Материал из

Перейти к: навигация, поиск

Не указан параметр (1)

PW(8) FreeBSD System Manager's Manual PW(8)


[править] NAME

    pw — create, remove, modify & display system users and groups

[править] SYNOPSIS

    pw [-V etcdir] useradd [name|uid] [-C config] [-q] [-n name] [-u uid]
       [-c comment] [-d dir] [-e date] [-p date] [-g group] [-G grouplist]
       [-m] [-M mode] [-k dir] [-w method] [-s shell] [-o] [-L class]
       [-h fd | -H fd] [-N] [-P] [-Y]
    pw [-V etcdir] useradd [name|uid] -D [-C config] [-q] [-b dir] [-e days]
       [-p days] [-g group] [-G grouplist] [-k dir] [-M mode] [-u min,max]
       [-i min,max] [-w method] [-s shell] [-y path]
    pw [-V etcdir] userdel [name|uid] [-n name] [-u uid] [-r] [-Y]
    pw [-V etcdir] usermod [name|uid] [-C config] [-q] [-n name] [-u uid]
       [-c comment] [-d dir] [-e date] [-p date] [-g group] [-G grouplist]
       [-l name] [-m] [-M mode] [-k dir] [-w method] [-s shell] [-L class]
       [-h fd | -H fd] [-N] [-P] [-Y]
    pw [-V etcdir] usershow [name|uid] [-n name] [-u uid] [-F] [-P] [-7] [-a]
    pw [-V etcdir] usernext [-C config] [-q]
    pw [-V etcdir] groupadd [group|gid] [-C config] [-q] [-n group] [-g gid]
       [-M members] [-o] [-h fd | -H fd] [-N] [-P] [-Y]
    pw [-V etcdir] groupdel [group|gid] [-n name] [-g gid] [-Y]
    pw [-V etcdir] groupmod [group|gid] [-C config] [-q] [-n name] [-g gid]
       [-l name] [-M members] [-m newmembers] [-d oldmembers] [-h fd | -H fd]
       [-N] [-P] [-Y]
    pw [-V etcdir] groupshow [group|gid] [-n name] [-g gid] [-F] [-P] [-a]
    pw [-V etcdir] groupnext [-C config] [-q]
    pw [-V etcdir] lock [name|uid] [-C config] [-q]
    pw [-V etcdir] unlock [name|uid] [-C config] [-q]


    The pw utility is a command-line based editor for the system user and
    group files, allowing the superuser an easy to use and standardized way
    of adding, modifying and removing users and groups.  Note that pw only
    operates on the local user and group files.  NIS users and groups must be
    maintained on the NIS server.  The pw utility handles updating the
    passwd, master.passwd, group and the secure and insecure password data‐
    base files, and must be run as root.
    The first one or two keywords provided to pw on the command line provide
    the context for the remainder of the arguments.  The keywords user and
    group may be combined with add, del, mod, show, or next in any order.
    (For example, showuser, usershow, show user, and user show all mean the
    same thing.)  This flexibility is useful for interactive scripts calling
    pw for user and group database manipulation.  Following these keywords,
    you may optionally specify the user or group name or numeric id as an
    alternative to using the -n name, -u uid, -g gid options.
    The following flags are common to most or all modes of operation:
    -V etcdir     This flag sets an alternate location for the password,
                  group and configuration files, and may be used to maintain
                  a user/group database in an alternate location.  If this
                  switch is specified, the system /etc/pw.conf will not be
                  sourced for default configuration data, but the file
                  pw.conf in the specified directory will be used instead (or
                  none, if it does not exist).  The -C flag may be used to
                  override this behaviour.  As an exception to the general
                  rule where options must follow the operation type, the -V
                  flag may be used on the command line before the operation
    -C config     By default, pw reads the file /etc/pw.conf to obtain policy
                  information on how new user accounts and groups are to be
                  created.  The -C option specifies a different configuration
                  file.  While most of the contents of the configuration file
                  may be overridden via command-line options, it may be more
                  convenient to keep standard information in a configuration
    -q            Use of this option causes pw to suppress error messages,
                  which may be useful in interactive environments where it is
                  preferable to interpret status codes returned by pw rather
                  than messing up a carefully formatted display.
    -N            This option is available in add and modify operations, and
                  tells pw to output the result of the operation without
                  updating the user or group databases.  You may use the -P
                  option to switch between standard passwd and readable for‐
    -Y            Using this option with any of the update modes causes pw to
                  run make(1) after changing to the directory /var/yp.  This
                  is intended to allow automatic updating of NIS database
                  files.  If separate passwd and group files are being used
                  by NIS, then use the -y path option to specify the location
                  of the NIS passwd database so that pw will concurrently
                  update it with the system password databases.

[править] USER OPTIONS

    The following options apply to the useradd and usermod commands:
    -n name       Specify the user/account name.
    -u uid        Specify the user/account numeric id.
                  Usually, you only need to provide one or the other of these
                  options, as the account name will imply the uid, or vice
                  versa.  However, there are times when you need to provide
                  both.  For example, when changing the uid of an existing
                  user with usermod, or overriding the default uid when cre‐
                  ating a new account.  If you wish pw to automatically allo‐
                  cate the uid to a new user with useradd, then you should
                  not use the -u option.  You may also provide either the
                  account or userid immediately after the useradd, userdel,
                  usermod or usershow keywords on the command line without
                  using the -n or -u options.
    -c comment    This field sets the contents of the passwd GECOS field,
                  which normally contains up to four comma-separated fields
                  containing the user's full name, office or location, and
                  work and home phone numbers.  These sub-fields are used by
                  convention only, however, and are optional.  If this field
                  is to contain spaces, you need to quote the comment itself
                  with double quotes ‘"’.  Avoid using commas in this field
                  as these are used as sub-field separators, and the colon
                  ‘:’ character also cannot be used as this is the field sep‐
                  arator for the passwd file itself.
    -d dir        This option sets the account's home directory.  Normally,
                  you will only use this if the home directory is to be dif‐
                  ferent from the default determined from /etc/pw.conf - nor‐
                  mally /home with the account name as a subdirectory.
    -e date       Set the account's expiration date.  Format of the date is
                  either a UNIX time in decimal, or a date in ‘dd-mmm-yy[yy]’
                  format, where dd is the day, mmm is the month, either in
                  numeric or alphabetic format ('Jan', 'Feb', etc) and year
                  is either a two or four digit year.  This option also
                  accepts a relative date in the form ‘+n[mhdwoy]’ where ‘n’
                  is a decimal, octal (leading 0) or hexadecimal (leading 0x)
                  digit followed by the number of Minutes, Hours, Days,
                  Weeks, Months or Years from the current date at which the
                  expiration date is to be set.
    -p date       Set the account's password expiration date.  This field is
                  similar to the account expiration date option, except that
                  it applies to forced password changes.  This is set in the
                  same manner as the -e option.
    -g group      Set the account's primary group to the given group.  group
                  may be defined by either its name or group number.
    -G grouplist  Set additional group memberships for an account.  grouplist
                  is a comma, space or tab-separated list of group names or
                  group numbers.  The user's name is added to the group lists
                  in /etc/group, and removed from any groups not specified in
                  grouplist.  Note: a user should not be added to their pri‐
                  mary group with grouplist.  Also, group membership changes
                  do not take effect for current user login sessions, requir‐
                  ing the user to reconnect to be affected by the changes.
    -L class      This option sets the login class for the user being cre‐
                  ated.  See login.conf(5) and passwd(5) for more information
                  on user login classes.
    -m            This option instructs pw to attempt to create the user's
                  home directory.  While primarily useful when adding a new
                  account with useradd, this may also be of use when moving
                  an existing user's home directory elsewhere on the file
                  system.  The new home directory is populated with the con‐
                  tents of the skeleton directory, which typically contains a
                  set of shell configuration files that the user may person‐
                  alize to taste.  Files in this directory are usually named
                  dot.⟨config⟩ where the dot prefix will be stripped.  When
                  -m is used on an account with usermod, existing configura‐
                  tion files in the user's home directory are not overwritten
                  from the skeleton files.
                  When a user's home directory is created, it will by default
                  be a subdirectory of the basehome directory as specified by
                  the -b option (see below), bearing the name of the new
                  account.  This can be overridden by the -d option on the
                  command line, if desired.
    -M mode       Create the user's home directory with the specified mode,
                  modified by the current umask(2).  If omitted, it is
                  derived from the parent process' umask(2).  This option is
                  only useful in combination with the -m flag.
    -k dir        Set the skeleton directory, from which basic startup and
                  configuration files are copied when the user's home direc‐
                  tory is created.  This option only has meaning when used
                  with the -d or -m flags.
    -s shell      Set or changes the user's login shell to shell.  If the
                  path to the shell program is omitted, pw searches the
                  shellpath specified in /etc/pw.conf and fills it in as
                  appropriate.  Note that unless you have a specific reason
                  to do so, you should avoid specifying the path - this will
                  allow pw to validate that the program exists and is exe‐
                  cutable.  Specifying a full path (or supplying a blank ""
                  shell) avoids this check and allows for such entries as
                  /nonexistent that should be set for accounts not intended
                  for interactive login.
    -h fd         This option provides a special interface by which interac‐
                  tive scripts can set an account password using pw.  Because
                  the command line and environment are fundamentally insecure
                  mechanisms by which programs can accept information, pw
                  will only allow setting of account and group passwords via
                  a file descriptor (usually a pipe between an interactive
                  script and the program).  sh, bash, ksh and perl all pos‐
                  sess mechanisms by which this can be done.  Alternatively,
                  pw will prompt for the user's password if -h 0 is given,
                  nominating stdin as the file descriptor on which to read
                  the password.  Note that this password will be read only
                  once and is intended for use by a script rather than for
                  interactive use.  If you wish to have new password confir‐
                  mation along the lines of passwd(1), this must be imple‐
                  mented as part of an interactive script that calls pw.
                  If a value of ‘-’ is given as the argument fd, then the
                  password will be set to ‘*’, rendering the account inacces‐
                  sible via password-based login.
    -H fd         Read an encrypted password string from the specified file
                  descriptor.  This is like -h, but the password should be
                  supplied already encrypted in a form suitable for writing
                  directly to the password database.
    It is possible to use useradd to create a new account that duplicates an
    existing user id.  While this is normally considered an error and will be
    rejected, the -o option overrides the check for duplicates and allows the
    duplication of the user id.  This may be useful if you allow the same
    user to login under different contexts (different group allocations, dif‐
    ferent home directory, different shell) while providing basically the
    same permissions for access to the user's files in each account.
    The useradd command also has the ability to set new user and group
    defaults by using the -D option.  Instead of adding a new user, pw writes
    a new set of defaults to its configuration file, /etc/pw.conf.  When
    using the -D option, you must not use either -n name or -u uid or an
    error will result.  Use of -D changes the meaning of several command line
    switches in the useradd command.  These are:
    -D            Set default values in /etc/pw.conf configuration file, or a
                  different named configuration file if the -C config option
                  is used.
    -b dir        Set the root directory in which user home directories are
                  created.  The default value for this is /home, but it may
                  be set elsewhere as desired.
    -e days       Set the default account expiration period in days.  Unlike
                  use without -D, the argument must be numeric, which speci‐
                  fies the number of days after creation when the account is
                  to expire.  A value of 0 suppresses automatic calculation
                  of the expiry date.
    -p days       Set the default password expiration period in days.
    -g group      Set the default group for new users.  If a blank group is
                  specified using -g "", then new users will be allocated
                  their own private primary group with the same name as their
                  login name.  If a group is supplied, either its name or uid
                  may be given as an argument.
    -G grouplist  Set the default groups in which new users are granted mem‐
                  bership.  This is a separate set of groups from the primary
                  group, and you should avoid nominating the same group as
                  both primary and extra groups.  In other words, these extra
                  groups determine membership in groups other than the pri‐
                  mary group.  grouplist is a comma-separated list of group
                  names or ids, and are always stored in /etc/pw.conf by
                  their symbolic names.
    -L class      This option sets the default login class for new users.
    -k dir        Set the default skeleton directory, from which prototype
                  shell and other initialization files are copied when pw
                  creates a user's home directory.  See description of -k for
                  naming conventions of these files.
    -u min,max, -i min,max
                  These options set the minimum and maximum user and group
                  ids allocated for new accounts and groups created by pw.
                  The default values for each is 1000 minimum and 32000 maxi‐
                  mum.  min and max are both numbers, where max must be
                  greater than min, and both must be between 0 and 32767.  In
                  general, user and group ids less than 100 are reserved for
                  use by the system, and numbers greater than 32000 may also
                  be reserved for special purposes (used by some system dae‐
    -w method     The -w option sets the default method used to set passwords
                  for newly created user accounts.  method is one of:
                        no      disable login on newly created accounts
                        yes     force the password to be the account name
                        none    force a blank password
                        random  generate a random password
                  The ‘random’ or ‘no’ methods are the most secure; in the
                  former case, pw generates a password and prints it to std‐
                  out, which is suitable where you issue users with passwords
                  to access their accounts rather than having the user nomi‐
                  nate their own (possibly poorly chosen) password.  The ‘no’
                  method requires that the superuser use passwd(1) to render
                  the account accessible with a password.
    -y path       This sets the pathname of the database used by NIS if you
                  are not sharing the information from /etc/master.passwd
                  directly with NIS.  You should only set this option for NIS
    The userdel command has only three valid options.  The -n name and -u uid
    options have already been covered above.  The additional option is:
    -r            This tells pw to remove the user's home directory and all
                  of its contents.  The pw utility errs on the side of cau‐
                  tion when removing files from the system.  Firstly, it will
                  not do so if the uid of the account being removed is also
                  used by another account on the system, and the 'home'
                  directory in the password file is a valid path that com‐
                  mences with the character ‘/’.  Secondly, it will only
                  remove files and directories that are actually owned by the
                  user, or symbolic links owned by anyone under the user's
                  home directory.  Finally, after deleting all contents owned
                  by the user only empty directories will be removed.  If any
                  additional cleanup work is required, this is left to the
    Mail spool files and crontabs are always removed when an account is
    deleted as these are unconditionally attached to the user name.  Jobs
    queued for processing by at are also removed if the user's uid is unique
    and not also used by another account on the system.
    The usermod command adds one additional option:
    -l name       This option allows changing of an existing account name to
                  ‘name’.  The new name must not already exist, and any
                  attempt to duplicate an existing account name will be
    The usershow command allows viewing of an account in one of two formats.
    By default, the format is identical to the format used in
    /etc/master.passwd with the password field replaced with a ‘*’.  If the
    -P option is used, then pw outputs the account details in a more human
    readable form.  If the -7 option is used, the account details are shown
    in v7 format.  The -a option lists all users currently on file.  Using -F
    forces pw to print the details of an account even if it does not exist.
    The command usernext returns the next available user and group ids sepa‐
    rated by a colon.  This is normally of interest only to interactive
    scripts or front-ends that use pw.


    The -C and -q options (explained at the start of the previous section)
    are available with the group manipulation commands.  Other common options
    to all group-related commands are:
    -n name        Specify the group name.
    -g gid         Specify the group numeric id.
                   As with the account name and id fields, you will usually
                   only need to supply one of these, as the group name
                   implies the uid and vice versa.  You will only need to use
                   both when setting a specific group id against a new group
                   or when changing the uid of an existing group.
    -M memberlist  This option provides an alternative way to add existing
                   users to a new group (in groupadd) or replace an existing
                   membership list (in groupmod).  memberlist is a comma sep‐
                   arated list of valid and existing user names or uids.
    -m newmembers  Similar to -M, this option allows the addition of existing
                   users to a group without replacing the existing list of
                   members.  Login names or user ids may be used, and dupli‐
                   cate users are silently eliminated.
    -d oldmembers  Similar to -M, this option allows the deletion of existing
                   users from a group without replacing the existing list of
                   members.  Login names or user ids may be used, and dupli‐
                   cate users are silently eliminated.
    groupadd also has a -o option that allows allocation of an existing group
    id to a new group.  The default action is to reject an attempt to add a
    group, and this option overrides the check for duplicate group ids.
    There is rarely any need to duplicate a group id.
    The groupmod command adds one additional option:
    -l name        This option allows changing of an existing group name to
                   ‘name’.  The new name must not already exist, and any
                   attempt to duplicate an existing group name will be
    Options for groupshow are the same as for usershow, with the -g gid
    replacing -u uid to specify the group id.  The -7 option does not apply
    to the groupshow command.
    The command groupnext returns the next available group id on standard

[править] USER LOCKING

    The pw utility supports a simple password locking mechanism for users; it
    works by prepending the string ‘*LOCKED*’ to the beginning of the pass‐
    word field in master.passwd to prevent successful authentication.
    The lock and unlock commands take a user name or uid of the account to
    lock or unlock, respectively.  The -V, -C, and -q options as described
    above are accepted by these commands.

[править] NOTES

    For a summary of options available with each command, you can use
          pw [command] help
    For example,
          pw useradd help
    lists all available options for the useradd operation.
    The pw utility allows 8-bit characters in the passwd GECOS field (user's
    full name, office, work and home phone number subfields), but disallows
    them in user login and group names.  Use 8-bit characters with caution,
    as connection to the Internet will require that your mail transport pro‐
    gram supports 8BITMIME, and will convert headers containing 8-bit charac‐
    ters to 7-bit quoted-printable format.  sendmail(8) does support this.
    Use of 8-bit characters in the GECOS field should be used in conjunction
    with the user's default locale and character set and should not be imple‐
    mented without their use.  Using 8-bit characters may also affect other
    programs that transmit the contents of the GECOS field over the Internet,
    such as fingerd(8), and a small number of TCP/IP clients, such as IRC,
    where full names specified in the passwd file may be used by default.
    The pw utility writes a log to the /var/log/userlog file when actions
    such as user or group additions or deletions occur.  The location of this
    logfile can be changed in pw.conf(5).

[править] FILES

    /etc/master.passwd      The user database
    /etc/passwd             A Version 7 format password file
    /etc/login.conf         The user capabilities database
    /etc/group              The group database
    /etc/  Temporary copy of the master password file
    /etc/         Temporary copy of the Version 7 password file
    /etc/          Temporary copy of the group file
    /etc/pw.conf            Pw default options file
    /var/log/userlog        User/group modification logfile

[править] EXIT STATUS

    The pw utility returns EXIT_SUCCESS on successful operation, otherwise pw
    returns one of the following exit codes defined by sysexits(3) as fol‐
          ·   Command line syntax errors (invalid keyword, unknown option).
          ·   Attempting to run one of the update modes as non-root.
          ·   Memory allocation error.
          ·   Read error from password file descriptor.
          ·   Bad or invalid data provided or missing on the command line or
              via the password file descriptor.
          ·   Attempted to remove, rename root account or change its uid.
          ·   Skeleton directory is invalid or does not exist.
          ·   Base home directory is invalid or does not exist.
          ·   Invalid or non-existent shell specified.
          ·   User, user id, group or group id specified does not exist.
          ·   User or group recorded, added, or modified unexpectedly disap‐
          ·   No more group or user ids available within specified range.
          ·   Unable to rewrite configuration file.
          ·   Error updating group or user database files.
          ·   Update error for passwd or group database files.
          ·   No base home directory configured.

[править] SEE ALSO

    chpass(1), passwd(1), umask(2), group(5), login.conf(5), passwd(5), pw.conf(5), pwd_mkdb(8), vipw(8)

[править] HISTORY

    The pw utility was written to mimic many of the options used in the SYSV
    shadow support suite, but is modified for passwd and group fields spe‐
    cific to the 4.4BSD operating system, and combines all of the major ele‐
    ments into a single command.

FreeBSD 9.0 December 21, 2011 FreeBSD 9.0

Источник — «»