Home > Articles > Operating Systems, Server > Solaris

  • Print
  • + Share This
This chapter is from the book

5.3 User Administration Shell Commands

In addition to the Admintool GUI program, there are also several shell commands that can be used to administer user and group accounts. The commands are useradd, usermod, groupadd, and groupmod.

These commands let you administer user and group accounts. Let's explore each of these in greater detail.

useradd Command

The useradd command is used to add a user account to the system. The syntax of the useradd command is useradd [options] userid where options is one or more useradd options, and userid is the name of an account to create. With no options specified, useradd will create an account with useradd defaults.

A second form of the command is useradd –D [options]. This form lets you view and, optionally, modify defaults.

The options for useradd are:

  • -A authorization. One or more comma-separated authorizations defined in the /etc/security/auth_attrauth_attr file. Only a user or role who has grant rights to the authorization can assign it to an account.

  • -b base_dir. The default directory for the system if -d dir is not specified. base_dir is concatenated with the userid to define the user's home directory. If the -m option is not used, base_dir must exist. For example, base_dir would typically be something like /export/home. If the account jeffg were being created, then the user's home directory would be /export/home/jeffg.

  • -c comment. This is generally a short description of the user account, and is currently used as the field for the user's full name. This information is stored in the user's /etc/passwd comment (name) field.

  • -d dir. The home directory. The default is base_dir/account_name, where base_dir is the directory for new login home directories, and account_name is the new login name.

  • -D. Display the default values for group, base_dir, skel_dir, shell, inactive, and expire. When used with the -g, -b, -f, -e, -A, -P, or -R options, the -D option sets the default values for the specified fields. When used with no other options, the –D option displays all current defaults. The defaults are:
  • group=other (GID of 1)

    base_dir=/home

    skel_dir=/etc/skel

    shell=/bin/sh

    inactive=0

    expire=Null

    auths=Null

    profiles=Null

    roles=Null

  • -e expire. Set the expiration date for the userid. The user cannot log in after this date. The expire option argument is a date entered using one of the date formats included in the template file /etc/datemsk. Permissible formats include "10/5/2001" and "October 5, 2001" (dates including spaces must be quoted). A null value ("") defeats the status of the expired date. The -e option is useful for creating temporary logins.

  • -f inactive. The maximum number of days allowed between uses of a login ID before that ID is declared invalid. Normal values are positive integers. A value of 0 defeats the status.

  • -g group. An existing group's integer ID or character-string name. Without the -D option, it defines the new user's primary group membership and defaults to the default group. You can reset this default value by invoking useradd -D -g group.

  • -G group. An existing group's numeric or character-string name. It defines the new user's supplementary group membership. Duplicates between group with the -g and -G options are ignored. No more than NGROUPS_MAX (a value defined in /usr/include/limits.h, usually 16) groups can be specified. Multiple group names or numbers are separated by commas.

  • -k skel_dir. A directory that contains skeleton information (such as .profile) that can be copied into a new user's home directory. This directory must already exist. The system provides the /etc/skel directory that can be used for this purpose. Files such as .profile that are found in skel_dir will be copied into the user's home directory when the account is created.

  • -m. Create the new user's home directory if it does not already exist. If the directory already exists, it must have read, write, and execute permissions by group, where group is the user's primary group.

  • -o. This option allows a UID to be duplicated (nonunique). This will create an additional account with the same numeric UID as one that already exists. Normally, an error message will be generated advising that the new account cannot be created because of the duplicate.

  • -P profile. One or more comma-separated execution profiles defined in the /etc/security/prof_attr profiles configuration file.

  • -R role. One or more comma-separated execution profiles defined in the /etc/user_attr profiles configuration file. Roles cannot be assigned to other roles.

  • -s shell. Full pathname of the program used as the user's shell. Its default is an empty field, causing the system to use /bin/sh. The value of shell must be a valid executable file. Setting the shell to /bin/echo will effectively prohibit the user from being able to log in to the account.

  • -u uid. The numeric UID of the new user. This UID must be a non-negative decimal integer below MAXUID as defined in <sys/param.h>. The UID defaults to the next available (unique) number above the highest number currently assigned. For example, if UID's 100, 105, and 200 are assigned, the next default UID number will be 201. (UIDs from 0–99 are reserved for possible use in future applications.)

Some examples of useradd are shown here.

# useradd -D
group=other,1  basedir=/home  skel=/etc/skel
shell=/bin/sh  inactive=0  expire=  auths=
profiles=  roles=
#
# useradd –D –b /d1/export/home
#
# useradd jeffg
#
# useradd –s /bin/csh –u 14002 –c "Paul Graham" paulg
#

In the first example, useradd –D is used to display defaults. In the second example, the default home directory base directory has been changed to /d1/export/home. In the third example, username jeffg has been created with all defaults. In the fourth example, the username paulg has been created; this user has the nondefault shell /bin/sh, will be assigned UID 14002 (unless it exists already), and the string "Paul Graham" will appear in the account's comment field in /etc/passwd.

Exam Notes

Think About It . . .

You import many files onto your system (perhaps from another system's backup tape); these files are owned by a nonexistent user, and you decide that it is easier to create a new userid associated with the files than to change the ownership of the files. How would this be done?

This is solved by creating a userid with a specific UID. For example,

# useradd engrtools –u 10082 –c "Engineering Tools"
#

Exam Notes

Think About It . . .

Your site adds its user accounts with useradd as part of a larger automated process. Different classes of users require different environments and, consequently, different initialization files (i.e., .profile, .login, etc.). How could you handle this easily with useradd?

You could create different "skeleton" directories, similar to the default /etc/skel. Each of these skeleton directories would contain .profile, .login., .cshrc (and others as applicable) files, each tailored for the specific class of user. Then, the -k option in useradd would be chosen as appropriate for each user added.

usermod Command

The usermod command is used to modify the account settings for existing userids on the system. The syntax of the usermod command is usermod [options] userid, where options is one or more usermod options, and userid is the name of an account to modify.

The options for usermod are:

  • -A authorization. One or more comma-separated authorizations as defined in the /etc/security/auth_attr file. Only a user or role who has grant rights to the authorization can assign it to an account. This replaces any existing authorization setting.

  • -c comment. Specifies a comment string. comment can be any text string, generally a short description of the login, and is currently used as the field for the user's full name. This information is stored in the user's /etc/passwd entry.

  • -d dir. The new home directory of the user. It defaults to base_dir/login, where base_dir is the base directory for new login home directories, and login is the account name.

  • -e expire. Specifies the expiration date for a login. After this date, no user will be able to access this login. The expire option argument is a date entered using one of the date formats included in the template file /etc/datemsk. Permissible formats include "10/5/2001" and "October 5, 2001" (dates including spaces must be quoted). A null value ("") defeats the status of the expired date. The -e option is useful for creating temporary logins.

  • -f inactive. Specifies the maximum number of days allowed between uses of a login ID before that login ID is declared invalid. Normal values are positive integers. A value of 0 defeats the status.

  • -g group. Assigns an existing group's numeric or character name. It redefines the user's primary group membership.

  • -G grouplist. Specifies an existing group's integer number or character string name. This redefines the user's supplementary group membership. Duplicates between group with the -g and -G options are ignored. No more than NGROUPS_UMAX groups may be specified as defined in /usr/include/param.h. Multiple group names or numbers are separated by commas.

  • -l new_logname. Specifies the new login name for the user. The new_logname argument must be a string no more than eight characters consisting of characters from the set of alphabetic characters, numeric characters, period (.), underline (_), and hyphen (-). The first character should be alphabetic and the field should contain at least one lowercase alphabetic character. A warning message will be written if these rules are not met. The new_logname argument must contain at least one character and must not contain a colon (:) or newline (\n).

  • -m. Moves the user's home directory to the new directory specified with the -d option. If the directory already exists, it must have permission to read/write/execute by group, where group is the user's primary group.

  • -o. This option allows a UID to be duplicated (nonunique). This will create an additional account with the same numeric UID as one that already exists. Normally, an error message will be generated advising that the account cannot be accessed because of the duplicate.

  • -P profile. One or more comma-separated execution profiles defined in /etc/security/auth_attr. This replaces any existing profile setting.

  • -R role. One or more comma-separated execution profiles de-fined in the /etc/user_attr profiles configuration file. Roles cannot be assigned to other roles.

  • -s shell. Full pathname of the program used as the user's shell. It defaults to an empty field causing the system to use /bin/sh as the default. The value of shell must be a valid executable file.

  • -u uid. Specifies a new UID for the user. It must be a non-negative decimal integer less than MAXUID as defined in /usr/include/param.h. The UID associated with the user's home directory is not modified with this option; a user may not have access to his or her home directory until the UID is manually reassigned using the chown command.

Some examples of usermod are shown here.

# usermod –s /bin/tcsh hamidf
#
# usermod –l shammer sgilbery
#
# usermod –G admins,backups jeffg
#

In the first example, the shell for userid hamidf is changed to /bin/tcsh. In the second example, the userid is changed from sgilbery to shammer. In the last example, the user jeffg is added to the secondary groups admins and backups.

Exam Notes

Think About It . . .

What command would you use to change a user's home directory? Would any follow-up tasks be necessary?

Use the usermod -m command to change a user's home directory. You will also have to move the contents of the user's home directory to the new location and check to make sure that the permissions of the new home directory are correct.

Exam Notes

Think About It . . .

A group of people shares the same UID and account (they have different passwords since their usernames are different), and they work on files in the same home directory. One person in the group is given an additional role of occasionally working on confidential materials that the others in the group are not allowed to access. What change could be made to allow this person to continue working on the pool of files, but at the same time prevent others in the group from viewing the confidential files?

One way to solve this is to change the one person's UID to a new number, and change his or her groupid, but then to add those IDs to the group shared by the others. The command is:

# usermod –u 102 –g conf –G pool pbrown
#

In this example, the user's name is pbrown. Pbrown is given a new UID (102), a new group name (conf), and is added as a secondary member to the group pool.

userdel Command

The userdel command is used to remove a userid from the system. The syntax for userdel is userdel [-r] userid, where userid is the name of an account to be removed. The –r option, if specified, will remove the user's home directory from the system.

groupadd Command

The groupadd command is used to add groups to the system. The syntax for the groupadd command is groupadd [options] groupid, where options is one or more groupadd options, and groupid is the name of a group to add.

The options for groupadd are:

  • -g gid. Assigns the group number for the new group. This groupid must be a non-negative decimal integer below MAXUID as defined in /usr/include/sys/param.h. The groupid defaults to the next available (unique) number above the highest number currently assigned. For example, if groups 100, 105, and 200 are assigned as groups, the next default group number will be 201. Groupids from 0–99 are reserved by Solaris for future applications.

  • -o. Permits duplicate group number.

Some examples of groupadd are:

# groupadd admins
#
# groupadd –g 300 backupadmins
#

In the first example, the group admins is created. In the second example, the group backupadmins is created as group number 300.

Exam Notes

Think About It . . .

After a disaster, you recover files from tape. Many files, however, are recovered with their old groupids. People cannot access these files because the groupid's have changed. You decide that it is easier to create a new group corresponding to the groupid on the recovered files than it would be to change the groupid of all of the recovered files. How would this be done?

Create a new group with groupadd, specifying the desired groupid. Then, add the required users to the new group with usermod -G. For example:

# groupadd –g 108 dbadmins
# usermod –G dbadmins paul
# usermod –G dbadmins mbowman
# usermod –G dbadmins sghani
#

groupmod Command

The groupmod command is used to modify existing groups. The syntax for groupmod is groupmod [options] groupid, where options is one or more groupmod options, and groupid is the name of a group to modify.

The options for groupmod are:

  • -ggid. Specify the new numeric groupid for the group. This groupid must be a non-negative decimal integer less than MAXUID, as defined in /usr/include/sys/param.h.

  • -o. Allow the GID to be duplicated (nonunique).

  • -nname. Specify the new name for the group. The name argument is a string of no more than eight bytes consisting of characters from the set of lowercase alphabetic characters and numeric characters. A warning message will be written if these rules are not met. The name argument must contain at least one character and must not include a colon (:) or newline (\n).

Some groupmod examples are shown here.

# groupmod –nsysadmins admins
#
# groupmod –g201 admins
#

In the first example, the group admins is renamed to sysadmins. In the second example, the group number for the group admins is changed to 201.

Exam Notes

Think About It . . .

You have upgraded an application that now expects its primary groupid to be a different value. The impact of changing the groupids on all of the associated files would be too great; instead, you want to change the number of the existing group. How would you do this?

Use the groupmod –g command to change the group number of an existing group. For example:

# groupmod –g420 finance
#

groupdel  Command

The groupdel command is used to remove a group from the system. The syntax for groupdel is groupdel group, where group is the existing group name to be deleted. An example is shown here.

# groupdel admins
#

In this example, the group admins is removed from the system.

Exam Notes

Think About It . . .

What are some of the advantages of using the user and group commands rather than Admintool?

You have more control with the user and group commands than with Admintool. Further, the user and group commands can be made part of shell scripts or custom programs, which can help to automate the process of adding, changing, and removing users. Also, repetitive changes can be put into a script (e.g., if the path to everyone's home directory has changed, then it would be easy to write a shell script to modify everyone's account very quickly; this would be very time consuming using Admintool).

  • + Share This
  • 🔖 Save To Your Account