White space fix only. Translators can ignore.
This commit is contained in:
parent
f5b45a50b7
commit
e2574f975f
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=42956
1 changed files with 285 additions and 250 deletions
|
|
@ -85,46 +85,48 @@
|
||||||
|
|
||||||
<indexterm><primary>virtual consoles</primary></indexterm>
|
<indexterm><primary>virtual consoles</primary></indexterm>
|
||||||
<indexterm><primary>terminals</primary></indexterm>
|
<indexterm><primary>terminals</primary></indexterm>
|
||||||
<indexterm><primary>console</primary></indexterm>
|
<indexterm><primary>console</primary></indexterm>
|
||||||
|
|
||||||
<para>Unless &os; has been configured to automatically start a
|
<para>Unless &os; has been configured to automatically start a
|
||||||
graphical environment during startup, the system will boot
|
graphical environment during startup, the system will boot
|
||||||
into a command line login prompt, as seen in this
|
into a command line login prompt, as seen in this
|
||||||
example:</para>
|
example:</para>
|
||||||
|
|
||||||
<screen>FreeBSD/amd64 (pc3.example.org) (ttyv0)
|
<screen>FreeBSD/amd64 (pc3.example.org) (ttyv0)
|
||||||
|
|
||||||
login:</screen>
|
login:</screen>
|
||||||
|
|
||||||
<para>The first line contains some information about the system.
|
<para>The first line contains some information about the system.
|
||||||
The <literal>amd64</literal> indicates that the system in this
|
The <literal>amd64</literal> indicates that the system in this
|
||||||
example is running a 64-bit version of &os;. The hostname is
|
example is running a 64-bit version of &os;. The hostname is
|
||||||
<hostid>pc3.example.org</hostid>, and
|
<hostid>pc3.example.org</hostid>, and
|
||||||
<devicename>ttyv0</devicename> indicates that this is the
|
<devicename>ttyv0</devicename> indicates that this is the
|
||||||
<quote>system console</quote>. The second line is the login prompt.</para>
|
<quote>system console</quote>. The second line is the login
|
||||||
|
prompt.</para>
|
||||||
|
|
||||||
<para>Since &os; is a multiuser system, it needs some way to distinguish
|
<para>Since &os; is a multiuser system, it needs some way to
|
||||||
between different users. This is accomplished by
|
distinguish between different users. This is accomplished by
|
||||||
requiring every user to log into the
|
requiring every user to log into the system before gaining
|
||||||
system before gaining access to the programs on the system. Every user has a
|
access to the programs on the system. Every user has a
|
||||||
unique name <quote>username</quote> and a personal
|
unique name <quote>username</quote> and a personal
|
||||||
<quote>password</quote>.</para>
|
<quote>password</quote>.</para>
|
||||||
|
|
||||||
<para>To log into the system console, type the username that was configured during system
|
<para>To log into the system console, type the username that
|
||||||
installation, as described in
|
was configured during system installation, as described in
|
||||||
<xref linkend="bsdinstall-addusers"/>, and press
|
<xref linkend="bsdinstall-addusers"/>, and press
|
||||||
<keycap>Enter</keycap>. Then enter the password associated
|
<keycap>Enter</keycap>. Then enter the password associated
|
||||||
with the username and press <keycap>Enter</keycap>. The
|
with the username and press <keycap>Enter</keycap>. The
|
||||||
password is <emphasis>not echoed</emphasis> for security
|
password is <emphasis>not echoed</emphasis> for security
|
||||||
reasons.</para>
|
reasons.</para>
|
||||||
|
|
||||||
<para>Once the correct password is input, the message of the
|
<para>Once the correct password is input, the message of the
|
||||||
day (<acronym>MOTD</acronym>) will be displayed followed
|
day (<acronym>MOTD</acronym>) will be displayed followed
|
||||||
by a command prompt. Depending upon the shell that was selected
|
by a command prompt. Depending upon the shell that was
|
||||||
when the user was created, this prompt will be a <literal>#</literal>,
|
selected when the user was created, this prompt will be a
|
||||||
<literal>$</literal>, or <literal>%</literal> character. The
|
<literal>#</literal>, <literal>$</literal>, or
|
||||||
prompt indicates that the user is now logged into the &os; system console and ready to try the
|
<literal>%</literal> character. The prompt indicates that
|
||||||
available commands.</para>
|
the user is now logged into the &os; system console and ready
|
||||||
|
to try the available commands.</para>
|
||||||
|
|
||||||
<sect2 id="consoles-virtual">
|
<sect2 id="consoles-virtual">
|
||||||
<title>Virtual Consoles</title>
|
<title>Virtual Consoles</title>
|
||||||
|
|
@ -138,19 +140,22 @@ login:</screen>
|
||||||
user is working on, making it difficult to concentrate on
|
user is working on, making it difficult to concentrate on
|
||||||
the work at hand.</para>
|
the work at hand.</para>
|
||||||
|
|
||||||
<para>By default, &os; is configured to provide several virtual consoles
|
<para>By default, &os; is configured to provide several virtual
|
||||||
for inputting commands. Each virtual console has its own
|
consoles for inputting commands. Each virtual console has
|
||||||
login prompt and shell and it is easy to switch between
|
its own login prompt and shell and it is easy to switch
|
||||||
virtual consoles. This essentially provides the command line
|
between virtual consoles. This essentially provides the
|
||||||
equivalent of having several windows open at the same time
|
command line equivalent of having several windows open at the
|
||||||
in a graphical environment.</para>
|
same time in a graphical environment.</para>
|
||||||
|
|
||||||
<para>The key combinations <keycombo><keycap>Alt</keycap><keycap>F1</keycap></keycombo>
|
<para>The key combinations
|
||||||
through
|
|
||||||
<keycombo><keycap>Alt</keycap><keycap>F8</keycap></keycombo> have been reserved by &os; for
|
|
||||||
switching between virtual consoles. Use
|
|
||||||
<keycombo><keycap>Alt</keycap><keycap>F1</keycap></keycombo>
|
<keycombo><keycap>Alt</keycap><keycap>F1</keycap></keycombo>
|
||||||
to switch to the system console (<devicename>ttyv0</devicename>),
|
through
|
||||||
|
<keycombo><keycap>Alt</keycap><keycap>F8</keycap></keycombo>
|
||||||
|
have been reserved by &os; for switching between virtual
|
||||||
|
consoles. Use
|
||||||
|
<keycombo><keycap>Alt</keycap><keycap>F1</keycap></keycombo>
|
||||||
|
to switch to the system console
|
||||||
|
(<devicename>ttyv0</devicename>),
|
||||||
<keycombo><keycap>Alt</keycap><keycap>F2</keycap></keycombo>
|
<keycombo><keycap>Alt</keycap><keycap>F2</keycap></keycombo>
|
||||||
to access the first virtual console
|
to access the first virtual console
|
||||||
(<devicename>ttyv1</devicename>),
|
(<devicename>ttyv1</devicename>),
|
||||||
|
|
@ -159,22 +164,19 @@ login:</screen>
|
||||||
(<devicename>ttyv2</devicename>), and so on.</para>
|
(<devicename>ttyv2</devicename>), and so on.</para>
|
||||||
|
|
||||||
<para>When switching from one console to the next, &os; takes
|
<para>When switching from one console to the next, &os; takes
|
||||||
manages the screen output. The result is
|
manages the screen output. The result is an illusion of
|
||||||
an illusion of having multiple
|
having multiple virtual screens and keyboards that can be used
|
||||||
virtual screens and keyboards that can be used
|
|
||||||
to type commands for &os; to run. The programs that are
|
to type commands for &os; to run. The programs that are
|
||||||
launched in one virtual console do not stop running when
|
launched in one virtual console do not stop running when
|
||||||
the user switches to a
|
the user switches to a different virtual console.</para>
|
||||||
different virtual console.</para>
|
|
||||||
|
|
||||||
<para>Refer to &man.syscons.4;, &man.atkbd.4;,
|
<para>Refer to &man.syscons.4;, &man.atkbd.4;,
|
||||||
&man.vidcontrol.1; and &man.kbdcontrol.1; for a more
|
&man.vidcontrol.1; and &man.kbdcontrol.1; for a more
|
||||||
technical description of the &os; console and its keyboard
|
technical description of the &os; console and its keyboard
|
||||||
drivers.</para>
|
drivers.</para>
|
||||||
|
|
||||||
<para>In &os;, the number of available virtual
|
<para>In &os;, the number of available virtual consoles is
|
||||||
consoles is configured in this
|
configured in this section of
|
||||||
section of
|
|
||||||
<filename>/etc/ttys</filename>:</para>
|
<filename>/etc/ttys</filename>:</para>
|
||||||
|
|
||||||
<programlisting># name getty type status comments
|
<programlisting># name getty type status comments
|
||||||
|
|
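Review bot: the reflowed opening sentence of the console-switching paragraph (`&os; takes` / `manages the screen output`) still carries two verbs, "takes manages", a leftover from an earlier edit. Since this commit is whitespace-only it should stay as is here, but it needs a separate content commit (for example `&os; manages the screen output`), and that one translators should not ignore.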
@ -191,11 +193,12 @@ ttyv7 "/usr/libexec/getty Pc" cons25 on secure
|
||||||
ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure</programlisting>
|
ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure</programlisting>
|
||||||
|
|
||||||
|
|
||||||
<para>To disable a virtual console, put a comment symbol (<literal>#</literal>)
|
<para>To disable a virtual console, put a comment symbol
|
||||||
at the beginning of the line representing that virtual console.
|
(<literal>#</literal>) at the beginning of the line
|
||||||
For example, to reduce the number of available virtual consoles
|
representing that virtual console. For example, to reduce
|
||||||
from eight to four, put a <literal>#</literal> in front of
|
the number of available virtual consoles from eight to four,
|
||||||
the last four lines representing virtual consoles
|
put a <literal>#</literal> in front of the last four lines
|
||||||
|
representing virtual consoles
|
||||||
<devicename>ttyv5</devicename> through
|
<devicename>ttyv5</devicename> through
|
||||||
<devicename>ttyv8</devicename>. <emphasis>Do not</emphasis>
|
<devicename>ttyv8</devicename>. <emphasis>Do not</emphasis>
|
||||||
comment out the line for the system console
|
comment out the line for the system console
|
||||||
|
|
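Review bot: the rewrapped instruction to go "from eight to four" consoles by commenting out "the last four lines representing virtual consoles ttyv5 through ttyv8" does not match the listing shown in this hunk's context: ttyv8 is the `xdm` entry and is already `off`, so only ttyv5, ttyv6 and ttyv7 would lose their getty. If the eight consoles are ttyv0 through ttyv7, the range should read ttyv4 through ttyv7. The wrapping itself is fine; the range belongs in a content commit.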
@ -204,7 +207,7 @@ ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure</programlisting>
|
||||||
the graphical environment if <application>&xorg;</application>
|
the graphical environment if <application>&xorg;</application>
|
||||||
has been installed and configured as described in <xref
|
has been installed and configured as described in <xref
|
||||||
linkend="x11"/>.</para>
|
linkend="x11"/>.</para>
|
||||||
|
|
||||||
<para>For a detailed description of every column in this file
|
<para>For a detailed description of every column in this file
|
||||||
and the available options for the virtual consoles, refer to
|
and the available options for the virtual consoles, refer to
|
||||||
&man.ttys.5;.</para>
|
&man.ttys.5;.</para>
|
||||||
|
|
@ -216,40 +219,38 @@ ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm off secure</programlisting>
|
||||||
<para>The &os; boot menu provides an option labelled as
|
<para>The &os; boot menu provides an option labelled as
|
||||||
<quote>Boot Single User</quote>. If this option is selected,
|
<quote>Boot Single User</quote>. If this option is selected,
|
||||||
the system will boot into a special mode known as
|
the system will boot into a special mode known as
|
||||||
<quote>single user mode</quote>. This mode is typically used to
|
<quote>single user mode</quote>. This mode is typically used
|
||||||
repair a system that will not boot or to reset the
|
to repair a system that will not boot or to reset the
|
||||||
<username>root</username> password when it is not known.
|
<username>root</username> password when it is not known.
|
||||||
While in single user mode, networking and other
|
While in single user mode, networking and other virtual
|
||||||
virtual consoles are not available. However, full
|
consoles are not available. However, full
|
||||||
<username>root</username> access to the system is available,
|
<username>root</username> access to the system is available,
|
||||||
and by default, the <username>root</username> password is not
|
and by default, the <username>root</username> password is not
|
||||||
needed. For these reasons, physical access to the keyboard
|
needed. For these reasons, physical access to the keyboard
|
||||||
is needed to boot into this mode and determining who has physical
|
is needed to boot into this mode and determining who has
|
||||||
access to the keyboard is something to consider when securing
|
physical access to the keyboard is something to consider when
|
||||||
a &os; system.</para>
|
securing a &os; system.</para>
|
||||||
|
|
||||||
<para>The settings which control
|
<para>The settings which control single user mode are found in
|
||||||
single user mode are found in this section of
|
this section of <filename>/etc/ttys</filename>:</para>
|
||||||
<filename>/etc/ttys</filename>:</para>
|
|
||||||
|
|
||||||
<programlisting># name getty type status comments
|
<programlisting># name getty type status comments
|
||||||
#
|
#
|
||||||
# If console is marked "insecure", then init will ask for the root password
|
# If console is marked "insecure", then init will ask for the root password
|
||||||
# when going to single-user mode.
|
# when going to single-user mode.
|
||||||
console none unknown off secure</programlisting>
|
console none unknown off secure</programlisting>
|
||||||
|
|
||||||
<para>By default, the status is set to <literal>secure</literal>.
|
<para>By default, the status is set to
|
||||||
This assumes that who has physical access to the keyboard
|
<literal>secure</literal>. This assumes that who has
|
||||||
is either not important or it is controlled by a physical
|
physical access to the keyboard is either not important or it
|
||||||
security policy. If this setting is changed to
|
is controlled by a physical security policy. If this setting
|
||||||
<literal>insecure</literal>, the assumption is that the
|
is changed to <literal>insecure</literal>, the assumption is
|
||||||
environment itself is insecure because anyone can access
|
that the environment itself is insecure because anyone can
|
||||||
the keyboard. When this line is changed to
|
access the keyboard. When this line is changed to
|
||||||
<literal>insecure</literal>, &os; will prompt for the
|
<literal>insecure</literal>, &os; will prompt for the
|
||||||
<username>root</username> password when a user selects to boot into single
|
<username>root</username> password when a user selects to
|
||||||
user mode.
|
boot into single user mode.</para>
|
||||||
</para>
|
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para><emphasis>Be careful when changing this setting to
|
<para><emphasis>Be careful when changing this setting to
|
||||||
<literal>insecure</literal></emphasis>! If the
|
<literal>insecure</literal></emphasis>! If the
|
||||||
|
|
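Review bot: "This assumes that who has physical access to the keyboard is either not important or it is controlled by a physical security policy" is carried over ungrammatical; "that whoever has physical access" (or "that controlling who has physical access") reads correctly and states the threat assumption behind the `secure` setting more plainly. Out of scope for a whitespace commit, so defer it. The `<programlisting>` block ending in `console none unknown off secure` is correctly left unwrapped.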
@ -331,94 +332,95 @@ console none unknown off secure</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>How to create groups and add users as members of a group.</para>
|
<para>How to create groups and add users as members of a
|
||||||
|
group.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<sect2 id="users-introduction">
|
<sect2 id="users-introduction">
|
||||||
<title>Account Types</title>
|
<title>Account Types</title>
|
||||||
|
|
||||||
<para>Since all access to the &os; system is achieved using accounts
|
<para>Since all access to the &os; system is achieved using
|
||||||
and all processes are run by users, user and account management
|
accounts and all processes are run by users, user and account
|
||||||
is important.</para>
|
management is important.</para>
|
||||||
|
|
||||||
<para>There are three main types of accounts:
|
<para>There are three main types of accounts: system accounts,
|
||||||
system accounts,
|
user accounts, and the superuser account.</para>
|
||||||
user accounts, and the
|
|
||||||
superuser account.</para>
|
|
||||||
|
|
||||||
<sect3 id="users-system">
|
<sect3 id="users-system">
|
||||||
<title>System Accounts</title>
|
<title>System Accounts</title>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>accounts</primary>
|
<primary>accounts</primary>
|
||||||
<secondary>system</secondary>
|
<secondary>system</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>System accounts are used to run services such as DNS,
|
<para>System accounts are used to run services such as DNS,
|
||||||
mail, and web servers. The reason for this is security; if
|
mail, and web servers. The reason for this is security; if
|
||||||
all services ran as the superuser, they could act without
|
all services ran as the superuser, they could act without
|
||||||
restriction.</para>
|
restriction.</para>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>accounts</primary>
|
<primary>accounts</primary>
|
||||||
<secondary><username>daemon</username></secondary>
|
<secondary><username>daemon</username></secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>accounts</primary>
|
<primary>accounts</primary>
|
||||||
<secondary><username>operator</username></secondary>
|
<secondary><username>operator</username></secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>Examples of system accounts are
|
<para>Examples of system accounts are
|
||||||
<username>daemon</username>, <username>operator</username>,
|
<username>daemon</username>, <username>operator</username>,
|
||||||
<username>bind</username>, <username>news</username>, and
|
<username>bind</username>, <username>news</username>, and
|
||||||
<username>www</username>.</para>
|
<username>www</username>.</para>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>accounts</primary>
|
<primary>accounts</primary>
|
||||||
<secondary><username>nobody</username></secondary>
|
<secondary><username>nobody</username></secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para><username>nobody</username> is the generic unprivileged
|
<para><username>nobody</username> is the generic unprivileged
|
||||||
system account. However, the more services that use
|
system account. However, the more services that use
|
||||||
<username>nobody</username>, the more files and processes that
|
<username>nobody</username>, the more files and processes
|
||||||
user will become associated with, and hence the more
|
that user will become associated with, and hence the more
|
||||||
privileged that user becomes.</para>
|
privileged that user becomes.</para>
|
||||||
</sect3>
|
</sect3>
|
||||||
|
|
||||||
<sect3 id="users-user">
|
<sect3 id="users-user">
|
||||||
<title>User Accounts</title>
|
<title>User Accounts</title>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>accounts</primary>
|
<primary>accounts</primary>
|
||||||
<secondary>user</secondary>
|
<secondary>user</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>User accounts are
|
<para>User accounts are assigned to real people and are used
|
||||||
assigned to real people and are used to log in and use the
|
to log in and use the system. Every person accessing the
|
||||||
system. Every person accessing the system should have a unique
|
system should have a unique user account. This allows the
|
||||||
user account. This allows the administrator to find out who
|
administrator to find out who is doing what and prevents
|
||||||
is doing what and prevents users from clobbering the
|
users from clobbering the settings of other users.</para>
|
||||||
settings of other users.</para>
|
|
||||||
|
|
||||||
<para>Each user can set up their own environment to accommodate
|
<para>Each user can set up their own environment to
|
||||||
their use of the system, by configuring their default shell, editor,
|
accommodate their use of the system, by configuring their
|
||||||
key bindings, and language settings.</para>
|
default shell, editor, key bindings, and language
|
||||||
<para>Every user account on a &os; system has certain information
|
settings.</para>
|
||||||
associated with it:</para>
|
|
||||||
|
|
||||||
<variablelist>
|
<para>Every user account on a &os; system has certain
|
||||||
<varlistentry>
|
information associated with it:</para>
|
||||||
<term>User name</term>
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term>User name</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The user name is typed at the <prompt>login:</prompt>
|
<para>The user name is typed at the <prompt>login:</prompt>
|
||||||
prompt. User names must be unique on the system as no two
|
prompt. User names must be unique on the system as no two
|
||||||
users can have the same user name. There are a number of
|
users can have the same user name. There are a number of
|
||||||
rules for creating valid user names which are documented in
|
rules for creating valid user names which are documented
|
||||||
&man.passwd.5;. It is recommended to use user names that consist of eight or
|
in &man.passwd.5;. It is recommended to use user names
|
||||||
fewer, all lower case characters in order to maintain
|
that consist of eight or fewer, all lower case characters
|
||||||
backwards compatibility with applications.</para>
|
in order to maintain backwards compatibility with
|
||||||
|
applications.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
@ -426,8 +428,9 @@ console none unknown off secure</programlisting>
|
||||||
<term>Password</term>
|
<term>Password</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Each user account should have an associated password. While the
|
<para>Each user account should have an associated password.
|
||||||
password can be blank, this is highly discouraged.</para>
|
While the password can be blank, this is highly
|
||||||
|
discouraged.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
@ -435,14 +438,13 @@ console none unknown off secure</programlisting>
|
||||||
<term>User ID (<acronym>UID</acronym>)</term>
|
<term>User ID (<acronym>UID</acronym>)</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The User ID (<acronym>UID</acronym>) is a number
|
<para>The User ID (<acronym>UID</acronym>) is a number used
|
||||||
used to uniquely identify the user to the
|
to uniquely identify the user to the &os; system.
|
||||||
&os; system. Commands that
|
Commands that allow a user name to be specified will
|
||||||
allow a user name to be specified will first convert it to
|
first convert it to the <acronym>UID</acronym>. It is
|
||||||
the <acronym>UID</acronym>. It is recommended to use a UID of
|
recommended to use a UID of 65535 or lower as higher UIDs
|
||||||
65535 or lower as higher UIDs may cause compatibility
|
may cause compatibility issues with software that does
|
||||||
issues with software that does not support integers larger
|
not support integers larger than 32-bits.</para>
|
||||||
than 32-bits.</para>
|
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
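Review bot: the rewrapped UID paragraph still pairs the limit "65535 or lower" with "software that does not support integers larger than 32-bits"; 65535 is the 16-bit maximum, so either the number or the bit width is wrong and the rationale does not hold together. Not this commit's problem, but it deserves a content fix before translators pick the paragraph up.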
@ -450,14 +452,15 @@ console none unknown off secure</programlisting>
|
||||||
<term>Group ID (<acronym>GID</acronym>)</term>
|
<term>Group ID (<acronym>GID</acronym>)</term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The Group ID (<acronym>GID</acronym>) is a number used to uniquely identify
|
<para>The Group ID (<acronym>GID</acronym>) is a number
|
||||||
the primary group that the user belongs to. Groups are a
|
used to uniquely identify the primary group that the user
|
||||||
mechanism for controlling access to resources based on a
|
belongs to. Groups are a mechanism for controlling
|
||||||
user's <acronym>GID</acronym> rather than their
|
access to resources based on a user's
|
||||||
|
<acronym>GID</acronym> rather than their
|
||||||
<acronym>UID</acronym>. This can significantly reduce the
|
<acronym>UID</acronym>. This can significantly reduce the
|
||||||
size of some configuration files and allows users to be
|
size of some configuration files and allows users to be
|
||||||
members of more than one group. It is recommended to use a GID of
|
members of more than one group. It is recommended to use
|
||||||
65535 or lower as higher GIDs may break some
|
a GID of 65535 or lower as higher GIDs may break some
|
||||||
software.</para>
|
software.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
@ -479,9 +482,9 @@ console none unknown off secure</programlisting>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>By default, &os; does not force users to change their
|
<para>By default, &os; does not force users to change their
|
||||||
passwords periodically. Password expiration can be
|
passwords periodically. Password expiration can be
|
||||||
enforced on a per-user basis using &man.pw.8;, forcing some or all users to
|
enforced on a per-user basis using &man.pw.8;, forcing
|
||||||
change their passwords after a certain amount of time has
|
some or all users to change their passwords after a
|
||||||
elapsed.</para>
|
certain amount of time has elapsed.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
@ -492,9 +495,10 @@ console none unknown off secure</programlisting>
|
||||||
<para>By default, &os; does not expire accounts. When
|
<para>By default, &os; does not expire accounts. When
|
||||||
creating accounts that need a limited lifespan, such as
|
creating accounts that need a limited lifespan, such as
|
||||||
student accounts in a school, specify the account expiry
|
student accounts in a school, specify the account expiry
|
||||||
date using &man.pw.8;. After the expiry time has elapsed, the account
|
date using &man.pw.8;. After the expiry time has
|
||||||
cannot be used to log in to the system, although the
|
elapsed, the account cannot be used to log in to the
|
||||||
account's directories and files will remain.</para>
|
system, although the account's directories and files will
|
||||||
|
remain.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
@ -504,9 +508,9 @@ console none unknown off secure</programlisting>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The user name uniquely identifies the account to &os;,
|
<para>The user name uniquely identifies the account to &os;,
|
||||||
but does not necessarily reflect the user's real name.
|
but does not necessarily reflect the user's real name.
|
||||||
Similar to a comment, this information
|
Similar to a comment, this information can contain a
|
||||||
can contain a space, uppercase characters, and be more
|
space, uppercase characters, and be more than 8
|
||||||
than 8 characters long.</para>
|
characters long.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
@ -538,9 +542,9 @@ console none unknown off secure</programlisting>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</sect3>
|
</sect3>
|
||||||
|
|
||||||
<sect3 id="users-superuser">
|
<sect3 id="users-superuser">
|
||||||
<title>The Superuser Account</title>
|
<title>The Superuser Account</title>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
|
|
@ -558,50 +562,53 @@ console none unknown off secure</programlisting>
|
||||||
<para>The superuser, unlike other user
|
<para>The superuser, unlike other user
|
||||||
accounts, can operate without limits, and misuse of the
|
accounts, can operate without limits, and misuse of the
|
||||||
superuser account may result in spectacular disasters. User
|
superuser account may result in spectacular disasters. User
|
||||||
accounts are unable to destroy the operating system by mistake, so it is
|
accounts are unable to destroy the operating system by
|
||||||
recommended to login as a user account and to only become the superuser
|
mistake, so it is recommended to login as a user account and
|
||||||
when a command requires extra privilege.</para>
|
to only become the superuser when a command requires extra
|
||||||
|
privilege.</para>
|
||||||
|
|
||||||
<para>Always double and triple-check any commands issued as the
|
<para>Always double and triple-check any commands issued as the
|
||||||
superuser, since an extra space or missing character can mean
|
superuser, since an extra space or missing character can mean
|
||||||
irreparable data loss.</para>
|
irreparable data loss.</para>
|
||||||
|
|
||||||
<para>There are several ways to become gain superuser privilege. While one
|
<para>There are several ways to become gain superuser privilege.
|
||||||
can log in as <username>root</username>, this is highly discouraged.</para>
|
While one can log in as <username>root</username>, this is
|
||||||
|
highly discouraged.</para>
|
||||||
|
|
||||||
<para>Instead, use &man.su.1; to become the superuser. If
|
<para>Instead, use &man.su.1; to become the superuser. If
|
||||||
<literal>-</literal> is specified when running this command, the user will also inherit the root user's environment.
|
<literal>-</literal> is specified when running this command,
|
||||||
The user running this command must
|
the user will also inherit the root user's environment. The
|
||||||
be in the <groupname>wheel</groupname> group or else the command
|
user running this command must be in the
|
||||||
will fail. The user must also know the password for the
|
<groupname>wheel</groupname> group or else the command will
|
||||||
<username>root</username> user account.</para>
|
fail. The user must also know the password for the
|
||||||
|
<username>root</username> user account.</para>
|
||||||
|
|
||||||
<para>In this example, the user only becomes superuser in order to run
|
<para>In this example, the user only becomes superuser in order
|
||||||
<command>make install</command> as this step requires superuser privilege.
|
to run <command>make install</command> as this step requires
|
||||||
Once the command completes, the user types <command>exit</command>
|
superuser privilege. Once the command completes, the user
|
||||||
to leave the superuser account and return to the privilege of
|
types <command>exit</command> to leave the superuser account
|
||||||
their user account.</para>
|
and return to the privilege of their user account.</para>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Install a Program As The Superuser</title>
|
<title>Install a Program As The Superuser</title>
|
||||||
|
|
||||||
<screen>&prompt.user; <userinput>configure</userinput>
|
<screen>&prompt.user; <userinput>configure</userinput>
|
||||||
&prompt.user; <userinput>make</userinput>
|
&prompt.user; <userinput>make</userinput>
|
||||||
&prompt.user; <userinput>su -</userinput>
|
&prompt.user; <userinput>su -</userinput>
|
||||||
Password:
|
Password:
|
||||||
&prompt.root; <userinput>make install</userinput>
|
&prompt.root; <userinput>make install</userinput>
|
||||||
&prompt.root; <userinput>exit</userinput>
|
&prompt.root; <userinput>exit</userinput>
|
||||||
&prompt.user;</screen>
|
&prompt.user;</screen>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
<para>The built-in &man.su.1; framework works well for single systems or small
|
<para>The built-in &man.su.1; framework works well for single
|
||||||
networks with just one system administrator. An alternative
|
systems or small networks with just one system administrator.
|
||||||
is to install the
|
An alternative is to install the <filename
|
||||||
<filename role="package">security/sudo</filename> package or port. This software
|
role="package">security/sudo</filename> package or port.
|
||||||
provides activity logging and allows the administrator to configure which users
|
This software provides activity logging and allows the
|
||||||
can run which commands
|
administrator to configure which users can run which commands
|
||||||
as the superuser.</para>
|
as the superuser.</para>
|
||||||
</sect3>
|
</sect3>
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2 id="users-modifying">
|
<sect2 id="users-modifying">
|
||||||
|
|
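Review bot: style point on the `security/sudo` package reference in this hunk: the reflow splits the start tag across two lines (`<filename` at the end of one line, `role="package">security/sudo</filename>` at the start of the next). That is well-formed XML, but it defeats a plain `grep '<filename role="package">'` over the handbook sources and reads worse than one long line; suggest wrapping before `<filename` and keeping the whole start tag together.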
@ -918,7 +925,7 @@ passwd: done</screen>
|
||||||
<title>Changing Another User's Password as the
|
<title>Changing Another User's Password as the
|
||||||
Superuser</title>
|
Superuser</title>
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>passwd jru</userinput>
|
<screen>&prompt.root; <userinput>passwd jru</userinput>
|
||||||
Changing local password for jru.
|
Changing local password for jru.
|
||||||
New password:
|
New password:
|
||||||
Retype new password:
|
Retype new password:
|
||||||
|
|
@ -1025,14 +1032,17 @@ passwd: done</screen>
|
||||||
<term><literal>coredumpsize</literal></term>
|
<term><literal>coredumpsize</literal></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The limit on the size of a core file<indexterm><primary>coredumpsize</primary></indexterm> generated by a
|
<para>The limit on the size of a core file
|
||||||
program is subordinate to other limits<indexterm><primary>limiting users</primary><secondary>coredumpsize</secondary></indexterm> on disk usage, such
|
<indexterm><primary>coredumpsize</primary></indexterm>
|
||||||
as <literal>filesize</literal>, or disk quotas.
|
generated by a program is subordinate to other
|
||||||
This limit is often used as a less-severe method of
|
limits <indexterm><primary>limiting users
|
||||||
controlling disk space consumption. Since users do not
|
</primary><secondary>coredumpsize</secondary></indexterm>
|
||||||
generate core files themselves, and often do not delete
|
on disk usage, such as <literal>filesize</literal>, or
|
||||||
them, setting this may save them from running out of disk
|
disk quotas. This limit is often used as a less-severe
|
||||||
space should a large program crash.</para>
|
method of controlling disk space consumption. Since
|
||||||
|
users do not generate core files themselves, and often do
|
||||||
|
not delete them, setting this may save them from running
|
||||||
|
out of disk space should a large program crash.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
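Review bot: this reflow changes the text content of an index term, which a whitespace-only commit should not do: `<primary>limiting users` now ends one line and `</primary>` starts the next, so the `<primary>` element contains a newline plus indentation after `limiting users`. Unless the stylesheet normalizes whitespace inside index terms, that trailing whitespace can yield a different index entry or sort key from the unbroken `limiting users` terms elsewhere in the chapter. The cputime, filesize, maxproc, memorylocked, memoryuse, openfiles, sbsize and stacksize hunks below reflow their `<indexterm>` the same way, and in the memoryuse, openfiles, sbsize and stacksize hunks the break even falls between `limiting` and `users`. Suggest keeping each `<indexterm>` on a single line, even past the column limit, and wrapping the surrounding prose around it instead.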
@ -1040,9 +1050,12 @@ passwd: done</screen>
|
||||||
<term><literal>cputime</literal></term>
|
<term><literal>cputime</literal></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The maximum amount of CPU<indexterm><primary>cputime</primary></indexterm><indexterm><primary>limiting users</primary><secondary>cputime</secondary></indexterm> time a user's process may
|
<para>The maximum amount of CPU
|
||||||
consume. Offending processes will be killed by the
|
<indexterm><primary>cputime</primary></indexterm><indexterm><primary>
|
||||||
kernel.</para>
|
limiting users
|
||||||
|
</primary><secondary>cputime</secondary></indexterm>
|
||||||
|
time a user's process may consume. Offending processes
|
||||||
|
will be killed by the kernel.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>This is a limit on CPU <emphasis>time</emphasis>
|
<para>This is a limit on CPU <emphasis>time</emphasis>
|
||||||
|
|
@ -1056,10 +1069,13 @@ passwd: done</screen>
|
||||||
<term><literal>filesize</literal></term>
|
<term><literal>filesize</literal></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The maximum size of a file<indexterm><primary>filesize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>filesize</secondary></indexterm> the user may own. Unlike
|
<para>The maximum size of a file
|
||||||
<link linkend="quotas">disk quotas</link>, this limit is
|
<indexterm><primary>filesize</primary></indexterm><indexterm><primary>
|
||||||
enforced on individual files, not the set of all files a
|
limiting users
|
||||||
user owns.</para>
|
</primary><secondary>filesize</secondary></indexterm>
|
||||||
|
the user may own. Unlike <link linkend="quotas">disk
|
||||||
|
quotas</link>, this limit is enforced on individual
|
||||||
|
files, not the set of all files a user owns.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
@ -1067,9 +1083,13 @@ passwd: done</screen>
|
||||||
<term><literal>maxproc</literal></term>
|
<term><literal>maxproc</literal></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The maximum number of processes<indexterm><primary>maxproc</primary></indexterm><indexterm><primary>limiting users</primary><secondary>maxproc</secondary></indexterm> a user can run. This
|
<para>The maximum number of processes
|
||||||
includes foreground and background processes. This limit
|
<indexterm><primary>maxproc</primary></indexterm><indexterm><primary>
|
||||||
may not be larger than the system limit specified by the
|
limiting users
|
||||||
|
</primary><secondary>maxproc</secondary></indexterm> a
|
||||||
|
user can run. This includes foreground and background
|
||||||
|
processes. This limit may not be larger than the system
|
||||||
|
limit specified by the
|
||||||
<varname>kern.maxproc</varname> &man.sysctl.8;. Setting
|
<varname>kern.maxproc</varname> &man.sysctl.8;. Setting
|
||||||
this limit too small may hinder a user's productivity as
|
this limit too small may hinder a user's productivity as
|
||||||
it is often useful to be logged in multiple times or to
|
it is often useful to be logged in multiple times or to
|
||||||
|
|
@ -1083,11 +1103,15 @@ passwd: done</screen>
|
||||||
<term><literal>memorylocked</literal></term>
|
<term><literal>memorylocked</literal></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The maximum amount of memory<indexterm><primary>memorylocked</primary></indexterm><indexterm><primary>limiting users</primary><secondary>memorylocked</secondary></indexterm> a process may request
|
<para>The maximum amount of memory
|
||||||
to be locked into main memory using &man.mlock.2;. Some
|
<indexterm><primary>memorylocked</primary></indexterm><indexterm><primary>
|
||||||
system-critical programs, such as &man.amd.8;, lock into
|
limiting users
|
||||||
main memory so that if the system begins to swap, they do
|
</primary><secondary>memorylocked</secondary></indexterm>
|
||||||
not contribute to disk thrashing.</para>
|
a process may request to be locked into main memory using
|
||||||
|
&man.mlock.2;. Some system-critical programs, such as
|
||||||
|
&man.amd.8;, lock into main memory so that if the system
|
||||||
|
begins to swap, they do not contribute to disk
|
||||||
|
thrashing.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
@ -1095,10 +1119,14 @@ passwd: done</screen>
|
||||||
<term><literal>memoryuse</literal></term>
|
<term><literal>memoryuse</literal></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The maximum amount of memory<indexterm><primary>memoryuse</primary></indexterm><indexterm><primary>limiting users</primary><secondary>memoryuse</secondary></indexterm> a process may consume at
|
<para>The maximum amount of memory
|
||||||
any given time. It includes both core memory and swap
|
<indexterm><primary>memoryuse</primary></indexterm><indexterm><primary>
|
||||||
usage. This is not a catch-all limit for restricting
|
limiting
|
||||||
memory consumption, but is a good start.</para>
|
users</primary><secondary>memoryuse</secondary></indexterm>
|
||||||
|
a process may consume at any given time. It includes both
|
||||||
|
core memory and swap usage. This is not a catch-all limit
|
||||||
|
for restricting memory consumption, but is a good
|
||||||
|
start.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
|
@ -1106,7 +1134,10 @@ passwd: done</screen>
|
||||||
<term><literal>openfiles</literal></term>
|
<term><literal>openfiles</literal></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The maximum number of files a process may have open<indexterm><primary>openfiles</primary></indexterm><indexterm><primary>limiting users</primary><secondary>openfiles</secondary></indexterm>.
|
<para>The maximum number of files a process may have open
|
||||||
|
<indexterm><primary>openfiles</primary></indexterm><indexterm><primary>
|
||||||
|
limiting
|
||||||
|
users</primary><secondary>openfiles</secondary></indexterm>.
|
||||||
In &os;, files are used to represent sockets and IPC
|
In &os;, files are used to represent sockets and IPC
|
||||||
channels, so be careful not to set this too low. The
|
channels, so be careful not to set this too low. The
|
||||||
system-wide limit for this is defined by the
|
system-wide limit for this is defined by the
|
||||||
|
|
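Review bot: the first sentence of this hunk now renders with a space before its full stop. Before the change, `open<indexterm>…</indexterm>.` put the index marker directly between `open` and the period; after it, `open` ends one line and `</indexterm>.` sits on a later one, so a whitespace-only text node separates `open` from `.`. Since `<indexterm>` produces no output, that whitespace collapses to a single space and the reader sees `have open .`. The sbsize hunk (`thus mbufs` … `</indexterm>,`) and the stacksize hunk (`process stack` … `</indexterm>.`) have the same problem with a comma and a period. Suggest keeping the punctuation on the same line as the word it follows, for example by moving the `<indexterm>` after the punctuation or onto the preceding line.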
@ -1119,7 +1150,10 @@ passwd: done</screen>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The limit on the amount of network memory, and
|
<para>The limit on the amount of network memory, and
|
||||||
thus mbufs<indexterm><primary>sbsize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>sbsize</secondary></indexterm>, a user may consume in order to limit network
|
thus mbufs
|
||||||
|
<indexterm><primary>sbsize</primary></indexterm><indexterm><primary>limiting
|
||||||
|
users</primary><secondary>sbsize</secondary></indexterm>,
|
||||||
|
a user may consume in order to limit network
|
||||||
communications.</para>
|
communications.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
@ -1128,10 +1162,12 @@ passwd: done</screen>
|
||||||
<term><literal>stacksize</literal></term>
|
<term><literal>stacksize</literal></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The maximum size of a process stack<indexterm><primary>stacksize</primary></indexterm><indexterm><primary>limiting users</primary><secondary>stacksize</secondary></indexterm>. This alone is
|
<para>The maximum size of a process stack
|
||||||
not sufficient to limit the amount of memory a program
|
<indexterm><primary>stacksize</primary></indexterm><indexterm><primary>limiting
|
||||||
may use so it should be used in conjunction with other
|
users</primary><secondary>stacksize</secondary></indexterm>.
|
||||||
limits.</para>
|
This alone is not sufficient to limit the amount of memory
|
||||||
|
a program may use so it should be used in conjunction with
|
||||||
|
other limits.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
@ -1271,13 +1307,13 @@ teamtwo:*:1100:jru,db</screen>
|
||||||
uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
|
uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
|
||||||
</example>
|
</example>
|
||||||
|
|
||||||
<para>In this example, <username>jru</username> is a member of the
|
<para>In this example, <username>jru</username> is a member of
|
||||||
groups <groupname>jru</groupname> and
|
the groups <groupname>jru</groupname> and
|
||||||
<groupname>teamtwo</groupname>.</para>
|
<groupname>teamtwo</groupname>.</para>
|
||||||
|
|
||||||
<para>For more information about this command and the format of
|
<para>For more information about this command and the format of
|
||||||
<filename>/etc/group</filename>, refer to &man.pw.8; and
|
<filename>/etc/group</filename>, refer to &man.pw.8; and
|
||||||
&man.group.5;.</para>
|
&man.group.5;.</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
</sect1>
|
</sect1>
|
||||||
|
|
||||||
|
|
@ -1294,15 +1330,14 @@ uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
|
||||||
the files used by the operating system or owned by other
|
the files used by the operating system or owned by other
|
||||||
users.</para>
|
users.</para>
|
||||||
|
|
||||||
<para>This section discusses the traditional &unix;
|
<para>This section discusses the traditional &unix; permissions
|
||||||
permissions used in &os;. For finer grained file system access control,
|
used in &os;. For finer grained file system access control,
|
||||||
refer to
|
refer to <xref linkend="fs-acl"/>.</para>
|
||||||
<xref linkend="fs-acl"/>.</para>
|
|
||||||
|
|
||||||
<para>In &unix;, basic permissions are assigned using
|
<para>In &unix;, basic permissions are assigned using
|
||||||
three types of access: read, write, and execute. These access
|
three types of access: read, write, and execute. These access
|
||||||
types are used to determine file access to the file's owner,
|
types are used to determine file access to the file's owner,
|
||||||
group, and others (everyone else). The read, write, and execute
|
group, and others (everyone else). The read, write, and execute
|
||||||
permissions can be represented as the letters
|
permissions can be represented as the letters
|
||||||
<literal>r</literal>, <literal>w</literal>, and
|
<literal>r</literal>, <literal>w</literal>, and
|
||||||
<literal>x</literal>. They can also be represented as binary
|
<literal>x</literal>. They can also be represented as binary
|
||||||
|
|
@ -1315,10 +1350,10 @@ uid=1001(jru) gid=1001(jru) groups=1001(jru), 1100(teamtwo)</screen>
|
||||||
<literal>1</literal>.</para>
|
<literal>1</literal>.</para>
|
||||||
|
|
||||||
<para>Table 4.1 summarizes the possible numeric and alphabetic
|
<para>Table 4.1 summarizes the possible numeric and alphabetic
|
||||||
possibilities. When reading the <quote>Directory Listing</quote>
|
possibilities. When reading the <quote>Directory
|
||||||
column, a <literal>-</literal> is used to represent a permission
|
Listing</quote> column, a <literal>-</literal> is used to
|
||||||
that is set to off.</para>
|
represent a permission that is set to off.</para>
|
||||||
|
|
||||||
<indexterm><primary>permissions</primary></indexterm>
|
<indexterm><primary>permissions</primary></indexterm>
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>file permissions</primary>
|
<primary>file permissions</primary>
|
||||||
|
|
|
||||||
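Review bot: unrelated to the whitespace change but visible in this hunk: the paragraph refers to the permissions table as a hard-coded `Table 4.1`. If a table or section is added or moved, that number silently goes stale, and translators are handed a literal number to carry over. Since the paragraph is being re-wrapped anyway, consider replacing `Table 4.1` with an `<xref>` to the table's `id` so the stylesheet generates the number.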