summaryrefslogtreecommitdiff
path: root/usr.sbin/adduser/adduser.8
blob: 8eb7eb52dfcdd5032bccc39b9b100016f7fb7939 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
.\"	$OpenBSD: adduser.8,v 1.43 2014/10/01 09:56:36 mpi Exp $
.\"
.\" Copyright (c) 1995-1996 Wolfram Schneider <wosch@FreeBSD.org>. Berlin.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $From: adduser.8,v 1.12 1996/08/28 17:54:13 adam Exp $
.Dd $Mdocdate: October 1 2014 $
.Dt ADDUSER 8
.Os
.Sh NAME
.Nm adduser ,
.Nm rmuser
.Nd add and delete users from the system
.Sh SYNOPSIS
.Nm adduser
.Bk -words
.Oo Fl batch Ar username
.Oo Ar group Ns Op , Ns Ar group
.Ar ...
.Oc
.Op Ar fullname
.Op Ar password
.Oc
.Op Fl check_only
.Op Fl class Ar login_class
.Op Fl config_create
.Op Fl dotdir Ar directory
.Oo
.Fl e
.Ar method | Fl encryption Ar method
.Oc
.Op Fl group Ar login_group
.Op Fl h | help | \&?
.Op Fl home Ar partition
.Op Fl message Ar file
.Op Fl noconfig
.Op Fl shell Ar shell
.Op Fl s | silent | q | quiet
.Op Fl uid_start Ar uid
.Op Fl uid_end Ar uid
.Op Fl v | verbose
.Op Fl unencrypted
.Ek
.Pp
.Nm rmuser
.Op Ar username
.Sh DESCRIPTION
The
.Nm adduser
program adds new users to the system.
The
.Nm rmuser
program removes users from the system.
When not passed any arguments, both
utilities operate in interactive mode and prompt for any required information.
.Pp
The options are as follows:
.Bl -tag -width Ds
.It Xo Fl batch Ar username
.Oo Ar group Ns Op , Ns Ar group
.Ar ... Oc
.Op Ar fullname
.Op Ar password
.Xc
Enter batch mode in which multiple users are specified on the command line
in a compact format.
By default the password is assumed to already be properly encrypted.
.It Fl check_only
Check the passwd, group, and shells databases for consistency and problems
then exit without performing any other operation.
.It Fl class Ar login_class
Use the specified
.Ar login_class
as the default user login class.
See
.Xr login.conf 5
for further details.
.It Fl config_create
Create or edit default configuration information and message file before
proceeding with the normal interactive adduser procedure.
.It Fl dotdir Ar directory
Copy files from
.Ar directory
into the HOME directory of new users.
Files named in the fashion of
.Dq Pa dot.foo
will be renamed to
.Dq Pa .foo .
By default, all files are made writable and readable by
their owner.
.\" don't allow group or world to write files and allow only owner
.\" to read/execute/write .rhost, .Xauthority, .kermrc, .netrc, Mail,
.\" prv, iscreen, term.
.It Fl encryption , e Ar method
Encrypt local passwords using
.Ar method
of encryption as described in
.Xr login.conf 5 .
If
.Ar method
is
.Dq auto ,
the encryption type will be derived from the user's login class.
.It Fl group Ar login_group
Specify the default login group.
A value of
.Ar USER
means that the username is to be used as the login group.
.It Fl help , h , \&?
Print a summary of options and exit.
.It Fl home Ar partition
Specify the default home partition where all users' home directories
are to be located.
.It Fl message Ar file
Send new users a welcome message from
.Ar file .
Specifying a value of
.Dq no
for
.Ar file
causes no message to be sent to new users.
.It Fl noconfig
Do not read the default configuration file.
.It Fl shell Ar shell
Specify the default shell for new users.
.It Xo
.Fl silent , s ,
.Fl quiet , q
.Xc
Causes the program to print fewer warnings, questions, and bug reports.
.It Fl uid_start Ar uid
Use UIDs from
.Ar uid
up when automatically generating UIDs.
.It Fl uid_end Ar uid
Do not use UIDs higher than
.Ar uid
when generating UIDs.
.It Fl unencrypted
Causes the program to assume that the password given in batch mode is
unencrypted.
The password will be encrypted before being added to the password file.
Use of this option is discouraged, as the username and cleartext password
will appear in the process list, which is visible to users.
.It Fl verbose , v
Causes the program to print many warnings and questions.
This option is recommended for novice users.
.El
.Pp
.Nm adduser
first performs consistency checks on the password, group, and shell databases.
This includes finding any duplicate user or group names, illegal shells, or
shells that aren't executable.
Once these tests are passed,
.Nm
performs the following operations for each new user:
.Bl -enum -offset indent
.It
Add the appropriate entries to the password and group files and re-generate
the password database using
.Xr pwd_mkdb 8 .
.It
Create a home directory and copy all files from the skeletal
login directory (normally
.Pa /etc/skel )
to this new directory.
Files named in the fashion of
.Dq Pa dot.foo
will be renamed to
.Dq Pa .foo
in the new directory.
.It
Mails the new user a welcome message at the discretion of the account creator.
.El
.Pp
Similarly, when removing a user,
.Nm rmuser
performs the following operations for the given
.Ar username :
.Bl -enum -offset indent
.It
Removes any
.Xr crontab 1
entries or
.Xr at 1
jobs belonging to the user.
.It
Removes the user from the password database and all groups in the group
database.
If a group becomes empty and its name is the same as the username,
the group is removed (this complements
.Nm adduser Ns 's
unique per-user groups).
.It
Recursively deletes all files in the user's home directory and removes the
directory itself (provided the directory actually belongs to the user).
.Nm rmuser
prompts for confirmation before actually doing this.
.It
Removes the user's incoming mail file if one exists.
.El
.Pp
Understandably,
.Nm rmuser
politely refuses to remove users whose UID is 0 (typically root).
.Sh RESTRICTIONS
.Bl -tag -width Ds
.It Sy username
It is recommended that login names contain only lowercase characters
and digits.
They may also contain uppercase characters, non-leading hyphens,
periods, underscores, and a trailing
.Ql $ .
Login names may not be longer than 31 characters.
.\" The reasons for this limit are "Historical".
.\" Given that people have traditionally wanted to break this
.\" limit for aesthetic reasons, it's never been of great importance to break
.\" such a basic fundamental parameter in UNIX.
.\" You can change UT_NAMESIZE in /usr/include/utmp.h and recompile the
.\" world; people have done this and it works, but you will have problems
.\" with any precompiled programs, or source that assumes the 8-character
.\" name limit and NIS. The NIS protocol mandates an 8-character username.
If you need a longer login name for e-mail addresses,
you can define an alias in
.Pa /etc/mail/aliases .
.It Sy fullname
This should contain the user's first name and surname.
The
.Ql \&:
is not permitted.
.It Sy login_class
The specified user login class
must exist in
.Pa /etc/login.conf .
.It Sy shell
Only valid entries from the
.Xr shells 5
database or entries corresponding to
.Xr pppd 8
are permitted.
.It Sy uid_start
This value is the start of the range where free UID values are
searched for.
This value must be less than the value of uid_end.
The default value is 1000 or as configured in the configuration file.
.It Sy uid_end
This value is the end of the range where free UID values are
searched for.
This value must be more than the value of uid_start.
The default value is 2147483647 or as configured in the configuration file.
.It Sy gid/login group
This value is generated automatically, but can be specified at the
discretion of the person invoking the program.
.It Sy password
If not empty, the password is encrypted according to
.Xr login.conf 5 .
If empty, the account will be automatically disabled to prevent spurious
access to it.
.El
.\" .Sh UNIQUE GROUP
.\" Perhaps you're missing what *can* be done with this scheme that falls apart
.\" with most other schemes.  With each user in his/her own group the user can
.\" safely run with a umask of 002 and have files created in their home
.\" directory and not worry about others being able to read them.
.\"
.\" For a shared area you create a separate uid/gid (like cvs or ncvs on
.\" freefall) you place each person that should be able to access this area
.\" into that new group.
.\"
.\" This model of uid/gid administration allows far greater flexibility than
.\" lumping users into groups and having to muck with the umask when working
.\" in a shared area.
.\"
.\" I have been using this model for almost 10 years and found that it works
.\" for most situations, and has never gotten in the way.  (Rod Grimes)
.Sh CONFIGURATION
.Nm
follows these steps to extract its configuration
information:
.Pp
.Bl -enum -offset indent -compact
.It
Read internal variables.
.It
Read configuration file
.Pq Pa /etc/adduser.conf .
.It
Parse command-line options.
.El
.Pp
The
.Em adduser.conf
format is explained within that file and is quite straightforward.
.\" .Sh FORMAT
.\" .Bl -tag -width Ds -compact
.\" .Ql Pa #
.\" is a comment.
.\" .P
.\" .It Sy config file
.\" .Nm adduser
.\" reads and writes this file.
.\" See /etc/adduser.conf for more details.
.\" .It Sy message file
.\" Eval variables in this file. See /etc/adduser.message for more
.\" details.
.\" .El
.Sh FILES
.Bl -tag -width /etc/adduser.messageX -compact
.It Pa /etc/master.passwd
user database
.It Pa /etc/group
group database
.It Pa /etc/shells
shell database
.It Pa /etc/ptmp
lock file for the passwd database
.It Pa /etc/adduser.conf
configuration file for
.Nm adduser
.It Pa /etc/adduser.message
message file for
.Nm
.It Pa /etc/skel
skeletal login directory
.It Pa /var/log/adduser
log file for
.Nm
.El
.Sh EXAMPLES
Start
.Nm
in interactive mode:
.Pp
.Dl # adduser
.Pp
Create user
.Dq falken
and
login group
.Dq falken .
Invite user
.Dq falken
into groups
.Dq guest ,
.Dq staff ,
and
.Dq beer .
Realname (fullname)
is
.Dq Prof. Falken .
The password has been created using
.Xr encrypt 1 :
.Bd -literal -offset indent
# adduser -batch falken guest,staff,beer 'Prof. Falken' \e
    $2a$06$1Sdjxjoxg4cNmT6zAxriGOLgdLXQ3HdJ2dKBbzEk68jSrO1EtLJ3C
.Ed
.Pp
Create user
.Dq vehlefanz
in login group
.Dq guest .
Start the free UID search at 5000.
No other groups, no realname, no password.
Send a welcome message:
.Bd -literal -offset indent
# adduser -uid_start 5000 -group guest \e
    -message /etc/adduser.message -batch vehlefanz
.Ed
.Pp
Create user
.Dq jsmith
and place in the
.Dq jsmith
login group.
Also add to the
.Dq staff
group.
No password:
.Pp
.Dl "# adduser -group USER -batch jsmith staff"
.Sh SEE ALSO
.Xr chpass 1 ,
.Xr finger 1 ,
.Xr passwd 1 ,
.Xr setlogin 2 ,
.Xr aliases 5 ,
.Xr group 5 ,
.Xr login.conf 5 ,
.Xr passwd 5 ,
.Xr shells 5 ,
.Xr nologin 8 ,
.Xr pwd_mkdb 8 ,
.Xr vipw 8 ,
.Xr yp 8