Command Section
PW(8)                   FreeBSD System Manager's Manual                  PW(8)

     pw - create, remove, modify & display system users and groups

     pw [-R rootdir] [-V etcdir] useradd [-n] name [-u uid] [-C config] [-q]
        [-c comment] [-d dir] [-e date] [-p date] [-g group] [-G grouplist]
        [-m] [-M mode] [-k dir] [-w method] [-s shell] [-o] [-L class]
        [-h fd | -H fd] [-N] [-P] [-Y]
     pw [-R rootdir] [-V etcdir] useradd -D [-C config] [-q] [-b dir]
        [-e days] [-p days] [-g group] [-G grouplist] [-k dir] [-M mode]
        [-u min,max] [-i min,max] [-w method] [-s shell] [-y path]
     pw [-R rootdir] [-V etcdir] userdel [-n] name|uid | -u uid [-r] [-Y]
     pw [-R rootdir] [-V etcdir] usermod [-n] name|uid [-u newuid] | -u uid
        [-C config] [-q] [-c comment] [-d dir] [-e date] [-p date] [-g group]
        [-G grouplist] [-l newname] [-m] [-M mode] [-k dir] [-w method]
        [-s shell] [-L class] [-h fd | -H fd] [-N] [-P] [-Y]
     pw [-R rootdir] [-V etcdir] usershow [-n] name|uid | -u uid [-F] [-P]
        [-7] [-a]
     pw [-R rootdir] [-V etcdir] usernext [-C config] [-q]
     pw [-R rootdir] [-V etcdir] groupadd [-n] name [-g gid] [-C config] [-q]
        [-M members] [-o] [-h fd | -H fd] [-N] [-P] [-Y]
     pw [-R rootdir] [-V etcdir] groupdel [-n] name|gid | -g gid [-Y]
     pw [-R rootdir] [-V etcdir] groupmod [-n] name|gid [-g newgid] | -g gid
        [-C config] [-q] [-l newname] [-M members] [-m newmembers]
        [-d oldmembers] [-h fd | -H fd] [-N] [-P] [-Y]
     pw [-R rootdir] [-V etcdir] groupshow [-n] name|gid | -g gid [-F] [-P]
     pw [-R rootdir] [-V etcdir] groupnext [-C config] [-q]
     pw [-R rootdir] [-V etcdir] lock [-n] name|uid | -u uid [-C config] [-q]
     pw [-R rootdir] [-V etcdir] unlock [-n] name|uid | -u uid [-C config]

     The pw utility is a command-line based editor for the system user and
     group files, allowing the superuser an easy to use and standardized way
     of adding, modifying and removing users and groups.  Note that pw only
     operates on the local user and group files.  NIS users and groups must be
     maintained on the NIS server.  The pw utility handles updating the
     passwd, master.passwd, group and the secure and insecure password
     database files, and must be run as root.

     The first one or two keywords provided to pw on the command line provide
     the context for the remainder of the arguments.  The keywords user and
     group may be combined with add, del, mod, show, or next in any order.
     (For example, showuser, usershow, show user, and user show all mean the
     same thing.)  This flexibility is useful for interactive scripts calling
     pw for user and group database manipulation.  Following these keywords,
     the user or group name or numeric id may be optionally specified as an
     alternative to using the -n name, -u uid, -g gid options.

     The following flags are common to most or all modes of operation:

     -R rootdir    Specifies an alternate root directory within which pw will
                   operate.  Any paths specified will be relative to rootdir.

     -V etcdir     Set an alternate location for the password, group, and
                   configuration files.  Can be used to maintain a user/group
                   database in an alternate location.  If this switch is
                   specified, the system /etc/pw.conf will not be sourced for
                   default configuration data, but the file pw.conf in the
                   specified directory will be used instead (or none, if it
                   does not exist).  The -C flag may be used to override this
                   behaviour.  As an exception to the general rule where
                   options must follow the operation type, the -V flag must be
                   used on the command line before the operation keyword.

     -C config     By default, pw reads the file /etc/pw.conf to obtain policy
                   information on how new user accounts and groups are to be
                   created.  The -C option specifies a different configuration
                   file.  While most of the contents of the configuration file
                   may be overridden via command-line options, it may be more
                   convenient to keep standard information in a configuration

     -q            Use of this option causes pw to suppress error messages,
                   which may be useful in interactive environments where it is
                   preferable to interpret status codes returned by pw rather
                   than messing up a carefully formatted display.

     -N            This option is available in add and modify operations, and
                   tells pw to output the result of the operation without
                   updating the user or group databases.  You may use the -P
                   option to switch between standard passwd and readable

     -Y            Using this option with any of the update modes causes pw to
                   run make(1) after changing to the directory /var/yp.  This
                   is intended to allow automatic updating of NIS database
                   files.  If separate passwd and group files are being used
                   by NIS, then use the -y path option to specify the location
                   of the NIS passwd database so that pw will concurrently
                   update it with the system password databases.

     The following options apply to the useradd and usermod commands:

     [-n] name     Required unless -u uid is given.  Specify the user/account
                   name.  In the case of usermod can be a uid.

     -u uid        Required if name is not given.  Specify the user/account
                   numeric id.  In the case of usermod if paired with name,
                   changes the numeric id of the named user/account.

                   Usually, only one of these options is required, as the
                   account name will imply the uid, or vice versa.  However,
                   there are times when both are needed.  For example, when
                   changing the uid of an existing user with usermod, or
                   overriding the default uid when creating a new account with
                   useradd.  To automatically allocate the uid to a new user
                   with useradd, then do not use the -u option.  Either the
                   account or userid can also be provided immediately after
                   the useradd, userdel, usermod or usershow keywords on the
                   command line without using the -n or -u options.

     -c comment    This field sets the contents of the passwd GECOS field,
                   which normally contains up to four comma-separated fields
                   containing the user's full name, office or location, and
                   work and home phone numbers.  These sub-fields are used by
                   convention only, however, and are optional.  If this field
                   is to contain spaces, the comment must be enclosed in
                   double quotes `"'.  Avoid using commas in this field as
                   these are used as sub-field separators, and the colon `:'
                   character also cannot be used as this is the field
                   separator for the passwd file itself.

     -d dir        This option sets the account's home directory.  Normally,
                   this is only used if the home directory is to be different
                   from the default determined from /etc/pw.conf - normally
                   /home with the account name as a subdirectory.

     -e date       Set the account's expiration date.  Format of the date is
                   either a UNIX time in decimal, or a date in `dd-mmm-yy[yy]'
                   format, where dd is the day, mmm is the month, either in
                   numeric or alphabetic format ('Jan', 'Feb', etc) and year
                   is either a two or four digit year.  This option also
                   accepts a relative date in the form `+n[mhdwoy]' where `n'
                   is a decimal, octal (leading 0) or hexadecimal (leading 0x)
                   digit followed by the number of Minutes, Hours, Days,
                   Weeks, Months or Years from the current date at which the
                   expiration date is to be set.

     -p date       Set the account's password expiration date.  This field is
                   similar to the account expiration date option, except that
                   it applies to forced password changes.  This is set in the
                   same manner as the -e option.

     -g group      Set the account's primary group to the given group.  group
                   may be defined by either its name or group number.

     -G grouplist  Set secondary group memberships for an account.  grouplist
                   is a comma, space, or tab-separated list of group names or
                   group numbers.  The user is added to the groups specified
                   in grouplist, and removed from all groups not specified.
                   The current login session is not affected by group
                   membership changes, which only take effect when the user
                   reconnects.  Note: do not add a user to their primary group
                   with grouplist.

     -L class      This option sets the login class for the user being
                   created.  See login.conf(5) and passwd(5) for more
                   information on user login classes.

     -m            This option instructs pw to attempt to create the user's
                   home directory.  While primarily useful when adding a new
                   account with useradd, this may also be of use when moving
                   an existing user's home directory elsewhere on the file
                   system.  The new home directory is populated with the
                   contents of the skeleton directory, which typically
                   contains a set of shell configuration files that the user
                   may personalize to taste.  Files in this directory are
                   usually named dot.<config> where the dot prefix will be
                   stripped.  When -m is used on an account with usermod,
                   existing configuration files in the user's home directory
                   are not overwritten from the skeleton files.

                   When a user's home directory is created, it will by default
                   be a subdirectory of the basehome directory as specified by
                   the -b option (see below), bearing the name of the new
                   account.  This can be overridden by the -d option on the
                   command line, if desired.

     -M mode       Create the user's home directory with the specified mode,
                   modified by the current umask(2).  If omitted, it is
                   derived from the parent process' umask(2).  This option is
                   only useful in combination with the -m flag.

     -k dir        Set the skeleton directory, from which basic startup and
                   configuration files are copied when the user's home
                   directory is created.  This option only has meaning when
                   used with the -d or -m flags.

     -s shell      Set or changes the user's login shell to shell.  If the
                   path to the shell program is omitted, pw searches the
                   shellpath specified in /etc/pw.conf and fills it in as
                   appropriate.  Note that unless you have a specific reason
                   to do so, you should avoid specifying the path - this will
                   allow pw to validate that the program exists and is
                   executable.  Specifying a full path (or supplying a blank
                   "" shell) avoids this check and allows for such entries as
                   /nonexistent that should be set for accounts not intended
                   for interactive login.

     -h fd         This option provides a special interface by which
                   interactive scripts can set an account password using pw.
                   Because the command line and environment are fundamentally
                   insecure mechanisms by which programs can accept
                   information, pw will only allow setting of account and
                   group passwords via a file descriptor (usually a pipe
                   between an interactive script and the program).  sh, bash,
                   ksh and perl all possess mechanisms by which this can be
                   done.  Alternatively, pw will prompt for the user's
                   password if -h 0 is given, nominating stdin as the file
                   descriptor on which to read the password.  Note that this
                   password will be read only once and is intended for use by
                   a script rather than for interactive use.  If you wish to
                   have new password confirmation along the lines of
                   passwd(1), this must be implemented as part of an
                   interactive script that calls pw.

                   If a value of `-' is given as the argument fd, then the
                   password will be set to `*', rendering the account
                   inaccessible via password-based login.

     -H fd         Read an encrypted password string from the specified file
                   descriptor.  This is like -h, but the password should be
                   supplied already encrypted in a form suitable for writing
                   directly to the password database.

     It is possible to use useradd to create a new account that duplicates an
     existing user id.  While this is normally considered an error and will be
     rejected, the -o option overrides the check for duplicates and allows the
     duplication of the user id.  This may be useful if you allow the same
     user to login under different contexts (different group allocations,
     different home directory, different shell) while providing basically the
     same permissions for access to the user's files in each account.

     The useradd command also has the ability to set new user and group
     defaults by using the -D option.  Instead of adding a new user, pw writes
     a new set of defaults to its configuration file, /etc/pw.conf.  When
     using the -D option, you must not use either -n name or -u uid or an
     error will result.  Use of -D changes the meaning of several command line
     switches in the useradd command.  These are:

     -D            Set default values in /etc/pw.conf configuration file, or a
                   different named configuration file if the -C config option
                   is used.

     -b dir        Set the root directory in which user home directories are
                   created.  The default value for this is /home, but it may
                   be set elsewhere as desired.

     -e days       Set the default account expiration period in days.  When -D
                   is used, the days argument is interpreted differently.  It
                   must be numeric and represents the number of days after
                   creation that the account expires.  A value of 0 suppresses
                   automatic calculation of the expiry date.

     -p days       Set the default password expiration period in days.

     -g group      Set the default group for new users.  If a blank group is
                   specified using -g "", then new users will be allocated
                   their own private primary group with the same name as their
                   login name.  If a group is supplied, either its name or uid
                   may be given as an argument.

     -G grouplist  Set the default groups in which new users are granted
                   membership.  This is a separate set of groups from the
                   primary group.  Avoid nominating the same group as both
                   primary and extra groups.  In other words, these extra
                   groups determine membership in groups other than the
                   primary group.  grouplist is a comma-separated list of
                   group names or ids, and are always stored in /etc/pw.conf
                   by their symbolic names.

     -L class      This option sets the default login class for new users.

     -k dir        Set the default skeleton directory, from which prototype
                   shell and other initialization files are copied when pw
                   creates a user's home directory.  See description of -k for
                   naming conventions of these files.

     -u min,max, -i min,max
                   Set the minimum and maximum user and group ids allocated
                   for new accounts and groups created by pw.  The default
                   values for each is 1000 minimum and 32000 maximum.  min and
                   max are both numbers, where max must be greater than min,
                   and both must be between 0 and 32767.  In general, user and
                   group ids less than 100 are reserved for use by the system,
                   and numbers greater than 32000 may also be reserved for
                   special purposes (used by some system daemons).

     -w method     The -w option selects the default method used to set
                   passwords for newly created user accounts.  method is one

                         no      disable login on newly created accounts
                         yes     force the password to be the account name
                         none    force a blank password
                         random  generate a random password

                   The `random' or `no' methods are the most secure; in the
                   former case, pw generates a password and prints it to
                   stdout, which is suitable when users are issued passwords
                   rather than being allowed to select their own (possibly
                   poorly chosen) password.  The `no' method requires that the
                   superuser use passwd(1) to render the account accessible
                   with a password.

     -y path       This sets the pathname of the database used by NIS if you
                   are not sharing the information from /etc/master.passwd
                   directly with NIS.  You should only set this option for NIS

     The userdel command has three distinct options.  The -n name and -u uid
     options have already been covered above.  The additional option is:

     -r            This tells pw to remove the user's home directory and all
                   of its contents.  The pw utility errs on the side of
                   caution when removing files from the system.  Firstly, it
                   will not do so if the uid of the account being removed is
                   also used by another account on the system, and the 'home'
                   directory in the password file is a valid path that
                   commences with the character `/'.  Secondly, it will only
                   remove files and directories that are actually owned by the
                   user, or symbolic links owned by anyone under the user's
                   home directory.  Finally, after deleting all contents owned
                   by the user only empty directories will be removed.  If any
                   additional cleanup work is required, this is left to the

     Mail spool files and crontabs are always removed when an account is
     deleted as these are unconditionally attached to the user name.  Jobs
     queued for processing by at are also removed if the user's uid is unique
     and not also used by another account on the system.

     The usermod command adds one additional option:

     -l newname    This option allows changing of an existing account name to
                   `newname'.  The new name must not already exist, and any
                   attempt to duplicate an existing account name will be

     The usershow command allows viewing of an account in one of two formats.
     By default, the format is identical to the format used in
     /etc/master.passwd with the password field replaced with a `*'.  If the
     -P option is used, then pw outputs the account details in a more human
     readable form.  If the -7 option is used, the account details are shown
     in v7 format.  The -a option lists all users currently on file.  Using -F
     forces pw to print the details of an account even if it does not exist.

     The command usernext returns the next available user and group ids
     separated by a colon.  This is normally of interest only to interactive
     scripts or front-ends that use pw.

     The -C and -q options (explained at the start of the previous section)
     are available with the group manipulation commands.  Other common options
     to all group-related commands are:

     [-n] name      Required unless -g gid is given.  Specify the group name.
                    In the case of groupmod can be a gid.

     -g gid         Required if name is not given.  Specify the group numeric
                    id.  In the case of groupmod if paired with name, changes
                    the numeric id of the named group.

                    As with the account name and id fields, you will usually
                    only need to supply one of these, as the group name
                    implies the uid and vice versa.  You will only need to use
                    both when setting a specific group id against a new group
                    or when changing the uid of an existing group.

     -M memberlist  This option provides an alternative way to add existing
                    users to a new group (in groupadd) or replace an existing
                    membership list (in groupmod).  memberlist is a comma
                    separated list of valid and existing user names or uids.

     -m newmembers  Similar to -M, this option allows the addition of existing
                    users to a group without replacing the existing list of
                    members.  Login names or user ids may be used, and
                    duplicate users are silently eliminated.

     -d oldmembers  Similar to -M, this option allows the deletion of existing
                    users from a group without replacing the existing list of
                    members.  Login names or user ids may be used, and
                    duplicate users are silently eliminated.

     groupadd also has a -o option that allows allocation of an existing group
     id to a new group.  The default action is to reject an attempt to add a
     group, and this option overrides the check for duplicate group ids.
     There is rarely any need to duplicate a group id.

     The groupmod command adds one additional option:

     -l newname     This option allows changing of an existing group name to
                    `newname'.  The new name must not already exist, and any
                    attempt to duplicate an existing group name will be

     Options for groupshow are the same as for usershow, with the -g gid
     replacing -u uid to specify the group id.  The -7 option does not apply
     to the groupshow command.

     The command groupnext returns the next available group id on standard

     The pw utility supports a simple password locking mechanism for users; it
     works by prepending the string `*LOCKED*' to the beginning of the
     password field in master.passwd to prevent successful authentication.

     The lock and unlock commands take a user name or uid of the account to
     lock or unlock, respectively.  The -V, -C, and -q options as described
     above are accepted by these commands.

     For a summary of options available with each command, you can use
           pw [command] help
     For example,
           pw useradd help
     lists all available options for the useradd operation.

     The pw utility allows 8-bit characters in the passwd GECOS field (user's
     full name, office, work and home phone number subfields), but disallows
     them in user login and group names.  Use 8-bit characters with caution,
     as connection to the Internet will require that your mail transport
     program supports 8BITMIME, and will convert headers containing 8-bit
     characters to 7-bit quoted-printable format.  sendmail(8) does support
     this.  Use of 8-bit characters in the GECOS field should be used in
     conjunction with the user's default locale and character set and should
     not be implemented without their use.  Using 8-bit characters may also
     affect other programs that transmit the contents of the GECOS field over
     the Internet, such as fingerd(8), and a small number of TCP/IP clients,
     such as IRC, where full names specified in the passwd file may be used by

     The pw utility writes a log to the /var/log/userlog file when actions
     such as user or group additions or deletions occur.  The location of this
     logfile can be changed in pw.conf(5).

     /etc/master.passwd      The user database
     /etc/passwd             A Version 7 format password file
     /etc/login.conf         The user capabilities database
     /etc/group              The group database
     /etc/pw.conf            Pw default options file
     /var/log/userlog        User/group modification logfile

     Add new user Glurmo Smith (gsmith).  A gsmith login group is created if
     not already present.  The login shell is set to csh(1).  A new home
     directory at /home/gsmith is created if it does not already exist.
     Finally, a random password is generated and displayed:

           pw useradd -n gsmith -c "Glurmo Smith" -s /bin/csh -m -w random

     The pw utility returns EXIT_SUCCESS on successful operation, otherwise pw
     returns one of the following exit codes defined by sysexits(3) as

              Command line syntax errors (invalid keyword, unknown option).

              Attempting to run one of the update modes as non-root.

              Memory allocation error.
              Read error from password file descriptor.

              Bad or invalid data provided or missing on the command line or
               via the password file descriptor.
              Attempted to remove, rename root account or change its uid.

              Skeleton directory is invalid or does not exist.
              Base home directory is invalid or does not exist.
              Invalid or non-existent shell specified.

              User, user id, group or group id specified does not exist.
              User or group recorded, added, or modified unexpectedly

              No more group or user ids available within specified range.

              Unable to rewrite configuration file.
              Error updating group or user database files.
              Update error for passwd or group database files.

              No base home directory configured.

     chpass(1), passwd(1), umask(2), group(5), login.conf(5), passwd(5),
     pw.conf(5), pwd_mkdb(8), vipw(8)

     The pw utility was written to mimic many of the options used in the SYSV
     shadow support suite, but is modified for passwd and group fields
     specific to the 4.4BSD operating system, and combines all of the major
     elements into a single command.

FreeBSD 11.1-RELEASE-p4         April 23, 2016         FreeBSD 11.1-RELEASE-p4
Command Section