xref: /freebsd/usr.sbin/pw/pw.conf.5 (revision 397e83df75e0fcd0d3fcb95ae4d794cb7600fc89)
1.\" Copyright (C) 1996
2.\" David L. Nugent.  All rights reserved.
3.\"
4.\" Redistribution and use in source and binary forms, with or without
5.\" modification, are permitted provided that the following conditions
6.\" are met:
7.\" 1. Redistributions of source code must retain the above copyright
8.\"    notice, this list of conditions and the following disclaimer.
9.\" 2. Redistributions in binary form must reproduce the above copyright
10.\"    notice, this list of conditions and the following disclaimer in the
11.\"    documentation and/or other materials provided with the distribution.
12.\"
13.\" THIS SOFTWARE IS PROVIDED BY DAVID L. NUGENT AND CONTRIBUTORS ``AS IS'' AND
14.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
15.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
16.\" ARE DISCLAIMED.  IN NO EVENT SHALL DAVID L. NUGENT OR CONTRIBUTORS BE LIABLE
17.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
18.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
19.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
20.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
21.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
22.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
23.\" SUCH DAMAGE.
24.\"
25.Dd March 30, 2007
26.Dt PW.CONF 5
27.Os
28.Sh NAME
29.Nm pw.conf
30.Nd format of the pw.conf configuration file
31.Sh DESCRIPTION
32The file
33.Pa /etc/pw.conf
34contains configuration data for the
35.Xr pw 8
36utility.
37The
38.Xr pw 8
39utility is used for maintenance of the system password and group
40files, allowing users and groups to be added, deleted and changed.
41This file may be modified via the
42.Xr pw 8
43command using the
44.Ar useradd
45command and the
46.Fl D
47option, or by editing it directly with a text editor.
48.Pp
49Each line in
50.Pa /etc/pw.conf
51is treated either a comment or as configuration data;
52blank lines and lines commencing with a
53.Ql \&#
54character are considered comments, and any remaining lines are
55examined for a leading keyword, followed by corresponding data.
56.Pp
57Keywords recognized by
58.Xr pw 8
59are:
60.Bl -tag -width password_days -offset indent -compact
61.It defaultpasswd
62affect passwords generated for new users
63.It reuseuids
64reuse gaps in uid sequences
65.It reusegids
66reuse gaps in gid sequences
67.It nispasswd
68path to the
69.Tn NIS
70passwd database
71.It skeleton
72where to obtain default home contents
73.It newmail
74mail to send to new users
75.It logfile
76log user/group modifications to this file
77.It home
78root directory for home directories
79.It homemode
80permissions for home directory
81.It shellpath
82paths in which to locate shell programs
83.It shells
84list of valid shells (without path)
85.It defaultshell
86default shell (without path)
87.It defaultgroup
88default group
89.It extragroups
90add new users to this groups
91.It defaultclass
92place new users in this login class
93.It minuid
94.It maxuid
95range of valid default user ids
96.It mingid
97.It maxgid
98range of valid default group ids
99.It expire_days
100days after which account expires
101.It password_days
102days after which password expires
103.El
104.Pp
105Valid values for
106.Ar defaultpasswd
107are:
108.Bl -tag -width password_days -offset indent -compact
109.It no
110disable login on newly created accounts
111.It yes
112force the password to be the account name
113.It none
114force a blank password
115.It random
116generate a random password
117.El
118.Pp
119The second and third options are insecure and should be avoided if
120possible on a publicly accessible system.
121The first option requires that the superuser run
122.Xr passwd 1
123to set a password before the account may be used.
124This may also be useful for creating administrative accounts.
125The final option causes
126.Xr pw 8
127to respond by printing a randomly generated password on stdout.
128This is the preferred and most secure option.
129The
130.Xr pw 8
131utility also provides a method of setting a specific password for the new
132user via a filehandle (command lines are not secure).
133.Pp
134Both
135.Ar reuseuids
136and
137.Ar reusegids
138determine the method by which new user and group id numbers are
139generated.
140A
141.Ql \&yes
142in this field will cause
143.Xr pw 8
144to search for the first unused user or group id within the allowed
145range, whereas a
146.Ql \&no
147will ensure that no other existing user or group id within the range
148is numerically lower than the new one generated, and therefore avoids
149reusing gaps in the user or group id sequence that are caused by
150previous user or group deletions.
151Note that if the default group is not specified using the
152.Ar defaultgroup
153keyword,
154.Xr pw 8
155will create a new group for the user and attempt to keep the new
156user's uid and gid the same.
157If the new user's uid is currently in use as a group id, then the next
158available group id is chosen instead.
159.Pp
160On
161.Tn NIS
162servers which maintain a separate passwd database to
163.Pa /etc/master.passwd ,
164this option allows the additional file to be concurrently updated
165as user records are added, modified or removed.
166If blank or set to 'no', no additional database is updated.
167An absolute pathname must be used.
168.Pp
169The
170.Ar skeleton
171keyword nominates a directory from which the contents of a user's
172new home directory is constructed.
173This is
174.Pa /usr/share/skel
175by default.
176The
177.Xr pw 8 Ns 's
178.Fl m
179option causes the user's home directory to be created and populated
180using the files contained in the
181.Ar skeleton
182directory.
183.Pp
184To send an initial email to new users, the
185.Ar newmail
186keyword may be used to specify a path name to a file containing
187the message body of the message to be sent.
188To avoid sending mail when accounts are created, leave this entry
189blank or specify
190.Ql \&no .
191.Pp
192The
193.Ar logfile
194option allows logging of password file modifications into the
195nominated log file.
196To avoid creating or adding to such a logfile, then leave this
197field blank or specify
198.Ql \&no .
199.Pp
200The
201.Ar home
202keyword is mandatory.
203This specifies the location of the directory in which all new user
204home directories are created.
205.Pp
206The
207.Ar homemode
208keyword is optional.
209It specifies the creation mask of the user's home directory and is modified by
210.Xr umask 2 .
211.Pp
212The
213.Ar shellpath
214keyword specifies a list of directories - separated by colons
215.Ql \&:
216- which contain the programs used by the login shells.
217.Pp
218The
219.Ar shells
220keyword specifies a list of programs available for use as login
221shells.
222This list is a comma-separated list of shell names which should
223not contain a path.
224These shells must exist in one of the directories nominated by
225.Ar shellpath .
226.Pp
227The
228.Ar defaultshell
229keyword nominates which shell program to use for new users when
230none is specified on the
231.Xr pw 8
232command line.
233.Pp
234The
235.Ar defaultgroup
236keyword defines the primary group (the group id number in the
237password file) used for new accounts.
238If left blank, or the word
239.Ql \&no
240is used, then each new user will have a corresponding group of
241their own created automatically.
242This is the recommended procedure for new users as it best secures each
243user's files against interference by other users of the system
244irrespective of the
245.Em umask
246normally used by the user.
247.Pp
248The
249.Ar extragroups
250keyword provides an automatic means of placing new users into groups within
251the
252.Pa /etc/groups
253file.
254This is useful where all users share some resources, and is preferable
255to placing users into the same primary group.
256The effect of this keyword can be overridden using the
257.Fl G
258option on the
259.Xr pw 8
260command line.
261.Pp
262The
263.Ar defaultclass
264field determines the login class (See
265.Xr login.conf 5 )
266that new users will be allocated unless overwritten by
267.Xr pw 8 .
268.Pp
269The
270.Ar minuid ,
271.Ar maxuid ,
272.Ar mingid ,
273.Ar maxgid
274keywords determine the allowed ranges of automatically allocated user
275and group id numbers.
276The default values for both user and group ids are 1000 and 32000 as
277minimum and maximum respectively.
278The user and group id's actually used when creating an account with
279.Xr pw 8
280may be overridden using the
281.Fl u
282and
283.Fl g
284command line options.
285.Pp
286The
287.Ar expire_days
288and
289.Ar password_days
290are used to automatically calculate the number of days from the date
291on which an account is created when the account will expire or the
292user will be forced to change the account's password.
293A value of
294.Ql \&0
295in either field will disable the corresponding (account or password)
296expiration date.
297.Sh LIMITS
298The maximum line length of
299.Pa /etc/pw.conf
300is 1024 characters.
301Longer lines will be skipped and treated
302as comments.
303.Sh FILES
304.Bl -tag -width /etc/master.passwd -compact
305.It Pa /etc/pw.conf
306.It Pa /etc/passwd
307.It Pa /etc/master.passwd
308.It Pa /etc/group
309.El
310.Sh SEE ALSO
311.Xr passwd 1 ,
312.Xr umask 2 ,
313.Xr group 5 ,
314.Xr login.conf 5 ,
315.Xr passwd 5 ,
316.Xr pw 8
317