NetBSD/share/man/man8/adduser.8

.\" $NetBSD: adduser.8,v 1.6 1999/01/25 03:23:06 erh Exp $
.\"
.\" Copyright (c) 1999 The NetBSD Foundation, Inc.
.\" All rights reserved.
.\"
.\" This code is derived from software contributed to The NetBSD Foundation
.\" by Eric Haszlakiewicz
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the NetBSD
.\" Foundation, Inc. and its contributors.
.\" 4. Neither the name of The NetBSD Foundation nor the names of its
.\" contributors may be used to endorse or promote products derived
.\" from this software without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
.Dd January 23, 1999
.Dt ADDUSER 8
.Os NetBSD
.Sh NAME
.Nm adduser
.Nd procedure for adding new users
.Sh OVERVIEW
Although there exists an
.Nm addnerd
package for adding users (see the
.Sx SEE ALSO
section below), the standard
.Nx
distribution does not include an
adduser command. This is a brief description of the actions that
should be taken to add a user:
.Bl -bullet -compact
.It
Edit the password file and add an appropriate entry.
.Pq Xr vipw 8 , Xr passwd 5
.It
Edit the group file and add the new user to the appropriate groups.
.Pq Xr group 5
.It
Set a password for the new user with passwd.
.Pq Xr passwd 1
.It
Create a home directory for this user.
.Pq "see below" , Pa /usr/share/skel
.El
In general, new users should be created with unique user ids and login names.
Home directories should be owned by that user. Avoid empty passwords and
blank lines in the password file.
.Sh DESCRIPTION
Procedure for adding a new user:
.Ss "Adding a new user to the password file:"
The command to safely modify the password file is
.Ic vipw .
\ When run as root this edits the password file after setting the
appropriate locks. Be careful while changing the password file since
arbitrary changes can easily compromise the security of your system.
A more detailed description can be obtained from the
.Xr vipw 8
manual page.
.Pp
When creating a new user it is probably easiest to copy one of the existing
entries and modify the fields as needed. For a description of the fields in
the password file see the
.Xr passwd 5
manual page.
Here are some guidelines on how to modify the password entry:
.Bl -tag -compact -width 8n
.It Em name
This must be a unique login name: it must not appear in
.Pa /etc/passwd
or
.Pa /etc/aliases .
It must not begin with the hyphen
.Ql Em -
character.
It is strongly recommended that it be all lower-case, and not contain the dot
.Ql Em \&.
character, as that tends to confuse mailers.
.It Em password
The easiest way to set the password is with the
.Xr passwd 1
program, which is mentioned below. For now, set this field to the asterisk
.Ql Em *
character to prevent any password from working.
.It Em uid
A new user should be given a user id that is unique across the system, and
often across a group of systems, since user ids are used to control file
access. One of the simplest ways of choosing a user id is to find the
maximum id used and add one. For example, if you started adding users at
id 1000, and the highest id so far is 1020, the next user will have 1021
as his id.
.It Em gid
This is where you should set a user's primary group. Additional group
membership can be granted by editing the
.Pa /etc/group
file
.Pq see below .
Typically, users working on similar projects will be put in the same groups.
For instance, at the University of California, Berkeley, there are groups
for system staff, faculty, graduate students and special groups for large
projects.
.Pp
Group
.Em 0 ,
named
.Em wheel ,
is used to control what users may use su to gain root
privileges. Often, instead of setting a user's primary group to wheel, the
.Pa /etc/group
file is used to control access to this privilege. In these cases the primary
group is set to some other group, such as the generic staff or users group.
.It Em class , change , expire
Ignore these fields for now. Make the class field empty, and set the change
and expire fields to "0".
.It Em gecos
This is where you should place, among other information, the user's name.
For instance, if the user's name is
.Qq John Doe ,
this field would look like this:
.Qq John Doe,,,
.It Em home_dir
This field should be set to the location of the user's home directory.
For instance, assuming home directories are located in
.Pa /home
on your system, this would be set to
.Pa /home/<username> .
You will probably need to create this directory.
See below for a more detailed explanation on how to create a home
directory and what to put in it.
.It Em shell
Set this field to the desired shell. See
.Xr shells 5
for more information.
.El
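.Pp
The guidelines above can be checked mechanically before the edited file is put into service.
The following sh/awk function is an added example, not part of the NetBSD distribution; the name audit_passwd and the sample entries are constructed for illustration, and it assumes the ten colon-separated fields listed above.

```shell
#!/bin/sh
# audit_passwd FILE: print one line per violation of the guidelines above.
# FILE is assumed to hold ten colon-separated fields per entry:
#   name:password:uid:gid:class:change:expire:gecos:home_dir:shell
audit_passwd() {
    awk -F: '
    /^[ \t]*$/ { printf "line %d: blank line\n", NR; next }
    {
        if (NF != 10)
            printf "line %d: %s: expected 10 fields, found %d\n", NR, $1, NF
        if ($1 ~ /^-/)
            printf "line %d: %s: login name begins with a hyphen\n", NR, $1
        if ($1 ~ /[A-Z.]/)
            printf "line %d: %s: login name has upper-case letters or a dot\n", NR, $1
        if ($2 == "")
            printf "line %d: %s: empty password field, login needs no password\n", NR, $1
        if ($1 in names)
            printf "line %d: %s: login name already used on line %d\n", NR, $1, names[$1]
        if ($3 in uids)
            printf "line %d: %s: uid %s already used by %s\n", NR, $1, $3, uids[$3]
        names[$1] = NR      # remember where each login name was seen
        uids[$3] = $1       # remember which login owns each uid
    }' "$1"
}

# Constructed sample data, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
jdoe:*:1000:20::0:0:John Doe,,,:/home/jdoe:/bin/sh

Bob.Ray:*:1001:20::0:0:Bob Ray,,,:/home/bobray:/bin/sh
guest::1002:20::0:0:Guest,,,:/home/guest:/bin/sh
asmith:*:1000:20::0:0:A Smith,,,:/home/asmith:/bin/sh
EOF
audit_passwd "$sample"
rm -f "$sample"
```

Run it against a copy of the password file; an entry that shares a uid with another on purpose will be reported and needs a manual decision.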
.Ss Setting the password:
Once the user exists in the password file you can use the
.Ic passwd
utility to change his password. Executing
.Ic passwd Ar <username>
will prompt you for the password. If you do not wish to use password
authentication for this user then skip this step. For instance, if you
wanted to only allow logins through ssh RSA authentication then a password
would be undesirable. If you do skip this step make sure that you have set
the password to the asterisk
.Ql *
character in the password file. Placing nothing
.Pq Ql
in the password field would allow this user to log in with
.Em NO
password. This is probably not what you want.
.Ss The chpass, chfn and chsh utilities:
These utilities allow you to change a single user's information in a more
user-friendly fashion than
.Ic vipw .
After creating the user with vipw, you may find it easier to use
these instead.
.Ss Editing /etc/group:
The simplest thing to do here is to add a user onto an already existing
group. This is done by appending the user's login name to the desired
group line, separated from any other user names with a comma.
.Pp
For example, to add a user named
.Qq Joe
to the
.Qq staff
group you would change the line that looks like this:
.Dl staff:*:20:root
to look like this:
.Dl staff:*:20:root,Joe
.Pp
Be careful of who you add to group 0, since the su utility uses this list
to determine who is allowed to gain root privileges.
.Pp
For more information see
.Xr group 5
and
.Xr su 1 .
.Ss Create the home directory:
After you have created the user in the password file you will probably need
to create a home directory for him. You will probably want to copy
skeletal configuration files from
.Pa /usr/share/skel
to give new users some help getting started.
Finally you want to set the ownership and permissions on the directory
and files.
.Pp
Assuming that you have set the home directory in the password file,
here are the steps you will want to take:
.Bl -item -compact
.It
mkdir ~$username
.It
cp /usr/share/skel/dot.profile ~$username/.profile
.It
cp /usr/share/skel/dot.login ~$username/.login
.It
cp /usr/share/skel/dot.mailrc ~$username/.mailrc
.It
cp /usr/share/skel/dot.cshrc ~$username/.cshrc
.It
cp /usr/share/skel/dot.rhosts ~$username/.rhosts
.It
chown -R $username:$usergroup ~$username
.It
chmod -R 700 ~$username
.It
chmod 755 ~$username
.El
.Pp
(If you set the username and usergroup environment variables you can cut
and paste this list of steps.)
.Pp
See
.Xr cp 1 ,
.Xr chown 8 ,
.Xr chmod 1
and
.Xr mkdir 1
for more information about these commands.
.Sh SEE ALSO
.Bl -item -compact
.It
.Xr vipw 8 ,
.Xr passwd 1 ,
.Xr group 5 ,
.Xr passwd 5 ,
.It
.Xr chpass 1 ,
.Xr chfn 1 ,
.Xr chsh 1 ,
.It
.Xr pwd_mkdb 8 ,
.Xr finger 1 ,
.Xr aliases 5 ,
.It
.Xr chown 8 ,
.Xr chmod 1 ,
.Xr mkdir 1 ,
.Xr cp 1 ,
.Xr man 1
.El
.Pp
For many useful programs, including
.Em ssh
and
.Em addnerd
(a utility for adding users),
see the
.Nx
packages collection. Information about packages can be
found at
.Em http://www.netbsd.org/Documentation/software/packages.html
.Sh FILES
.Bl -tag -width 20n -compact
.It Pa /etc/passwd
the system password file
.It Pa /etc/group
the system group file
.It Pa /usr/share/skel/*
skeletal login directory
.El
.Sh BUGS
User information should (and eventually will) be stored elsewhere.