PW(8)
NAME
- pw - create, remove, modify & display system users and
- groups
SYNOPSIS
pw [-V etcdir] useradd [name|uid] [-C config] [-q] [-n name]
[-u uid]
[-c comment] [-d dir] [-e date] [-p date] [-g group] [-G
grouplist]
[-m] [-k dir] [-w method] [-s shell] [-o] [-L class] [-h
fd | -H fd]
[-N] [-P] [-Y]
pw [-V etcdir] useradd [name|uid] -D [-C config] [-q] [-b
dir] [-e days]
[-p days] [-g group] [-G grouplist] [-k dir] [-u min,max]
[-i min,max]
[-w method] [-s shell] [-y path]
pw [-V etcdir] userdel [name|uid] [-n name] [-u uid] [-r]
[-Y]
pw [-V etcdir] usermod [name|uid] [-C config] [-q] [-n name]
[-u uid]
[-c comment] [-d dir] [-e date] [-p date] [-g group] [-G
grouplist]
[-l name] [-m] [-k dir] [-w method] [-s shell] [-L class]
[-h fd | -H fd] [-N] [-P] [-Y]
pw [-V etcdir] usershow [name|uid] [-n name] [-u uid] [-F]
[-P] [-7] [-a]
pw [-V etcdir] usernext [-C config] [-q]
pw [-V etcdir] groupadd [group|gid] [-C config] [-q] [-n
group] [-g gid]
[-M members] [-o] [-h fd | -H fd] [-N] [-P] [-Y]
pw [-V etcdir] groupdel [group|gid] [-n name] [-g gid] [-Y]
pw [-V etcdir] groupmod [group|gid] [-C config] [-q] [-n
name] [-g gid]
[-l name] [-M members] [-m newmembers] [-h fd | -H fd]
[-N] [-P] [-Y]
pw [-V etcdir] groupshow [group|gid] [-n name] [-g gid] [-F]
[-P] [-a]
pw [-V etcdir] groupnext [-C config] [-q]
pw [-V etcdir] lock [name|uid] [-C config] [-q]
pw [-V etcdir] unlock [name|uid] [-C config] [-q]
DESCRIPTION
- The pw utility is a command-line based editor for the system
- user and
group files, allowing the superuser an easy to use and stan
- dardized way
of adding, modifying and removing users and groups. Note
- that pw only
operates on the local user and group files. NIS users and
- groups must be
maintained on the NIS server. The pw utility handles updat
- ing the
passwd, master.passwd, group and the secure and insecure
- password
database files, and must be run as root.
- The first one or two keywords provided to pw on the command
- line provide
the context for the remainder of the arguments. The key
- words user and
group may be combined with add, del, mod, show, or next in
- any order.
(For example, showuser, usershow, show user, and user show
- all mean the
same thing.) This flexibility is useful for interactive
- scripts calling
pw for user and group database manipulation. Following
- these keywords,
you may optionally specify the user or group name or numeric
- id as an
alternative to using the -n name, -u uid, -g gid options.
- The following flags are common to most or all modes of oper
- ation:
- -V etcdir This flag sets an alternate location for the
- password,
- group and configuration files, and may be used
- to maintain
a user/group database in an alternate loca
- tion. If this
switch is specified, the system /etc/pw.conf
- will not be
sourced for default configuration data, but
- the file
pw.conf in the specified directory will be
- used instead (or
none, if it does not exist). The -C flag may
- be used to
override this behaviour. As an exception to
- the general
rule where options must follow the operation
- type, the -V
flag may be used on the command line before
- the operation
keyword.
- -C config By default, pw reads the file /etc/pw.conf to
- obtain policy
- information on how new user accounts and
- groups are to be
created. The -C option specifies a different
- configuration
file. While most of the contents of the con
- figuration file
may be overridden via command-line options, it
- may be more
convenient to keep standard information in a
- configuration
file.
- -q Use of this option causes pw to suppress error
- messages,
- which may be useful in interactive environ
- ments where it is
preferable to interpret status codes returned
- by pw rather
than messing up a carefully formatted display.
- -N This option is available in add and modify op
- erations, and
- tells pw to output the result of the operation
- without
updating the user or group databases. You may
- use the -P
option to switch between standard passwd and
- readable formats.
- -Y Using this option with any of the update modes
- causes pw to
- run make(1) after changing to the directory
- /var/yp. This
is intended to allow automatic updating of NIS
- database
files. If separate passwd and group files are
- being used
by NIS, then use the -y path option to specify
- the location
of the NIS passwd database so that pw will
- concurrently
update it with the system password databases.
USER OPTIONS
- The following options apply to the useradd and usermod com
- mands:
- -n name Specify the user/account name.
- -u uid Specify the user/account numeric id.
Usually, you only need to provide one or the- other of these
options, as the account name will imply the
- uid, or vice
versa. However, there are times when you need
- to provide
both. For example, when changing the uid of
- an existing
user with usermod, or overriding the default
- uid when creating a new account. If you wish pw to auto
- matically allocate the uid to a new user with useradd, then
- you should
not use the -u option. You may also provide
- either the
account or userid immediately after the
- useradd, userdel,
usermod or usershow keywords on the command
- line without
using the -n or -u options.
- -c comment This field sets the contents of the passwd
- GECOS field,
- which normally contains up to four comma-sepa
- rated fields
containing the user's full name, office or lo
- cation, and
work and home phone numbers. These sub-fields
- are used by
convention only, however, and are optional.
- If this field
is to contain spaces, you need to quote the
- comment itself
with double quotes `"'. Avoid using commas in
- this field
as these are used as sub-field separators, and
- the colon
`:' character also cannot be used as this is
- the field separator for the passwd file itself.
- -d dir This option sets the account's home directory.
- Normally,
- you will only use this if the home directory
- is to be different from the default determined from
- /etc/pw.conf - normally /home with the account name as a subdi
- rectory.
- -e date Set the account's expiration date. Format of
- the date is
- either a UNIX time in decimal, or a date in
- `dd-mmm-yy[yy]'
format, where dd is the day, mmm is the month,
- either in
numeric or alphabetic format ('Jan', 'Feb',
- etc) and year
is either a two or four digit year. This op
- tion also
accepts a relative date in the form `+n[mhd
- woy]' where `n'
is a decimal, octal (leading 0) or hexadecimal
- (leading 0x)
digit followed by the number of Minutes,
- Hours, Days,
Weeks, Months or Years from the current date
- at which the
expiration date is to be set.
- -p date Set the account's password expiration date.
- This field is
- similar to the account expiration date option,
- except that
it applies to forced password changes. This
- is set in the
same manner as the -e option.
- -g group Set the account's primary group to the given
- group. group
- may be defined by either its name or group
- number.
- -G grouplist Set additional group memberships for an ac
- count. grouplist
- is a comma-separated list of group names or
- group numbers.
The user's name is added to the group lists in
- /etc/group,
and removed from any groups not specified in
- grouplist.
Note: a user should not be added to their pri
- mary group
with grouplist. Also, group membership
- changes do not take
effect for current user login sessions, re
- quiring the user
to reconnect to be affected by the changes.
- -L class This option sets the login class for the user
- being cre
- ated. See login.conf(5) and passwd(5) for
- more information
on user login classes.
- -m This option instructs pw to attempt to create
- the user's
- home directory. While primarily useful when
- adding a new
account with useradd, this may also be of use
- when moving
an existing user's home directory elsewhere on
- the file
system. The new home directory is populated
- with the contents of the skeleton directory, which typi
- cally contains a
set of shell configuration files that the user
- may personalize to taste. When -m is used on an account
- with
usermod, existing configuration files in the
- user's home
directory are not overwritten from the skele
- ton files.
- When a user's home directory is created, it
- will by default
be a subdirectory of the basehome directory as
- specified by
the -b option (see below), bearing the name of
- the new
account. This can be overridden by the -d op
- tion on the
command line, if desired.
- -k dir Set the skeleton directory, from which basic
- startup and
- configuration files are copied when the user's
- home directory is created. This option only has meaning
- when used
with the -d or -m flags.
- -s shell Set or changes the user's login shell to
- shell. If the
- path to the shell program is omitted, pw
- searches the
shellpath specified in /etc/pw.conf and fills
- it in as
appropriate. Note that unless you have a spe
- cific reason
to do so, you should avoid specifying the path
- - this will
allow pw to validate that the program exists
- and is executable. Specifying a full path (or supplying
- a blank ""
shell) avoids this check and allows for such
- entries as
/nonexistent that should be set for accounts
- not intended
for interactive login.
- -h fd This option provides a special interface by
- which interac
- tive scripts can set an account password using
- pw. Because
the command line and environment are fundamen
- tally insecure
mechanisms by which programs can accept infor
- mation, pw
will only allow setting of account and group
- passwords via
a file descriptor (usually a pipe between an
- interactive
script and the program). sh, bash, ksh and
- perl all possess mechanisms by which this can be done.
- Alternatively,
pw will prompt for the user's password if -h 0
- is given,
nominating stdin as the file descriptor on
- which to read
the password. Note that this password will be
- read only
once and is intended for use by a script
- rather than for
interactive use. If you wish to have new
- password confirmation along the lines of passwd(1), this must
- be implemented as part of an interactive script that
- calls pw.
- If a value of `-' is given as the argument fd,
- then the
password will be set to `*', rendering the ac
- count inaccessible via password-based login.
- -H fd Read an encrypted password string from the
- specified file
- descriptor. This is like -h, but the password
- should be
supplied already encrypted in a form suitable
- for writing
directly to the password database.
- It is possible to use useradd to create a new account that
- duplicates an
existing user id. While this is normally considered an er
- ror and will be
rejected, the -o option overrides the check for duplicates
- and allows the
duplication of the user id. This may be useful if you allow
- the same
user to login under different contexts (different group al
- locations, different home directory, different shell) while providing ba
- sically the
same permissions for access to the user's files in each ac
- count.
- The useradd command also has the ability to set new user and
- group
defaults by using the -D option. Instead of adding a new
- user, pw writes
a new set of defaults to its configuration file,
- /etc/pw.conf. When
using the -D option, you must not use either -n name or -u
- uid or an
error will result. Use of -D changes the meaning of several
- command line
switches in the useradd command. These are:
- -D Set default values in /etc/pw.conf configura
- tion file, or a
- different named configuration file if the -C
- config option
is used.
- -b dir Set the root directory in which user home di
- rectories are
- created. The default value for this is /home,
- but it may
be set elsewhere as desired.
- -e days Set the default account expiration period in
- days. Unlike
- use without -D, the argument must be numeric,
- which specifies the number of days after creation when
- the account is
to expire. A value of 0 suppresses automatic
- calculation
of the expiry date.
- -p days Set the default password expiration period in
- days.
- -g group Set the default group for new users. If a
- blank group is
- specified using -g "", then new users will be
- allocated
their own private primary group with the same
- name as their
login name. If a group is supplied, either
- its name or uid
may be given as an argument.
- -G grouplist Set the default groups in which new users are
- granted mem
- bership. This is a separate set of groups
- from the primary
group, and you should avoid nominating the
- same group as
both primary and extra groups. In other
- words, these extra
groups determine membership in groups other
- than the primary group. grouplist is a comma-separated
- list of group
names or ids, and are always stored in
- /etc/pw.conf by
their symbolic names.
- -L class This option sets the default login class for
- new users.
- -k dir Set the default skeleton directory, from which
- prototype
- shell and other initialization files are
- copied when pw
creates a user's home directory.
- -u min,max, -i min,max
- These options set the minimum and maximum user
- and group
ids allocated for new accounts and groups cre
- ated by pw.
The default values for each is 1000 minimum
- and 32000 maximum. min and max are both numbers, where max
- must be
greater than min, and both must be between 0
- and 32767. In
general, user and group ids less than 100 are
- reserved for
use by the system, and numbers greater than
- 32000 may also
be reserved for special purposes (used by some
- system daemons).
- -w method The -w option sets the default method used to
- set passwords
- for newly created user accounts. method is
- one of:
no disable login on newly created
accounts
yes force the password to be the ac
count name
none force a blank password
random generate a random password
- The `random' or `no' methods are the most se
- cure; in the
former case, pw generates a password and
- prints it to stdout, which is suitable where you issue users
- with passwords
to access their accounts rather than having
- the user nominate their own (possibly poorly chosen) pass
- word. The `no'
method requires that the superuser use pass
- wd(1) to render
the account accessible with a password.
- -y path This sets the pathname of the database used by
- NIS if you
- are not sharing the information from
- /etc/master.passwd
directly with NIS. You should only set this
- option for NIS
servers.
- The userdel command has only three valid options. The -n
- name and -u uid
options have already been covered above. The additional op
- tion is:
- -r This tells pw to remove the user's home direc
- tory and all
- of its contents. The pw utility errs on the
- side of caution when removing files from the system.
- Firstly, it will
not do so if the uid of the account being re
- moved is also
used by another account on the system, and the
directory in the password file is a valid path
- that commences with the character `/'. Secondly, it
- will only
remove files and directories that are actually
- owned by the
user, or symbolic links owned by anyone under
- the user's
home directory. Finally, after deleting all
- contents owned
by the user only empty directories will be re
- moved. If any
additional cleanup work is required, this is
- left to the
administrator.
- Mail spool files and crontabs are always removed when an ac
- count is
deleted as these are unconditionally attached to the user
- name. Jobs
queued for processing by at are also removed if the user's
- uid is unique
and not also used by another account on the system.
- The usershow command allows viewing of an account in one of
- two formats.
By default, the format is identical to the format used in
/etc/master.passwd with the password field replaced with a
- `*'. If the
-P option is used, then pw outputs the account details in a
- more human
readable form. If the -7 option is used, the account de
- tails are shown
in v7 format. The -a option lists all users currently on
- file. Using -F
forces pw to print the details of an account even if it does
- not exist.
- The command usernext returns the next available user and
- group ids separated by a colon. This is normally of interest only to in
- teractive
scripts or front-ends that use pw.
GROUP OPTIONS
- The -C and -q options (explained at the start of the previ
- ous section)
are available with the group manipulation commands. Other
- common options
to all group-related commands are:
- -n name Specify the group name.
- -g gid Specify the group numeric id.
As with the account name and id fields, you- will usually
only need to supply one of these, as the
- group name
implies the uid and vice versa. You will on
- ly need to use
both when setting a specific group id against
- a new group
or when changing the uid of an existing
- group.
- -M memberlist This option provides an alternative way to
- add existing
- users to a new group (in groupadd) or replace
- an existing
membership list (in groupmod). memberlist is
- a comma separated list of valid and existing user names
- or uids.
- -m newmembers Similar to -M, this option allows the
- addition of existing
- users to a group without replacing the exist
- ing list of
members. Login names or user ids may be
- used, and duplicate users are silently eliminated.
- groupadd also has a -o option that allows allocation of an
- existing group
id to a new group. The default action is to reject an at
- tempt to add a
group, and this option overrides the check for duplicate
- group ids.
There is rarely any need to duplicate a group id.
- The groupmod command adds one additional option:
- -l name This option allows changing of an existing
- group name to
- `name'. The new name must not already exist,
- and any
attempt to duplicate an existing group name
- will be
rejected.
- Options for groupshow are the same as for usershow, with the
- -g gid
replacing -u uid to specify the group id. The -7 option
- does not apply
to the groupshow command.
- The command groupnext returns the next available group id on
- standard
output.
USER LOCKING
- The pw utility supports a simple password locking mechanism
- for users; it
works by prepending the string `*LOCKED*' to the beginning
- of the password field in master.passwd to prevent successful authenti
- cation.
- The lock and unlock commands take a user name or uid of the
- account to
lock or unlock, respectively. The -V, -C, and -q options as
- described
above are accepted by these commands.
NOTES
- For a summary of options available with each command, you
- can use
- pw [command] help
- For example,
- pw useradd help
- lists all available options for the useradd operation.
- The pw utility allows 8-bit characters in the passwd GECOS
- field (user's
full name, office, work and home phone number subfields),
- but disallows
them in user login and group names. Use 8-bit characters
- with caution,
as connection to the Internet will require that your mail
- transport program supports 8BITMIME, and will convert headers containing
- 8-bit characters to 7-bit quoted-printable format. sendmail(8) does
- support this.
Use of 8-bit characters in the GECOS field should be used in
- conjunction
with the user's default locale and character set and should
- not be implemented without their use. Using 8-bit characters may also
- affect other
programs that transmit the contents of the GECOS field over
- the Internet,
such as fingerd(8), and a small number of TCP/IP clients,
- such as IRC,
where full names specified in the passwd file may be used by
- default.
- The pw utility writes a log to the /var/log/userlog file
- when actions
such as user or group additions or deletions occur. The lo
- cation of this
logfile can be changed in pw.conf(5).
FILES
- /etc/master.passwd The user database
/etc/passwd A Version 7 format password file
/etc/login.conf The user capabilities database
/etc/group The group database
/etc/master.passwd.new Temporary copy of the master pass
- word file
/etc/passwd.new Temporary copy of the Version 7
- password file
/etc/group.new Temporary copy of the group file
/etc/pw.conf Pw default options file
/var/log/userlog User/group modification logfile
EXIT STATUS
- The pw utility returns EXIT_SUCCESS on successful operation,
- otherwise pw
returns one of the following exit codes defined by sysex
- its(3) as follows:
- EX_USAGE
- +o Command line syntax errors (invalid keyword, un
- known option).
- EX_NOPERM
- +o Attempting to run one of the update modes as non
- root.
- EX_OSERR
- +o Memory allocation error.
+o Read error from password file descriptor.
- EX_DATAERR
- +o Bad or invalid data provided or missing on the
- command line or
via the password file descriptor.
- +o Attempted to remove, rename root account or change
- its uid.
- EX_OSFILE
- +o Skeleton directory is invalid or does not exist.
+o Base home directory is invalid or does not exist.
+o Invalid or non-existent shell specified.
- EX_NOUSER
- +o User, user id, group or group id specified does
- not exist.
+o User or group recorded, added, or modified unex
- pectedly disap
peared.
- EX_SOFTWARE
- +o No more group or user ids available within speci
- fied range.
- EX_IOERR
- +o Unable to rewrite configuration file.
+o Error updating group or user database files.
+o Update error for passwd or group database files.
- EX_CONFIG
- +o No base home directory configured.
SEE ALSO
- chpass(1), passwd(1), group(5), login.conf(5), passwd(5),
- pw.conf(5),
pwd_mkdb(8), vipw(8)
HISTORY
- The pw utility was written to mimic many of the options used
- in the SYSV
shadow support suite, but is modified for passwd and group
- fields specific to the 4.4BSD operating system, and combines all of
- the major elements into a single command.
- BSD January 11, 2004