OpenBSD Basics

Synopsis #

This chapter introduces fundamental concepts and administrative tools in OpenBSD. It explains how to manage users and groups, control file permissions, configure shell environments, manipulate processes, manage services, and handle installed software. The chapter also describes important conventions and outlines key security design principles unique to OpenBSD.

User and Group Management #

User and group accounts in OpenBSD define access control boundaries for system resources and services.

Account Types #

  • Root (UID 0): The superuser account with unrestricted access.
  • Regular Users: Interactive accounts typically part of groups like users or staff.
  • System Accounts: Non-login accounts (e.g., _ntpd, _smtp) with restricted shells like /sbin/nologin, used by daemons and system services.

Creating Users #

To create a user interactively:

# adduser

The adduser(8) script will prompt for login name, full name, shell, groups, and password.

To create a user non-interactively:

# useradd -m -s /bin/ksh -G wheel alice
# passwd alice
  • -m: Creates the home directory.
  • -s: Sets the login shell (/bin/ksh is the default).
  • -G: Adds the user to supplementary groups (e.g., wheel).

The wheel Group #

Membership in the wheel group is required to perform privileged operations using doas(1) or su(1).

Example /etc/doas.conf entry:

permit persist :wheel

With this entry, only users in the wheel group may run commands as root through doas.

Inspecting User Information #

The following commands show user account data:

$ id
$ whoami
$ groups
$ getent passwd alice
  • id: Shows UID and GID info.
  • whoami: Displays the current username.
  • groups: Lists secondary groups.
  • getent: Retrieves account details from the system database.
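The account fields shown by these commands answer a defender's basic questions: which accounts are superusers, which can log in at all, and which wheel members could reach root through the doas.conf entry above. The following is an added example, not code from the original page; SAMPLE_PASSWD and SAMPLE_GROUP are constructed stand-ins for /etc/passwd and /etc/group, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): audit who can reach root.
# SAMPLE_PASSWD and SAMPLE_GROUP are constructed stand-ins for /etc/passwd and
# /etc/group so the script runs anywhere; on a live host pass
# "$(cat /etc/passwd)" and "$(cat /etc/group)" instead.
SAMPLE_PASSWD='root:*:0:0:Charlie Root:/root:/bin/ksh
_ntpd:*:87:87:NTP Daemon:/var/empty:/sbin/nologin
_smtp:*:103:103:SMTP Daemon:/var/empty:/sbin/nologin
alice:*:1000:1000:Alice:/home/alice:/bin/ksh
bob:*:1001:1001:Bob:/home/bob:/sbin/nologin
backup:*:1002:1002:Backup:/home/backup:/bin/ksh'

SAMPLE_GROUP='wheel:*:0:root,alice,bob
users:*:10:
staff:*:20:root'

# Every account with UID 0 is a full superuser, whatever its name.
uid0_accounts() {          # $1 = passwd text
    printf '%s\n' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Accounts that can log in interactively (shell is not /sbin/nologin).
login_accounts() {         # $1 = passwd text
    printf '%s\n' "$1" | awk -F: '$7 != "/sbin/nologin" { print $1 }'
}

# Supplementary members listed on a group(5) line (name:pw:gid:m1,m2,...).
group_members() {          # $1 = group text, $2 = group name
    printf '%s\n' "$1" | awk -F: -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }'
}

# wheel members (by supplementary or primary group) that also have a login
# shell: with "permit persist :wheel" in doas.conf these can become root.
# A wheel member whose shell is /sbin/nologin cannot use that membership.
wheel_escalators() {       # $1 = passwd text, $2 = group text
    wgid=$(printf '%s\n' "$2" | awk -F: '$1 == "wheel" { print $3 }')
    list=",$(group_members "$2" wheel | tr '\n' ','),"
    printf '%s\n' "$1" | awk -F: -v list="$list" -v wgid="$wgid" '
        $7 != "/sbin/nologin" && ($4 == wgid || index(list, "," $1 ",")) { print $1 }'
}

echo "UID 0 accounts:";  uid0_accounts "$SAMPLE_PASSWD"
echo "Can log in:";      login_accounts "$SAMPLE_PASSWD"
echo "Can reach root:";  wheel_escalators "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```

On the sample data the last list is root and alice: bob is in wheel but has no login shell, and backup can log in but is not in wheel.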

Modifying Users #

To add supplementary groups:

# usermod -G wheel,staff alice

To change the primary group:

# usermod -g staff alice

To edit user attributes interactively:

# chpass alice

Removing Users #

To remove a user and delete their home directory:

# userdel -r alice

File Permissions and Ownership #

OpenBSD uses traditional UNIX-style file permissions to define access control. Each file and directory has associated permissions for three categories of users:

  • Owner (user) — the file’s creator or designated owner
  • Group — users belonging to the file’s group
  • Others — all remaining users

Each category can have read (r), write (w), and execute (x) permissions.

Viewing Permissions #

Permissions can be viewed with ls -l:

$ ls -l /etc/passwd

Example output:

-rw-r--r--  1 root  wheel  1234 Jul 10 12:00 /etc/passwd

This indicates:

  • -: a regular file (directories show d)
  • rw-: the owner (root) can read and write
  • r--: the group (wheel) can read only
  • r--: others can read only

Understanding Numeric and Symbolic Permissions #

Each permission class (user, group, others) is represented by a digit between 0 and 7, based on the sum of:

  • 4 = read (r)
  • 2 = write (w)
  • 1 = execute (x)

The following table shows all possible combinations:

Value  Symbolic  Meaning                   Directory Listing
0      ---       No permissions            ---
1      --x       Execute only              --x
2      -w-       Write only                -w-
3      -wx       Write and execute         -wx
4      r--       Read only                 r--
5      r-x       Read and execute          r-x
6      rw-       Read and write            rw-
7      rwx       Read, write, and execute  rwx

A full permission mode such as 755 breaks down as:

  • 7 = rwx for the owner
  • 5 = r-x for the group
  • 5 = r-x for others

To apply it:

# chmod 755 script.sh

Changing Permissions with Symbolic Mode #

Symbolic mode allows explicit changes to individual permission bits:

# chmod u+x script.sh
# chmod g-w file.txt
# chmod o= file.txt
  • u, g, o, a: user, group, others, all
  • +, -, =: add, remove, set exactly
  • r, w, x: permission types

Use symbolic mode for fine-grained adjustments and numeric mode for explicitly setting all three categories.


Special Permission Bits #

In addition to the standard permission bits, OpenBSD supports three special modes:

Special Bit  Octal Prefix  Symbol (ls -l)       Meaning
setuid       4000          s in user execute    Executable runs with the owner's UID
setgid       2000          s in group execute   Executable runs with the group's GID; directories inherit group
sticky bit   1000          t in others execute  Only file owner or root may delete files in the directory

setuid Example #

# chmod 4755 /usr/local/bin/somescript

This sets:

  • 4 (setuid) + 755 → 4755
  • Owner execute becomes s: -rwsr-xr-x

Use ls -l to see the s:

$ ls -l /usr/local/bin/somescript

setgid Example #

# chmod 2755 /usr/local/bin/teamcmd
  • Group execute becomes s: -rwxr-sr-x

On directories, setgid causes new files to inherit the directory’s group:

# chmod 2775 /var/shared

sticky Bit Example #

On shared directories like /tmp, the sticky bit prevents users from deleting each other’s files:

# chmod 1777 /tmp

Files in /tmp can only be deleted by their owner or by root, even though the directory is world-writable.

The sticky bit appears as t:

$ ls -ld /tmp
drwxrwxrwt  10 root  wheel  5120 Jul 11 15:10 /tmp

To combine special bits with standard permissions, prefix the numeric mode accordingly:

  • chmod 4755 → setuid + 755
  • chmod 2755 → setgid + 755
  • chmod 1777 → sticky + 777

Use these bits with care: they affect security and process behavior.

Shell Configuration #

The default shell in OpenBSD is ksh(1) (based on the Public Domain Korn Shell).

Shell Profiles #

User shell initialization files include:

  • ~/.profile: Executed by login shells
  • ~/.kshrc: Used for interactive ksh sessions (referenced in .profile)

A minimal .profile:

export ENV="$HOME/.kshrc"
export PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"
umask 022
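To tie the numeric, symbolic and special-bit forms from the permissions section together with the umask 022 set in this .profile, here is an added example, not code from the original page: it renders any octal mode the way ls -l shows it, computes what a given umask leaves on new files and directories, and flags a world-writable directory that lacks the sticky bit. The function names are my own.

```shell
#!/bin/sh
# Added example (not from the original page): render an octal mode the way
# ls -l does, special bits included, and show what a umask leaves on new
# files and directories. Works in OpenBSD ksh and any POSIX sh.

# mode_to_symbolic MODE [TYPECHAR]
# MODE is octal as chmod takes it (755, 4755, 1777). TYPECHAR defaults to
# "-" (regular file); pass "d" for a directory. setuid/setgid/sticky show
# as s/s/t when the matching execute bit is set and S/S/T when it is not.
mode_to_symbolic() {
    m=$(( 0$1 ))                 # leading 0 forces octal interpretation
    out=${2:--}
    for pos in 6 3 0; do         # user, group, others
        bits=$(( (m >> pos) & 7 ))
        case $pos in
            6) special=$(( m & 04000 )); lc=s; uc=S ;;
            3) special=$(( m & 02000 )); lc=s; uc=S ;;
            0) special=$(( m & 01000 )); lc=t; uc=T ;;
        esac
        if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
        if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
        if [ "$special" -ne 0 ]; then
            if [ $(( bits & 1 )) -ne 0 ]; then out="${out}$lc"; else out="${out}$uc"; fi
        elif [ $(( bits & 1 )) -ne 0 ]; then
            out="${out}x"
        else
            out="${out}-"
        fi
    done
    printf '%s\n' "$out"
}

# Mode a new file (0666 & ~umask) or directory (0777 & ~umask) is created with.
umask_file_mode() { printf '%04o\n' $(( 0666 & ~0$1 )); }
umask_dir_mode()  { printf '%04o\n' $(( 0777 & ~0$1 )); }

# True (exit 0) for a world-writable directory without the sticky bit: any
# user could delete or rename other users' files in it (compare /tmp at 1777).
unsafe_shared_dir() {
    m=$(( 0$1 ))
    [ $(( m & 0002 )) -ne 0 ] && [ $(( m & 01000 )) -eq 0 ]
}

# Walk through the modes used on this page
for mode in 755 4755 2755 4644; do
    printf '%-5s %s\n' "$mode" "$(mode_to_symbolic "$mode")"
done
printf '%-5s %s\n' 1777 "$(mode_to_symbolic 1777 d)"
printf 'umask 022: new file %s, new directory %s\n' "$(umask_file_mode 022)" "$(umask_dir_mode 022)"
```

A capital S or T in the output (for example 4644 gives -rwSr--r--) means the special bit is set on a file nobody can execute, which is usually a mistake worth fixing.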

Process Management #

Processes can be listed, controlled, or monitored using standard utilities.

Viewing Processes #

$ ps aux
$ top
  • ps aux: Shows all running processes.
  • top: Provides an interactive, real-time view.

Controlling Processes #

$ kill -TERM 1234    # Gracefully stop process
$ kill -KILL 1234    # Forcefully terminate
$ pkill httpd        # Terminate by name

Service Management #

OpenBSD services are managed using rcctl(8).

Enabling and Starting Services #

# rcctl enable ntpd
# rcctl start ntpd

Disabling and Stopping Services #

# rcctl stop ntpd
# rcctl disable ntpd

Restarting and Configuring #

# rcctl restart httpd
# rcctl set httpd flags "-d"

To check a service’s status:

# rcctl check ntpd

Installed Software and Version Info #

OpenBSD includes a minimal base system. Additional software is installed using pkg_add(1).

To view system version:

$ uname -a

Example output:

OpenBSD myhost.example.org 7.6 GENERIC.MP#123 amd64