HardenedBSD/usr.sbin/pw/pw.conf.5

.\" Copyright (c) 1996
.\"	David L. Nugent.
.\"	Password/Group file maintenance suite
.\"
.\"	$Id: pw.conf.5,v 1.2 1996/11/18 03:09:02 davidn Exp $
.\"
.Dd November 13, 1996
.Dt PW.CONF 5
.Os 
.Sh NAME
.Nm pw.conf
.Nd format of the pw.conf configuration file
.Sh DESCRIPTION
The file
.Aq Pa /etc/pw.conf
contains configuration data for the
.Xr pw 8
program.
The
.Xr pw 8
program is used for maintenance of the system password and group
files, allowing users and groups to be added, deleted and changed.
This file may be modified via the
.Xr pw 8
command using the
.Ql \&useradd
command and the
.Ql \&-D
option, or by editing it directly with a text editor.
.Pp
Each line in
.Aq Pa /etc/pw.conf
is treated either a comment or as configuration data;
blank lines and lines commencing with a
.Ql \&#
character are considered comments, and any remaining lines are
examined for a leading keyword, followed by corresponding data.
.Pp
Keywords recognised by 
.Xr pw 8
are:
.Bl -tag -width password_days -offset indent -compact
.It defaultpasswd
affects passwords generated for new users
.It reuseuids
reuse gaps in uid sequences
.It reusegids
reuse gaps in gid sequences
.It skeleton
where to obtain default home contents
.It newmail
mail to send to new users
.It logfile
log user/group modifications to this file
.It home
root directory for home directories
.It shellpath
paths in which to locate shell programs
.It shells
list of valid shells (without path)
.It defaultshell
default shell (without path)
.It defaultgroup
default group
.It extragroups
add new users to this groups
.It loginclass
place new users in this login class
.It minuid
.It maxuid
range of valid default user ids
.It mingid
.It maxgid
range of valid default group ids
.It expire_days
days after which account expires
.It password_days
days after which password expires
.El
.Pp
Valid values for
.Ar defaultpasswd
are
.Bl -tag -width password_days -offset indent -compact
.It no
disables login on newly created accounts
.It yes
forces the password to be the account name
.It none
forces a blank password
.It random
Generates a random password
.El
.Pp
The second and third options are insecure and should be avoided if
possible on a publicly accessible system.
The first option requires that the superuser run
.Xr passwd 1
to set a password before the account may be used.
This may also be useful for creating administrative accounts.
The final option causes
.Xr pw 8
to respond by printing a randomly generated password on stdout.
This is the preferred and most secure option.
.Xr pw 8
also provides a method of setting a specific password for the new
user via a filehandle (command lines are not secure).
.Pp
Both
.Ar reuseuids
and
.Ar reusegids
determine the method by which new user and group id numbers are
generated.
A
.Ql \&yes
in this field will cause
.Xr pw 8
to search for the first unused user or group id within the allowed
range, whereas a
.Ql \&no
will ensure that no other existing user or group id within the range
is numerically lower than the new one generated, and therefore avoids
reusing gaps in the user or group id sequence that are caused by
previous user or group deletions.
Note that if the default group is not specified using the
.Ar defaultgroup
keyword,
.Xr pw 8
will create a new group for the user and attempt to keep the new
user's uid and gid the same.
If the new user's uid is currently in use as a group id, then the next
available group id is chosen instead.
.Pp
The
.Ar skeleton
keyword nominates a directory from which the contents of a user's
new home directory is constructed.
This is
.Pa /usr/share/skel
by default.
.Xr pw 8 's
.Ql \&-m
option causes the user's home directory to be created and populated
using the files contained in the
.Ar skeleton
directory.
.Pp
To send an initial email to new users, the
.Ar newmail
keyword may be used to specify a path name to a file containing
the message body of the message to be sent.
To avoid sending mail when accounts are created, leave this entry
blank or specify
.Ql \&no .
.Pp
The
.Ar logfile
option allows logging of password file modifications into the
nominated log file.
To avoid creating or adding to such a logfile, then leave this
field blank or specify
.Ql \&no .
.Pp
The
.Ar home
keyword is mandatory.
This specifies the location of the directory in which all new user
home directories are created.
.Pp
.Ar shellpath
specifies a list of directories - separated by colons
.Ql \&:
- which contain the programs used by the login shells.
.Pp
The
.Ar shells
keyword specifies a list of programs available for use as login
shells.
This list is a comma-separated list of shell names which should
not contain a path.
These shells must exist in one of the directories nominated by
.Ar shellpath .
.Pp
The
.Ar defaultshell
keyword nominates which shell program to use for new users when
none is specified on the 
.Xr pw 8
command line.
.Pp
The
.Ar defaultgroup
keyword defines the primary group (the group id number in the
password file) used for new accounts.
If left blank, or the word
.Ql \&no
is used, then each new user will have a corresponding group of
their own created automatically.
This is the recommended procedure for new users as it best secures each
user's files against interference by other users of the system
irrespective of the 
.Em umask .
normally used by the user.
.Pp
.Ar extragroups
provides an automatic means of placing new users into groups within
the
.Pa /etc/groups
file.
This is useful where all users share some resources, and is preferable
to placing users into the same primary group.
The effect of this keyword can be overridden using the
.Ql \&-G
option on
.Xr pw 8 's
command line.
.Pp
The
.Ar minuid ,
.Ar maxuid ,
.Ar mingid ,
.Ar maxgid
keywords determines the allowed ranges of automatically allocated user
and group id numbers.
The default values for both user and group ids are 1000 and 32000 as
minimum and maximum respectively.
The user and group id's actually used when creating an account with
.Xr pw 8
may be overridden using the
.Ql \&-u
and
.Ql \&-g
command line options.
.Pp
The
.Ar expire_days
and
.Ar password_days
are used to automatically calculate the number of days from the date
on which an account is created when the account will expire or the
user will be forced to change the account's password.
A value of
.Ql \&0
in either field will disable the corresponding (account or password)
expiration date.
.Pp
.Sh LIMITS
The maximum line length of
.Pa /etc/acct/pw.conf
is 1024 characters. Longer lines will be skipped and treated
as comments.
.Sh FILES
.Bl -tag -width /etc/master.passwd -compact
.It Pa /etc/pw.conf
.It Pa /etc/passwd
.It Pa /etc/master.passwd
.It Pa /etc/group
.El
.Sh SEE ALSO
.Xr pw 8 ,
.Xr passwd 1 ,
.Xr passwd 5 ,
.Xr group 5