{"id":5857,"date":"2024-06-18T01:52:00","date_gmt":"2024-06-18T05:52:00","guid":{"rendered":"https:\/\/www.both.org\/?p=5857"},"modified":"2024-06-14T16:30:18","modified_gmt":"2024-06-14T20:30:18","slug":"intro-to-the-linux-useradd-command","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=5857","title":{"rendered":"Intro to the Linux useradd command"},"content":{"rendered":"
\r\n
\r\n \r\n <\/i>\r\n <\/a>\r\n 1 <\/span>\r\n<\/div><\/div>\n

Adding a user is one of the most fundamental exercises on any computer system; this article focuses on how to do it on a Linux system.<\/p>\n\n\n\n

Before getting started, I want to mention three fundamentals to keep in mind. First, most operating system users need an account to be able to log in, Linux is no exception. This article only covers local accounts, not network accounts such as LDAP or AD. Second, accounts have both a nameand a number; referred to as username and user ID (UID). Third, users are typically placed into a group. Groups also have a name and group ID (GID).<\/p>\n\n\n\n

As you’d expect, Linux includes a command-line utility for adding users called useradd. You may also find the command adduser on some systems. Many distributions have added this symbolic link to the useradd command as a matter of convenience.<\/p>\n\n\n\n

$ file $(which adduser)\n\/usr\/sbin\/adduser: symbolic link to useradd<\/code><\/pre>\n\n\n\n
Let’s take a look at useradd<\/strong><\/p>\n\n\n\n
Note: <\/strong>The defaults described in this article reflect those in Red Hat Enterprise Linux 8.0 and Fedora 40. You may find subtle differences in these files and certain defaults on other Linux distributions or other Unix operating systems such as FreeBSD or Solaris.<\/p>\n\n\n\n
Default behavior<\/h2>\n\n\n\n
The basic usage of useradd<\/strong> is quite simple: A user can be added just by providing their username.<\/p>\n\n\n\n
$ sudo useradd herb<\/code><\/pre>\n\n\n\n
In this example, the useradd<\/strong> command creates an account called herb<\/em>. A group with the same name is also created, and herb<\/em> is placed into this group to be used as the primary group. There are other parameters, such as language and shell, that are applied according to defaults and values set in the configuration files \/etc\/default\/useradd<\/strong> and \/etc\/login.defs<\/strong>. This is generally sufficient for a single, personal-use system or even a small, one-server business environment.<\/p>\n\n\n\n
While the two files above govern the behavior of useradd<\/strong>, user information is stored in other files found in the \/etc<\/strong> directory, which we’ll examine throughout this article.<\/p>\n\n\n\n
File<\/strong><\/td>Description<\/strong><\/td>Fields (bold – set by useradd)<\/strong><\/td><\/tr>
passwd<\/td>stores user account details<\/td>username<\/strong>:unused:uid<\/strong>:gid<\/strong>:comment<\/strong>:homedir<\/strong>:shell<\/strong><\/td><\/tr>
shadow<\/td>stores user account security details<\/td>username<\/strong>:password:lastchange:minimum:maximum:warn:inactive<\/strong>:expire<\/strong>:unused<\/td><\/tr>
group<\/td>stores group details<\/td>groupname<\/strong>:unused:gid<\/strong>:members<\/strong><\/td><\/tr><\/tbody><\/table>
Description and Fields of user files<\/figcaption><\/figure>\n\n\n\n
Customizable behavior<\/h2>\n\n\n\n
The command line allows customization for times when an administrator needs finer control, such as to specify a user’s ID number.<\/p>\n\n\n\n
User and group ID numbers<\/h2>\n\n\n\n
By default, useradd<\/strong> tries to use the same number for the user ID (UID) and primary group ID (GID), but there are no guarantees. Although it’s not necessary for the UID and GID to match, it’s easier for administrators to manage them when they do.<\/p>\n\n\n\n
I have just the scenario to explain. Suppose I add another account, this time for Timmy. Comparing the two users, herb<\/em> and timmy<\/em>, shows that both users and their respective primary groups were created by using the getent<\/strong> command.<\/p>\n\n\n\n
$ getent passwd herb timmy\nsonny:x:1001:1002:Herb:\/home\/herb:\/bin\/bash\ntimmy:x:1002:1003::\/home\/timmy:\/bin\/bash\n\n$ getent group herb timmy\nherb:x:1002:\ntimmy:x:1003:<\/code><\/pre>\n\n\n\n
Unfortunately, neither users’ UID nor primary GID match. This is because the default behavior is to assign the next available UID to the user and then attempt to assign the same number to the primary group. However, if that number is already used, the next available GID is assigned to the group. To explain what happened, I hypothesize that a group with GID 1001 already exists and enter a command to confirm.<\/p>\n\n\n\n
$ getent group 1001\nbook:x:1001:charles<\/code><\/pre>\n\n\n\n
The group book<\/em> with the ID 1001<\/em> has caused the GIDs to be off by one. This is an example where a system administrator would need to take more control of the user-creation process. To resolve this issue, I must first determine the next available user and group ID that will match. The commands getent group<\/strong> and getent passwd<\/strong> will be helpful in determining the next available number. This number can be passed with the -u<\/strong> argument.<\/p>\n\n\n\n
$ sudo useradd -u 1004 bobby\n\n$ getent passwd bobby; getent group bobby\nbobby:x:1004:1004::\/home\/bobby:\/bin\/bash\nbobby:x:1004:<\/code><\/pre>\n\n\n\n
Another good reason to specify the ID is for users that will be accessing files on a remote system using the Network File System (NFS). NFS is easier to administer when all client and server systems have the same ID configured for a given user.<\/p>\n\n\n\n
More customization<\/h2>\n\n\n\n
Very often though, other account parameters need to be specified for a user. Here are brief examples of the most common customizations you may need to use.<\/p>\n\n\n\n
The comment option is a plain-text field for providing a short description or other information using the -c<\/strong> argument.<\/p>\n\n\n\n
$ sudo useradd -c \"Bailey is cool\" bailey\n$ getent passwd bailey\nbailey:x:1011:1011:Bailey is cool:\/home\/bailey:\/bin\/bash<\/code><\/pre>\n\n\n\n
Groups<\/h2>\n\n\n\n
A user can be assigned one primary group and multiple secondary groups. The -g<\/strong> argument specifies the name or GID of the primary group. If it’s not specified, useradd<\/strong> creates a primary group with the user’s same name (as demonstrated above). The -G<\/strong> (uppercase) argument is used to pass a comma-separated list of groups that the user will be placed into; these are known as secondary groups.<\/p>\n\n\n\n
$ sudo useradd -G tgroup,fgroup,libvirt milly \n$ id milly\nuid=1012(milly) gid=1012(milly) groups=1012(milly),981(libvirt),4000(fgroup),3000(tgroup)<\/code><\/pre>\n\n\n\n
Home directory<\/h2>\n\n\n\n
The default behavior of useradd<\/strong> is to create the user’s home directory in \/home<\/strong>. However, different aspects of the home directory can be overridden with the following arguments. The -b<\/strong> sets another directory where user homes can be placed. For example, \/home2<\/strong> instead of the default \/home<\/strong>.<\/p>\n\n\n\n
$ sudo useradd -b \/home2 vicky\n$ getent passwd vicky\nvicky:x:1013:1013::\/home2\/vicky:\/bin\/bash<\/code><\/pre>\n\n\n\n
The -d<\/strong> lets you specify a home directory with a different name from the user.<\/p>\n\n\n\n
$ sudo useradd -d \/home\/ben jerry\n$ getent passwd jerry\njerry:x:1014:1014::\/home\/ben:\/bin\/bash<\/code><\/pre>\n\n\n\n
The skeleton directory<\/h2>\n\n\n\n
The -k<\/strong> instructs the new user’s new home directory to be populated with any files in the \/etc\/skel<\/strong> directory. These are usually shell configuration files, but they can be anything that a system administrator would like to make available to all new users.<\/p>\n\n\n\n
Shell<\/h2>\n\n\n\n
The -s<\/strong> argument can be used to specify the shell. The default is used if nothing else is specified. For example, in the following, shell bash<\/strong> is defined in the default configuration file, but Wally has requested zsh<\/strong>.<\/p>\n\n\n\n
$ grep SHELL \/etc\/default\/useradd \nSHELL=\/bin\/bash\n\n$ sudo useradd -s \/usr\/bin\/zsh wally\n$ getent passwd wally\nwally:x:1004:1004::\/home\/wally:\/usr\/bin\/zsh<\/code><\/pre>\n\n\n\n
Security<\/h2>\n\n\n\n
Security is an essential part of user management, so there are several options available with the useradd<\/strong> command. A user account can be given an expiration date, in the form YYYY-MM-DD, using the -e<\/strong> argument.<\/p>\n\n\n\n
$ sudo useradd -e 20191231 sammy\n$ sudo getent shadow sammy\nsammy:!!:18171:0:99999:7::20191231:<\/code><\/pre>\n\n\n\n
An account can also be disabled automatically if the password expires. The -f<\/strong> argument will set the number of days after the password expires before the account is disabled. Zero is immediate.<\/p>\n\n\n\n
A real-world example<\/h2>\n\n\n\n
In practice, several of these arguments may be used when creating a new user account. For example, if I need to create an account for Perry, I might use the following command:<\/p>\n\n\n\n
$ sudo useradd -u 1020 -c \"Perry Example\" \\\n-G tgroup -b \/home2 \\\n-s \/usr\/bin\/zsh \\\n-e 20201201 -f 5 perry<\/code><\/pre>\n\n\n\n
Refer to the sections above to understand each option. Verify the results with:<\/p>\n\n\n\n
$ getent passwd perry; getent group perry; getent shadow perry; id perry\nperry:x:1020:1020:Perry Example:\/home2\/perry:\/usr\/bin\/zsh\nperry:x:1020:\nperry:!!:18171:0:99999:7:5:20201201:\nuid=1020(perry) gid=1020(perry) groups=1020(perry),3000(tgroup)<\/code><\/pre>\n\n\n\n
Some final advice<\/h2>\n\n\n\n
The useradd<\/strong> command is a “must-know” for the Linux administrator. It is important to understand all of its options since user creation is something that you want to get right the first time. This means having a well-thought-out naming convention that includes a dedicated UID\/GID range reserved for your users across your enterprise, not just on a single system\u2014particularly when you’re working in a growing organization.<\/p>\n","protected":false},"excerpt":{"rendered":"
Adding a user is one of the most fundamental exercises on any computer system; this article focuses on how to do it on a Linux system.<\/p>\n","protected":false},"author":429,"featured_media":4636,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_lmt_disableupdate":"","_lmt_disable":"","footnotes":""},"categories":[100,90,5,89],"tags":[441,440],"class_list":["post-5857","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-command-line","category-in-depth","category-linux","category-system-administration","tag-adding-a-new-user","tag-useradd"],"modified_by":"David Both","_links":{"self":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/5857","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/users\/429"}],"replies":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5857"}],"version-history":[{"count":11,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/5857\/revisions"}],"predecessor-version":[{"id":5890,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/posts\/5857\/revisions\/5890"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=\/wp\/v2\/media\/4636"}],"wp:attachment":[{"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5857"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5857"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.both.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5857"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}