The Linux useradd command is one of the most elementary things you need to master to become a Linux and UNIX system administrator.
In this guide, I will walk you step by step through how to use the useradd command in Linux, how useradd works, and which files and directories are involved in the user creation process.
The useradd command is typically used by system administrators to add new user accounts to a Linux or Unix system. The process includes assigning usernames, passwords, and account information to the new user.
Think of the useradd command as similar to what an HR manager does when a new employee is hired. Specifically, she or he makes sure the new staff member has their name and all the relevant information registered in the company’s database so that in the future they can have proper access to the company’s resources.
In the same way, you as a system administrator use the Linux useradd command to add new users to a system. The useradd command has a dedicated syntax and a set of options [flags] that can be used to define how a user is created. Let’s discuss that first.
Linux useradd command
The Linux useradd utility can be used only with root privileges to create new users and typically has the following syntax on a Linux system:
useradd [options] USERNAME
[options] = a set of arguments available for the useradd command
USERNAME = the actual user name assigned to the account.
The useradd command provides a number of options to specify how a new user is created. The following table provides a summary of all options [flags and arguments] available for useradd as well as the explanation for each.
|--badnames||Instruct useradd to not check for bad names|
|-b||--base-dir BASE_DIR||Specify the base directory for the home directory of the new account|
|--btrfs-subvolume-home||Instruct useradd to use BTRFS subvolume [if available] for home directory|
|-c||--comment COMMENT||Specify the GECOS field [a field of each record in the /etc/passwd file] of the new account|
|-d||--home-dir HOME_DIR||Specify the home directory of the new account|
|-D||--defaults||Change or print the default useradd configuration for the login user|
|-e||--expiredate EXPIRE_DATE||Set the expiration date of the new account|
|-f||--inactive INACTIVE||Set the password inactivity period of the new account|
|-g||--gid GROUP||Specify the ID or the name of the primary group of the new account|
|-G||--groups GROUPS||Specify the additional groups the new account should be part of|
|-h||--help||Show the Linux useradd help page|
|-k||--skel SKEL_DIR||Instructs useradd to use a specified skeleton directory|
|-K||--key KEY=VALUE||Instructs useradd to override /etc/login.defs default configuration|
|-l||--no-log-init||Instructs useradd not to add the new account to the faillog and lastlog databases|
|-m||--create-home||Instructs useradd to create the home directory for the specified user|
|-M||--no-create-home||Instructs useradd to not create the home directory for the specified user|
|-N||--no-user-group||Instructs useradd to not create a new group with the same name as the user|
|-o||--non-unique||Allows useradd to create users with non-unique [duplicate] UID|
|-p||--password PASSWORD||Specify the password for the specified account|
|-r||--system||Instruct useradd to create a system account|
|-R||--root CHROOT_DIR||Specify the chroot directory for the specified account|
|-P||--prefix PREFIX_DIR||Specify the prefix directory, that is, the location of the /etc/* files|
|-s||--shell SHELL||Specify the login shell for the new user|
|-u||--uid UID||Specify the user ID for the new user|
|-U||--user-group||Instructs useradd to create a group with the same name as the user|
|-z||--selinux-user SEUSER||Instructs useradd to use a specified SEUSER for the SELinux user mapping.|
NOTE: use either the flag or the argument in the useradd command, not both.
Before we move to understand what really happens in our system when we create a user with the Linux useradd command let’s have a look at a few practical examples.
Linux useradd Examples
The examples below use “john” as the name for the new user. Feel free to replace “john” with any name you like. Don’t worry, once you finish practicing the examples below, I will show you how to completely remove “john” from your system.
1. Create a new user without any home directory
sudo useradd -M john
This command will create the user “john” without giving it any home folder.
2. Create a new user and give it a home directory in /home folder
sudo useradd -m john
This will create the user “john,” create its home folder at /home/john, and copy the files from /etc/skel directory into john’s home folder.
3. Create a new user and give it a custom home directory
sudo useradd -m -d /opt/john john
This command will create the user “john,” create its home folder at /opt/john, and populate it with the files from /etc/skel directory.
4. Create a new user with a custom user ID (UID).
sudo useradd -u 2222 john
This command will create the user “john” and give it the user ID “2222.” To check if the custom ID was allocated to your new user, use the id -u command in the terminal as follows:
id -u john
5. Create a new user with a custom group ID (GID)
sudo useradd -g 2222 john
This command will create the user “john” with the group ID “2222.” To check the new user’s group, use the id -gn command, in the same way as in the previous example.
id -gn john
6. Create a new user with a short description or comment.
sudo useradd -c "This account belongs to John Smith" john
This command will create the “john” user and add a custom comment to it. To view the description for “john” use the following command:
sudo cat /etc/passwd | grep john
7. Create a user account with a specific expiry date
sudo useradd -e 2022-01-01 john
This command will create the user “john” account with an expiration date of 1st of January 2022. To view the expiration date for “john” account use the following command:
sudo chage -l john
8. Create a system user
sudo useradd -r john
This command will create the system user “john.” Take note that system users have no expiry date specified in /etc/shadow and the numeric IDs associated with system users are picked from a range specified in the /etc/login.defs file.
9. Set a password to a new user.
sudo passwd john
This command will prompt you to assign a password to the “john” user. You should have already created the user “john” using any of the steps above before running the passwd command.
10. Completely remove a user from the system.
sudo userdel -Z -r -f john
-Z remove SELinux user mapping.
-r remove user account and its home directory and mail spool.
-f force remove any user files.
The above command will forcefully delete the user “john” and all its associated files, directories, and mail spool from the system.
Now that we went through some of the most common Linux useradd command applications, let’s have a look at what really happens in the system every time we create or modify a user.
User Configuration Files in Linux
A number of configuration files and directories are involved in the user creation process in Linux. Here is a representation of the process flow and files with their respective paths involved.
You may have noticed that the /etc/skel and /home/userid directories are marked in red in the above diagram. This is because they may or may not be involved in the process of creating a new user depending on the user configuration. It is also important to note that depending on how your Linux distribution handles the user creation process, these directories may have different names or simply not exist.
The /etc/login.defs file
The /etc/login.defs configuration file contains directives for use in various shadow password suite commands and is usually created on most Linux distributions. The shadow password suite is a term associated with commands designed to handle account credentials [e.g., useradd, userdel, and passwd].
For instance, it can define how long the password should be, what type of characters it should include, or how long until the password expires.
The /etc/login.defs contains a lot of commented lines containing instructions for each parameter. Here is how the /etc/login.defs file for my normal user looks after removing all the comments using the grep command below.
grep -v '^$' /etc/login.defs | grep -v '^#'
In the table below, I included some of the most important directives in the /etc/login.defs file from a Linux administrator perspective.
|UID||User Identification number associated with a user account in Linux.|
|UID_MIN and UID_MAX||Indicates the lowest and highest UID allowed for user accounts. The UID_MIN can vary, being 500 on some Linux systems and 1000 on others.|
|SYS_UID_MIN and SYS_UID_MAX||Indicates the lowest and highest SYS_UID allowed for system accounts. The system accounts are in charge of running daemons (services) or performing system-related tasks.|
|PASS_MIN_LEN||Sets the minimum number of characters for the user password|
|PASS_MAX_DAYS||Sets the password expiration period [number of days] until a user is asked to change their password.|
|PASS_MIN_DAYS||Sets a limit [in days] between two password change events.|
|PASS_WARN_AGE||Sets the number of days for the password change user warning prior to the password expiration.|
|ENCRYPT_METHOD||Sets the method used by the system to encrypt [hash] account passwords.|
|CREATE_HOME||Allows for user account home directory to be created. The default setting is no.|
You can edit the /etc/login.defs file with vi or any other editor of your choice as a root user:
sudo vi /etc/login.defs
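The directives in the table above can be checked against a baseline automatically. The following is an added example, not part of the original guide; the function name audit_login_defs and the baseline values (365, 1 and 7 days, and a SHA-2, bcrypt or yescrypt hash) are assumptions for illustration and should be replaced with your own policy:

```sh
#!/bin/sh
# Added example: compare password-policy directives in a login.defs-style
# file (read on stdin) with a baseline. Baseline values are assumptions.
audit_login_defs() {
    awk '
        /^[ \t]*(#|$)/ { next }            # skip comments and blank lines
        { val[$1] = $2 }                   # directive name -> value
        END {
            if (!("PASS_MAX_DAYS" in val) || val["PASS_MAX_DAYS"] + 0 > 365)
                print "PASS_MAX_DAYS: above baseline of 365 days"
            if (val["PASS_MIN_DAYS"] + 0 < 1)
                print "PASS_MIN_DAYS: below baseline of 1 day"
            if (val["PASS_WARN_AGE"] + 0 < 7)
                print "PASS_WARN_AGE: below baseline of 7 days"
            m = toupper(val["ENCRYPT_METHOD"])
            if (m != "SHA512" && m != "SHA256" && m != "YESCRYPT" && m != "BCRYPT")
                print "ENCRYPT_METHOD: " (m == "" ? "unset" : m) " is not a modern hash"
        }'
}

# Constructed sample with permissive values.
sample_permissive() {
    cat <<'EOF'
# comment lines are ignored
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7
ENCRYPT_METHOD  MD5
EOF
}

# Constructed sample that meets the baseline.
sample_baseline() {
    cat <<'EOF'
PASS_MAX_DAYS   90
PASS_MIN_DAYS   1
PASS_WARN_AGE   14
ENCRYPT_METHOD  SHA512
EOF
}

echo "permissive sample:"; sample_permissive | audit_login_defs
echo "baseline sample:";   sample_baseline | audit_login_defs
```

To check a live system, redirect /etc/login.defs into audit_login_defs in place of the sample functions.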
The /etc/default/useradd File
The /etc/default/useradd configuration file is typically shorter than the previous one and contains additional directives for the user account creation process. The /etc/default/useradd file can be viewed using the cat or useradd -D commands and usually looks like this:
The table below comprises some of the most important directives in the /etc/default/useradd file:
|HOME||The base directory location for user account directories|
|INACTIVE||Defines the number of days until the account will be deactivated if the password is not changed once expired.|
|SKEL||Defines the skeleton directory|
|SHELL||The default shell application for the user account is typically set to /bin/bash or /bin/sh depending on the Linux distribution. All the processes related to your terminal are run in this shell.|
The /etc/skel/ Directory
The “skel” name stands for “skeleton” and is also referred to as the “hold files.” This directory contains all the files that will be copied into the home directory of every new user created on the system.
On Fedora Workstation, here is what the /etc/skel directory looks like. Take note that all the files contained in this directory are hidden by default. Use the following command to list all the hidden files in this directory:
ls -la /etc/skel
So far we covered the main files involved in the user creation process. Let’s now quickly look into the files and directories that are created or modified during this process.
The /etc/passwd File
The main purpose of the /etc/passwd file is to store the information for all accounts in the system. Each line in this file is dedicated to one account. Therefore, when a new account is created in the system, a new line is generated in this file.
Here is what the /etc/passwd file looks like on a Fedora system. Use the following command to view the passwd file on your system:
There are seven fields in total for each account record (line) in this file, and each field is separated by a colon “:”. The following table summarizes and explains each field.
|1||The username associated with the account (e.g., nudesystems or john in the above example).|
|2||The password field where “x” indicates the password is stored in the /etc/shadow file.|
|3||The user identification number (UID) associated with each account (e.g., 1000 and 1001 in the above example).|
|4||The group identification number (GID) associated with each account.|
|5||The comment field traditionally reserved for the user’s full name.|
|6||The home directory of the user.|
|7||The default shell of the user.|
You would think that a file called passwd contains passwords right? Well, as you can see, it doesn’t. The passwords are stored in a different file which is discussed next.
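Because every record has the same seven fields, the file is easy to audit with awk. This added example (not from the original guide) flags extra UID 0 accounts, UIDs shared by several accounts (which useradd -o permits), password fields that are not "x", and system-range UIDs with a login shell; the function name audit_passwd, the default UID_MIN of 1000 and the sample records are assumptions:

```sh
#!/bin/sh
# Added example: audit passwd-format records (seven colon-separated fields)
# read on stdin. $1 = UID_MIN (assumed 1000 if omitted). Prints one finding
# per line and nothing when the input is clean.
audit_passwd() {
    awk -F: -v uid_min="${1:-1000}" '
        NF != 7 { print "line " NR ": expected 7 fields, got " NF; next }
        # Field 3: any UID 0 account has full root privileges.
        $3 == 0 && $1 != "root" { print $1 ": UID 0 account other than root" }
        # Field 2: should be "x" so that the hash is kept in /etc/shadow.
        $2 == "" { print $1 ": empty password field" }
        $2 != "" && $2 != "x" && $2 !~ /^[!*]/ { print $1 ": hash stored in passwd" }
        # Fields 3 and 7: service accounts normally have no login shell.
        $3 > 0 && $3 < uid_min && $7 !~ /(nologin|false)$/ {
            print $1 ": system-range UID with a login shell (" $7 ")"
        }
        # Field 3 again: duplicate UIDs, as created with useradd -o.
        ($3 in owner)  { print $1 ": shares UID " $3 " with " owner[$3] }
        !($3 in owner) { owner[$3] = $1 }
    '
}

# Constructed sample records (not from a real system).
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1001:1001:John Smith:/home/john:/bin/bash
opsadmin:x:0:0::/root:/bin/bash
backup2:x:1001:1001::/home/backup2:/bin/bash
guest::1002:1002::/home/guest:/bin/sh
svcapp:x:998:998::/opt/app:/bin/bash
EOF
}

sample_passwd | audit_passwd
```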
The /etc/shadow File
This file contains the password information for all the users in the system. This file gets modified each time a new user is added to the system, even if no password was allocated to the user yet.
All user passwords are encrypted using the Data Encryption Standard [DES], so you’re out of luck if you hope to see a root password in plain text here.
Here is how the /etc/shadow file looks on my system. For security reasons, I blurred a section of the encrypted root password.
sudo cat /etc/shadow
As in the previous example, each record contains a total of nine fields separated by a “:”. The table below gives a summary and explanation for each field.
|1||The username associated with the account (e.g., root in the above example). This is the only field shared with the /etc/passwd file.|
|2||The hashed account password.|
|3||The date when the password was last changed, displayed in POSIX time format.|
|4||The number of days required between password changes.|
|5||The password expiration date, expressed in days left until a password change is required.|
|6||The number of days for password change warning before the password expiration date.|
|7||The number of days the account gets deactivated if the account password is not renewed after expiration.|
|8||The date for account expiration in POSIX time format.|
|9||The “special flag” field reserved for future use.|
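The nine fields can be audited with a short awk script. This added example (not from the original guide) reports the hashing scheme from the prefix of field 2, together with password age and expiry computed from fields 3, 5 and 8; the function name audit_shadow and the sample records, including the placeholder hash strings, are constructed for illustration:

```sh
#!/bin/sh
# Added example: summarise shadow-format records (nine colon-separated fields)
# read on stdin. $1 = today as days since 1970-01-01 (default: current date).
audit_shadow() {
    today=${1:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        NF != 9 { print "line " NR ": expected 9 fields, got " NF; next }
        {
            h = $2                                  # field 2: hash or lock marker
            if      (h == "")              scheme = "NO PASSWORD"
            else if (h ~ /^[!*]/)          scheme = "locked"
            else if (h ~ /^\$y\$/)         scheme = "yescrypt"
            else if (h ~ /^\$6\$/)         scheme = "sha512crypt"
            else if (h ~ /^\$5\$/)         scheme = "sha256crypt"
            else if (h ~ /^\$2[abxy]?\$/)  scheme = "bcrypt"
            else if (h ~ /^\$1\$/)         scheme = "md5crypt (weak)"
            else if (h !~ /^\$/)           scheme = "DES crypt (weak)"
            else                           scheme = "unknown scheme"
            # Fields 3 and 5: last change (days since epoch) and maximum age.
            age = ($3 == "") ? "unknown" : (today - $3) " days"
            state = "ok"
            if ($3 != "" && $5 != "" && today - $3 > $5) state = "password expired"
            # Field 8: account expiry date, also in days since the epoch.
            if ($8 != "" && today > $8) state = "account expired"
            print $1 ": " scheme ", password age " age ", " state
        }'
}

# Constructed sample records; the hash strings are placeholders, not real hashes.
sample_shadow() {
    cat <<'EOF'
root:$6$CONSTRUCTED$placeholderhash:19700:0:99999:7:::
john:$1$CONSTRUCTED$placeholderhash:19000:0:90:7:::
legacy:CONSTRUCTED13:18000:0:99999:7:::
svcapp:!:19700::::::
guest::19700:0:99999:7:::
temp:$y$CONSTRUCTED$placeholderhash:19790:0:99999:7::19795:
EOF
}

sample_shadow | audit_shadow 19800
```

To run it on a live system, pipe the output of sudo cat /etc/shadow into audit_shadow in place of sample_shadow.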
Lastly, /etc/group is another file that is involved each time a user is created. However, groups and usergroup in Linux are matters that require their own article.
There you go. Everything you need to know about the useradd command in Linux: what happens when a new user is created with useradd, which files are created and modified, where and how the user IDs, group IDs, and passwords are stored, etc.
It is important to know that the useradd command is part of a larger ecosystem of Linux commands (e.g., usermod, usergroup, userdel, etc.).
I hope you found this tutorial useful. If so, take a moment and share it around.