1USERADD(8) System Management Commands USERADD(8)
2
3
4
6 useradd - create a new user or update default new user information
7
9 useradd [options] LOGIN
10
11 useradd -D
12
13 useradd -D [options]
14
16 When invoked without the -D option, the useradd command creates a new
17 user account using the values specified on the command line plus the
18 default values from the system. Depending on command line options, the
19 useradd command will update system files and may also create the new
20 user's home directory and copy initial files.
21
22 By default, a group will also be created for the new user (see -g, -N,
23 -U, and USERGROUPS_ENAB).
24
26 The options which apply to the useradd command are:
27
28 --badname
29 Allow names that do not conform to standards.
30
31 -b, --base-dir BASE_DIR
32 The default base directory for the system if -d HOME_DIR is not
33 specified. BASE_DIR is concatenated with the account name to
34 define the home directory. If the -m option is not used, BASE_DIR
35 must exist.
36
37 If this option is not specified, useradd will use the base
38 directory specified by the HOME variable in /etc/default/useradd,
39 or /home by default.
40
41 -c, --comment COMMENT
42 Any text string. It is generally a short description of the login,
43 and is currently used as the field for the user's full name.
44
45 -d, --home-dir HOME_DIR
46 The new user will be created using HOME_DIR as the value for the
47 user's login directory. The default is to append the LOGIN name to
48 BASE_DIR and use that as the login directory name. If the directory
49 HOME_DIR does not exist, then it will be created unless the -M
50 option is specified.
51
52 -D, --defaults
53 See below, the subsection "Changing the default values".
54
55 -e, --expiredate EXPIRE_DATE
56 The date on which the user account will be disabled. The date is
57 specified in the format YYYY-MM-DD.
58
59 If not specified, useradd will use the default expiry date
60 specified by the EXPIRE variable in /etc/default/useradd, or an
61 empty string (no expiry) by default.
62
63 -f, --inactive INACTIVE
64 The number of days after a password expires until the account is
65 permanently disabled. A value of 0 disables the account as soon as
66 the password has expired, and a value of -1 disables the feature.
67
68 If not specified, useradd will use the default inactivity period
69 specified by the INACTIVE variable in /etc/default/useradd, or -1
70 by default.
71
72 -g, --gid GROUP
73 The group name or number of the user's initial login group. The
74 group name must exist. A group number must refer to an already
75 existing group.
76
77 If not specified, the behavior of useradd will depend on the
78 USERGROUPS_ENAB variable in /etc/login.defs. If this variable is
79 set to yes (or -U/--user-group is specified on the command line), a
80 group will be created for the user, with the same name as her
81 loginname. If the variable is set to no (or -N/--no-user-group is
82 specified on the command line), useradd will set the primary group
83 of the new user to the value specified by the GROUP variable in
84 /etc/default/useradd, or 100 by default.
85
86 -G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
87 A list of supplementary groups which the user is also a member of.
88 Each group is separated from the next by a comma, with no
89 intervening whitespace. The groups are subject to the same
90 restrictions as the group given with the -g option. The default is
91 for the user to belong only to the initial group.
92
93 -h, --help
94 Display help message and exit.
95
96 -k, --skel SKEL_DIR
97 The skeleton directory, which contains files and directories to be
98 copied in the user's home directory, when the home directory is
99 created by useradd.
100
101 This option is only valid if the -m (or --create-home) option is
102 specified.
103
104 If this option is not set, the skeleton directory is defined by the
105 SKEL variable in /etc/default/useradd or, by default, /etc/skel.
106
107 If possible, the ACLs and extended attributes are copied.
108
109 -K, --key KEY=VALUE
110 Overrides /etc/login.defs defaults (UID_MIN, UID_MAX, UMASK,
111 PASS_MAX_DAYS and others).
112
113 Example: -K PASS_MAX_DAYS=-1 can be used when creating system
114 account to turn off password aging, even though system account has
115 no password at all. Multiple -K options can be specified, e.g.:
116 -K UID_MIN=100 -K UID_MAX=499
117
118 -l, --no-log-init
119 Do not add the user to the lastlog and faillog databases.
120
121 By default, the user's entries in the lastlog and faillog databases
122 are reset to avoid reusing the entry from a previously deleted
123 user.
124
125 -m, --create-home
126 Create the user's home directory if it does not exist. The files
127 and directories contained in the skeleton directory (which can be
128 defined with the -k option) will be copied to the home directory.
129
130 By default, if this option is not specified and CREATE_HOME is not
131 enabled, no home directories are created.
132
133 The directory where the user's home directory is created must exist
134 and have proper SELinux context and permissions. Otherwise the
135 user's home directory cannot be created or accessed.
136
137 -M, --no-create-home
138 Do no create the user's home directory, even if the system wide
139 setting from /etc/login.defs (CREATE_HOME) is set to yes.
140
141 -N, --no-user-group
142 Do not create a group with the same name as the user, but add the
143 user to the group specified by the -g option or by the GROUP
144 variable in /etc/default/useradd.
145
146 The default behavior (if the -g, -N, and -U options are not
147 specified) is defined by the USERGROUPS_ENAB variable in
148 /etc/login.defs.
149
150 -o, --non-unique
151 Allow the creation of a user account with a duplicate (non-unique)
152 UID.
153
154 This option is only valid in combination with the -u option.
155
156 -p, --password PASSWORD
157 The encrypted password, as returned by crypt(3). The default is to
158 disable the password.
159
160 Note: This option is not recommended because the password (or
161 encrypted password) will be visible by users listing the processes.
162
163 You should make sure the password respects the system's password
164 policy.
165
166 -r, --system
167 Create a system account.
168
169 System users will be created with no aging information in
170 /etc/shadow, and their numeric identifiers are chosen in the
171 SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead
172 of UID_MIN-UID_MAX (and their GID counterparts for the creation of
173 groups).
174
175 Note that useradd will not create a home directory for such a user,
176 regardless of the default setting in /etc/login.defs (CREATE_HOME).
177 You have to specify the -m options if you want a home directory for
178 a system account to be created.
179
180 -R, --root CHROOT_DIR
181 Apply changes in the CHROOT_DIR directory and use the configuration
182 files from the CHROOT_DIR directory.
183
184 -P, --prefix PREFIX_DIR
185 Apply changes in the PREFIX_DIR directory and use the configuration
186 files from the PREFIX_DIR directory. This option does not chroot
187 and is intended for preparing a cross-compilation target. Some
188 limitations: NIS and LDAP users/groups are not verified. PAM
189 authentication is using the host files. No SELINUX support.
190
191 -s, --shell SHELL
192 The name of the user's login shell. The default is to leave this
193 field blank, which causes the system to select the default login
194 shell specified by the SHELL variable in /etc/default/useradd, or
195 an empty string by default.
196
197 -u, --uid UID
198 The numerical value of the user's ID. This value must be unique,
199 unless the -o option is used. The value must be non-negative. The
200 default is to use the smallest ID value greater than or equal to
201 UID_MIN and greater than every other user.
202
203 See also the -r option and the UID_MAX description.
204
205 -U, --user-group
206 Create a group with the same name as the user, and add the user to
207 this group.
208
209 The default behavior (if the -g, -N, and -U options are not
210 specified) is defined by the USERGROUPS_ENAB variable in
211 /etc/login.defs.
212
213 -Z, --selinux-user SEUSER
214 The SELinux user for the user's login. The default is to leave this
215 field blank, which causes the system to select the default SELinux
216 user.
217
218 Changing the default values
219 When invoked with only the -D option, useradd will display the current
220 default values. When invoked with -D plus other options, useradd will
221 update the default values for the specified options. Valid
222 default-changing options are:
223
224 -b, --base-dir BASE_DIR
225 The path prefix for a new user's home directory. The user's name
226 will be affixed to the end of BASE_DIR to form the new user's home
227 directory name, if the -d option is not used when creating a new
228 account.
229
230 This option sets the HOME variable in /etc/default/useradd.
231
232 -e, --expiredate EXPIRE_DATE
233 The date on which the user account is disabled.
234
235 This option sets the EXPIRE variable in /etc/default/useradd.
236
237 -f, --inactive INACTIVE
238 The number of days after a password has expired before the account
239 will be disabled.
240
241 This option sets the INACTIVE variable in /etc/default/useradd.
242
243 -g, --gid GROUP
244 The group name or ID for a new user's initial group (when the
245 -N/--no-user-group is used or when the USERGROUPS_ENAB variable is
246 set to no in /etc/login.defs). The named group must exist, and a
247 numerical group ID must have an existing entry.
248
249 This option sets the GROUP variable in /etc/default/useradd.
250
251 -s, --shell SHELL
252 The name of a new user's login shell.
253
254 This option sets the SHELL variable in /etc/default/useradd.
255
257 The system administrator is responsible for placing the default user
258 files in the /etc/skel/ directory (or any other skeleton directory
259 specified in /etc/default/useradd or on the command line).
260
262 You may not add a user to a NIS or LDAP group. This must be performed
263 on the corresponding server.
264
265 Similarly, if the username already exists in an external user database
266 such as NIS or LDAP, useradd will deny the user account creation
267 request.
268
269 Usernames may contain only lower and upper case letters, digits,
270 underscores, or dashes. They can end with a dollar sign. Dashes are not
271 allowed at the beginning of the username. Fully numeric usernames and
272 usernames . or .. are also disallowed. It is not recommended to use
273 usernames beginning with . character as their home directories will be
274 hidden in the ls output.
275
276 Usernames may only be up to 32 characters long.
277
279 The following configuration variables in /etc/login.defs change the
280 behavior of this tool:
281
282 CREATE_HOME (boolean)
283 Indicate if a home directory should be created by default for new
284 users.
285
286 This setting does not apply to system users, and can be overridden
287 on the command line.
288
289 GID_MAX (number), GID_MIN (number)
290 Range of group IDs used for the creation of regular groups by
291 useradd, groupadd, or newusers.
292
293 The default value for GID_MIN (resp. GID_MAX) is 1000 (resp.
294 60000).
295
296 HOME_MODE (number)
297 The mode for new home directories. If not specified, the UMASK is
298 used to create the mode.
299
300 useradd and newusers use this to set the mode of the home directory
301 they create.
302
303 LASTLOG_UID_MAX (number)
304 Highest user ID number for which the lastlog entries should be
305 updated. As higher user IDs are usually tracked by remote user
306 identity and authentication services there is no need to create a
307 huge sparse lastlog file for them.
308
309 No LASTLOG_UID_MAX option present in the configuration means that
310 there is no user ID limit for writing lastlog entries.
311
312 MAIL_DIR (string)
313 The mail spool directory. This is needed to manipulate the mailbox
314 when its corresponding user account is modified or deleted. If not
315 specified, a compile-time default is used.
316
317 MAIL_FILE (string)
318 Defines the location of the users mail spool files relatively to
319 their home directory.
320
321 The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod, and
322 userdel to create, move, or delete the user's mail spool.
323
324 If MAIL_CHECK_ENAB is set to yes, they are also used to define the MAIL
325 environment variable.
326
327 MAX_MEMBERS_PER_GROUP (number)
328 Maximum members per group entry. When the maximum is reached, a new
329 group entry (line) is started in /etc/group (with the same name,
330 same password, and same GID).
331
332 The default value is 0, meaning that there are no limits in the
333 number of members in a group.
334
335 This feature (split group) permits to limit the length of lines in
336 the group file. This is useful to make sure that lines for NIS
337 groups are not larger than 1024 characters.
338
339 If you need to enforce such limit, you can use 25.
340
341 Note: split groups may not be supported by all tools (even in the
342 Shadow toolsuite). You should not use this variable unless you
343 really need it.
344
345 PASS_MAX_DAYS (number)
346 The maximum number of days a password may be used. If the password
347 is older than this, a password change will be forced. If not
348 specified, -1 will be assumed (which disables the restriction).
349
350 PASS_MIN_DAYS (number)
351 The minimum number of days allowed between password changes. Any
352 password changes attempted sooner than this will be rejected. If
353 not specified, -1 will be assumed (which disables the restriction).
354
355 PASS_WARN_AGE (number)
356 The number of days warning given before a password expires. A zero
357 means warning is given only upon the day of expiration, a negative
358 value means no warning is given. If not specified, no warning will
359 be provided.
360
361 SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)
362 If /etc/subuid exists, the commands useradd and newusers (unless
363 the user already have subordinate group IDs) allocate SUB_GID_COUNT
364 unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each
365 new user.
366
367 The default values for SUB_GID_MIN, SUB_GID_MAX, SUB_GID_COUNT are
368 respectively 100000, 600100000 and 65536.
369
370 SUB_UID_MIN (number), SUB_UID_MAX (number), SUB_UID_COUNT (number)
371 If /etc/subuid exists, the commands useradd and newusers (unless
372 the user already have subordinate user IDs) allocate SUB_UID_COUNT
373 unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each
374 new user.
375
376 The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are
377 respectively 100000, 600100000 and 65536.
378
379 SYS_GID_MAX (number), SYS_GID_MIN (number)
380 Range of group IDs used for the creation of system groups by
381 useradd, groupadd, or newusers.
382
383 The default value for SYS_GID_MIN (resp. SYS_GID_MAX) is 101
384 (resp. GID_MIN-1).
385
386 SYS_UID_MAX (number), SYS_UID_MIN (number)
387 Range of user IDs used for the creation of system users by useradd
388 or newusers.
389
390 The default value for SYS_UID_MIN (resp. SYS_UID_MAX) is 101
391 (resp. UID_MIN-1).
392
393 UID_MAX (number), UID_MIN (number)
394 Range of user IDs used for the creation of regular users by useradd
395 or newusers.
396
397 The default value for UID_MIN (resp. UID_MAX) is 1000 (resp.
398 60000).
399
400 UMASK (number)
401 The file mode creation mask is initialized to this value. If not
402 specified, the mask will be initialized to 022.
403
404 useradd and newusers use this mask to set the mode of the home
405 directory they create if HOME_MODE is not set.
406
407 It is also used by login to define users' initial umask. Note that
408 this mask can be overridden by the user's GECOS line (if
409 QUOTAS_ENAB is set) or by the specification of a limit with the K
410 identifier in limits(5).
411
412 USERGROUPS_ENAB (boolean)
413 Enable setting of the umask group bits to be the same as owner bits
414 (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid
415 is the same as gid, and username is the same as the primary group
416 name.
417
418 If set to yes, userdel will remove the user's group if it contains
419 no more members, and useradd will create by default a group with
420 the name of the user.
421
423 /etc/passwd
424 User account information.
425
426 /etc/shadow
427 Secure user account information.
428
429 /etc/group
430 Group account information.
431
432 /etc/gshadow
433 Secure group account information.
434
435 /etc/default/useradd
436 Default values for account creation.
437
438 /etc/skel/
439 Directory containing default files.
440
441 /etc/subgid
442 Per user subordinate group IDs.
443
444 /etc/subuid
445 Per user subordinate user IDs.
446
447 /etc/login.defs
448 Shadow password suite configuration.
449
451 The useradd command exits with the following values:
452
453 0
454 success
455
456 1
457 can't update password file
458
459 2
460 invalid command syntax
461
462 3
463 invalid argument to option
464
465 4
466 UID already in use (and no -o)
467
468 6
469 specified group doesn't exist
470
471 9
472 username already in use
473
474 10
475 can't update group file
476
477 12
478 can't create home directory
479
480 14
481 can't update SELinux user mapping
482
484 chfn(1), chsh(1), passwd(1), crypt(3), groupadd(8), groupdel(8),
485 groupmod(8), login.defs(5), newusers(8), subgid(5), subuid(5),
486 userdel(8), usermod(8).
487
488
489
490shadow-utils 4.8.1 03/29/2021 USERADD(8)