
4.1.1 Introduction

OpenIndiana allows multiple users to work on the same computer at the same time. Only one person can sit in front of the monitor and keyboard. However, many can be remotely logged into the machine and work on it. If a user wants to use the system, he needs an account.

4.1.1.1 Account attributes

Every account has some attributes associated with it:

  • username - name of the account, which is typed at the login screen. The username format is briefly described in passwd(4).
  • password - the password the account owner needs to type in order to log into the system. Every account should have a password, and it should provide some level of security.

    Accounts without a password should not exist on the system, as they could put the system at risk!

  • uid - unique numerical user ID of the account in the system. The maximum value for uid is 2147483647. However, for compatibility reasons one should not use numbers over 60000.
  • gid - unique numerical ID of the account's primary group.
  • comment - also referred to as gecos. This field can carry an account description.
  • home directory - the path where the user is placed after he logs into the system.
  • login shell - the user's initial shell program.
  • password last change time - this field stores when the password was last changed.
  • password aging - consists of the minimum number of days required between password changes (min), the maximum number of days a password is valid (max) and the number of days before expiration that the user is warned (warn).
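The attributes above can be checked mechanically. The following audit is an added example, not part of the original handbook: it reads a passwd(4) file and a shadow(4) file and reports accounts with an empty password field, accounts with a password but no maximum age, UIDs over 60000 and UIDs that are not unique. The function name audit_accounts and the sample data are constructed for illustration.

```sh
#!/bin/sh
# audit_accounts PASSWD_FILE SHADOW_FILE  (hypothetical helper, added example)
# Prints one finding per line: "<CHECK> <username> [detail]".
audit_accounts() {
    awk -F: '
        # First file read is shadow(4): username:password:lastchg:min:max:warn:...
        FNR == NR {
            if ($2 == "")
                print "EMPTY_PASSWORD", $1
            # "NP" (no password login) and "*LK*" (locked) entries need no aging.
            else if ($2 != "NP" && $2 !~ /^\*LK\*/ && $5 == "")
                print "NO_MAX_AGE", $1
            next
        }
        # Second file is passwd(4): username:x:uid:gid:gecos:home:shell
        {
            if ($3 + 0 > 60000)
                print "UID_OVER_60000", $1, $3
            if ($3 in seen)
                print "DUPLICATE_UID", $1, $3, "(also " seen[$3] ")"
            else
                seen[$3] = $1
        }
    ' "$2" "$1"
}

# Constructed sample data, not taken from a real system.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/passwd" <<'EOF'
root:x:0:0:Super-User:/root:/bin/bash
alice:x:101:10:Alice:/export/home/alice:/bin/bash
bob:x:102:10:Bob:/export/home/bob:/bin/bash
carol:x:70000:10:Carol:/export/home/carol:/bin/bash
dave:x:101:10:Dave:/export/home/dave:/bin/bash
EOF
cat > "$sample_dir/shadow" <<'EOF'
root:NP:6445::::::
alice:$5$constructed$hash:19000:7:90:14:::
bob::19000::::::
carol:$5$constructed$hash:19000::::::
dave:*LK*:::::::
EOF
audit_accounts "$sample_dir/passwd" "$sample_dir/shadow"
```

On a live system the same function can be pointed at /etc/passwd and /etc/shadow by a user allowed to read both files.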

4.1.2 Roles

A role is a basic unit of Role-Based Access Control (RBAC), or a set of privileges one can assume. A role is not a login account. Roles will be explained in the RBAC section of this handbook.

4.1.3 Superuser account

Every UNIX-like system has an administration account, named root, used for system administrative tasks. This account has UID 0.

Using this account for everyday tasks like web browsing, email reading or movie watching is not recommended, as the root account can operate without any restrictions or limits and could cause serious damage to the system.

OpenIndiana comes with the root account disabled; instead, the root role is assigned to the user created during the installation. This means that it is not possible to log in as root directly. One has to log in as the created user and switch to the root role. However, if no user was created during the installation process, then root is able to log in via the login screen.

4.1.4 Service accounts

Service (system) accounts are used by applications that run on the system and provide services to the network, such as DNS, SMTP or WWW. For security reasons these services are run under non-privileged accounts.

OpenIndiana comes with several service accounts, such as webservd for web servers, pkg5srv for the pkg(5) server, or nobody. nobody is a system account for services needing an unprivileged user. However, the more services are run under this account, the more privileged it becomes, as it gains access to those services' processes and files.

4.1.5 User accounts

User accounts are primarily used for day-to-day tasks. Every user should have his own unique account with its own directory, so that he cannot change other users' data or environment in any way. This also makes it much easier for the administrator of the system to find out who is doing what, and allows him to set different access rights for each user separately.

During the installation process, OpenIndiana will ask for your desired username and the shell of your choice and will set up an account for you. You can add more accounts after the installation is finished.

Every user can change his own environment to his liking by using different applications such as shells, editors, mail clients or file managers. He can also customize his key bindings and language.

4.1.6 Account manipulation

Account management is done with several command-line applications, which are listed in the table below:

Command         Description
useradd(1M)     create new account on the system
userdel(1M)     delete account from the system
usermod(1M)     modify account information in the system
groupadd(1M)    create group on the system
groupdel(1M)    delete group from the system
groupmod(1M)    modify group information on the system
roleadd(1M)     create new role on the system
roledel(1M)     delete role from the system
rolemod(1M)     modify role information in the system
passwd(1)       change login password and password properties

4.1.6.1 useradd

useradd is a program to create user accounts on the system. When creating an account, one can set some attributes of the new account, such as the comment, group membership, home directory path, UID number or login shell.

4.1.6.2 userdel

One can use userdel to remove the account from the system.

4.1.6.3 usermod

usermod is used when the account already exists and the superuser needs to modify the user account information.

4.1.6.4 groupadd

groupadd creates the group and adds the corresponding entry to the /etc/group file.

4.1.6.5 groupdel

groupdel is the same as userdel, but is used for group deletion.

4.1.6.6 groupmod

When one needs to modify group attributes, groupmod should be used.

4.1.6.7 roleadd

roleadd is used to create roles in the system.

4.1.6.8 roledel

roledel deletes the selected role from the system.

4.1.6.9 rolemod

rolemod modifies a role's information on the system.

4.1.6.10 passwd

passwd changes a user's password when issued by that user. A privileged account can also change login password attributes such as the expiration date, or lock the account.

For more options of the above-mentioned tools, see the corresponding man pages.