To add a new user to the system, type the following at a shell prompt as root:
useradd [options] username
...where options are command line options as described in Table 3.2, “useradd command line options”.
By default, the useradd command creates a locked user account. To unlock the account, run the following command as root to assign a password:
passwd username
Optionally, you can set password aging policy.
Table 3.2. useradd command line options
Option             Description
-c 'comment'       comment can be replaced with any string. This option is generally used to specify the full name of a user.
-d home_directory  Home directory to be used instead of default /home/username/.
-e date            Date for the account to be disabled in the format YYYY-MM-DD.
-f days            Number of days after the password expires until the account is disabled. If 0 is specified, the account is disabled immediately after the password expires. If -1 is specified, the account is not disabled after the password expires.
-g group_name      Group name or group number for the user's default group. The group must exist prior to being specified here.
-G group_list      List of additional (other than default) group names or group numbers, separated by commas, of which the user is a member. The groups must exist prior to being specified here.
-m                 Create the home directory if it does not exist.
-M                 Do not create the home directory.
-N                 Do not create a user private group for the user.
-p password        The password encrypted with crypt.
-r                 Create a system account with a UID less than 500 and without a home directory.
-s                 User's login shell, which defaults to /bin/bash.
-u uid             User ID for the user, which must be unique and greater than 499.
Explaining the Process
The following steps illustrate what happens if the command useradd juan is issued on a system that has shadow passwords enabled:
1. A new line for juan is created in /etc/passwd:
juan:x:501:501::/home/juan:/bin/bash
The line has the following characteristics:
- It begins with the username juan.
- There is an x for the password field indicating that the system is using shadow passwords.
- A UID greater than 499 is created. Under Red Hat Enterprise Linux, UIDs below 500 are reserved for system use and should not be assigned to users.
- A GID greater than 499 is created. Under Red Hat Enterprise Linux, GIDs below 500 are reserved for system use and should not be assigned to users.
- The optional GECOS information is left blank. The GECOS field can be used to provide additional information about the user, such as their full name or phone number.
- The home directory for juan is set to /home/juan/.
- The default shell is set to /bin/bash.
2. A new line for juan is created in /etc/shadow:
juan:!!:14798:0:99999:7:::
The line has the following characteristics:
- It begins with the username juan.
- Two exclamation marks (!!) appear in the password field of the /etc/shadow file, which locks the account.
- The password is set to never expire.
Note: If an encrypted password is passed using the -p flag, it is placed in the /etc/shadow file on the new line for the user.
3. A new line for a group named juan is created in /etc/group:
juan:x:501:
A group with the same name as a user is called a user private group. For more information on user private groups, refer to Section 3.1.1, “User Private Groups”.
The line created in /etc/group has the following characteristics:
- It begins with the group name juan.
- An x appears in the password field indicating that the system is using shadow group passwords.
- The GID matches the one listed for user juan in /etc/passwd.
4. A new line for a group named juan is created in /etc/gshadow:
juan:!::
The line has the following characteristics:
- It begins with the group name juan.
- An exclamation mark (!) appears in the password field of the /etc/gshadow file, which locks the group.
- All other fields are blank.
5. A directory for user juan is created in the /home/ directory:
~]# ls -l /home
total 4
drwx------. 4 juan juan 4096 Mar 3 18:23 juan
This directory is owned by user juan and group juan. It has read, write, and execute privileges only for the user juan. All other permissions are denied.
6. The files within the /etc/skel/ directory (which contain default user settings) are copied into the new /home/juan/ directory:
~]# ls -la /home/juan
total 28
drwx------. 4 juan juan 4096 Mar 3 18:23 .
drwxr-xr-x. 5 root root 4096 Mar 3 18:23 ..
-rw-r--r--. 1 juan juan 18 Jun 22 2010 .bash_logout
-rw-r--r--. 1 juan juan 176 Jun 22 2010 .bash_profile
-rw-r--r--. 1 juan juan 124 Jun 22 2010 .bashrc
drwxr-xr-x. 2 juan juan 4096 Jul 14 2010 .gnome2
drwxr-xr-x. 4 juan juan 4096 Nov 23 15:09 .mozilla
At this point, a locked account called juan exists on the system. To activate it, the administrator must next assign a password to the account using the passwd command and, optionally, set password aging guidelines.
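To check the state described in the steps above, the following added example (not part of the original guide) reads passwd- and shadow-format files and reports, for each regular account, whether it is locked, has an empty password, or has a password set, together with its maximum password age. The function names, the state labels, and every sample account other than juan are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original guide): report the state of regular
# accounts from passwd- and shadow-format files. Run it on copies, or as root.

# audit_accounts PASSWD_FILE SHADOW_FILE [MIN_UID]
# Prints "user uid state aging" for each account with UID >= MIN_UID
# (default 500, the first non-reserved UID according to this page).
audit_accounts() {
    awk -F: -v min="${3:-500}" '
        # First operand is the shadow file: keep password field and max age.
        FILENAME == ARGV[1] { pw[$1] = $2; max[$1] = $5; next }
        ($3 + 0) >= (min + 0) {
            if ($2 != "x")         { state = "not-shadowed";    aging = "-" }
            else if (!($1 in pw))  { state = "no-shadow-entry"; aging = "-" }
            else {
                if (pw[$1] == "")           state = "empty-password"
                else if (pw[$1] ~ /^[!*]/)  state = "locked"  # e.g. "!!" after useradd
                else                        state = "password-set"
                # 99999 or a blank field 5 means the password never expires.
                if (max[$1] == "" || max[$1] == "99999") aging = "never-expires"
                else aging = "max-" max[$1] "-days"
            }
            print $1, $3, state, aging
        }
    ' "$2" "$1"
}

# write_sample DIR: constructed sample data. The juan lines are the ones
# shown on this page; the other accounts and the hashes are made up.
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
juan:x:501:501::/home/juan:/bin/bash
maria:x:502:502::/home/maria:/bin/bash
pedro:x:503:503::/home/pedro:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$SALT$CONSTRUCTEDHASH:14798:0:99999:7:::
juan:!!:14798:0:99999:7:::
maria:$6$SALT$CONSTRUCTEDHASH:14798:0:90:7:::
pedro::14798:0:99999:7:::
EOF
}

tmp=$(mktemp -d) && write_sample "$tmp"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

An account reported as empty-password can be used without any password, and one reported as locked is in the state useradd leaves it in until passwd is run.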