roleadd - administer a new role account on the system
roleadd [-A authorization[,authorization]...]
[-b base_dir] [-c comment] [-d dir] [-e expire]
[-f inactive] [-g group] [-G group[,group]...]
[-K key=value] [-m [-z|-Z] [-k skel_dir]] [-p projname]
[-P profile[,profile]...] [-s shell] [-u uid [-o]] role
roleadd -D [-A authorization[,authorization]...]
[-b base_dir] [-e expire] [-f inactive] [-g group]
[-k skel_dir] [-K key=value] [-p projname]
[-P profile[,profile]...] [-s shell]
roleadd adds a role entry to the /etc/passwd and
/etc/shadow and /etc/user_attr files. The -A and
-P options respectively assign authorizations and profiles to the role.
The -p option associates a project with the role. The -K option
adds a key=value pair to /etc/user_attr for the role. Multiple
key=value pairs can be added with multiple -K options.
roleadd also creates supplementary group memberships for
the role (-G option) and creates the home directory (-m
option) for the role if requested. The new role account remains locked until
the passwd(1) command is executed.
Specifying roleadd -D with the -A, -b,
-e, -f, -g, -k, -K, -p, -P,
or -s option (or any combination of these options) sets the default
values for the respective fields. See the -D option. Subsequent
roleadd commands without the -D option use these
arguments.
The system file entries created with this command have a limit of
512 characters per line. Specifying long arguments to several options can
exceed this limit.
roleadd requires that usernames be in the format described
in passwd(5). A warning message is displayed if these restrictions
are not met. See passwd(5) for the requirements for usernames.
To change the action of roleadd when the traditional login
name length limit of eight characters is exceeded, edit the file
/etc/default/useradd by removing the # (pound sign) before the
appropriate EXCEED_TRAD= entry, and adding it before the others.
The following options are supported:
-A authorization
One or more comma separated authorizations defined in
auth_attr(5). Only a user or role who has
grant rights to the
authorization can assign it to a role.
-b base_dir
The base directory for new role home directories (see the
-d option below). The directory named by base_dir must already
exist and be an absolute path.
-c comment
A text string. It is generally a short description of the
role. This information is stored in the role's /etc/passwd entry.
-d dir
The home directory of the new role. If not supplied, it
defaults to base_dir/account_name, where base_dir is the
base directory for new login home directories and account_name is the
new role name.
-D
Display the default values for
group,
base_dir,
skel_dir,
shell,
inactive,
expire,
proj,
projname and
key=value pairs. When
used with the
-A,
-b,
-e,
-f,
-g,
-P,
-p, or
-K, options, the
-D option sets the
default values for the specified fields. The default values are:
group
other (GID of 1)
base_dir
/home
skel_dir
/etc/skel
shell
/bin/pfsh
inactive
0
expire
Null
auths
Null
profiles
Null
proj
3
projname
default
key=value (pairs defined in user_attr(5))
not present
-e expire
Specify the expiration date for a role. After this date,
no user is able to access this role. The expire option argument is a date
entered using one of the date formats included in the template file
/etc/datemsk. See
getdate(3C).
If the date format that you choose includes spaces, it must be
quoted. For example, you can enter 10/6/90 or October 6, 1990.
A null value (" ") defeats the status of the expired date.
This option is useful for creating temporary roles.
-f inactive
The maximum number of days allowed between uses of a role
ID before that ID is declared invalid. Normal values are positive
integers. A value of 0 defeats the status.
-g group
An existing group's integer ID or character-string
name. Without the -D option, it defines the new role's primary group
membership and defaults to the default group. You can reset this default value
by invoking roleadd -D -g group. GIDs 0-99 are
reserved for allocation by the Operating System.
-G group
One or more comma-separated existing groups, specified by
integer ID or character-string name. It defines the new role's
supplementary group membership. Any duplicate groups between the -g and
-G options are ignored. No more than NGROUPS_MAX groups can be
specified. GIDs 0-99 are reserved for allocation by the Operating
System.
-k skel_dir
A directory that contains skeleton information (such as
.profile) that can be copied into a new role's home directory. This
directory must already exist. The system provides the /etc/skel
directory that can be used for this purpose.
-K key=value
A
key=value pair to add to the role's attributes.
Multiple
-K options may be used to add multiple
key=value pairs.
The generic
-K option with the appropriate key may be used instead of
the specific implied key options (
-A,
-p,
-P). See
user_attr(5) for a list of valid
key=value pairs. The
"type" key is not a valid key for this option. Keys cannot be
repeated.
-m [-z|-Z]
Create the new role's home directory if it does not
already exist. If the directory already exists, it must have read, write, and
execute permissions by
group, where
group is the role's primary
group.
If the parent directory of the role's home directory is located on
a separate ZFS file system and the /etc/default/useradd file
contains the parameter MANAGE_ZFS set to the value YES, a new
ZFS file system will be created for the role.
If the -z option is specified, roleadd will always
try to create a new file system for the home directory.
If the -Z option is specified, a new file system will never
be created.
-o
This option allows a UID to be duplicated
(non-unique).
-p projname
Name of the project with which the added role is
associated. See the
projname field as defined in
project(5).
-P profile
One or more comma-separated execution profiles defined in
prof_attr(5).
-s shell
Full pathname of the program used as the role's shell on
login. It defaults to an empty field causing the system to use
/bin/pfsh as the default. The value of shell must be a valid
executable file.
-u uid
The UID of the new role. This UID must be a
non-negative decimal integer below MAXUID as defined in
<sys/param.h>. The UID defaults to the next available
(unique) number above the highest number currently assigned. For example, if
UIDs 100, 105, and 200 are assigned, the next default UID number
will be 201. UIDs 0-99 are reserved for allocation by the
Operating System.
/etc/default/useradd
/etc/datemsk
/etc/passwd
/etc/shadow
/etc/group
/etc/skel
/usr/include/limits.h
/etc/user_attr
See attributes(7) for descriptions of the following attributes:
ATTRIBUTE
TYPE |
ATTRIBUTE VALUE |
Interface Stability |
Evolving |
passwd(1), pfsh(1), profiles(1), roles(1),
getdate(3C), auth_attr(5), passwd(5),
prof_attr(5), user_attr(5), attributes(7),
groupadd(8), groupdel(8), groupmod(8), grpck(8),
logins(8), pwck(8), userdel(8), usermod(8),
zfs(8)
In case of an error, roleadd prints an error message and exits with a
non-zero status.
The following indicates that login specified is already in
use:
UX: roleadd: ERROR: login is already in use. Choose another.
The following indicates that the uid specified with the
-u option is not unique:
UX: roleadd: ERROR: uid uid is already in use. Choose another.
The following indicates that the group specified with the
-g option is already in use:
UX: roleadd: ERROR: group group does not exist. Choose another.
The following indicates that the uid specified with the
-u option is in the range of reserved UIDs (from
0-99):
UX: roleadd: WARNING: uid uid is reserved.
The following indicates that the uid specified with the
-u option exceeds MAXUID as defined in
<sys/param.h>:
UX: roleadd: ERROR: uid uid is too big. Choose another.
The following indicates that the /etc/passwd or
/etc/shadow files do not exist:
UX: roleadd: ERROR: Cannot update system files - login cannot be created.
If a network nameservice is being used to supplement the local
/etc/passwd file with additional entries, roleadd cannot change
information supplied by the network nameservice.