Ubuntu Manpage: adduser, addgroup - add or manipulate users or groups

NAME

       adduser, addgroup - add or manipulate users or groups

SYNOPSIS

       adduser [--add-extra-groups] [--allow-all-names] [--allow-bad-names] [--comment comment] [--conf file]
               [--debug] [--disabled-login] [--disabled-password] [--encrypt-home] [--firstgid id]
               [--firstuid id] [--gid id] [--home dir] [--ingroup group] [--lastgid id] [--lastuid id]
               [--no-create-home] [--shell shell] [--quiet] [--uid id] [--verbose] [--stdoutmsglevel prio]
               [--stderrmsglevel prio] [--logmsglevel prio] user

       adduser --system [--comment comment] [--conf file] [--debug] [--gid id] [--group] [--home dir]
               [--ingroup group] [--no-create-home] [--shell shell] [--uid id] [--quiet] [--verbose]
               [--stdoutmsglevel prio] [--stderrmsglevel prio] [--logmsglevel prio] user

       adduser --group [--conf file] [--debug] [--firstgid id] [--gid ID] [--lastgid id] [--quiet] [--verbose]
               [--stdoutmsglevel prio] [--stderrmsglevel prio] [--logmsglevel prio] group

       addgroup [--conf file] [--debug] [--firstgid id] [--gid ID] [--lastgid id] [--quiet] [--verbose]
                [--stdoutmsglevel prio] [--stderrmsglevel prio] [--logmsglevel prio] group

       addgroup --system [--gid id] [--conf file] [--quiet] [--verbose] [--stdoutmsglevel prio]
                [--stderrmsglevel prio] [--logmsglevel prio] group

       adduser [--conf file] [--debug] [--quiet] [--verbose] [--stdoutmsglevel prio] [--stderrmsglevel prio]
               [--logmsglevel prio] user group

       adduser --help

       adduser --version

DESCRIPTION

adduser and addgroup add users and groups to the system according to command line options and
configuration information in /etc/adduser.conf. They are more Debian specific front ends to the useradd,
groupadd and usermod programs, which are more distribution agnostic. adduser and addgroup by default
choose Debian policy conformant UID and GID values, create a home directory with skeletal configuration,
run a custom script, and have other features.

adduser and addgroup are intended as a policy layer, making it easier for package maintainers and local
administrators to create local system accounts in the way Debian expects them to be created, taking the
burden to adapt to the probably changing specifications of Debian policy. adduser --system takes special
attention on just needing a single call in the package maintainer scripts without any conditional
wrappers, error suppression or other scaffolding.

adduser honors the distinction between dynamically allocated system users and groups and dynamically
allocated user accounts that is documented in Debian Policy, Chapter 9.2.2.

For a full list and explanations of all options, see the OPTIONS section.

adduser and addgroup can be run in one of five modes:

Add a regular (non-system) user
If called with one non-option argument and without the --system or --group options, adduser will add a
regular user, that means a dynamically allocated user account in the sense of Debian Policy. This is
commonly referred to in adduser as a non-system user.

adduser will choose the first available UID from the range specified by FIRST_UID and LAST_UID in the
configuration file. The range may be overridden with the --firstuid and --lastuid options. Finally, the
UID can be set fully manually with the --uid option.

By default, each user is given a corresponding group with the same name. This is commonly called
Usergroups and allows group writable directories to be easily maintained by placing the appropriate users
in the new group, setting the set-group-ID bit in the directory, and ensuring that all users use a umask
of 002.

For a usergroup, adduser will choose the first available GID from the range specified by FIRST_GID and
LAST_GID in the configuration file. The range may be overridden with the --firstgid and --lastgid
options. Finally, the GID can be set fully manually with the --gid option.

The interaction between USERS_GID, USERS_GROUP, and USERGROUPS is explained in detail in adduser.conf(5).

The new user's primary group can also be overridden from the command line with the --gid or --ingroup
options to set the group by id or name, respectively. Also, users can be added to one or more
supplemental groups defined as EXTRA_GROUPS either by setting ADD_EXTRA_GROUPS to 1 in the configuration
file, or by passing --add-extra-groups on the command line.

adduser will copy files from /etc/skel into the home directory and prompt for the comment field and a
password if those functions have not been turned off / overridden from the command line.

UID, comment, home directory and shell might be pre-determined with the UID_POOL and GID_POOL option,
documented in adduser.conf(5).

To set up an encrypted home directory for the new user, add the --encrypt-home option. For more
information, refer to the -b option of ecryptfs-setup-private(1).

Add a system user
If called with one non-option argument and the --system option, adduser will add a dynamically allocated
system user, often abbreviated as system user in the context of the adduser package.

adduser will choose the first available UID from the range specified by FIRST_SYSTEM_UID and
LAST_SYSTEM_UID in the configuration file. This can be overridden with the --uid option.

By default, system users are assigned nogroup as primary group. To assign an already existing group as
primary group, use the --gid or --ingroup options. If the --group option is given and the identically
named group does not already exist, it is created with the same ID.

If no home directory is specified, the default home directory for a new system user is /nonexistent.
This directory should never exist on any Debian system, and adduser will never create it automatically.

If a home directory is specified with the --home option, and the directory does already exist (for
example, if the package ships with files in that directory), adduser silently does not set the owner of
the directory to the newly created user. Setting the owner might override a decision of the local admin,
and reporting the fact would break adduser's silence during package installation. If you use adduser
--home in your package's maintainer scripts, you might want to issue an explicit recursive chown for the
home directory after the call to adduser.

Unless a shell is explicitly set with the --shell option, the new system user will have the shell set to
/usr/sbin/nologin. adduser --system does not set a password for the new account. Skeletal configuration
files are not copied.

Other options will behave as for the creation of a regular user. The files referenced by UID_POOL and
GID_POOL are also honored.

Add a group
If adduser is called with the --group option and without the --system option, or addgroup is called
respectively, a user group will be added.

A dynamically allocated system group, often abbreviated as system group in the context of the adduser
package, will be created if adduser --group or addgroup are called with the --system option.

A GID will be chosen from the respective range specified for GIDs in the configuration file (FIRST_GID,
LAST_GID, FIRST_SYSTEM_GID, LAST_SYSTEM_GID). To override that mechanism, you can give the GID using the
--gid option.

For non-system groups, the range specified in the configuration file may be overridden with the
--firstgid and --lastgid options.

The group is created with no members.

Add an existing user to an existing group
If called with two non-option arguments, adduser will add an existing user to an existing group.

OPTIONS

Different modes of adduser allow different options. If no valid modes are listed for a option, it is
accepted in all modes.

Short versions for certain options may exist for historical reasons. They are going to stay supported,
but are removed from the documentation. Users are advised to migrate to the long version of options.

--add-extra-groups
Add new user to extra groups defined in the configuration files' EXTRA_GROUPS setting. The old
spelling --add_extra_groups is deprecated and will be supported in Debian bookworm only. Valid
modes: adduser, adduser --system.

--allow-all-names
Allow any user- and groupname which is supported by the underlying useradd(8). See VALID NAMES
below. Valid modes: adduser, adduser --system, addgroup, addgroup --system.

--allow-bad-names
Disable NAME_REGEX and SYS_NAME_REGEX check of names. Only a weaker check for validity of the
name is applied. See VALID NAMES below. Valid modes: adduser, adduser --system, addgroup,
addgroup --system.

--comment comment
Set the comment field for the new entry generated. adduser will not ask for the information if
this option is given. This field is also known under the name GECOS field and contains
information that is used by the finger(1) command. This used to be the --gecos option, which is
deprecated and will be removed after Debian bookworm. Valid modes: adduser, adduser --system.

--conf file
Use file instead of /etc/adduser.conf. Multiple --conf options can be given.

--debug
Synonymous to --stdoutmsglevel=debug. Deprecated.

--disabled-login
--disabled-password
Do not run passwd(1) to set a password. In most situations, logins are still possible though (for
example using SSH keys or through PAM) for reasons that are beyond adduser's scope.
--disabled-login will additionally set the shell to /usr/sbin/nologin. Valid mode: adduser.

--firstuid ID
--lastuid ID
--firstgid ID
--lastgid ID
Override the first UID / last UID / first GID / last GID in the range that the uid is chosen from
(FIRST_UID, LAST_UID, FIRST_GID and LAST_GID, FIRST_SYSTEM_UID, LAST_SYSTEM_UID, FIRST_SYSTEM_GID
and LAST_SYSTEM_GID in the configuration file). If a group is created as a usergroup, --firstgid
and --lastgid are ignored. The group gets the same ID as the user. Valid modes: adduser, adduser
--system, for --firstgid and --lastgid also addgroup.

--force-badname
--allow-badname
These are the deprecated forms of --allow-bad-names. They will be removed during the release
cycle of Debian 13.

--extrausers
Uses extra users as the database.

--gid GID
When creating a group, this option sets the group ID number of the new group to GID. When
creating a user, this option sets the primary group ID number of the new user to GID. Valid
modes: adduser, adduser --system, addgroup, addgroup --system.

--group
Using this option in adduser --system indicates that the new user should get an identically named
group as its primary group. If that identically named group is not already present, it is
created. If not combined with --system, a group with the given name is created. The latter is
the default action if the program is invoked as addgroup. Valid modes: adduser --system,
addgroup, addgroup --system.

--help Display brief instructions.

--home dir
Use dir as the user's home directory, rather than the default specified by the configuration file
(or /nonexistent if adduser --system is used). If the directory does not exist, it is created.
Valid modes: adduser, adduser --system.

--ingroup GROUP
When creating a user, this option sets the primary group ID number of the new user to the GID of
the named group. Unlike with the --gid option, the group is specified here by name rather than by
numeric ID number. The group must already exist. Valid modes: adduser, adduser --system.

--lastuid ID
--lastgid ID
Override the last UID / last GID. See --firstuid.

--no-create-home
Do not create a home directory for the new user. Note that the pathname for the new user's home
directory will still be entered in the appropriate field in the /etc/passwd file. The use of this
option does not imply that this field should be empty. Rather, it indicates to adduser that some
other mechanism will be responsible for initializing the new user's home directory. Valid modes:
adduser, adduser --system.

--quiet
Synonymous to --stdoutmsglevel=warn. Deprecated.

--shell shell
Use shell as the user's login shell, rather than the default specified by the configuration file
(or /usr/sbin/nologin if adduser --system is used). Valid modes: adduser, adduser --system.

--system
Normally, adduser creates dynamically allocated user accounts and groups as defined in Debian
Policy, Chapter 9.2.2. With this option, adduser creates a dynamically allocated system user and
group and changes its mode respectively. Valid modes: adduser, addgroup.

--uid ID
Force the new userid to be the given number. adduser will fail if the userid is already taken.
Valid modes: adduser, adduser --system.

--verbose
Synonymous to --stdoutmsglevel=info. Deprecated.

--stdoutmsglevel prio
--stderrmsglevel prio
--logmsglevel prio
Minimum priority for messages logged to syslog/journal and the console, respectively. Values are
trace, debug, info, warn, err, and fatal. Messages with the priority set here or higher get
printed to the respective medium. Messages printed to stderr are not repeated on stdout. That
allows the local admin to control adduser's chattiness on the console and in the log
independently, keeping probably confusing information to itself while still leaving helpful
information in the log. stdoutmsglevel, stderrmsglevel, and logmsglevel default to warn, warn,
info, respectively.

-v , --version
Display version and copyright information.

VALID NAMES

       Historically,  adduser(8)  and addgroup(8) enforced conformity to IEEE Std 1003.1-2001, which allows only
       the following characters to appear in group- and usernames: letters,  digits,  underscores,  periods,  at
       signs  (@)  and  dashes.  The name may not start with a dash or @.  The "$" sign is allowed at the end of
       usernames to allow typical Samba machine accounts.

       The default settings for NAME_REGEX and SYS_NAME_REGEX allow usernames to  contain  letters  and  digits,
       plus dash (-) and underscore (_); the name must begin with a letter (or an underscore for system users).

       The  least  restrictive  policy,  available  by using the --allow-all-names option, simply makes the same
       checks as useradd(8).  Please note that useradd's checks have become quite  a  bit  more  restrictive  in
       Debian 13.

       Changing the default behavior can be used to create confusing or misleading names; use with caution.

LOGGING

       Adduser  uses  extensive  and  configurable  logging  to  tailor its verbosity to the needs of the system
       administrator.

       Every message that adduser prints has a priority value assigned by the authors.  This priority can not be
       changed at run time.  Available priority values are crit, error, warning, info, debug, and trace.

       If you find that a message has the wrong priority, please file a bug.

       Every time a message is generated, the code decides whether to print  the  message  to  standard  output,
       standard  error,  or  syslog.   This is mainly and independently controlled by the configuration settings
       STDOUTMSGLEVEL, STDERRMSGLEVEL, and LOGMSGLEVEL.  For testing purposes, these settings can be  overridden
       on the command line.

       Only  messages  with  a  priority  higher  or  equal  to  the  respective message level are logged to the
       respective output medium.  A message that was written to standard error is not written a second  time  to
       standard output.

EXIT VALUES

0 Success: The user or group exists as specified. This can have 2 causes: The user or group was
created by this call to adduser or the user or group was already present on the system as
specified before adduser was invoked. If adduser --system is invoked for a user already existing
with the requested or compatible attributes, it will also return 0.

11 The object that adduser was asked to create does already exist.

12 The object that adduser or deluser was asked to operate on does not exist.

13 The object that adduser or deluser was asked to operate on does not have the properties that are
required to complete the operation: A user (a group) that was requested to be created as a system
user (group) does already exist and is not a system user (group), or a user (group) that was
requested to be created with a certain UID (GID) does already exist and has a different UID (GID),
or a system user (group) that was requested to be deleted does exist, but is not a system user
(group).

21 The UID (GID) that was explicitly requested for a new user (group) is already in use.

22 There is no available UID (GID) in the requested range.

23 There is no group with the requested GID for the primary group for a new user.

31 The chosen name for a new user or a new group does not conform to the selected naming rules.

32 The home directory of a new user must be an absolute path.

33 useradd returned exit code 19 "invalid user or group name". That means the user or group name
chosen does not fit useradd's restrictions and adduser cannot create the user.

41 The group that was requested to be deleted is not empty.

42 The user that was requested to be removed from a group is not a member in the first place.

43 It is not possible to remove a user from its primary group, or no primary group selected for a new
user by any method.

51 Incorrect number or order of command line parameters detected.

52 Incompatible options set in configuration file.

53 Mutually incompatible command line options detected.

54 adduser and deluser invoked as non-root and thus cannot work.

55 deluser will refuse to delete the root account.

56 A function was requested that needs more packages to be installed. See Recommends: and Suggests:
of the adduser package.

61 Adduser was aborted for some reason and tried to roll back the changes that were done during
execution.

62 Internal adduser error. This should not happen. Please try to reproduce the issue and file a bug
report.

71 Error creating and handling the lock.

72 Error accessing the configuration file(s).

73 Error accessing a pool file.

74 Error reading a pool file, syntax error in file.

75 Error accessing auxiliary files.

81 An executable that is needed by adduser or deluser cannot be found. Check your installation and
dependencies.

82 Executing an external command returned some unexpected error.

83 An external command was terminated with a signal.

84 A syscall terminated with unexpected error.

Or for many other yet undocumented reasons which are printed to console then. You may then consider to
increase a log level to make adduser more verbose.

SECURITY

       adduser  needs  root  privileges  and  offers,  via  the  --conf  command  line  option  to use different
       configuration files.  Do not use sudo(8) or similar tools to give  partial  privileges  to  adduser  with
       restricted command line parameters.  This is easy to circumvent and might allow users to create arbitrary
       accounts.   If  you  want this, consider writing your own wrapper script and giving privileges to execute
       that script.

FILES

       /etc/adduser.conf
              Default configuration file for adduser(8) and addgroup(8)

       /usr/local/sbin/adduser.local
              Optional custom add-ons, see adduser.local(8)

NOTES

       Unfortunately, the term system account suffers from double use in Debian.  It both means an  account  for
       the actual Debian system, distinguishing itself from an application account which might exist in the user
       database of some application running on Debian.  A system account in this definition has the potential to
       log  in  to  the  actual  system, has a UID, can be member in system groups, can own files and processes.
       Debian Policy, au contraire, in its Chapter 9.2.2,  makes  a  distinguishment  of  dynamically  allocated
       system  users and groups and dynamically allocated user accounts, meaning in both cases special instances
       of system accounts.  Care must be taken to not confuse this terminology.  Since  adduser  and  deluser(8)
       never  address  application  accounts  and  everything in this package concerns system accounts here, the
       usage of the terms user account and system account is actually not  ambiguous  in  the  context  of  this
       package.  For clarity, this document uses the definition local system account or group if the distinction
       to application accounts or accounts managed in a directory service is needed.

       adduser  used  to  have  the  vision  to be the universal front end to the various directory services for
       creation and deletion of regular and system accounts in Debian since the 1990ies.  This vision  has  been
       abandoned as of 2022.  The rationale behind this includes: that in practice, a small server system is not
       going  to  have  write  access  to  an  enterprise-wide  directory service anyway, that locally installed
       packages are hard to manage with centrally controlled system accounts, that enterprise directory services
       have their own management processes anyway and that the personpower of the adduser team is unlikely to be
       ever strong enough to write and maintain support  for  the  plethora  of  directory  services  that  need
       support.

       adduser  will constrict itself to being a policy layer for the management of local system accounts, using
       the tools from the passwd package for the actual work.

BUGS

       Inconsistent use of terminology around the term system account in docs and code is a bug.  Please  report
       this and allow us to improve our docs.

       adduser  takes  special  attention to be directly usable in Debian maintainer scripts without conditional
       wrappers, error suppression and other scaffolding.  The only thing that  the  package  maintainer  should
       need to code is a check for the presence of the executable in the postrm script.  The adduser maintainers
       consider  the need for additional scaffolding a bug and encourage their fellow Debian package maintainers
       to file bugs against the adduser package in this case.