1USERADD(8) System Management Commands USERADD(8)
2
3
4
6 useradd - create a new user or update default new user information
7
9 useradd [options] LOGIN
10
11 useradd -D
12
13 useradd -D [options]
14
16 When invoked without the -D option, the useradd command creates a new
17 user account using the values specified on the command line plus the
18 default values from the system. Depending on command line options, the
19 useradd command will update system files and may also create the new
20 user's home directory and copy initial files.
21
22 By default, a group will also be created for the new user (see -g, -N,
23 -U, and USERGROUPS_ENAB).
24
26 The options which apply to the useradd command are:
27
28 --badname
29 Allow names that do not conform to standards.
30
31 -b, --base-dir BASE_DIR
32 The default base directory for the system if -d HOME_DIR is not
33 specified. BASE_DIR is concatenated with the account name to
34 define the home directory.
35
36 If this option is not specified, useradd will use the base
37 directory specified by the HOME variable in /etc/default/useradd,
38 or /home by default.
39
40 -c, --comment COMMENT
41 Any text string. It is generally a short description of the
42 account, and is currently used as the field for the user's full
43 name.
44
45 -d, --home-dir HOME_DIR
46 The new user will be created using HOME_DIR as the value for the
47 user's login directory. The default is to append the LOGIN name to
48 BASE_DIR and use that as the login directory name. If the directory
49 HOME_DIR does not exist, then it will be created unless the -M
50 option is specified.
51
52 -D, --defaults
53 See below, the subsection "Changing the default values".
54
55 -e, --expiredate EXPIRE_DATE
56 The date on which the user account will be disabled. The date is
57 specified in the format YYYY-MM-DD.
58
59 If not specified, useradd will use the default expiry date
60 specified by the EXPIRE variable in /etc/default/useradd, or an
61 empty string (no expiry) by default.
62
63 -f, --inactive INACTIVE
64 defines the number of days after the password exceeded its maximum
65 age where the user is expected to replace this password. The value
66 is stored in the shadow password file. An input of 0 will disable
67 an expired password with no delay. An input of -1 will blank the
68 respective field in the shadow password file. See shadow(5)for more
69 information.
70
71 If not specified, useradd will use the default inactivity period
72 specified by the INACTIVE variable in /etc/default/useradd, or -1
73 by default.
74
75 -F, --add-subids-for-system
76 Update /etc/subuid and /etc/subgid even when creating a system
77 account with -r option.
78
79 -g, --gid GROUP
80 The name or the number of the user's primary group. The group name
81 must exist. A group number must refer to an already existing group.
82
83 If not specified, the behavior of useradd will depend on the
84 USERGROUPS_ENAB variable in /etc/login.defs. If this variable is
85 set to yes (or -U/--user-group is specified on the command line), a
86 group will be created for the user, with the same name as her
87 loginname. If the variable is set to no (or -N/--no-user-group is
88 specified on the command line), useradd will set the primary group
89 of the new user to the value specified by the GROUP variable in
90 /etc/default/useradd, or 1000 by default.
91
92 -G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
93 A list of supplementary groups which the user is also a member of.
94 Each group is separated from the next by a comma, with no
95 intervening whitespace. The groups are subject to the same
96 restrictions as the group given with the -g option. The default is
97 for the user to belong only to the initial group. In addition to
98 passing in the -G flag, you can add the option GROUPS to the file
99 /etc/default/useradd which in turn will add all users to those
100 supplementary groups.
101
102 -h, --help
103 Display help message and exit.
104
105 -k, --skel SKEL_DIR
106 The skeleton directory, which contains files and directories to be
107 copied in the user's home directory, when the home directory is
108 created by useradd.
109
110 This option is only valid if the -m (or --create-home) option is
111 specified.
112
113 If this option is not set, the skeleton directory is defined by the
114 SKEL variable in /etc/default/useradd or, by default, /etc/skel.
115
116 If possible, the ACLs and extended attributes are copied.
117
118 -K, --key KEY=VALUE
119 Overrides /etc/login.defs defaults (UID_MIN, UID_MAX, UMASK,
120 PASS_MAX_DAYS and others).
121
122 Example: -K PASS_MAX_DAYS =-1 can be used when creating an account
123 to turn off password aging. Multiple -K options can be specified,
124 e.g.: -K UID_MIN =100 -K UID_MAX=499
125
126 -l, --no-log-init
127 Do not add the user to the lastlog and faillog databases.
128
129 By default, the user's entries in the lastlog and faillog databases
130 are reset to avoid reusing the entry from a previously deleted
131 user.
132
133 If this option is not specified, useradd will also consult the
134 variable LOG_INIT in the /etc/default/useradd if set to no the user
135 will not be added to the lastlog and faillog databases.
136
137 -m, --create-home
138 Create the user's home directory if it does not exist. The files
139 and directories contained in the skeleton directory (which can be
140 defined with the -k option) will be copied to the home directory.
141
142 By default, if this option is not specified and CREATE_HOME is not
143 enabled, no home directories are created.
144
145 The directory where the user's home directory is created must exist
146 and have proper SELinux context and permissions. Otherwise the
147 user's home directory cannot be created or accessed.
148
149 -M, --no-create-home
150 Do not create the user's home directory, even if the system wide
151 setting from /etc/login.defs (CREATE_HOME) is set to yes.
152
153 -N, --no-user-group
154 Do not create a group with the same name as the user, but add the
155 user to the group specified by the -g option or by the GROUP
156 variable in /etc/default/useradd.
157
158 The default behavior (if the -g, -N, and -U options are not
159 specified) is defined by the USERGROUPS_ENAB variable in
160 /etc/login.defs.
161
162 -o, --non-unique
163 allows the creation of an account with an already existing UID.
164
165 This option is only valid in combination with the -u option. As a
166 user identity serves as key to map between users on one hand and
167 permissions, file ownerships and other aspects that determine the
168 system's behavior on the other hand, more than one login name will
169 access the account of the given UID.
170
171 -p, --password PASSWORD
172 defines an initial password for the account. PASSWORD is expected
173 to be encrypted, as returned by crypt (3). Within a shell script,
174 this option allows to create efficiently batches of users.
175
176 Without this option, the new account will be locked and with no
177 password defined, i.e. a single exclamation mark in the respective
178 field of /etc/shadow. This is a state where the user won't be able
179 to access the account or to define a password himself.
180
181 Note:Avoid this option on the command line because the password (or
182 encrypted password) will be visible by users listing the processes.
183
184 You should make sure the password respects the system's password
185 policy.
186
187 -r, --system
188 Create a system account.
189
190 System users will be created with no aging information in
191 /etc/shadow, and their numeric identifiers are chosen in the
192 SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead
193 of UID_MIN-UID_MAX (and their GID counterparts for the creation of
194 groups).
195
196 Note that useradd will not create a home directory for such a user,
197 regardless of the default setting in /etc/login.defs (CREATE_HOME).
198 You have to specify the -m options if you want a home directory for
199 a system account to be created.
200
201 Note that this option will not update /etc/subuid and /etc/subgid.
202 You have to specify the -F options if you want to update the files
203 for a system account to be created.
204
205 -R, --root CHROOT_DIR
206 Apply changes in the CHROOT_DIR directory and use the configuration
207 files from the CHROOT_DIR directory. Only absolute paths are
208 supported.
209
210 -P, --prefix PREFIX_DIR
211 Apply changes to configuration files under the root filesystem
212 found under the directory PREFIX_DIR. This option does not chroot
213 and is intended for preparing a cross-compilation target. Some
214 limitations: NIS and LDAP users/groups are not verified. PAM
215 authentication is using the host files. No SELINUX support.
216
217 -s, --shell SHELL
218 sets the path to the user's login shell. Without this option, the
219 system will use the SHELL variable specified in
220 /etc/default/useradd, or, if that is as well not set, the field for
221 the login shell in /etc/passwd remains empty.
222
223 -u, --uid UID
224 The numerical value of the user's ID. This value must be unique,
225 unless the -o option is used. The value must be non-negative. The
226 default is to use the smallest ID value greater than or equal to
227 UID_MIN and greater than every other user.
228
229 See also the -r option and the UID_MAX description.
230
231 -U, --user-group
232 Create a group with the same name as the user, and add the user to
233 this group.
234
235 The default behavior (if the -g, -N, and -U options are not
236 specified) is defined by the USERGROUPS_ENAB variable in
237 /etc/login.defs.
238
239 -Z, --selinux-user SEUSER
240 defines the SELinux user for the new account. Without this option,
241 SELinux uses the default user. Note that the shadow system doesn't
242 store the selinux-user, it uses semanage(8) for that.
243
244 --selinux-range SERANGE
245 defines the SELinux MLS range for the new account. Without this
246 option, SELinux uses the default range. Note that the shadow system
247 doesn't store the selinux-range, it uses semanage(8) for that.
248
249 This option is only valid if the -Z (or --selinux-user) option is
250 specified.
251
252 Changing the default values
253 When invoked with only the -D option, useradd will display the current
254 default values. When invoked with -D plus other options, useradd will
255 update the default values for the specified options. Valid
256 default-changing options are:
257
258 -b, --base-dir BASE_DIR
259 sets the path prefix for a new user's home directory. The user's
260 name will be affixed to the end of BASE_DIR to form the new user's
261 home directory name, if the -d option is not used when creating a
262 new account.
263
264 This option sets the HOME variable in /etc/default/useradd.
265
266 -e, --expiredate EXPIRE_DATE
267 sets the date on which newly created user accounts are disabled.
268
269 This option sets the EXPIRE variable in /etc/default/useradd.
270
271 -f, --inactive INACTIVE
272 defines the number of days after the password exceeded its maximum
273 age where the user is expected to replace this password. See
274 shadow(5)for more information.
275
276 This option sets the INACTIVE variable in /etc/default/useradd.
277
278 -g, --gid GROUP
279 sets the default primary group for newly created users, accepting
280 group names or a numerical group ID. The named group must exist,
281 and the GID must have an existing entry.
282
283 This option sets the GROUP variable in /etc/default/useradd.
284
285 -s, --shell SHELL
286 defines the default login shell for new users.
287
288 This option sets the SHELL variable in /etc/default/useradd.
289
291 The system administrator is responsible for placing the default user
292 files in the /etc/skel/ directory (or any other skeleton directory
293 specified in /etc/default/useradd or on the command line).
294
296 You may not add a user to a NIS or LDAP group. This must be performed
297 on the corresponding server.
298
299 Similarly, if the username already exists in an external user database
300 such as NIS or LDAP, useradd will deny the user account creation
301 request.
302
303 Usernames may contain only lower and upper case letters, digits,
304 underscores, or dashes. They can end with a dollar sign. Dashes are not
305 allowed at the beginning of the username. Fully numeric usernames and
306 usernames . or .. are also disallowed. It is not recommended to use
307 usernames beginning with . character as their home directories will be
308 hidden in the ls output.
309
310 Usernames may only be up to 32 characters long.
311
313 The following configuration variables in /etc/login.defs change the
314 behavior of this tool:
315
316 CREATE_HOME (boolean)
317 Indicate if a home directory should be created by default for new
318 users.
319
320 This setting does not apply to system users, and can be overridden
321 on the command line.
322
323 GID_MAX (number), GID_MIN (number)
324 Range of group IDs used for the creation of regular groups by
325 useradd, groupadd, or newusers.
326
327 The default value for GID_MIN (resp. GID_MAX) is 1000 (resp.
328 60000).
329
330 HOME_MODE (number)
331 The mode for new home directories. If not specified, the UMASK is
332 used to create the mode.
333
334 useradd and newusers use this to set the mode of the home directory
335 they create.
336
337 LASTLOG_UID_MAX (number)
338 Highest user ID number for which the lastlog entries should be
339 updated. As higher user IDs are usually tracked by remote user
340 identity and authentication services there is no need to create a
341 huge sparse lastlog file for them.
342
343 No LASTLOG_UID_MAX option present in the configuration means that
344 there is no user ID limit for writing lastlog entries.
345
346 MAIL_DIR (string)
347 The mail spool directory. This is needed to manipulate the mailbox
348 when its corresponding user account is modified or deleted. If not
349 specified, a compile-time default is used. The parameter
350 CREATE_MAIL_SPOOL in /etc/default/useradd determines whether the
351 mail spool should be created.
352
353 MAIL_FILE (string)
354 Defines the location of the users mail spool files relatively to
355 their home directory.
356
357 The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod, and
358 userdel to create, move, or delete the user's mail spool.
359
360 If MAIL_CHECK_ENAB is set to yes, they are also used to define the MAIL
361 environment variable.
362
363 MAX_MEMBERS_PER_GROUP (number)
364 Maximum members per group entry. When the maximum is reached, a new
365 group entry (line) is started in /etc/group (with the same name,
366 same password, and same GID).
367
368 The default value is 0, meaning that there are no limits in the
369 number of members in a group.
370
371 This feature (split group) permits to limit the length of lines in
372 the group file. This is useful to make sure that lines for NIS
373 groups are not larger than 1024 characters.
374
375 If you need to enforce such limit, you can use 25.
376
377 Note: split groups may not be supported by all tools (even in the
378 Shadow toolsuite). You should not use this variable unless you
379 really need it.
380
381 PASS_MAX_DAYS (number)
382 The maximum number of days a password may be used. If the password
383 is older than this, a password change will be forced. If not
384 specified, -1 will be assumed (which disables the restriction).
385
386 PASS_MIN_DAYS (number)
387 The minimum number of days allowed between password changes. Any
388 password changes attempted sooner than this will be rejected. If
389 not specified, 0 will be assumed (which disables the restriction).
390
391 PASS_WARN_AGE (number)
392 The number of days warning given before a password expires. A zero
393 means warning is given only upon the day of expiration, a negative
394 value means no warning is given. If not specified, no warning will
395 be provided.
396
397 SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)
398 If /etc/subuid exists, the commands useradd and newusers (unless
399 the user already have subordinate group IDs) allocate SUB_GID_COUNT
400 unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each
401 new user.
402
403 The default values for SUB_GID_MIN, SUB_GID_MAX, SUB_GID_COUNT are
404 respectively 100000, 600100000 and 65536.
405
406 SUB_UID_MIN (number), SUB_UID_MAX (number), SUB_UID_COUNT (number)
407 If /etc/subuid exists, the commands useradd and newusers (unless
408 the user already have subordinate user IDs) allocate SUB_UID_COUNT
409 unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each
410 new user.
411
412 The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are
413 respectively 100000, 600100000 and 65536.
414
415 SYS_GID_MAX (number), SYS_GID_MIN (number)
416 Range of group IDs used for the creation of system groups by
417 useradd, groupadd, or newusers.
418
419 The default value for SYS_GID_MIN (resp. SYS_GID_MAX) is 101
420 (resp. GID_MIN-1).
421
422 SYS_UID_MAX (number), SYS_UID_MIN (number)
423 Range of user IDs used for the creation of system users by useradd
424 or newusers.
425
426 The default value for SYS_UID_MIN (resp. SYS_UID_MAX) is 101
427 (resp. UID_MIN-1).
428
429 UID_MAX (number), UID_MIN (number)
430 Range of user IDs used for the creation of regular users by useradd
431 or newusers.
432
433 The default value for UID_MIN (resp. UID_MAX) is 1000 (resp.
434 60000).
435
436 UMASK (number)
437 The file mode creation mask is initialized to this value. If not
438 specified, the mask will be initialized to 022.
439
440 useradd and newusers use this mask to set the mode of the home
441 directory they create if HOME_MODE is not set.
442
443 It is also used by login to define users' initial umask. Note that
444 this mask can be overridden by the user's GECOS line (if
445 QUOTAS_ENAB is set) or by the specification of a limit with the K
446 identifier in limits(5).
447
448 USERGROUPS_ENAB (boolean)
449 Enable setting of the umask group bits to be the same as owner bits
450 (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid
451 is the same as gid, and username is the same as the primary group
452 name.
453
454 If set to yes, userdel will remove the user's group if it contains
455 no more members, and useradd will create by default a group with
456 the name of the user.
457
459 /etc/passwd
460 User account information.
461
462 /etc/shadow
463 Secure user account information.
464
465 /etc/group
466 Group account information.
467
468 /etc/gshadow
469 Secure group account information.
470
471 /etc/default/useradd
472 Default values for account creation.
473
474 /etc/shadow-maint/useradd-pre.d/*, /etc/shadow-maint/useradd-post.d/*
475 Run-part files to execute during user addition. The environment
476 variable ACTION will be populated with useradd and SUBJECT with the
477 username. useradd-pre.d will be executed prior to any user
478 addition. useradd-post.d will execute after user addition. If a
479 script exits non-zero then execution will terminate.
480
481 /etc/skel/
482 Directory containing default files.
483
484 /etc/subgid
485 Per user subordinate group IDs.
486
487 /etc/subuid
488 Per user subordinate user IDs.
489
490 /etc/login.defs
491 Shadow password suite configuration.
492
494 The useradd command exits with the following values:
495
496 0
497 success
498
499 1
500 can't update password file
501
502 2
503 invalid command syntax
504
505 3
506 invalid argument to option
507
508 4
509 UID already in use (and no -o)
510
511 6
512 specified group doesn't exist
513
514 9
515 username or group name already in use
516
517 10
518 can't update group file
519
520 12
521 can't create home directory
522
523 14
524 can't update SELinux user mapping
525
527 chfn(1), chsh(1), passwd(1), crypt(3), groupadd(8), groupdel(8),
528 groupmod(8), login.defs(5), newusers(8), subgid(5), subuid(5),
529 userdel(8), usermod(8).
530
531
532
533shadow-utils 4.14.0 10/03/2023 USERADD(8)