linux中创建新用户useradd
useradd用于创建或者更新用户账号信息,是管理员必备的命令之一。
官方的定义为:
useradd - create a new user or update default new user information
使用的方法为:
1 | $ useradd [options] LOGIN |
在使用 -D 选项的时候,useradd 命令将使用系统默认、用户命令行指定的参数创建一个新的用户账户。依赖于命令行选项,useradd命令会更新系统文件或者创建用户的home目录并拷贝初始文件,这个除非相当专业,慎用。
默认情况下,useradd会创建一个同名的group。
常用的一些选项为:
-c, --comment COMMENT:备注,通常会报错在passwd的备注栏中,一般为用户的全名。-d, --home-dir HOME_DIR:指定用户登陆时候的HOME目录-e, --expiredate EXPIRE_DATE:用户账户被禁用的日期,格式为: YYYY-MM-DD。如果不指定,将使用 /etc/default/useradd的值,或者默认取空不过期-s, --shell SHELL:指定登陆后使用的shell,对于不同于默认设定的shell比较有用
默认添加用户
1 | $ sudo useradd username |
正常情况下,创建用户user,会自动在/home目录创建,通过id命令可以看到有同名的group也创建了。
加上备注
1 | $ sudo useradd username -c "USER NAME" |
通过这个参数可以设置用户的备注名或者昵称,可以在/etc/passwd中看到,这个对于用户管理而言很方便,而GUI登陆来说比较方便,会显示备注名。
设定登陆的目录
默认情况下创建的目录位于/home ,但是如果希望更改到,比如/home1,那么此时使用-d参数即可,如下:
1 | $ sudo useradd -d /home1/ username |
更改默认的SHELL
有些用户可能对csh情有独钟,那么此时可以使用-s来更改,如下:
1 | $ sudo useradd -s /usr/bin/csh username |
目前默认均为bash。
设定失效日期
这个选项通常对于临时账户很有效,比如来了一个实习生,实习一个月就离开,此时2013-03-07,那么一个月以后失效的命令为:
1 | $ sudo useradd username -e 2013-04-07 |
那么一个月以后,该账户将被禁用登陆。
useradd 用户名
- -u 指定用户uid
- -g 指定用户所属主组
- -G 指定用户所属附属组
- 使用useradd时,如果后面不添加任何参数选项,例如: #sudo useradd test创建出来的用户将是默认“三无”用户:一无Home Directory,二无密码,三无系统Shell。
- 使用adduser时,创建用户的过程更像是一种人机对话,系统会提示你输入各种信息,然后会根据这些信息帮你创建新用户。
- 所以,adduser更适合初级使用者,因为不用去记那些繁琐的参数选项,只要跟着系统的提示一步一步进行下去就行,缺点就是整个创建过程比较复杂而漫长;而useradd比较适合有些高阶经验的使用者,往往一行命令加参数就能解决很多问题,所以创建起来十分方便。
例1:
1 | useradd -d /usr/leo -m leo |
此命令创建了一个用户leo -d和-m选项用来为登录名leo产生一个主目录/usr/leo(/usr为默认的用户主目录所在的父目录)。
例2:
1 | useradd -d /home/leo -s /usr/bin/bash -g leo -G admin,root leo |
此命令新建了一个用户leo/bin/sh,他属于group用户组,同时又属于admin和root用户组,其中group用户组是其主组。
这里可能新建组:groupadd group 及 groupadd admin
增加用户账号就是在/etc/passwd文件中为新用户增加一条记录,同时更新其他系统文件,如/etc/shadow,/etc/group等。
Linux提供了集成的系统管理工具userconf,他能用来对用户账号进行统一管理。
注: 用户帐户本身在 /etc/passwd 中定义。Linux 系统包含一个 /etc/passwd 的同伴文件,叫做 /etc/shadow。该文件不像 /etc/passwd,只有对于 root 用户来说是可读的,并且包含加密的密码信息
OPTIONS
The options which apply to the useradd command are:
-b, --base-dir BASE_DIR
The default base directory for the system if -d HOME_DIR is not specified. BASE_DIR is concatenated with the account name to define
the home directory. If the -m option is not used, BASE_DIR must exist.
If this option is not specified, useradd will use the base directory specified by the HOME variable in /etc/default/useradd, or
/home by default.
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
-D, –defaults
See below, the subsection “Changing the default values”.
-f, –inactive INACTIVE
The number of days after a password expires until the account is permanently disabled. A value of 0 disables the account as soon as
the password has expired, and a value of -1 disables the feature.
If not specified, useradd will use the default inactivity period specified by the INACTIVE variable in /etc/default/useradd, or -1
by default.
-g, --gid GROUP
The group name or number of the user's initial login group. The group name must exist. A group number must refer to an already existing group.
If not specified, the behavior of useradd will depend on the USERGROUPS_ENAB variable in /etc/login.defs. If this variable is set to
yes (or -U/--user-group is specified on the command line), a group will be created for the user, with the same name as her
loginname. If the variable is set to no (or -N/--no-user-group is specified on the command line), useradd will set the primary group
of the new user to the value specified by the GROUP variable in /etc/default/useradd, or 100 by default.
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
A list of supplementary groups which the user is also a member of. Each group is separated from the next by a comma, with no
intervening whitespace. The groups are subject to the same restrictions as the group given with the -g option. The default is for
the user to belong only to the initial group.
-k, --skel SKEL_DIR
The skeleton directory, which contains files and directories to be copied in the user's home directory, when the home directory is created by useradd.
This option is only valid if the -m (or --create-home) option is specified.
If this option is not set, the skeleton directory is defined by the SKEL variable in /etc/default/useradd or, by default, /etc/skel.
If possible, the ACLs and extended attributes are copied.
-K, --key KEY=VALUE
Overrides /etc/login.defs defaults (UID_MIN, UID_MAX, UMASK, PASS_MAX_DAYS and others).
Example: -K PASS_MAX_DAYS=-1 can be used when creating system account to turn off password aging, even though system account has no
password at all. Multiple -K options can be specified, e.g.: -K UID_MIN=100 -K UID_MAX=499
-l, --no-log-init
Do not add the user to the lastlog and faillog databases.
By default, the user's entries in the lastlog and faillog databases are reset to avoid reusing the entry from a previously deleted user.
-m, --create-home
Create the user's home directory if it does not exist. The files and directories contained in the skeleton directory (which can be defined with the -k option) will be copied to the home directory.
By default, if this option is not specified and CREATE_HOME is not enabled, no home directories are created.
The directory where the user's home directory is created must exist and have proper SELinux context and permissions. Otherwise the
user's home directory cannot be created or accessed.
-M, --no-create-home
Do no create the user's home directory, even if the system wide setting from /etc/login.defs (CREATE_HOME) is set to yes.
-N, --no-user-group
Do not create a group with the same name as the user, but add the user to the group specified by the -g option or by the GROUP variable in /etc/default/useradd.
The default behavior (if the -g, -N, and -U options are not specified) is defined by the USERGROUPS_ENAB variable in /etc/login.defs.
-o, --non-unique
Allow the creation of a user account with a duplicate (non-unique) UID.
This option is only valid in combination with the -u option.
-p, --password PASSWORD
The encrypted password, as returned by crypt(3). The default is to disable the password.
Note: This option is not recommended because the password (or encrypted password) will be visible by users listing the processes.
You should make sure the password respects the system's password policy.
-r, --system
Create a system account.
System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups).
Note that useradd will not create a home directory for such a user, regardless of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m options if you want a home directory for a system account to be created.
-R, --root CHROOT_DIR
Apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.
-P, --prefix PREFIX_DIR
Apply changes in the PREFIX_DIR directory and use the configuration files from the PREFIX_DIR directory. This option does not chroot and is intended for preparing a cross-compilation target. Some limitations: NIS and LDAP users/groups are not verified. PAM authentication is using the host files. No SELINUX support.
-u, –uid UID
The numerical value of the user’s ID. This value must be unique, unless the -o option is used. The value must be non-negative. The
default is to use the smallest ID value greater than or equal to UID_MIN and greater than every other user.
See also the -r option and the UID_MAX description.
-U, --user-group
Create a group with the same name as the user, and add the user to this group.
The default behavior (if the -g, -N, and -U options are not specified) is defined by the USERGROUPS_ENAB variable in
/etc/login.defs.
-Z, --selinux-user SEUSER
The SELinux user for the user's login. The default is to leave this field blank, which causes the system to select the default
SELinux user.
Changing the default values
When invoked with only the -D option, useradd will display the current default values. When invoked with -D plus other options, useradd will update the default values for the specified options. Valid default-changing options are:
-b, --base-dir BASE_DIR
The path prefix for a new user's home directory. The user's name will be affixed to the end of BASE_DIR to form the new user's home
directory name, if the -d option is not used when creating a new account.
This option sets the HOME variable in /etc/default/useradd.
-e, --expiredate EXPIRE_DATE
The date on which the user account is disabled.
This option sets the EXPIRE variable in /etc/default/useradd.
-f, --inactive INACTIVE
The number of days after a password has expired before the account will be disabled.
This option sets the INACTIVE variable in /etc/default/useradd.
-g, --gid GROUP
The group name or ID for a new user's initial group (when the -N/--no-user-group is used or when the USERGROUPS_ENAB variable is set
to no in /etc/login.defs). The named group must exist, and a numerical group ID must have an existing entry.
This option sets the GROUP variable in /etc/default/useradd.
-s, --shell SHELL
The name of a new user's login shell.
This option sets the SHELL variable in /etc/default/useradd.
NOTES
The system administrator is responsible for placing the default user files in the /etc/skel/ directory (or any other skeleton directory specified in /etc/default/useradd or on the command line).
CAVEATS
You may not add a user to a NIS or LDAP group. This must be performed on the corresponding server.
Similarly, if the username already exists in an external user database such as NIS or LDAP, useradd will deny the user account creation request.
Usernames may contain only lower and upper case letters, digits, underscores, or dashes. They can end with a dollar sign. Dashes are not allowed at the beginning of the username. Fully numeric usernames and usernames . or .. are also disallowed. It is not recommended to use usernames beginning with . character as their home directories will be hidden in the ls output. In regular expression terms:
[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]?
Usernames may only be up to 32 characters long.
CONFIGURATION
The following configuration variables in /etc/login.defs change the behavior of this tool:
CREATE_HOME (boolean)
Indicate if a home directory should be created by default for new users.
This setting does not apply to system users, and can be overridden on the command line.
GID_MAX (number), GID_MIN (number)
Range of group IDs used for the creation of regular groups by useradd, groupadd, or newusers.
The default value for GID_MIN (resp. GID_MAX) is 1000 (resp. 60000).
MAIL_DIR (string)
The mail spool directory. This is needed to manipulate the mailbox when its corresponding user account is modified or deleted. If
not specified, a compile-time default is used.
MAIL_FILE (string)
Defines the location of the users mail spool files relatively to their home directory.
The MAIL_DIR and MAIL_FILE variables are used by useradd, usermod, and userdel to create, move, or delete the user's mail spool.
If MAIL_CHECK_ENAB is set to yes, they are also used to define the MAIL environment variable.
MAX_MEMBERS_PER_GROUP (number)
Maximum members per group entry. When the maximum is reached, a new group entry (line) is started in /etc/group (with the same name,
same password, and same GID).
The default value is 0, meaning that there are no limits in the number of members in a group.
This feature (split group) permits to limit the length of lines in the group file. This is useful to make sure that lines for NIS
groups are not larger than 1024 characters.
If you need to enforce such limit, you can use 25.
Note: split groups may not be supported by all tools (even in the Shadow toolsuite). You should not use this variable unless you
really need it.
PASS_MAX_DAYS (number)
The maximum number of days a password may be used. If the password is older than this, a password change will be forced. If not
specified, -1 will be assumed (which disables the restriction).
PASS_MIN_DAYS (number)
The minimum number of days allowed between password changes. Any password changes attempted sooner than this will be rejected. If
not specified, -1 will be assumed (which disables the restriction).
PASS_WARN_AGE (number)
The number of days warning given before a password expires. A zero means warning is given only upon the day of expiration, a
negative value means no warning is given. If not specified, no warning will be provided.
SUB_GID_MIN (number), SUB_GID_MAX (number), SUB_GID_COUNT (number)
If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate group IDs) allocate SUB_GID_COUNT
unused group IDs from the range SUB_GID_MIN to SUB_GID_MAX for each new user.
The default values for SUB_GID_MIN, SUB_GID_MAX, SUB_GID_COUNT are respectively 100000, 600100000 and 65536.
SUB_UID_MIN (number), SUB_UID_MAX (number), SUB_UID_COUNT (number)
If /etc/subuid exists, the commands useradd and newusers (unless the user already have subordinate user IDs) allocate SUB_UID_COUNT
unused user IDs from the range SUB_UID_MIN to SUB_UID_MAX for each new user.
The default values for SUB_UID_MIN, SUB_UID_MAX, SUB_UID_COUNT are respectively 100000, 600100000 and 65536.
SYS_GID_MAX (number), SYS_GID_MIN (number)
Range of group IDs used for the creation of system groups by useradd, groupadd, or newusers.
The default value for SYS_GID_MIN (resp. SYS_GID_MAX) is 101 (resp. GID_MIN-1).
SYS_UID_MAX (number), SYS_UID_MIN (number)
Range of user IDs used for the creation of system users by useradd or newusers.
The default value for SYS_UID_MIN (resp. SYS_UID_MAX) is 101 (resp. UID_MIN-1).
UID_MAX (number), UID_MIN (number)
Range of user IDs used for the creation of regular users by useradd or newusers.
The default value for UID_MIN (resp. UID_MAX) is 1000 (resp. 60000).
UMASK (number)
The file mode creation mask is initialized to this value. If not specified, the mask will be initialized to 022.
useradd and newusers use this mask to set the mode of the home directory they create
It is also used by login to define users' initial umask. Note that this mask can be overridden by the user's GECOS line (if
QUOTAS_ENAB is set) or by the specification of a limit with the K identifier in limits(5).
USERGROUPS_ENAB (boolean)
Enable setting of the umask group bits to be the same as owner bits (examples: 022 -> 002, 077 -> 007) for non-root users, if the
uid is the same as gid, and username is the same as the primary group name.
If set to yes, userdel will remove the user's group if it contains no more members, and useradd will create by default a group with
the name of the user.
FILES
/etc/passwd
User account information.
/etc/shadow
Secure user account information.
/etc/group
Group account information.
/etc/gshadow
Secure group account information.
/etc/default/useradd
Default values for account creation.
/etc/skel/
Directory containing default files.
/etc/subgid
Per user subordinate group IDs.
/etc/subuid
Per user subordinate user IDs.
/etc/login.defs
Shadow password suite configuration.
EXIT VALUES
The useradd command exits with the following values:
0
success
1
can't update password file
2
invalid command syntax
3
invalid argument to option
4
UID already in use (and no -o)
6
specified group doesn't exist
9
username already in use
10
can't update group file
12
can't create home directory
14
can't update SELinux user mapping
SEE ALSO
chfn(1), chsh(1), passwd(1), crypt(3), groupadd(8), groupdel(8), groupmod(8), login.defs(5), newusers(8), subgid(5),
subuid(5),userdel(8), usermod(8).
