mkuser Command

Purpose

Creates a new user account.

Syntax

mkuser [ -R load_module ] [-a ] [ Attribute=Value ... ] Name

Description

The mkuser command creates a new user account. The Name parameter must be a unique string (whose length is administrator-configurable using the chdev command) . You cannot use the ALL or default keywords in the user name. By default, the mkuser command creates a standard user account. To create an administrative user account, specify the -a flag.

To create a user with an alternate Identification and Authentication (I&A) mechanism, you can use the -R flag to specify the I&A load module. If you create users without the -R flag, you create the users locally. Load modules are defined in the /usr/lib/security/methods.cfg file.

The mkuser command does not create password information for a user. It initializes the password field with an * (asterisk). Later, this field is set with the passwd or pwdadm command. New accounts are disabled until the passwd or pwdadm commands are used to add authentication information to the /etc/security/passwd file.

You can use the Users application in Web-based System Manager to change user characteristics. You can also use the System Management Interface Tool (SMIT) smit mkuser fast path to run this command.

The mkuser command always checks the target user registry to make sure the ID for the new account is unique to the target registry. You can also configure the mkuser command to check all user registries of the system using the dist_uniqid system attribute. The dist_uniqid system attribute is an attribute of the usw stanza of the /etc/security/login.cfg file, and can be managed using the chsec command.

The dist_uniqid system attribute has the following values:
  • never - Does not check for ID collision against the non-target registries. This is the default setting.
  • always - Checks for ID collision against all other registries. If collision is detected between the target registry and any other registry account creation or modification fails.
  • uniqbyname - Checks for ID collision against all other registries. Collision between registries is allowed only if the account to be created has the same name as the existing account.
Note: ID collision detection in the target registry is always enforced regardless of the dist_uniqid system attribute.

The uniqbyname system attribute setting works well against two registries. With more than two registries, and with ID collision already existing between two registries, the behavior of the mkuser command is unspecified when creating a new account in a third registry using colliding ID values. The new account creation might succeed or fail depending the order in which the registries are checked.

The check for ID collision only enforces ID uniqueness between the local registry and remote registries or between remote registries. There is no guarantee of ID uniqueness between the newly created account on the remote registry and existing local users on other systems that make use of the same remote registry. The mkuser command bypasses a remote registry if the remote registry is not reachable at the time the command is run.

See the section "Administering a PowerHA® cluster" in the PowerHA SystemMirror Administration Guide, 7.1 or later, for a discussion of the behavior of this command in a PowerHA cluster.

Restrictions on Creating User Names

To prevent login inconsistencies, you should avoid composing user names entirely of uppercase alphabetic characters. While the mkuser command supports multi-byte user names, it is recommended that you restrict user names to characters with the POSIX portable filename character set.

To ensure that your user database remains uncorrupted, you must be careful when naming users. User names must not begin with a - (dash), + (plus sign), @ (at sign), or ~ (tilde). You cannot use the keywords ALL or default in a user name. Additionally, do not use any of the following characters within a user-name string:

Item Description
: Colon
" Double quote
# Pound sign
, Comma
= Equal sign
\ Back slash
/ Slash
? Question mark
' Single quote
` Back quote

Finally, the Name parameter cannot contain any space, tab, or new-line characters.

Flags

Item Description
-a Specifies that the user is an administrator. Only the root user can use this flag or alter the attributes of an administrative user.
username Specifies that the user is a new user.
-R load_module Specifies the loadable I&A module used to create the user.

Parameters

Item Description
Attribute=Value Initializes a user attribute. Refer to the chuser command for the valid attributes and values.
Name Specifies a unique string. The length of this string is set by an administrator by using the chdev command.

Exit Status

This command returns the following exit values:
Item Description
0 The command runs successfully and all requested changes are made.
>0 An error occurred. The printed error message lists further details about the type of failure.

Security

Access Control: This command should grant execute (x) access only to the root user and members of the security group. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX® Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.
To get the full functionality of the command, besides the accessauths, the role should also have the following authorizations:
  • aix.security.user.audit
  • aix.security.role.assign
  • aix.security.group.change
  • aix.security.user.change

Files Accessed:

Mode File
rw /etc/passwd
rw /etc/security/user
rw /etc/security/user.roles
rw /etc/security/limits
rw /etc/security/environ
rw /etc/group
rw /etc/security/group
r /usr/lib/security/mkuser.default
x /usr/lib/security/mkuser.sys

Auditing Events:

Event Information
USER_Create user

Limitations

Creating a user may not be supported by all loadable I&A modules. If the loadable I&A module does not support creating a user, an error is reported.

Examples

  1. To create the davis user account with the default values in the /usr/lib/security/mkuser.default file, type:
    mkuser davis
  2. To create the davis account with davis as an administrator, type:
    mkuser -a davis
    Only the root user or users with the UserAdmin authorization can create davis as an administrative user.
  3. To create the davis user account and set the su attribute to a value of false, type:
    mkuser su=false davis
  4. To create the davis user account that is identified and authenticated through the LDAP load module, type:
    mkuser -R LDAP davis

Error Codes

Item Description
0 The command is successful.
EINVAL The username argument is not valid (containing characters not valid).
EACCES The invoker does not have write access to the database files.
EPERM The user identification and authentication fails if the -a flag is specified and the invoker is not root.
EEXIST The user already exists.
ENAMETOOLONG The user name is too long.
other errno There are other system errors.

Files

Item Description
/usr/bin/mkuser Contains the mkuser command.
/usr/lib/security/mkuser.default Contains the default values for new users.
/etc/passwd Contains the basic attributes of users.
/etc/security/user Contains the extended attributes of users.
/etc/security/user.roles Contains the administrative role attributes of users.
/etc/security/passwd Contains password information.
/etc/security/limits Defines resource quotas and limits for each user.
/etc/security/environ Contains the environment attributes of users.
/etc/group Contains the basic attributes of groups.
/etc/security/group Contains the extended attributes of groups.
/etc/security/.ids Contains standard and administrative user IDs and group IDs.