1 .\" Copyright (c) 1995-1996 Wolfram Schneider <wosch@FreeBSD.org>. Berlin.
2 .\" All rights reserved.
3 .\" Copyright (c) 2002-2004 Michael Telahun Makonnen <mtm@FreeBSD.org>
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 .Nd command for adding new users
37 .Op Fl L Ar login_class
41 .Op Fl g Ar login_group
43 .Op Fl m Ar message_file
50 utility is a shell script, implemented around the
52 command, for adding new users.
53 It creates passwd/group entries, a home directory,
54 copies dotfiles and sends the new user a welcome message.
55 On systems where the parent of home directory is a ZFS dataset,
57 will create the home directory as a ZFS dataset by default,
58 unless the system administrator specified otherwise.
59 It supports two modes of operation.
60 It may be used interactively
61 at the command line to add one user at a time, or it may be directed
62 to get the list of new users from a file and operate in batch mode
63 without requiring any user interaction.
65 .Bl -tag -width indent
68 The user name is restricted to whatever
71 Generally this means it
72 may contain only lowercase characters or digits but cannot begin with the
77 The reasons for this limit are historical.
78 Given that people have traditionally wanted to break this
79 limit for aesthetic reasons, it has never been of great importance to break
80 such a basic fundamental parameter in
87 world; people have done this and it works, but you will have problems
88 with any precompiled programs, or source that assumes the 8-character
89 name limit, such as NIS.
90 The NIS protocol mandates an 8-character username.
91 If you need a longer login name for e-mail addresses,
92 you can define an alias in
93 .Pa /etc/mail/aliases .
95 This is typically known as the gecos field and usually contains
97 Additionally, it may contain a comma separated
98 list of values such as office number and work and home phones.
100 name contains an ampersand it will be replaced by the capitalized
101 login name when displayed by other programs.
104 character is not allowed.
108 argument is supplied only valid shells from the shell database
112 either the base name or the full path of the shell may be supplied.
114 Automatically generated or your choice.
115 It must be less than 32000.
116 .It "GID/login group"
117 Automatically generated or your choice.
118 It must be less than 32000.
120 You may choose an empty password, disable the password, use a
121 randomly generated password or specify your own plaintext password,
122 which will be encrypted before being stored in the user database.
125 Perhaps you are missing what
127 be done with this scheme that falls apart
128 with most other schemes.
129 With each user in their own group,
130 they can safely run with a umask of 002 instead of the usual 022
131 and create files in their home directory
132 without worrying about others being able to change them.
134 For a shared area you create a separate UID/GID, you place each person
135 that should be able to access this area into that new group.
137 This model of UID/GID administration allows far greater flexibility than lumping
138 users into groups and having to muck with the umask when working in a shared
141 I have been using this model for almost 10 years and found that it works
142 for most situations, and has never gotten in the way.
147 utility reads its configuration information from
148 .Pa /etc/adduser.conf .
149 If this file does not exist, it will use predefined defaults.
150 While this file may be edited by hand,
151 the safer option is to use the
153 command line argument.
156 will start interactive input, save the answers to its prompts in
157 .Pa /etc/adduser.conf ,
158 and promptly exit without modifying the user
160 Options specified on the command line will take precedence over
161 any values saved in this file.
163 .Bl -tag -width indent
165 Create new configuration file and exit.
166 This option is mutually exclusive with the
169 .It Fl d Ar partition
171 Default partition, under which all user directories
175 partition is considered special.
178 script will not create and populate a home directory by that name.
180 by default it attempts to create a home directory.
182 Do not attempt to create the home directory.
185 This option will lock the account by prepending the string
187 to the password field.
188 The account may be unlocked
189 by the super-user with the
193 .D1 Nm pw Cm unlock Op Ar name | uid
195 Get the list of accounts to create from
201 then get the list from standard input.
202 If this option is specified,
204 will operate in batch mode and will not seek any user input.
205 If an error is encountered while processing an account, it will write a
206 message to standard error and move to the next account.
208 of the input file is described below.
209 .It Fl g Ar login_group
211 if no login group is specified,
212 it is assumed to be the same as the username.
217 Space-separated list of additional groups.
218 This option allows the user to specify additional groups to add users to.
219 The user is a member of these groups in addition to their login group.
221 Print a summary of options and exit.
222 .It Fl k Ar directory
226 directory of new users;
230 .It Fl L Ar login_class
231 Set default login class.
233 Send new users a welcome message from
235 Specifying a value of
239 causes no message to be sent to new users.
240 Please note that the message
241 file can reference the internal variables of the
245 Create the home directory with permissions set to
248 Do not read the default configuration file.
250 Minimal user feedback.
251 In particular, the random password will not be echoed to
254 Default shell for new users.
257 argument may be the base name of the shell or the full path.
260 argument is supplied the shell must exist in
262 or be the special shell
264 to be considered a valid shell.
266 The existence or validity of the specified shell will not be checked.
275 utility allows the user to specify what type of password to create.
278 argument may have one of the following values:
279 .Bl -tag -width ".Cm random"
281 Disable the password.
282 Instead of an encrypted string, the password field will contain a single
285 The user may not log in until the super-user
286 manually enables the password.
288 Use an empty string as the password.
290 Use a user-supplied string as the password.
292 the user will be prompted for the password.
294 last (10th) field in the line is assumed to be the password.
296 Generate a random string and use it as a password.
297 The password will be echoed to standard output.
298 In addition, it will be available for inclusion in the message file in the
303 Do not attempt to create ZFS home dataset.
308 option is used, the account information must be stored in a specific
310 All empty lines or lines beginning with a
313 All other lines must contain ten colon
315 separated fields as described below.
316 Command line options do not take precedence
317 over values in the fields.
318 Only the password field may contain a
320 character as part of the string.
323 .D1 Ar name : uid : gid : class : change : expire : gecos : home_dir : shell : password
325 .Bl -tag -width ".Ar password"
328 This field may not be empty.
330 Numeric login user ID.
331 If this field is left empty, it will be automatically generated.
333 Numeric primary group ID.
334 If this field is left empty, a group with the
335 same name as the user name will be created and its GID will be used
339 This field may be left empty.
342 This field denotes the password change date for the account.
343 The format of this field is the same as the format of the
348 .Ar dd Ns - Ns Ar mmm Ns - Ns Ar yy Ns Op Ar yy ,
353 is for the month in numeric or alphabetical format:
359 is the four or two digit year.
360 To denote a time relative to the current date the format is:
361 .No + Ns Ar n Ns Op Ar mhdwoy ,
364 denotes a number, followed by the minutes, hours, days, weeks,
365 months or years after which the password must be changed.
366 This field may be left empty to turn it off.
369 This field denotes the expiry date of the account.
370 The account may not be used after the specified date.
371 The format of this field is the same as that for password ageing.
372 This field may be left empty to turn it off.
374 Full name and other extra information about the user.
377 If this field is left empty, it will be automatically
378 created by appending the username to the home partition.
381 home directory is considered special and
382 is understood to mean that no home directory is to be
383 created for the user.
386 This field should contain either the base name or
387 the full path to a valid login shell.
390 This field should contain a plaintext string, which will
391 be encrypted before being placed in the user database.
392 If the password type is
394 and this field is empty, it is assumed the account will have an empty password.
395 If the password type is
399 empty, its contents will be used
401 This field will be ignored if the
403 option is used with a
408 Be careful not to terminate this field with a closing
410 because it will be treated as part of the password.
413 .Bl -tag -width ".Pa /etc/adduser.message" -compact
414 .It Pa /etc/master.passwd
420 .It Pa /etc/login.conf
421 login classes database
422 .It Pa /etc/adduser.conf
423 configuration file for
425 .It Pa /etc/adduser.message
428 .It Pa /usr/share/skel
429 skeletal login directory
430 .It Pa /var/log/adduser
455 This manual page and the original script, in Perl, was written by
456 .An Wolfram Schneider Aq Mt wosch@FreeBSD.org .
457 The replacement script, written as a Bourne
458 shell script with some enhancements, and the man page modification that
459 came with it were done by
460 .An Mike Makonnen Aq Mt mtm@identd.net .
464 to correctly expand variables such as
468 in the message sent to new users, it must let the shell evaluate
469 each line of the message file.
470 This means that shell commands can also be embedded in the message file.
473 utility attempts to mitigate the possibility of an attacker using this
474 feature by refusing to evaluate the file if it is not owned and writable
475 only by the root user.
476 In addition, shell special characters and operators will have to be
477 escaped when used in the message file.
479 Also, password ageing and account expiry times are currently settable
480 only in batch mode or when specified in
481 .Pa /etc/adduser.conf .
482 The user should be able to set them in interactive mode as well.