Useradd – What Does `adduser –disabled-login` Do?

useradd

An install document I'm following instructs to add a user like so:

sudo adduser --disabled-login --gecos 'GitLab' git

The --disabled-login flag is absent from most man pages I have searched.

I've made two users, one with the --disabled-login (foo), and one without (git).

As far as I can tell the --disabled-login flag does nothing. I can still su to both users, and both use /bin/bash as their login shell.

The only difference I can see is getent passwd has extra commas before the home folder on the user that has login's disabled. There is no documentation that I can find to indicate what this would mean.

root@gitlab:~# getent passwd git
git:x:998:998:GitLab:/home/git:/bin/bash  

root@gitlab:~# getent passwd foo
foo:x:1001:1002:GitLab,,,:/home/foo:/bin/bash

UPDATE #1

I've found another difference, one user has a * as their password, the other has !:

root@gitlab:~# getent shadow git
git:*:15998::::::
root@gitlab:~# getent shadow foo
foo:!:15998:0:99999:7:::

What exactly does --disabled-login do on Ubuntu?

Best Answer

The explanation is not well documented.

--disabled-login sets the password to !

Password values

NP or null = The account has no password
*  = The account is deactivated & locked
!  = The login is deactivated, user will be unable to login
!!  = The password has expired

Examples

root@gitlab:~# getent shadow vagrant
vagrant:$6$abcdefghijklmnopqrstuvwxyz/:15805:0:99999:7:::

root@gitlab:~# getent shadow foo
foo:!:15998:0:99999:7:::

root@gitlab:~# getent shadow git
git:*:15998::::::

wikipedia briefly covers this. It appears that * and ! effectively do the same thing; prevent the user from logging in (but not from su'ing from a different user)

Related Solutions

Debian – What Does Adduser Do That Useradd Doesn’t

First off, the respective man page snippets highlight the differences between the two commands and give some indication of what is going on. For adduser:

adduser and addgroup add users and groups to the system according to command line options and configuration information in /etc/adduser.conf. They are friendlier front ends to the low level tools like useradd, groupadd and usermod programs, by default choosing Debian policy conformant UID and GID values, creating a home directory with skeletal configuration, running a custom script, and other features.

Then for useradd:

useradd is a low level utility for adding users. On Debian, administrators should usually use adduser(8) instead.

Further investigation of adduser reveals that it is a perl script providing a high level interface to, and thus offering some of the functionality of, the following commands:

useradd
groupadd
passwd - used to add/change users passwords.
gpasswd - used to add/change group passwords.
usermod - used to change various user associated parameters.
chfn - used to add/change additional information held on a user.
chage - used to change password expiry information.
edquota - used to change disk usage quotas.

A basic run of the adduser command is as follows:

adduser username

This simple command will do a number of things:

Create the user named username.
Create the user's home directory (default is /home/username and copy the files from /etc/skel into it.
Create a group with the same name as the user and place the user in it.
Prompt for a password for the user.
Prompt for additional information on the user.

The useradd program can most of accomplish most of this, however it does not do so by default and needs additional options. Some of the information requires more commands:

useradd -m -U username
passwd username
chfn username

Note that adduser ensures that created UIDs and GIDs conform with the Debian policy. Creating normal users with useradd seems to be ok, provided UID_MIN/UID_MAX in /etc/login.defs matches the Debian policy. What is a problem though is that Debian specifies a particular range for system user UIDs which only seems to be supported in /etc/adduser.conf, so naively adding a system user with useradd and not specifying a UID/GUID in the correct range leaves the potential for serious problems.

Another common use for adduser is to simplify the process of adding a user to a group. Here, the following command:

adduser username newgroup

is equivalent to the following usermod command:

usermod -a -G newgroup username

The main drawback from usermod in this case is that forgetting to pass the append option (i.e.: -a) would end up removing the user from all groups before adding them to "newgroup" (i.e.: -G alone means "replace with").

One downside to using adduser here though is that you can only specify one group at a time.

Users – Steps to Add a User Without Using useradd/adduser

The possible way to add an user is more or less similar to what I had put in the question. I got this approach from here.

To create a new account manually, follow these steps:

Edit /etc/passwd with vipw and add a new line for the new account. Be careful with the syntax. Do not edit directly with an editor. vipw locks the file, so that other commands won't try to update it at the same time. You should make the password field be `*', so that it is impossible to log in.

Similarly, edit /etc/group with vigr, if you need to create a new group as well.

Create the home directory of the user with mkdir.

Copy the files from /etc/skel to the new home directory.

Fix ownerships and permissions with chown and chmod. The -R option is most useful. The correct permissions vary a little from one site to another, but usually the following commands do the right thing:

cd /home/newusername
chown -R username.group .
chmod -R go=u,go-w .
chmod go= .

Set the password with passwd.

After you set the password in the last step, the account will work. You shouldn't set it until everything else has been done, otherwise the user may inadvertently log in while you're still copying the files.