User and rights management

Account management in TwinCAT/BSD rests on three account types, each subject to different restrictions. The following account types are available under TwinCAT/BSD:

The superuser account, also called root, can operate without restrictions. Unlike normal user accounts, root has absolute control over TwinCAT/BSD. To ensure system integrity and security, root is disabled by default. This means it is not possible to log in directly as root.

User accounts are available for normal users who require access to TwinCAT/BSD. They are assigned a unique user name and a home directory and can customize their own user environment. The user Administrator is created by default. This user does not have conventional administrator rights like an administrator under Windows, but it does have the authority to obtain root rights for specific purposes.

System users are used to run services and programs such as mail or web servers. This makes it possible to restrict a program or service, or to grant it access rights, for specific tasks only.

Root rights

Since it is not possible to log in as root, users can be assigned root rights in order to operate without restrictions under TwinCAT/BSD. Use the doas command to obtain root rights. doas corresponds to sudo, a command known from other Unix-like operating systems.

Groups

TwinCAT/BSD allows user accounts to be grouped together so that their permissions for using individual functions or software can be managed centrally. Instead of assigning the same individual rights to many user accounts, a user role is defined that contains the rights to be assigned. Groups are identified by the group name and the group ID (gid). The TwinCAT/BSD kernel decides on the basis of the user ID (uid) and the group membership of a process whether or not to grant that process permission.

The file /etc/group contains all group information, such as group name, group password, group ID and the list of members of the respective group. Display the file with cat /etc/group:

wheel:*:0:root,Administrator

This excerpt shows the first line of /etc/group. Each line is divided into four fields, separated by colons. The first field contains the group name (wheel), the second field contains the encrypted password (*), the third field contains the group ID (0) and the fourth field contains the comma-separated list of members (root, Administrator).

Each user can determine their group affiliation with id. Here is an example for the user Administrator, who belongs to the groups 1001 Administrator and 0 wheel:

uid=1001(Administrator) gid=1001(Administrator) groups=1001(Administrator),0(wheel)

Use doas pw groupadd <groupname> to create a new group. Use pw groupshow <groupname> to display a group. Use the command doas pw groupmod <groupname> -M <username> to add a user to a group. Note that -M sets the group's complete member list, so include the existing members in the list (or use -m, which appends new members) to avoid removing them unintentionally.

Administrator@CX-3B151A:~ % pw groupshow AI
AI:*:1007:Skynet,DeepThought,Ava,HAL
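As an added example (not part of the original documentation), the following POSIX shell functions parse the four-field group-file format described above and answer the two questions a review of a controller usually starts with: who is in a given group, and which accounts are members of wheel, the gid 0 group that holds root and Administrator. The sample group-file text is constructed for the example and is not taken from a real system.

```shell
# Constructed sample in /etc/group format: name:password:gid:member,member
# (not a real system file; the AI group mirrors the page's pw groupshow output).
SAMPLE_GROUP='wheel:*:0:root,Administrator
operator:*:5:root
AI:*:1007:Skynet,DeepThought,Ava,HAL
video:*:44:'

# Print the comma-separated member field of group $2 from group-file text $1.
# Prints an empty line when the group exists but has no listed members.
group_members() {
    printf '%s\n' "$1" | awk -F: -v g="$2" '$1 == g { print $4; exit }'
}

# Return 0 if user $2 appears in the member field of group $3, else 1.
# Splitting on commas avoids false matches such as "Ava" inside "Avalon".
is_member() {
    printf '%s\n' "$1" | awk -F: -v u="$2" -v g="$3" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# List every account in a gid 0 group, one per line: these are the accounts
# that share the wheel membership the page shows for root and Administrator.
wheel_members() {
    printf '%s\n' "$1" | awk -F: '
        $3 == 0 && $4 != "" {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) print m[i]
        }'
}
```

On a live controller, pass the real file as the first argument, for example wheel_members "$(cat /etc/group)", and compare the result with the accounts that are expected to hold that membership.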