Date: Thu, 21 Feb 2013 14:06:06 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r41024 - head/en_US.ISO8859-1/books/handbook/users
Message-ID: <201302211406.r1LE66bl041470@svn.freebsd.org>
Author: dru Date: Thu Feb 21 14:06:06 2013 New Revision: 41024 URL: http://svnweb.freebsd.org/changeset/doc/41024 Log: Initial content fix. This patch addresses the following: - &os; - rewording "you" with some tightening and clarifying - fix xref, acronym, and directory tags - changed 14.3-14.5 from sect2 to sect3--this may benefit from a beginning section 2 (e.g. Type of Accounts) to take it out of the intro Approved by: bcr (mentor) Modified: head/en_US.ISO8859-1/books/handbook/users/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/users/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/users/chapter.xml Wed Feb 20 19:00:52 2013 (r41023) +++ head/en_US.ISO8859-1/books/handbook/users/chapter.xml Thu Feb 21 14:06:06 2013 (r41024) 
@@ -22,39 +22,32 @@ <sect1 id="users-synopsis"> <title>Synopsis</title> - <para>FreeBSD allows multiple users to use the computer at the - same time. Obviously, only one of those users can be sitting in - front of the screen and keyboard at any one time - <footnote><para>Well, unless you hook up multiple terminals, but - we will save that for <xref linkend="serialcomms"/>.</para> - </footnote>, but any number of users can log in through the - network to get their work done. To use the system every user - must have an account.</para> + <para>&os; allows multiple users to use the computer at the same + time. While only one user can sit in front of the screen and + use the keyboard at any one time, any number of users can log + in to the system through the network. To use the system, every + user must have a user account.</para> <para>After reading this chapter, you will know:</para> <itemizedlist> <listitem> <para>The differences between the various user accounts on a - FreeBSD system.</para> + &os; system.</para> </listitem> <listitem> - <para>How to add user accounts.</para> - </listitem> - - <listitem> - <para>How to remove user accounts.</para> + <para>How to add and remove user accounts.</para> </listitem> <listitem> <para>How to change account details, such as the user's full - name, or preferred shell.</para> + name or preferred shell.</para> </listitem> <listitem> - <para>How to set limits on a per-account basis, to control the - resources such as memory and CPU time that accounts and + <para>How to set limits on a per-account basis to control the + resources, such as memory and CPU time, that accounts and groups of accounts are allowed to access.</para> </listitem> @@ -68,8 +61,8 @@ <itemizedlist> <listitem> - <para>Understand the basics of &unix; and FreeBSD (<xref - linkend="basics"/>).</para> + <para>Understand the <link linkend="basics">basics of &unix; + and &os;</link>.</para> </listitem> </itemizedlist> </sect1> 
@@ -77,11 +70,11 @@ <sect1 id="users-introduction"> <title>Introduction</title> - <para>All access to the system is achieved via accounts, and all - processes are run by users, so user and account management are - of integral importance on FreeBSD systems.</para> + <para>Since all access to the &os; system is achieved via accounts + and all processes are run by users, user and account management + is important.</para> - <para>Every account on a FreeBSD system has certain information + <para>Every account on a &os; system has certain information associated with it to identify the account.</para> <variablelist> @@ -89,13 +82,13 @@ <term>User name</term> <listitem> - <para>The user name as it would be typed at the - <prompt>login:</prompt> prompt. User names must be unique - across the computer; you may not have two users with the - same user name. There are a number of rules for creating - valid user names, documented in &man.passwd.5;; you would - typically use user names that consist of eight or fewer - all lower case characters.</para> + <para>The user name is typed at the <prompt>login:</prompt> + prompt. User names must be unique on the system as no two + users can have the same user name. There are a number of + rules for creating valid user names, documented in + &man.passwd.5;. Typically user names consist of eight or + fewer all lower case characters in order to maintain + backwards compatibility with applications.</para> </listitem> </varlistentry> 
@@ -103,47 +96,48 @@ <term>Password</term> <listitem> - <para>Each account has a password associated with it. The - password may be blank, in which case no password will be - required to access the system. This is normally a very - bad idea; every account should have a password.</para> + <para>Each account has an associated password. While the + password can be blank, this is highly discouraged and + every account should have a password.</para> </listitem> </varlistentry> <varlistentry> - <term>User ID (UID)</term> + <term>User ID (<acronym>UID</acronym>)</term> <listitem> - <para>The UID is a number, traditionally from 0 to - 65535<footnote id="users-largeuidgid"> - <para>It is possible to use UID/GIDs as large as - 4294967295, but such IDs can cause serious problems - with software that makes assumptions about the values - of IDs.</para> + <para>The User ID (<acronym>UID</acronym>) is a number, + traditionally from 0 to 65535<footnote + id="users-largeuidgid"> + <para>It is possible to use + <acronym>UID</acronym>s/<acronym>GID</acronym>s as + large as 4294967295, but such IDs can cause serious + problems with software that makes assumptions about + the values of IDs.</para> </footnote>, used to uniquely identify the user to the - system. Internally, FreeBSD uses the UID to - identify users—any FreeBSD commands that allow - you to specify a user name will convert it to the UID - before working with it. This means that you can have - several accounts with different user names but the - same UID. As far as FreeBSD is concerned these - accounts are one user. It is unlikely you will ever - need to do this.</para> + system. Internally, &os; uses the + <acronym>UID</acronym> to identify users. Commands that + allow a user name to be specified will first convert it to + the <acronym>UID</acronym>. Though unlikely, it is + possible for several accounts with different user names to + share the same <acronym>UID</acronym>. 
As far as &os; is + concerned, these accounts are one user.</para> </listitem> </varlistentry> <varlistentry> - <term>Group ID (GID)</term> + <term>Group ID (<acronym>GID</acronym>)</term> <listitem> - <para>The GID is a number, traditionally from 0 to - 65535<footnoteref linkend="users-largeuidgid"/>, used to - uniquely identify the primary group that the user belongs - to. Groups are a mechanism for controlling access to - resources based on a user's GID rather than their UID. - This can significantly reduce the size of some - configuration files. A user may also be in more than one - group.</para> + <para>The Group ID (<acronym>GID</acronym>) is a number, + traditionally from 0 to 65535<footnoteref + linkend="users-largeuidgid"/>, used to uniquely identify + the primary group that the user belongs to. Groups are a + mechanism for controlling access to resources based on a + user's <acronym>GID</acronym> rather than their + <acronym>UID</acronym>. This can significantly reduce the + size of some configuration files. A user may also be a + member of more than one group.</para> </listitem> </varlistentry> @@ -161,10 +155,10 @@ <term>Password change time</term> <listitem> - <para>By default FreeBSD does not force users to change - their passwords periodically. You can enforce this on a - per-user basis, forcing some or all of your users to - change their passwords after a certain amount of time has + <para>By default &os; does not force users to change their + passwords periodically. This can be enforced on a + per-user basis, forcing some or all users to change their + passwords after a certain amount of time has elapsed.</para> </listitem> </varlistentry> 
@@ -173,11 +167,10 @@ <term>Account expiry time</term> <listitem> - <para>By default FreeBSD does not expire accounts. If you - are creating accounts that you know have a limited - lifespan, for example, in a school where you have accounts - for the students, then you can specify when the account - expires. After the expiry time has elapsed the account + <para>By default &os; does not expire accounts. When + creating accounts that need a limited lifespan, such as + student accounts in a school, specify the account expiry + date. After the expiry time has elapsed, the account cannot be used to log in to the system, although the account's directories and files will remain.</para> </listitem> @@ -187,9 +180,9 @@ <term>User's full name</term> <listitem> - <para>The user name uniquely identifies the account to - FreeBSD, but does not necessarily reflect the user's real - name. This information can be associated with the + <para>The user name uniquely identifies the account to &os;, + but does not necessarily reflect the user's real name. + This information can be associated with the account.</para> </listitem> </varlistentry> 
@@ -199,15 +192,14 @@ <listitem> <para>The home directory is the full path to a directory on - the system in which the user will start when logging on to - the system. A common convention is to put all user home - directories under - <filename>/home/<replaceable>username</replaceable></filename> - or - <filename>/usr/home/<replaceable>username</replaceable></filename>. - The user would store their personal files in their home - directory, and any directories they may create in - there.</para> + the system. This is the user's starting directory when + the user logs in. A common convention is to put all user + home directories under <filename + class="directory">/home/<replaceable>username</replaceable></filename> + or <filename + class="directory">/usr/home/<replaceable>username</replaceable></filename>. + Each user stores their personal files and subdirectories + in their own home directory.</para> </listitem> </varlistentry> 
@@ -225,105 +217,105 @@ </variablelist> <para>There are three main types of accounts: the <link - linkend="users-superuser">Superuser</link>, <link - linkend="users-system">system users</link>, and <link - linkend="users-user">user accounts</link>. The Superuser + linkend="users-superuser">superuser</link>, <link + linkend="users-system">system accounts</link>, and <link + linkend="users-user">user accounts</link>. The superuser account, usually called <username>root</username>, is used to manage the system with no limitations on privileges. System - users run services. Finally, user accounts are used by real - people, who log on, read mail, and so forth.</para> - </sect1> + accounts are used to run services. User accounts are + assigned to real people and are used to log in and use the + system.</para> - <sect1 id="users-superuser"> - <title>The Superuser Account</title> + <sect2 id="users-superuser"> + <title>The Superuser Account</title> - <indexterm> - <primary>accounts</primary> - <secondary>superuser (root)</secondary> - </indexterm> - <para>The superuser account, usually called - <username>root</username>, comes preconfigured to facilitate - system administration, and should not be used for day-to-day - tasks like sending and receiving mail, general exploration of - the system, or programming.</para> - - <para>This is because the superuser, unlike normal user accounts, - can operate without limits, and misuse of the superuser account - may result in spectacular disasters. 
User accounts are unable - to destroy the system by mistake, so it is generally best to use - normal user accounts whenever possible, unless you especially - need the extra privilege.</para> - - <para>You should always double and triple-check commands you issue - as the superuser, since an extra space or missing character can - mean irreparable data loss.</para> - - <para>So, the first thing you should do after reading this - chapter is to create an unprivileged user account for yourself - for general usage if you have not already. This applies equally - whether you are running a multi-user or single-user machine. - Later in this chapter, we discuss how to create additional - accounts, and how to change between the normal user and - superuser.</para> - </sect1> + <indexterm> + <primary>accounts</primary> + <secondary>superuser (root)</secondary> + </indexterm> + <para>The superuser account, usually called + <username>root</username>, is used to perform system + administration tasks and should not be used for day-to-day + tasks like sending and receiving mail, general exploration of + the system, or programming.</para> + + <para>This is because the superuser, unlike normal user + accounts, can operate without limits, and misuse of the + superuser account may result in spectacular disasters. User + accounts are unable to destroy the system by mistake, so it is + generally best to use normal user accounts whenever possible, + unless extra privilege is required.</para> + + <para>Always double and triple-check any commands issued as the + superuser, since an extra space or missing character can mean + irreparable data loss.</para> + + <para>Always create a user account for the system administrator + and use this account to log in to the system for general + usage. This applies equally to multi-user or single-user + systems. 
Later sections will discuss how to create additional + accounts and how to change between the normal user and + superuser.</para> + </sect2> - <sect1 id="users-system"> - <title>System Accounts</title> + <sect2 id="users-system"> + <title>System Accounts</title> - <indexterm> - <primary>accounts</primary> - <secondary>system</secondary> - </indexterm> - <para>System users are those used to run services such as DNS, - mail, web servers, and so forth. The reason for this is - security; if all services ran as the superuser, they could - act without restriction.</para> + <indexterm> + <primary>accounts</primary> + <secondary>system</secondary> + </indexterm> + <para>System accounts are used to run services such as DNS, + mail, and web servers. The reason for this is security; if + all services ran as the superuser, they could act without + restriction.</para> - <indexterm> - <primary>accounts</primary> - <secondary><username>daemon</username></secondary> - </indexterm> - <indexterm> - <primary>accounts</primary> - <secondary><username>operator</username></secondary> - </indexterm> - <para>Examples of system users are <username>daemon</username>, - <username>operator</username>, <username>bind</username> (for - the Domain Name Service), <username>news</username>, and - <username>www</username>.</para> + <indexterm> + <primary>accounts</primary> + <secondary><username>daemon</username></secondary> + </indexterm> + <indexterm> + <primary>accounts</primary> + <secondary><username>operator</username></secondary> + </indexterm> + <para>Examples of system accounts are + <username>daemon</username>, <username>operator</username>, + <username>bind</username>, <username>news</username>, and + <username>www</username>.</para> - <indexterm> - <primary>accounts</primary> - <secondary><username>nobody</username></secondary> - </indexterm> - <para><username>nobody</username> is the generic unprivileged - system user. 
However, it is important to keep in mind that the - more services that use <username>nobody</username>, the more - files and processes that user will become associated with, and - hence the more privileged that user becomes.</para> - </sect1> + <indexterm> + <primary>accounts</primary> + <secondary><username>nobody</username></secondary> + </indexterm> + <para><username>nobody</username> is the generic unprivileged + system account. However, the more services that use + <username>nobody</username>, the more files and processes that + user will become associated with, and hence the more + privileged that user becomes.</para> + </sect2> - <sect1 id="users-user"> - <title>User Accounts</title> + <sect2 id="users-user"> + <title>User Accounts</title> - <indexterm> - <primary>accounts</primary> - <secondary>user</secondary> - </indexterm> - <para>User accounts are the primary means of access for real - people to the system, and these accounts insulate the user and - the environment, preventing the users from damaging the system - or other users, and allowing users to customize their - environment without affecting others.</para> - - <para>Every person accessing your system should have a unique user - account. This allows you to find out who is doing what, prevent - people from clobbering each others' settings or reading each - others' mail, and so forth.</para> - - <para>Each user can set up their own environment to accommodate - their use of the system, by using alternate shells, editors, key - bindings, and language.</para> + <indexterm> + <primary>accounts</primary> + <secondary>user</secondary> + </indexterm> + <para>User accounts are the primary means of access for real + people to the system. 
User accounts insulate the user and + the environment, preventing users from damaging the system + or other users, and allowing users to customize their + environment without affecting others.</para> + + <para>Every person accessing the system should have a unique + user account. This allows the administrator to find out who + is doing what, prevents users from clobbering each others' + settings or reading each others' mail, and so forth.</para> + + <para>Each user can set up their own environment to accommodate + their use of the system, by using alternate shells, editors, + key bindings, and language.</para> + </sect2> </sect1> <sect1 id="users-modifying"> @@ -334,10 +326,9 @@ <secondary>modifying</secondary> </indexterm> - <para>There are a variety of different commands available in the - &unix; environment to manipulate user accounts. The most common - commands are summarized below, followed by more detailed - examples of their usage.</para> + <para>&os; provides a variety of different commands to manage + user accounts. The most common commands are summarized below, + followed by more detailed examples of their usage.</para> <informaltable frame="none" pgwide="1"> <tgroup cols="2"> @@ -365,7 +356,7 @@ <row> <entry>&man.chpass.1;</entry> - <entry>A flexible tool to change user database + <entry>A flexible tool for changing user database information.</entry> </row> @@ -377,8 +368,8 @@ <row> <entry>&man.pw.8;</entry> - <entry>A powerful and flexible tool to modify all aspects - of user accounts.</entry> + <entry>A powerful and flexible tool for modifying all + aspects of user accounts.</entry> </row> </tbody> </tgroup> 
@@ -399,14 +390,14 @@ class="directory">/usr/share/skel</filename></primary> </indexterm> <indexterm><primary>skeleton directory</primary></indexterm> - <para>&man.adduser.8; is a simple program for - adding new users. It creates entries in the system - <filename>passwd</filename> and <filename>group</filename> - files. It will also create a home directory for the new user, - copy in the default configuration files - (<quote>dotfiles</quote>) from - <filename>/usr/share/skel</filename>, and can optionally mail - the new user a welcome message.</para> + <para>&man.adduser.8; is a simple program for adding new users + When a new user is added, this program automatically updates + <filename>/etc/passwd</filename> and + <filename>/etc/group</filename>. It also creates a home + directory for the new user, copies in the default + configuration files from <filename + class="directory">/usr/share/skel</filename>, and can + optionally mail the new user a welcome message.</para> <example> <title>Adding a User on &os;</title> @@ -444,9 +435,9 @@ Goodbye! </example> <note> - <para>The password you type in is not echoed, nor are - asterisks displayed. Make sure that you do not mistype the - password.</para> + <para>Since the password is not echoed when typed, be careful + to not mistype the password when creating the user + account.</para> </note> </sect2> @@ -459,14 +450,14 @@ Goodbye! <secondary>removing</secondary> </indexterm> - <para>You can use &man.rmuser.8; to completely remove a user - from the system. &man.rmuser.8; performs the following + <para>To completely remove a user from the system use + &man.rmuser.8;. This command performs the following steps:</para> <procedure> <step> - <para>Removes the user's &man.crontab.1; entry (if - any).</para> + <para>Removes the user's &man.crontab.1; entry if one + exists.</para> </step> <step> 
@@ -484,19 +475,20 @@ Goodbye! </step> <step> - <para>Removes the user's home directory (if it is owned by - the user).</para> + <para>Removes the user's home directory, if it is owned by + the user.</para> </step> <step> <para>Removes the incoming mail files belonging to the user - from <filename>/var/mail</filename>.</para> + from <filename + class="directory">/var/mail</filename>.</para> </step> <step> <para>Removes all files owned by the user from temporary - file storage areas such as - <filename>/tmp</filename>.</para> + file storage areas such as <filename + class="directory">/tmp</filename>.</para> </step> <step> @@ -505,7 +497,7 @@ Goodbye! <note> <para>If a group becomes empty and the group name is the - same as the username, the group is removed; this + same as the username, the group is removed. This complements the per-user unique groups created by &man.adduser.8;.</para> </note> @@ -513,11 +505,11 @@ Goodbye! </procedure> <para>&man.rmuser.8; cannot be used to remove superuser - accounts, since that is almost always an indication of massive + accounts since that is almost always an indication of massive destruction.</para> - <para>By default, an interactive mode is used, which attempts to - make sure you know what you are doing.</para> + <para>By default, an interactive mode is used, as shown + in the following example.</para> <example> <title><command>rmuser</command> Interactive Account 
@@ -542,24 +534,21 @@ Removing files belonging to jru from /va <title><command>chpass</command></title> <indexterm><primary><command>chpass</command></primary></indexterm> - <para>&man.chpass.1; changes user database + <para>&man.chpass.1; can be used to change user database information such as passwords, shells, and personal information.</para> - <para>Only system administrators, as the superuser, may change - other users' information and passwords with - &man.chpass.1;.</para> + <para>Only the superuser can change other users' information and + passwords with &man.chpass.1;.</para> <para>When passed no options, aside from an optional username, - &man.chpass.1; displays an editor - containing user information. When the user exists from the - editor, the user database is updated with the new - information.</para> + &man.chpass.1; displays an editor containing user information. + When the user exists from the editor, the user database is + updated with the new information.</para> <note> - <para>You will be asked for your password - after exiting the editor if you are not the - superuser.</para> + <para>You will be asked for your password after exiting the + editor if you are not the superuser.</para> </note> <example> @@ -583,8 +572,8 @@ Home Phone: Other information:</screen> </example> - <para>The normal user can change only a small subset of this - information, and only for themselves.</para> + <para>A user can change only a small subset of this + information, and only for their own user account.</para> <example> <title>Interactive <command>chpass</command> by Normal 
@@ -600,15 +589,12 @@ Other information:</screen> </example> <note> - <para>&man.chfn.1; and &man.chsh.1; are - just links to &man.chpass.1;, as - are &man.ypchpass.1;, - &man.ypchfn.1;, and - &man.ypchsh.1;. NIS support is automatic, so - specifying the <literal>yp</literal> before the command is - not necessary. If this is confusing to you, do not worry, - NIS will be covered in <xref - linkend="network-servers"/>.</para> + <para>&man.chfn.1; and &man.chsh.1; are links to + &man.chpass.1;, as are &man.ypchpass.1;, &man.ypchfn.1;, and + &man.ypchsh.1;. <acronym>NIS</acronym> support is + automatic, so specifying the <literal>yp</literal> before + the command is not necessary. How to configure NIS is + covered in <link linkend="network-servers"></link>.</para> </note> </sect2> <sect2 id="users-passwd"> @@ -619,14 +605,15 @@ Other information:</screen> <primary>accounts</primary> <secondary>changing password</secondary> </indexterm> - <para>&man.passwd.1; is the usual way to - change your own password as a user, or another user's password - as the superuser.</para> + <para>&man.passwd.1; is the usual way to change your own + password as a user, or another user's password as the + superuser.</para> <note> - <para>To prevent accidental or unauthorized changes, the - original password must be entered before a new password can - be set.</para> + <para>To prevent accidental or unauthorized changes, the user + must enter their original password before a new password can + be set. This is not the case when the superuser changes a + user's password.</para> </note> <example> @@ -654,10 +641,8 @@ passwd: done</screen> </example> <note> - <para>As with &man.chpass.1;, - &man.yppasswd.1; is just a link to - &man.passwd.1;, so NIS works with either - command.</para> + <para>As with &man.chpass.1;, &man.yppasswd.1; is a link to + &man.passwd.1;, so NIS works with either command.</para> </note> </sect2> 
@@ -669,11 +654,11 @@ passwd: done</screen> <para>&man.pw.8; is a command line utility to create, remove, modify, and display users and groups. It functions as a front - end to the system user and group files. &man.pw.8; - has a very powerful set of command line options that make it - suitable for use in shell scripts, but new users may find it - more complicated than the other commands presented - here.</para> + end to the system user and group files. &man.pw.8; has a very + powerful set of command line options that make it suitable for + use in shell scripts, but new users may find it more + complicated than the other commands presented in this + section.</para> </sect2> @@ -687,12 +672,10 @@ passwd: done</screen> <primary>accounts</primary> <secondary>limiting</secondary> </indexterm> - <para>If you have users, the ability to limit their system use may - have come to mind. FreeBSD provides - several ways an administrator can limit the amount of system - resources an individual may use. These limits are - divided into two sections: disk quotas, and other resource - limits.</para> + <para>&os; provides several methods for an administrator to limit + the amount of system resources an individual may use. These + limits are discussed in two sections: disk quotas and other + resource limits.</para> <indexterm><primary>quotas</primary></indexterm> <indexterm> 
@@ -700,11 +683,9 @@ passwd: done</screen> <secondary>quotas</secondary> </indexterm> <indexterm><primary>disk quotas</primary></indexterm> - <para>Disk quotas limit disk usage to users, and - they - provide a way to quickly check that usage without - calculating it every time. Quotas are discussed in <xref - linkend="quotas"/>.</para> + <para>Disk quotas limit disk usage to users and provide a way to + quickly check that usage without calculating it every time. + Quotas are discussed in <link linkend="quotas"></link>.</para> <para>The other resource limits include ways to limit the amount of CPU, memory, and other resources a user may consume. These 
@@ -714,47 +695,45 @@ passwd: done</screen> <primary><filename>/etc/login.conf</filename></primary> </indexterm> <para>Login classes are defined in - <filename>/etc/login.conf</filename>. The precise semantics are - beyond the scope of this section, but are described in detail in - the &man.login.conf.5; manual page. It is sufficient to say - that each user is assigned to a login class - (<literal>default</literal> by default), and that each login + <filename>/etc/login.conf</filename> and are described in detail + in &man.login.conf.5;. Each user account is assigned to a login + class, <literal>default</literal> by default, and each login class has a set of login capabilities associated with it. A login capability is a <literal><replaceable>name</replaceable>=<replaceable>value</replaceable></literal> pair, where <replaceable>name</replaceable> is a well-known identifier and <replaceable>value</replaceable> is an arbitrary - string processed accordingly depending on the name. Setting up - login classes and capabilities is rather straight-forward and is - also described in &man.login.conf.5;.</para> + string which is processed accordingly depending on the + <replaceable>name</replaceable>. Setting up login classes and + capabilities is rather straight-forward and is also described in + &man.login.conf.5;.</para> <note> - <para>The system does not normally read the configuration in - <filename>/etc/login.conf</filename> directly, but reads the - database file <filename>/etc/login.conf.db</filename> which - provides faster lookups. To generate - <filename>/etc/login.conf.db</filename> from - <filename>/etc/login.conf</filename>, execute the following - command:</para> + <para>&os; does not normally read the configuration in + <filename>/etc/login.conf</filename> directly, but instead + reads the <filename>/etc/login.conf.db</filename> database + which provides faster lookups. 
Whenever + <filename>/etc/login.conf</filename> is edited, the + <filename>/etc/login.conf.db</filename> must be updated by + executing the following command:</para> <screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen> </note> - <para>Resource limits are different from plain vanilla login - capabilities in two ways. First, for every limit, there is a - soft (current) and hard limit. A soft limit may be adjusted by - the user or application, but may be no higher than the hard - limit. The latter may be lowered by the user, but never raised. - Second, most resource limits apply per process to a specific - user, not the user as a whole. Note, however, that these + <para>Resource limits differ from the default login capabilities + in two ways. First, for every limit, there is a soft (current) + and hard limit. A soft limit may be adjusted by the user or + application, but may not be set higher than the hard limit. The + hard limit may be lowered by the user, but can only be raised + by the superuser. Second, most resource limits apply per + process to a specific user, not to the user as a whole. These differences are mandated by the specific handling of the limits, - not by the implementation of the login capability framework - (i.e., they are not <emphasis>really</emphasis> a special case - of login capabilities).</para> - - <para>And so, without further ado, below are the most commonly - used resource limits (the rest, along with all the other login - capabilities, may be found in &man.login.conf.5;).</para> + not by the implementation of the login capability + framework.</para> + + <para>Below are the most commonly used resource limits. The rest + of the limits, along with all the other login capabilities, can + be found in &man.login.conf.5;.</para> <variablelist> <varlistentry> 
@@ -766,14 +745,13 @@ passwd: done</screen> <secondary>coredumpsize</secondary> </indexterm> <para>The limit on the size of a core file generated by a - program is, for obvious reasons, subordinate to other - limits on disk usage (e.g., <literal>filesize</literal>, - or disk quotas). Nevertheless, it is often used as a - less-severe method of controlling disk space consumption: - since users do not generate core files themselves, and - often do not delete them, setting this may save them from - running out of disk space should a large program (e.g., - <application>emacs</application>) crash.</para> + program is subordinate to other limits on disk usage, such + as <literal>filesize</literal>, or disk quotas. + This limit is often used as a less-severe method of + controlling disk space consumption. Since users do not + generate core files themselves, and often do not delete + them, setting this may save them from running out of disk + space should a large program crash.</para> </listitem> </varlistentry> @@ -786,18 +764,14 @@ passwd: done</screen> <primary>limiting users</primary> <secondary>cputime</secondary> </indexterm> - <para>This is the maximum amount of CPU time a user's - process may consume. Offending processes will be killed - by the kernel.</para> + <para>The maximum amount of CPU time a user's process may + consume. Offending processes will be killed by the + kernel.</para> <note> <para>This is a limit on CPU <emphasis>time</emphasis> consumed, not percentage of the CPU as displayed in - some fields by &man.top.1; and &man.ps.1;. A limit on - the latter is, at the time of this writing, not - possible, and would be rather useless: a - compiler—probably a legitimate task—can - easily use almost 100% of a CPU for some time.</para> + some fields by &man.top.1; and &man.ps.1;.</para> </note> </listitem> </varlistentry> 
@@ -811,10 +785,10 @@ passwd: done</screen> <primary>limiting users</primary> <secondary>filesize</secondary> </indexterm> - <para>This is the maximum size of a file the user may - possess. Unlike <link linkend="quotas">disk - quotas</link>, this limit is enforced on individual - files, not the set of all files a user owns.</para> + <para>The maximum size of a file the user may own. Unlike + <link linkend="quotas">disk quotas</link>, this limit is + enforced on individual files, not the set of all files a + user owns.</para> </listitem> </varlistentry> @@ -827,17 +801,15 @@ passwd: done</screen> <primary>limiting users</primary> <secondary>maxproc</secondary> </indexterm> - <para>This is the maximum number of processes a user may be - running. This includes foreground and background - processes alike. For obvious reasons, this may not be - larger than the system limit specified by the - <varname>kern.maxproc</varname> &man.sysctl.8;. Also note - that setting this too small may hinder a user's - productivity: it is often useful to be logged in multiple - times or execute pipelines. Some tasks, such as - compiling a large program, also spawn multiple processes - (e.g., &man.make.1;, &man.cc.1;, and other intermediate - preprocessors).</para> + <para>The maximum number of processes a user can run. This + includes foreground and background processes. This limit + may not be larger than the system limit specified by the + <varname>kern.maxproc</varname> &man.sysctl.8;. Setting + this limit too small may hinder a user's productivity as + it is often useful to be logged in multiple times or to + execute pipelines. Some tasks, such as compiling a large + program, spawn multiple processes and other intermediate + preprocessors.</para> </listitem> </varlistentry> 
@@ -850,12 +822,11 @@ passwd: done</screen> <primary>limiting users</primary> <secondary>memorylocked</secondary> </indexterm> - <para>This is the maximum amount a memory a process may have - requested to be locked into main memory (e.g., see - &man.mlock.2;). Some system-critical programs, such as - &man.amd.8;, lock into main memory such that in the event - of being swapped out, they do not contribute to - a system's thrashing in time of trouble.</para> + <para>The maximum amount of memory a process may request + to be locked into main memory using &man.mlock.2;. Some + system-critical programs, such as &man.amd.8;, lock into + main memory so that in the event of being swapped out, + they do not contribute to disk thrashing.</para> </listitem> </varlistentry> @@ -865,12 +836,11 @@ passwd: done</screen> <listitem> <indexterm><primary>memoryuse</primary></indexterm> <indexterm><primary>limiting users</primary> - <secondary>memoryuse</secondary> - </indexterm> - <para>This is the maximum amount of memory a process may - consume at any given time. It includes both core memory and - swap usage. This is not a catch-all limit for restricting - memory consumption, but it is a good start.</para> + <secondary>memoryuse</secondary></indexterm> + <para>The maximum amount of memory a process may consume at + any given time. It includes both core memory and swap + usage. This is not a catch-all limit for restricting + memory consumption, but is a good start.</para> </listitem> </varlistentry> 
@@ -882,10 +852,10 @@ passwd: done</screen> <indexterm><primary>limiting users</primary> <secondary>openfiles</secondary> </indexterm> - <para>This is the maximum amount of files a process may have - open. In FreeBSD, files are also used to represent - sockets and IPC channels; thus, be careful not to set this - too low. The system-wide limit for this is defined by the + <para>The maximum amount of files a process may have open. + In &os;, files are used to represent sockets and IPC + channels, so be careful not to set this too low. The + system-wide limit for this is defined by the <varname>kern.maxfiles</varname> &man.sysctl.8;.</para> </listitem> </varlistentry> @@ -898,10 +868,8 @@ passwd: done</screen> <indexterm><primary>limiting users</primary> <secondary>sbsize</secondary> </indexterm> - <para>This is the limit on the amount of network memory, and - thus mbufs, a user may consume. This originated as a - response to an old DoS attack by creating a lot of - sockets, but can be generally used to limit network + <para>The limit on the amount of network memory, and + thus mbufs, a user may consume in order to limit network communications.</para> </listitem> </varlistentry> @@ -914,10 +882,10 @@ passwd: done</screen> <indexterm><primary>limiting users</primary> <secondary>stacksize</secondary> </indexterm> - <para>This is the maximum size a process' stack may grow to. - This alone is not sufficient to limit the amount of memory - a program may use; consequently, it should be used in - conjunction with other limits.</para> + <para>The maximum size of a process stack. This alone is + not sufficient to limit the amount of memory a program + may use so it should be used in conjunction with other + limits.</para> </listitem> </varlistentry> </variablelist> 
@@ -936,25 +904,26 @@ passwd: done</screen> <listitem> <para>Although the <filename>/etc/login.conf</filename> that comes with the system is a good source of reasonable values - for most limits, only you, the administrator, can know what - is appropriate for your system. Setting a limit too high - may open your system up to abuse, while setting it too low - may put a strain on productivity.</para> + for most limits, they may not be appropriate for every + system. Setting a limit too high may open the system up to + abuse, while setting it too low may put a strain on + productivity.</para> </listitem> <listitem> - <para>Users of the X Window System (X11) should probably be - granted more resources than other users. X11 by itself - takes a lot of resources, but it also encourages users to - run more programs simultaneously.</para> + <para>Users of <application>&xorg;</application> should + probably be granted more resources than other users. + <application>&xorg;</application> by itself takes a lot of + resources, but it also encourages users to run more programs + simultaneously.</para> </listitem> <listitem> - <para>Remember that many limits apply to individual processes, - not the user as a whole. For example, setting + <para>Many limits apply to individual processes, not the user *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
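Review bot: In the rewritten resource-limits paragraph (the hunk ending just before @@ -766,14 +745,13 @@), "differ from the default login capabilities" does not mean the same as the "plain vanilla login capabilities" it replaces. "Default" reads as a set of default values, while the sentence contrasts resource limits with ordinary capabilities in general; "other login capabilities" would keep the sense. "a soft (current) and hard limit" is also clearer as "a soft (current) limit and a hard limit". The change from "never raised" to "can only be raised by the superuser" is a real correction and worth naming in the commit log, since it is more than rewording.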
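Review bot: In the coredumpsize hunk (@@ -766,14 +745,13 @@), the comma in "such as <literal>filesize</literal>, or disk quotas" leaves it unclear whether disk quotas are a second example of "other limits on disk usage" or a separate item. Suggest "such as <literal>filesize</literal> or disk quotas". In the last sentence, "setting this may save them" has "them" pointing back past "core files" to "users"; "setting this limit may keep users from running out of disk space" avoids the ambiguity.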
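Review bot: In the cputime hunk (@@ -786,18 +764,14 @@), the shortened note removes the statement that a limit on CPU percentage "is, at the time of this writing, not possible" along with the compiler aside. The reader is now told what this limit is not, but not whether a percentage cap exists elsewhere. If the statement still holds, keep a short form such as "A limit on the latter is not possible." and drop only the aside.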
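Review bot: In the maxproc hunk (@@ -827,17 +801,15 @@), removing the parenthetical left a fragment behind: "spawn multiple processes and other intermediate preprocessors" no longer parses, because "other intermediate preprocessors" was the tail of the deleted "(e.g., &man.make.1;, &man.cc.1;, and other intermediate preprocessors)". Either end the sentence at "spawn multiple processes" or restore the examples. "This limit may not be larger than the system limit" can also be read as "might not be"; "cannot be larger than" is unambiguous.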
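Review bot: In the memorylocked hunk (@@ -850,12 +822,11 @@), the new sentence carries over a contradiction from the old text: programs "lock into main memory so that in the event of being swapped out, they do not contribute to disk thrashing". Memory locked with &man.mlock.2; is held in main memory, so "in the event of being swapped out" describes the case the lock prevents. Suggest "lock into main memory so that they are not swapped out and do not contribute to disk thrashing".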
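Review bot: The memoryuse hunk (@@ -865,12 +836,11 @@) moves the closing </indexterm> up onto the <secondary> line, while the neighbouring entries in this same diff (openfiles, sbsize, stacksize) keep </indexterm> on its own line. This is a whitespace-only change mixed into a content commit and it makes the entries inconsistent; leave the tag layout as it was here, or change all entries in a separate whitespace commit.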
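Review bot: In the openfiles hunk (@@ -882,10 +852,10 @@), dropping "also" changes the meaning: "files are used to represent sockets and IPC channels" now reads as if that is what files are for, where the old text said files are additionally used that way, which is the reason not to set the limit too low. Keep "also". Since files are countable, "maximum amount of files" should be "maximum number of files".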
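Review bot: In the sbsize hunk (@@ -898,10 +868,8 @@), the merged sentence attaches the purpose clause to the wrong verb: "a user may consume in order to limit network communications" says the user consumes mbufs in order to limit communications. Split it, for example "The limit on the amount of network memory, and thus mbufs, a user may consume. It can be used to limit network communications." The hunk also deletes the only stated rationale for the limit (a response to a DoS attack that created many sockets); a short clause retaining it would tell administrators why the limit matters.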