
Adding New Users

6.7 Managing Accounts

The useradd command adds users to the passwd file (and to the shadow file if applicable). It provides a command-line-driven interface that is easy to run by hand or to call from a home-grown adduser script. The usermod command changes the passwd entries of existing users. The userdel command removes a user from the system, optionally deleting the user’s home directory. The groupadd, groupmod, and groupdel commands operate on the /etc/group file.


For example, to create a new user “hilbert” with useradd (using the system defaults), you could simply run:

# useradd hilbert

This command would create the following entry in /etc/passwd. Note that useradd puts a star in the password field, effectively disabling the account until you assign a real password.

hilbert:*:105:20::/home/hilbert:/bin/bash

For some reason, SUSE uses a similar but independently developed set of user and group manipulation commands. The commands have the same names, but there are subtle differences in the meanings of some options and in the default behaviors. For example, most distributions create a dedicated personal group for new users if you do not specify otherwise on the command line. SUSE’s useradd puts new users in group 100. (In the default configuration, it also adds them to the groups “video” and “dialout.” Hmm.)

useradd is generally more useful when given additional arguments. In the next example, we specify that hilbert’s primary group should be “faculty” and that he should also be added to the “famous” group. We also override the default home directory location and ask useradd to create the home directory if it does not already exist:

# useradd -c "David Hilbert" -d /home/math/hilbert -g faculty -G famous -m -s /bin/sh hilbert

This command creates the following passwd entry:

hilbert:x:1005:30:David Hilbert:/home/math/hilbert:/bin/sh

(the assigned UID is one higher than the highest UID on the system) and the corresponding shadow entry:

hilbert:!:11508:0:99999:7:0::

It also adds hilbert to the “faculty” and “famous” groups in /etc/group, creates the directory /home/math/hilbert, and populates it in accordance with the contents of the /etc/skel directory.

On all of our example distributions except SUSE, you can determine the default settings for useradd by running useradd -D. You can also use the -D flag in combination with other arguments to set those defaults.

Even on SUSE, the defaults are stored in /etc/default/useradd and can be edited directly if you prefer.

usermod modifies an account that already exists and takes many of the same flags as useradd. For example, we could use the following command to set an expiration date of July 4, 2007, on hilbert’s account:

# usermod -e 2007-07-04 hilbert

The userdel command deletes user accounts, effectively undoing all the changes made by useradd. To remove hilbert, we would use the following command:

# userdel hilbert

This command removes references to hilbert in the passwd, shadow, and group files. By default, it would not remove hilbert’s home directory.[10] The -r option makes userdel remove the user’s home directory as well, but even at its most aggressive, userdel still performs only the last three tasks from the “user deletion chores” list.

Although the useradd and userdel commands are convenient, they are usually not sufficient to implement all of a site’s local policies. Don’t hesitate to write your own adduser and rmuser scripts; most larger sites do. (Perl is generally the appropriate tool for this task.) Your homebrew scripts can call the standard utilities to accomplish part of their work.

6.8 Exercises

E6.1 How is a user’s default group determined? How would you change it?

E6.2 Explain the differences among the following umask values: 077, 027, 022, and 755. How would you implement one of these values as a site-wide default for new users? Can you impose a umask standard on your users?

E6.3 What is the purpose of the shadow password file?

E6.4 List the steps needed to add a user to a system without using the useradd program. What extra steps are needed for your local environment?

E6.5 Determine the naming convention for new users at your site. What are the rules? How is uniqueness preserved? Can you think of any drawbacks? How are users removed?

E6.6 Find a list of names (from a local on-line telephone directory, perhaps) and use it as the input to a script that forms login names according to the naming convention at your site. How many users can you accommodate before you have a collision? How many collisions are there overall? Use the data to evaluate your site’s naming convention, and suggest improvements.

E6.7 Write a script to help monitor the health of your /etc/passwd file. (Parts b and e require root access unless you’re clever.)

a) Find any entries that have UID 0.

b) Find any entries that have no password (needs /etc/shadow).

c) Find any sets of entries that have duplicate UIDs.

d) Find any entries that have duplicate login names.

e) Find any entries that have no expiration date (needs /etc/shadow).
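The following is an added example, not code from the book: a small health check that runs checks (a) through (e) of exercise E6.7 over /etc/passwd and /etc/shadow in the seven- and nine-field formats shown in section 6.7. It works on the file contents as text, so it is demonstrated here on constructed sample entries; pointing it at the real files requires root for the shadow checks, as the exercise notes.

```python
# Added example: audit passwd/shadow text for the conditions in exercise E6.7.
from collections import defaultdict

# Constructed sample data (not from any real system). Field layouts match the
# hilbert entries in the text: 7 fields in passwd, 9 in shadow. The hash values
# are placeholders, not real password hashes.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
hilbert:x:1005:30:David Hilbert:/home/math/hilbert:/bin/sh
noether:x:1005:30:Emmy Noether:/home/math/noether:/bin/sh
hilbert:x:1006:30:second hilbert entry:/home/hilbert2:/bin/sh
toor:x:0:0:second UID 0 account that check (a) must flag:/root:/bin/bash
guest:x:1007:100:Guest:/home/guest:/bin/sh
"""
SAMPLE_SHADOW = """root:PLACEHOLDER_HASH:11508:0:99999:7:::
hilbert:!:11508:0:99999:7:0::
noether:PLACEHOLDER_HASH:11508:0:99999:7:0:14000:
guest::11508:0:99999:7:0::
"""

def parse_colon_file(text, nfields):
    """Split a passwd- or shadow-style file into field lists, rejecting
    lines with the wrong field count (a malformed line is itself a finding)."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed line: {line!r}")
        rows.append(fields)
    return rows

def audit(passwd_text, shadow_text):
    """Return the findings for checks (a)-(e), keyed by check name."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 9)
    by_uid, by_name = defaultdict(list), defaultdict(list)
    for name, _pw, uid, *_rest in passwd:
        by_uid[uid].append(name)
        by_name[name].append(uid)
    return {
        # (a) every UID 0 entry is a root-equivalent account, not just "root"
        "uid0": [n for n, _pw, uid, *_r in passwd if uid == "0"],
        # (b) an empty shadow password field means login needs no password
        "no_password": [r[0] for r in shadow if r[1] == ""],
        # (c) duplicate UIDs share file ownership; (d) duplicate login names
        "dup_uid": {u: ns for u, ns in by_uid.items() if len(ns) > 1},
        "dup_name": [n for n, us in by_name.items() if len(us) > 1],
        # (e) empty 8th field: no expiration date set (compare usermod -e)
        "no_expiry": [r[0] for r in shadow if r[7] == ""],
    }

if __name__ == "__main__":
    for check, hits in audit(SAMPLE_PASSWD, SAMPLE_SHADOW).items():
        print(f"{check}: {hits}")
```

To run it against a live system, replace the sample strings with the contents of /etc/passwd and /etc/shadow; a locked account such as hilbert’s “!” entry is reported under no_expiry but not under no_password, which is the distinction the exercise is after.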

10. At our site, we generally preserve deleted users’ home directories for a few weeks. This policy minimizes the need to restore data from backup tapes if a deleted user should return or if other users need access to the deleted user’s work files.
