How (and Why) to Add User(s) to FreeBSD

by tdrss

While most system administrators and power users will roll their eyes at this Instructable, I offer it simply to show another way of administering your FreeBSD system. Any novice sysadmin (if they are worth their salt) has done something stupid while logged into the "superuser" root account. I am not discouraging the use of root (when applicable), but offering you a thin safety net against any mistakes you might make.

Decide on Your (new) Username and Purpose

I have created user accounts that were compartmentalized. For example, one account was solely to update a webpage and associated database. Another was for my music server. While seemingly cumbersome, the fewer privileges you give a user account, the fewer problems you will have if someone breaks into the account and attempts to do harm.

For this Instructable, I am creating an account that will be equal to root (for all intents and purposes), but provide "safeguards" to make you think twice before executing a command. For these examples, I am naming the account knight... as in "protector of the realm."

Use Adduser To...Add User

Being logged in as root (initially), type in:

adduser

A litany of prompts will return, expecting a response:

Username: (This is the name you want for the user account login)

Full Name: (User's full name)

Uid: (A unique number given to every account; leave empty for a default)

Login group: (the command will use the username as a group; optional to change it)

Invite into other groups? (Yes! You want your user in the group known as "wheel")

Login class: (Leave as default)

Shell: (root will use C-shell [csh] as default; your choice what to use.)

Home directory: (leave as default)

Home directory permissions: (leave as default)

Use password-based authentication? (Yes!)

Use an empty password? (No, don't do this... especially with the permissions and abilities you're giving this account)

Use a random password? (Your choice... but ensure you remember it!)

Enter password: (If you didn't choose a random password, type your chosen text here)

Enter password again: (Type in chosen text again to verify)

Lock out the account after creation? (Your choice, but recommend "no" if you are going to use it immediately after)

Username : knight

Password : ********

Full Name : Dark Knight

Uid : 1001

Class :

Groups : knight wheel

Home : /home/knight

Shell : /usr/bin/sh

Locked : no

OK? (If everything looks good, type in "yes")

Setting Up Sudo

sudo allows a user to perform "su" (superuser) tasks without having to log into the root account. Why is this ability important? If you connect to a remote computer and would like to perform root tasks, this is the only way to do so. As a security measure, most systems (by default) do not allow anyone to log in as root through telnet or secure shell (ssh). Unless you have the system console in front of you, you are out of luck.

To use sudo, it must first be installed.

From ports:

# cd /usr/ports/security/sudo/ && make install clean

From packages:

# pkg install sudo

Once the command is installed, the chosen username (e.g. knight) must be added to the /usr/local/etc/sudoers file:

# visudo

Add the following lines, using your chosen username instead of knight. The second line grants the same access to every member of the wheel group:

knight ALL=(ALL) ALL

%wheel ALL=(ALL) ALL

You should now have "god-like" powers on the system.
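To see at a glance which entries carry that level of access, here is an added example (not part of the original Instructable) that reads a sudoers-style file and reports, per rule, whether the command list is unrestricted and whether a password is required. The sample file is constructed: knight and %wheel are the two lines above, while webupd, music and the nginx command are hypothetical stand-ins for compartmentalized accounts.

```shell
#!/bin/sh
# Added example: report which sudoers rules allow any command.
# Scope (assumption): single-line rules only; aliases, line continuations
# and included files are not followed, and the (runas) user is not evaluated.

# Constructed sample. knight and %wheel come from the page; webupd and
# music are hypothetical compartmentalized accounts.
sample_sudoers() {
    cat <<'EOF'
# constructed sample sudoers
Defaults env_reset
knight ALL=(ALL) ALL
%wheel ALL=(ALL) ALL
webupd ALL=(root) /usr/sbin/service nginx reload
music  ALL=(ALL) NOPASSWD: ALL
EOF
}

# audit_sudoers FILE -> "<who> <FULL|LIMITED> <PASSWD|NOPASSWD>" per rule
audit_sudoers() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                # comments, blanks
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }     # not user rules
        {
            eq = index($0, "=")
            if (eq == 0) next
            who  = $1
            spec = substr($0, eq + 1)
            pw   = (spec ~ /NOPASSWD[ \t]*:/) ? "NOPASSWD" : "PASSWD"
            sub(/^[ \t]*\([^)]*\)/, "", spec)    # drop the (runas) part
            gsub(/[A-Z_]+[ \t]*:/, "", spec)     # drop tags such as NOPASSWD:
            scope = "LIMITED"
            n = split(spec, cmd, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmd[i])
                if (cmd[i] == "ALL") scope = "FULL"   # unrestricted commands
            }
            print who, scope, pw
        }
    ' "$1"
}

tmp=$(mktemp)
sample_sudoers > "$tmp"
audit_sudoers "$tmp"
rm -f "$tmp"
```

Any line reported as FULL is equivalent to handing out the root password; FULL with NOPASSWD also removes the password pause described below.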

Using Sudo

Once your chosen username has been added via visudo, the account can use the sudo command:

% sudo -s

Will allow you to become root, complete with # prompt.

% sudo <cmd>

Will allow you to run a <cmd> as root, while still being logged in as your username/prompt. After pressing "Enter," sudo will prompt you for your password. If another sudo command is issued immediately thereafter, another password entry is not required.

The "Why": ...with Great Power, Comes Great Responsibility...

For anyone who is used to a command-line interface, typing fast often comes at the price of inaccuracy. Being logged in as root can cause a lot of damage; multiply that by a sloppy or careless typist, and there is danger ahead.

The sudo command offers one great thing: pause... literally. When you type sudo and are forced to retype in your password, you have an opportunity to double-check what you typed in to execute. This half-second of verification can save you hours of rebuilding a system.

While the syntax (and intent) behind this Instructable was meant for FreeBSD, the results listed above are the same for Raspberry Pi, and all Linux-based systems.

The best thing is to think before you type. Second best is having to pause before you execute the command.