Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages


home | help
roleadd(1M)							   roleadd(1M)

       roleadd - administer a new role account on the system

       roleadd	[-c comment]  [-d dir]	[-e expire] [-f	inactive] [-g group] [
       -G group	[ , group...]] [ -m [-k	skel_dir]] [ -u	uid  [-o]]  [-s	shell]
       [-A authorization  [,authorization...]] [-K key=value] role

       roleadd	-D  [-b	base_dir] [-e expire] [-f inactive] [-g	group] [-A au-
       thorization   [,authorization...]]  [-P	profile	   [,profile...]   [-K

       roleadd	adds  a	 role  entry  to  the  /etc/passwd and /etc/shadow and
       /etc/user_attr files. The -A and	-P options respectively	assign	autho-
       rizations  and  profiles	to the role. Roles cannot be assigned to other
       roles. The -K option adds a key=value  pair  to	/etc/user_attr	for  a
       role. Multiple key=value	pairs can be added with	multiple -K options.

       roleadd	also  creates supplementary group memberships for the role (-G
       option) and creates the home directory (-m option) for the role if  re-
       quested.	 The  new role account remains locked until the	passwd(1) com-
       mand is executed.

       Specifying roleadd -D with the -g, -b, -f, -e, or  -K  option  (or  any
       combination of these option) sets the default values for	the respective
       fields. See the -D option.  Subsequent roleadd commands without the  -D
       option use these	arguments.

       The  system  file entries created with this command have	a limit	of 512
       characters per line. Specifying long arguments to several  options  can
       exceed this limit.

       The role	(role) field accepts a string of no more than eight bytes con-
       sisting of characters from the set of  alphabetic  characters,  numeric
       characters, period (.), underscore (_), and hyphen (-). The first char-
       acter should be alphabetic and the field	should contain	at  least  one
       lower  case alphabetic character. A warning message is written if these
       restrictions are	not met. A future Solaris release might	refuse to  ac-
       cept role fields	that do	not meet these requirements.

       The role	field must contain at least one	character and must not contain
       a colon (:) or a	newline	(\n).

       The following options are supported:

       -A authorizationOne or more comma separated authorizations  defined  in
		       auth_attr(4).  Only a user or role who has grant	rights
		       to the authorization can	assign it to an	account

       -b base_dir     The default base	directory for the system if -d dir  is
		       not  specified.	base_dir  is concatenated with the ac-
		       count name to define the	home directory.	If the -m  op-
		       tion is not used, base_dir must exist.

		       Note -  The  root  file	system of any non-global zones
			       must not	be referenced with the -b option.  Do-
			       ing so might damage the global zone's file sys-
			       tem,  might  compromise	the  security  of  the
			       global  zone,  and  might damage	the non-global
			       zone's file system. See zones(5).

       -c comment      Any text	string.	It is generally	a short	description of
		       the  role.  This	 information  is  stored in the	role's
		       /etc/passwd entry.

       -d dir	       The home	directory of the  new  role.  It  defaults  to
		       base_dir/account_name,  where  base_dir is the base di-
		       rectory for new login home directories and account_name
		       is the new role name.

       -D	       Display	 the   default	values	for  group,  base_dir,
		       skel_dir, shell,	inactive, expire
			and key=value pairs. When used with the	-g, -b,	-f, or
		       -K,  options, the -D option sets	the default values for
		       the specified fields. The default values	are:

		       group	       other (GID of 1)

		       base_dir	       /home

		       skel_dir	       /etc/skel

		       shell	       /bin/pfsh

		       inactive	       0

		       expire	       Null

		       auths	       Null

		       profiles	       Null

		       key=value (pairsndefinedinuser_attr(4)

       -e expire       Specify the expiration date  for	 a  role.  After  this
		       date,  no  user is able to access this role. The	expire
		       option argument is a date entered using one of the date
		       formats included	in the template	file /etc/datemsk. See

		       If the date format that you choose includes spaces,  it
		       must  be	 quoted. For example, you can enter 10/6/90 or
		       "October	6, 1990". A null value (" ") defeats the  sta-
		       tus of the expired date.	This option is useful for cre-
		       ating temporary roles.

       -f inactive     The maximum number of days allowed between  uses	 of  a
		       role ID before that ID is declared invalid. Normal val-
		       ues are positive	integers. A value of   0  defeats  the

       -g group	       An  existing  group's  integer  ID  or character-string
		       name. Without the -D option, it defines the new	role's
		       primary	group  membership  and defaults	to the default
		       group. You can reset this  default  value  by  invoking
		       roleadd -D -g group.

       -G group	       An  existing  group's  integer  ID  or character-string
		       name. It	defines	the  new  role's  supplementary	 group
		       membership. Duplicates between group with the -g	and -G
		       options are ignored. No more  than  NGROUPS_MAX	groups
		       can be specified.

       -k skel_dir     A directory that	contains skeleton information (such as
		       .profile) that can be copied into a new role's home di-
		       rectory.	 This directory	must already exist. The	system
		       provides	the /etc/skel directory	that can be  used  for
		       this purpose.

       -K key=value    A  key=value pair to add	to the role's attributes. Mul-
		       tiple -K	options	can be used to add multiple  key=value
		       pairs.  The  generic -K option with the appropriate key
		       can be used instead of the specific implied key options
		       (-A  and	 -P).  See  user_attr(4)  for  a list of valid
		       key=value pairs.	The "type" key is not a	valid key  for
		       this option. Keys can not be repeated.

       -m	       Create the new role's home directory if it does not al-
		       ready exist. If the directory already exists,  it  must
		       have  read,  write,  and	 execute permissions by	group,
		       where group is the role's primary group.

       -o	       This option allows a UID	to be duplicated (non-unique).

       -P profile      One or more comma-separated execution profiles  defined
		       in prof_attr(4).

       -s shell	       Full  pathname  of the program used as the user's shell
		       on login. It defaults to	an  empty  field  causing  the
		       system  to  use	/bin/pfsh as the default. The value of
		       shell must be a valid executable	file.

       -u uid	       The UID of the new role.	This UID must be  a  non-nega-
		       tive   decimal  integer	below  MAXUID  as  defined  in
		       <sys/param.h>.  The UID defaults	to the next  available
		       (unique)	 number	above the highest number currently as-
		       signed. For example, if UIDs 100, 105, and 200 are  as-
		       signed,	the next default UID number is 201. (UIDs from
		       0-99 are	reserved for possible use in  future  applica-








       See attributes(5) for descriptions of the following attributes:

       |      ATTRIBUTE	TYPE	     |	    ATTRIBUTE VALUE	   |
       |Availability		     |SUNWcsu			   |
       |Interface Stability	     |Evolving			   |

       passwd(1),  pfsh(1),  profiles(1),  roles(1),  users(1B), groupadd(1M),
       groupdel(1M),   groupmod(1M),	grpck(1M),    logins(1M),    pwck(1M),
       userdel(1M),   usermod(1M),   getdate(3C),   auth_attr(4),   passwd(4),
       prof_attr(4), user_attr(4), attributes(5)

       In case of an error, roleadd prints an error message and	exits  with  a
       non-zero	status.

       The following indicates that login specified is already in use:

       UX: roleadd: ERROR: login is already in use. Choose another.

       The  following  indicates  that the uid specified with the -u option is
       not unique:

       UX: roleadd: ERROR: uid uid is already in use. Choose another.

       The following indicates that the	group specified	with the -g option  is
       already in use:

       UX: roleadd: ERROR: group group does not	exist. Choose another.

       The following indicates that the	uid specified with the -u option is in
       the range of reserved UIDs (from	0-99):

       UX: roleadd: WARNING: uid uid is	reserved.

       The following indicates that the	uid specified with the -u  option  ex-
       ceeds MAXUID as defined in <sys/param.h>:

       UX: roleadd: ERROR: uid uid is too big. Choose another.

       The  following  indicates  that the /etc/passwd or /etc/shadow files do
       not exist:

       UX: roleadd: ERROR: Cannot update system	files -	login cannot be	created.

       If a network nameservice	such as	NIS or NIS+ is being used  to  supple-
       ment the	local /etc/passwd file with additional entries,	roleadd	cannot
       change information supplied by the network nameservice.

				  6 Apr	2005			   roleadd(1M)


Want to link to this manual page? Use this URL:

home | help