Managing Users/Groups With pw

General Information

This guide explains how to manage FreeBSD accounts using pw, a critical application that can manipulate most things to do with the /etc/passwd and /etc/group files. It can also set things like how long an account can be active, the date until which it is active, and other cool things. The easiest way to learn how to use pw is to play with it on a test install.

Requirements

  1. Local root access on the box, or a user in the wheel group so you can su to root.
  2. An SSH client like PuTTY or SecureCRT (only if not logging on locally).

Installation

There is no installation needed for this, as long as you have a FreeBSD system with version 5.x or 4.x (I don’t doubt it is the same app, changing only minimally from version to version).

pw user help

Using pw is really easy. The man page makes it look like the hardest tool ever to use, but in fact it comes with its own built-in help menu.

# pw

usage:
  pw [user|group|lock|unlock] [add|del|mod|show|next] [help|switches/values]

First off, we will start with how we can manipulate users. This includes adding, modifying and deleting users. With a simple command like the following, we can see what we can do if we want to add a user:

# pw user add help

usage: pw useradd [name] [switches]
        -V etcdir      alternate /etc location
        -C config      configuration file
        -q             quiet operation
  Adding users:
        -n name        login name
        -u uid         user id
        -c comment     user name/comment
        -d directory   home directory
        -e date        account expiry date
        -p date        password expiry date
        -g grp         initial group
        -G grp1,grp2   additional groups
        -m [ -k dir ]  create and set up home
        -s shell       name of login shell
        -o             duplicate uid ok
        -L class       user class
        -h fd          read password on fd
        -Y             update NIS maps
        -N             no update
  Setting defaults:
        -V etcdir      alternate /etc location
        -D             set user defaults
        -b dir         default home root dir
        -e period      default expiry period
        -p period      default password change period
        -g group       default group
        -G grp1,grp2   additional groups
        -L class       default user class
        -k dir         default home skeleton
        -u min,max     set min,max uids
        -i min,max     set min,max gids
        -w method      set default password method
        -s shell       default shell
        -y path        set NIS passwd file path

As you can see, there are quite a few options. Let’s say you want to add a user called “myname” with a homedir located at /usr/home/special/myname and with /usr/local/bin/bash as the shell:

# pw user add myname -d /usr/home/special/myname -s /usr/local/bin/bash -m

If all went well, we should now have a user called “myname” with a homedir where you specified it, and with bash as the default shell.

Now let's say we want to delete this same user, because his term has expired or just because he is not needed anymore. The easiest way to do this is:

# pw user del myname

Of course, the del command of pw also has a few options:

# pw user del help

usage: pw userdel [uid|name] [switches]
        -V etcdir      alternate /etc location
        -n name        login name
        -u uid         user id
        -Y             update NIS maps
        -r             remove home & contents

So an even better way to remove the user “myname” would be to use:

# pw user del myname -r

This would remove the user's home dir as well as all the content he currently has. I personally don’t suggest this. I make a backup and/or move the files to another space, and just remove the user, so if someone later needs files that user had, I can still retrieve them and get them to whoever wants them.

Now that we know how to create and delete users, how about being able to modify them? We may want to set a new date on which the account expires, or a new date for the password change to occur. pw user mod helps us with that. It has quite a few options as well.

# pw user mod help

usage: pw usermod [uid|name] [switches]
        -V etcdir      alternate /etc location
        -C config      configuration file
        -q             quiet operation
        -F             force add if no user
        -n name        login name
        -u uid         user id
        -c comment     user name/comment
        -d directory   home directory
        -e date        account expiry date
        -p date        password expiry date
        -g grp         initial group
        -G grp1,grp2   additional groups
        -l name        new login name
        -L class       user class
        -m [ -k dir ]  create and set up home
        -s shell       name of login shell
        -w method      set new password using method
        -h fd          read password on fd
        -Y             update NIS maps
        -N             no update

Now let's say we still have our lovely user called "myname" (Quick, re-add the user again, before I notice it was gone ;-P), and we want to add him to another group, the wheel group, so he can use "su" to root.

# pw user mod myname -G wheel

If no output is shown, it all went well; if there is an error, pw will let you know. Now when you log in as the user "myname" you can su and become root.
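
The -G switch of pw user mod sets the user's complete list of additional groups, so a user who already belongs to other groups is removed from any group not named on the command line. The following is an added example, not part of the original guide: a small sh script that reads a group file, collects the groups a user is already in, and prints a pw user mod command that keeps them. The function names, the GROUP_FILE variable and the sample group entries are made up for illustration.

```sh
#!/bin/sh
# Added example: keep a user's existing groups when adding one with pw -G.
GROUP_FILE="${GROUP_FILE:-/etc/group}"   # override to work on a copy

# Print the additional groups of user $1, comma-separated, in file order.
# Line format: name:password:gid:member1,member2,...
supp_groups() {
    awk -F: -v u="$1" '
        /^#/ || NF < 4 { next }            # skip comments and malformed lines
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] == u) { out = (out == "" ? "" : out ",") $1; break }
        }
        END { print out }
    ' "$GROUP_FILE"
}

# Print the pw command that adds user $1 to group $2 and keeps current groups.
add_group_cmd() {
    user=$1 new=$2
    # Refuse empty names or names with characters outside a conservative set.
    case "$user" in ''|*[!A-Za-z0-9._-]*) echo "bad user name" >&2; return 1 ;; esac
    case "$new" in ''|*[!A-Za-z0-9._-]*) echo "bad group name" >&2; return 1 ;; esac
    cur=$(supp_groups "$user")
    case ",$cur," in
        *",$new,"*) echo "# $user is already in $new"; return 0 ;;
    esac
    if [ -n "$cur" ]; then list="$cur,$new"; else list="$new"; fi
    echo "pw user mod $user -G $list"
}

# Constructed sample in /etc/group format (not taken from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed example data
wheel:*:0:root
operator:*:5:root,myname
staff:*:20:myname
myname:*:1001:
EOF
GROUP_FILE=$sample

add_group_cmd myname wheel
```

To use it against the live system, drop the sample section so GROUP_FILE stays at /etc/group, then review the printed command before running it as root.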

pw group help

Now that we know how to manipulate users, or at least quite a bit about it, we also want to be able to manipulate groups. Manipulating groups works the same way as for users, except that instead of pw user help, we type pw group help.

# pw group add help

usage: pw groupadd [group|gid] [switches]
        -V etcdir      alternate /etc location
        -C config      configuration file
        -q             quiet operation
        -n group       group name
        -g gid         group id
        -M usr1,usr2   add users as group members
        -o             duplicate gid ok
        -Y             update NIS maps
        -N             no update

From this we can see that there are far fewer switches we can use to modify how pw acts. Adding a group is as easy as adding a user, or even easier. For instance, if we want to create a group called "mygroup" and add the user "myname" to that group, we can call pw as follows:

# pw group add mygroup -M myname

Okay, so that's all fine and dandy, but what about deleting a group you have just added? It's just as easy as removing a user. It has some options, but it's highly unlikely you will ever use any of them.

# pw group del help

usage: pw groupdel [group|gid] [switches]
        -V etcdir      alternate /etc location
        -n name        group name
        -g gid         group id
        -Y             update NIS maps

As you have probably noticed from the above, a simple command like the one below will do the job, and it's easier to remember.

# pw group del mygroup

Figuring out how to modify groups is something I will leave up to the reader. Remember, you can type just pw to see all the options.

# pw group mod help

Be careful, and pw can be a very useful utility in your daily admin work.
