table of contents
- bookworm 1:4.13+dfsg1-1+b1
- testing 1:4.16.0-7
- unstable 1:4.16.0-7
- experimental 1:4.17.0~rc1-2
USERADD(8) | System Management Commands | USERADD(8) |
NAME¶
useradd - create a new user or update default new user information
SYNOPSIS¶
useradd [options] LOGIN
useradd -D
useradd -D [options]
DESCRIPTION¶
useradd is a low level utility for adding users. On Debian, administrators should usually use adduser(8) instead.
When invoked without the -D option, the useradd command creates a new user account using the values specified on the command line plus the default values from the system. Depending on command line options, the useradd command will update system files and may also create the new user's home directory and copy initial files.
By default, a group will also be created for the new user (see -g, -N, -U, and USERGROUPS_ENAB).
OPTIONS¶
The options which apply to the useradd command are:
--badname
-b, --base-dir BASE_DIR
If this option is not specified, useradd will use the base directory specified by the HOME variable in /etc/default/useradd, or /home by default.
-c, --comment COMMENT
-d, --home-dir HOME_DIR
-D, --defaults
-e, --expiredate EXPIRE_DATE
If not specified, useradd will use the default expiry date specified by the EXPIRE variable in /etc/default/useradd, or an empty string (no expiry) by default.
-f, --inactive INACTIVE
If not specified, useradd will use the default inactivity period specified by the INACTIVE variable in /etc/default/useradd, or -1 by default.
-F, --add-subids-for-system
-g, --gid GROUP
If not specified, the behavior of useradd will depend on the USERGROUPS_ENAB variable in /etc/login.defs. If this variable is set to yes (or -U/--user-group is specified on the command line), a group will be created for the user, with the same name as her loginname. If the variable is set to no (or -N/--no-user-group is specified on the command line), useradd will set the primary group of the new user to the value specified by the GROUP variable in /etc/default/useradd, or 100 by default.
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
-h, --help
-k, --skel SKEL_DIR
This option is only valid if the -m (or --create-home) option is specified.
If this option is not set, the skeleton directory is defined by the SKEL variable in /etc/default/useradd or, by default, /etc/skel.
If possible, the ACLs and extended attributes are copied.
-K, --key KEY=VALUE
Example: -K PASS_MAX_DAYS =-1 can be used when creating an account to turn off password aging. Multiple -K options can be specified, e.g.: -K UID_MIN =100 -K UID_MAX=499
For the compatibility with previous Debian's useradd, the -O option is also supported.
-l, --no-log-init
By default, the user's entries in the lastlog and faillog databases are reset to avoid reusing the entry from a previously deleted user.
If this option is not specified, useradd will also consult the variable LOG_INIT in the /etc/default/useradd if set to no the user will not be added to the lastlog and faillog databases.
-m, --create-home
By default, if this option is not specified and CREATE_HOME is not enabled, no home directories are created.
The directory where the user's home directory is created must exist and have proper SELinux context and permissions. Otherwise the user's home directory cannot be created or accessed.
-M, --no-create-home
-N, --no-user-group
The default behavior (if the -g, -N, and -U options are not specified) is defined by the USERGROUPS_ENAB variable in /etc/login.defs.
-o, --non-unique
This option is only valid in combination with the -u option. As a user identity serves as key to map between users on one hand and permissions, file ownerships and other aspects that determine the system's behavior on the other hand, more than one login name will access the account of the given UID.
-p, --password PASSWORD
Without this option, the new account will be locked and with no password defined, i.e. a single exclamation mark in the respective field of /etc/shadow. This is a state where the user won't be able to access the account or to define a password himself.
Note:Avoid this option on the command line because the password (or encrypted password) will be visible by users listing the processes.
You should make sure the password respects the system's password policy.
-r, --system
System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).
Note that useradd will not create a home directory for such a user, regardless of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m options if you want a home directory for a system account to be created.
Note that this option will not update /etc/subuid and /etc/subgid. You have to specify the -F options if you want to update the files for a system account to be created.
-R, --root CHROOT_DIR
-P, --prefix PREFIX_DIR
-s, --shell SHELL
-u, --uid UID
See also the -r option and the UID_MAX description.
-U, --user-group
The default behavior (if the -g, -N, and -U options are not specified) is defined by the USERGROUPS_ENAB variable in /etc/login.defs.
-Z, --selinux-user SEUSER
Changing the default values¶
When invoked with only the -D option, useradd will display the current default values. When invoked with -D plus other options, useradd will update the default values for the specified options. Valid default-changing options are:
-b, --base-dir BASE_DIR
This option sets the HOME variable in /etc/default/useradd.
-e, --expiredate EXPIRE_DATE
This option sets the EXPIRE variable in /etc/default/useradd.
-f, --inactive INACTIVE
This option sets the INACTIVE variable in /etc/default/useradd.
-g, --gid GROUP
This option sets the GROUP variable in /etc/default/useradd.
-s, --shell SHELL
This option sets the SHELL variable in /etc/default/useradd.
NOTES¶
The system administrator is responsible for placing the default user files in the /etc/skel/ directory (or any other skeleton directory specified in /etc/default/useradd or on the command line).
CAVEATS¶
You may not add a user to a NIS or LDAP group. This must be performed on the corresponding server.
Similarly, if the username already exists in an external user database such as NIS or LDAP, useradd will deny the user account creation request.
Usernames may contain only lower and upper case letters, digits, underscores, or dashes. They can end with a dollar sign. Dashes are not allowed at the beginning of the username. Fully numeric usernames and usernames . or .. are also disallowed. It is not recommended to use usernames beginning with . character as their home directories will be hidden in the ls output.
On Debian, the only constraints are that usernames must neither start with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a colon (':'), a comma (','), or a whitespace (space: ' ', end of line: '\n', tabulation: '\t', etc.). Note that using a slash ('/') may break the default algorithm for the definition of the user's home directory.
Usernames may only be up to 32 characters long.
CONFIGURATION¶
The following configuration variables in /etc/login.defs change the behavior of this tool:
CREATE_HOME (boolean)
This setting does not apply to system users, and can be overridden on the command line.
GID_MAX (number), GID_MIN (number)
The default value for GID_MIN (resp. GID_MAX) is 1000 (resp. 60000).
HOME_MODE (number)
useradd and newusers use this to set the mode of the home directory they create.
LASTLOG_UID_MAX (number)
No LASTLOG_UID_MAX option present in the configuration means that there is no user ID limit for writing lastlog entries.
MAIL_DIR (string)
MAIL_FILE (string)
The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod, and userdel to create, move, or delete the user's mail spool.
MAX_MEMBERS_PER_GROUP (number)
The default value is 0, meaning that there are no limits in the number of members in a group.
This feature (split group) permits to limit the length of lines in the group file. This is useful to make sure that lines for NIS groups are not larger than 1024 characters.
If you need to enforce such limit, you can use 25.
Note: split groups may not be supported by all tools (even in the Shadow toolsuite). You should not use this variable unless you really need it.
PASS_MAX_DAYS (number)
PASS_MIN_DAYS (number)
PASS_WARN_AGE (number)
SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)
The default values for SUB_GID_MIN, SUB_GID_MAX, SUB_GID_COUNT are respectively 100000, 600100000 and 65536.
SUB_UID_MIN (number), SUB_UID_MAX (number), SUB_UID_COUNT (number)
The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 65536.
SYS_GID_MAX (number), SYS_GID_MIN (number)
The default value for SYS_GID_MIN (resp. SYS_GID_MAX) is 101 (resp. GID_MIN-1).
SYS_UID_MAX (number), SYS_UID_MIN (number)
The default value for SYS_UID_MIN (resp. SYS_UID_MAX) is 101 (resp. UID_MIN-1).
UID_MAX (number), UID_MIN (number)
The default value for UID_MIN (resp. UID_MAX) is 1000 (resp. 60000).
UMASK (number)
useradd and newusers use this mask to set the mode of the home directory they create if HOME_MODE is not set.
It is also used by pam_umask as the default umask value.
USERGROUPS_ENAB (boolean)
FILES¶
/etc/passwd
/etc/shadow
/etc/group
/etc/gshadow
/etc/default/useradd
/etc/shadow-maint/useradd-pre.d/*, /etc/shadow-maint/useradd-post.d/*
/etc/skel/
/etc/subgid
/etc/subuid
/etc/login.defs
EXIT VALUES¶
The useradd command exits with the following values:
0
1
2
3
4
6
9
10
12
14
SEE ALSO¶
chfn(1), chsh(1), passwd(1), crypt(3), groupadd(8), groupdel(8), groupmod(8), login.defs(5), newusers(8), subgid(5), subuid(5), userdel(8), usermod(8).
03/23/2023 | shadow-utils 4.13 |