FreeBSD Basics

Adding Users to FreeBSD

01/03/2001

So far in this series, we've looked at the basics of setting up a FreeBSD system, navigating the system, and understanding some of the internal structures of FreeBSD. In the next few articles, I want to concentrate on basic system administration tasks.

FreeBSD is a multiuser environment; one of the main tasks of a system administrator is to create user accounts and provide a secure environment for users to do their work in. To accomplish this effectively requires some pre-planning before any users are created.

Even if you are the only user on your home-based FreeBSD system, you will still need to create at least one user account to do your regular work in. Remember, you only use the superuser account for tasks that require superuser permissions.

It is a good idea to practice planning like an administrator on your own FreeBSD system, as you will gain the skills that will be essential when you begin to administer in a "real" production environment.


A lot of stuff happens in the background when you create a user: Several databases are updated, a mail folder is created, and a home directory for the user is created. When you create the user, you will have to supply a fair amount of information, including the username and password. In this week's article, I want to concentrate on user policies and creating user accounts.

Every user account you create must have a unique name across your FreeBSD system. This is easy to accomplish in a small environment, but a little harder to manage if you have to create dozens, hundreds, or even thousands of users. To help ensure uniqueness, you should have a user naming policy. If there is no existing policy in place and you need to create a naming scheme, keep in mind that there are a few restrictions on user names. First, they are limited to 16 characters, and some protocols, such as NIS, require a user name limit of 8 characters. Second, they cannot begin with the hyphen character "-". And third, you should avoid the use of capital letters and periods as these may confuse some mail programs.

An example policy in a small environment would be to create user names using the first name and last initial of the user. You might have to modify this slightly to avoid conflicts. For example, if you needed to create accounts for Mike Smith and Mike Spencer, you could create "mikes" and "michaels" or "mikesm" and "mikesp."

Another policy would be to create user names using the last name and first initial of the user, with possible modifications to avoid conflicts. If you need to create accounts for Mark Smith and Michelle Smith, you could create "smithma" and "smithmi."

In a larger environment, you might want to use a certain number of characters for the first name and a certain number of characters for the last name. For example, if the policy is the first four characters of the user's first name followed by the first four characters of their last name, Mark Smith would become "marksmit" and Michelle Smith would become "michsmit." You'll still need a backup plan for users whose first or last names are shorter than the specified number of characters. For example, if I needed to create an account for My Lee using the above policy, I could create "my_lee".

Unless you are in an extremely small environment, it's wise to avoid non-descriptive nicknames such as the "biko" and "genisis" that I use on my home system.

To summarize, a good user naming policy is aware of the restrictions placed on usernames and has a contingency method to avoid naming conflicts.
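As an added illustration (not part of the column), here is a POSIX sh sketch of the four-plus-four policy with the restrictions and contingency rules described above; EXISTING is a constructed list of taken names, and a real script would read /etc/passwd instead:

```shell
#!/bin/sh
# Added example, not from the column: build a username under the
# "first four of the first name + first four of the last name" policy,
# check it against the restrictions listed above, and fall back to a
# numbered variant when the name is already in use.
# EXISTING is a constructed sample; a real script would read /etc/passwd.

EXISTING="root dlavigne marksmit"
MAXLEN=8          # the column's NIS-safe limit; FreeBSD itself allows 16

# check_username NAME: succeeds only if NAME meets the restrictions.
check_username() {
    name=$1
    [ ${#name} -ge 1 ] && [ ${#name} -le "$MAXLEN" ] || return 1
    case $name in
        -*)            return 1 ;;   # may not begin with a hyphen
        *[!a-z0-9_-]*) return 1 ;;   # no capitals, periods or other characters
    esac
}

# taken NAME: succeeds if NAME is already in EXISTING.
taken() {
    for u in $EXISTING; do [ "$u" = "$1" ] && return 0; done
    return 1
}

# gen_username FIRST LAST: prints the chosen username; fails if none fits.
gen_username() {
    first=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9' | cut -c1-4)
    last=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]' | tr -cd 'a-z0-9' | cut -c1-4)
    if [ ${#first} -lt 4 ] || [ ${#last} -lt 4 ]; then
        base="${first}_${last}"      # short names: the column's "my_lee" form
    else
        base="${first}${last}"       # the regular "marksmit" form
    fi
    check_username "$base" || return 1
    cand=$base; n=1
    while taken "$cand"; do          # contingency: trim and append a counter
        n=$((n + 1))
        cand="$(printf '%s\n' "$base" | cut -c1-$((MAXLEN - ${#n})))$n"
    done
    printf '%s\n' "$cand"
}
```

Because "marksmit" is already in the sample list, Mark Smith comes out as "marksmi2", which still fits the 8-character limit.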

Once you've decided on a naming scheme, you can create the user accounts using the adduser utility. This utility has a configuration file called /etc/adduser.conf, and it also reads a message file called /etc/adduser.message. These files aren't actually created until the first time you use the adduser utility. Follow along as I create a user; I'll use the -v (verbose) switch so we'll see all the possible prompts. You'll note that adduser will first create its configuration file, then it will use it as a template when creating the user.

adduser -v
You are not root!
    Oops. Looks like this is an administrative task that requires root permissions. Let's try this again (I'll indent my remarks):
su
Password:

adduser -v
/etc/adduser.conf: No such file or directory
    Notice that this is the first time I've run the "adduser" utility on this system; it does not have a configuration file yet.
Use option "-silent" 
if you don't want to see all warnings and questions.
Check /etc/shells
Check /etc/master.passwd
Check /etc/group
Enter your default shell: bash csh date no sh tcsh [sh]: tcsh
    The adduser script read the file /etc/shells, which contains the paths to all of the shells installed on the system, and then displayed the shells available for the user. Note that the default shell offered to users was the Bourne shell (sh), but I changed it to tcsh.
Your default shell is: tcsh -> /bin/tcsh
Enter your default HOME partition: [/home]: 
Copy dotfiles from: /usr/share/skel no [/usr/share/skel]: 
    We'll take a look at the /usr/share/skel directory once we've finished creating the user and see what happened when we accepted the default of copying the dotfiles from this directory.
Send message from file: /etc/adduser.message no 
[/etc/adduser.message]: 
Create "/etc/adduser.message"? (y/n) [y]: 
Use passwords (y/n) [y]: 
Write your configuration to /etc/adduser.conf? (y/n) [y]:
    Notice that adduser created the adduser.message and adduser.conf files in the /etc directory. Now it's ready to create our user:
Ok, let's go.
Don't worry about mistakes. 
I will give you the chance later to correct any input.
Enter username [a-z0-9_-]: dlavigne
Enter full name []: Dru Lavigne
Enter shell bash csh date no sh tcsh [tcsh]: 
Enter home directory (full path) [/home/dlavigne]: 
Uid [1000]: 
Enter login class: default []: 
Login group dlavigne [dlavigne]: 
Login group is "dlavigne". 
Invite dlavigne into other groups: guest no 
[no]: 
Enter password []: 
Enter password again []: 

Name:	  dlavigne
Password: ****
Fullname: Dru Lavigne
Uid:	  1000
Gid:	  1000 (dlavigne)
Class:	  
Groups:	  dlavigne 
HOME:     /home/dlavigne
Shell:	  /bin/tcsh
OK? (y/n) [y]: 
Added user "dlavigne"
Send message to "dlavigne" and: no root second_mail_address 
[no]: 

Dru Lavigne,
your account "dlavigne" was created.
Have fun!
See also chpass(1), finger(1), passwd(1)

Add anything to default message (y/n) [n]: 
Send message (y/n) [y]: 
Copy files from /usr/share/skel to /home/dlavigne
Add another user? (y/n) [y]: n
Goodbye!

Now that I've successfully created a user, I'll leave the superuser account. Let's log in as the new user, see what they have, and summarize what happened here:

login: dlavigne
Password:

pwd
/usr/home/dlavigne

ls -la

total 12
drwxr-xr-x 2 dlavigne dlavigne 512 Dec 30 11:21 ./
drwxr-xr-x 4 root     wheel    512 Dec 30 10:44 ../
-rw-r--r-- 1 dlavigne dlavigne 628 Dec 30 10:44 .cshrc
-rw-r--r-- 1 dlavigne dlavigne 299 Dec 30 10:44 .login
-rw-r--r-- 1 dlavigne dlavigne 160 Dec 30 10:44 .login_conf
-rw------- 1 dlavigne dlavigne 371 Dec 30 10:44 .mail_aliases
-rw-r--r-- 1 dlavigne dlavigne 331 Dec 30 10:44 .mailrc
-rw-r--r-- 1 dlavigne dlavigne 722 Dec 30 10:44 .profile
-rw------- 1 dlavigne dlavigne 276 Dec 30 10:44 .rhosts
-rw-r--r-- 1 dlavigne dlavigne 852 Dec 30 10:44 .shrc

You'll note that a home directory was created for the user and that it contains a lot of files that begin with a period or dot. Remember that dot-file directory mentioned when we used the adduser utility? Let's take a look at it now:

ls -l /usr/share/skel

total 10
drwxr-xr-x  2 root wheel 512 Dec  8 11:53 ./
drwxr-xr-x 26 root wheel 512 Nov 20 08:11 ../
-rw-r--r--  1 root wheel 628 Nov 20 07:01 dot.cshrc
-rw-r--r--  1 root wheel 299 Nov 20 07:01 dot.login
-rw-r--r--  1 root wheel 160 Nov 20 07:01 dot.login_conf
-rw-------  1 root wheel 371 Nov 20 07:01 dot.mail_aliases
-rw-r--r--  1 root wheel 331 Nov 20 07:01 dot.mailrc
-rw-r--r--  1 root wheel 722 Nov 20 07:01 dot.profile
-rw-------  1 root wheel 276 Nov 20 07:01 dot.rhosts
-rw-r--r--  1 root wheel 852 Nov 20 07:01 dot.shrc

Note that the eight files created in our new user's home directory were copied from the template files contained in this directory. Also note that only the superuser can edit the files contained in the skel directory. For example, if you wished all users to receive a customized shell prompt, the superuser could modify the /usr/share/skel/dot.cshrc file, which would then be copied to all users' home directories when you created the users. The superuser can also place any other dotfiles he wishes users to receive in the skel directory; for example, you can create a customized .xinitrc file for users.

Now let's take a look at the /etc/adduser.message file that was created by the adduser utility:

more /etc/adduser.message

#
# Message file for adduser(8)
#   comment: "#"
#   default variables: $name, $fullname, $password
#   other variables:  see /etc/adduser.conf after
#   line  "## DO NOT DELETE THIS LINE!"
#
$fullname,
your account "$name" was created.
Have fun!
See also chpass(1), finger(1), passwd(1)

Let's compare this to the message our new user received; I'll use the mail command to check this user's mail message:

login: dlavigne
Password:
You have mail.

mail
Mail version 8.1 6/6/93.  Type ? for help.
"/var/mail/dlavigne": 1 message 1 new
>N  1 genisis   Sat Dec 30 12:24  20/540   "Welcome"
& 1
Message 1:
From genisis Sat Dec 30 12:24:19 2000
Date: Sat, 30 Dec 2000 12:24:19 -0500 (EST)
From: User Genisis <genisis>
To: dlavigne
Subject: Welcome


Dru Lavigne,
your account "dlavigne" was created.
Have fun!
See also chpass(1), finger(1), passwd(1)

& ^D Saved 1 message in mbox
> ^D exit

You'll note that I was logged on as the user "genisis" before I became the superuser in order to use the adduser command. The message my new user received was the message contained in adduser.message with the actual values for the $fullname and $name variables inserted.

When we created the user, we were given the following option:

Add anything to default message (y/n) [n]:

If I create another user and type in y at this option, I'll receive this prompt:

Use "." or ^D alone on a line to finish your message

Whatever I type will be added to the default message sent to this particular user; however, it will not overwrite the /etc/adduser.message file I originally created. Let's try an example of this; I'll add a user called "test" and show just the output we're concerned with and "snip" the rest:

adduser

<snip>

Add anything to default message (y/n) [n]: y
Use "." or ^D alone on a line to finish your message.
Don't forget that every Friday is pizza day!
.
Send message (y/n) [y]: y

Now let's see what the mail message looks like for the user test:

login: test
Password:
You have mail.

mail
Mail version 8.1 6/6/93.  Type ? for help.
"/var/mail/test": 1 message 1 new
>N  1 genisis   Sat Dec 30 12:47  22/567   "Welcome"
& 1
Message 1:
From genisis Sat Dec 30 12:47:07 2000
Date: Sat, 30 Dec 2000 12:47:07 -0500 (EST)
From: User Genisis <genisis>
To: test
Subject: Welcome


test,
your account "test" was created.
Have fun!
See also chpass(1), finger(1), passwd(1)
Don't forget that every Friday is pizza day!

And let's see if our new message was added to the template file:

more /etc/adduser.message

#
# Message file for adduser(8)
#   comment: "#"
#   default variables: $name, $fullname, $password
#   other variables:  see /etc/adduser.conf after
#   line  "## DO NOT DELETE THIS LINE!"
#

$fullname,
your account "$name" was created.
Have fun!
See also chpass(1), finger(1), passwd(1)

It looks like only this user received the additional message, as we expected. I want to do one more example before we leave the adduser.message file. Let's say I want users to receive this additional information in their welcoming mail message:

If you have any problems, contact the administrator at admin@thiscompany.com

Try creating a user yourself and add this line to their message; you'll note that when you log in as that user, your additional line will be missing from their mail message. However, if you modify the message so it reads like this:

If you have any problems, contact the administrator at admin\@thiscompany.com

the user will receive the additional information. Notice that we had to escape the @ symbol with a backslash in order for it to be interpreted correctly.

Finally, let's take a look at the adduser.conf file that was created:

more /etc/adduser.conf

# /etc/adduser.conf - automatic generated by adduser(8)
#
# Note: adduser read *and* write this file
# You may change values, but don't add new things before the
# line "## DO NOT DELETE THIS LINE!"
# use password for new users
# defaultpasswd =  yes | no
defaultpasswd = yes

# copy dotfiles from this dir ("/usr/share/skel" or "no")
dotdir = "/usr/share/skel"

# send this file to new user 
# ("/etc/adduser.message" or "no")
send_message = "/etc/adduser.message"

# config file for adduser ("/etc/adduser.conf")
config = "/etc/adduser.conf"

# logfile ("/var/log/adduser" or "no")
logfile = "/var/log/adduser"

# default HOME directory ("/home")
home = "/home"

# List of directories where shells located
# path = ('/bin', '/usr/bin', '/usr/local/bin')
path = ('/bin', '/usr/bin', '/usr/local/bin')

# common shell list, first element has higher priority
# shellpref = ('bash', 'tcsh', 'ksh', 'csh', 'sh')
shellpref = ('csh', 'sh', 'bash', 'tcsh', 'ksh', 'no', 'date')

# defaultshell if not empty ("bash")
defaultshell = "tcsh"

# defaultgroup ('USER' for same as 
# username or any other valid group)
defaultgroup = USER

# defaultclass if not empty
defaultclass = ""

# new users get this uid (1000)
uid_start = "1000"

## DO NOT DELETE THIS LINE!
## your own variables, see /etc/adduser.message
## end

You'll note that this is a straightforward file containing the answers to the questions the adduser utility prompted us for. We'll get into default classes and UIDs next week when we take a closer look at the password databases. The only other new information you'll notice in this file is the location of the logfile for adduser. If I take a quick look at this file, I should see entries for when I created my users:

more /var/log/adduser

2000/12/30 12:24:18 dlavigne:*:1000:1000(dlavigne):Dru Lavigne
2000/12/30 12:47:06 test:*:1001:1001(test):test
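Here is an added example (not from the column or from adduser itself) that parses records in this log format and flags two things an administrator auditing account creation would want to catch: a UID handed out to more than one account, and a logged account that is no longer in the password file. Both inputs are constructed samples; a real run would read /var/log/adduser and /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the column or from adduser: audit records of the
# form "YYYY/MM/DD HH:MM:SS name:*:uid:gid(group):fullname" from the logfile
# shown above. Both inputs are constructed samples: the third log line
# reuses UID 1001 on purpose, and SAMPLE_PASSWD lacks "tester".

SAMPLE_LOG='2000/12/30 12:24:18 dlavigne:*:1000:1000(dlavigne):Dru Lavigne
2000/12/30 12:47:06 test:*:1001:1001(test):test
2001/01/02 09:15:42 tester:*:1001:1001(test):Second Tester'

SAMPLE_PASSWD='root:*:0:0:root:/root:/bin/csh
dlavigne:*:1000:1000:Dru Lavigne:/home/dlavigne:/bin/tcsh
test:*:1001:1001:test:/home/test:/bin/tcsh'

# adduser_records LOG: prints "name uid gid group date" for each record.
adduser_records() {
    printf '%s\n' "$1" | awk '{
        date = $1; rec = $0
        sub(/^[^ ]+ [^ ]+ /, "", rec)                 # drop the date and time
        if (split(rec, f, ":") < 5) next              # not an adduser record
        gid = f[4]; grp = f[4]
        sub(/\(.*/, "", gid)                          # "1000(dlavigne)" -> 1000
        sub(/^[^(]*\(/, "", grp); sub(/\).*/, "", grp)  # -> dlavigne
        print f[1], f[3], gid, grp, date
    }'
}

# duplicate_uids LOG: prints "uid: name name" for every UID handed out more
# than once, the usual sign of an old account number being reused.
duplicate_uids() {
    adduser_records "$1" | awk '
        { seen[$2] = (seen[$2] == "" ? $1 : seen[$2] " " $1) }
        END { for (u in seen) if (index(seen[u], " ")) print u ": " seen[u] }' | sort
}

# not_in_passwd LOG PASSWD: logged account names missing from the passwd
# text, i.e. accounts that were removed (or never finished) since creation.
not_in_passwd() {
    adduser_records "$1" | while read -r name rest; do
        printf '%s\n' "$2" | grep -q "^$name:" || printf '%s\n' "$name"
    done
}
```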

Next week, we'll take a look at the format of the databases that get updated when you create a user account.

Dru Lavigne is a network and systems administrator, IT instructor, author and international speaker. She has over a decade of experience administering and teaching Netware, Microsoft, Cisco, Checkpoint, SCO, Solaris, Linux, and BSD systems. A prolific author, she pens the popular FreeBSD Basics column for O'Reilly and is author of BSD Hacks and The Best of FreeBSD Basics.
