14.2 Introduction

Since all access to the FreeBSD system is achieved via accounts and all processes are run by users, user and account management is important.

Every account on a FreeBSD system has certain information associated with it to identify the account.

User name

The user name is typed at the login: prompt. User names must be unique on the system as no two users can have the same user name. There are a number of rules for creating valid user names, documented in passwd(5). Typically user names consist of eight or fewer all lower case characters in order to maintain backwards compatibility with applications.

Password

Each account has an associated password. While the password can be blank, this is highly discouraged and every account should have a password.

User ID (UID)

The User ID (UID) is a number, traditionally from 0 to 65535[1], used to uniquely identify the user to the system. Internally, FreeBSD uses the UID to identify users. Commands that allow a user name to be specified will first convert it to the UID. Though unlikely, it is possible for several accounts with different user names to share the same UID. As far as FreeBSD is concerned, these accounts are one user.

Group ID (GID)

The Group ID (GID) is a number, traditionally from 0 to 65535[1], used to uniquely identify the primary group that the user belongs to. Groups are a mechanism for controlling access to resources based on a user's GID rather than their UID. This can significantly reduce the size of some configuration files. A user may also be a member of more than one group.

Login class

Login classes are an extension to the group mechanism that provide additional flexibility when tailoring the system to different users.

Password change time

By default FreeBSD does not force users to change their passwords periodically. Password expiration can be enforced on a per-user basis, forcing some or all users to change their passwords after a certain amount of time has elapsed.

Account expiry time

By default FreeBSD does not expire accounts. When creating accounts that need a limited lifespan, such as student accounts in a school, specify the account expiry date. After the expiry time has elapsed, the account cannot be used to log in to the system, although the account's directories and files will remain.

User's full name

The user name uniquely identifies the account to FreeBSD, but does not necessarily reflect the user's real name. This information can be associated with the account.

Home directory

The home directory is the full path to a directory on the system. This is the user's starting directory when the user logs in. A common convention is to put all user home directories under /home/username or /usr/home/username. Each user stores their personal files and subdirectories in their own home directory.

User shell

The shell provides the default environment users use to interact with the system. There are many different kinds of shells, and experienced users will have their own preferences, which can be reflected in their account settings.

There are three main types of accounts: the superuser, system accounts, and user accounts. The superuser account, usually called root, is used to manage the system with no limitations on privileges. System accounts are used to run services. User accounts are assigned to real people and are used to log in and use the system.

14.2.1 The Superuser Account

The superuser account, usually called root, is used to perform system administration tasks and should not be used for day-to-day tasks like sending and receiving mail, general exploration of the system, or programming.

This is because the superuser, unlike normal user accounts, can operate without limits, and misuse of the superuser account may result in spectacular disasters. User accounts are unable to destroy the system by mistake, so it is generally best to use normal user accounts whenever possible, unless extra privilege is required.

Always double and triple-check any commands issued as the superuser, since an extra space or missing character can mean irreparable data loss.

Always create a user account for the system administrator and use this account to log in to the system for general usage. This applies equally to multi-user or single-user systems. Later sections will discuss how to create additional accounts and how to change between the normal user and superuser.

14.2.2 System Accounts

System accounts are used to run services such as DNS, mail, and web servers. The reason for this is security; if all services ran as the superuser, they could act without restriction.

Examples of system accounts are daemon, operator, bind, news, and www.

nobody is the generic unprivileged system account. However, the more services that use nobody, the more files and processes that user will become associated with, and hence the more privileged that user becomes.

14.2.3 User Accounts

User accounts are the primary means of access for real people to the system. User accounts insulate the user and the environment, preventing users from damaging the system or other users, and allowing users to customize their environment without affecting others.

Every person accessing the system should have a unique user account. This allows the administrator to find out who is doing what, prevents users from clobbering each others' settings or reading each others' mail, and so forth.

Each user can set up their own environment to accommodate their use of the system, by using alternate shells, editors, key bindings, and language.

Notes

[1]

It is possible to use UIDs/GIDs as large as 4294967295, but such IDs can cause serious problems with software that makes assumptions about the values of IDs.