1 .\" Copyright (c) 1995-1996 Wolfram Schneider <wosch@FreeBSD.org>. Berlin.
2 .\" All rights reserved.
3 .\" Copyright (c) 2002-2004 Michael Telahun Makonnen <mtm@FreeBSD.org>
4 .\" All rights reserved.
6 .\" Redistribution and use in source and binary forms, with or without
7 .\" modification, are permitted provided that the following conditions
9 .\" 1. Redistributions of source code must retain the above copyright
10 .\" notice, this list of conditions and the following disclaimer.
11 .\" 2. Redistributions in binary form must reproduce the above copyright
12 .\" notice, this list of conditions and the following disclaimer in the
13 .\" documentation and/or other materials provided with the distribution.
15 .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
16 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
17 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
18 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
19 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
20 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
21 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
22 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
23 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
24 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 .\" $FreeBSD: src/usr.sbin/adduser/adduser.8,v 1.62 2008/03/16 21:36:05 brueffer Exp $
29 .Dd September 10, 2019
34 .Nd command for adding new users
39 .Op Fl L Ar login_class
43 .Op Fl g Ar login_group
45 .Op Fl m Ar message_file
52 utility is a shell script, implemented around the
54 command, for adding new users.
55 It creates passwd/group entries, a home directory,
56 copies dotfiles and sends the new user a welcome message.
57 It supports two modes of operation.
58 It may be used interactively
59 at the command line to add one user at a time, or it may be directed
60 to get the list of new users from a file and operate in batch mode
61 without requiring any user interaction.
63 .Bl -tag -width indent
66 The user name is restricted to whatever
69 Generally this means it
70 may contain only lowercase characters or digits but cannot begin with the
75 The reasons for this limit are historical.
76 Given that people have traditionally wanted to break this
77 limit for aesthetic reasons, it has never been of great importance to break
78 such a basic fundamental parameter in
80 The NIS protocol mandates an 8-character username.
81 If you need a longer login name for e-mail addresses,
82 you can define an alias in
83 .Pa /etc/mail/aliases .
85 This is typically known as the gecos field and usually contains
87 Additionally, it may contain a comma separated
88 list of values such as office number and work and home phones.
90 name contains an ampersand it will be replaced by the capitalized
91 login name when displayed by other programs.
94 character is not allowed.
98 argument is supplied only valid shells from the shell database
102 either the base name or the full path of the shell may be supplied.
104 Automatically generated or your choice.
105 It must be less than 32000.
106 .It "GID/login group"
107 Automatically generated or your choice.
108 It must be less than 32000.
110 You may choose an empty password, disable the password, use a
111 randomly generated password or specify your own plaintext password,
112 which will be encrypted before being stored in the user database.
115 Perhaps you are missing what
117 be done with this scheme that falls apart
118 with most other schemes.
119 With each user in their own group,
120 they can safely run with a umask of 002 instead of the usual 022
121 and create files in their home directory
122 without worrying about others being able to change them.
124 For a shared area you create a separate UID/GID (like cvs or ncvs on freefall),
125 you place each person that should be able to access this area into that new
128 This model of UID/GID administration allows far greater flexibility than lumping
129 users into groups and having to muck with the umask when working in a shared
132 I have been using this model for almost 10 years and found that it works
133 for most situations, and has never gotten in the way.
138 utility reads its configuration information from
139 .Pa /etc/adduser.conf .
140 If this file does not exist, it will use predefined defaults.
141 While this file may be edited by hand,
142 the safer option is to use the
144 command line argument.
147 will start interactive input, save the answers to its prompts in
148 .Pa /etc/adduser.conf ,
149 and promptly exit without modifying the user
151 Options specified on the command line will take precedence over
152 any values saved in this file.
154 .Bl -tag -width indent
156 Create new configuration file and exit.
157 This option is mutually exclusive with the
160 .It Fl d Ar partition
162 Default partition, under which all user directories
166 partition is considered special.
169 script will not create and populate a home directory by that name.
171 by default it attempts to create a home directory.
173 Do not attempt to create the home directory.
176 This option will lock the account by prepending the string
178 to the password field.
179 The account may be unlocked
180 by the super-user with the
184 .D1 Nm pw Cm unlock Op Ar name | uid
186 Get the list of accounts to create from
192 then get the list from standard input.
193 If this option is specified,
195 will operate in batch mode and will not seek any user input.
196 If an error is encountered while processing an account, it will write a
197 message to standard error and move to the next account.
199 of the input file is described below.
200 .It Fl g Ar login_group
202 if no login group is specified,
203 it is assumed to be the same as the username.
208 Space-separated list of additional groups.
209 This option allows the user to specify additional groups to add users to.
210 The user is a member of these groups in addition to their login group.
212 Print a summary of options and exit.
213 .It Fl k Ar directory
217 directory of new users;
221 .It Fl L Ar login_class
222 Set default login class.
224 Send new users a welcome message from
226 Specifying a value of
230 causes no message to be sent to new users.
231 Please note that the message
232 file can reference the internal variables of the
236 Create the home directory with permissions set to
239 Do not read the default configuration file.
241 Minimal user feedback.
242 In particular, the random password will not be echoed to
245 Default shell for new users.
248 argument may be the base name of the shell or the full path.
251 argument is supplied the shell must exist in
253 or be the special shell
255 to be considered a valid shell.
257 The existence or validity of the specified shell will not be checked.
266 utility allows the user to specify what type of password to create.
269 argument may have one of the following values:
270 .Bl -tag -width ".Cm random"
272 Disable the password.
273 Instead of an encrypted string, the password field will contain a single
276 The user may not log in until the super-user
277 manually enables the password.
279 Use an empty string as the password.
281 Use a user-supplied string as the password.
283 the user will be prompted for the password.
285 last (10th) field in the line is assumed to be the password.
287 Generate a random string and use it as a password.
288 The password will be echoed to standard output.
289 In addition, it will be available for inclusion in the message file in the
297 option is used, the account information must be stored in a specific
299 All empty lines or lines beginning with a
302 All other lines must contain ten colon
304 separated fields as described below.
305 Command line options do not take precedence
306 over values in the fields.
307 Only the password field may contain a
309 character as part of the string.
312 .D1 Ar name : uid : gid : class : change : expire : gecos : home_dir : shell : password
314 .Bl -tag -width ".Ar password"
317 This field may not be empty.
319 Numeric login user ID.
320 If this field is left empty, it will be automatically generated.
322 Numeric primary group ID.
323 If this field is left empty, a group with the
324 same name as the user name will be created and its GID will be used
328 This field may be left empty.
331 This field denotes the password change date for the account.
332 The format of this field is the same as the format of the
337 .Ar dd Ns - Ns Ar mmm Ns - Ns Ar yy Ns Op Ar yy ,
342 is for the month in numeric or alphabetical format:
348 is the four or two digit year.
349 To denote a time relative to the current date the format is:
350 .No + Ns Ar n Ns Op Ar mhdwoy ,
353 denotes a number, followed by the minutes, hours, days, weeks,
354 months or years after which the password must be changed.
355 This field may be left empty to turn it off.
358 This field denotes the expiry date of the account.
359 The account may not be used after the specified date.
360 The format of this field is the same as that for password ageing.
361 This field may be left empty to turn it off.
363 Full name and other extra information about the user.
366 If this field is left empty, it will be automatically
367 created by appending the username to the home partition.
370 home directory is considered special and
371 is understood to mean that no home directory is to be
372 created for the user.
375 This field should contain either the base name or
376 the full path to a valid login shell.
379 This field should contain a plaintext string, which will
380 be encrypted before being placed in the user database.
381 If the password type is
383 and this field is empty, it is assumed the account will have an empty password.
384 If the password type is
388 empty, its contents will be used
390 This field will be ignored if the
392 option is used with a
397 Be careful not to terminate this field with a closing
399 because it will be treated as part of the password.
402 .Bl -tag -width ".Pa /etc/adduser.message" -compact
403 .It Pa /etc/master.passwd
409 .It Pa /etc/login.conf
410 login classes database
411 .It Pa /etc/adduser.conf
412 configuration file for
414 .It Pa /etc/adduser.message
417 .It Pa /usr/share/skel
418 skeletal login directory
419 .It Pa /var/log/adduser
444 This manual page and the original script, in Perl, were written by
445 .An Wolfram Schneider Aq Mt wosch@FreeBSD.org .
446 The replacement script, written as a Bourne
447 shell script with some enhancements, and the man page modification that
448 came with it were done by
449 .An Mike Makonnen Aq Mt mtm@identd.net .
453 to correctly expand variables such as
457 in the message sent to new users, it must let the shell evaluate
458 each line of the message file.
459 This means that shell commands can also be embedded in the message file.
462 utility attempts to mitigate the possibility of an attacker using this
463 feature by refusing to evaluate the file if it is not owned and writable
464 only by the root user.
465 In addition, shell special characters and operators will have to be
466 escaped when used in the message file.
468 Also, password ageing and account expiry times are currently settable
469 only in batch mode or when specified in
470 .Pa /etc/adduser.conf .
471 The user should be able to set them in interactive mode as well.