How to Manage Users & Groups on FreeBSD?
FreeBSD permits concurrent use of the machine by numerous people. While only one person may utilize the keyboard and monitor at any one time, any number of users can log in to the machine over the network. To access the system, each user must have a unique user account.
FreeBSD, like other Unix-like operating systems, allows users to establish accounts for interactive system access. When correctly administered, user accounts may provide a layer of system security by allowing users to access just the files and folders they need to complete their duties.
In this tutorial we will cover the following topics:
- User account types on a FreeBSD system
- How to create, manage, lock, and delete user accounts
- How to control which resources users and groups may access by establishing access restrictions
- How to create groups and add users as group members
To follow along with this tutorial, root access to a FreeBSD server is required. You must be able to log in as root or as another user with superuser rights through the sudo command. If you run commands as root, you may omit the sudo component of the examples.
What are the Types of Accounts?
All access to the FreeBSD system is accomplished via user accounts, and all processes are executed by users, hence user and account management is essential. There are three primary account types on FreeBSD:
- System accounts
- User accounts
- Superuser account
What is System Account?
System accounts are used to run services such as email, DNS, and web servers. The main reason for using dedicated system accounts is security: if every service ran as the superuser, a compromise of any one of them would hand over the whole system. Some examples of system accounts are listed below:
- daemon
- operator
- bind
- news
- www
nobody is the generic unprivileged account. However, the more services that run as nobody, the more files and processes that account becomes associated with, and hence the more privileged it effectively becomes; a bug in one such service then exposes everything the others own. Give each service its own account rather than sharing nobody.
What is User Account?
User accounts are given to specific individuals and are used for logging in and navigating the system. Every individual that accesses the system must have a unique user account. This enables the administrator to determine who is doing what and prohibits users from tampering with other users' settings.
By changing their default shell, editor, key bindings, and language settings, each user is able to tailor their environment to their own system use.
Every user account on a FreeBSD system is associated with the following data:
- User name: Each user must have a unique user name, which is typed at the login: prompt. For backward compatibility with older applications, it is recommended that user names consist of eight or fewer lowercase characters.
- User's full name: The user name identifies the account to FreeBSD but is not necessarily the person's actual name. Like a comment, this field may contain whitespace and capitalization and be longer than eight characters.
- User ID (UID): A number that uniquely identifies a user on the FreeBSD system. Any command that accepts a user name first converts it to the UID; the kernel only ever sees the number, so two entries with the same UID are the same user for access-control purposes. It is advised to choose a UID below 65535, since larger numbers may cause compatibility problems with some applications.
- Group ID (GID): A number that uniquely identifies the user's primary group. Groups are a mechanism for controlling access to resources based on a user's GID rather than UID. This can considerably reduce the size of some configuration files and allows users to be members of more than one group. It is advised to use a GID of 65535 or less, since larger GIDs may break some software.
- Password: Each account has a corresponding password.
- Password change time: By default, passwords do not expire. However, password expiration may be enabled per user, forcing some or all users to change their passwords after a specified period of time.
- Login class: Login classes are an extension of the group mechanism that allows the system to be tailored further for different users, for example with the resource limits and password policy defined in /etc/login.conf.
- Account expiration time: By default, FreeBSD does not expire accounts. When creating accounts with a limited lifetime, such as student accounts at a school, specify the expiry date with pw(8) (pw usermod -e) or in the Expire field of chpass(1). After the expiration date has passed, the account can no longer be used to log in, although its directories and files remain intact.
- Home directory: The full path to the directory that becomes the user's working directory on login. Home directories are usually placed under /home/username or /usr/home/username. Each user's own files and subdirectories are stored there.
- User shell: The shell is the user's default environment for interacting with the system. There are several shells, such as sh, csh and bash, and experienced users usually have a preference, which is recorded in their account settings.
What is Superuser Account?
The root account, often called the superuser account, is used to administer the system with no restrictions. Therefore, it should not be used for routine work such as general system exploration, programming, or sending and receiving email.
Unlike ordinary user accounts, the superuser account operates without restrictions, and its misuse can have catastrophic consequences. Ordinary user accounts cannot accidentally damage the operating system, so it is advised to log in as an ordinary user and switch to the superuser only when a task requires elevated privileges. Always double- and even triple-check commands issued as the superuser, since a single extra space or missing character can result in irreparable data loss.
There are several ways to gain superuser privileges. While it is possible to log in directly as root, this is strongly discouraged: a shared root login leaves no record of which administrator did what.
You may use the su command to become the superuser. If - is given as an argument, the user also inherits the root user's environment (PATH, HOME and so on) instead of carrying their own environment into the root session. The user who executes this command must be a member of the wheel group, or the command will fail. Additionally, the user must know the password of the root account.
In the following example, the user becomes the superuser only to run make install, which needs superuser privileges. After the command completes, the user types exit to leave the superuser shell and return to their normal privileges.
% configure
% make
% su -
Password:
# make install
# exit
%
su works best for single systems or small networks with a single system administrator. As an alternative, install the security/sudo package or port. It logs every command run through it and lets the administrator specify which users may run which commands as the superuser, so the root password no longer needs to be shared at all.
How to Manage Accounts?
FreeBSD includes several commands for managing user accounts. The most common are listed below:
- adduser: The recommended command-line utility for adding new users.
- rmuser: The recommended command-line utility for removing users.
- chpass: A flexible tool for modifying user database information.
- passwd: The command-line utility for changing user passwords.
- pw: A powerful and flexible tool for modifying all aspects of user accounts; the one to use in scripts.
- bsdconfig: A system configuration utility with support for account management.
How to Add a User Account?
To add a new user, use the adduser utility. It can be run interactively, with prompts for information about the new user, or non-interactively, which is preferable when adding several users at once. This section covers interactive mode.
When a new user is added, /etc/passwd, /etc/master.passwd and /etc/group are updated automatically, a home directory is created for the user, and the default configuration files from /usr/share/skel are copied into it. adduser can optionally mail the new user a welcome message. The utility must be run as the superuser.
To add a user interactively, one at a time, run adduser without arguments:
adduser
The adduser tool is interactive and guides you through account creation. Enter the requested information, or press Return to accept the default value shown between square brackets; for instance, [yes] means yes is the default. A few prompts deserve attention:
- Username: Enter the login name for the new account.
- Login group is <user>. Invite <user> into other groups?: Add the user to additional groups by giving a space-separated list. The usual reason is to grant administrative access by adding the user to wheel: on FreeBSD, members of wheel may use su to become root and, once security/sudo is installed and its wheel rule is enabled, sudo as well. To create an ordinary unprivileged user, leave this field blank. In the following example the user is added to wheel, enabling them to become the superuser with su.
Apart from the password prompts, the remaining questions are self-explanatory and may be left at their defaults. If you need to change other details, such as the UID or the home directory, give a non-default answer.
Username: john
Full name: John Valley
Uid (Leave empty for default):
Login group [john]:
Login group is john. Invite john into other groups? []: wheel
Login class [default]:
Shell (sh csh tcsh git-shell bash rbash nologin) [sh]:
Home directory [/home/john]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
After the questions are answered, a summary of the new user is displayed:
Username : john
Password : *****
Full Name : John Valley
Uid : 1002
Class :
Groups : john wheel
Home : /home/john
Home Mode :
Shell : /bin/sh
Locked : no
OK? (yes/no): yes
Check the details and answer yes or no at the OK? prompt; only yes creates the account. If you answer yes, the user is created and the following confirmation is displayed:
adduser: INFO: Successfully added (john) to the user database.
Whether you create the user or not, the following prompt will appear:
Add another user? (yes/no): no
Goodbye!
If you are done, answer no; otherwise answer yes and repeat the procedure for the next user.
At this point, the created user(s) may be used.
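The non-interactive mode mentioned above is the practical way to create many accounts at once. The following script is an added example, not code from the FreeBSD Handbook or the adduser utility itself: it builds the colon-separated records that adduser -f expects (name:uid:gid:class:change:expire:gecos:home_dir:shell:password, per adduser(8)) from a simple pipe-separated specification whose format is constructed for this example, validates each login name, refuses fields that would corrupt a record, and hands the batch to adduser with -w random so every account gets a generated password rather than an empty or shared one. The secondary group ourgroup and the two sample users are assumptions.

```shell
#!/bin/sh
# Batch account creation for adduser -f.  Added example, not FreeBSD code.
# adduser -f reads one record per line:
#   name:uid:gid:class:change:expire:gecos:home_dir:shell:password
# Empty fields take the same defaults that interactive mode offers.

NL=$(printf '\nx'); NL=${NL%x}   # a literal newline, for pattern matching

# Emit one adduser -f record.  Arguments: login, full name, login class, shell.
# uid, gid and home are left empty so adduser assigns the next free values; the
# password field is left empty because the batch is run with -w random.
adduser_line() {
    login=$1; gecos=$2; class=$3; shell=$4
    # Login names: lowercase letter or '_' first, then [a-z0-9_-], max 32 chars.
    if ! printf '%s\n' "$login" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'; then
        echo "adduser_line: invalid login name '$login'" >&2
        return 1
    fi
    # A colon or newline in any field would split the record (and could smuggle
    # a second account into the batch), so refuse instead of trying to escape.
    case "$gecos$class$shell" in
        *:*|*"$NL"*) echo "adduser_line: ':' or newline in a field" >&2; return 1 ;;
    esac
    printf '%s:::%s:::%s::%s:\n' "$login" "$class" "$gecos" "$shell"
}

# Turn a spec file (login|Full Name|class|shell per line, '#' comments) into an
# adduser batch file under $2 (mktemp creates it mode 0600).  Prints its path.
build_batch() {
    spec=$1 outdir=$2
    batch=$(mktemp "$outdir/adduser.XXXXXX") || return 1
    while IFS='|' read -r login gecos class shell; do
        case "$login" in ''|'#'*) continue ;; esac
        adduser_line "$login" "$gecos" "$class" "$shell" >>"$batch" || { rm -f "$batch"; return 1; }
    done <"$spec"
    printf '%s\n' "$batch"
}

# Constructed sample specification for the demo.
WORK=$(mktemp -d)
cat >"$WORK/spec" <<'EOF'
# login|Full Name|class|shell
john|John Valley|default|/bin/sh
alice|Alice Example||/bin/tcsh
EOF
BATCH=$(build_batch "$WORK/spec" "$WORK")
cat "$BATCH"

# Only run adduser on a FreeBSD host, as root.  -w random prints one generated
# password per account: capture that output into a 0600 file and hand the
# passwords over out of band.  -G ourgroup adds every new user to that
# secondary group (assumed to exist already).
if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" -eq 0 ]; then
    adduser -f "$BATCH" -w random -G ourgroup
fi
```

The batch file is created with mode 0600 and removed on any malformed line, so a half-built list is never handed to adduser; with -w random the password column stays empty, which is why the record ends in a bare colon.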
How to Remove a User Account?
To delete a user from the system entirely, run rmuser as the superuser. rmuser performs the following steps:
- Removes the user's crontab entry, if any
- Removes any at jobs belonging to the user
- Sends SIGKILL to all processes owned by the user
- Removes the user from the system's local password file
- Removes the user's home directory if it is owned by the user, including symbolic links in the path to the real home directory
- Removes the user's incoming mail files from /var/mail
- Removes all files owned by the user from /tmp, /var/tmp and /var/tmp/vi.recover
- Removes all of the user's message queues, shared memory segments and semaphores
- Removes the user from all group memberships in /etc/group; a group that becomes empty and has the same name as the user is deleted
rmuser refuses to remove superuser accounts, since doing so is almost always a sign of massive destruction. Files the user owns elsewhere on the file system, for instance under /usr/local or in a shared project directory, are not touched: they stay owned by the now unassigned UID, and an account created later with that UID inherits them. Review such files with find before removing the account. The default mode is interactive, as shown in the following example.
rmuser john
Matching password entry:
john:$6$8.M.bd65ButjBl/g$pYclsxPo9Gc35sGxMFUbW67OHCLU3cT8sFwWxEj9A2bAeRDz83MwCON6A0fJVXzOKXdrGXZsT9RFA6fCJn8yN0:1002:1002::0:0:John Valley:/home/john:/bin/sh
Is this the entry you wish to remove? y
Remove user's home directory (/home/john)? y
Removing user (john): mailspool home passwd.
How to Change User Account Details?
Any user may use chpass to change their default shell and personal information. Run as the superuser, it also allows additional account fields to be modified for any user.
When given no arguments other than an optional username, chpass opens an editor on the user's information. When the editor exits, the user database is updated with the new information. Unless it is run as the superuser, chpass asks for the user's password when the editor exits.
In the following example, the superuser has run chpass john and sees the fields that may be modified for this user:
#Changing user information for john.
Login: john
Password: $6$w0oAB5PyvLqWMWeM$R2R85he9H4KsqpSRLNPyVPr1N.g47y2JRWUEQMJ4P3schCR42CKne8brlxk456rtvCmaJds0ar0SdqbmYoee30
Uid [#]: 1002
Gid [# or name]: 1002
Change [month day year]:
Expire [month day year]:
Class:
Home directory: /home/john
Shell: /bin/sh
Full Name: John Valley
Office Location:
Office Phone:
Home Phone:
Other information:
~
If a normal user runs chpass instead, only the last six fields are shown and editable:
#Changing user information for john.
Shell: /bin/sh
Full Name: John Valley
Office Location:
Office Phone:
Home Phone:
Other information:
~
How to Change User Password?
Using the passwd command, any user can change their own password. Before accepting a new password, the command asks for the current one, to prevent accidental or unauthorized changes:
% passwd
Changing local password for john.
Old password:
New password:
Retype new password:
passwd: updating the database...
passwd: done
The superuser may change any user's password by running passwd with that username. When run as the superuser, the command does not ask for the user's current password, which lets the administrator reset the password of a user who has forgotten it:
# passwd john
Changing local password for john.
New password:
Retype new password:
passwd: updating the database...
passwd: done
How to Create, Remove, Modify and Display System Users and Groups?
The pw utility creates, removes, modifies and displays users and groups. It is a front end to the system's user and group files. pw has a rich set of command line options that make it well suited to shell scripts, although newcomers may find it harder to use than the other commands. Running it without arguments prints its usage:
# pw
usage:
pw [user|group|lock|unlock] [add|del|mod|show|next] [help|switches/values]
How to Manage Groups?
A group is a list of users, identified by a group name and a GID. In FreeBSD, the kernel uses the UID of a process and the list of groups it belongs to in order to determine what the process is allowed to do; the GID of a user or process usually means the first group in that list.
The group name to GID mapping is kept in /etc/group, a plain text file with four colon-delimited fields: the group name, the encrypted group password (normally *, meaning none), the GID, and a comma-delimited list of members.
The superuser can edit /etc/group with a text editor, although using vigr is preferred because it catches common mistakes. Alternatively, pw can be used to create and modify groups. To add a group called ourgroup, run:
pw groupadd ourgroup
To view the group called ourgroup, run:
pw groupshow ourgroup
The output is similar to the following:
ourgroup:*:1004:
In this example, 1004 is the GID of ourgroup, which currently has no members. To add john as a member of ourgroup, run:
pw groupmod ourgroup -M john
The argument to -M is a comma-separated list of users that becomes the group's member list, replacing any existing members. This membership is separate from, and in addition to, the user's primary group in the password file. A user whose primary group is ourgroup therefore does not appear in the output of pw groupshow, but does appear when the membership is queried with id or a similar tool. When pw adds a user to a group, it only edits /etc/group and does not consult /etc/passwd.
Viewing the group again:
pw groupshow ourgroup
now shows the new member:
ourgroup:*:1004:john
In the following example, the argument to -m is a comma-delimited list of users to add to the group. Unlike -M, -m appends to the existing member list instead of replacing it:
pw groupmod ourgroup -m db
Viewing the group once more:
pw groupshow ourgroup
ourgroup:*:1004:john,db
To determine the group membership of a user account, use the id command. For example, to see john's groups, run:
id john
The output is similar to the following:
uid=1002(john) gid=1002(john) groups=1002(john),0(wheel),1004(ourgroup)
In this example, john is a member of the groups john (the primary group), wheel and ourgroup.
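The caveat above (pw groupshow lists only the explicit members recorded in /etc/group, while primary-group membership lives in /etc/passwd) matters whenever you audit who can read a group-owned file. The following script is an added example, not code from FreeBSD or the Handbook: it resolves the effective membership of a group by joining both files. The variable names GROUP_FILE and PASSWD_FILE, the sample users db and alice, and the small constructed copies of the two files it runs against are assumptions made for the example; point the two variables at the real /etc/group and /etc/passwd to audit a live system.

```shell
#!/bin/sh
# Effective group membership = explicit members in group(5) + accounts whose
# primary GID in passwd(5) is the group's GID.  Added example, not FreeBSD code.
# "pw groupshow" and the fourth field of /etc/group show only the first set.

GROUP_FILE=${GROUP_FILE:-/etc/group}
PASSWD_FILE=${PASSWD_FILE:-/etc/passwd}

# Print the GID of a group, or fail when the group does not exist.
group_gid() {
    awk -F: -v g="$1" '$1 == g { print $3; found = 1 } END { exit !found }' "$GROUP_FILE"
}

# Explicit (secondary) members from the fourth field of group(5), one per line.
explicit_members() {
    awk -F: -v g="$1" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$GROUP_FILE"
}

# Accounts whose primary GID is this group's GID; invisible to pw groupshow.
primary_members() {
    gid=$(group_gid "$1") || return 1
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$PASSWD_FILE"
}

# Union of both sets, sorted and de-duplicated; fails for an unknown group.
effective_members() {
    group_gid "$1" >/dev/null || { echo "effective_members: no such group '$1'" >&2; return 1; }
    { explicit_members "$1"; primary_members "$1"; } | sort -u
}

# Constructed sample files for the demo; the users echo the tutorial above.
DEMO=$(mktemp -d)
cat >"$DEMO/group" <<'EOF'
wheel:*:0:root,alp,john
john:*:1002:
ourgroup:*:1004:john,db
EOF
cat >"$DEMO/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/sh
alp:*:1001:1001:Alp:/home/alp:/bin/sh
john:*:1002:1002:John Valley:/home/john:/bin/sh
db:*:1005:1004:Database service:/nonexistent:/usr/sbin/nologin
alice:*:1003:1004:Alice Example:/home/alice:/bin/sh
EOF
GROUP_FILE=$DEMO/group
PASSWD_FILE=$DEMO/passwd

# alice never appears in "pw groupshow ourgroup", yet she can read its files.
echo "explicit:  $(explicit_members ourgroup | tr '\n' ' ')"
echo "effective: $(effective_members ourgroup | tr '\n' ' ')"
```

In the sample, alice has ourgroup as her primary group and is therefore missing from the explicit list but present in the effective one; that is exactly the user a review of /etc/group alone would miss.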
How to Add a User to a Group by Replacing Existing Membership?
To set an existing user's secondary groups, replacing whatever secondary memberships they currently have, run:
pw usermod username -G grouplist
The -G option sets the user's complete list of secondary groups; any group not named is removed from the user's membership. This list is separate from the primary group, and the same group should not be both primary and secondary. For example, the following command makes ftpusers john's only secondary group, removing him from wheel and ourgroup:
pw usermod john -G ftpusers
To make john a member of the secondary groups ftpusers and wwwusers (again replacing the previous list), run:
pw usermod john -G ftpusers,wwwusers
To add a single group without touching the others, use pw groupmod group -m username as shown earlier.
How to View Groups?
The /etc/group file lists every group with its GID and explicit members. To see the list, run:
less /etc/group
The output is similar to the following:
# $FreeBSD$
#
wheel:*:0:root,alp,john
daemon:*:1:
kmem:*:2:
sys:*:3:
tty:*:4:
operator:*:5:root
mail:*:6:
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
ftp:*:14:
staff:*:20:
sshd:*:22:
smmsp:*:25:
mailnull:*:26:
guest:*:31:
video:*:44:
realtime:*:47:
idletime:*:48:
bind:*:53:
unbound:*:59:
proxy:*:62:
authpf:*:63:
_pflogd:*:64:
_dhcp:*:65:
uucp:*:66:
dialer:*:68:
network:*:69:
audit:*:77:
www:*:80:
ntpd:*:123:
_ypldap:*:160:
hast:*:845:
tests:*:977:
nogroup:*:65533:
nobody:*:65534:
alp:*:1001:
git_daemon:*:964:
cyrus:*:60:
mysql:*:88:
messagebus:*:556:
john:*:1002:
alice:*:1003:
ourgroup:*:1004:john,alp
How to Grant Sudo Privileges?
Like other Unix-like operating systems, FreeBSD can use the sudo command to let users run commands with superuser privileges, or as another user. sudo is not part of the base system: install it from the security/sudo package or port. We will show how to give a standard user the ability to run commands as root.
The /usr/local/etc/sudoers file installed by the package contains the following two rules for the wheel group, both commented out:
%wheel ALL=(ALL:ALL) ALL
%wheel ALL=(ALL:ALL) NOPASSWD: ALL
Enable exactly one of them with visudo, which checks the syntax before saving and so cannot leave you with an unparseable sudoers file. Prefer the first: it requires the user to re-enter their own password, so an unattended terminal or a hijacked session does not hand out root for free. With NOPASSWD, every wheel member's login session is effectively a root shell. Once a rule is enabled, adding a user to wheel grants them sudo. Use pw groupmod (replace alice with the username):
pw groupmod wheel -m alice
This command appends alice to the wheel group's member list in /etc/group, which also lets her use su. Group membership is read at login, so the change takes effect at her next session.
How to Disable/Lock a User Account?
To disable a user's access to the system without deleting their account data or home directory, lock the account. The simplest way is the pw lock command with the username as its argument:
pw lock username
This works by prefixing the password hash in the user's /etc/master.passwd entry with *LOCKED*. No password can match the altered field, so the user cannot log in until the account is unlocked:
john:*LOCKED*$6$w0oAB5PyvLqWMWeM$R2R85he9H4KsqpSRLNPyVPr1N.g47y2JRWUEQMJ4P3schCR42CKne8brlxk456rtvCmaJds0ar0SdqbmYoee30:1002:1002::0:0:John Valley:/home/john:/bin/sh
Locking blocks new logins only. Sessions that are already open and the user's cron jobs keep running; terminate them separately if access must end immediately.
How to Enable/Unlock a User Account?
To re-enable a user who was disabled with pw lock, use the pw unlock command:
pw unlock username
This command removes the *LOCKED* prefix from the user's entry in /etc/master.passwd, if present, restoring the original password hash.
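Locked, expired and passwordless entries all live in /etc/master.passwd (fields name:password:uid:gid:class:change:expire:gecos:home_dir:shell), so checking account state across a system comes down to parsing that file. The following script is an added example, not FreeBSD code: it classifies each entry's password field, and flags accounts with an empty password, accounts whose expiry date has passed but which were never locked, and any second UID 0 account that still has a usable password hash (FreeBSD's stock toor has * in that field and is not flagged). The sample file, its placeholder hashes and the fixed timestamp are constructed for the example; as root, run audit against /etc/master.passwd with the current time.

```shell
#!/bin/sh
# Audit account state in master.passwd(5).  Added example, not FreeBSD code.
# Record layout: name:password:uid:gid:class:change:expire:gecos:home_dir:shell
# "expire" is seconds since the epoch, 0 meaning never.

mp_field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# Classify the password field the way login would treat it.
account_state() {
    hash=$(mp_field "$1" 2)
    case "$hash" in
        '*LOCKED*'*) echo locked ;;            # pw lock prefix: nothing can match
        '*')         echo no-password-login ;; # service accounts, stock toor
        '')          echo empty-password ;;    # anyone gets in by pressing Enter
        *)           echo active ;;
    esac
}

# True when the record carries an expiry date that is already in the past.
is_expired() {
    expire=$(mp_field "$1" 7)
    [ -n "$expire" ] && [ "$expire" -ne 0 ] && [ "$expire" -lt "$2" ]
}

# Print "name finding" for every entry that needs attention.  $1 file, $2 now.
audit() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        name=$(mp_field "$line" 1)
        uid=$(mp_field "$line" 3)
        state=$(account_state "$line")
        if [ "$state" = empty-password ]; then
            echo "$name empty-password"
        fi
        if [ "$state" != locked ] && is_expired "$line" "$2"; then
            echo "$name expired-but-not-locked"
        fi
        if [ "$uid" -eq 0 ] && [ "$name" != root ] && [ "$state" = active ]; then
            echo "$name uid-0-with-password"
        fi
    done <"$1"
}

# Constructed sample; the hashes are placeholders, not real password hashes.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# $FreeBSD$
root:$6$placeholder$root:0:0::0:0:Charlie &:/root:/bin/sh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
svc:$6$placeholder$svc:0:0::0:0:Second root:/root:/bin/sh
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
john:*LOCKED*$6$placeholder$john:1002:1002::0:0:John Valley:/home/john:/bin/sh
alice:$6$placeholder$alice:1003:1003::0:0:Alice Example:/home/alice:/bin/sh
bob::1006:1006::0:0:Bob Example:/home/bob:/bin/sh
carol:$6$placeholder$carol:1007:1007::0:1600000000:Carol Example:/home/carol:/bin/sh
EOF

# Fixed "now" so the demo is reproducible; use "$(date +%s)" on a live system.
audit "$SAMPLE" 1700000000
```

Against the sample this reports svc (a second root with a real hash), bob (empty password) and carol (expired but never locked); john is locked and silent, and toor is ignored because its * field already forbids password login.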