on the amount of network memory, and - thus mbufs<indexterm><primary>sbsize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>sbsize</secondary></indexterm>, a user may consume in order to limit network - communications.</para> - </listitem> - </varlistentry> - - <varlistentry> - <term><literal>stacksize</literal></term> - - <listitem> - <para>The maximum size of a process stack<indexterm><primary>stacksize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>stacksize</secondary></indexterm>. This alone is - not sufficient to limit the amount of memory a program - may use so it should be used in conjunction with other - limits.</para> - </listitem> - </varlistentry> - </variablelist> - - <para>There are a few other things to remember when setting - resource limits. 
Following are some general tips, suggestions, - and miscellaneous comments.</para> - - <itemizedlist> - <listitem> - <para>Processes started at system startup by - <filename>/etc/rc</filename> are assigned to the - <literal>daemon</literal> login class.</para> - </listitem> - - <listitem> - <para>Although the <filename>/etc/login.conf</filename> that - comes with the system is a good source of reasonable values - for most limits, they may not be appropriate for every - system. Setting a limit too high may open the system up to - abuse, while setting it too low may put a strain on - productivity.</para> - </listitem> - - <listitem> - <para>Users of <application>&xorg;</application> should - probably be granted more resources than other users. - <application>&xorg;</application> by itself takes a lot of - resources, but it also encourages users to run more programs - simultaneously.</para> - </listitem> - - <listitem> - <para>Many limits apply to individual processes, not the user - as a whole. For example, setting - <varname>openfiles</varname> to 50 means that each process - the user runs may open up to 50 files. The total amount - of files a user may open is the value of - <literal>openfiles</literal> multiplied by the value of - <literal>maxproc</literal>. This also applies to memory - consumption.</para> - </listitem> - </itemizedlist> - - <para>For further information on resource limits and login classes - and capabilities in general, refer to &man.cap.mkdb.1;, - &man.getrlimit.2;, and &man.login.conf.5;.</para> - </sect1> - - <sect1 id="users-groups"> - <title>Managing Groups</title> - - <indexterm><primary>groups</primary></indexterm> - <indexterm> - <primary><filename>/etc/groups</filename></primary> - </indexterm> - <indexterm> - <primary>accounts</primary> - <secondary>groups</secondary> - </indexterm> - <para>A group is a list of users. A group is identified by its - group name and <acronym>GID</acronym>. 
In &os;, the - kernel uses the <acronym>UID</acronym> of a process, and the - list of groups it belongs to, to determine what the process is - allowed to do. Most of the time, the <acronym>GID</acronym> of - a user or process usually means the first group in the - list.</para> - - <para>The group name to <acronym>GID</acronym> mapping is listed - in <filename>/etc/group</filename>. This is a plain text file - with four colon-delimited fields. The first field is the group - name, the second is the encrypted password, the third the - <acronym>GID</acronym>, and the fourth the comma-delimited list - of members. For a more complete description of the syntax, - refer to &man.group.5;.</para> - - <para>The superuser can modify <filename>/etc/group</filename> - using a text editor. Alternatively, &man.pw.8; can be used to - add and edit groups. For example, to add a group called - <groupname>teamtwo</groupname> and then confirm that it - exists:</para> - - <example> - <title>Adding a Group Using &man.pw.8;</title> - - <screen>&prompt.root; <userinput>pw groupadd teamtwo</userinput> -&prompt.root; <userinput>pw groupshow teamtwo</userinput> -teamtwo:*:1100:</screen> - </example> - - <para>In this example, <literal>1100</literal> is the - <acronym>GID</acronym> of <groupname>teamtwo</groupname>. Right - now, <groupname>teamtwo</groupname> has no members. This - command will add <username>jru</username> as a member of - <groupname>teamtwo</groupname>.</para> - - <example> - <title>Adding User Accounts to a New Group Using - &man.pw.8;</title> - - <screen>&prompt.root; <userinput>pw groupmod teamtwo -M jru</userinput> -&prompt.root; <userinput>pw groupshow teamtwo</userinput> -teamtwo:*:1100:jru</screen> - </example> - - <para>The argument to <option>-M</option> is a comma-delimited - list of users to be added to a new (empty) group or to replace - the members of an existing group. 
To the user, this group - membership is different from (and in addition to) the user's - primary group listed in the password file. This means that - the user will not show up as a member when using - <option>groupshow</option> with &man.pw.8;, but will show up - when the information is queried via &man.id.1; or a similar - tool. When &man.pw.8; is used to add a user to a group, it only - manipulates <filename>/etc/group</filename> and does not attempt - to read additional data from - <filename>/etc/passwd</filename>.</para> - - <example> - <title>Adding a New Member to a Group Using &man.pw.8;</title> - - <screen>&prompt.root; <userinput>pw groupmod teamtwo -m db</userinput> -&prompt.root; <userinput>pw groupshow teamtwo</userinput> -teamtwo:*:1100:jru,db</screen> - </example> - - <para>In this example, the argument to <option>-m</option> is a - comma-delimited list of users who are to be added to the group. - Unlike the previous example, these users are appended to the - group list and do not replace the list of existing users in the - group.</para> - - <example> - <title>Using &man.id.1; to Determine Group Membership</title> - - <screen>&prompt.user; <userinput>id jru</userinput> -uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen> - </example> - - <para>In this example, <username>jru</username> is a member of the - groups <groupname>jru</groupname> and - <groupname>teamtwo</groupname>.</para> - - <para>For more information about this command and the format of - <filename>/etc/group</filename>, refer to &man.pw.8; and - &man.group.5;.</para> - </sect1> -</chapter>
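Review bot: The indexterm `<primary><filename>/etc/groups</filename></primary>` at the top of the removed "Managing Groups" section names a file that does not exist; the file is `/etc/group`, as the section's own prose and the `&man.group.5;` reference say. Since this text is being moved into basics/chapter.xml rather than dropped, please make sure the carried-over copy reads `<filename>/etc/group</filename>` so the index entry points readers at the right file. Two smaller wording points worth fixing in the moved copy while you are there: "Most of the time, the GID of a user or process usually means the first group in the list" says the same thing twice (drop either "Most of the time" or "usually"), and the sentence "This means that the user will not show up as a member when using groupshow ... but will show up when the information is queried via id" is easy to misread right after the `pw groupmod teamtwo -M jru` example, where jru does show up in `groupshow`; it should say explicitly that it is the primary group from /etc/passwd that is absent from the /etc/group member list.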