xref: /freebsd/usr.sbin/pw/pw.8 (revision 62ff619dcc3540659a319be71c9a489f1659e14a)
.\" Copyright (C) 1996
.\" David L. Nugent.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY DAVID L. NUGENT AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL DAVID L. NUGENT OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd April 3, 2022
.Dt PW 8
.Os
30.Sh NAME
31.Nm pw
32.Nd create, remove, modify & display system users and groups
33.Sh SYNOPSIS
34.Nm
35.Op Fl R Ar rootdir
36.Op Fl V Ar etcdir
37.Cm useradd
38.Oo Fl n Oc Ar name
39.Op Fl mNoPq
40.Op Fl C Ar config
41.Op Fl c Ar comment
42.Op Fl d Ar homedir
43.Op Fl e Ar accexpdate
44.Op Fl G Ar grouplist
45.Op Fl g Ar group
46.Op Fl H Ar fd
47.Op Fl h Ar fd
48.Op Fl k Ar skeldir
49.Op Fl L Ar class
50.Op Fl M Ar mode
51.Op Fl p Ar passexpdate
52.Op Fl s Ar shell
53.Op Fl u Ar uid
54.Op Fl w Ar passmethod
55.Op Fl Y Op Fl y Ar nispasswd
56.Nm
57.Op Fl R Ar rootdir
58.Op Fl V Ar etcdir
59.Cm useradd
60.Fl D
61.Op Fl q
62.Op Fl b Ar basehome
63.Op Fl C Ar config
64.Op Fl e Ar accexpdays
65.Op Fl G Ar grouplist
66.Op Fl g Ar group
67.Op Fl i Ar mingid , Ns Ar maxgid
68.Op Fl k Ar skeldir
69.Op Fl M Ar mode
70.Op Fl p Ar passexpdays
71.Op Fl s Ar shell
72.Op Fl u Ar minuid , Ns Ar maxuid
73.Op Fl w Ar passmethod
74.Op Fl Y Op Fl y Ar nispasswd
75.Nm
76.Op Fl R Ar rootdir
77.Op Fl V Ar etcdir
78.Cm userdel
79.Oo Fl n Oc Ar name Ns | Ns Oo Fl u Oc Ar uid
80.Op Fl r
81.Op Fl Y Op Fl y Ar nispasswd
82.Nm
83.Op Fl R Ar rootdir
84.Op Fl V Ar etcdir
85.Cm usermod
86.Oo Fl n Oc Ar name Ns | Ns Ar uid Oo Fl u Ar newuid Oc | Fl u Ar uid
87.Op Fl mNPq
88.Op Fl C Ar config
89.Op Fl c Ar comment
90.Op Fl d Ar homedir
91.Op Fl e Ar accexpdate
92.Op Fl k Ar skeldir
93.Op Fl G Ar grouplist
94.Op Fl g Ar group
95.Op Fl H Ar fd
96.Op Fl h Ar fd
97.Op Fl L Ar class
98.Op Fl l Ar newname
99.Op Fl M Ar mode
100.Op Fl p Ar passexpdate
101.Op Fl s Ar shell
102.Op Fl w Ar passmethod
103.Op Fl Y Op Fl y Ar nispasswd
104.Nm
105.Op Fl R Ar rootdir
106.Op Fl V Ar etcdir
107.Cm usershow
108.Oo Fl n Oc Ar name Ns | Ns Oo Fl u Oc Ar uid
109.Op Fl 7aFP
110.Nm
111.Op Fl R Ar rootdir
112.Op Fl V Ar etcdir
113.Cm usernext
114.Op Fl q
115.Op Fl C Ar config
116.Nm
117.Op Fl R Ar rootdir
118.Op Fl V Ar etcdir
119.Cm groupadd
120.Oo Fl n Oc Ar name
121.Op Fl oNPqY
122.Op Fl C Ar config
123.Op Fl g Ar gid
124.Op Fl H Ar fd
125.Op Fl h Ar fd
126.Op Fl M Ar members
127.Nm
128.Op Fl R Ar rootdir
129.Op Fl V Ar etcdir
130.Cm groupdel
131.Oo Fl n Oc Ar name Ns | Ns Oo Fl g Oc Ar gid
132.Op Fl Y
133.Nm
134.Op Fl R Ar rootdir
135.Op Fl V Ar etcdir
136.Cm groupmod
137.Oo Fl n Oc Ar name Ns | Ns Ar gid Oo Fl g Ar newgid Oc | Fl g Ar gid
138.Op Fl NPqY
139.Op Fl C Ar config
140.Op Fl d Ar oldmembers
141.Op Fl H Ar fd
142.Op Fl h Ar fd
143.Op Fl l Ar newname
144.Op Fl M Ar members
145.Op Fl m Ar newmembers
146.Nm
147.Op Fl R Ar rootdir
148.Op Fl V Ar etcdir
149.Cm groupshow
150.Oo Fl n Oc Ar name Ns | Ns Oo Fl g Oc Ar gid
151.Op Fl aFP
152.Nm
153.Op Fl R Ar rootdir
154.Op Fl V Ar etcdir
155.Cm groupnext
156.Op Fl C Ar config
157.Op Fl q
158.Nm
159.Op Fl R Ar rootdir
160.Op Fl V Ar etcdir
161.Cm lock
162.Oo Fl n Oc Ar name Ns | Ns Oo Fl u Oc Ar uid
163.Op Fl q
164.Op Fl C Ar config
165.Nm
166.Op Fl R Ar rootdir
167.Op Fl V Ar etcdir
168.Cm unlock
169.Oo Fl n Oc Ar name Ns | Ns Oo Fl u Oc Ar uid
170.Op Fl q
171.Op Fl C Ar config
.Sh DESCRIPTION
The
.Nm
utility is a command-line based editor for the system
.Ar user
and
.Ar group
files, allowing the superuser an easy to use and standardized way of adding,
modifying and removing users and groups.
Note that
.Nm
only operates on the local user and group files.
.Tn NIS
users and groups must be
maintained on the
.Tn NIS
server.
The
.Nm
utility handles updating the
.Xr passwd 5 ,
.Xr master.passwd 5 ,
.Xr group 5
and the secure and insecure
password database files, and must be run as root.
.Pp
The first one or two keywords provided to
.Nm
on the command line provide the context for the remainder of the arguments.
The keywords
.Cm user
and
.Cm group
may be combined with
.Cm add ,
.Cm del ,
.Cm mod ,
.Cm show ,
or
.Cm next
in any order.
(For example,
.Cm showuser ,
.Cm usershow ,
.Cm show user ,
and
.Cm user show
all mean the same thing.)
This flexibility is useful for interactive scripts calling
.Nm
for user and group database manipulation.
Following these keywords,
the user or group name or numeric id may be optionally specified as an
alternative to using the
.Fl n Ar name ,
.Fl u Ar uid ,
.Fl g Ar gid
options.
.Pp
The following flags are common to most or all modes of operation:
.Bl -tag -width "-G grouplist"
.It Fl R Ar rootdir
Specifies an alternate root directory within which
.Nm
will operate.
Any paths specified will be relative to
.Va rootdir .
.It Fl V Ar etcdir
Set an alternate location for the password, group, and configuration files.
Can be used to maintain a user/group database in an alternate location.
If this switch is specified, the system
.Pa /etc/pw.conf
will not be sourced for default configuration data,
but the file
.Pa pw.conf
in the specified directory will be used instead
.Pq or none, if it does not exist .
The
.Fl C
flag may be used to override this behaviour.
As an exception to the general rule where options must follow the operation
type, the
.Fl V
flag must be used on the command line before the operation keyword.
.It Fl C Ar config
By default,
.Nm
reads the file
.Pa /etc/pw.conf
to obtain policy information on how new user accounts and groups are to be created.
The
.Fl C
option specifies a different configuration file.
While most of the contents of the configuration file may be overridden via
command-line options, it may be more convenient to keep standard information in a
configuration file.
.It Fl q
Use of this option causes
.Nm
to suppress error messages,
which may be useful in interactive environments where it
is preferable to interpret status codes returned by
.Nm
rather than messing up a carefully formatted display.
.It Fl N
This option is available in
.Cm add
and
.Cm modify
operations, and tells
.Nm
to output the result of the operation without updating the user or group
databases.
You may use the
.Fl P
option to switch between standard passwd and readable formats.
.It Fl Y
Using this option with any of the update modes causes
.Nm
to run
.Xr make 1
after changing to the directory
.Pa /var/yp .
This is intended to allow automatic updating of
.Tn NIS
database files.
If separate passwd and group files are being used by
.Tn NIS ,
then use the
.Fl y Ar nispasswd
option to specify the location of the
.Tn NIS
passwd database so that
.Nm
will concurrently update it with the system password
databases.
.El
.Sh USER OPTIONS
The following options apply to the
.Cm useradd
and
.Cm usermod
commands:
.Bl -tag -width "-G grouplist"
.It Oo Fl n Oc Ar name
Required unless
.Fl u Ar uid
is given.
Specify the user/account name.
In the case of
.Cm usermod
can be a
.Ar uid .
.It Fl u Ar uid
Required if
.Ar name
is not given.
Specify the user/account numeric id.
In the case of
.Cm usermod
if paired with
.Ar name ,
changes the numeric id of the named user/account.
.Pp
Usually, only one of these options is required,
as the account name will imply the uid, or vice versa.
However, there are times when both are needed.
For example, when changing the uid of an existing user with
.Cm usermod ,
or overriding the default uid when creating a new account with
.Cm useradd .
To automatically allocate the uid to a new user with
.Cm useradd ,
do
.Em not
use the
.Fl u
option.
Either the account or userid can also be provided immediately after the
.Cm useradd ,
.Cm userdel ,
.Cm usermod ,
or
.Cm usershow
keywords on the command line without using the
.Fl n
or
.Fl u
options.
.El
.Bl -tag -width "-G grouplist"
.It Fl c Ar comment
This field sets the contents of the passwd GECOS field,
which normally contains up to four comma-separated fields containing the
user's full name, office or location,
and work and home phone numbers.
These sub-fields are used by convention only, however, and are optional.
If this field is to contain spaces,
the comment must be enclosed in double quotes
.Ql \&" .
Avoid using commas in this field as these are used as sub-field separators,
and the colon
.Ql \&:
character also cannot be used as this is the field separator for the passwd
file itself.
.It Fl d Ar homedir
This option sets the account's home directory.
Normally,
this is only used if the home directory is to be different from the
default determined from
.Pa /etc/pw.conf
- normally
.Pa /home
with the account name as a subdirectory.
.It Fl e Ar accexpdate
Set the account's expiration date.
Format of the date is either a UNIX time in decimal, or a date in
.Ql dd-mmm-yy[yy]
format, where dd is the day,
mmm is the month, either in numeric or alphabetic format
('Jan', 'Feb', etc) and year is either a two or four digit year.
This option also accepts a relative date in the form
.Ql \&+n[mhdwoy]
where
.Ql \&n
is a decimal,
octal (leading 0) or hexadecimal (leading 0x) digit followed by the
number of Minutes, Hours, Days, Weeks, Months or Years from the current date at
which the expiration date is to be set.
.It Fl p Ar passexpdate
Set the account's password expiration date.
This field is similar to the account expiration date option, except that it
applies to forced password changes.
This is set in the same manner as the
.Fl e
option.
.It Fl g Ar group
Set the account's primary group to the given group.
.Ar group
may be defined by either its name or group number.
.It Fl G Ar grouplist
Set secondary group memberships for an account.
.Ar grouplist
is a comma, space, or tab-separated list of group names or group numbers.
The user is added to the groups specified in
.Ar grouplist ,
and removed from all groups not specified.
The current login session is not affected by group membership changes,
which only take effect when the user reconnects.
Note: do not add a user to their primary group with
.Ar grouplist .
.It Fl L Ar class
This option sets the login class for the user being created.
See
.Xr login.conf 5
and
.Xr passwd 5
for more information on user login classes.
.It Fl m
This option instructs
.Nm
to attempt to create the user's home directory.
While primarily useful when adding a new account with
.Cm useradd ,
this may also be of use when moving an existing user's home directory elsewhere
on the file system.
The new home directory is populated with the contents of the
.Ar skeleton
directory, which typically contains a set of shell configuration files that the
user may personalize to taste.
Files in this directory are usually named
.Pa dot . Ns Aq Ar config
where the
.Pa dot
prefix will be stripped.
When
.Fl m
is used on an account with
.Cm usermod ,
existing configuration files in the user's home directory are
.Em not
overwritten from the skeleton files.
.Pp
When a user's home directory is created,
it will by default be a subdirectory of the
.Ar basehome
directory as specified by the
.Fl b
option, bearing the name of the new account.
This can be overridden by the
.Fl d
option on the command line, if desired.
.It Fl M Ar mode
Create the user's home directory with the specified
.Ar mode ,
modified by the current
.Xr umask 2 .
If omitted, it is derived from the parent process'
.Xr umask 2 .
This option is only useful in combination with the
.Fl m
flag.
.It Fl k Ar skeldir
Set the
.Ar skeleton
directory, from which basic startup and configuration files are copied when
the user's home directory is created.
This option only has meaning when used with the
.Fl d
or
.Fl m
flags.
.It Fl s Ar shell
Set or change the user's login shell to
.Ar shell .
If the path to the shell program is omitted,
.Nm
searches the
.Ar shellpath
specified in
.Pa /etc/pw.conf
and fills it in as appropriate.
Note that unless you have a specific reason to do so, you should avoid
specifying the path - this will allow
.Nm
to validate that the program exists and is executable.
Specifying a full path (or supplying a blank "" shell) avoids this check
and allows for such entries as
.Pa /nonexistent
that should be set for accounts not intended for interactive login.
.It Fl h Ar fd
This option provides a special interface by which interactive scripts can
set an account password using
.Nm .
Because the command line and environment are fundamentally insecure mechanisms
by which programs can accept information,
.Nm
will only allow setting of account and group passwords via a file descriptor
(usually a pipe between an interactive script and the program).
.Ar sh ,
.Ar bash ,
.Ar ksh
and
.Ar perl
all possess mechanisms by which this can be done.
Alternatively,
.Nm
will prompt for the user's password if
.Fl h Ar 0
is given, nominating
.Em stdin
as the file descriptor on which to read the password.
Note that this password will be read only once and is intended
for use by a script rather than for interactive use.
If you wish to have new password confirmation along the lines of
.Xr passwd 1 ,
this must be implemented as part of an interactive script that calls
.Nm .
.Pp
If a value of
.Ql \&-
is given as the argument
.Ar fd ,
then the password will be set to
.Ql \&* ,
rendering the account inaccessible via password-based login.
.It Fl H Ar fd
Read an encrypted password string from the specified file descriptor.
This is like
.Fl h ,
but the password should be supplied already encrypted in a form
suitable for writing directly to the password database.
.El
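.Pp
Added example, not part of the original manual page or of the pw sources:
an sh wrapper that implements the passwd(1)-style confirmation described under
.Fl h
and hands the password to
.Nm
on stdin instead of on the command line.
The function names and the PW_BIN override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the pw sources). PW_BIN, read_secret and
# set_user_password are names chosen for this sketch.
# Usage after sourcing this file, as root:  set_user_password gsmith
PW_BIN=${PW_BIN:-pw}

# read_secret VAR PROMPT
# Read one line from stdin into VAR. When stdin is a terminal, prompt on
# stderr and switch echo off for the duration of the read.
read_secret() {
    _rs_tty=0
    if [ -t 0 ]; then
        _rs_tty=1
        printf '%s' "$2" >&2
        _rs_saved=$(stty -g)
        trap 'stty "$_rs_saved"; exit 130' INT TERM
        stty -echo
    fi
    _rs_rc=0
    IFS= read -r _rs_val || _rs_rc=1
    if [ "$_rs_tty" -eq 1 ]; then
        stty "$_rs_saved"
        trap - INT TERM
        printf '\n' >&2
    fi
    eval "$1=\$_rs_val"
    return "$_rs_rc"
}

# set_user_password USER
# Ask twice, compare, then pipe the password to "pw usermod -h 0".
# Returns 65 (EX_DATAERR) on empty or mismatching input, else pw's status.
set_user_password() {
    _sp_user=$1
    read_secret _sp_p1 'New password: ' || return 65
    read_secret _sp_p2 'Retype new password: ' || return 65
    if [ -z "$_sp_p1" ]; then
        echo 'empty password refused' >&2
        return 65
    fi
    if [ "$_sp_p1" != "$_sp_p2" ]; then
        echo 'passwords do not match' >&2
        return 65
    fi
    # printf is a shell builtin, so the secret is never placed in any
    # process argument list; pw reads it once from fd 0 (the pipe).
    _sp_rc=0
    printf '%s\n' "$_sp_p1" | "$PW_BIN" usermod -n "$_sp_user" -h 0 || _sp_rc=$?
    unset _sp_p1 _sp_p2
    return "$_sp_rc"
}
```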
.Pp
It is possible to use
.Cm useradd
to create a new account that duplicates an existing user id.
While this is normally considered an error and will be rejected, the
.Fl o
option overrides the check for duplicates and allows the duplication of
the user id.
This may be useful if you allow the same user to login under
different contexts (different group allocations, different home
directory, different shell) while providing basically the same
permissions for access to the user's files in each account.
.Pp
The
.Cm useradd
command also has the ability to set new user and group defaults by using the
.Fl D
option.
Instead of adding a new user,
.Nm
writes a new set of defaults to its configuration file,
.Pa /etc/pw.conf .
When using the
.Fl D
option, you must not use either
.Fl n Ar name
or
.Fl u Ar uid
or an error will result.
Use of
.Fl D
changes the meaning of several command line switches in the
.Ar useradd
command.
These are:
.Bl -tag -width "-G grouplist"
.It Fl D
Set default values in
.Pa /etc/pw.conf
configuration file, or a different named configuration file if the
.Fl C Ar config
option is used.
.It Fl b Ar basehome
Set the root directory in which user home directories are created.
The default value for this is
.Pa /home ,
but it may be set elsewhere as desired.
.It Fl e Ar accexpdays
Set the default account expiration period in days.
When
.Fl D
is used, the
.Ar accexpdays
argument is interpreted differently.
It must be numeric and represents the number of days after creation
that the account expires.
A value of 0 suppresses automatic calculation of the expiry date.
.It Fl p Ar passexpdays
Set the default password expiration period in days.
When
.Fl D
is used, the
.Ar passexpdays
argument is interpreted differently.
It must be numeric and represents the number of days after creation
that the account expires.
A value of 0 suppresses automatic calculation of the expiry date.
.It Fl g Ar group
Set the default group for new users.
If a blank group is specified using
.Fl g Ar \&"" ,
then new users will be allocated their own private primary group
with the same name as their login name.
If a group is supplied, either its name or uid may be given as an argument.
.It Fl G Ar grouplist
Set the default groups in which new users are granted membership.
This is a separate set of groups from the primary group.
Avoid nominating the same group as both primary and extra groups.
In other words, these extra groups determine membership in groups
.Em other than
the primary group.
.Ar grouplist
is a comma-separated list of group names or ids, which are always
stored in
.Pa /etc/pw.conf
by their symbolic names.
.It Fl L Ar class
This option sets the default login class for new users.
.It Fl k Ar skeldir
Set the default
.Em skeleton
directory,
from which prototype shell and other initialization files are copied when
.Nm
creates a user's home directory.
See description of
.Fl k
for naming conventions of these files.
.It Xo
.Fl u Ar minuid Ns Cm \&, Ns Ar maxuid ,
.Fl i Ar mingid Ns Cm \&, Ns Ar maxgid
.Xc
Set the minimum and maximum user and group ids allocated for new
accounts and groups created by
.Nm .
The default values for each are 1000 minimum and 32000 maximum.
.Ar minuid
and
.Ar maxuid
are both numbers, where max must be greater than min,
and both must be between 0 and 32767
.Po the same applies to
.Ar mingid
and
.Ar maxgid
.Pc .
In general,
user and group ids less than 100 are reserved for use by the system,
and numbers greater than 32000 may also be reserved for special purposes
.Pq used by some system daemons .
.It Fl w Ar passmethod
The
.Fl w
option selects the default method used to set passwords for newly created user
accounts.
.Ar passmethod
is one of:
.Pp
.Bl -tag -width random -offset indent -compact
.It Cm no
disable login on newly created accounts
.It Cm yes
force the password to be the account name
.It Cm none
force a blank password
.It Cm random
generate a random password
.El
.Pp
The
.Cm random
or
.Cm no
methods are the most secure; in the former case,
.Nm
generates a password and prints it to stdout,
which is suitable when users are issued passwords rather than being allowed
to select their own
.Pq possibly poorly chosen
password.
The
.Cm no
method requires that the superuser use
.Xr passwd 1
to render the account accessible with a password.
.It Fl y Ar path
This sets the pathname of the database used by
.Tn NIS
if you are not sharing
the information from
.Pa /etc/master.passwd
directly with
.Tn NIS .
You should only set this option for
.Tn NIS
servers.
.El
.Pp
The
.Cm userdel
command has three distinct options.
The
.Fl n Ar name
and
.Fl u Ar uid
options have already been covered above.
The additional option is:
.Bl -tag -width "-G grouplist"
.It Fl r
This tells
.Nm
to remove the user's home directory and all of its contents.
The
.Nm
utility errs on the side of caution when removing files from the system.
Firstly,
it will not do so if the uid of the account being removed is also used by
another account on the system, and the
.Dq home
directory in the password file is
a valid path that commences with the character
.Ql \&/ .
Secondly, it will only remove files and directories that are actually owned by
the user, or symbolic links owned by anyone under the user's home directory.
Finally, after deleting all contents owned by the user only empty directories
will be removed.
If any additional cleanup work is required, this is left to the administrator.
.El
.Pp
Mail spool files and
.Xr crontab 5
files are always removed when an account is deleted as
these are unconditionally attached to the user name.
Jobs queued for processing by
.Xr at 1
are also removed if the user's uid is unique and not also used by another
account on the system.
.Pp
The
.Cm usermod
command adds one additional option:
.Bl -tag -width "-G grouplist"
.It Fl l Ar newname
This option allows changing of an existing account name to
.Ar newname .
The new name must not already exist, and any attempt to duplicate an
existing account name will be rejected.
.El
.Pp
The
.Cm usershow
command allows viewing of an account in one of two formats.
By default, the format is identical to the format used in
.Pa /etc/master.passwd
with the password field replaced with a
.Ql \&* .
If the
.Fl P
option is used, then
.Nm
outputs the account details in a more human readable form.
If the
.Fl 7
option is used, the account details are shown in v7 format.
The
.Fl a
option lists all users currently on file.
Using
.Fl F
forces
.Nm
to print the details of an account even if it does not exist.
.Pp
The command
.Cm usernext
returns the next available user and group ids separated by a colon.
This is normally of interest only to interactive scripts or front-ends
that use
.Nm .
.Sh GROUP OPTIONS
The
.Fl C
and
.Fl q
options (explained at the start of the previous section) are available
with the group manipulation commands.
Other common options to all group-related commands are:
.Bl -tag -width "-m newmembers"
.It Oo Fl n Oc Ar name
Required unless
.Fl g Ar gid
is given.
Specify the group name.
In the case of
.Cm groupmod
can be a gid.
.It Fl g Ar gid
Required if
.Ar name
is not given.
Specify the group numeric id.
In the case of
.Cm groupmod
if paired with
.Ar name ,
changes the numeric id of the named group.
.Pp
As with the account name and id fields, you will usually only need
to supply one of these, as the group name implies the uid and vice
versa.
You will only need to use both when setting a specific group id
against a new group or when changing the uid of an existing group.
.It Fl M Ar memberlist
This option provides an alternative way to add existing users to a
new group
.Pq in Cm groupadd
or replace an existing membership list
.Pq in Cm groupmod .
.Ar memberlist
is a comma separated list of valid and existing user names or uids.
.It Fl m Ar newmembers
Similar to
.Fl M ,
this option allows the
.Em addition
of existing users to a group without replacing the existing list of
members.
Login names or user ids may be used, and duplicate users are
silently eliminated.
.It Fl d Ar oldmembers
Similar to
.Fl M ,
this option allows the
.Em deletion
of existing users from a group without replacing the existing list of
members.
Login names or user ids may be used, and duplicate users are
silently eliminated.
.El
.Pp
.Cm groupadd
also has a
.Fl o
option that allows allocation of an existing group id to a new group.
The default action is to reject an attempt to add a group,
and this option overrides the check for duplicate group ids.
There is rarely any need to duplicate a group id.
.Pp
The
.Cm groupmod
command adds one additional option:
.Bl -tag -width "-m newmembers"
.It Fl l Ar newname
This option allows changing of an existing group name to
.Ar newname .
The new name must not already exist,
and any attempt to duplicate an existing group
name will be rejected.
.El
.Pp
Options for
.Cm groupshow
are the same as for
.Cm usershow ,
with the
.Fl g Ar gid
replacing
.Fl u Ar uid
to specify the group id.
The
.Fl 7
option does not apply to the
.Cm groupshow
command.
.Pp
The command
.Cm groupnext
returns the next available group id on standard output.
.Sh USER LOCKING
The
.Nm
utility
supports a simple password locking mechanism for users; it works by
prepending the string
.Ql *LOCKED*
to the beginning of the password field in
.Xr master.passwd 5
to prevent successful authentication.
.Pp
The
.Cm lock
and
.Cm unlock
commands take a user name or uid of the account to lock or unlock,
respectively.
The
.Fl V ,
.Fl C ,
and
.Fl q
options as described above are accepted by these commands.
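.Pp
Added example, not part of the original manual page or of the pw sources:
an sh/awk audit of master.passwd-format data that reports the password states this page describes
(the *LOCKED* prefix, the * password set by -h -, a blank password as set by -w none)
and uids shared between accounts, as permitted by useradd -o.
The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the pw sources). Function names and the sample
# records below are constructed for illustration.

# Constructed master.passwd(5)-style records; the hashes are placeholders.
sample_master_passwd() {
    cat <<'EOF'
# name:password:uid:gid:class:change:expire:gecos:home_dir:shell
root:$6$constructed$AAAA:0:0::0:0:Charlie Root:/root:/bin/csh
toor:*:0:0::0:0:Second Superuser:/root:
gsmith:*LOCKED*$6$constructed$BBBB:1001:1001::0:0:Glurmo Smith:/home/gsmith:/bin/csh
jsmith::1002:1002::0:0:J Smith:/home/jsmith:/bin/sh
svc:*:1003:1003::0:0:Service Account:/nonexistent:/usr/sbin/nologin
EOF
}

# audit_master_passwd [FILE]
# Print "name<TAB>state[<TAB>DUPUID=n]" for every record in FILE (default:
# stdin). States:
#   LOCKED    password field starts with *LOCKED* (pw lock)
#   DISABLED  password field is exactly * (for example after -h -)
#   BLANK     empty password field (as produced by -w none)
#   SET       anything else, normally a password hash
# DUPUID marks a uid carried by more than one account (useradd -o).
audit_master_passwd() {
    awk -F: '
        /^#/ || NF == 0 { next }
        NF != 10 { printf "%s\tMALFORMED\n", $1; next }
        {
            n++; name[n] = $1; uid[n] = $3; seen[$3]++
            if ($2 == "")                        state[n] = "BLANK"
            else if (index($2, "*LOCKED*") == 1) state[n] = "LOCKED"
            else if ($2 == "*")                  state[n] = "DISABLED"
            else                                 state[n] = "SET"
        }
        END {
            for (i = 1; i <= n; i++) {
                printf "%s\t%s", name[i], state[i]
                if (seen[uid[i]] > 1) printf "\tDUPUID=%s", uid[i]
                printf "\n"
            }
        }
    ' "${1:--}"
}

# findings [FILE]
# Only the records that need review: blank passwords, malformed lines
# and accounts sharing a uid.
findings() {
    audit_master_passwd "$@" |
        awk -F'\t' '$2 == "BLANK" || $2 == "MALFORMED" || NF > 2'
}
```

On a live system the input is /etc/master.passwd, which only root can read: findings /etc/master.passwd.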
.Sh NOTES
For a summary of options available with each command, you can use
.Dl pw [command] help
For example,
.Dl pw useradd help
lists all available options for the
.Cm useradd
operation.
.Pp
The
.Nm
utility allows 8-bit characters in the passwd GECOS field (user's full name,
office, work and home phone number subfields), but disallows them in
user login and group names.
Use 8-bit characters with caution, as connection to the Internet will
require that your mail transport program supports 8BITMIME, and will
convert headers containing 8-bit characters to 7-bit quoted-printable
format.
.Xr sendmail 8
does support this.
8-bit characters in the GECOS field should be used in
conjunction with the user's default locale and character set
and should not be implemented without their use.
Using 8-bit characters may also affect other
programs that transmit the contents of the GECOS field over the
Internet, such as
.Xr fingerd 8 ,
and a small number of TCP/IP clients, such as IRC, where full names
specified in the passwd file may be used by default.
.Pp
The
.Nm
utility writes a log to the
.Pa /var/log/userlog
file when actions such as user or group additions or deletions occur.
The location of this logfile can be changed in
.Xr pw.conf 5 .
.Sh FILES
.Bl -tag -width /etc/master.passwd.new -compact
.It Pa /etc/master.passwd
The user database
.It Pa /etc/passwd
A Version 7 format password file
.It Pa /etc/login.conf
The user capabilities database
.It Pa /etc/group
The group database
.It Pa /etc/pw.conf
Pw default options file
.It Pa /var/log/userlog
User/group modification logfile
.El
.Sh EXAMPLES
Add new user Glurmo Smith (gsmith).
A gsmith login group is created if not already present.
The login shell is set to
.Xr csh 1 .
A new home directory at
.Pa /home/gsmith
is created if it does not already exist.
Finally, a random password is generated and displayed:
.Bd -literal -offset indent
pw useradd -n gsmith -c "Glurmo Smith" -s csh -m -w random
.Ed
.Pp
Delete the gsmith user and their home directory, including contents.
.Bd -literal -offset indent
pw userdel -n gsmith -r
.Ed
.Pp
Add the existing user jsmith to the wheel group,
in addition to the other groups jsmith is already a member of.
.Bd -literal -offset indent
pw groupmod wheel -m jsmith
.Ed
.Sh EXIT STATUS
The
.Nm
utility returns EXIT_SUCCESS on successful operation, otherwise
.Nm
returns one of the
following exit codes defined by
.Xr sysexits 3
as follows:
.Bl -tag -width xxxx
.It EX_USAGE
.Bl -bullet -compact
.It
Command line syntax errors (invalid keyword, unknown option).
.El
.It EX_NOPERM
.Bl -bullet -compact
.It
Attempting to run one of the update modes as non-root.
.El
.It EX_OSERR
.Bl -bullet -compact
.It
Memory allocation error.
.It
Read error from password file descriptor.
.El
.It EX_DATAERR
.Bl -bullet -compact
.It
Bad or invalid data provided or missing on the command line or
via the password file descriptor.
.It
Attempted to remove, rename root account or change its uid.
.El
.It EX_OSFILE
.Bl -bullet -compact
.It
Skeleton directory is invalid or does not exist.
.It
Base home directory is invalid or does not exist.
.It
Invalid or non-existent shell specified.
.El
.It EX_NOUSER
.Bl -bullet -compact
.It
User, user id, group or group id specified does not exist.
.It
User or group recorded, added, or modified unexpectedly disappeared.
.El
.It EX_SOFTWARE
.Bl -bullet -compact
.It
No more group or user ids available within specified range.
.El
.It EX_IOERR
.Bl -bullet -compact
.It
Unable to rewrite configuration file.
.It
Error updating group or user database files.
.It
Update error for passwd or group database files.
.El
.It EX_CONFIG
.Bl -bullet -compact
.It
No base home directory configured.
.El
.El
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr passwd 1 ,
.Xr umask 2 ,
.Xr group 5 ,
.Xr login.conf 5 ,
.Xr passwd 5 ,
.Xr pw.conf 5 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8
.Sh HISTORY
The
.Nm
utility was written to mimic many of the options used in the SYSV
.Em shadow
support suite, but is modified for passwd and group fields specific to
the
.Bx 4.4
operating system, and combines all of the major elements
into a single command.