From 898791508c909cc74d547c2196468298136dfd6c Mon Sep 17 00:00:00 2001
From: Neil Blakey-Milner <nbm@FreeBSD.org>
Date: Wed, 8 Mar 2000 11:12:22 +0000
Subject: [PATCH] Add the users chapter, as discussed on -doc.

Reviewed by:	freebsd-doc
---
 en_US.ISO8859-1/books/handbook/Makefile       |   3 +-
 en_US.ISO8859-1/books/handbook/book.sgml      |   5 +-
 en_US.ISO8859-1/books/handbook/chapters.ent   |   3 +-
 .../books/handbook/users/chapter.sgml         | 425 ++++++++++++++++++
 en_US.ISO_8859-1/books/handbook/Makefile      |   3 +-
 en_US.ISO_8859-1/books/handbook/book.sgml     |   5 +-
 en_US.ISO_8859-1/books/handbook/chapters.ent  |   3 +-
 .../books/handbook/users/chapter.sgml         | 425 ++++++++++++++++++
 8 files changed, 864 insertions(+), 8 deletions(-)
 create mode 100644 en_US.ISO8859-1/books/handbook/users/chapter.sgml
 create mode 100644 en_US.ISO_8859-1/books/handbook/users/chapter.sgml

diff --git a/en_US.ISO8859-1/books/handbook/Makefile b/en_US.ISO8859-1/books/handbook/Makefile
index d2b5b4df67..dc859e7253 100644
--- a/en_US.ISO8859-1/books/handbook/Makefile
+++ b/en_US.ISO8859-1/books/handbook/Makefile
@@ -1,5 +1,5 @@
 # 
-# $FreeBSD$
+# $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/Makefile,v 1.26 1999/09/06 06:52:44 peter Exp $
 #
 # Build the FreeBSD Handbook.
 #
@@ -47,6 +47,7 @@ SRCS+= quotas/chapter.sgml
 SRCS+= security/chapter.sgml
 SRCS+= serialcomms/chapter.sgml
 SRCS+= staff/chapter.sgml
+SRCS+= users/chapter.sgml
 SRCS+= x11/chapter.sgml
 SRCS+= ports/chapter.sgml
 
diff --git a/en_US.ISO8859-1/books/handbook/book.sgml b/en_US.ISO8859-1/books/handbook/book.sgml
index 506aa8db83..7105fec7b8 100644
--- a/en_US.ISO8859-1/books/handbook/book.sgml
+++ b/en_US.ISO8859-1/books/handbook/book.sgml
@@ -1,7 +1,7 @@
 <!--
      The FreeBSD Documentation Project
 
-     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/book.sgml,v 1.82 2000/01/11 17:25:37 jdp Exp $
+     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/book.sgml,v 1.83 2000/01/20 11:28:56 nbm Exp $
 -->
 
 <!DOCTYPE BOOK PUBLIC "-//FreeBSD//DTD DocBook V3.1-Based Extension//EN" [
@@ -76,7 +76,8 @@
     &chap.introduction;
     &chap.install;
     &chap.basics;
-    &chap.ports
+    &chap.ports;
+    &chap.users;
   </part>
   
   <part>
diff --git a/en_US.ISO8859-1/books/handbook/chapters.ent b/en_US.ISO8859-1/books/handbook/chapters.ent
index 5fbe889406..64101f5af5 100644
--- a/en_US.ISO8859-1/books/handbook/chapters.ent
+++ b/en_US.ISO8859-1/books/handbook/chapters.ent
@@ -6,7 +6,7 @@
    
      Chapters should be listed in the order in which they are referenced.
  
-     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/chapters.ent,v 1.4 1999/09/06 06:52:47 peter Exp $
+     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/chapters.ent,v 1.5 2000/01/20 11:28:59 nbm Exp $
 -->
 
 <!-- Part one -->
@@ -14,6 +14,7 @@
 <!ENTITY chap.install			SYSTEM "install/chapter.sgml">
 <!ENTITY chap.basics			SYSTEM "basics/chapter.sgml">
 <!ENTITY chap.ports			SYSTEM "ports/chapter.sgml">
+<!ENTITY chap.users			SYSTEM "users/chapter.sgml">
 
 <!-- Part two -->
 <!ENTITY chap.kernelconfig		SYSTEM "kernelconfig/chapter.sgml">
diff --git a/en_US.ISO8859-1/books/handbook/users/chapter.sgml b/en_US.ISO8859-1/books/handbook/users/chapter.sgml
new file mode 100644
index 0000000000..7cd67e2bf5
--- /dev/null
+++ b/en_US.ISO8859-1/books/handbook/users/chapter.sgml
@@ -0,0 +1,425 @@
+<!--
+     The FreeBSD Documentation Project
+
+     $FreeBSD$
+-->
+
+<chapter id="users">
+  <title>Users and basic account management</title>
+  
+  <sect1 id="users-synopsis">
+    <title>Synopsis</title>
+    
+    <para><emphasis>Contributed by &a.nbm; February 2000</emphasis>.</para>
+    
+    <para>All access to the system is achieved via accounts, and all
+      processes are run by users, so user and account management are
+      of integral importance on FreeBSD systems.</para>
+
+    <para>There are three main types of accounts; the <link
+	linkend="users-superuser">Superuser</link>, <link
+	linkend="users-system">system users</link>, and <link
+	linkend="users-user">user accounts</link>.  The Superuser
+      account, usually called <username>root</username>, is used to
+      manage the system with no limitations on privileges.  System
+      users run services.  Finally, user accounts are used by real
+      people, who log on, read mail, and so forth.</para>
+  </sect1>
+    
+  <sect1 id="users-superuser">
+    <title>The superuser account</title>
+    
+    <para>The superuser account, usually called
+      <username>root</username>, comes preconfigured, and facilitates
+      system administration, and should not be used for day-to-date
+      tasks like sending and receiving mail, general exploration of
+      the system, or programming.</para>
+      
+    <para>This is because the superuser, unlike normal user accounts,
+      can operate without limits, and misuse of the superuse account
+      may result in spectacular disasters.  User accounts are unable
+      to destroy the system by mistake, so it is generally best to use
+      normal user accounts whenever possible, unless you especially
+      need the extra privilege.</para>
+
+    <para>In addition, always double and triple-check commands you
+      issue as the superuser, since an extra space or missing
+      character can mean irreparable data loss.  Those extra
+      privileges you needed when you decided to change to the
+      superuser mean that the safeguards of your normal user account
+      no longer apply.</para>
+
+    <para>So, the first thing you should do after reading this
+      chapter, is to create an unprivileged user account for yourself
+      for general usage, if you haven't already.  This applies equally
+      whether you're running a multi-user or single-user machine.
+      Later in this chapter, we discuss how to create additional
+      accounts, and how to change between the normal user and
+      superuser.</para>
+  </sect1>
+    
+  <sect1 id="users-system">
+    <title>System accounts</title>
+
+    <para>System users are those used to run services such as DNS,
+      mail, web servers, and so forth.  The reason for this is
+      security, as if all services ran as the superuser, they could
+      act without restriction.</para>
+
+    <para>Examples of system users are <username>daemon</username>,
+      <username>operator</username>, <username>bind</username> (for
+      the Domain Name Service), and <username>news</username>.  Often
+      sysadmins create <username>httpd</username> to run web servers
+      they install.</para>
+
+    <para><username>nobody</username> is the generic unprivileged
+      system user, but the more services that use
+      <username>nobody</username>, the more privileged it
+      becomes.</para>
+  </sect1>
+
+  <sect1 id="users-user">
+    <title>User accounts</title>
+
+    <para>User accounts are the primary means of access for real
+      people to the system, and these accounts insulate the user and
+      the environment, preventing the users from damaging the system
+      or other users, and allowing users to customize their
+      environment without affecting others.</para>
+
+    <para>Every person accessing your system should have their own
+      unique user account.  This allows you to find out who is doing
+      what, and prevent people from clobbering each others' settings,
+      and reading mail meant for the other, and so forth.</para>
+
+    <para>Each user can set up their own environment to accomodate
+      their use of the system, by using alternate shells, editors, key
+      bindings, and language.</para>
+  </sect1>
+
+  <sect1 id="users-modifying">
+    <title>Modifying accounts</title>
+
+    <para><application>pw</application> is a powerful and flexible
+      means to modify accounts, but <application>adduser</application>
+      is recommended for creating new accounts, and
+      <application>rmuser</application> for deleting accounts.</para>
+
+    <para><application>chpass</application> allows both the system
+      administrator and normal users to adjust passwords, shells, and
+      personal information.  <application>passwd</application> is the
+      more common means to change passwords specifically,
+      however.</para>
+
+
+    <sect2 id="users-adduser">
+      <title>adduser</title>
+
+      <para><application>adduser</application> is a simple program for
+	adding new users.  It creates <filename>passwd</filename> and
+	<filename>group</filename> entries for the user, as well as
+	creating their home directory, copy in some default dotfiles
+	from <filename>/usr/share/skel</filename>, and can optionally
+	mail the user a welcome message.</para>
+
+      <para>To create the initial configuration file, use
+	<command>adduser -s -config_create</command>.
+	<footnote>
+	  <para>The <option>-s</option> makes adduser default to
+	    quiet.  We use <option>-v</option> later when we want to
+	    change defaults.</para>
+	</footnote>Next, we configure adduser defaults, and create our
+	first user account, since using root for normal usage is evil
+	and nasty.</para>
+
+      <example>
+	<title>Changing the configuration for adduser</title>
+
+	<screen>&prompt.root; <userinput>adduser -v</userinput>
+Use option ``-silent'' if you don't want to see all warnings and questions.
+Check /etc/shells
+Check /etc/master.passwd
+Check /etc/group
+Enter your default shell: csh date no sh tcsh [sh]: <userinput>tcsh</userinput>
+Your default shell is: tcsh -> /usr/local/bin/tcsh
+Enter your default HOME partition: [/home]:
+Copy dotfiles from: /usr/share/skel no [/usr/share/skel]: 
+Send message from file: /etc/adduser.message no 
+[/etc/adduser.message]: <userinput>no</userinput>
+Do not send message
+Use passwords (y/n) [y]: <userinput>y</userinput>
+
+Write your changes to /etc/adduser.conf? (y/n) [n]: <userinput>y</userinput>
+
+Ok, let's go.
+Don't worry about mistakes. I will give you the chance later to correct any input.
+Enter username [a-z0-9_-]: <userinput>jru</userinput>
+Enter full name []: <userinput>J. Random User</userinput>
+Enter shell csh date no sh tcsh [tcsh]: 
+Enter home directory (full path) [/home/jru]: 
+Uid [1001]: 
+Enter login class: default []: 
+Login group jru [jru]: 
+Login group is ``jru''. Invite jru into other groups: guest no 
+[no]: <userinput>wheel</userinput>
+Enter password []: 
+Enter password again []: 
+
+Name:	  jru
+Password: ****
+Fullname: J. Random User
+Uid:	  1007
+Gid:	  1007 (jru)
+Class:	  
+Groups:	  jru wheel
+HOME:     /home/jru
+Shell:	  /usr/local/bin/tcsh
+OK? (y/n) [y]: <userinput>y</userinput>
+Added user ``jru''
+Copy files from /usr/share/skel to /home/jru
+Add another user? (y/n) [y]: <userinput>n</userinput>
+Goodbye!
+&prompt.root;</screen>
+      </example>
+
+      <para>In summary, we changed the default shell to
+	<application>tcsh</application> (an additional shell found in
+	packages), and turned off the sending of a welcome mail to
+	added users.  We then saved the configuration, and then
+	created an account for <username>jru</username>, and we made
+	sure <username>jru</username> is in <username>wheel</username>
+	group (which we'll see is important later).</para>
+
+      <note>
+	<para>The password you type in isn't echoed, nor are asterisks
+	  displayed.  Make sure you don't mistype the password twice
+	  :-)</para>
+      </note>
+
+      <note>
+	<para>Just use <command>adduser</command> without arguments
+	  from now on, and you won't have to go through changing the
+	  defaults.  If the program asks you to change the defaults,
+	  exit the program, and try the <option>-s</option>
+	  option.</para>
+      </note>
+    </sect2>
+
+    <sect2 id="users-rmuser">
+      <title>rmuser</title>
+
+      <para><application>rmuser</application> removes users from the
+	system, including any traces beyond the user database.</para>
+
+      <para><application>rmuser</application> performs the following
+	steps:</para>
+
+      <procedure>
+	<step>
+	  <para>Removes the user's &man.crontab.1; entry (if
+	    any).</para>
+	</step>
+	<step>
+	  <para>Removes any &man.at.1; jobs belonging to the
+	    user.</para>
+	</step>
+	<step>
+	  <para>Kills all processes owned by the user</para>
+	</step>
+	<step>
+	  <para>Removes the user from the system's local password
+	    file.</para>
+	</step>
+	<step>
+	  <para>Removes the user's home directory (if it is owned by
+	    the user)</para>
+	</step>
+	<step>
+	  <para>Removes the incoming mail files belonging to the user
+	    from <filename>/var/mail</filename>.</para>
+	</step>
+	<step>
+	  <para>Removes all files owned by the user from temporary
+	    file storage areas such as <filename>/tmp</filename>.</para>
+	</step>
+	<step>
+	  <para>Finally, removes the username from all groups to which
+	    it belongs in <filename>/etc/group</filename>.
+	    
+	    <note>
+	      <para>If a group becomes empty and the group name is the
+		same as the username, the group is removed; this
+		complements the per-user unique groups created by
+		&man.adduser.8;.</para>
+	    </note>
+	  </para>
+	</step>
+      </procedure>
+
+      <para><application>rmuser</application> can't be used to remove
+	superuser accounts, since that is almost always an indication
+	of massive destruction.</para>
+
+      <para>By default, an interactive mode is used, which attempts to
+	make sure you know what you're doing.</para>
+
+      <example>
+	<title>rmuser interactive account removal</title>
+
+	<screen>&prompt.root; <userinput>rmuser jru</userinput>
+Matching password entry:
+jru:*:1000:1000::0:0:J. Random User:/home/jru:/usr/local/bin/tcsh
+Is this the entry you wish to remove? <userinput>y</userinput>
+Remove user's home directory (/home/jru)? <userinput>y</userinput>
+Updating password file, updating databases, done.
+Updating group file: trusted (removing group jru -- personal group is empty) done.
+Removing user's incoming mail file /var/mail/jru: done.
+Removing files belonging to jru from /tmp: done.
+Removing files belonging to jru from /var/tmp: done.
+Removing files belonging to jru from /var/tmp/vi.recover: done.
+&prompt.root;</screen>
+      </example>
+    </sect2>
+
+    <sect2 id="users-pw">
+      <title>pw</title>
+
+      <para><application>pw</application> is a command line utility to
+	create, remove, modify, and display users and groups, and
+	functions as an editor of the system user and group
+	files.</para>
+
+      <para>It is designed to be useful both as a directly executed
+	command and for use from shell scripts.</para>
+
+      <para>&man.pw.8; has all the information.</para>
+    </sect2>
+
+    <sect2 id="users-chpass">
+      <title>chpass</title>
+
+      <para><application>chpass</application> changes user database
+	information such as passwords, shells, and personal
+	information.</para>
+
+      <para>Only system administrators, as the superuser, may change
+	other users' information and passwords with chpass.</para>
+
+      <para>Passed no options, besides the optional username,
+	<application>chpass</application> displays an editor
+	containing user information, and upon exit from the editor,
+	attempts to change the information in the user
+	database.</para>
+
+      <example>
+	<title>Interactive chpass by superuser</title>
+
+	<screen>#Changing user database information for jru.
+Login: jru
+Password: *
+Uid [#]: 1000
+Gid [# or name]: 1000
+Change [month day year]:
+Expire [month day year]:
+Class:
+Home directory: /home/jru
+Shell: /usr/local/bin/tcsh
+Full Name: J. Random User
+Office Location:
+Office Phone:
+Home Phone:
+Other information:</screen>
+      </example>
+
+      <para>The normal user can change only a small subsection of this
+	information, and only for themselves.</para>
+
+      <example>
+	<title>Interactive chpass by normal user</title>
+
+	<screen>#Changing user database information for jru.
+Shell: /usr/local/bin/tcsh
+Full Name: J. Random User
+Office Location:
+Office Phone:
+Home Phone:
+Other information:</screen>
+      </example>
+
+      <note>
+	<para><command>chfn</command> and <command>chsh</command> are
+	  just links to chpass, as are <command>ypchpass</command>,
+	  <command>ypchfn</command>, and
+	  <command>ypchsh</command>.  NIS support is automatic, so
+	  specifying the <literal>yp</literal> before the command is
+	  not necessary.</para>
+      </note>
+    </sect2>
+    <sect2 id="users-passwd">
+      <title>passwd</title>
+
+      <para><application>passwd</application> is the usual way to
+	change your own password as a user, or another user's password
+	as the superuser.</para>
+
+      <note>
+	<para>Users must type in their original password before
+	  changing their password, to prevent an unauthorized person
+	  from changing their password when the user is away from
+	  their console.</para>
+      </note>
+
+      <example>
+	<title>passwd</title>
+
+	<screen>&prompt.user; <userinput>passwd</userinput>
+Changing local password for jru.
+Old password:
+New password:
+Retype new password:
+passwd: updating the database...
+passwd: done
+
+&prompt.root; <userinput>passwd jru</userinput>
+Changing local password for jru.
+New password:
+Retype new password:
+passwd: updating the database...
+passwd: done</screen>
+      </example>
+
+      <note>
+	<para><command>yppasswd</command> is just a link to
+	  <command>yppasswd</command>.  NIS support is automatic, so
+	  specifying the <literal>yp</literal> before the command is
+	  not necessary.</para>
+      </note>
+    </sect2>
+  </sect1>
+
+  <sect1 id="users-limiting-and-personalizing">
+    <title>Limiting and personalizing users</title>
+
+    <para>Quotas allow the system administrator to set disk usage
+      maximums, and users to check their disk usage, if quotas are
+      used on the system.  Quotas are discussed in their <link
+	linkend="quotas">own chapter</link>.</para>
+
+    <para>Localization is an environment set up by the system
+      administrator or user to accomodate different languages,
+      character sets, date and time standards, and so on.  This is
+      discussed in the <link linkend="l10n">localization</link>
+      chapter.</para>
+  </sect1>
+</chapter>
+
+<!-- 
+     Local Variables:
+     mode: sgml
+     sgml-declaration: "../chapter.decl"
+     sgml-indent-data: t
+     sgml-omittag: nil
+     sgml-always-quote-attributes: t
+     sgml-parent-document: ("../book.sgml" "part" "chapter")
+     End:
+-->
diff --git a/en_US.ISO_8859-1/books/handbook/Makefile b/en_US.ISO_8859-1/books/handbook/Makefile
index d2b5b4df67..dc859e7253 100644
--- a/en_US.ISO_8859-1/books/handbook/Makefile
+++ b/en_US.ISO_8859-1/books/handbook/Makefile
@@ -1,5 +1,5 @@
 # 
-# $FreeBSD$
+# $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/Makefile,v 1.26 1999/09/06 06:52:44 peter Exp $
 #
 # Build the FreeBSD Handbook.
 #
@@ -47,6 +47,7 @@ SRCS+= quotas/chapter.sgml
 SRCS+= security/chapter.sgml
 SRCS+= serialcomms/chapter.sgml
 SRCS+= staff/chapter.sgml
+SRCS+= users/chapter.sgml
 SRCS+= x11/chapter.sgml
 SRCS+= ports/chapter.sgml
 
diff --git a/en_US.ISO_8859-1/books/handbook/book.sgml b/en_US.ISO_8859-1/books/handbook/book.sgml
index 506aa8db83..7105fec7b8 100644
--- a/en_US.ISO_8859-1/books/handbook/book.sgml
+++ b/en_US.ISO_8859-1/books/handbook/book.sgml
@@ -1,7 +1,7 @@
 <!--
      The FreeBSD Documentation Project
 
-     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/book.sgml,v 1.82 2000/01/11 17:25:37 jdp Exp $
+     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/book.sgml,v 1.83 2000/01/20 11:28:56 nbm Exp $
 -->
 
 <!DOCTYPE BOOK PUBLIC "-//FreeBSD//DTD DocBook V3.1-Based Extension//EN" [
@@ -76,7 +76,8 @@
     &chap.introduction;
     &chap.install;
     &chap.basics;
-    &chap.ports
+    &chap.ports;
+    &chap.users;
   </part>
   
   <part>
diff --git a/en_US.ISO_8859-1/books/handbook/chapters.ent b/en_US.ISO_8859-1/books/handbook/chapters.ent
index 5fbe889406..64101f5af5 100644
--- a/en_US.ISO_8859-1/books/handbook/chapters.ent
+++ b/en_US.ISO_8859-1/books/handbook/chapters.ent
@@ -6,7 +6,7 @@
    
      Chapters should be listed in the order in which they are referenced.
  
-     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/chapters.ent,v 1.4 1999/09/06 06:52:47 peter Exp $
+     $FreeBSD: doc/en_US.ISO_8859-1/books/handbook/chapters.ent,v 1.5 2000/01/20 11:28:59 nbm Exp $
 -->
 
 <!-- Part one -->
@@ -14,6 +14,7 @@
 <!ENTITY chap.install			SYSTEM "install/chapter.sgml">
 <!ENTITY chap.basics			SYSTEM "basics/chapter.sgml">
 <!ENTITY chap.ports			SYSTEM "ports/chapter.sgml">
+<!ENTITY chap.users			SYSTEM "users/chapter.sgml">
 
 <!-- Part two -->
 <!ENTITY chap.kernelconfig		SYSTEM "kernelconfig/chapter.sgml">
diff --git a/en_US.ISO_8859-1/books/handbook/users/chapter.sgml b/en_US.ISO_8859-1/books/handbook/users/chapter.sgml
new file mode 100644
index 0000000000..7cd67e2bf5
--- /dev/null
+++ b/en_US.ISO_8859-1/books/handbook/users/chapter.sgml
@@ -0,0 +1,425 @@
+<!--
+     The FreeBSD Documentation Project
+
+     $FreeBSD$
+-->
+
+<chapter id="users">
+  <title>Users and basic account management</title>
+  
+  <sect1 id="users-synopsis">
+    <title>Synopsis</title>
+    
+    <para><emphasis>Contributed by &a.nbm; February 2000</emphasis>.</para>
+    
+    <para>All access to the system is achieved via accounts, and all
+      processes are run by users, so user and account management are
+      of integral importance on FreeBSD systems.</para>
+
+    <para>There are three main types of accounts; the <link
+	linkend="users-superuser">Superuser</link>, <link
+	linkend="users-system">system users</link>, and <link
+	linkend="users-user">user accounts</link>.  The Superuser
+      account, usually called <username>root</username>, is used to
+      manage the system with no limitations on privileges.  System
+      users run services.  Finally, user accounts are used by real
+      people, who log on, read mail, and so forth.</para>
+  </sect1>
+    
+  <sect1 id="users-superuser">
+    <title>The superuser account</title>
+    
+    <para>The superuser account, usually called
+      <username>root</username>, comes preconfigured, and facilitates
+      system administration, and should not be used for day-to-date
+      tasks like sending and receiving mail, general exploration of
+      the system, or programming.</para>
+      
+    <para>This is because the superuser, unlike normal user accounts,
+      can operate without limits, and misuse of the superuse account
+      may result in spectacular disasters.  User accounts are unable
+      to destroy the system by mistake, so it is generally best to use
+      normal user accounts whenever possible, unless you especially
+      need the extra privilege.</para>
+
+    <para>In addition, always double and triple-check commands you
+      issue as the superuser, since an extra space or missing
+      character can mean irreparable data loss.  Those extra
+      privileges you needed when you decided to change to the
+      superuser mean that the safeguards of your normal user account
+      no longer apply.</para>
+
+    <para>So, the first thing you should do after reading this
+      chapter, is to create an unprivileged user account for yourself
+      for general usage, if you haven't already.  This applies equally
+      whether you're running a multi-user or single-user machine.
+      Later in this chapter, we discuss how to create additional
+      accounts, and how to change between the normal user and
+      superuser.</para>
+  </sect1>
+    
+  <sect1 id="users-system">
+    <title>System accounts</title>
+
+    <para>System users are those used to run services such as DNS,
+      mail, web servers, and so forth.  The reason for this is
+      security, as if all services ran as the superuser, they could
+      act without restriction.</para>
+
+    <para>Examples of system users are <username>daemon</username>,
+      <username>operator</username>, <username>bind</username> (for
+      the Domain Name Service), and <username>news</username>.  Often
+      sysadmins create <username>httpd</username> to run web servers
+      they install.</para>
+
+    <para><username>nobody</username> is the generic unprivileged
+      system user, but the more services that use
+      <username>nobody</username>, the more privileged it
+      becomes.</para>
+  </sect1>
+
+  <sect1 id="users-user">
+    <title>User accounts</title>
+
+    <para>User accounts are the primary means of access for real
+      people to the system, and these accounts insulate the user and
+      the environment, preventing the users from damaging the system
+      or other users, and allowing users to customize their
+      environment without affecting others.</para>
+
+    <para>Every person accessing your system should have their own
+      unique user account.  This allows you to find out who is doing
+      what, and prevent people from clobbering each others' settings,
+      and reading mail meant for the other, and so forth.</para>
+
+    <para>Each user can set up their own environment to accomodate
+      their use of the system, by using alternate shells, editors, key
+      bindings, and language.</para>
+  </sect1>
+
+  <sect1 id="users-modifying">
+    <title>Modifying accounts</title>
+
+    <para><application>pw</application> is a powerful and flexible
+      means to modify accounts, but <application>adduser</application>
+      is recommended for creating new accounts, and
+      <application>rmuser</application> for deleting accounts.</para>
+
+    <para><application>chpass</application> allows both the system
+      administrator and normal users to adjust passwords, shells, and
+      personal information.  <application>passwd</application> is the
+      more common means to change passwords specifically,
+      however.</para>
+
+
+    <sect2 id="users-adduser">
+      <title>adduser</title>
+
+      <para><application>adduser</application> is a simple program for
+	adding new users.  It creates <filename>passwd</filename> and
+	<filename>group</filename> entries for the user, as well as
+	creating their home directory, copy in some default dotfiles
+	from <filename>/usr/share/skel</filename>, and can optionally
+	mail the user a welcome message.</para>
+
+      <para>To create the initial configuration file, use
+	<command>adduser -s -config_create</command>.
+	<footnote>
+	  <para>The <option>-s</option> makes adduser default to
+	    quiet.  We use <option>-v</option> later when we want to
+	    change defaults.</para>
+	</footnote>Next, we configure adduser defaults, and create our
+	first user account, since using root for normal usage is evil
+	and nasty.</para>
+
+      <example>
+	<title>Changing the configuration for adduser</title>
+
+	<screen>&prompt.root; <userinput>adduser -v</userinput>
+Use option ``-silent'' if you don't want to see all warnings and questions.
+Check /etc/shells
+Check /etc/master.passwd
+Check /etc/group
+Enter your default shell: csh date no sh tcsh [sh]: <userinput>tcsh</userinput>
+Your default shell is: tcsh -> /usr/local/bin/tcsh
+Enter your default HOME partition: [/home]:
+Copy dotfiles from: /usr/share/skel no [/usr/share/skel]: 
+Send message from file: /etc/adduser.message no 
+[/etc/adduser.message]: <userinput>no</userinput>
+Do not send message
+Use passwords (y/n) [y]: <userinput>y</userinput>
+
+Write your changes to /etc/adduser.conf? (y/n) [n]: <userinput>y</userinput>
+
+Ok, let's go.
+Don't worry about mistakes. I will give you the chance later to correct any input.
+Enter username [a-z0-9_-]: <userinput>jru</userinput>
+Enter full name []: <userinput>J. Random User</userinput>
+Enter shell csh date no sh tcsh [tcsh]: 
+Enter home directory (full path) [/home/jru]: 
+Uid [1001]: 
+Enter login class: default []: 
+Login group jru [jru]: 
+Login group is ``jru''. Invite jru into other groups: guest no 
+[no]: <userinput>wheel</userinput>
+Enter password []: 
+Enter password again []: 
+
+Name:	  jru
+Password: ****
+Fullname: J. Random User
+Uid:	  1007
+Gid:	  1007 (jru)
+Class:	  
+Groups:	  jru wheel
+HOME:     /home/jru
+Shell:	  /usr/local/bin/tcsh
+OK? (y/n) [y]: <userinput>y</userinput>
+Added user ``jru''
+Copy files from /usr/share/skel to /home/jru
+Add another user? (y/n) [y]: <userinput>n</userinput>
+Goodbye!
+&prompt.root;</screen>
+      </example>
+
+      <para>In summary, we changed the default shell to
+	<application>tcsh</application> (an additional shell found in
+	packages), and turned off the sending of a welcome mail to
+	added users.  We then saved the configuration, and then
+	created an account for <username>jru</username>, and we made
+	sure <username>jru</username> is in <username>wheel</username>
+	group (which we'll see is important later).</para>
+
+      <note>
+	<para>The password you type in isn't echoed, nor are asterisks
+	  displayed.  Make sure you don't mistype the password twice
+	  :-)</para>
+      </note>
+
+      <note>
+	<para>Just use <command>adduser</command> without arguments
+	  from now on, and you won't have to go through changing the
+	  defaults.  If the program asks you to change the defaults,
+	  exit the program, and try the <option>-s</option>
+	  option.</para>
+      </note>
+    </sect2>
+
+    <sect2 id="users-rmuser">
+      <title>rmuser</title>
+
+      <para><application>rmuser</application> removes users from the
+	system, including any traces beyond the user database.</para>
+
+      <para><application>rmuser</application> performs the following
+	steps:</para>
+
+      <procedure>
+	<step>
+	  <para>Removes the user's &man.crontab.1; entry (if
+	    any).</para>
+	</step>
+	<step>
+	  <para>Removes any &man.at.1; jobs belonging to the
+	    user.</para>
+	</step>
+	<step>
+	  <para>Kills all processes owned by the user</para>
+	</step>
+	<step>
+	  <para>Removes the user from the system's local password
+	    file.</para>
+	</step>
+	<step>
+	  <para>Removes the user's home directory (if it is owned by
+	    the user)</para>
+	</step>
+	<step>
+	  <para>Removes the incoming mail files belonging to the user
+	    from <filename>/var/mail</filename>.</para>
+	</step>
+	<step>
+	  <para>Removes all files owned by the user from temporary
+	    file storage areas such as <filename>/tmp</filename>.</para>
+	</step>
+	<step>
+	  <para>Finally, removes the username from all groups to which
+	    it belongs in <filename>/etc/group</filename>.
+	    
+	    <note>
+	      <para>If a group becomes empty and the group name is the
+		same as the username, the group is removed; this
+		complements the per-user unique groups created by
+		&man.adduser.8;.</para>
+	    </note>
+	  </para>
+	</step>
+      </procedure>
+
+      <para><application>rmuser</application> can't be used to remove
+	superuser accounts, since that is almost always an indication
+	of massive destruction.</para>
+
+      <para>By default, an interactive mode is used, which attempts to
+	make sure you know what you're doing.</para>
+
+      <example>
+	<title>rmuser interactive account removal</title>
+
+	<screen>&prompt.root; <userinput>rmuser jru</userinput>
+Matching password entry:
+jru:*:1000:1000::0:0:J. Random User:/home/jru:/usr/local/bin/tcsh
+Is this the entry you wish to remove? <userinput>y</userinput>
+Remove user's home directory (/home/jru)? <userinput>y</userinput>
+Updating password file, updating databases, done.
+Updating group file: trusted (removing group jru -- personal group is empty) done.
+Removing user's incoming mail file /var/mail/jru: done.
+Removing files belonging to jru from /tmp: done.
+Removing files belonging to jru from /var/tmp: done.
+Removing files belonging to jru from /var/tmp/vi.recover: done.
+&prompt.root;</screen>
+      </example>
+    </sect2>
+
+    <sect2 id="users-pw">
+      <title>pw</title>
+
+      <para><application>pw</application> is a command line utility to
+	create, remove, modify, and display users and groups, and
+	functions as an editor of the system user and group
+	files.</para>
+
+      <para>It is designed to be useful both as a directly executed
+	command and for use from shell scripts.</para>
+
+      <para>&man.pw.8; has all the information.</para>
+    </sect2>
+
+    <sect2 id="users-chpass">
+      <title>chpass</title>
+
+      <para><application>chpass</application> changes user database
+	information such as passwords, shells, and personal
+	information.</para>
+
+      <para>Only system administrators, as the superuser, may change
+	other users' information and passwords with chpass.</para>
+
+      <para>Passed no options, besides the optional username,
+	<application>chpass</application> displays an editor
+	containing user information, and upon exit from the editor,
+	attempts to change the information in the user
+	database.</para>
+
+      <example>
+	<title>Interactive chpass by superuser</title>
+
+	<screen>#Changing user database information for jru.
+Login: jru
+Password: *
+Uid [#]: 1000
+Gid [# or name]: 1000
+Change [month day year]:
+Expire [month day year]:
+Class:
+Home directory: /home/jru
+Shell: /usr/local/bin/tcsh
+Full Name: J. Random User
+Office Location:
+Office Phone:
+Home Phone:
+Other information:</screen>
+      </example>
+
+      <para>The normal user can change only a small subsection of this
+	information, and only for themselves.</para>
+
+      <example>
+	<title>Interactive chpass by normal user</title>
+
+	<screen>#Changing user database information for jru.
+Shell: /usr/local/bin/tcsh
+Full Name: J. Random User
+Office Location:
+Office Phone:
+Home Phone:
+Other information:</screen>
+      </example>
+
+      <note>
+	<para><command>chfn</command> and <command>chsh</command> are
+	  just links to chpass, as are <command>ypchpass</command>,
+	  <command>ypchfn</command>, and
+	  <command>ypchsh</command>.  NIS support is automatic, so
+	  specifying the <literal>yp</literal> before the command is
+	  not necessary.</para>
+      </note>
+    </sect2>
+    <sect2 id="users-passwd">
+      <title>passwd</title>
+
+      <para><application>passwd</application> is the usual way to
+	change your own password as a user, or another user's password
+	as the superuser.</para>
+
+      <note>
+	<para>Users must type in their original password before
+	  changing their password, to prevent an unauthorized person
+	  from changing their password when the user is away from
+	  their console.</para>
+      </note>
+
+      <example>
+	<title>passwd</title>
+
+	<screen>&prompt.user; <userinput>passwd</userinput>
+Changing local password for jru.
+Old password:
+New password:
+Retype new password:
+passwd: updating the database...
+passwd: done
+
+&prompt.root; <userinput>passwd jru</userinput>
+Changing local password for jru.
+New password:
+Retype new password:
+passwd: updating the database...
+passwd: done</screen>
+      </example>
+
+      <note>
+	<para><command>yppasswd</command> is just a link to
+	  <command>yppasswd</command>.  NIS support is automatic, so
+	  specifying the <literal>yp</literal> before the command is
+	  not necessary.</para>
+      </note>
+    </sect2>
+  </sect1>
+
+  <sect1 id="users-limiting-and-personalizing">
+    <title>Limiting and personalizing users</title>
+
+    <para>Quotas allow the system administrator to set disk usage
+      maximums, and users to check their disk usage, if quotas are
+      used on the system.  Quotas are discussed in their <link
+	linkend="quotas">own chapter</link>.</para>
+
+    <para>Localization is an environment set up by the system
+      administrator or user to accomodate different languages,
+      character sets, date and time standards, and so on.  This is
+      discussed in the <link linkend="l10n">localization</link>
+      chapter.</para>
+  </sect1>
+</chapter>
+
+<!-- 
+     Local Variables:
+     mode: sgml
+     sgml-declaration: "../chapter.decl"
+     sgml-indent-data: t
+     sgml-omittag: nil
+     sgml-always-quote-attributes: t
+     sgml-parent-document: ("../book.sgml" "part" "chapter")
+     End:
+-->