Why can SetUID programs be a bad thing? What happens if you forget to add the home directory for a user? Get answers to these and other questions in this, part 2 of Managing Users from the book Linux Administration, A Beginner's Guide, third edition by Steven Graham and Steve Shah (McGraw-Hill/Osborne, 0072225629, 2002). See this link for Part 1.
The wonderful part about having password database files that have a well-defined format in straight text is that it is easy for anyone to be able to write their own management tools. Indeed, many site administrators have already done this in order to integrate their tools along with the rest of their organization’s infrastructure. They can start a new user from the same form that lets them update the corporate phone and e-mail directory, LDAP servers, Web pages, and so on. Of course, not everyone wants to write their own tools, which is why Linux comes with several prewritten tools that do the job for you.
In this section, we discuss user management tools that work from both the command-line interface and the graphical user interface (GUI). Of course, learning how to use both is the preferred route, for you never know under what circumstances you may one day find yourself adding users.
Command-Line User Management
You can choose from among six command-line tools to perform the same actions performed by the GUI tool: useradd, userdel, usermod, groupadd, groupdel, and groupmod. The obvious advantage to using the GUI tool is ease of use. However, the disadvantage is that actions that can be performed with it cannot be automated. This is where the command-line tools become very handy.
NOTE: Linux distributions other than Red Hat may have slightly different parameters than the tools used here. To see how your particular installation is different, read the man page for the particular program in question.
useradd
As the name implies, useradd allows you to add a single user to the system. Unlike the GUI tool, there are no interactive prompts. Instead, all parameters must be specified on the command line. Here’s how you use this tool:
Don’t be intimidated by this long list of options! We’ll examine them one at a time and discuss their relevance.
Before you dive into these options, take note that anything in the square brackets is optional. Thus, to add a new user with the login sshah, you could issue a command as simple as this:
[root@ford /root]# useradd sshah
Default values are used for any unspecified values. (To see the default values, simply run useradd -D; we will discuss how to change the defaults shortly.) Table 5-1 shows the command options and their descriptions.
Option and description

-c comment
    Allows you to set the user’s name in the GECOS field. As with any command-line parameter, if the value includes a space, you will need to put quotes around the text. For example, to set the user’s name to Steve Shah, you would have to specify -c "Steve Shah".

-d homedir
    By default, the user’s home directory is /home/login (for example, if my login is sshah, my home directory would be /home/sshah). When creating a new user, the user’s home directory gets created along with the user account. If you want the home directory somewhere else, you can specify the new location with this parameter, for example, -d /home/sysadmin/sshah.

-e expire-date
    It is possible for an account to expire after a certain date. By default, accounts never expire. To specify a date, be sure to place it in YYYY MM DD format. For example, use -e 2002 10 28 to expire the account on October 28, 2002.

-f inactive-time
    This option specifies the number of days after a password expires that the account is still usable (for example, -f 3 will allow an account to exist for three days after a password has expired). A value of 0 (zero) indicates that the account is disabled immediately. A value of -1 will never allow the account to be disabled, even if the password has expired. The default value is -1.

-g initial-group
    Using this option, you can specify the default group the user has in the password file. You can use a number or the name of the group; however, if you use a name, the group must exist in the /etc/group file, for example, -g project.

-G group[,...]
    This option allows you to specify additional groups to which the new user will belong. If you use the -G option, you must specify at least one additional group. You can specify several groups by separating the list with commas. For example, to add a user to the project and admin groups, you would specify -G project,admin.

-m [-k skel-dir]
    By default, the system automatically creates the user’s home directory. This option is the explicit command to create the user’s home directory. Part of creating the directory is copying default configuration files into it. These files come from the /etc/skel directory by default. You can change this by using the secondary option -k skel-dir. (You must specify -m in order to use -k.) For example, to specify the /etc/adminskel directory, you would use -m -k /etc/adminskel.

-M
    If you used the -m option, you cannot use -M, and vice versa. This option tells the command not to create the user’s home directory.

-n
    Red Hat Linux creates a new group with the same name as the new user’s login as part of the process of adding a user. You can disable this behavior by using this option.

-s shell
    A user’s login shell is the first program that runs when a user logs in to a system. This is usually a command-line environment, unless you are logging in from the X Window System login screen. By default, this is the Bourne Again Shell (/bin/bash), though some folks like other shells such as the Turbo C Shell (/bin/tcsh). This option lets you choose whichever shell you would like to run for the new user upon login. (A list of shells is available in /etc/shells.)

-u uid
    By default, the program will automatically find the next available UID and use it. If for some reason you need to force a new user’s UID to be a particular value, you can use this option. Remember that UIDs must be unique for all users.

login
    Finally, the only parameter that isn’t optional! You must specify the new user’s login name.

Table 5-1 useradd Command-Line Options
For example, to create a new user whose name is H.D. Core, who is a member of the admin and support groups (default group admin), and who prefers using the Turbo C Shell and wants the login name hdc, you would use this line:
[root@ford /root]# useradd -c "H. D. Core" -g admin -G support -s /bin/tcsh hdc
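As an added example (not the book's own code), here is a short shell script that builds the same kind of useradd command lines from a user list, checking every field against constructed stand-ins for /etc/group and /etc/shells before anything is handed to a tool that runs as root. The helper names and the login-name pattern are this example's assumptions, not useradd's.

```shell
#!/bin/sh
# Added example, not from the book: build useradd command lines from a user
# list, checking every field before it is handed to a tool that runs as root.
# Dry run: the commands are printed, not executed.

# Constructed stand-ins for /etc/group and /etc/shells so this runs offline
# and without root; point the two variables at the real files on a live system.
TMP=$(mktemp -d)
GROUP_FILE=$TMP/group
SHELLS_FILE=$TMP/shells
printf 'admin:x:500:\nsupport:x:501:\nproject:x:502:\n' > "$GROUP_FILE"
printf '/bin/bash\n/bin/tcsh\n' > "$SHELLS_FILE"

# Hypothetical helpers (the names are this example's, not useradd's).
group_exists() { grep -q "^$1:" "$GROUP_FILE"; }
shell_listed() { grep -qx "$1" "$SHELLS_FILE"; }
# A login beginning with '-' would be parsed by useradd as an option, so only a
# conservative pattern is accepted (assumed: lowercase, digits, _ and -, 32 max).
valid_login() { printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'; }
# The GECOS comment is emitted inside double quotes, so shell metacharacters
# such as $, ` and " are refused rather than escaped.
valid_name() { printf '%s\n' "$1" | grep -Eq "^[A-Za-z0-9 .,'-]+$"; }

# build_useradd LOGIN FULLNAME INITIAL_GROUP EXTRA_GROUPS SHELL
# Prints one useradd line built from the -c, -g, -G and -s options of Table 5-1,
# or prints nothing and returns 1 if any field fails its check.
build_useradd() {
    login=$1; name=$2; pgroup=$3; extra=$4; shell=$5
    valid_login "$login" || { echo "rejected login: $login" >&2; return 1; }
    valid_name "$name" || { echo "rejected comment: $name" >&2; return 1; }
    group_exists "$pgroup" || { echo "no such group: $pgroup" >&2; return 1; }
    for g in $(printf '%s\n' "$extra" | tr ',' ' '); do
        group_exists "$g" || { echo "no such group: $g" >&2; return 1; }
    done
    shell_listed "$shell" || { echo "shell not in $SHELLS_FILE: $shell" >&2; return 1; }
    cmd="useradd -c \"$name\" -g $pgroup"
    [ -n "$extra" ] && cmd="$cmd -G $extra"
    printf '%s -s %s %s\n' "$cmd" "$shell" "$login"
}

# Reads records of the form login:full name:initial group:extra groups:shell
# from stdin, prints a command per good record, returns the number rejected.
process_list() {
    rejected=0
    while IFS=: read -r login name pgroup extra shell; do
        build_useradd "$login" "$name" "$pgroup" "$extra" "$shell" || rejected=$((rejected + 1))
    done
    return "$rejected"
}
```

Feeding the record hdc:H. D. Core:admin:support:/bin/tcsh to process_list reproduces the command shown above; a record whose login starts with a hyphen or names a group missing from the group file is reported on stderr and skipped.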