svcadm(8)을 검색하려면 섹션에서 8 을 선택하고, 맨 페이지 이름에 svcadm을 입력하고 검색을 누른다.
useradd(8)
System Administration Commands useradd(8)
NAME
useradd, roleadd, usermod, rolemod - administer an existing or add a
new user or role login to the system
SYNOPSIS
useradd [-A authorization[,authorization...]]
[-b base_dir | -d dir] [-c comment] [-e expire]
[-f inactive] [-g group] [-G group[,group]...]
[-K key=value] [-m [-k skel_dir]] [-p projname]
[-z yes | no | nodelegation]
[-P profile[,profile...]]
[-R role [, role...]]
[-s shell] [-S repository] [-u uid [-o]] username
useradd -D [-A authorization[,authorization...]]
[-b base_dir] [-s shell [-k skel_dir]] [-e expire]
[-f inactive] [-g group] [-K key=value] [-p projname]
[-P profile[,profile...]]
roleadd [-A authorization[,authorization...]]
[-b base_dir | -d dir] [-c comment] [-e expire]
[-f inactive] [-g group] [-G group [,group]...]
[-K key=value] [-m [-k skel_dir]] [-p projname]
[-z yes | no | nodelegation]
[-P profile[,profile...]]
[-s shell] [-S repository] [-u uid [-o]] rolename
roleadd -D [-A authorization[,authorization...]]
[-b base_dir] [-s shell [-k skel_dir]] [-e expire]
[-f inactive] [-g group] [-K key=value] [-p projname]
[-P profile[,profile...]]
usermod [-A authorization[,authorization...]]
[-d dir] [-c comment] [-e expire]
[-f inactive] [-g group] [-G group [,group]...]
[-K key=value] [-m [-k skel_dir]] [-p projname]
[-z yes | no | nodelegation]
[-P profile[,profile...]]
[-R role [, role...]]
[-l new_username]
[-q qualifier]
[-s shell] [-S repository] [-u uid [-o]] username
rolemod [-A authorization[,authorization...]]
[-d dir] [-c comment] [-e expire]
[-f inactive] [-g group] [-G group [,group]...]
[-K key=value] [-m [-k skel_dir]] [-p projname]
[-z yes | no | nodelegation]
[-P profile[,profile...]]
[-l new_rolename]
[-q qualifier]
[-s shell] [-S repository] [-u uid [-o]] rolename
DESCRIPTION
The useradd and roleadd utilities add a new user or role entry to the
passwd(5), shadow(5), and user_attr(5) databases in the files or ldap
repository.
The usermod and rolemod utilities modify a user's or role's login defi‐
nition on the system. They change the definition of the specified login
and make the appropriate login-related changes to the appropriate
repository and corresponding file system changes.
The -A and -P options respectively assign authorizations and profiles
to the user or role. The -R option assigns roles to a user. (Roles can‐
not be assigned to other roles.) The -p option associates a project
with a user or role. The -K option adds a key=value pair to the
user_attr entry for the user or role. Multiple key=value pairs may be
added with multiple -K options.
The -G option creates supplementary group memberships for the user or
role. The -m option creates the home directory for the user or role if
requested. The new login remains locked until the passwd(1) command is
executed.
Specifying the -D to useradd or roleadd with the -s, -k, -g, -b, -f,
-e, -A, -P, -p, -R, or -K option (or any combination of these options)
sets the default values for the respective fields. See the -D option,
below. Subsequent useradd or roleadd commands without the -D option use
these arguments.
Alternatively, default settings may be specified that are applied
dynamically at run time. For accounts that are created using -S ldap,
the default values for any of the -K attributes may be specified using
-S ldap and the special value default@ as the account name. The
default@ account is automatically locked since it is not intended to be
used for logins. Additional default values may be specified in pol‐
icy.conf(5).
useradd and usermod require that usernames be in the format described
in passwd(5). A warning message is displayed if these restrictions are
not met.
roleadd and rolemod require that role names be a string of no more than
eight bytes consisting of characters from the set of alphabetic charac‐
ters, numeric characters, period (.), underscore (_), and hyphen (-).
The first character should be alphabetic and the name should contain at
least one lower case alphabetic character. A warning message is written
if these restrictions are not met. A future Solaris release might
refuse to accept role names that do not meet these requirements. Role
names must contain at least one character and must not contain a colon
(:) or a newline (\n).
When used with usermod or rolemod the -A, -G, -K, -P, and -R options
may take a list of values to add or remove to the granted set using the
[+|-] prefix. A prefix + adds the value to the existing set; a prefix -
removes the value from the existing granted set. To remove all values
an empty list must be specified using '', or any appropriate equivalent
according to the shell in use.
An administrator must be granted the User Management Profile to be able
to create a new user or role. An administrator must be granted the User
Security Profile to modify the security attributes for an existing
user. To be able to modify the non-security attributes of an existing
user requires the User Management Profile. The authorizations required
to set the various fields in passwd, shadow, and user_attr can be found
in passwd(5), shadow(5), and user_attr(5). The authorizations required
to assign groups and projects can be found in group(5) and project(5).
OPTIONS
The following options are supported:
-A [+|-]authorization
One or more comma-separated authorizations defined in auth_attr(5).
Only a user or role who has grant rights to the authorization can
assign it to an account.
-b base_dir
The base directory for new login home directories (see the -d
option below. When a new user account is being created, base_dir
must already exist unless the -m option or the -d option is also
specified.
-c comment
Any text string. It is generally a short description of the login,
and is currently used as the field for the user's full name. This
information is stored in the user's passwd entry.
-d dir | server:dir
Specifies the home directory path for the new user. If no server
name is specified, the specified directory is maintained in the
passwd(5) database.
The optional server name specifies the host on which the home
directory resides. Entries in this form depend on the automounter,
and are maintained in the auto_home map. The path /home/username is
maintained in the passwd(5) database. When the user subsequently
references /home/username, the automounter will mount the specified
directory on /home/username.
-D
Display the default values for group, base_dir, skel_dir, shell,
inactive, expire, proj, projname, zfshome, and key=value pairs.
When used with the -g, -b, -f, -e, -A, -P, -p, -R, or -K options,
the -D option sets the default values for the specified fields. The
default values are:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) FIELDDEFAULT
VALUE _ groupother (GID of 1) _ base_dir/export/home _
skel_dir/etc/skel _ shell/usr/bin/bash _ inactive0 _ expirenull _
authsnull _ profilesnull _ auth_profilesnull _ proj3 _ projnamede‐
fault _ zfshomeyes _ T{ key=value (pairs defined in user_attr(5))
T}not present _ rolesnull
-e expire
Specify the expiration date for a login. After this date, no user
will be able to access this login. The expire option argument is a
date entered using one of the date formats included in the template
file /etc/datemsk. See getdate(3C).
If the date format that you choose includes spaces, it must be
quoted. For example, you can enter 10/6/90 or October 6, 1990. A
null value (" ") defeats the status of the expired date. This
option is useful for creating temporary logins.
-f inactive
The maximum number of days allowed between uses of a login ID
before that ID is declared invalid. Normal values are positive
integers. A value of 0 defeats the status.
-g group
An existing group's integer ID or character-string name. Without
the -D option, it defines the new user's primary group membership
and defaults to the default group. You can reset this default value
by invoking useradd -D -g group. GIDs 0-99 are reserved for
allocation by the Solaris Operating System.
-G [+|-]group
An existing group's integer ID or character-string name. It defines
the new user's supplementary group membership. Duplicates between
group with the -g and -G options are ignored. No more than
NGROUPS_MAX groups can be specified. GIDs 0-99 are reserved for
allocation by the Solaris Operating System.
-K key[+|-]=value
A key=value pair to add to the user's attributes. Multiple -K
options may be used to add multiple key=value pairs. The generic -K
option with the appropriate key may be used instead of the specific
implied key options (-A, -P, -R, -p). See user_attr(5) for a list
of valid key=value pairs. The "type" key is not a valid key for
this option. Keys may not be repeated.
-k skel_dir
A directory that contains skeleton information (such as .profile)
that can be copied into a new user's home directory. This directory
must already exist. The system provides the /etc/skel directory
that can be used for this purpose.
-m
Create the new user's home directory if it does not already exist.
If the directory already exists, it must have read, write, and exe‐
cute permissions by group, where group is the user's primary group.
If the server name specified to the -d option is a remote host then
the system will not attempt to create the home directory.
When the -z option is not passed and if the directory does not
already exist and the parent directory is the mount point of a ZFS
dataset, then a child of that dataset will be created and mounted
at the specified location. The user is delegated permissions to
create ZFS snapshots and promote them. The newly created dataset
will inherit the encryption setting from its parent. If it is
encrypted, the user is granted permission to change its wrapping
key.
The newly created directory is created as multilevel dataset.
-l new_loginname
The new login name for a user or role. Only valid with usermod and
rolemod.
-o
This option allows a UID to be duplicated (non-unique).
-P [+|-]profile
One or more comma-separated execution profiles defined in
prof_attr(5).
-p projname
Name of the project with which the added user is associated. See
the projname field as defined in project(5).
-q qualifier
The name of a host or netgroup which qualifies where the extended
attributes (specified through the -K, -P, -A, and -R options) are
applicable. The prefix @ is required to indicate that the qualifier
is a netgroup name. The -q option is only valid if the login
account is maintained in the LDAP name service.
-R [+|-]role
One or more comma-separated execution profiles defined in
user_attr(5). Roles cannot be assigned to other roles.
-s shell
Full pathname of the program used as the user's shell on login. If
unspecified, it will default to any value previously configured
with the -D -s option. If no default has been set with -D -s,
then /usr/bin/bash will be used. The value of shell must be a valid
executable file.
-z zfshome
Select if a new separate ZFS filesystem is created as the user/role
home directory. The option can be set as the system wide default or
set per user/role.
yes
User has their own ZFS filesystem with the mount, create, and
snapshot zfs allow delegations
nodelegation
User has their own ZFS filesystem but with no delegations
no
Users home is a simple directory
-S repository
The repository specifies which name service will be updated. The
valid repositories are files and ldap. The default repository is
files. When the repository is files, the authorizations, profiles,
and roles can be present in other name service repositories and can
be assigned to a user in the files repository. When the repository
is ldap, all the assignable attributes must be present in the ldap
repository, and both the LDAP server and client must be configured
with enableShadowUpdate. See ldapclient(8) for details.
-u uid
The UID of the new user. This UID must be a non-negative decimal
integer below MAXUID as defined in <sys/param.h>. The UID defaults
to the next available (unique) number above the highest number cur‐
rently assigned. For example, if UIDs 100, 105, and 200 are
assigned, the next default UID number will be 201. UIDs 0-99 are
reserved for allocation by the Solaris Operating System.
EXAMPLES
Example 1 Creating a User
The following command adds adds the user with the default configuration
# useradd jdoe
This results in the system assigning the next available uid, the user
will not have a home directory created for them.
Example 2 Creating a User with a specified uid and create a local home
directory
The following command adds adds the user and creates their home direc‐
tory in the default location
# useradd -u 1001 -m jdoe
Example 3 Creating a User with a local home directory that is not a ZFS
filesystem
The following command adds adds the user and creates their home direc‐
tory in the default location
# useradd -z no -m jdoe
This results in new user with a directory in the default location as
their home directory.
Example 4 Set the system default for the type of home directory
The following command sets the system wide default to be a directory
rather than a per-user ZFS file system as the default home directory
type.
# useradd -D -z no
Example 5 Assigning Privileges to a User
The following command adds the privilege that affects high resolution
times to a user's initial, inheritable set of privileges.
# usermod -K defaultpriv=basic,proc_clock_highres jdoe
This command results in the following entry in user_attr:
jdoe::::type=normal;defaultpriv=basic,proc_clock_highres
Example 6 Removing a Privilege from a User's Limit Set
The following command removes the privilege that allows the specified
user to create hard links to directories and to unlink directories.
# usermod -K limitpriv=all,!sys_linkdir jdoe
This command results in the following entry in user_attr:
jdoe::::type=normal;defaultpriv=basic,limitpriv=all,!sys_linkdir
Example 7 Removing a Privilege from a User's Basic Set
The following command removes the privilege that allows the specified
user to examine processes outside the user's session.
# usermod -K defaultpriv=basic,!proc_session jdoe
This command results in the following entry in user_attr:
jdoe::::type=normal;defaultpriv=basic,!proc_session;limitpriv=all
Example 8 Assigning a Role to a User
The following command assigns a role to a user. The role must have been
created prior to running this command.
# usermod -R mailadm jdoe
This command results in the following entry in user_attr:
jdoe::::type=normal;roles=mailadm;defaultpriv=basic;limitpriv=all
Example 9 Granting Several Rights to a User
The following command grants the solaris.zone.manage authorization,
Project Management rights profile, sets limit privilege to basic and
assigns the mailadm role to the user.
# usermod -A 'solaris.zone.manage' -P 'Project Management' \
-K limitpriv=basic -R mailadm -S files jdoe_ldap
This command results in the following entry in user_attr:
jdoe_ldap::::auths=solaris.zone.manage;profiles=ProjectManagement;
limitpriv=basic;roles=mailadm
Example 10 Granting an Authenticated Rights Profile to a User
The following command adds an authenticated rights profile to a trusted
user.
# usermod -K auth_profiles+="Network Security" jdoe
Example 11 Removing All Profiles from a User
The following command removes all profiles that were granted to a user
directly. The user will still have any rights profiles that are granted
by means of the PROFS_GRANTED key in policy.conf(5).
# usermod -P "" jdoe
Example 12 Set the root account to be a role
Set the root account to be a role and assign the role to a user.
# usermod -K type=role root
# usermod -R +root jdoe
This will change the root account to be a role and add the root role to
any existing role assignments for the user jdoe.
Example 13 Set the root account to be a direct login account
Change the root account from being a role to a direct login account.
# rolemod -K type=normal root
This will change the root account to no longer be a role, so direct
login to it on the console will be allowed.
Example 14 Deleting a User
Delete the user and remove their home directory.
# userdel -r jdoe
This will remove the user entry from the passwd, shadow, group and
user_attr databases, and will delete the users home directory and all
of its content.
EXIT STATUS
In case of an error, these commands print an error message and exit
with one of the following values:
1 No permission for attempted operation.
2 The command syntax was invalid. A usage message for the usermod
command is displayed.
3 An invalid argument was provided to an option.
4 The gid or uid given with the -u option is already in use.
5 The password and shadow files are not consistent with each other.
pwconv(8) might be of use to correct possible errors. See
passwd(5) and shadow(5).
6 The login to be modified does not exist, the gid or the uid does
not exist.
7 The group, passwd, or shadow file is missing.
9 A group or user name is already in use.
10 Cannot update the passwd, shadow, or user_attr file.
11 Insufficient space to move the home directory (-m option).
12 Unable to create, remove, or move the new home directory.
13 Requested login is already in use.
14 Unexpected failure.
16 Unable to update the group database.
17 Unable to update the project database.
18 Insufficient authorization.
19 Does not have role.
20 Does not have profile.
21 Does not have privilege.
22 Does not have label.
23 Does not have group.
24 System not running Trusted Extensions.
25 Does not have project.
26 Unable to update auto_home.
FILES
/etc/datemsk
/etc/passwd
/etc/shadow
/etc/group
/etc/skel
/usr/include/limits.h
/etc/user_attr
ATTRIBUTES
See attributes(7) for descriptions of the following attributes:
tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) ATTRIBUTE TYPEAT‐
TRIBUTE VALUE _ Availabilitysystem/core-os _ Interface StabilityCommit‐
ted
SEE ALSO
auths(1), passwd(1), profiles(1), roles(1), getdate(3C), auth_attr(5),
group(5), passwd(5), prof_attr(5), project(5), shadow(5), user_attr(5),
attributes(7), labels(7), rbac(7), groupadd(8), groupdel(8), group‐
mod(8), grpck(8), logins(8), pwck(8), pwconv(8), roledel(8), userdel(8)
Managing User Accounts and User Environments in Oracle Solaris 11.4
Working With Oracle Solaris 11.4 Directory and Naming Services: LDAP
DIAGNOSTICS
In case of an error, useradd displays an error message and exits with a
non-zero status. If the error occurred because LDAP is misconfigured,
the error message is preceded by "LDAP configuration problem".
The following indicates that login specified is already in use:
UX: useradd: ERROR: login is already in use. Choose another.
The following indicates that the uid specified with the -u option is
not unique:
UX: useradd: ERROR: uid uid is already in use. Choose another.
The following indicates that the group specified with the -g option has
not yet been created:
UX: useradd: ERROR: group group does not exist. Choose another.
The following indicates that the uid specified with the -u option is in
the range of reserved UIDs (from 0-99):
UX: useradd: WARNING: uid uid is reserved.
The following indicates that the uid specified with the -u option
exceeds MAXUID as defined in <sys/param.h>:
UX: useradd: ERROR: uid uid is too big. Choose another.
The following indicates that the /etc/passwd or /etc/shadow files do
not exist:
UX: useradd: ERROR: Cannot update system files - login cannot be created.
The following indicates that the user executing the command does not
have sufficient authorization to perform the operation:
UX: useradd: ERROR: Permission denied.
The following indicates that an invalid directory was specified in a
useradd command:
UX: invalid_directory is not a valid directory. Choose another.
NOTES
These utilities add or modify definitions in the passwd, shadow, group,
project, and user_attr databases in the scope (default or specified).
They will verify the uniqueness of the user name (or role) and user id
and the existence of any group names specified against the external
name service.
Oracle Solaris 11.4 21 Jun 2021 useradd(8)