
Commands Reference, Volume 3

mkuser Command

Purpose

Creates a new user account.

Syntax

mkuser [ -R load_module ] [ -a ] [ Attribute=Value ... ] Name

Description

The mkuser command creates a new user account. The Name parameter must be a unique string of 8 bytes or fewer. You cannot use the ALL or default keywords in the user name. By default, the mkuser command creates a standard user account. To create an administrative user account, specify the -a flag.

To create a user with an alternate Identification and Authentication (I&A) mechanism, the -R flag can be used to specify the I&A load module used to create the user. Users created without the -R flag are created locally. Load modules are defined in the /usr/lib/security/method.cfg file.

The mkuser command does not create password information for a user. It initializes the password field with an * (asterisk). Later, this field is set with the passwd or pwdadm command. New accounts are disabled until the passwd or pwdadm commands are used to add authentication information to the /etc/security/passwd file.

You can use the Users application in Web-based System Manager to change user characteristics. You could also use the System Management Interface Tool (SMIT) smit mkuser fast path to run this command.

Restrictions on Creating User Names

To prevent login inconsistencies, you should avoid composing user names entirely of uppercase alphabetic characters. While the mkuser command supports multi-byte user names, it is recommended that you restrict user names to characters within the POSIX portable filename character set.

To ensure that your user database remains uncorrupted, you must be careful when naming users. User names must not begin with a - (dash), + (plus sign), @ (at sign), or ~ (tilde). You cannot use the keywords ALL or default in a user name. Additionally, do not use any of the following characters within a user-name string:

: Colon
" Double quote
# Pound sign
, Comma
= Equal sign
\ Back slash
/ Slash
? Question mark
' Single quote
` Back quote

Finally, the Name parameter cannot contain any space, tab, or new-line characters.
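
The naming rules above can be checked before a name ever reaches mkuser, for example in a provisioning script that takes names from a ticket or a form. The following is an added example, not part of the AIX documentation; check_mkuser_name, bytes_without and FORBIDDEN are hypothetical names, and applying the ALL/default keyword rule to the whole name is an assumption.

```shell
#!/bin/sh
# Added example: check_mkuser_name is a hypothetical helper, not an AIX command.
# Prints a verdict for a candidate Name; returns 0 for ok/warn, 1 for reject.

# tr set for the ten characters listed above: : " # , = \ / ? ' `
FORBIDDEN=':"#,=\\/?'\''`'

# Byte count of $1 after deleting every character in the tr set $2.
bytes_without() {
    printf '%s' "$1" | LC_ALL=C tr -d "$2" | wc -c | tr -d ' '
}

check_mkuser_name() {
    name=$1
    len=$(printf '%s' "$name" | wc -c | tr -d ' ')   # bytes, not characters

    [ "$len" -gt 0 ] || { echo "reject: empty name"; return 1; }
    [ "$len" -le 8 ] || { echo "reject: longer than 8 bytes"; return 1; }

    # Assumption: the keyword rule is applied to the whole name.
    case $name in
        ALL|default) echo "reject: reserved keyword"; return 1 ;;
        [-+@~]*)     echo "reject: begins with - + @ or ~"; return 1 ;;
    esac

    # Space, tab and new-line are not allowed anywhere in the name.
    [ "$(bytes_without "$name" ' \t\n')" -eq "$len" ] ||
        { echo "reject: contains space, tab or new-line"; return 1; }

    [ "$(bytes_without "$name" "$FORBIDDEN")" -eq "$len" ] ||
        { echo "reject: contains a forbidden character"; return 1; }

    # Discouraged, not forbidden: names made up only of uppercase letters.
    if [ "$(bytes_without "$name" 'ABCDEFGHIJKLMNOPQRSTUVWXYZ')" -eq 0 ]; then
        echo "warn: all-uppercase name can cause login inconsistencies"
        return 0
    fi
    echo "ok"
}

# Constructed sample names, one per rule.
for n in davis DAVIS -davis 'da:vis' default; do
    printf '%-8s %s\n' "$n" "$(check_mkuser_name "$n")"
done
```

A calling script can gate on the return status, for example: check_mkuser_name "$n" && mkuser "$n".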

Flags

-a Specifies that the user is an administrator. Only the root user can use this flag or alter the attributes of an administrative user.
-R load_module Specifies the loadable I&A module used to create the user.

Parameters

Attribute=Value Initializes a user attribute. Refer to the chuser command for the valid attributes and values.
Name Specifies a unique string of 8 bytes or fewer.

Security

Access Control: This command should grant execute (x) access only to the root user and members of the security group. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.

Files Accessed:

Mode File
rw /etc/passwd
rw /etc/security/user
rw /etc/security/user.roles
rw /etc/security/limits
rw /etc/security/environ
rw /etc/group
rw /etc/security/group
r /usr/lib/security/mkuser.default
x /usr/lib/security/mkuser.sys

Auditing Events:

Event Information
USER_Create user

Limitations

Creating a user may not be supported by all loadable I&A modules. If the loadable I&A module does not support creating a user, an error is reported.

Examples

  1. To create the davis user account with the default values in the /usr/lib/security/mkuser.default file, type:

    mkuser davis

  2. To create the davis account with davis as an administrator, type:

    mkuser -a davis

    Only the root user or users with the UserAdmin authorization can create davis as an administrative user.

  3. To create the davis user account and set the su attribute to a value of false, type:

    mkuser su=false davis

  4. To create the davis user account that is identified and authenticated through the LDAP load module, type:

    mkuser -R LDAP davis

Files

/usr/bin/mkuser Contains the mkuser command.
/usr/lib/security/mkuser.default Contains the default values for new users.
/etc/passwd Contains the basic attributes of users.
/etc/security/user Contains the extended attributes of users.
/etc/security/user.roles Contains the administrative role attributes of users.
/etc/security/passwd Contains password information.
/etc/security/limits Defines resource quotas and limits for each user.
/etc/security/environ Contains the environment attributes of users.
/etc/group Contains the basic attributes of groups.
/etc/security/group Contains the extended attributes of groups.
/etc/security/.ids Contains standard and administrative user IDs and group IDs.

Related Information

The chfn command, chgroup command, chgrpmem command, chsh command, chuser command, lsgroup command, lsuser command, mkgroup command, mkuser.sys command, passwd command, pwdadm command, rmgroup command, rmuser command, setgroups command, setsenv command.

For more information about the identification and authentication of users, discretionary access control, the trusted computing base, and auditing, refer to the AIX 5L Version 5.2 Security Guide.

For information on installing the Web-based System Manager, see Chapter 2: Installation and System Requirements in AIX 5L Version 5.2 Web-based System Manager Administration Guide.

For more information about administrative roles, refer to Administrative Roles Overview in AIX 5L Version 5.2 Security Guide.
