White space fix only. Translators can ignore.

This commit is contained in:
Dru Lavigne 2013-10-14 17:45:55 +00:00
parent f5b45a50b7
commit e2574f975f
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=42956


@ -85,46 +85,48 @@
<indexterm><primary>virtual consoles</primary></indexterm>
<indexterm><primary>terminals</primary></indexterm>
<indexterm><primary>console</primary></indexterm>
<indexterm><primary>console</primary></indexterm>
<para>Unless &os; has been configured to automatically start a
graphical environment during startup, the system will boot
into a command line login prompt, as seen in this
example:</para>
<para>Unless &os; has been configured to automatically start a
graphical environment during startup, the system will boot
into a command line login prompt, as seen in this
example:</para>
<screen>FreeBSD/amd64 (pc3.example.org) (ttyv0)
<screen>FreeBSD/amd64 (pc3.example.org) (ttyv0)
login:</screen>
<para>The first line contains some information about the system.
The <literal>amd64</literal> indicates that the system in this
example is running a 64-bit version of &os;. The hostname is
<hostid>pc3.example.org</hostid>, and
<devicename>ttyv0</devicename> indicates that this is the
<quote>system console</quote>. The second line is the login prompt.</para>
<para>The first line contains some information about the system.
The <literal>amd64</literal> indicates that the system in this
example is running a 64-bit version of &os;. The hostname is
<hostid>pc3.example.org</hostid>, and
<devicename>ttyv0</devicename> indicates that this is the
<quote>system console</quote>. The second line is the login
prompt.</para>
<para>Since &os; is a multiuser system, it needs some way to distinguish
between different users. This is accomplished by
requiring every user to log into the
system before gaining access to the programs on the system. Every user has a
unique name <quote>username</quote> and a personal
<quote>password</quote>.</para>
<para>Since &os; is a multiuser system, it needs some way to
distinguish between different users. This is accomplished by
requiring every user to log into the system before gaining
access to the programs on the system. Every user has a
unique name <quote>username</quote> and a personal
<quote>password</quote>.</para>
<para>To log into the system console, type the username that was configured during system
installation, as described in
<xref linkend="bsdinstall-addusers"/>, and press
<keycap>Enter</keycap>. Then enter the password associated
with the username and press <keycap>Enter</keycap>. The
password is <emphasis>not echoed</emphasis> for security
reasons.</para>
<para>To log into the system console, type the username that
was configured during system installation, as described in
<xref linkend="bsdinstall-addusers"/>, and press
<keycap>Enter</keycap>. Then enter the password associated
with the username and press <keycap>Enter</keycap>. The
password is <emphasis>not echoed</emphasis> for security
reasons.</para>
<para>Once the correct password is input, the message of the
day (<acronym>MOTD</acronym>) will be displayed followed
by a command prompt. Depending upon the shell that was selected
when the user was created, this prompt will be a <literal>#</literal>,
<literal>$</literal>, or <literal>%</literal> character. The
prompt indicates that the user is now logged into the &os; system console and ready to try the
available commands.</para>
<para>Once the correct password is input, the message of the
day (<acronym>MOTD</acronym>) will be displayed followed
by a command prompt. Depending upon the shell that was
selected when the user was created, this prompt will be a
<literal>#</literal>, <literal>$</literal>, or
<literal>%</literal> character. The prompt indicates that
the user is now logged into the &os; system console and ready
to try the available commands.</para>
<sect2 id="consoles-virtual">
<title>Virtual Consoles</title>
@ -138,19 +140,22 @@ login:</screen>
user is working on, making it difficult to concentrate on
the work at hand.</para>
<para>By default, &os; is configured to provide several virtual consoles
for inputting commands. Each virtual console has its own
login prompt and shell and it is easy to switch between
virtual consoles. This essentially provides the command line
equivalent of having several windows open at the same time
in a graphical environment.</para>
<para>By default, &os; is configured to provide several virtual
consoles for inputting commands. Each virtual console has
its own login prompt and shell and it is easy to switch
between virtual consoles. This essentially provides the
command line equivalent of having several windows open at the
same time in a graphical environment.</para>
<para>The key combinations <keycombo><keycap>Alt</keycap><keycap>F1</keycap></keycombo>
through
<keycombo><keycap>Alt</keycap><keycap>F8</keycap></keycombo> have been reserved by &os; for
switching between virtual consoles. Use
<para>The key combinations
<keycombo><keycap>Alt</keycap><keycap>F1</keycap></keycombo>
to switch to the system console (<devicename>ttyv0</devicename>),
through
<keycombo><keycap>Alt</keycap><keycap>F8</keycap></keycombo>
have been reserved by &os; for switching between virtual
consoles. Use
<keycombo><keycap>Alt</keycap><keycap>F1</keycap></keycombo>
to switch to the system console
(<devicename>ttyv0</devicename>),
<keycombo><keycap>Alt</keycap><keycap>F2</keycap></keycombo>
to access the first virtual console
(<devicename>ttyv1</devicename>),
@ -159,22 +164,19 @@ login:</screen>
(<devicename>ttyv2</devicename>), and so on.</para>
<para>When switching from one console to the next, &os; takes
manages the screen output. The result is
an illusion of having multiple
virtual screens and keyboards that can be used
manages the screen output. The result is an illusion of
having multiple virtual screens and keyboards that can be used
to type commands for &os; to run. The programs that are
launched in one virtual console do not stop running when
the user switches to a
different virtual console.</para>
the user switches to a different virtual console.</para>
<para>Refer to &man.syscons.4;, &man.atkbd.4;,
&man.vidcontrol.1; and &man.kbdcontrol.1; for a more
technical description of the &os; console and its keyboard
drivers.</para>
<para>In &os;, the number of available virtual
consoles is configured in this
section of
<para>In &os;, the number of available virtual consoles is
configured in this section of
<filename>/etc/ttys</filename>:</para>
<programlisting># name getty type status comments
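Review bot: The context line `<para>When switching from one console to the next, &os; takes` followed by `manages the screen output` reads as "takes manages"; one of the two verbs is a leftover from an earlier edit. Since this commit is whitespace-only, drop "takes" in a follow-up so the sentence reads "When switching from one console to the next, &os; manages the screen output."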
@ -191,11 +193,12 @@ ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure</programlisting>
<para>To disable a virtual console, put a comment symbol (<literal>#</literal>)
at the beginning of the line representing that virtual console.
For example, to reduce the number of available virtual consoles
from eight to four, put a <literal>#</literal> in front of
the last four lines representing virtual consoles
<para>To disable a virtual console, put a comment symbol
(<literal>#</literal>) at the beginning of the line
representing that virtual console. For example, to reduce
the number of available virtual consoles from eight to four,
put a <literal>#</literal> in front of the last four lines
representing virtual consoles
<devicename>ttyv5</devicename> through
<devicename>ttyv8</devicename>. <emphasis>Do not</emphasis>
comment out the line for the system console
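Review bot: The example in this hunk does not add up: commenting out ttyv5 through ttyv8 leaves ttyv0 through ttyv4, which is five consoles rather than the four the text promises, and ttyv8 in the listing above is the xdm entry (already `off`) rather than a getty console. Either say ttyv4 through ttyv7, or say that five consoles remain. Worth a follow-up commit, since this one is whitespace-only.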
@ -204,7 +207,7 @@ ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure</programlisting>
the graphical environment if <application>&xorg;</application>
has been installed and configured as described in <xref
linkend="x11"/>.</para>
<para>For a detailed description of every column in this file
and the available options for the virtual consoles, refer to
&man.ttys.5;.</para>
@ -216,40 +219,38 @@ ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure</programlisting>
<para>The &os; boot menu provides an option labelled as
<quote>Boot Single User</quote>. If this option is selected,
the system will boot into a special mode known as
<quote>single user mode</quote>. This mode is typically used to
repair a system that will not boot or to reset the
<quote>single user mode</quote>. This mode is typically used
to repair a system that will not boot or to reset the
<username>root</username> password when it is not known.
While in single user mode, networking and other
virtual consoles are not available. However, full
While in single user mode, networking and other virtual
consoles are not available. However, full
<username>root</username> access to the system is available,
and by default, the <username>root</username> password is not
needed. For these reasons, physical access to the keyboard
is needed to boot into this mode and determining who has physical
access to the keyboard is something to consider when securing
a &os; system.</para>
is needed to boot into this mode and determining who has
physical access to the keyboard is something to consider when
securing a &os; system.</para>
<para>The settings which control
single user mode are found in this section of
<filename>/etc/ttys</filename>:</para>
<para>The settings which control single user mode are found in
this section of <filename>/etc/ttys</filename>:</para>
<programlisting># name getty type status comments
#
# If console is marked "insecure", then init will ask for the root password
# when going to single-user mode.
console none unknown off secure</programlisting>
<para>By default, the status is set to <literal>secure</literal>.
This assumes that who has physical access to the keyboard
is either not important or it is controlled by a physical
security policy. If this setting is changed to
<literal>insecure</literal>, the assumption is that the
environment itself is insecure because anyone can access
the keyboard. When this line is changed to
<literal>insecure</literal>, &os; will prompt for the
<username>root</username> password when a user selects to boot into single
user mode.
</para>
<para>By default, the status is set to
<literal>secure</literal>. This assumes that who has
physical access to the keyboard is either not important or it
is controlled by a physical security policy. If this setting
is changed to <literal>insecure</literal>, the assumption is
that the environment itself is insecure because anyone can
access the keyboard. When this line is changed to
<literal>insecure</literal>, &os; will prompt for the
<username>root</username> password when a user selects to
boot into single user mode.</para>
<note>
<para><emphasis>Be careful when changing this setting to
<literal>insecure</literal></emphasis>! If the
@ -331,94 +332,95 @@ console none unknown off secure</programlisting>
</listitem>
<listitem>
<para>How to create groups and add users as members of a group.</para>
<para>How to create groups and add users as members of a
group.</para>
</listitem>
</itemizedlist>
<sect2 id="users-introduction">
<title>Account Types</title>
<sect2 id="users-introduction">
<title>Account Types</title>
<para>Since all access to the &os; system is achieved using accounts
and all processes are run by users, user and account management
is important.</para>
<para>Since all access to the &os; system is achieved using
accounts and all processes are run by users, user and account
management is important.</para>
<para>There are three main types of accounts:
system accounts,
user accounts, and the
superuser account.</para>
<para>There are three main types of accounts: system accounts,
user accounts, and the superuser account.</para>
<sect3 id="users-system">
<title>System Accounts</title>
<sect3 id="users-system">
<title>System Accounts</title>
<indexterm>
<primary>accounts</primary>
<secondary>system</secondary>
</indexterm>
<indexterm>
<primary>accounts</primary>
<secondary>system</secondary>
</indexterm>
<para>System accounts are used to run services such as DNS,
mail, and web servers. The reason for this is security; if
all services ran as the superuser, they could act without
restriction.</para>
<para>System accounts are used to run services such as DNS,
mail, and web servers. The reason for this is security; if
all services ran as the superuser, they could act without
restriction.</para>
<indexterm>
<primary>accounts</primary>
<secondary><username>daemon</username></secondary>
</indexterm>
<indexterm>
<primary>accounts</primary>
<secondary><username>operator</username></secondary>
</indexterm>
<indexterm>
<primary>accounts</primary>
<secondary><username>daemon</username></secondary>
</indexterm>
<indexterm>
<primary>accounts</primary>
<secondary><username>operator</username></secondary>
</indexterm>
<para>Examples of system accounts are
<username>daemon</username>, <username>operator</username>,
<username>bind</username>, <username>news</username>, and
<username>www</username>.</para>
<para>Examples of system accounts are
<username>daemon</username>, <username>operator</username>,
<username>bind</username>, <username>news</username>, and
<username>www</username>.</para>
<indexterm>
<primary>accounts</primary>
<secondary><username>nobody</username></secondary>
</indexterm>
<indexterm>
<primary>accounts</primary>
<secondary><username>nobody</username></secondary>
</indexterm>
<para><username>nobody</username> is the generic unprivileged
system account. However, the more services that use
<username>nobody</username>, the more files and processes that
user will become associated with, and hence the more
privileged that user becomes.</para>
</sect3>
<para><username>nobody</username> is the generic unprivileged
system account. However, the more services that use
<username>nobody</username>, the more files and processes
that user will become associated with, and hence the more
privileged that user becomes.</para>
</sect3>
<sect3 id="users-user">
<title>User Accounts</title>
<sect3 id="users-user">
<title>User Accounts</title>
<indexterm>
<primary>accounts</primary>
<secondary>user</secondary>
</indexterm>
<indexterm>
<primary>accounts</primary>
<secondary>user</secondary>
</indexterm>
<para>User accounts are
assigned to real people and are used to log in and use the
system. Every person accessing the system should have a unique
user account. This allows the administrator to find out who
is doing what and prevents users from clobbering the
settings of other users.</para>
<para>User accounts are assigned to real people and are used
to log in and use the system. Every person accessing the
system should have a unique user account. This allows the
administrator to find out who is doing what and prevents
users from clobbering the settings of other users.</para>
<para>Each user can set up their own environment to accommodate
their use of the system, by configuring their default shell, editor,
key bindings, and language settings.</para>
<para>Every user account on a &os; system has certain information
associated with it:</para>
<para>Each user can set up their own environment to
accommodate their use of the system, by configuring their
default shell, editor, key bindings, and language
settings.</para>
<variablelist>
<varlistentry>
<term>User name</term>
<para>Every user account on a &os; system has certain
information associated with it:</para>
<variablelist>
<varlistentry>
<term>User name</term>
<listitem>
<para>The user name is typed at the <prompt>login:</prompt>
prompt. User names must be unique on the system as no two
users can have the same user name. There are a number of
rules for creating valid user names which are documented in
&man.passwd.5;. It is recommended to use user names that consist of eight or
fewer, all lower case characters in order to maintain
backwards compatibility with applications.</para>
rules for creating valid user names which are documented
in &man.passwd.5;. It is recommended to use user names
that consist of eight or fewer, all lower case characters
in order to maintain backwards compatibility with
applications.</para>
</listitem>
</varlistentry>
@ -426,8 +428,9 @@ console none unknown off secure</programlisting>
<term>Password</term>
<listitem>
<para>Each user account should have an associated password. While the
password can be blank, this is highly discouraged.</para>
<para>Each user account should have an associated password.
While the password can be blank, this is highly
discouraged.</para>
</listitem>
</varlistentry>
@ -435,14 +438,13 @@ console none unknown off secure</programlisting>
<term>User ID (<acronym>UID</acronym>)</term>
<listitem>
<para>The User ID (<acronym>UID</acronym>) is a number
used to uniquely identify the user to the
&os; system. Commands that
allow a user name to be specified will first convert it to
the <acronym>UID</acronym>. It is recommended to use a UID of
65535 or lower as higher UIDs may cause compatibility
issues with software that does not support integers larger
than 32-bits.</para>
<para>The User ID (<acronym>UID</acronym>) is a number used
to uniquely identify the user to the &os; system.
Commands that allow a user name to be specified will
first convert it to the <acronym>UID</acronym>. It is
recommended to use a UID of 65535 or lower as higher UIDs
may cause compatibility issues with software that does
not support integers larger than 32-bits.</para>
</listitem>
</varlistentry>
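Review bot: The rationale in the UID entry is inconsistent with its own number: 65535 is the largest unsigned 16-bit value, so "software that does not support integers larger than 32-bits" does not explain a 65535 ceiling; it should presumably read 16 bits. Follow-up material, not for a whitespace commit.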
@ -450,14 +452,15 @@ console none unknown off secure</programlisting>
<term>Group ID (<acronym>GID</acronym>)</term>
<listitem>
<para>The Group ID (<acronym>GID</acronym>) is a number used to uniquely identify
the primary group that the user belongs to. Groups are a
mechanism for controlling access to resources based on a
user's <acronym>GID</acronym> rather than their
<para>The Group ID (<acronym>GID</acronym>) is a number
used to uniquely identify the primary group that the user
belongs to. Groups are a mechanism for controlling
access to resources based on a user's
<acronym>GID</acronym> rather than their
<acronym>UID</acronym>. This can significantly reduce the
size of some configuration files and allows users to be
members of more than one group. It is recommended to use a GID of
65535 or lower as higher GIDs may break some
members of more than one group. It is recommended to use
a GID of 65535 or lower as higher GIDs may break some
software.</para>
</listitem>
</varlistentry>
@ -479,9 +482,9 @@ console none unknown off secure</programlisting>
<listitem>
<para>By default, &os; does not force users to change their
passwords periodically. Password expiration can be
enforced on a per-user basis using &man.pw.8;, forcing some or all users to
change their passwords after a certain amount of time has
elapsed.</para>
enforced on a per-user basis using &man.pw.8;, forcing
some or all users to change their passwords after a
certain amount of time has elapsed.</para>
</listitem>
</varlistentry>
@ -492,9 +495,10 @@ console none unknown off secure</programlisting>
<para>By default, &os; does not expire accounts. When
creating accounts that need a limited lifespan, such as
student accounts in a school, specify the account expiry
date using &man.pw.8;. After the expiry time has elapsed, the account
cannot be used to log in to the system, although the
account's directories and files will remain.</para>
date using &man.pw.8;. After the expiry time has
elapsed, the account cannot be used to log in to the
system, although the account's directories and files will
remain.</para>
</listitem>
</varlistentry>
@ -504,9 +508,9 @@ console none unknown off secure</programlisting>
<listitem>
<para>The user name uniquely identifies the account to &os;,
but does not necessarily reflect the user's real name.
Similar to a comment, this information
can contain a space, uppercase characters, and be more
than 8 characters long.</para>
Similar to a comment, this information can contain a
space, uppercase characters, and be more than 8
characters long.</para>
</listitem>
</varlistentry>
@ -538,9 +542,9 @@ console none unknown off secure</programlisting>
</listitem>
</varlistentry>
</variablelist>
</sect3>
</sect3>
<sect3 id="users-superuser">
<sect3 id="users-superuser">
<title>The Superuser Account</title>
<indexterm>
@ -558,50 +562,53 @@ console none unknown off secure</programlisting>
<para>The superuser, unlike other user
accounts, can operate without limits, and misuse of the
superuser account may result in spectacular disasters. User
accounts are unable to destroy the operating system by mistake, so it is
recommended to login as a user account and to only become the superuser
when a command requires extra privilege.</para>
accounts are unable to destroy the operating system by
mistake, so it is recommended to login as a user account and
to only become the superuser when a command requires extra
privilege.</para>
<para>Always double and triple-check any commands issued as the
superuser, since an extra space or missing character can mean
irreparable data loss.</para>
<para>There are several ways to become gain superuser privilege. While one
can log in as <username>root</username>, this is highly discouraged.</para>
<para>There are several ways to become gain superuser privilege.
While one can log in as <username>root</username>, this is
highly discouraged.</para>
<para>Instead, use &man.su.1; to become the superuser. If
<literal>-</literal> is specified when running this command, the user will also inherit the root user's environment.
The user running this command must
be in the <groupname>wheel</groupname> group or else the command
will fail. The user must also know the password for the
<username>root</username> user account.</para>
<para>Instead, use &man.su.1; to become the superuser. If
<literal>-</literal> is specified when running this command,
the user will also inherit the root user's environment. The
user running this command must be in the
<groupname>wheel</groupname> group or else the command will
fail. The user must also know the password for the
<username>root</username> user account.</para>
<para>In this example, the user only becomes superuser in order to run
<command>make install</command> as this step requires superuser privilege.
Once the command completes, the user types <command>exit</command>
to leave the superuser account and return to the privilege of
their user account.</para>
<para>In this example, the user only becomes superuser in order
to run <command>make install</command> as this step requires
superuser privilege. Once the command completes, the user
types <command>exit</command> to leave the superuser account
and return to the privilege of their user account.</para>
<example>
<title>Install a Program As The Superuser</title>
<example>
<title>Install a Program As The Superuser</title>
<screen>&prompt.user; <userinput>configure</userinput>
<screen>&prompt.user; <userinput>configure</userinput>
&prompt.user; <userinput>make</userinput>
&prompt.user; <userinput>su -</userinput>
Password:
&prompt.root; <userinput>make install</userinput>
&prompt.root; <userinput>exit</userinput>
&prompt.user;</screen>
</example>
</example>
<para>The built-in &man.su.1; framework works well for single systems or small
networks with just one system administrator. An alternative
is to install the
<filename role="package">security/sudo</filename> package or port. This software
provides activity logging and allows the administrator to configure which users
can run which commands
as the superuser.</para>
</sect3>
<para>The built-in &man.su.1; framework works well for single
systems or small networks with just one system administrator.
An alternative is to install the <filename
role="package">security/sudo</filename> package or port.
This software provides activity logging and allows the
administrator to configure which users can run which commands
as the superuser.</para>
</sect3>
</sect2>
<sect2 id="users-modifying">
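Review bot: "There are several ways to become gain superuser privilege" carries a stray verb in both the old and new lines; it should read either "to become the superuser" or "to gain superuser privilege". Since this commit is whitespace-only, fix it in a follow-up.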
@ -918,7 +925,7 @@ passwd: done</screen>
<title>Changing Another User's Password as the
Superuser</title>
<screen>&prompt.root; <userinput>passwd jru</userinput>
<screen>&prompt.root; <userinput>passwd jru</userinput>
Changing local password for jru.
New password:
Retype new password:
@ -1025,14 +1032,17 @@ passwd: done</screen>
<term><literal>coredumpsize</literal></term>
<listitem>
<para>The limit on the size of a core file<indexterm><primary>coredumpsize</primary></indexterm> generated by a
program is subordinate to other limits<indexterm><primary>limiting users</primary><secondary>coredumpsize</secondary></indexterm> on disk usage, such
as <literal>filesize</literal>, or disk quotas.
This limit is often used as a less-severe method of
controlling disk space consumption. Since users do not
generate core files themselves, and often do not delete
them, setting this may save them from running out of disk
space should a large program crash.</para>
<para>The limit on the size of a core file
<indexterm><primary>coredumpsize</primary></indexterm>
generated by a program is subordinate to other
limits <indexterm><primary>limiting users
</primary><secondary>coredumpsize</secondary></indexterm>
on disk usage, such as <literal>filesize</literal>, or
disk quotas. This limit is often used as a less-severe
method of controlling disk space consumption. Since
users do not generate core files themselves, and often do
not delete them, setting this may save them from running
out of disk space should a large program crash.</para>
</listitem>
</varlistentry>
@ -1040,9 +1050,12 @@ passwd: done</screen>
<term><literal>cputime</literal></term>
<listitem>
<para>The maximum amount of CPU<indexterm><primary>cputime</primary></indexterm><indexterm><primary>limiting users</primary><secondary>cputime</secondary></indexterm> time a user's process may
consume. Offending processes will be killed by the
kernel.</para>
<para>The maximum amount of CPU
<indexterm><primary>cputime</primary></indexterm><indexterm><primary>
limiting users
</primary><secondary>cputime</secondary></indexterm>
time a user's process may consume. Offending processes
will be killed by the kernel.</para>
<note>
<para>This is a limit on CPU <emphasis>time</emphasis>
@ -1056,10 +1069,13 @@ passwd: done</screen>
<term><literal>filesize</literal></term>
<listitem>
<para>The maximum size of a file<indexterm><primary>filesize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>filesize</secondary></indexterm> the user may own. Unlike
<link linkend="quotas">disk quotas</link>, this limit is
enforced on individual files, not the set of all files a
user owns.</para>
<para>The maximum size of a file
<indexterm><primary>filesize</primary></indexterm><indexterm><primary>
limiting users
</primary><secondary>filesize</secondary></indexterm>
the user may own. Unlike <link linkend="quotas">disk
quotas</link>, this limit is enforced on individual
files, not the set of all files a user owns.</para>
</listitem>
</varlistentry>
@ -1067,9 +1083,13 @@ passwd: done</screen>
<term><literal>maxproc</literal></term>
<listitem>
<para>The maximum number of processes<indexterm><primary>maxproc</primary></indexterm><indexterm><primary>limiting users</primary><secondary>maxproc</secondary></indexterm> a user can run. This
includes foreground and background processes. This limit
may not be larger than the system limit specified by the
<para>The maximum number of processes
<indexterm><primary>maxproc</primary></indexterm><indexterm><primary>
limiting users
</primary><secondary>maxproc</secondary></indexterm> a
user can run. This includes foreground and background
processes. This limit may not be larger than the system
limit specified by the
<varname>kern.maxproc</varname> &man.sysctl.8;. Setting
this limit too small may hinder a user's productivity as
it is often useful to be logged in multiple times or to
@ -1083,11 +1103,15 @@ passwd: done</screen>
<term><literal>memorylocked</literal></term>
<listitem>
<para>The maximum amount of memory<indexterm><primary>memorylocked</primary></indexterm><indexterm><primary>limiting users</primary><secondary>memorylocked</secondary></indexterm> a process may request
to be locked into main memory using &man.mlock.2;. Some
system-critical programs, such as &man.amd.8;, lock into
main memory so that if the system begins to swap, they do
not contribute to disk thrashing.</para>
<para>The maximum amount of memory
<indexterm><primary>memorylocked</primary></indexterm><indexterm><primary>
limiting users
</primary><secondary>memorylocked</secondary></indexterm>
a process may request to be locked into main memory using
&man.mlock.2;. Some system-critical programs, such as
&man.amd.8;, lock into main memory so that if the system
begins to swap, they do not contribute to disk
thrashing.</para>
</listitem>
</varlistentry>
@ -1095,10 +1119,14 @@ passwd: done</screen>
<term><literal>memoryuse</literal></term>
<listitem>
<para>The maximum amount of memory<indexterm><primary>memoryuse</primary></indexterm><indexterm><primary>limiting users</primary><secondary>memoryuse</secondary></indexterm> a process may consume at
any given time. It includes both core memory and swap
usage. This is not a catch-all limit for restricting
memory consumption, but is a good start.</para>
<para>The maximum amount of memory
<indexterm><primary>memoryuse</primary></indexterm><indexterm><primary>
limiting
users</primary><secondary>memoryuse</secondary></indexterm>
a process may consume at any given time. It includes both
core memory and swap usage. This is not a catch-all limit
for restricting memory consumption, but is a good
start.</para>
</listitem>
</varlistentry>
@ -1106,7 +1134,10 @@ passwd: done</screen>
<term><literal>openfiles</literal></term>
<listitem>
<para>The maximum number of files a process may have open<indexterm><primary>openfiles</primary></indexterm><indexterm><primary>limiting users</primary><secondary>openfiles</secondary></indexterm>.
<para>The maximum number of files a process may have open
<indexterm><primary>openfiles</primary></indexterm><indexterm><primary>
limiting
users</primary><secondary>openfiles</secondary></indexterm>.
In &os;, files are used to represent sockets and IPC
channels, so be careful not to set this too low. The
system-wide limit for this is defined by the
@ -1119,7 +1150,10 @@ passwd: done</screen>
<listitem>
<para>The limit on the amount of network memory, and
thus mbufs<indexterm><primary>sbsize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>sbsize</secondary></indexterm>, a user may consume in order to limit network
thus mbufs
<indexterm><primary>sbsize</primary></indexterm><indexterm><primary>limiting
users</primary><secondary>sbsize</secondary></indexterm>,
a user may consume in order to limit network
communications.</para>
</listitem>
</varlistentry>
@ -1128,10 +1162,12 @@ passwd: done</screen>
<term><literal>stacksize</literal></term>
<listitem>
<para>The maximum size of a process stack<indexterm><primary>stacksize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>stacksize</secondary></indexterm>. This alone is
not sufficient to limit the amount of memory a program
may use so it should be used in conjunction with other
limits.</para>
<para>The maximum size of a process stack
<indexterm><primary>stacksize</primary></indexterm><indexterm><primary>limiting
users</primary><secondary>stacksize</secondary></indexterm>.
This alone is not sufficient to limit the amount of memory
a program may use so it should be used in conjunction with
other limits.</para>
</listitem>
</varlistentry>
</variablelist>
@ -1271,13 +1307,13 @@ teamtwo:*:1100:jru,db</screen>
uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
</example>
<para>In this example, <username>jru</username> is a member of the
groups <groupname>jru</groupname> and
<groupname>teamtwo</groupname>.</para>
<para>In this example, <username>jru</username> is a member of
the groups <groupname>jru</groupname> and
<groupname>teamtwo</groupname>.</para>
<para>For more information about this command and the format of
<filename>/etc/group</filename>, refer to &man.pw.8; and
&man.group.5;.</para>
<para>For more information about this command and the format of
<filename>/etc/group</filename>, refer to &man.pw.8; and
&man.group.5;.</para>
</sect2>
</sect1>
@ -1294,15 +1330,14 @@ uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
the files used by the operating system or owned by other
users.</para>
<para>This section discusses the traditional &unix;
permissions used in &os;. For finer grained file system access control,
refer to
<xref linkend="fs-acl"/>.</para>
<para>This section discusses the traditional &unix; permissions
used in &os;. For finer grained file system access control,
refer to <xref linkend="fs-acl"/>.</para>
<para>In &unix;, basic permissions are assigned using
three types of access: read, write, and execute. These access
types are used to determine file access to the file's owner,
group, and others (everyone else). The read, write, and execute
group, and others (everyone else). The read, write, and execute
permissions can be represented as the letters
<literal>r</literal>, <literal>w</literal>, and
<literal>x</literal>. They can also be represented as binary
@ -1315,10 +1350,10 @@ uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
<literal>1</literal>.</para>
<para>Table 4.1 summarizes the possible numeric and alphabetic
possibilities. When reading the <quote>Directory Listing</quote>
column, a <literal>-</literal> is used to represent a permission
that is set to off.</para>
possibilities. When reading the <quote>Directory
Listing</quote> column, a <literal>-</literal> is used to
represent a permission that is set to off.</para>
<indexterm><primary>permissions</primary></indexterm>
<indexterm>
<primary>file permissions</primary>
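Review bot: "summarizes the possible numeric and alphabetic possibilities" is redundant; "summarizes the numeric and alphabetic representations" reads better. Wording only, so a follow-up rather than this whitespace commit.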