Creating System Users And Groups

Often one wants to create a user and/or group on a UNIX(-like) system from a script, for instance so that a server can run under its own unprivileged identity rather than as root or as some shared account. Unfortunately there is no completely portable way to achieve this. This page attempts to capture what you need to know for a number of platforms.

The assumption here is that you want to create a user and/or group for use by a new system service, rather than a login user. Thus having a password or being able to log in with a shell are not particularly wanted.

useradd and groupadd

Many platforms have useradd and groupadd commands; if there were to be a standard then these commands would presumably be it. For instance, Linux, Solaris, OpenBSD, NetBSD and HP-UX all have them, although the option sets differ between implementations. NB that at the time of writing I've only personally tested the Linux variant.

Create a group: groupadd GROUP

Create a user: useradd -d DIRECTORY -g GROUP -c 'DESCRIPTION' USER

These tools can choose new GIDs and UIDs for you (on Linux, pass -r to both so that the IDs come from the system range defined by SYS_UID_MIN/SYS_GID_MIN in /etc/login.defs rather than from the range used for login users). -g GROUP must name a group that already exists, so create the group first. -d only records DIRECTORY in the passwd entry; the directory is not created unless you also pass -m. The user will have a default shell, which you can override with -s, and an invalid password (on Linux the shadow field is set to '!'), so nobody can log in with a password. An invalid password does not stop root running su USER, nor a process being started under the account with its default shell, so for a service account it is worth passing -s /usr/sbin/nologin (or /bin/false) explicitly.
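As an added example (not part of the original page), here is a script that wraps groupadd and useradd so it can be re-run safely: it checks with getent before creating anything, takes the IDs from the system range, and denies the account a usable shell. It assumes the Linux shadow-utils options (-r, -M, /usr/sbin/nologin); the service name, home directory and the DRY_RUN convention are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): create a service group and user
# idempotently with the shadow-utils useradd/groupadd found on Linux.
# Assumptions: getent is available; -r, -M and /usr/sbin/nologin are the
# shadow-utils forms (other useradd implementations differ); the names in the
# usage section at the bottom are illustrative.
set -eu

# Run a privileged command, or just print it when DRY_RUN=1 so the script can
# be reviewed without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_group NAME: create a system group unless it already exists.
ensure_group() {
    if getent group "$1" >/dev/null; then
        return 0
    fi
    run groupadd -r "$1"
}

# ensure_user NAME GROUP HOME DESCRIPTION: create a locked-down service user.
#   -r  pick a UID from the system range (SYS_UID_MIN..SYS_UID_MAX in login.defs)
#   -M  record HOME in the passwd entry but do not create it
#   -s  a non-shell, so even `su NAME` from root yields no interactive session
ensure_user() {
    if getent passwd "$1" >/dev/null; then
        return 0
    fi
    run useradd -r -M -d "$3" -g "$2" -c "$4" -s /usr/sbin/nologin "$1"
}

# Usage (illustrative names):
#   DRY_RUN=1 sh create-svc.sh install   # print what would be run
#   sudo sh create-svc.sh install        # actually create _myservice
if [ "${1:-}" = install ]; then
    ensure_group _myservice
    ensure_user _myservice _myservice /var/lib/myservice 'My service'
fi
```

Running it with DRY_RUN=1 first shows exactly which commands will be executed as root; a second run after installation does nothing, because both getent checks succeed.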

FreeBSD

Here everything is done via the pw command.

Create a group: pw groupadd GROUP

Create a user: pw useradd USER -w no -d DIRECTORY -g GROUP -c 'DESCRIPTION'

The user will have a default shell and (because -w no leaves the password field disabled) won't be able to log in with a password; as with useradd, pass -s /usr/sbin/nologin if you don't want the account to have a working shell either. Note that, oddly, the options come after the name in this command (pw also accepts the name via -n USER, in which case the order no longer matters).

Mac OS X

Here the situation is not very good. There is no single command to create a user or group; instead you must use dscl to access the directory service directly, filling in all the right fields yourself in consecutive calls. (Formerly you were supposed to use NetInfo directly but the advice is now to use dscl.)

To create a group:

dscl / -create /Groups/GROUP
dscl / -create /Groups/GROUP PrimaryGroupID GID
dscl / -create /Groups/GROUP Password \*

To create a user:

dscl / -create /Users/USER
dscl / -create /Users/USER UniqueID UID
dscl / -create /Users/USER UserShell /usr/bin/false
dscl / -create /Users/USER RealName 'DESCRIPTION'
dscl / -create /Users/USER NFSHomeDirectory DIRECTORY
dscl / -create /Users/USER PrimaryGroupID GID
dscl / -create /Users/USER Password \*

You must pick UID and GID yourself. A command like dscl / -list /Groups PrimaryGroupID will produce a list of groups and their IDs (and dscl / -list /Users UniqueID does the same for users), allowing you to avoid existing ones. UIDs of 501 and above will appear in the Accounts preferences window; those below 501 will not, which is what you want for a service account. I don't know where this is documented, unfortunately.

Worse still, if you don't pick a unique UID, it won't report an error; the 'unique' in UniqueID is just a statement of intent, not an enforced constraint. So for instance, if someone else is trying to pick a new UID in the same time frame, a clash is entirely possible. You could work around this by checking the full list of UIDs after creating your user and deleting and retrying if you find a clash.

If you don't set a password then the default is the empty string (i.e. potentially anyone will be able to log in as this user), so set the Password field as early as possible after creating the record. If you set a usable login shell (rather than false as above) then it seems there is a gap of a few seconds between setting the Password field and the user not being able to log in any more.

You have to know the right set of fields to fill in (if you get it wrong then the GUI tools may hang). I don't know if they are properly documented anywhere; please let me know if you know better. The example above is copied from the system daemon user on 10.4.
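As an added example (not part of the original page), the following script does what the previous paragraphs describe by hand: it picks the lowest unused UID from the dscl listing, creates the record with the same fields as above (Password and UserShell set first, to shrink the window in which the new account is usable), then re-lists and deletes the record if the UID turned out not to be unique. The awk helpers are plain text processing and run anywhere; only create_hidden_user needs dscl. It assumes the listing has the form "name<whitespace>uid" per line as dscl / -list /Users UniqueID prints it; the 200-499 range (chosen to stay below 501) and the names in the usage line are illustrative.

```shell
#!/bin/sh
# Added example (not from the original page): choose a free UID for a hidden
# service account, create it with dscl, and detect the UID race afterwards.
# Assumptions: listing lines are "name<whitespace>uid" (dscl / -list /Users
# UniqueID); the 200-499 range and the usage names are illustrative.
set -eu

# pick_free_uid LO HI: read a listing on stdin and print the lowest UID in
# [LO,HI] that no record holds; exit status 1 if the range is exhausted.
pick_free_uid() {
    awk -v lo="$1" -v hi="$2" '
        NF >= 2 { used[$2] = 1 }
        END {
            for (u = lo; u <= hi; u++)
                if (!(u in used)) { print u; exit 0 }
            exit 1
        }'
}

# uid_holders UID: print how many records in the listing on stdin hold UID.
uid_holders() {
    awk -v uid="$1" 'NF >= 2 && $2 == uid { n++ } END { print n + 0 }'
}

# create_hidden_user USER GID HOME DESCRIPTION (macOS only, run as root).
# Prints the UID it assigned on success.
create_hidden_user() {
    uid=$(dscl / -list /Users UniqueID | pick_free_uid 200 499) || {
        echo "no free UID in range" >&2
        return 1
    }
    dscl / -create "/Users/$1"
    # Password and shell first: an empty password plus a usable shell is
    # a live login account for as long as the record stays in that state.
    dscl / -create "/Users/$1" Password '*'
    dscl / -create "/Users/$1" UserShell /usr/bin/false
    dscl / -create "/Users/$1" UniqueID "$uid"
    dscl / -create "/Users/$1" PrimaryGroupID "$2"
    dscl / -create "/Users/$1" NFSHomeDirectory "$3"
    dscl / -create "/Users/$1" RealName "$4"
    # UniqueID is not enforced: if another record now shares the UID, roll
    # back rather than leave two accounts with one identity.
    if [ "$(dscl / -list /Users UniqueID | uid_holders "$uid")" -ne 1 ]; then
        dscl / -delete "/Users/$1"
        echo "UID $uid clashed after creation; retry" >&2
        return 2
    fi
    echo "$uid"
}

# Usage (illustrative): sudo sh hidden-user.sh _myservice 100 /var/empty 'My service'
if [ $# -eq 4 ]; then
    create_hidden_user "$@"
fi
```

A return status of 2 means the clash check fired and the record was removed; the caller should simply call it again, which picks a fresh UID from the updated listing.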
