Updating the system software

Merging the password file

As we saw on page 145, the password file is quite complicated. Depending on how much work you want to do, you have a couple of possibilities:

• You can choose to completely replace the old /etc/master.passwd with the new one. This will cause all added user names and passwords to disappear, so unless this is just a test machine, it's unlikely you'll want to follow this path.
• You can take advantage of the fact that, with the exception of root, the distribution /etc/master.passwd contains no "real" users. You can merge the entries for real users with the entries in the distribution /etc/master.passwd.This works relatively well, but it removes the passwords of the system users, so you have to set them again. We'll look at how to do that below.

The distribution version of /etc/master.passwd looks something like this:

#$FreeBSD: src/etc/master.passwd,v 1.33 2002/06/23 20:46:44 des Exp $
#
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
...etc

The individual fields are separated by colons (:). We'll look at only the fields that interest us in the following expansion. It's easier to look at if they're separated by spaces; numerically, they're the first, second, eighth, ninth and tenth fields. For a description of the other fields, see the man page master.passwd(4).

User      password  GECOS               home directory           shell
root       *   Charlie &                /root                    /bin/csh
toor       *   Bourne-again Superuser   /root   
daemon     *   Owner of many processes  /root                    /sbin/nologin
operator   *   System &                 /                        /sbin/nologin
bin        *   Binaries Commands        /                        /sbin/nologin
tty        *   Tty Sandbox              /                        /sbin/nologin
kmem       *   KMem Sandbox             /                        /sbin/nologin
games      *   Games pseudo-user        /usr/games               /sbin/nologin
news       *   News Subsystem           /                        /sbin/nologin
man        *   Mister Man Pages         /usr/share/man           /sbin/nologin
sshd       *   Secure Shell Daemon      /var/empty               /sbin/nologin
smmsp      *   Sendmail Submission      /var/spool/clientmqueue  /sbin/nologin
mailnull   *   Sendmail Default User    /var/spool/mqueue        /sbin/nologin
bind       *   Bind Sandbox             /                        /sbin/nologin
xten       *   X-10 daemon              /usr/local/xten          /sbin/nologin
pop        *   Post Office Owner        /nonexistent             /sbin/nologin
www        *   World Wide Web Owner     /nonexistent             /sbin/nologin
nobody     *   Unprivileged user        /nonexistent             /sbin/nologin

The first field is the name of the user. In the course of time, a number of pseudo-users have been added to reduce exposure to security issues. The main issue in merging the files is to add these users. If you don't have the user in your current /etc/master.passwd, you can add the line from the distribution file.

The second field contains the password. In the distribution file, it's usually *, which means it needs to be set before you can log in at all. Only root has no password; you need to be able to log in as root to set passwords. By contrast, in your installed /etc/master.passwd, you will almost certainly have a password, and in general you will want to keep it.

The home directory entry has not changed much. You'll notice directory names like /nonexistent and /var/empty. The former is a fake, the latter a directory that can't be changed. It's possible that this entry will change from one release to another, and it's important to get it correct.

For many accounts, the shell field contains the name /sbin/nologin, which prints the text "This account is currently not available" and exits. Currently only root has a real shell, but that could change.

To update the /etc/master.passwd, you can use the following method:

• Make a copy of your old /etc/master.passwd!
• Maintain a strict separation of the original lines from the distribution file and your own entries. This will help you with the next update.
• Copy the entire distribution /etc/master.passwd to the top of your /etc/master.passwd file. At this point you will have a number of duplicates.
• Check the entries for root. You can probably remove the distribution entry and leave your entry in the file, preserving the password and shell. In this case, you should make an exception to the separation between distribution and local additions: due to the way the name lookups work, if you put user root below user toor ("root" spelt backwards, and the same user with possibly a different shell), all files will appear to belong to toor instead of to root.
• Check what other entries you have for user ids under 1000. You can probably remove them all, but if you have installed ports that require their own user ID, you will need to keep them.
• You should be able to keep all the entries for users with IDs above and including 1000, with the exception of user nobody (ID 65534). Use the entry from the distribution file for nobody.

Once you have merged the files, you need to run pwdmkdb to rebuild the password files /etc/passwd, /etc/pwd.db and /etc/spwd.db. /etc/passwd is gradually going out of use, but you probably have one on your system, and some ports use it, so it's preferable to recreate it. Do this with the -p option to pwd_mkdb:

# pwd_mkdb -p /etc/master.passwd

Merging /etc/group

In addition to /etc/master.passwd, you will probably need to upgrade /etc/group. In this case, the main issue is to add users to the wheel group. The distribution /etc/group looks like this:

#$FreeBSD: src/etc/group,v 1.27 2002/10/14 20:55:49 rwatson Exp $ #
wheel:*:0:root daemon:*:1: kmem:*:2: sys:*:3:
tty:*:4:
operator:*:5:root
mail:*:6:
bin:*:7:
news:*:8:
man:*:9:
games:*:13:
staff:*:20: sshd:*:22:
smmsp:*:25:
mailnull:*:26:
guest:*:31:
bind:*:53:
uucp:*:66:
xten:*:67:
dialer:*:68:
network:*:69:
www:*:80:
nogroup:*:65533:
nobody:*:65534:

Again, new groups have appeared for security reasons. Use a similar method to the one you used for /etc/master.passwd:

• Make a copy of your old /etc/group!
• Maintain a strict separation of the original lines from the distribution file and your own entries. This will help you with the next update.
• Copy the entire distribution /etc/group to the top of your /etc/group file. At this point you will have a number of duplicates.
• Check the entries for wheel .You can probably remove the distribution entry and leave your entry in the file, preserving the users.
• In addition, you may have some users in other groups. For example, installing postfix adds the user postfix to group mail. You need to preserve these users.

You don't need to do anything special after updating /etc/group. You can now continue with mergemaster.