123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483 |
- .\" Copyright (c) 1995-1996 Wolfram Schneider <wosch@FreeBSD.org>. Berlin.
- .\" All rights reserved.
- .\" Copyright (c) 2002-2004 Michael Telahun Makonnen <mtm@FreeBSD.org>
- .\" All rights reserved.
- .\"
- .\" Redistribution and use in source and binary forms, with or without
- .\" modification, are permitted provided that the following conditions
- .\" are met:
- .\" 1. Redistributions of source code must retain the above copyright
- .\" notice, this list of conditions and the following disclaimer.
- .\" 2. Redistributions in binary form must reproduce the above copyright
- .\" notice, this list of conditions and the following disclaimer in the
- .\" documentation and/or other materials provided with the distribution.
- .\"
- .\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
- .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- .\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- .\" SUCH DAMAGE.
- .\"
- .Dd April 11, 2024
- .Dt ADDUSER 8
- .Os
- .Sh NAME
- .Nm adduser
- .Nd command for adding new users
- .Sh SYNOPSIS
- .Nm
- .Op Fl CDENSZhq
- .Op Fl G Ar groups
- .Op Fl L Ar login_class
- .Op Fl M Ar mode
- .Op Fl d Ar partition
- .Op Fl f Ar file
- .Op Fl g Ar login_group
- .Op Fl k Ar dotdir
- .Op Fl m Ar message_file
- .Op Fl s Ar shell
- .Op Fl u Ar uid_start
- .Op Fl w Ar type
- .Sh DESCRIPTION
- The
- .Nm
- utility is a shell script, implemented around the
- .Xr pw 8
- command, for adding new users.
- It creates passwd/group entries, a home directory,
- copies dotfiles and sends the new user a welcome message.
- On systems where the parent of home directory is a ZFS dataset,
- .Nm
- will create the home directory as a ZFS dataset by default,
- unless the system administrator specified otherwise.
- It supports two modes of operation.
- It may be used interactively
- at the command line to add one user at a time, or it may be directed
- to get the list of new users from a file and operate in batch mode
- without requiring any user interaction.
- .Sh RESTRICTIONS
- .Bl -tag -width indent
- .It username
- Login name.
- The user name is restricted to whatever
- .Xr pw 8
- will accept.
- Generally this means it
- may contain only lowercase characters or digits but cannot begin with the
- .Ql -
- character.
- Maximum length
- is 16 characters.
- The reasons for this limit are historical.
- Given that people have traditionally wanted to break this
- limit for aesthetic reasons, it has never been of great importance to break
- such a basic fundamental parameter in
- .Ux .
- You can change
- .Dv UT_NAMESIZE
- in
- .In utmp.h
- and recompile the
- world; people have done this and it works, but you will have problems
- with any precompiled programs, or source that assumes the 8-character
- name limit, such as NIS.
- The NIS protocol mandates an 8-character username.
- If you need a longer login name for e-mail addresses,
- you can define an alias in
- .Pa /etc/mail/aliases .
- .It "full name"
- This is typically known as the gecos field and usually contains
- the user's full name.
- Additionally, it may contain a comma separated
- list of values such as office number and work and home phones.
- If the
- name contains an ampersand it will be replaced by the capitalized
- login name when displayed by other programs.
- The
- .Ql \&:
- character is not allowed.
- .It shell
- Unless the
- .Fl S
- argument is supplied only valid shells from the shell database
- .Pq Pa /etc/shells
- are allowed.
- In addition,
- either the base name or the full path of the shell may be supplied.
- .It UID
- Automatically generated or your choice.
- It must be less than 32000.
- .It "GID/login group"
- Automatically generated or your choice.
- It must be less than 32000.
- .It password
- You may choose an empty password, disable the password, use a
- randomly generated password or specify your own plaintext password,
- which will be encrypted before being stored in the user database.
- .El
- .Sh UNIQUE GROUPS
- Perhaps you are missing what
- .Em can
- be done with this scheme that falls apart
- with most other schemes.
- With each user in their own group,
- they can safely run with a umask of 002 instead of the usual 022
- and create files in their home directory
- without worrying about others being able to change them.
- .Pp
- For a shared area you create a separate UID/GID, you place each person
- that should be able to access this area into that new group.
- .Pp
- This model of UID/GID administration allows far greater flexibility than lumping
- users into groups and having to muck with the umask when working in a shared
- area.
- .Pp
- I have been using this model for almost 10 years and found that it works
- for most situations, and has never gotten in the way.
- (Rod Grimes)
- .Sh CONFIGURATION
- The
- .Nm
- utility reads its configuration information from
- .Pa /etc/adduser.conf .
- If this file does not exist, it will use predefined defaults.
- While this file may be edited by hand,
- the safer option is to use the
- .Fl C
- command line argument.
- With this argument,
- .Nm
- will start interactive input, save the answers to its prompts in
- .Pa /etc/adduser.conf ,
- and promptly exit without modifying the user
- database.
- Options specified on the command line will take precedence over
- any values saved in this file.
- .Sh OPTIONS
- .Bl -tag -width indent
- .It Fl C
- Create new configuration file and exit.
- This option is mutually exclusive with the
- .Fl f
- option.
- .It Fl d Ar partition
- Home partition.
- Default partition, under which all user directories
- will be located.
- The
- .Pa /nonexistent
- partition is considered special.
- The
- .Nm
- script will not create and populate a home directory by that name.
- Otherwise,
- by default it attempts to create a home directory.
- .It Fl D
- Do not attempt to create the home directory.
- .It Fl E
- Disable the account.
- This option will lock the account by prepending the string
- .Dq Li *LOCKED*
- to the password field.
- The account may be unlocked
- by the super-user with the
- .Xr pw 8
- command:
- .Pp
- .D1 Nm pw Cm unlock Op Ar name | uid
- .It Fl f Ar file
- Get the list of accounts to create from
- .Ar file .
- If
- .Ar file
- is
- .Dq Fl ,
- then get the list from standard input.
- If this option is specified,
- .Nm
- will operate in batch mode and will not seek any user input.
- If an error is encountered while processing an account, it will write a
- message to standard error and move to the next account.
- The format
- of the input file is described below.
- .It Fl g Ar login_group
- Normally,
- if no login group is specified,
- it is assumed to be the same as the username.
- This option makes
- .Ar login_group
- the default.
- .It Fl G Ar groups
- Space-separated list of additional groups.
- This option allows the user to specify additional groups to add users to.
- The user is a member of these groups in addition to their login group.
- .It Fl h
- Print a summary of options and exit.
- .It Fl k Ar directory
- Copy files from
- .Ar directory
- into the home
- directory of new users;
- .Pa dot.foo
- will be renamed to
- .Pa .foo .
- .It Fl L Ar login_class
- Set default login class.
- .It Fl m Ar file
- Send new users a welcome message from
- .Ar file .
- Specifying a value of
- .Cm no
- for
- .Ar file
- causes no message to be sent to new users.
- Please note that the message
- file can reference the internal variables of the
- .Nm
- script.
- .It Fl M Ar mode
- Create the home directory with permissions set to
- .Ar mode .
- .It Fl N
- Do not read the default configuration file.
- .It Fl q
- Minimal user feedback.
- In particular, the random password will not be echoed to
- standard output.
- .It Fl s Ar shell
- Default shell for new users.
- The
- .Ar shell
- argument may be the base name of the shell or the full path.
- Unless the
- .Fl S
- argument is supplied the shell must exist in
- .Pa /etc/shells
- or be the special shell
- .Em nologin
- to be considered a valid shell.
- .It Fl S
- The existence or validity of the specified shell will not be checked.
- .It Fl u Ar uid
- Use UIDs from
- .Ar uid
- on up.
- .It Fl w Ar type
- Password type.
- The
- .Nm
- utility allows the user to specify what type of password to create.
- The
- .Ar type
- argument may have one of the following values:
- .Bl -tag -width ".Cm random"
- .It Cm no
- Disable the password.
- Instead of an encrypted string, the password field will contain a single
- .Ql *
- character.
- The user may not log in until the super-user
- manually enables the password.
- .It Cm none
- Use an empty string as the password.
- .It Cm yes
- Use a user-supplied string as the password.
- In interactive mode,
- the user will be prompted for the password.
- In batch mode, the
- last (10th) field in the line is assumed to be the password.
- .It Cm random
- Generate a random string and use it as a password.
- The password will be echoed to standard output.
- In addition, it will be available for inclusion in the message file in the
- .Va randompass
- variable.
- .El
- .It Fl Z
- Do not attempt to create ZFS home dataset.
- .El
- .Sh FORMAT
- When the
- .Fl f
- option is used, the account information must be stored in a specific
- format.
- All empty lines or lines beginning with a
- .Ql #
- will be ignored.
- All other lines must contain ten colon
- .Pq Ql \&:
- separated fields as described below.
- Command line options do not take precedence
- over values in the fields.
- Only the password field may contain a
- .Ql \&:
- character as part of the string.
- .Pp
- .Sm off
- .D1 Ar name : uid : gid : class : change : expire : gecos : home_dir : shell : password
- .Sm on
- .Bl -tag -width ".Ar password"
- .It Ar name
- Login name.
- This field may not be empty.
- .It Ar uid
- Numeric login user ID.
- If this field is left empty, it will be automatically generated.
- .It Ar gid
- Numeric primary group ID.
- If this field is left empty, a group with the
- same name as the user name will be created and its GID will be used
- instead.
- .It Ar class
- Login class.
- This field may be left empty.
- .It Ar change
- Password ageing.
- This field denotes the password change date for the account.
- The format of this field is the same as the format of the
- .Fl p
- argument to
- .Xr pw 8 .
- It may be
- .Ar dd Ns - Ns Ar mmm Ns - Ns Ar yy Ns Op Ar yy ,
- where
- .Ar dd
- is for the day,
- .Ar mmm
- is for the month in numeric or alphabetical format:
- .Dq Li 10
- or
- .Dq Li Oct ,
- and
- .Ar yy Ns Op Ar yy
- is the four or two digit year.
- To denote a time relative to the current date the format is:
- .No + Ns Ar n Ns Op Ar mhdwoy ,
- where
- .Ar n
- denotes a number, followed by the minutes, hours, days, weeks,
- months or years after which the password must be changed.
- This field may be left empty to turn it off.
- .It Ar expire
- Account expiration.
- This field denotes the expiry date of the account.
- The account may not be used after the specified date.
- The format of this field is the same as that for password ageing.
- This field may be left empty to turn it off.
- .It Ar gecos
- Full name and other extra information about the user.
- .It Ar home_dir
- Home directory.
- If this field is left empty, it will be automatically
- created by appending the username to the home partition.
- The
- .Pa /nonexistent
- home directory is considered special and
- is understood to mean that no home directory is to be
- created for the user.
- .It Ar shell
- Login shell.
- This field should contain either the base name or
- the full path to a valid login shell.
- .It Ar password
- User password.
- This field should contain a plaintext string, which will
- be encrypted before being placed in the user database.
- If the password type is
- .Cm yes
- and this field is empty, it is assumed the account will have an empty password.
- If the password type is
- .Cm random
- and this field is
- .Em not
- empty, its contents will be used
- as a password.
- This field will be ignored if the
- .Fl w
- option is used with a
- .Cm no
- or
- .Cm none
- argument.
- Be careful not to terminate this field with a closing
- .Ql \&:
- because it will be treated as part of the password.
- .El
- .Sh FILES
- .Bl -tag -width ".Pa /etc/adduser.message" -compact
- .It Pa /etc/master.passwd
- user database
- .It Pa /etc/group
- group database
- .It Pa /etc/shells
- shell database
- .It Pa /etc/login.conf
- login classes database
- .It Pa /etc/adduser.conf
- configuration file for
- .Nm
- .It Pa /etc/adduser.message
- message file for
- .Nm
- .It Pa /usr/share/skel
- skeletal login directory
- .It Pa /var/log/adduser
- logfile for
- .Nm
- .El
- .Sh SEE ALSO
- .Xr chpass 1 ,
- .Xr passwd 1 ,
- .Xr adduser.conf 5 ,
- .Xr aliases 5 ,
- .Xr group 5 ,
- .Xr login.conf 5 ,
- .Xr passwd 5 ,
- .Xr shells 5 ,
- .Xr pw 8 ,
- .Xr pwd_mkdb 8 ,
- .Xr rmuser 8 ,
- .Xr vipw 8 ,
- .Xr yp 8
- .Sh HISTORY
- The
- .Nm
- command appeared in
- .Fx 2.1 .
- .Sh AUTHORS
- .An -nosplit
- This manual page and the original script, in Perl, was written by
- .An Wolfram Schneider Aq Mt wosch@FreeBSD.org .
- The replacement script, written as a Bourne
- shell script with some enhancements, and the man page modification that
- came with it were done by
- .An Mike Makonnen Aq Mt mtm@identd.net .
- .Sh BUGS
- In order for
- .Nm
- to correctly expand variables such as
- .Va $username
- and
- .Va $randompass
- in the message sent to new users, it must let the shell evaluate
- each line of the message file.
- This means that shell commands can also be embedded in the message file.
- The
- .Nm
- utility attempts to mitigate the possibility of an attacker using this
- feature by refusing to evaluate the file if it is not owned and writable
- only by the root user.
- In addition, shell special characters and operators will have to be
- escaped when used in the message file.
- .Pp
- Also, password ageing and account expiry times are currently settable
- only in batch mode or when specified in
- .Pa /etc/adduser.conf .
- The user should be able to set them in interactive mode as well.
|