ROLEADD(8) Maintenance Procedures ROLEADD(8)
NAME
roleadd - administer a new role account on the system
SYNOPSIS
roleadd [
-A authorization[,
authorization]...]
[
-b base_dir] [
-c comment] [
-d dir] [
-e expire]
[
-f inactive] [
-g group] [
-G group[,
group]...]
[
-K key=value] [
-m [
-z|-Z] [
-k skel_dir]] [
-p projname]
[
-P profile[,
profile]...] [
-s shell] [
-u uid [
-o]]
role roleadd -D [
-A authorization[,
authorization]...]
[
-b base_dir] [
-e expire] [
-f inactive] [
-g group]
[
-k skel_dir] [
-K key=value] [
-p projname]
[
-P profile[,
profile]...] [
-s shell]
DESCRIPTION
roleadd adds a role entry to the
/etc/passwd and
/etc/shadow and
/etc/user_attr files. The
-A and
-P options respectively assign
authorizations and profiles to the role. The
-p option associates a
project with the role. The
-K option adds a
key=value pair to
/etc/user_attr for the role. Multiple
key=value pairs can be added with
multiple
-K options.
roleadd also creates supplementary group memberships for the role (
-G option) and creates the home directory (
-m option) for the role if
requested. The new role account remains locked until the
passwd(1) command is executed.
Specifying
roleadd -D with the
-A,
-b,
-e,
-f,
-g,
-k,
-K,
-p,
-P, or
-s option (or any combination of these options) sets the default values for
the respective fields. See the
-D option. Subsequent
roleadd commands
without the
-D option use these arguments.
The system file entries created with this command have a limit of 512
characters per line. Specifying long arguments to several options can
exceed this limit.
roleadd requires that usernames be in the format described in
passwd(5).
A warning message is displayed if these restrictions are not met. See
passwd(5) for the requirements for usernames.
To change the action of
roleadd when the traditional login name length
limit of eight characters is exceeded, edit the file
/etc/default/useradd by removing the
# (pound sign) before the appropriate
EXCEED_TRAD= entry,
and adding it before the others.
OPTIONS
The following options are supported:
-A authorization One or more comma separated authorizations defined in
auth_attr(5).
Only a user or role who has
grant rights to the authorization can
assign it to a role.
-b base_dir The base directory for new role home directories (see the
-d option
below). The directory named by
base_dir must already exist and be an
absolute path.
-c comment A text string. It is generally a short description of the role. This
information is stored in the role's
/etc/passwd entry.
-d dir The home directory of the new role. If not supplied, it defaults to
base_dir/
account_name, where
base_dir is the base directory for new
login home directories and
account_name is the new role name.
-D Display the default values for
group,
base_dir,
skel_dir,
shell,
inactive,
expire,
proj,
projname and
key=value pairs. When used with
the
-A,
-b,
-e,
-f,
-g,
-P,
-p, or
-K, options, the
-D option sets
the default values for the specified fields. The default values are:
group other (
GID of 1)
base_dir /home skel_dir /etc/skel shell /bin/pfsh inactive 0 expire Null
auths Null
profiles Null
proj 3 projname default key=value (pairs defined in
user_attr(5))
not present
-e expire Specify the expiration date for a role. After this date, no user is
able to access this role. The expire option argument is a date
entered using one of the date formats included in the template file
/etc/datemsk. See
getdate(3C).
If the date format that you choose includes spaces, it must be
quoted. For example, you can enter
10/6/90 or
October 6, 1990. A null
value (
" ") defeats the status of the expired date. This option is
useful for creating temporary roles.
-f inactive The maximum number of days allowed between uses of a role ID before
that
ID is declared invalid. Normal values are positive integers. A
value of
0 defeats the status.
-g group An existing group's integer
ID or character-string name. Without the
-D option, it defines the new role's primary group membership and
defaults to the default group. You can reset this default value by
invoking
roleadd -D -g group. GIDs 0-99 are reserved for allocation
by the Operating System.
-G group One or more comma-separated existing groups, specified by integer
ID or character-string name. It defines the new role's supplementary
group membership. Any duplicate groups between the
-g and
-G options
are ignored. No more than
NGROUPS_MAX groups can be specified. GIDs
0-99 are reserved for allocation by the Operating System.
-k skel_dir A directory that contains skeleton information (such as
.profile)
that can be copied into a new role's home directory. This directory
must already exist. The system provides the
/etc/skel directory that
can be used for this purpose.
-K key=value A
key=value pair to add to the role's attributes. Multiple
-K options
may be used to add multiple
key=value pairs. The generic
-K option
with the appropriate key may be used instead of the specific implied
key options (
-A,
-p,
-P). See
user_attr(5) for a list of valid
key=value pairs. The "type" key is not a valid key for this option.
Keys cannot be repeated.
-m [
-z|-Z]
Create the new role's home directory if it does not already exist. If
the directory already exists, it must have read, write, and execute
permissions by
group, where
group is the role's primary group.
If the parent directory of the role's home directory is located on a
separate
ZFS file system and the
/etc/default/useradd file contains
the parameter
MANAGE_ZFS set to the value
YES, a new
ZFS file system
will be created for the role.
If the
-z option is specified,
roleadd will always try to create a
new file system for the home directory.
If the
-Z option is specified, a new file system will never be
created.
-o This option allows a
UID to be duplicated (non-unique).
-p projname Name of the project with which the added role is associated. See the
projname field as defined in
project(5).
-P profile One or more comma-separated execution profiles defined in
prof_attr(5).
-s shell Full pathname of the program used as the role's shell on login. It
defaults to an empty field causing the system to use
/bin/pfsh as the
default. The value of
shell must be a valid executable file.
-u uid The
UID of the new role. This
UID must be a non-negative decimal
integer below
MAXUID as defined in
<sys/param.h>. The
UID defaults to
the next available (unique) number above the highest number currently
assigned. For example, if
UIDs 100, 105, and 200 are assigned, the
next default
UID number will be 201.
UIDs
0-
99 are reserved for
allocation by the Operating System.
FILES
/etc/default/useradd /etc/datemsk /etc/passwd /etc/shadow /etc/group /etc/skel /usr/include/limits.h /etc/user_attrATTRIBUTES
See
attributes(7) for descriptions of the following attributes:
+--------------------+-----------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+--------------------+-----------------+
|Interface Stability | Evolving |
+--------------------+-----------------+
SEE ALSO
passwd(1),
pfsh(1),
profiles(1),
roles(1),
getdate(3C),
auth_attr(5),
passwd(5),
prof_attr(5),
user_attr(5),
attributes(7),
groupadd(8),
groupdel(8),
groupmod(8),
grpck(8),
logins(8),
pwck(8),
userdel(8),
usermod(8),
zfs(8)DIAGNOSTICS
In case of an error,
roleadd prints an error message and exits with a
non-zero status.
The following indicates that
login specified is already in use:
UX: roleadd: ERROR: login is already in use. Choose another.
The following indicates that the
uid specified with the
-u option is not
unique:
UX: roleadd: ERROR: uid
uid is already in use. Choose another.
The following indicates that the
group specified with the
-g option is
already in use:
UX: roleadd: ERROR: group
group does not exist. Choose another.
The following indicates that the
uid specified with the
-u option is in
the range of reserved
UIDs (from
0-
99):
UX: roleadd: WARNING: uid
uid is reserved.
The following indicates that the
uid specified with the
-u option exceeds
MAXUID as defined in
<sys/param.h>:
UX: roleadd: ERROR: uid
uid is too big. Choose another.
The following indicates that the
/etc/passwd or
/etc/shadow files do not
exist:
UX: roleadd: ERROR: Cannot update system files - login cannot be created.
NOTES
If a network nameservice is being used to supplement the local
/etc/passwd file with additional entries,
roleadd cannot change
information supplied by the network nameservice.
January 7, 2018
ROLEADD(8)