Home > Articles > Operating Systems, Server > Solaris

This chapter is from the book

This chapter is from the book

Sun Certified System Administrator for Solaris 8 Study GuideSun Certified System Administrator for Solaris 8 Study Guide

Learn More Buy

This chapter is from the book

This chapter is from the book

Sun Certified System Administrator for Solaris 8 Study GuideSun Certified System Administrator for Solaris 8 Study Guide

Learn More Buy

5.3 User Administration Shell Commands

In addition to the Admintool GUI program, there are also several shell commands that can be used to administer user and group accounts. The commands are useradd, usermod, groupadd, and groupmod.

These commands let you administer user and group accounts. Let's explore each of these in greater detail.

useradd Command

The useradd command is used to add a user account to the system. The syntax of the useradd command is useradd [options] userid where options is one or more useradd options, and userid is the name of an account to create. With no options specified, useradd will create an account with useradd defaults.

A second form of the command is useradd –D [options]. This form lets you view and, optionally, modify defaults.

The options for useradd are:

  • -A authorization. One or more comma-separated authorizations defined in the /etc/security/auth_attrauth_attr file. Only a user or role who has grant rights to the authorization can assign it to an account.

  • -b base_dir. The default directory for the system if -d dir is not specified. base_dir is concatenated with the userid to define the user's home directory. If the -m option is not used, base_dir must exist. For example, base_dir would typically be something like /export/home. If the account jeffg were being created, then the user's home directory would be /export/home/jeffg.

  • -c comment. This is generally a short description of the user account, and is currently used as the field for the user's full name. This information is stored in the user's /etc/passwd comment (name) field.

  • -d dir. The home directory. The default is base_dir/account_name, where base_dir is the directory for new login home directories, and account_name is the new login name.

  • -D. Display the default values for group, base_dir, skel_dir, shell, inactive, and expire. When used with the -g, -b, -f, -e, -A, -P, or -R options, the -D option sets the default values for the specified fields. When used with no other options, the –D option displays all current defaults. The defaults are:

    • group=other (GID of 1)

    base_dir=/home

    skel_dir=/etc/skel

    shell=/bin/sh

    inactive=0

    expire=Null

    auths=Null

    profiles=Null

    roles=Null

  • -e expire. Set the expiration date for the userid. The user cannot log in after this date. The expire option argument is a date entered using one of the date formats included in the template file /etc/datemsk. Permissible formats include "10/5/2001" and "October 5, 2001" (dates including spaces must be quoted). A null value ("") defeats the status of the expired date. The -e option is useful for creating temporary logins.

  • -f inactive. The maximum number of days allowed between uses of a login ID before that ID is declared invalid. Normal values are positive integers. A value of 0 defeats the status.

  • -g group. An existing group's integer ID or character-string name. Without the -D option, it defines the new user's primary group membership and defaults to the default group. You can reset this default value by invoking useradd -D -g group.

  • -G group. An existing group's numeric or character-string name. It defines the new user's supplementary group membership. Duplicates between group with the -g and -G options are ignored. No more than NGROUPS_MAX (a value defined in /usr/include/limits.h, usually 16) groups can be specified. Multiple group names or numbers are separated by commas.

  • -k skel_dir. A directory that contains skeleton information (such as .profile) that can be copied into a new user's home directory. This directory must already exist. The system provides the /etc/skel directory that can be used for this purpose. Files such as .profile that are found in skel_dir will be copied into the user's home directory when the account is created.

  • -m. Create the new user's home directory if it does not already exist. If the directory already exists, it must have read, write, and execute permissions by group, where group is the user's primary group.

  • -o. This option allows a UID to be duplicated (nonunique). This will create an additional account with the same numeric UID as one that already exists. Normally, an error message will be generated advising that the new account cannot be created because of the duplicate.

  • -P profile. One or more comma-separated execution profiles defined in the /etc/security/prof_attr profiles configuration file.

  • -R role. One or more comma-separated execution profiles defined in the /etc/user_attr profiles configuration file. Roles cannot be assigned to other roles.

  • -s shell. Full pathname of the program used as the user's shell. Its default is an empty field, causing the system to use /bin/sh. The value of shell must be a valid executable file. Setting the shell to /bin/echo will effectively prohibit the user from being able to log in to the account.

  • -u uid. The numeric UID of the new user. This UID must be a non-negative decimal integer below MAXUID as defined in <sys/param.h>. The UID defaults to the next available (unique) number above the highest number currently assigned. For example, if UID's 100, 105, and 200 are assigned, the next default UID number will be 201. (UIDs from 0–99 are reserved for possible use in future applications.)

Some examples of useradd are shown here.

# useradd -D
group=other,1  basedir=/home  skel=/etc/skel
shell=/bin/sh  inactive=0  expire=  auths=
profiles=  roles=
#
# useradd –D –b /d1/export/home
#
# useradd jeffg
#
# useradd –s /bin/csh –u 14002 –c "Paul Graham" paulg
#

In the first example, useradd –D is used to display defaults. In the second example, the default home directory base directory has been changed to /d1/export/home. In the third example, username jeffg has been created with all defaults. In the fourth example, the username paulg has been created; this user has the nondefault shell /bin/sh, will be assigned UID 14002 (unless it exists already), and the string "Paul Graham" will appear in the account's comment field in /etc/passwd.

Exam Notes

Think About It . . .

You import many files onto your system (perhaps from another system's backup tape); these files are owned by a nonexistent user, and you decide that it is easier to create a new userid associated with the files than to change the ownership of the files. How would this be done?

This is solved by creating a userid with a specific UID. For example,

# useradd engrtools –u 10082 –c "Engineering Tools"
#

Exam Notes

Think About It . . .

Your site adds its user accounts with useradd as part of a larger automated process. Different classes of users require different environments and, consequently, different initialization files (i.e., .profile, .login, etc.). How could you handle this easily with useradd?

You could create different "skeleton" directories, similar to the default /etc/skel. Each of these skeleton directories would contain .profile, .login., .cshrc (and others as applicable) files, each tailored for the specific class of user. Then, the -k option in useradd would be chosen as appropriate for each user added.

usermod Command

The usermod command is used to modify the account settings for existing userids on the system. The syntax of the usermod command is usermod [options] userid, where options is one or more usermod options, and userid is the name of an account to modify.

The options for usermod are:

  • -A authorization. One or more comma-separated authorizations as defined in the /etc/security/auth_attr file. Only a user or role who has grant rights to the authorization can assign it to an account. This replaces any existing authorization setting.

  • -c comment. Specifies a comment string. comment can be any text string, generally a short description of the login, and is currently used as the field for the user's full name. This information is stored in the user's /etc/passwd entry.

  • -d dir. The new home directory of the user. It defaults to base_dir/login, where base_dir is the base directory for new login home directories, and login is the account name.

  • -e expire. Specifies the expiration date for a login. After this date, no user will be able to access this login. The expire option argument is a date entered using one of the date formats included in the template file /etc/datemsk. Permissible formats include "10/5/2001" and "October 5, 2001" (dates including spaces must be quoted). A null value ("") defeats the status of the expired date. The -e option is useful for creating temporary logins.

  • -f inactive. Specifies the maximum number of days allowed between uses of a login ID before that login ID is declared invalid. Normal values are positive integers. A value of 0 defeats the status.

  • -g group. Assigns an existing group's numeric or character name. It redefines the user's primary group membership.

  • -G grouplist. Specifies an existing group's integer number or character string name. This redefines the user's supplementary group membership. Duplicates between group with the -g and -G options are ignored. No more than NGROUPS_UMAX groups may be specified as defined in /usr/include/param.h. Multiple group names or numbers are separated by commas.

  • -l new_logname. Specifies the new login name for the user. The new_logname argument must be a string no more than eight characters consisting of characters from the set of alphabetic characters, numeric characters, period (.), underline (_), and hyphen (-). The first character should be alphabetic and the field should contain at least one lowercase alphabetic character. A warning message will be written if these rules are not met. The new_logname argument must contain at least one character and must not contain a colon (:) or newline (\n).

  • -m. Moves the user's home directory to the new directory specified with the -d option. If the directory already exists, it must have permission to read/write/execute by group, where group is the user's primary group.

  • -o. This option allows a UID to be duplicated (nonunique). This will create an additional account with the same numeric UID as one that already exists. Normally, an error message will be generated advising that the account cannot be accessed because of the duplicate.

  • -P profile. One or more comma-separated execution profiles defined in /etc/security/auth_attr. This replaces any existing profile setting.

  • -R role. One or more comma-separated execution profiles de-fined in the /etc/user_attr profiles configuration file. Roles cannot be assigned to other roles.

  • -s shell. Full pathname of the program used as the user's shell. It defaults to an empty field causing the system to use /bin/sh as the default. The value of shell must be a valid executable file.

  • -u uid. Specifies a new UID for the user. It must be a non-negative decimal integer less than MAXUID as defined in /usr/include/param.h. The UID associated with the user's home directory is not modified with this option; a user may not have access to his or her home directory until the UID is manually reassigned using the chown command.

Some examples of usermod are shown here.

# usermod –s /bin/tcsh hamidf
#
# usermod –l shammer sgilbery
#
# usermod –G admins,backups jeffg
#

In the first example, the shell for userid hamidf is changed to /bin/tcsh. In the second example, the userid is changed from sgilbery to shammer. In the last example, the user jeffg is added to the secondary groups admins and backups.

Exam Notes

Think About It . . .

What command would you use to change a user's home directory? Would any follow-up tasks be necessary?

Use the usermod -m command to change a user's home directory. You will also have to move the contents of the user's home directory to the new location and check to make sure that the permissions of the new home directory are correct.

Exam Notes

Think About It . . .

A group of people shares the same UID and account (they have different passwords since their usernames are different), and they work on files in the same home directory. One person in the group is given an additional role of occasionally working on confidential materials that the others in the group are not allowed to access. What change could be made to allow this person to continue working on the pool of files, but at the same time prevent others in the group from viewing the confidential files?

One way to solve this is to change the one person's UID to a new number, and change his or her groupid, but then to add those IDs to the group shared by the others. The command is:

# usermod –u 102 –g conf –G pool pbrown
#

In this example, the user's name is pbrown. Pbrown is given a new UID (102), a new group name (conf), and is added as a secondary member to the group pool.

userdel Command

The userdel command is used to remove a userid from the system. The syntax for userdel is userdel [-r] userid, where userid is the name of an account to be removed. The –r option, if specified, will remove the user's home directory from the system.

groupadd Command

The groupadd command is used to add groups to the system. The syntax for the groupadd command is groupadd [options] groupid, where options is one or more groupadd options, and groupid is the name of a group to add.

The options for groupadd are:

  • -g gid. Assigns the group number for the new group. This groupid must be a non-negative decimal integer below MAXUID as defined in /usr/include/sys/param.h. The groupid defaults to the next available (unique) number above the highest number currently assigned. For example, if groups 100, 105, and 200 are assigned as groups, the next default group number will be 201. Groupids from 0–99 are reserved by Solaris for future applications.

  • -o. Permits duplicate group number.

Some examples of groupadd are:

# groupadd admins
#
# groupadd –g 300 backupadmins
#

In the first example, the group admins is created. In the second example, the group backupadmins is created as group number 300.

Exam Notes

Think About It . . .

After a disaster, you recover files from tape. Many files, however, are recovered with their old groupids. People cannot access these files because the groupid's have changed. You decide that it is easier to create a new group corresponding to the groupid on the recovered files than it would be to change the groupid of all of the recovered files. How would this be done?

Create a new group with groupadd, specifying the desired groupid. Then, add the required users to the new group with usermod -G. For example:

# groupadd –g 108 dbadmins
# usermod –G dbadmins paul
# usermod –G dbadmins mbowman
# usermod –G dbadmins sghani
#

groupmod Command

The groupmod command is used to modify existing groups. The syntax for groupmod is groupmod [options] groupid, where options is one or more groupmod options, and groupid is the name of a group to modify.

The options for groupmod are:

  • -ggid. Specify the new numeric groupid for the group. This groupid must be a non-negative decimal integer less than MAXUID, as defined in /usr/include/sys/param.h.

  • -o. Allow the GID to be duplicated (nonunique).

  • -nname. Specify the new name for the group. The name argument is a string of no more than eight bytes consisting of characters from the set of lowercase alphabetic characters and numeric characters. A warning message will be written if these rules are not met. The name argument must contain at least one character and must not include a colon (:) or newline (\n).

Some groupmod examples are shown here.

# groupmod –nsysadmins admins
#
# groupmod –g201 admins
#

In the first example, the group admins is renamed to sysadmins. In the second example, the group number for the group admins is changed to 201.

Exam Notes

Think About It . . .

You have upgraded an application that now expects its primary groupid to be a different value. The impact of changing the groupids on all of the associated files would be too great; instead, you want to change the number of the existing group. How would you do this?

Use the groupmod –g command to change the group number of an existing group. For example:

# groupmod –g420 finance
#

groupdel  Command

The groupdel command is used to remove a group from the system. The syntax for groupdel is groupdel group, where group is the existing group name to be deleted. An example is shown here.

# groupdel admins
#

In this example, the group admins is removed from the system.

Exam Notes

Think About It . . .

What are some of the advantages of using the user and group commands rather than Admintool?

You have more control with the user and group commands than with Admintool. Further, the user and group commands can be made part of shell scripts or custom programs, which can help to automate the process of adding, changing, and removing users. Also, repetitive changes can be put into a script (e.g., if the path to everyone's home directory has changed, then it would be easy to write a shell script to modify everyone's account very quickly; this would be very time consuming using Admintool).

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020