xref: /freebsd/usr.sbin/pw/pw.8 (revision d6f907dc7a4aab1976e3040243e0242717dc13cb) 
1d6f907dcSJoerg Wunsch.\" Copyright (c) 1996
2d6f907dcSJoerg Wunsch.\"	David L. Nugent.
3d6f907dcSJoerg Wunsch.\"	Password Maintenance
4d6f907dcSJoerg Wunsch.\"
5d6f907dcSJoerg Wunsch.\"	$Id: pw.8,v 1.3 1996/11/18 03:09:01 davidn Exp $
6d6f907dcSJoerg Wunsch.\"
7d6f907dcSJoerg Wunsch.Dd November 13, 1996
8d6f907dcSJoerg Wunsch.Dt PW 8
9d6f907dcSJoerg Wunsch.Os
10d6f907dcSJoerg Wunsch.Sh NAME
11d6f907dcSJoerg Wunsch.Nm pw
12d6f907dcSJoerg Wunsch.Nd create, remove and modify system users and groups
13d6f907dcSJoerg Wunsch.Sh SYNOPSIS
14d6f907dcSJoerg Wunsch.Nm pw
15d6f907dcSJoerg Wunsch.Ar useradd
16d6f907dcSJoerg Wunsch.Op name|uid
17d6f907dcSJoerg Wunsch.Op Fl C Ar config
18d6f907dcSJoerg Wunsch.Op Fl q
19d6f907dcSJoerg Wunsch.Op Fl n Ar name
20d6f907dcSJoerg Wunsch.Op Fl u Ar uid
21d6f907dcSJoerg Wunsch.Op Fl c Ar comment
22d6f907dcSJoerg Wunsch.Op Fl d Ar dir
23d6f907dcSJoerg Wunsch.Op Fl e Ar date
24d6f907dcSJoerg Wunsch.Op Fl p Ar date
25d6f907dcSJoerg Wunsch.Op Fl g Ar group
26d6f907dcSJoerg Wunsch.Op Fl G Ar grouplist
27d6f907dcSJoerg Wunsch.Op Fl m
28d6f907dcSJoerg Wunsch.Op Fl k Ar dir
29d6f907dcSJoerg Wunsch.Op Fl s Ar shell
30d6f907dcSJoerg Wunsch.Op Fl o
31d6f907dcSJoerg Wunsch.Op Fl L Ar class
32d6f907dcSJoerg Wunsch.Op Fl h Ar fd
33d6f907dcSJoerg Wunsch.Nm pw
34d6f907dcSJoerg Wunsch.Ar useradd
35d6f907dcSJoerg Wunsch.Op name|uid
36d6f907dcSJoerg Wunsch.Op Fl D
37d6f907dcSJoerg Wunsch.Op Fl C Ar config
38d6f907dcSJoerg Wunsch.Op Fl q
39d6f907dcSJoerg Wunsch.Op Fl b Ar dir
40d6f907dcSJoerg Wunsch.Op Fl e Ar days
41d6f907dcSJoerg Wunsch.Op Fl p Ar days
42d6f907dcSJoerg Wunsch.Op Fl g Ar group
43d6f907dcSJoerg Wunsch.Op Fl G Ar grouplist
44d6f907dcSJoerg Wunsch.Op Fl k Ar dir
45d6f907dcSJoerg Wunsch.Op Fl u Ar min,max
46d6f907dcSJoerg Wunsch.Op Fl i Ar min,max
47d6f907dcSJoerg Wunsch.Op Fl w Ar method
48d6f907dcSJoerg Wunsch.Op Fl s Ar shell
49d6f907dcSJoerg Wunsch.Nm pw
50d6f907dcSJoerg Wunsch.Ar userdel
51d6f907dcSJoerg Wunsch.Op name|uid
52d6f907dcSJoerg Wunsch.Op Fl n Ar name
53d6f907dcSJoerg Wunsch.Op Fl u Ar uid
54d6f907dcSJoerg Wunsch.Op Fl r
55d6f907dcSJoerg Wunsch.Nm pw
56d6f907dcSJoerg Wunsch.Ar usermod
57d6f907dcSJoerg Wunsch.Op name|uid
58d6f907dcSJoerg Wunsch.Op Fl C Ar config
59d6f907dcSJoerg Wunsch.Op Fl q
60d6f907dcSJoerg Wunsch.Op Fl n Ar name
61d6f907dcSJoerg Wunsch.Op Fl u Ar uid
62d6f907dcSJoerg Wunsch.Op Fl c Ar comment
63d6f907dcSJoerg Wunsch.Op Fl d Ar dir
64d6f907dcSJoerg Wunsch.Op Fl e Ar date
65d6f907dcSJoerg Wunsch.Op Fl p Ar date
66d6f907dcSJoerg Wunsch.Op Fl g Ar group
67d6f907dcSJoerg Wunsch.Op Fl G Ar grouplist
68d6f907dcSJoerg Wunsch.Op Fl l Ar name
69d6f907dcSJoerg Wunsch.Op Fl m
70d6f907dcSJoerg Wunsch.Op Fl k Ar dir
71d6f907dcSJoerg Wunsch.Op Fl s Ar shell
72d6f907dcSJoerg Wunsch.Op Fl L Ar class
73d6f907dcSJoerg Wunsch.Op Fl h Ar fd
74d6f907dcSJoerg Wunsch.Nm pw
75d6f907dcSJoerg Wunsch.Ar usershow
76d6f907dcSJoerg Wunsch.Op name|uid
77d6f907dcSJoerg Wunsch.Op Fl n Ar name
78d6f907dcSJoerg Wunsch.Op Fl u Ar uid
79d6f907dcSJoerg Wunsch.Op Fl F
80d6f907dcSJoerg Wunsch.Op Fl p
81d6f907dcSJoerg Wunsch.Op Fl a
82d6f907dcSJoerg Wunsch.Nm pw
83d6f907dcSJoerg Wunsch.Ar groupadd
84d6f907dcSJoerg Wunsch.Op group|gid
85d6f907dcSJoerg Wunsch.Op Fl C Ar config
86d6f907dcSJoerg Wunsch.Op Fl q
87d6f907dcSJoerg Wunsch.Op Fl n Ar group
88d6f907dcSJoerg Wunsch.Op Fl g Ar gid
89d6f907dcSJoerg Wunsch.Op Fl o
90d6f907dcSJoerg Wunsch.Op Fl h Ar fd
91d6f907dcSJoerg Wunsch.Nm pw
92d6f907dcSJoerg Wunsch.Ar groupdel
93d6f907dcSJoerg Wunsch.Op Fl n Ar name
94d6f907dcSJoerg Wunsch.Op Fl g Ar gid
95d6f907dcSJoerg Wunsch.Nm pw
96d6f907dcSJoerg Wunsch.Ar groupmod
97d6f907dcSJoerg Wunsch.Op Fl C Ar config
98d6f907dcSJoerg Wunsch.Op Fl q
99d6f907dcSJoerg Wunsch.Op Fl F
100d6f907dcSJoerg Wunsch.Op Fl n Ar name
101d6f907dcSJoerg Wunsch.Op Fl g Ar gid
102d6f907dcSJoerg Wunsch.Op Fl l Ar name
103d6f907dcSJoerg Wunsch.Op Fl h Ar fd
104d6f907dcSJoerg Wunsch.Nm pw
105d6f907dcSJoerg Wunsch.Ar groupshow
106d6f907dcSJoerg Wunsch.Op Fl n Ar name
107d6f907dcSJoerg Wunsch.Op Fl g Ar gid
108d6f907dcSJoerg Wunsch.Op Fl F
109d6f907dcSJoerg Wunsch.Op Fl p
110d6f907dcSJoerg Wunsch.Op Fl a
111d6f907dcSJoerg Wunsch.Sh DESCRIPTION
112d6f907dcSJoerg Wunsch.Nm pw
113d6f907dcSJoerg Wunschis a command-line based editor for the system
114d6f907dcSJoerg Wunsch.Em user
115d6f907dcSJoerg Wunschand
116d6f907dcSJoerg Wunsch.Em group
117d6f907dcSJoerg Wunschfiles, allowing the superuser and easy to use and standardised way of adding,
118d6f907dcSJoerg Wunschmodifying and removing users and groups.
119d6f907dcSJoerg WunschNote that
120d6f907dcSJoerg Wunsch.Nm pw
121d6f907dcSJoerg Wunschonly operates on the local user and group files; NIS users and groups must be
122d6f907dcSJoerg Wunschmaintained on the NIS server.
123d6f907dcSJoerg Wunsch.Nm pw
124d6f907dcSJoerg Wunschhandles updating the passwd, master.passwd, group and the secure and insecure
125d6f907dcSJoerg Wunschpassword database files, and must be run as root.
126d6f907dcSJoerg Wunsch.Pp
127d6f907dcSJoerg WunschThe first one or two keywords provided on
128d6f907dcSJoerg Wunsch.Xr pw 8 's
129d6f907dcSJoerg Wunschcommand line provide the context for the remainder of the arguments.
130d6f907dcSJoerg WunschOne of the keywords
131d6f907dcSJoerg Wunsch.Ar user
132d6f907dcSJoerg Wunschand
133d6f907dcSJoerg Wunsch.Ar group
134d6f907dcSJoerg Wunschmay be combined or provided separately with
135d6f907dcSJoerg Wunsch.Ar add ,
136d6f907dcSJoerg Wunsch.Ar del ,
137d6f907dcSJoerg Wunsch.Ar mod
138d6f907dcSJoerg Wunschor
139d6f907dcSJoerg Wunsch.Ar show ,
140d6f907dcSJoerg Wunschand may be specified in either order (ie. showuser, usershow, show user and user show
141d6f907dcSJoerg Wunschare all considered to be the same thing).
142d6f907dcSJoerg WunschThis flexiblity is useful for interactive scripts which call
143d6f907dcSJoerg Wunsch.Nm pw
144d6f907dcSJoerg Wunschfor the actual user and group database manipulation.
145d6f907dcSJoerg WunschFollowing these keywords, you may optionally specify the user or group name or numeric
146d6f907dcSJoerg Wunschid as an alternative to using the
147d6f907dcSJoerg Wunsch.Fl n Ar name ,
148d6f907dcSJoerg Wunsch.Fl u Ar uid ,
149d6f907dcSJoerg Wunsch.Fl g Ar gid
150d6f907dcSJoerg Wunschswitches.
151d6f907dcSJoerg Wunsch.Pp
152d6f907dcSJoerg WunschThe following flags are common to most modes of operation:
153d6f907dcSJoerg Wunsch.Pp
154d6f907dcSJoerg Wunsch.Bl -tag -width "-C config"
155d6f907dcSJoerg Wunsch.It Fl C Ar config
156d6f907dcSJoerg WunschBy default,
157d6f907dcSJoerg Wunsch.Nm pw
158d6f907dcSJoerg Wunschreads the file
159d6f907dcSJoerg Wunsch.Pa /etc/pw.conf
160d6f907dcSJoerg Wunschto obtain policy information on how new user accounts and groups are to be created,
161d6f907dcSJoerg Wunschand the
162d6f907dcSJoerg Wunsch.Fl c
163d6f907dcSJoerg Wunschoption overrides this to read a different file.
164d6f907dcSJoerg WunschMost of the contents in the configuration file may be overridden via command line
165d6f907dcSJoerg Wunschoptions, but it may be more useful to set up standard information for addition of
166d6f907dcSJoerg Wunschnew accounts in the configuration
167d6f907dcSJoerg Wunschfile.
168d6f907dcSJoerg Wunsch.It Fl q
169d6f907dcSJoerg WunschUse of this option causes
170d6f907dcSJoerg Wunsch.Nm pw
171d6f907dcSJoerg Wunschto suppress error messages, which may be useful in interactive environments where it
172d6f907dcSJoerg Wunschis preferable to interpret status codes returned by
173d6f907dcSJoerg Wunsch.Nm pw
174d6f907dcSJoerg Wunschrather than messing up a carefully formatted display.
175d6f907dcSJoerg Wunsch.El
176d6f907dcSJoerg Wunsch.Pp
177d6f907dcSJoerg Wunsch.Sh USER OPTIONS
178d6f907dcSJoerg WunschThe following options apply to the
179d6f907dcSJoerg Wunsch.Ar useradd ,
180d6f907dcSJoerg Wunschand
181d6f907dcSJoerg Wunsch.Ar usermod ,
182d6f907dcSJoerg Wunschcommands:
183d6f907dcSJoerg Wunsch.Pp
184d6f907dcSJoerg Wunsch.Bl -tag -width "-C config"
185d6f907dcSJoerg Wunsch.It Fl n Ar name
186d6f907dcSJoerg WunschSpecifies the user/account name.
187d6f907dcSJoerg Wunsch.It Fl u Ar uid
188d6f907dcSJoerg WunschSpecifies the user/account numeric id.
189d6f907dcSJoerg Wunsch.Pp
190d6f907dcSJoerg WunschUsually, you need only to provide one or the other of these options, as the account
191d6f907dcSJoerg Wunschname will imply the uid, and vice verca.
192d6f907dcSJoerg WunschAlso, you may provide either the account or userid immediately after the
193d6f907dcSJoerg Wunsch.Ar useradd ,
194d6f907dcSJoerg Wunsch.Ar userdel ,
195d6f907dcSJoerg Wunsch.Ar usermod
196d6f907dcSJoerg Wunschor
197d6f907dcSJoerg Wunsch.Ar usershow
198d6f907dcSJoerg Wunschkeyword on the command line without the need to use
199d6f907dcSJoerg Wunsch.Ql Fl n
200d6f907dcSJoerg Wunschor
201d6f907dcSJoerg Wunsch.Ql Fl u .
202d6f907dcSJoerg WunschThere are times, however, were you need to provide both.
203d6f907dcSJoerg WunschFor example, when changing the uid of an existing user with
204d6f907dcSJoerg Wunsch.Ar usermod ,
205d6f907dcSJoerg Wunschor overriding the default uid when creating a new account.
206d6f907dcSJoerg WunschIf you wish
207d6f907dcSJoerg Wunsch.Nm pw
208d6f907dcSJoerg Wunschto automatically allocate the uid to a new user on
209d6f907dcSJoerg Wunsch.Ar useradd ,
210d6f907dcSJoerg Wunschthen you should
211d6f907dcSJoerg Wunsch.Em not
212d6f907dcSJoerg Wunschuse the
213d6f907dcSJoerg Wunsch.Ql Fl u
214d6f907dcSJoerg Wunschswitch.
215d6f907dcSJoerg Wunsch.El
216d6f907dcSJoerg Wunsch.Pp
217d6f907dcSJoerg WunschOptions available with both
218d6f907dcSJoerg Wunsch.Ar useradd
219d6f907dcSJoerg Wunschand
220d6f907dcSJoerg Wunsch.Ar usermod
221d6f907dcSJoerg Wunschare:
222d6f907dcSJoerg Wunsch.Bl -tag -width "-G grouplist"
223d6f907dcSJoerg Wunsch.It Fl c Ar comment
224d6f907dcSJoerg WunschThis field sets the contents of the passwd GECOS field, which normally contains up
225d6f907dcSJoerg Wunschto four comma-separated fields containing the user's full name, office or location,
226d6f907dcSJoerg Wunschwork and home phone numbers.
227d6f907dcSJoerg WunschThese sub-fields are used by convention only, however, and are optional.
228d6f907dcSJoerg WunschIf this field is to contain spaces, you need to quote the comment itself with double
229d6f907dcSJoerg Wunschquotes
230d6f907dcSJoerg Wunsch.Ql \&" .
231d6f907dcSJoerg WunschAvoid using commas in this field as these are used as sub-field separators, and the
232d6f907dcSJoerg Wunschcolon
233d6f907dcSJoerg Wunsch.Ql \&:
234d6f907dcSJoerg Wunschcharacter also cannot be used as this is the field separator in the passwd file.
235d6f907dcSJoerg Wunsch.It Fl d Ar dir
236d6f907dcSJoerg WunschThis option sets the account's home directory.
237d6f907dcSJoerg WunschNormally, you will only use this if the home directory is to be different from the
238d6f907dcSJoerg Wunschdefault (which is determined from pw.conf, which specifies the base home directory
239d6f907dcSJoerg Wunsch- normally /home - with the account name as a subdirectory).
240d6f907dcSJoerg Wunsch.It Fl e Ar date
241d6f907dcSJoerg WunschSets the account's expiration date.
242d6f907dcSJoerg WunschFormat of the date is either a UNIX time in decimal, or a date in
243d6f907dcSJoerg Wunsch.Ql \& dd-mmm-yy[yy]
244d6f907dcSJoerg Wunschformat, where dd is the day, mmm is the month, either in numeric or alphabetic format
245d6f907dcSJoerg Wunsch('Jan', 'Feb' etc) and year is either a two or four digit year.
246d6f907dcSJoerg WunschThis option also accepts a relative date in the form
247d6f907dcSJoerg Wunsch.Ql \&+n[mhdwoy]
248d6f907dcSJoerg Wunschwhere
249d6f907dcSJoerg Wunsch.Ql \&n
250d6f907dcSJoerg Wunschis a decimal, octal (leading 0) or hexadecimal (leading 0x) digit followed by the
251d6f907dcSJoerg Wunschnumber of Minutes, Hours, Days, Weeks, mOnths or Years from the current date at
252d6f907dcSJoerg Wunschwhich the expiry date is to be set.
253d6f907dcSJoerg Wunsch.It Fl p Ar date
254d6f907dcSJoerg WunschSets the account's password expiration date.
255d6f907dcSJoerg WunschThis field is identical to the account expiration date option, except that it
256d6f907dcSJoerg Wunschapplies to forced password changes.
257d6f907dcSJoerg WunschThe same formats are accepted as with the account expiratino option.
258d6f907dcSJoerg Wunsch.It Fl g Ar group
259d6f907dcSJoerg WunschSets the account's primary group to the given group.
260d6f907dcSJoerg Wunsch.Ar group
261d6f907dcSJoerg Wunschmay be either the group name or its corresponding group id number.
262d6f907dcSJoerg Wunsch.It Fl G Ar grouplist
263d6f907dcSJoerg WunschSets the additional groups to which an account belongs.
264d6f907dcSJoerg Wunsch.Ar grouplist
265d6f907dcSJoerg Wunschis a comma-separated list or group names or group ids.
266d6f907dcSJoerg WunschWhen adding a user, the user's name is added to the group lists in
267d6f907dcSJoerg Wunsch.Pa /etc/group ,
268d6f907dcSJoerg Wunschand when editing a user, the user's name is also added to the group lists, and
269d6f907dcSJoerg Wunschremoved from any groups not specified in
270d6f907dcSJoerg Wunsch.Ar grouplist .
271d6f907dcSJoerg WunschNote: a user should not be added to their primary group in
272d6f907dcSJoerg Wunsch.Pa /etc/group .
273d6f907dcSJoerg WunschAlso, group membership changes do not take effect immediately for current logins,
274d6f907dcSJoerg Wunschonly logins subsequent to the change.
275d6f907dcSJoerg Wunsch.It Fl m
276d6f907dcSJoerg WunschThis option instructs
277d6f907dcSJoerg Wunsch.Nm pw
278d6f907dcSJoerg Wunschto attempt to create the user's home directory.
279d6f907dcSJoerg WunschWhile primarily useful when adding a new account with
280d6f907dcSJoerg Wunsch.Ar useradd ,
281d6f907dcSJoerg Wunschthis may also be of use when moving an existing user's home directory elsewhere on
282d6f907dcSJoerg Wunschthe filesystem.
283d6f907dcSJoerg WunschThe new home directory is populated with the contents of the
284d6f907dcSJoerg Wunsch.Ar skeleton
285d6f907dcSJoerg Wunschdirectory, which typically contains a set of shell configuration files that the
286d6f907dcSJoerg Wunschuser may personalise to taste.
287d6f907dcSJoerg WunschWhen
288d6f907dcSJoerg Wunsch.Ql Fl m
289d6f907dcSJoerg Wunschis used on an account with
290d6f907dcSJoerg Wunsch.Ar usermod ,
291d6f907dcSJoerg Wunschany existing configuration files in the user's home directory are
292d6f907dcSJoerg Wunsch.Em not
293d6f907dcSJoerg Wunschoverwritten with the prototype files.
294d6f907dcSJoerg Wunsch.Pp
295d6f907dcSJoerg WunschWhen a user's home directory is created, it will be default be as a subdirectory of the
296d6f907dcSJoerg Wunsch.Ar basehome
297d6f907dcSJoerg Wunschdirectory specified with the
298d6f907dcSJoerg Wunsch.Ql Fl b Ar dir
299d6f907dcSJoerg Wunschoption (see below), and will be named the same as the account.
300d6f907dcSJoerg WunschThis may be overridden with the
301d6f907dcSJoerg Wunsch.Ql Fl d Ar dir
302d6f907dcSJoerg Wunschoption on the command line, if desired.
303d6f907dcSJoerg Wunsch.It Fl k Ar dir
304d6f907dcSJoerg WunschSets the
305d6f907dcSJoerg Wunsch.Ar skeleton
306d6f907dcSJoerg Wunschsubdirectory, from which the basic startup and configuration files are copied when
307d6f907dcSJoerg Wunschthe user's home directory is created.
308d6f907dcSJoerg WunschThis option only has meaning when used with
309d6f907dcSJoerg Wunsch.Ql Fl D
310d6f907dcSJoerg Wunsch(see below) or
311d6f907dcSJoerg Wunsch.Ql Fl m .
312d6f907dcSJoerg Wunsch.It Fl s Ar shell
313d6f907dcSJoerg WunschSets or changes the user's login shell to
314d6f907dcSJoerg Wunsch.Ar shell .
315d6f907dcSJoerg WunschIf the path to the shell program is omitted,
316d6f907dcSJoerg Wunsch.Nm pw
317d6f907dcSJoerg Wunschsearches the
318d6f907dcSJoerg Wunsch.Ar shellpath
319d6f907dcSJoerg Wunschspecified in
320d6f907dcSJoerg Wunsch.Pa /etc/pw.conf
321d6f907dcSJoerg Wunschand fills it in as appropriate.
322d6f907dcSJoerg WunschNote that unless you have a specific reason to do so, you should avoid
323d6f907dcSJoerg Wunschspecifying the path - this will allow
324d6f907dcSJoerg Wunsch.Nm pw
325d6f907dcSJoerg Wunschto validate that the program exists and is executable.
326d6f907dcSJoerg WunschSpecifying a full path (or supplying a blank "" shell) avoids this check
327d6f907dcSJoerg Wunschand allows for such entries as
328d6f907dcSJoerg Wunsch.Ql \& /nonexistent
329d6f907dcSJoerg Wunschthat should be set for accounts not intended for interactive login.
330d6f907dcSJoerg Wunsch.It Fl L Ar class
331d6f907dcSJoerg WunschSets the
332d6f907dcSJoerg Wunsch.Em class
333d6f907dcSJoerg Wunschfield in the user's passwd record.
334d6f907dcSJoerg WunschThis field is not currently used, but will be in the future used to specify a
335d6f907dcSJoerg Wunsch.Em termcap
336d6f907dcSJoerg Wunschentry like tag (see
337d6f907dcSJoerg Wunsch.Xr passwd 5
338d6f907dcSJoerg Wunschfor details).
339d6f907dcSJoerg Wunsch.It Fl h Ar fd
340d6f907dcSJoerg WunschThis option provides a special interface by which interactive scripts can
341d6f907dcSJoerg Wunschset an account password using
342d6f907dcSJoerg Wunsch.Nm pw .
343d6f907dcSJoerg WunschBecause the command line and environment are fundamental insecure mechanisms
344d6f907dcSJoerg Wunschby which programs can accept information,
345d6f907dcSJoerg Wunsch.Nm pw
346d6f907dcSJoerg Wunschwill only allow setting of account and group passwords via a file descriptor
347d6f907dcSJoerg Wunsch(usually a pipe between an interactive script and the program).
348d6f907dcSJoerg Wunsch.Ar sh ,
349d6f907dcSJoerg Wunsch.Ar bash ,
350d6f907dcSJoerg Wunsch.Ar ksh
351d6f907dcSJoerg Wunschand
352d6f907dcSJoerg Wunsch.Ar perl
353d6f907dcSJoerg Wunschall posses mechanisms by which this can be done.
354d6f907dcSJoerg WunschAlternatively,
355d6f907dcSJoerg Wunsch.Nm pw
356d6f907dcSJoerg Wunschwill prompt for the user's password if
357d6f907dcSJoerg Wunsch.Ql Fl h Ar 0
358d6f907dcSJoerg Wunschis given, nominating
359d6f907dcSJoerg Wunsch.Em stdin
360d6f907dcSJoerg Wunschas the file descriptor on which to read the password.
361d6f907dcSJoerg WunschNote that this password will be read once and once only and is intended
362d6f907dcSJoerg Wunschfor use by a script or similar rather than interactive use.
363d6f907dcSJoerg WunschIf you wish to have new password confirmation along the lines of
364d6f907dcSJoerg Wunsch.Xr passwd 1 ,
365d6f907dcSJoerg Wunschthis must be implemented as part of the interactive script that calls
366d6f907dcSJoerg Wunsch.Nm pw .
367d6f907dcSJoerg Wunsch.Pp
368d6f907dcSJoerg WunschIf a value of
369d6f907dcSJoerg Wunsch.Ql \&-
370d6f907dcSJoerg Wunschis given as the argument
371d6f907dcSJoerg Wunsch.Ar fd ,
372d6f907dcSJoerg Wunschthen the password will be set to
373d6f907dcSJoerg Wunsch.Ql \&* ,
374d6f907dcSJoerg Wunschrendering the account inaccessible via passworded login.
375d6f907dcSJoerg Wunsch.El
376d6f907dcSJoerg Wunsch.Pp
377d6f907dcSJoerg WunschIt is possible to use
378d6f907dcSJoerg Wunsch.Ar useradd
379d6f907dcSJoerg Wunschto create a new account that duplicates an existing user id.
380d6f907dcSJoerg WunschWhile this is normally considered an error and will be rejected, the
381d6f907dcSJoerg Wunsch.Ql Fl o
382d6f907dcSJoerg Wunschswitch overrides the check for duplicates and allows the duplication of the user id.
383d6f907dcSJoerg WunschThis may be useful if you allow the same user to login under different contexts
384d6f907dcSJoerg Wunsch(different group allocations, different home directory, different shell) while
385d6f907dcSJoerg Wunschproviding basically the same permissions for access to the user's files in each
386d6f907dcSJoerg Wunschaccount.
387d6f907dcSJoerg Wunsch.Pp
388d6f907dcSJoerg WunschThe
389d6f907dcSJoerg Wunsch.Ar useradd
390d6f907dcSJoerg Wunschcommand also has the ability to set new user and group defaults by using the
391d6f907dcSJoerg Wunsch.Ql Fl D
392d6f907dcSJoerg Wunschswitch.
393d6f907dcSJoerg WunschInstead of adding a new user,
394d6f907dcSJoerg Wunsch.Nm pw
395d6f907dcSJoerg Wunschwrites a new set of defaults to its configuration file,
396d6f907dcSJoerg Wunsch.Pa /etc/pw.conf .
397d6f907dcSJoerg WunschWhen using the
398d6f907dcSJoerg Wunsch.Ql Fl D
399d6f907dcSJoerg Wunschswitch, you must not use either
400d6f907dcSJoerg Wunsch.Ql Fl n Ar name
401d6f907dcSJoerg Wunschor
402d6f907dcSJoerg Wunsch.Ql Fl u Ar uid
403d6f907dcSJoerg Wunschor an error will result.
404d6f907dcSJoerg WunschUse of
405d6f907dcSJoerg Wunsch.Ql Fl D
406d6f907dcSJoerg Wunschadds switches and changes the meaning of several command line switches in the
407d6f907dcSJoerg Wunsch.Ar useradd
408d6f907dcSJoerg Wunschcommand.
409d6f907dcSJoerg WunschThese are:
410d6f907dcSJoerg Wunsch.Bl -tag -width "-G grouplist"
411d6f907dcSJoerg Wunsch.It Fl D
412d6f907dcSJoerg WunschSet default values in
413d6f907dcSJoerg Wunsch.Pa /etc/pw.conf
414d6f907dcSJoerg Wunschconfiguration file, or a different named configuration file if the
415d6f907dcSJoerg Wunsch.Ql Fl C Ar config
416d6f907dcSJoerg Wunschswitch is used.
417d6f907dcSJoerg Wunsch.It Fl b Ar dir
418d6f907dcSJoerg WunschSets the root directory in which user home directories are created.
419d6f907dcSJoerg WunschThe default value for this is
420d6f907dcSJoerg Wunsch.Ql \&/home ,
421d6f907dcSJoerg Wunschbut it may be set elsewhere as desired.
422d6f907dcSJoerg Wunsch.It Fl e Ar days
423d6f907dcSJoerg WunschSets the default account expiration period in days.
424d6f907dcSJoerg WunschUnlike use without
425d6f907dcSJoerg Wunsch.Ql Fl D ,
426d6f907dcSJoerg Wunschthe argument must be numeric, which specifies the number of days after creation when
427d6f907dcSJoerg Wunschthe account is to expire.
428d6f907dcSJoerg WunschA value of 0 suppresses automatic calculation of the expiry date.
429d6f907dcSJoerg Wunsch.It Fl p Ar days
430d6f907dcSJoerg WunschSets the default password expiration period in days.
431d6f907dcSJoerg Wunsch.It Fl g Ar group
432d6f907dcSJoerg WunschSets the default group for new users.
433d6f907dcSJoerg WunschIf a blank group is specified using
434d6f907dcSJoerg Wunsch.Ql Fl g Ar \&"" ,
435d6f907dcSJoerg Wunschthen new users will be allocated their own private primary group (a new group created
436d6f907dcSJoerg Wunschwith the same name as their login name).
437d6f907dcSJoerg WunschIf a group is supplied, either its name or uid may be given as an argument.
438d6f907dcSJoerg Wunsch.It Fl G Ar grouplist
439d6f907dcSJoerg WunschSets the default groups in which new users are made members.
440d6f907dcSJoerg WunschThis is a separate set of groups from the primary group, and you should avoid
441d6f907dcSJoerg Wunschnominating the same group as both the primary and in extra groups.
442d6f907dcSJoerg WunschIn other words, these extra groups determine membership in groups
443d6f907dcSJoerg Wunsch.Em other than
444d6f907dcSJoerg Wunschthe primary group.
445d6f907dcSJoerg Wunsch.Ar grouplist
446d6f907dcSJoerg Wunschis a comma-separated list of group names or ids, or a mixture of both, and are always
447d6f907dcSJoerg Wunschstored in
448d6f907dcSJoerg Wunsch.Pa /etc/pw.conf
449d6f907dcSJoerg Wunschby their symbolic names.
450d6f907dcSJoerg Wunsch.It Fl k Ar dir
451d6f907dcSJoerg WunschSets the default
452d6f907dcSJoerg Wunsch.Em skeleton
453d6f907dcSJoerg Wunschdirectory, from which prototype shell and other initialisation files are copied when
454d6f907dcSJoerg Wunsch.Nm pw
455d6f907dcSJoerg Wunschcreates a user's home directory.
456d6f907dcSJoerg Wunsch.It Fl u Ar min,max
457d6f907dcSJoerg Wunsch.It Fl i Ar min,max
458d6f907dcSJoerg WunschThese switches set the minimum and maximum user and group ids allocated for new accounts
459d6f907dcSJoerg Wunschand groups created by
460d6f907dcSJoerg Wunsch.Nm pw .
461d6f907dcSJoerg WunschThe default values for each is 1000 minimum and 32000 maximum.
462d6f907dcSJoerg Wunsch.Ar min
463d6f907dcSJoerg Wunschand
464d6f907dcSJoerg Wunsch.Ar max
465d6f907dcSJoerg Wunschare both numbers, where max must be greater than min, and both must be between 0
466d6f907dcSJoerg Wunschand 32767.
467d6f907dcSJoerg WunschIn general, user and group ids less than 100 are reserved for use by the system,
468d6f907dcSJoerg Wunschand numbers greater than 32000 may also be reserved for special purposes (used by
469d6f907dcSJoerg Wunschsome system daemons).
470d6f907dcSJoerg Wunsch.It Fl w Ar method
471d6f907dcSJoerg WunschThe
472d6f907dcSJoerg Wunsch.Ql Fl w
473d6f907dcSJoerg Wunschswitch sets the default method used to set passwords for newly created user accounts.
474d6f907dcSJoerg Wunsch.Ar method
475d6f907dcSJoerg Wunschis one of:
476d6f907dcSJoerg Wunsch.Pp
477d6f907dcSJoerg Wunsch.Bl -tag -width random -offset indent -compact
478d6f907dcSJoerg Wunsch.It no
479d6f907dcSJoerg Wunschdisables login on newly created accounts
480d6f907dcSJoerg Wunsch.It yes
481d6f907dcSJoerg Wunschforces the password to be the account name
482d6f907dcSJoerg Wunsch.It none
483d6f907dcSJoerg Wunschforces a blank password
484d6f907dcSJoerg Wunsch.It random
485d6f907dcSJoerg WunschGenerates a random password
486d6f907dcSJoerg Wunsch.El
487d6f907dcSJoerg Wunsch.Pp
488d6f907dcSJoerg WunschThe
489d6f907dcSJoerg Wunsch.Ql \&random
490d6f907dcSJoerg Wunschor
491d6f907dcSJoerg Wunsch.Ql \&no
492d6f907dcSJoerg Wunschmethods are the most secure; in the former case,
493d6f907dcSJoerg Wunsch.Nm pw
494d6f907dcSJoerg Wunschgenerates a password and prints it to stdout, which is suitable where you issue
495d6f907dcSJoerg Wunschusers with passwords to access their accounts rather than having the user nominate
496d6f907dcSJoerg Wunschtheir own (possibly poorly chosen) password.
497d6f907dcSJoerg WunschThe
498d6f907dcSJoerg Wunsch.Ql \&no
499d6f907dcSJoerg Wunschmethod requires that the superuser use
500d6f907dcSJoerg Wunsch.Xr passwd 1
501d6f907dcSJoerg Wunschto render the account accessible with a password.
502d6f907dcSJoerg Wunsch.El
503d6f907dcSJoerg Wunsch.Pp
504d6f907dcSJoerg WunschThe
505d6f907dcSJoerg Wunsch.Ar userdel
506d6f907dcSJoerg Wunschcommand has only three valid switches. The
507d6f907dcSJoerg Wunsch.Ql Fl n Ar name
508d6f907dcSJoerg Wunschand
509d6f907dcSJoerg Wunsch.Ql Fl u Ar uid
510d6f907dcSJoerg Wunschswitches have already been covered above.
511d6f907dcSJoerg WunschThe additional switch is:
512d6f907dcSJoerg Wunsch.Bl -tag -width flag
513d6f907dcSJoerg Wunsch.It Fl r
514d6f907dcSJoerg WunschThis tells
515d6f907dcSJoerg Wunsch.Nm pw
516d6f907dcSJoerg Wunschto remove the user's home directory and all of its contents.
517d6f907dcSJoerg Wunsch.Nm pw
518d6f907dcSJoerg Wunscherrs on the side of caution when removing files from the system.
519d6f907dcSJoerg WunschFirstly, it will not do so if the uid of the account being removed is also used by
520d6f907dcSJoerg Wunschanother account on the system, and the 'home' directory in the password file is
521d6f907dcSJoerg Wunscha valid path that commences with the character
522d6f907dcSJoerg Wunsch.Ql \&/ .
523d6f907dcSJoerg WunschSecondly, it will only remove files and directories that are actually owned by
524d6f907dcSJoerg Wunschthe user, or symbolic links owned by anyone under the user's home directory.
525d6f907dcSJoerg WunschFinally, after deleting all contents owned by the user only empty directories
526d6f907dcSJoerg Wunschwill be removed.
527d6f907dcSJoerg WunschIf any additional cleanup work is required, this is left to the adminstrator.
528d6f907dcSJoerg Wunsch.El
529d6f907dcSJoerg Wunsch.Pp
530d6f907dcSJoerg WunschMail spool files and crontabs are always removed when an account is deleted as these
531d6f907dcSJoerg Wunschare unconditionally attached to the user name.
532d6f907dcSJoerg WunschJobs queued for processing by
533d6f907dcSJoerg Wunsch.Ar at
534d6f907dcSJoerg Wunschare also removed if the user's uid is unique (not also used by another account on the
535d6f907dcSJoerg Wunschsystem).
536d6f907dcSJoerg Wunsch.Pp
537d6f907dcSJoerg WunschThe
538d6f907dcSJoerg Wunsch.Ar usershow
539d6f907dcSJoerg Wunschcommand allows viewing of an account in one of two formats.
540d6f907dcSJoerg WunschBy default, the format is identical to the format used in
541d6f907dcSJoerg Wunsch.Pa /etc/master.passwd
542d6f907dcSJoerg Wunschwith the password field replaced with a
543d6f907dcSJoerg Wunsch.Ql \&* .
544d6f907dcSJoerg WunschClass, account and password expiration fields will be blank or zero zero unless the user
545d6f907dcSJoerg Wunschrunning
546d6f907dcSJoerg Wunsch.Nm pw
547d6f907dcSJoerg Wunschhas root priviledges, as the secure password file where these reside is not accessible
548d6f907dcSJoerg Wunschto non-root users.
549d6f907dcSJoerg WunschIf the
550d6f907dcSJoerg Wunsch.Ql Fl p
551d6f907dcSJoerg Wunschswitch is used, then
552d6f907dcSJoerg Wunsch.Nm pw
553d6f907dcSJoerg Wunschoutputs the account details in a more human readable form.
554d6f907dcSJoerg WunschThe
555d6f907dcSJoerg Wunsch.Ql Fl a
556d6f907dcSJoerg Wunschswitch lists all users currently on file.
557d6f907dcSJoerg Wunsch.Pp
558d6f907dcSJoerg Wunsch.Sh GROUP OPTIONS
559d6f907dcSJoerg WunschThe
560d6f907dcSJoerg Wunsch.Ql Fl C Ar config
561d6f907dcSJoerg Wunschand
562d6f907dcSJoerg Wunsch.Ql Fl q
563d6f907dcSJoerg Wunschoptions (explained at the start of the previous section) are available with the
564d6f907dcSJoerg Wunsch.Ar groupadd
565d6f907dcSJoerg Wunschand
566d6f907dcSJoerg Wunsch.Ar groupmod
567d6f907dcSJoerg Wunschcommands.
568d6f907dcSJoerg WunschOther common options to all group-related commands are:
569d6f907dcSJoerg Wunsch.Bl -tag -width "-n name"
570d6f907dcSJoerg Wunsch.It Fl n Ar name
571d6f907dcSJoerg WunschSpecifies the group name.
572d6f907dcSJoerg Wunsch.It Fl g Ar gid
573d6f907dcSJoerg WunschSpecifies the group numeric id.
574d6f907dcSJoerg Wunsch.Pp
575d6f907dcSJoerg WunschAs with the account name and id fields, yo uwill usually only need to supply one of
576d6f907dcSJoerg Wunschthese, as the group name implies the uid and vice versa.
577d6f907dcSJoerg WunschYou will only need to use both when setting a specific group id against a new group
578d6f907dcSJoerg Wunschor when changing the uid of an existing group.
579d6f907dcSJoerg Wunsch.El
580d6f907dcSJoerg Wunsch.Pp
581d6f907dcSJoerg Wunsch.Ar groupadd
582d6f907dcSJoerg Wunschalso has a
583d6f907dcSJoerg Wunsch.Ql Fl o
584d6f907dcSJoerg Wunschoption that allows allocation of an existing group id to new group.
585d6f907dcSJoerg WunschThe default action is to reject an attempt to add a group, and this option overrides
586d6f907dcSJoerg Wunschthe check for duplicate group ids.
587d6f907dcSJoerg WunschThere is rarely any need to duplicate a group id.
588d6f907dcSJoerg Wunsch.Pp
589d6f907dcSJoerg WunschThe
590d6f907dcSJoerg Wunsch.Ar groupmod
591d6f907dcSJoerg Wunschcommand adds one additonal switch:
592d6f907dcSJoerg Wunsch.Pp
593d6f907dcSJoerg Wunsch.Bl -tag -width "-l name"
594d6f907dcSJoerg Wunsch.It Fl l Ar name
595d6f907dcSJoerg WunschThis option allows changing of an existing group name to
596d6f907dcSJoerg Wunsch.Ql \&name .
597d6f907dcSJoerg WunschThe new name must not already exist, and any attempt to duplicate an existing group
598d6f907dcSJoerg Wunschname will be rejected.
599d6f907dcSJoerg Wunsch.El
600d6f907dcSJoerg Wunsch.Pp
601d6f907dcSJoerg WunschOptions for
602d6f907dcSJoerg Wunsch.Ar groupshow
603d6f907dcSJoerg Wunschare the same as for
604d6f907dcSJoerg Wunsch.Ar usershow ,
605d6f907dcSJoerg Wunschwith the
606d6f907dcSJoerg Wunsch.Ql Fl g Ar gid
607d6f907dcSJoerg Wunschreplacing
608d6f907dcSJoerg Wunsch.Ql Fl u Ar uid
609d6f907dcSJoerg Wunschto specify the group id.
610d6f907dcSJoerg Wunsch.Pp
611d6f907dcSJoerg Wunsch.Sh NOTES
612d6f907dcSJoerg WunschFor a summary of options available with each command, you can use
613d6f907dcSJoerg Wunsch.Dl pw [command] help
614d6f907dcSJoerg WunschFor example,
615d6f907dcSJoerg Wunsch.Dl pw useradd help
616d6f907dcSJoerg Wunschlists all available options for the useradd operation.
617d6f907dcSJoerg Wunsch.Sh FILES
618d6f907dcSJoerg Wunsch.Bl -tag -width /etc/master.passwd.new -compact
619d6f907dcSJoerg Wunsch.It Pa /etc/master.passwd
620d6f907dcSJoerg WunschThe user database
621d6f907dcSJoerg Wunsch.It Pa /etc/passwd
622d6f907dcSJoerg WunschA Version 7 format password file
623d6f907dcSJoerg Wunsch.It Pa /etc/group
624d6f907dcSJoerg WunschThe group database
625d6f907dcSJoerg Wunsch.It Pa /etc/master.passwd.new
626d6f907dcSJoerg WunschTemporary copy of the master password file
627d6f907dcSJoerg Wunsch.It Pa /etc/passwd.new
628d6f907dcSJoerg WunschTemporary copy of the Version 7 password file
629d6f907dcSJoerg Wunsch.It Pa /etc/group.new
630d6f907dcSJoerg WunschTemporary copy of the group file
631d6f907dcSJoerg Wunsch.It Pa /etc/pw.conf
632d6f907dcSJoerg WunschPw default options file
633d6f907dcSJoerg Wunsch.El
634d6f907dcSJoerg Wunsch.Sh SEE ALSO
635d6f907dcSJoerg Wunsch.Xr pw.conf 5 ,
636d6f907dcSJoerg Wunsch.Xr passwd 1 ,
637d6f907dcSJoerg Wunsch.Xr chpass 1 ,
638d6f907dcSJoerg Wunsch.Xr passwd 5 ,
639d6f907dcSJoerg Wunsch.Xr group 5 ,
640d6f907dcSJoerg Wunsch.Xr pwd_mkdb 8 ,
641d6f907dcSJoerg Wunsch.Xr vipw 5
642d6f907dcSJoerg Wunsch.Sh HISTORY
643d6f907dcSJoerg Wunsch.Nm pw
644d6f907dcSJoerg Wunschwas written to mimick many of the options used in the Linux
645d6f907dcSJoerg Wunsch.Em shadow
646d6f907dcSJoerg Wunschsuite, but is modified for passwd and group fields specific to
647d6f907dcSJoerg Wunschthe BSD 4.4 operating system.
648d6f907dcSJoerg Wunsch
649