How To Add and Remove Users on FreeBSD
On FreeBSD, like other Unix-like OSes, user accounts can be created to provide interactive access to the system. User accounts, when managed properly, can add a layer of system security by providing a way to limit individual user's access to only the files and directories that it needs to accomplish its tasks.
In this tutorial, we will show you how to perform the following user management tasks on a FreeBSD server:
- Add a user
- Grant superuser privileges
- Remove a user
- Lock a user account
- Unlock a user account
To follow this tutorial, you must have root access to a FreeBSD server. That is, you must be able to log in to the server as root or another user that has superuser privileges via the
sudo command. If you are planning on using root, you may omit the
sudo portion of the example commands.
How To Add a User
The simplest way to add a new user is to use the provided
adduser utility, which is based on the
pw command. The
adduser command adds a user to the system by making the necessary additions to
group files, and creating the new users home directory. It can be run interactively, with prompts to gather information about the new user, or non-interactively, which is better for adding batches of users. We will cover using it in interactive mode.
To add a user with
adduser in interactive mode, which allows you to create one user at a time, simply run the command without arguments like this:
At this point, you must provide information about the new user by responding to the series of prompts. Let's take a look at an example of the prompts now, with example responses shown in red:
Username: sammy Full name: Sammy Shark Uid (Leave empty for default): Login group [sammy]: Login group is sammy. Invite sammy into other groups? : wheel Login class [default]: Shell (sh csh tcsh nologin) [sh]: Home directory [/home/sammy]: Home directory permissions (Leave empty for default): Use password-based authentication? [yes]: Use an empty password? (yes/no) [no]: Use a random password? (yes/no) [no]: Enter password: password Enter password again: password Lock out the account after creation? [no]:
Many of the prompts can be left empty to select the default responses—the square brackets,
[yes] for example, denote the default values—but there are a couple important prompts that we will explain here:
- Username: This one is pretty self-explanatory. Provide the desired name of the new user
- Login group is <user>. Invite <user> into other groups?: This field will allow you to add the user to additional groups, by providing the desired groups in a space-delimited list. The most common use of this is to grant superuser (sudo) privileges to the new user by adding it to the
wheelgroup—on FreeBSD, members of the
wheelgroup can execute commands with superuser privileges. If you want to create a normal (unprivileged) user, you may leave this blank
All the other prompts up to this point are pretty self-explanatory and, aside from the password prompts, can be left as their defaults. Of course, if you need to change any other details, such as the user's Uid or Home directory, feel free to provide a non-default response. If you are looking for an in-depth description of any of the prompts, run
man adduser for more information.
After answering the prompts, a summary of the new user will be displayed:
Username : sammy Password : ***** Full Name : Sammy Shark Uid : 1002 Class : Groups : sammy wheel Home : /home/sammy Home Mode : Shell : /bin/sh Locked : no OK? (yes/no): yes
After reviewing the user information, respond to the OK? prompt with
no. Your response determines whether the user is created.
If you respond
yes, the user will be created and a confirmation will be provided:
adduser: INFO: Successfully added (sammy) to the user database.
Whether you create the user or not, you will see the following prompt:
Add another user? (yes/no): no Goodbye!
If you are finished, respond with
no. Otherwise, respond with
yes and repeat the process to create an additional new user.
At this point, the user(s) that you created can be used. You may want to set up SSH key authentication for increased security—check out this tutorial to learn how.
How To Grant Sudo Privileges
On FreeBSD, like other Unix-like OSes, you may grant users with the ability to run commands with superuser privileges via the
sudo command. The
sudo command allows a user to run a command as another user. We will show you how to grant a normal user with superuser privileges, effectively allowing them to execute commands as
On FreeBSD, users that are members of the
wheel group are allowed to use
sudo. This is due to the following line in the default sudoers file,
%wheel ALL=(ALL) NOPASSWD: ALL
Therefore, one way to grant a normal user with superuser privileges is to add the user to the
wheel group. To add a user to the
wheel group, use this
pw groupmod command (replace the highlighted username):
sudo pw groupmod wheel -m sammy
This command adds the specified user to the
wheel group in the
/etc/group file, and thus grants the user with the ability to run commands as superuser.
How To Remove a User
An easy way to remove a user from your FreeBSD system is to use the
rmuser command. You may run it with no arguments, or pass the users you want to remove as arguments, and follow the prompts to complete the user removal process:
If you do not provide a user name as an argument, you will be prompted for one or more. Then you will be asked to confirm if you're sure and if the user's home directory should be removed:
Please enter one or more usernames: sammy Matching password entry: sammy:*:1002:1002::0:0:Sammy Shark:/home/sammy:/bin/sh Is this the entry you wish to remove? y Remove user's home directory (/home/sammy)? y Removing user (sammy): mailspool home passwd.
How To Lock a User Account
If you want to disable a user's access to the system but not delete their account records and home directory, you may lock the account. The easiest way to disable a user is to use the
pw lock command, with the user that you want to disable as an argument, like so:
sudo pw lock username
This command works by prepending "*LOCKED*" to the user's entry in the
The user will be unable to log in until the account is unlocked.
How To Unlock a User
If you want to enable a user that was disabled with
pw lock, you can use the
pw unlock command to do so:
sudo pw unlock username
This command works by deleting "*LOCKED*", if present, from the user's entry in the
You should now have a good understanding of basic user management on a FreeBSD server.