DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 

useradd(ADM)


useradd, userdel, usermod -- add, delete, or change a user account

Syntax

/etc/useradd [-c comment] [-d directory] [-g group] [-G group1,group2,...]
[-M] [-m] [-s shell] [-u uid [-o]] [-x "extendedOptionString"] [-X optionsFile]
[hostname:]user

/etc/userdel [-x "extendedOptionString"] [-X optionsFile] [hostname:]user

/etc/usermod -D [-g group_name] [-s shell] [-x "extendedOptionString"]
[-X optionsFile]

/etc/usermod [-c comment] [-d directory [-m]] [-g group]
[-G group1,group2,...] [-l newname] [-s shell] [-u uid [-o]]
[-x " extendedOptionString"] [-X optionsFile] [hostname:]user

Description

With no options specified useradd creates a user account on the local system.

Users can be created in one of three locations:

If a user account already exists locally when an NIS version of that account is created, the local account is removed from the system. If an NIS version of an account already exists when a local version is created, the remote account is not deleted. If you wish to delete the remote account, you must do so before adding the local account of the same name.

userdel deletes the specified user account from the User Account and Group Account databases. userdel is only valid when the Low or Traditional security profiles are configured (or the SECLUID kernel parameter is set to zero). Otherwise, accounts should be retired rather than removed, as described in ``Removing or retiring a user account'' in Administering users and groups.

usermod modifies one or more of the attributes associated with the specified account.

A user name has a limit of 8 lowercase letters or numbers, but must not begin with a number. In addition, user names cannot include colons (:) (aside from the hostname:user syntax used to create a remote account) or newlines.

For distributed accounts, only the user name, comment, password, login shell, home directory, login group, group membership, password, and lock status are valid across the network. For example, you cannot set the maximum number of failed login attempts for a distributed user on a remote system (it only takes effect on the master server).

When adding users to a group that is both local and distributed, users will be placed in the local group. To add users to a distributed group, use groupmod(ADM).

Options

The following options are supported by useradd and usermod:

-c comment
Specify a text string of no more than 512 characters. Must not contain colons (:) or newlines.

-d directory
Specify the new home directory of the user. If the home directory is being changed, the contents of the previous home directory are only modified if -m is specified. Directory names must not contain colons (:) or newlines and must not begin with a period. If the path specifies an existing file that is not a directory, then the -M option must also be specified.

-g group
Specify the primary group membership of a new user in the User Account database and may define the account as a member of the specified group in the Group Account database. The value can be the GID or the group name. If numeric, the group need not yet exist in the Group Account database.

-G groups
Specify a set of existing group names or GIDs, from the Group Account database, contained in a comma-separated character string. This defines the additional groups that a user can access via the sg(C) utility. Duplicates are ignored. An error is displayed for each member of groups that does not exist in the group database.

-M
Allows creation of an account with an existing file specified as a home directory. Must be used with the -d option. This is typically done to provide increased security for logins used by applications (such as Samba) that do not need home directories.

-m
Create the user home directory if it does not already exist. If the directory already exists, it must be accessible by the user. The home directory is populated with the proper shell environment files found in /usr/lib/mkuser. A mailbox file is created and greetings mail is sent to the user. When used on the usermod command line, -m should not be used without -d.

-o
When used in conjunction with -u, allow the use of a UID already assigned to another account. This option is only valid when the Low or Traditional security profiles are configured (specifically, REUSEUID=TRUE must be present in /etc/default/login).

-s shell
Specify the full pathname of the program that will be used as the user's initial shell program. The shell path must not contain colons (:) or newlines.

-u uid
Specify the user ID of the new user. It must be a positive integer less than 60000. The minimum and maxiumum values are defined in /etc/default/accounts.
The following options are supported by usermod only:

-D
Operate on system defaults instead of an individual user account.

-l newname
Specify the new name of the user to be modified. This option is only valid when the Low or Traditional security profiles are configured (specifically, REUSEUID=TRUE must be present in /etc/default/login).
The following options are supported by useradd, userdel, and usermod:

-x "extendedOptionString"
Specify extended account parameters in the form of attribute-value pairs. See the ``Extended options and option files'' section.

-X optionsFile
Specify the file from which a set of account attributes are to be taken.

Extended options and option files

Extended options use the following syntax:

{ attribute value }

Attributes that are associated with a set of values should use nested braces to enclose the values:

{ attribute { value value } }

When used on the command line, the outermost braces ({ }) must be enclosed in double-quotes (") to prevent intrepretation by the shell. Values containing spaces should be further enclosed in single quotes (').


NOTE: Extended options other than distributed and administrativeLockApplied are not valid for distributed accounts. The remaining parameters can be set on the master server, but they will only have effect on the server.

Option files use the same syntax (without the double-quotes).

Certain account status attributes (such as last successful login time and location) are not listed here, but can be queried with userls(ADM).

The following attributes are available (unless noted otherwise, each is valid with or without the -D option):


administrativeLockApplied
When set to 1, the account is locked and prevents a user from logging in. A value of 0 unlocks the account.

auditFlags
A set of flags which indicate which classes of audit event will be collected. The control mask lists the classes of audit records for which the user has non-default behavior. The audit disposition mask lists the classes of audit record for which the user is always audited. When an audit class appears in the control mask and not in the disposition mask it means that the user is never audited for that class. Event values are Default=0, On=1, Off=2.

auditMask
A list of the auditable events for the user's audit mask. See auditevents(M) for a list of valid events to specify with auditMask.

auths
The set of subsystem authorizations available: mem, terminal, lp, backup, auth, audit, cron, root, sysadmin, passwd, audittrail, backup_create, restore, queryspace, printqueue, printerstat, su, shutdown.

authsAvailable
The available subsystem authorizations on the system. This parameter is only valid with the -D option.

baseHome
Default absolute pathname of parent directory of user's home directory. The home directory itself has the same name as the user. This parameter is only valid with the -D option.

distributed
If this attribute is set to 1, then the account is distributed via NIS. If 0, it is not distributed. (NIS must be configured for accounts to be distributed.)

groups
The list of supplemental groups associated with a user.

integrityRequired
Indicates that inconsistencies between the TCB and System V account databases should result in a lockout that prevents users from logging in until the problem is corrected. This parameter is only valid with the -D option.

lastSuccessfulLogoutTime
The time at which a user last logged off the system.

lastSuccessfulLogoutTty
The device from which an account last successfully logged out.

loginGroup
The login group associated with an account.

maxLoginAttempts
The maximum number of consecutive unsuccessful login attempts allowed before an account is locked.

maxSuggestUid
The largest numeric identifier assigned to a new user by default. This parameter is only valid with the -D option.

maxUid
The largest numeric identifier that can be assigned to a user. This parameter is only valid with the -D option.

minSuggestUid
The smallest numeric identifier assigned to a new user by default. This parameter is only valid with the -D option.

minUid
The smallest numeric identifier that can be assigned to a user. This parameter is only valid with the -D option.

mode
The permission bits associated with a home directory.

nextUid
The next available pw_uid in the range of minUid to maxUid. This parameter is only valid with the -D option.

nice
The scheduling priority of user processes (established by login). See nice(C) for more information.

owner
The account name of a user who is held responsible for use of the account. This is only valid for accounts of type pseudo and root.

passwdCheckedForObviousness
If this attribute is set to 1, then a password is verified using the configured password checking. If the password is found to be invalid, it is rejected.

passwdChooseOwn
If this attribute is set to 1, then a user is allowed to choose a password. If set to 0, then a password is supplied by the password generator (or the administrator).

passwdExpirationTime
The interval of time, in days, since a password was last changed until the authentication process requires that a new password be chosen.

passwdGeneratedLength
The length of passwords produced by the password generator.

passwdLifetime
The interval of time, in days, since a password was last changed before the account is locked.

passwdMinChangeTime
The minimum interval of time, in days, which must pass between password changes.

passwdNullAllowed
If this attribute is set to 1, the authentication process does not prompt the user for a password if the password attribute is currently set to NULL. If the attribute is set to 0, then the user is prompted for a password during authentication regardless of the current value of the password attribute. Note that other attributes may still prevent the user from gaining access to an account.

passwdRunGenerator
If this attribute is set to 1, a password can be generated by the user. If set to 0, the user must create their own password.

passwdSignificantSegments
The number of characters (divided by 8) considered significant in password comparisons. For example, if passwdSignificantSegments was set to 1, then 8 characters would be significant, so login would match an entered password of abcd1234 with a stored password of abcd12345. The range is 1 to 10. This parameter is only valid with the -D option.

passwdUser
The account name of a user who may change the password of the account without needing subsystem authorization.

privs
The set of initial kernel privileges set by login. The privileges are: suspendaudit, configaudit, writeaudit, execsuid, setguid, chown.

pw_dir
The home directory of an account.

pw_gid
The group number associated with an account.

pw_shell
The login shell of a user.

pw_uid
The numeric identifier for an account. This parameter is not valid with the -D option.

tcbDatabaseIsMaster
Indicates that values from the Protected Password database and the System default database are used in preference to the value of attributes duplicated in /etc/passwd, /etc/shadow and various /etc/default files when a discrepancy is detected. This parameter is only valid with the -D option.

userType
The user type classification (a non-functional label). The values are: root, operator, sso, administrator, pseudo, general, retired. Normal user accounts are assigned the type general, and system accounts the type pseudo. The label retired is used only for accounts that have been retired.

Exit values

Upon completion, these utilities exit with one of the following values:

0
The action was successful.

>0
An error occurred.

Examples

The following command creates a distributed user account, mavrac, with a UID of 1600, a login group of type41, and a login shell of csh:

useradd -u 1600 -s /bin/csh -g type41 -x "{distributed 1}" mavrac

This command creates a remote user, nathanb, on a remote machine obie:

useradd nathanb:obie

This command changes the maximum number of failed login attempts for user mavrac to eight:

usermod -x "{maxLoginAttempts 8}" mavrac

This command changes the set of default authorizations for users who have not been assigned individual values:

usermod -D -x "{auths {mem lp cron} }"

Notes

The length of shell and home pathnames is limited by the maximum path length supported by the filesystem on which the shell and home directory reside. This is determined by .pathconf(S-osr5)

There is no limit to the comment entry length other than that an /etc/passwd file entry must not exceed 1024 characters in total length.

Files


/etc/passwd
password file

/etc/group
group file

/tcb/files/auth/?/*
Protected Password database

/etc/auth/?/*
Subsystem Authorizations database

/etc/default/accounts
user/group account creation defaults

See also

groupadd(ADM), groupls(ADM), userls(ADM), pathconf(S-osr5)

Standards conformance

useradd is conformant with AT&T SVID Issue 2.


© 2007 The SCO Group, Inc. All rights reserved.
SCO OpenServer Release 6.0.0 -- 05 June 2007