Module Name:    src
Committed By:   riastradh
Date:           Wed Feb 26 07:31:51 UTC 2020

Modified Files:
        src/distrib/sets/lists/man: mi
        src/share/man/man7: Makefile intro.7
Added Files:
        src/share/man/man7: groups.7 users.7

Log Message:
Draft man pages for the standard users and groups.

These are currently listed in order of uid because I went through
src/etc/group and src/etc/master.passwd line by line, and sorting any
other way after the fact -- like lexicographically, how it should be
-- was kinda inconvenient.

Feel free to sort, add information, add historical references,
correct any mistakes, &c., so that these remain living documents
describing NetBSD's standard users and groups and practices around
them.

To generate a diff of this commit:
cvs rdiff -u -r1.1680 -r1.1681 src/distrib/sets/lists/man/mi
cvs rdiff -u -r1.33 -r1.34 src/share/man/man7/Makefile
cvs rdiff -u -r0 -r1.1 src/share/man/man7/groups.7 src/share/man/man7/users.7
cvs rdiff -u -r1.26 -r1.27 src/share/man/man7/intro.7

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files: Index: src/distrib/sets/lists/man/mi diff -u src/distrib/sets/lists/man/mi:1.1680 src/distrib/sets/lists/man/mi:1.1681 --- src/distrib/sets/lists/man/mi:1.1680 Sun Feb 9 16:06:17 2020 +++ src/distrib/sets/lists/man/mi Wed Feb 26 07:31:51 2020 @@ -1,4 +1,4 @@ -# $NetBSD: mi,v 1.1680 2020/02/09 16:06:17 jmcneill Exp $ +# $NetBSD: mi,v 1.1681 2020/02/26 07:31:51 riastradh Exp $ # # Note: don't delete entries from here - mark them as "obsolete" instead. # @@ -5403,6 +5403,7 @@ ./usr/share/man/html7/editline.html man-sys-htmlman html ./usr/share/man/html7/environ.html man-reference-htmlman html ./usr/share/man/html7/glob.html man-reference-htmlman html +./usr/share/man/html7/groups.html man-reference-htmlman html ./usr/share/man/html7/hier.html man-reference-htmlman html ./usr/share/man/html7/hostname.html man-reference-htmlman html ./usr/share/man/html7/intro.html man-reference-htmlman html @@ -5436,6 +5437,7 @@ ./usr/share/man/html7/symlink.html man-reference-htmlman html ./usr/share/man/html7/sysctl.html man-reference-htmlman html ./usr/share/man/html7/tests.html man-reference-htmlman html +./usr/share/man/html7/users.html man-reference-htmlman html ./usr/share/man/html7/zpool-features.html man-zfs-htmlman zfs,html ./usr/share/man/html8/MAKEDEV.html man-sysutil-htmlman html ./usr/share/man/html8/MAKEDEV.local.html man-sysutil-htmlman html @@ -8460,6 +8462,7 @@ ./usr/share/man/man7/editline.7 man-sys-man .man ./usr/share/man/man7/environ.7 man-reference-man .man ./usr/share/man/man7/glob.7 man-reference-man .man +./usr/share/man/man7/groups.7 man-reference-man .man ./usr/share/man/man7/hier.7 man-reference-man .man ./usr/share/man/man7/hostname.7 man-reference-man .man ./usr/share/man/man7/intro.7 man-reference-man .man 
@@ -8496,6 +8499,7 @@ ./usr/share/man/man7/symlink.7 man-reference-man .man ./usr/share/man/man7/sysctl.7 man-reference-man .man ./usr/share/man/man7/tests.7 man-reference-man .man +./usr/share/man/man7/users.7 man-reference-man .man ./usr/share/man/man7/zpool-features.7 man-zfs-man zfs,.man ./usr/share/man/man8/MAKEDEV.8 man-sysutil-man .man ./usr/share/man/man8/MAKEDEV.local.8 man-sysutil-man .man Index: src/share/man/man7/Makefile diff -u src/share/man/man7/Makefile:1.33 src/share/man/man7/Makefile:1.34 --- src/share/man/man7/Makefile:1.33 Mon May 28 00:18:06 2018 +++ src/share/man/man7/Makefile Wed Feb 26 07:31:51 2020 @@ -1,14 +1,14 @@ -# $NetBSD: Makefile,v 1.33 2018/05/28 00:18:06 nat Exp $ +# $NetBSD: Makefile,v 1.34 2020/02/26 07:31:51 riastradh Exp $ # @(#)Makefile 8.1 (Berkeley) 6/5/93 .include <bsd.init.mk> # missing: eqnchar.7 man.7 ms.7 term.7 -MAN= ascii.7 c.7 environ.7 glob.7 hier.7 hostname.7 intro.7 mailaddr.7 \ - module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7 rfc6056.7 \ - security.7 script.7 setuid.7 signal.7 src.7 sticky.7 symlink.7 \ - sysctl.7 tests.7 +MAN= ascii.7 c.7 environ.7 glob.7 groups.7 hier.7 hostname.7 intro.7 \ + mailaddr.7 module.7 nls.7 operator.7 orders.7 pkgsrc.7 release.7 \ + rfc6056.7 security.7 script.7 setuid.7 signal.7 src.7 sticky.7 \ + symlink.7 sysctl.7 tests.7 users.7 CLEANFILES= tests.7 .if ${MKKYUA} != "no" Index: src/share/man/man7/intro.7 diff -u src/share/man/man7/intro.7:1.26 src/share/man/man7/intro.7:1.27 --- src/share/man/man7/intro.7:1.26 Mon May 28 00:18:06 2018 +++ src/share/man/man7/intro.7 Wed Feb 26 07:31:51 2020 @@ -1,4 +1,4 @@ -.\" $NetBSD: intro.7,v 1.26 2018/05/28 00:18:06 nat Exp $ +.\" $NetBSD: intro.7,v 1.27 2020/02/26 07:31:51 riastradh Exp $ .\" .\" Copyright (c) 1983, 1990, 1993 .\" The Regents of the University of California. All rights reserved. 
@@ -48,6 +48,10 @@ user environment shell-style pattern matching .\" .It Sy eqnchar .\" special character definitions for eqn +.It Xr groups 7 +standard +.Nx +group names .It Xr hier 7 file system hierarchy in .Nx @@ -110,6 +114,10 @@ system information variables in test suite .\" .It Sy term .\" conventional names for terminals +.It Xr users 7 +standard +.Nx +user account names .El .Sh HISTORY The Added files: Index: src/share/man/man7/groups.7 diff -u /dev/null src/share/man/man7/groups.7:1.1 --- /dev/null Wed Feb 26 07:31:51 2020 +++ src/share/man/man7/groups.7 Wed Feb 26 07:31:51 2020 
@@ -0,0 +1,325 @@ +.\" $NetBSD: groups.7,v 1.1 2020/02/26 07:31:51 riastradh Exp $ +.\" +.\" Copyright (c) 2020 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd February 25, 2020 +.Dt GROUPS 5 +.Os +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh NAME +.Nm groups +.Nd standard group names +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh DESCRIPTION +A standard +.Nx +installation has the following user group names: +.\" These are currently sorted by gid; perhaps they should be sorted +.\" lexicographically by name instead. 
+.Bl -tag -width "_tcpdump" +.It Em wheel +Users authorized to elevate themselves to the super-user privileges of +the root user, meaning uid 0. +Normally the +.Em wheel +group has gid 0. +.Pp +Users who are not in the group +.Em wheel +are never allowed by +.Xr su 8 +to gain root privileges. +.It Em daemon +Used by the set-group-id +.Pq Xr setuid 7 +programs +.Xr lpq 8 , +.Xr lpr 8 , +and +.Xr lprm 8 . +.\" Unclear why. Maybe used to be used by uucp stuff too, since +.\" /var/spool/lock ownership is uucp:daemon? +.It Em sys +Historic group. +Unused in modern +.Nx . +.It Em tty +Used by the set-group-id +.Pq Xr setuid 7 +programs +.Xr wall 8 +and +.Xr write 1 +to allow users to send messages to another tty even if they don't own +it. +Static tty device nodes in +.Pa /dev +are all in the group +.Em tty , +and the +.Xr mount_ptyfs 8 +program passes the gid of the +.Em tty +group to the kernel so that all nodes in +.Pa /dev/pts +or equivalent are in the group too. +.It Em operator +Users authorized to take backups of disk devices and shut down the +machine. +.Pp +The disk device nodes in +.Pa /dev +such as +.Pa /dev/rwd0a +are in the group +.Em operator +and group-readable so users in the group can read from disk devices, +for example with +.Xr dump 8 . +The tape device nodes in +.Pa /dev +such as +.Pa /dev/rst0 +are in the group +.Em operator +and are both group-readable and group-writable so users in the group +can write to tape devices. +.Pp +The +.Xr shutdown 8 +program is executable only by root and members of the +.Em operator +group. +.It Em mail +Historic group. +Unused in modern +.Nx . +.\" Is this true? Hard to grep for this in src... +.It Em bin +Historic group. +Unused in modern +.Nx . +.It Em wsrc +Historic group. +Unused in modern +.Nx . +.\" Actually it seems to be used in the set lists somehow, but it's + \" unclear to me how what the significance is. 
+.It Em maildrop +Used by the set-group-id +.Pq Xr setuid 7 +programs +.Xr postdrop 8 +and +.Xr postqueue 8 +to submit to and examine the +.Xr postfix 8 +mail queue at +.Pa /var/spool/postfix/maildrop +and +.Pa /var/spool/postfix/public . +.It Em postfix +Primary group for the +.Em postfix +pseudo-user used by the +.Xr postfix 8 +mail transfer agent. +.\" Why are various subdirectories of /var/spool/postfix owned by +.\" postfix:wheel and not postfix:postfix? +.It Em games +Used by various set-group-id +.Pq Xr setuid 7 +games to maintain high-scores files and other common files in +.Pa /var/games . +.It Em named +Primary group for the +.Em named +pseudo-user used by the +.Xr named 8 +DNS nameserver daemon. +.It Em ntpd +Primary group for the +.Em named +pseudo-user used by the +.Xr ntpd 8 +network time protocol daemon. +.It Em sshd +Primary group for the +.Em sshd +pseudo-user used by the +.Xr sshd 8 +secure shell daemon. +.It Em _pflogd +Primary group for the +.Em _pflogd +pseudo-user used by the +.Xr pflogd 8 +log daemon with the +.Xr pf 4 +packet filter. +.It Em _rwhod +Primary group for the +.Em _rwhod +pseudo-user used by the +.Xr rwhod 8 +system status daemon. +.It Em staff +Staff users, in contrast to regular or guest users. +Not used by +.Nx ; +available for the administrator's interpretation. +.It Em _proxy +Primary group for the +.Em _proxy +pseudo-user used by the +.Xr ftp-proxy 8 +and +.Xr tftp-proxy 8 +proxy daemons with packet filters such as +.Xr pf 4 +or +.Xr ipnat 4 . +.It Em _timedc +Primary group for the +.Em _timedc +pseudo-user used by the +.Xr timedc 8 +tool to communicate with the +.Xr timed 8 +time server daemon. +.It Em _sdpd +Primary group for the +.Em _sdpd +pseudo-user used by the +.Xr sdpd 8 +Bluetooth service discovery protocol daemon. +.It Em _httpd +Primary group for the +.Em _httpd +pseudo-user used by the +.Xr httpd 8 Pq bozohttpd +web server. 
+.It Em _mdnsd +Primary group for the +.Em _mdnsd +pseudo-user used by the +.Xr mdnsd 8 +multicast DNS and DNS service discovery daemon. +.It Em _tests +Primary group for the +.Em _tests +pseudo-user used by +.Xr atf 7 +automatic tests that request to run unprivileged. +.It Em _tcpdump +Primary group for the +.Em _tcpdump +pseudo-user used by the +.Xr tcpdump 8 +network traffic dumper and analyzer. +.It Em _tss +Primary group for the +.Em _tss +pseudo-user used by the +.Xr tcsd 8 +.Sq Trusted Computing +daemon TPM to manage a TPM. +.It Em _gpio +Users authorized to read and write GPIO pins; see +.Xr gpio 4 +and +.Xr gpioctl 8 . +.It Em _rtadvd +Primary group for the +.Em _rtadvd +pseudo-user used by the +.Xr rtadvd 8 +IPv6 network router advertisement daemon. +.It Em guest +Guest users, in contrast to staff or regular users. +Not used by +.Nx ; +available for the administrator's interpretation. +.It Em _unbound +Primary group for the +.Em _unbound +pseudo-user used by the +.Xr unbound 8 +recursive DNS resolver. +.It Em _nsd +Primary group for the +.Em _nsd +pseudo-user used by the +.Xr nsd 8 +authoritative DNS nameserver. +.It Em nvmm +Users authorized to use the +.Xr nvmm 8 +.Nx +Virtual Machine Monitor. +.It Em nobody +Primary group for the traditional +.Em nobody +pseudo-user. +Modern practice is to assign to each different daemon its own separate +pseudo-user account and group so that if one daemon is compromised it +does not compromise all the other daemons. +.It Em utmp +Group of +.Xr utmp 5 +login records. +.\" Why? +.It Em authpf +Used by the set-group-id +.Pq Xr setuid 7 +program +.Xr authpf 8 +to configure authenticated gateways. +.\" Does it actually use the sgid bit? It's also suid root... +.It Em users +Regular users, in contrast to staff or guest users. +.Pp +Default primary group for new users, as set in the default +.Xr usermgmt.conf 5 +file. 
+Some administrators may instead prefer to assign to each user a unique +group with the same name as the user by passing the +.So +.Fl g +.Ar "=uid" +.Sc +option to +.Xr useradd 8 . +.It Em dialer +Users authorized to make outgoing modem calls. +Unused in modern +.Nx . +.It Em nogroup +Pseudo-group. +.\" For...? +.El +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh SEE ALSO +.Xr users 7 Index: src/share/man/man7/users.7 diff -u /dev/null src/share/man/man7/users.7:1.1 --- /dev/null Wed Feb 26 07:31:51 2020 +++ src/share/man/man7/users.7 Wed Feb 26 07:31:51 2020 
@@ -0,0 +1,202 @@ +.\" $NetBSD: users.7,v 1.1 2020/02/26 07:31:51 riastradh Exp $ +.\" +.\" Copyright (c) 2020 The NetBSD Foundation, Inc. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS +.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED +.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS +.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR +.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF +.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN +.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd February 25, 2020 +.Dt USERS 5 +.Os +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh NAME +.Nm users +.Nd standard user account names +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh DESCRIPTION +A standard +.Nx +installation has the following user account names: +.\" These are currently sorted by uid; perhaps they should be sorted +.\" lexicographically by name instead. 
+.Bl -tag -width "_tcpdump" +.It Em root +The super-user, uid 0, with the highest administrative privileges. +Normally not used for login directly, only via +.Xr su 8 +or equivalent by users in the +.Em wheel +group; see +.Xr groups 7 . +.Pp +Secondary groups: +.Em guest , +.Em kmem , +.Em nvmm , +.Em operator , +.Em staff , +.Em sys , +.Em tty . +.It Em toor +Like +.Em root , +this is the super-user with uid 0, but with no secondary group +memberships. +.Pp +Historically, +.Em root +had a login shell of +.Pa /bin/csh +while +.Em toor +had a login shell of +.Pa /bin/sh . +However, today both default to +.Pa /bin/sh . +This user account name is not used for anything in +.Nx ; +it is purely a convenience for actual users. +.\" Maybe we should just remove this. +.It Em daemon +Historic user for general daemonic activity. +.Pp +Owner of +.Pa /var/msgs ; +see +.Xr msgs 1 . +Used only by +.Xr rpcbind 8 , +with the +.Fl s +flag. +.It Em operator +Historic user. +Unused in modern +.Nx . +.It Em bin +Historic user. +Unused in modern +.Nx . +.It Em games +Owner of high-score files and other shared files for games. +.It Em postfix +Pseudo-user for use by the +.Xr postfix 8 +mail transfer agent. +.It Em named +Pseudo-user for use by the +.Xr named 8 +DNS nameserver daemon. +.It Em ntpd +Pseudo-user for use by the +.Xr ntpd 8 +network time protocol daemon. +.It Em sshd +Pseudo-user for use by the +.Xr sshd 8 +secure shell daemon. +.It Em _pflogd +Pseudo-user for use by the +.Xr pflogd 8 +log daemon with the +.Xr pf 4 +packet filter. +.It Em _rwhod +Pseudo-user for use by the +.Xr rwhod 8 +system status daemon. +.It Em _proxy +Pseudo-user for use by the +.Xr ftp-proxy 8 +and +.Xr tftp-proxy 8 +proxy daemons with packet filters such as +.Xr pf 4 +or +.Xr ipnat 4 . +.It Em _timedc +Pseudo-user for use by the +.Xr timedc 8 +tool to communicate with the +.Xr timed 8 +time server daemon. 
+.It Em _sdpd +Pseudo-user for use by the +.Xr sdpd 8 +Bluetooth service discovery protocol daemon. +.It Em _httpd +Pseudo-user for use by the +.Xr httpd 8 Pq bozohttpd +web server. +.It Em _mdnsd +Pseudo-user for use by the +.Xr mdnsd 8 +multicast DNS and DNS service discovery daemon. +.It Em _tests +Pseudo-user for use by +.Xr atf 7 +automatic tests that request to run unprivileged. +Default value for the +.Sq unprivileged-user +configuration variable; see +.Xr tests 7 . +.It Em _tcpdump +Pseudo-user for use by the +.Xr tcpdump 8 +network traffic dumper and analyzer. +.It Em _tss +Pseudo-user for use by the +.Xr tcsd 8 +.Sq Trusted Computing +daemon TPM to manage a TPM. +.It Em _rtadvd +Pseudo-user for use by the +.Xr rtadvd 8 +IPv6 network router advertisement daemon. +.It Em _unbound +Pseudo-user for the +.Xr unbound 8 +recursive DNS resolver. +.It Em _nsd +Pseudo-user for the +.Xr nsd 8 +authoritative DNS nameserver. +.It Em uucp +Pseudo-user for use by historic UUCP software, available now in +.Xr pkgsrc 7 . +.It Em nobody +Traditional pseudo-user used for dropping privileges. +Modern practice is to assign to each different daemon its own separate +pseudo-user account and group so that if one daemon is compromised it +does not compromise all the other daemons. +.El +.Pp +All new standard +.Nx +pseudo-user account names should begin with an underscore +.Sq "_" +to distinguish them from accounts that real users might add, and should +have a primary group of the same name; real users should accordingly +avoid such account names. +.\""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""" +.Sh SEE ALSO +.Xr groups 7
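
Review bot: In the new groups.7, the header line `.Dt GROUPS 5` places the page in section 5, but the file is installed as man7/groups.7 and every cross-reference in this commit is `.Xr groups 7`; it should be `.Dt GROUPS 7`. In the same hunk, the `.It Em ntpd` entry says "Primary group for the `.Em named` pseudo-user", which looks copied from the preceding `named` entry and should read `.Em ntpd`. The `_tss` entry's "daemon TPM to manage a TPM" has a stray "TPM" after "daemon". The second comment line under `.It Em wsrc` appears here without its leading dot, so it would be typeset as text instead of being ignored, and "how what" should be just "what". Since the `operator` entry states that disk device nodes such as `/dev/rwd0a` are group-readable, it would help to say there that membership therefore allows reading any file's contents from the raw device regardless of file permissions, so the group should be granted as sparingly as `wheel`.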
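
Review bot: In the new users.7, `.Dt USERS 5` should be `.Dt USERS 7`, matching the man7 install path and the `.Xr users 7` references added to intro.7 and groups.7. The `root` entry lists `kmem` among its secondary groups, but groups.7 as added in this commit has no `kmem` entry, so a reader following the `.Xr groups 7` pointer finds nothing about it; either add the entry there or mark it as a follow-up in a comment. The `_tss` entry repeats the "daemon TPM to manage a TPM" wording from groups.7 and has the same stray "TPM".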