Bash Index : U - The 'U' Bash commands : description, flags and examples



  1. updates /etc/ssl/certs/ to hold SSL certificates
  2. generates ca-certificates.crt, a concatenated single-file list of certificates



unset values and attributes of variables and functions


Flag Usage
-v variableName unset variableName and remove it from the environment
read-only variables can not be unset



unmount filesystems


Flag Usage
lazy unmount : detach the filesystem from the file hierarchy now, and clean up all references to this filesystem as soon as it is not busy anymore
  • sounds like a dangerous option if used on a removable media, since you don't know whether it's safe to unplug it or not
  • the purpose of this option would be to unmount a volume while a software is still writing to it then mount another volume at the same mount point (details)


Installed with the Debian package

unrar (non free)
There is also an unrar-free package
  • this article is about the non-free version
  • commands / flags may differ (see man page)


Extract files from .rar archives. TO create .rar archives, you'll need rar.


Flag Usage
e archive.rar extract all files from archive.rar into the current directory.
Files with identical names that belong to different sub-directories inside the archive will collide once extracted (unrar will prompt whether to overwrite / rename / ...). Consider x to avoid this.
l archive.rar list contents of archive.rar (and see if it has sub-directories)
x archive.rar extract archive.rar respecting its internal tree structure


ufw (Uncomplicated FireWall) is not actually a shell built-in but a frontend (available via ufw) for iptables. ufw :

ufw vs iptables : which one should I use ? (source)

  • provided ufw is only a frontend to iptables (and unless you need some advanced features), there's no real gain using one or the other : stick to the one you're comfortable + efficient with
  • if you already know and use iptables, ufw would only be a different tool to do the same thing (so if you're curious and have spare time, go for it)
  • if you know none of these, ufw is a good starting point since it was designed to ease iptables firewall configuration



Set / print the user's file creation mask. This is used to set the initial permissions for new files and directories.

How does it work ?

The man page (or man -P 'less -p "^ *umask"' bash) is not very explicit, so here's the recipe :
  1. there is a "default maximum permissions" value :
    • for regular files : 666
    • for directories : 777
  2. subtract the mask value (often defaults to 022) from this "default maximum permissions" value to get the default permissions :
    • for regular files : 666 - 022 = 644 (i.e. rw-r--r--)
    • for directories : 777 - 022 = 755 (i.e. rwxr-xr-x)

Mask values

Mask value Permissions for ... Who can ... ?
files directories read write
022 rw-r--r-- rwxr-xr-x everybody owner only
077 rw------- rwx------ owner only owner only


You can define the mask value with umask maskValue :
  • for everybody, in :
    • /etc/profile
    • /etc/bashrc
  • for me only, in :
    • ~/.bashrc
Check current definition :
grep umask /etc/profile /etc/bashrc ~/.bashrc 2>/dev/null


cd /run/shm; for value in 022 044 055 077; do echo -e "\numask : $value"; umask "$value"; touch myFile; mkdir myDir; ls -ld my*; rm myFile; rmdir myDir; done
umask : 022
drwxr-xr-x 2 stuart users 1024 Apr 18 10:35 myDir
-rw-r--r-- 1 stuart users    0 Apr 18 10:35 myFile

umask : 044			permissions below don't work in "real life", this example is for demonstration only
drwx-wx-wx 2 stuart users 1024 Apr 18 10:35 myDir
-rw--w--w- 1 stuart users    0 Apr 18 10:35 myFile

umask : 055			same comment as above : for demo only, not for real life
drwx-w--w- 2 stuart users 1024 Apr 18 10:35 myDir
-rw--w--w- 1 stuart users    0 Apr 18 10:35 myFile

umask : 077
drwx------ 2 stuart users 1024 Apr 18 10:35 myDir
-rw------- 1 stuart users    0 Apr 18 10:35 myFile



update-rc.d has been obsoleted by systemctl and systemd.

install and remove System-V style init script links

A common system administration error is to delete the /etc/rcrunlevel.d/[SK]NNname links with the thought that this will "disable" the service, i.e., that this will prevent the service from being started.
However, if all links have been deleted then the next time the package is upgraded, the package's postinst script will run update-rc.d again and this will reinstall links at their factory default locations.

The correct way to disable services is to configure the service as stopped in all runlevels in which it is started by default. In the System-V init system, this means renaming the service's symbolic links from S to K. To do so :

update-rc.d service disable




update-alternatives is used to maintain the symbolic links (found in /etc/alternatives/) determining default commands

It is possible for several programs fulfilling similar functions (e.g. text editors) to be installed on a single system at the same time. This gives choice to the users, allowing each to use a different editor, but makes it difficult for a program to make a good choice of editor to invoke if the user has not specified a particular preference.

The alternatives system aims to solve this problem. A generic name in the filesystem is shared by all files providing interchangeable functionality :

  1. ll /usr/bin/editor
    lrwxrwxrwx 1 root root 24 Oct 11 15:47 /usr/bin/editor -> /etc/alternatives/editor*
  2. ll /etc/alternatives/editor
    lrwxrwxrwx 1 root root 18 Mar 24 15:04 /etc/alternatives/editor -> /usr/bin/vim.basic*

update-alternatives is generally automatically executed when installing / removing software on the system.

alternatives are handled by groups (for instance: for a binary and the associated man pages) known as link groups, so that they can (should!) be updated all at once : updating the master of a link group triggers the update of the slave link(s).

Each link group is, at any given time, in one of two modes :

Link groups are in automatic mode when they are first introduced to the system. If the system administrator makes changes to the system's automatic settings, this will be noticed the next time alternatives is run on the changed link's group, and the group will automatically be switched to manual mode.


Get the value of the current alternatives editor setting :

update-alternatives --display editor
editor - manual mode
	link best version is /usr/bin/vim
	link currently points to /usr/bin/vim.basic			current setting
	link editor is /usr/bin/editor
	slave editor.1.gz is /usr/share/man/man1/editor.1.gz		symlinks /usr/share/man/man1/editor.1.gz -> /etc/alternatives/editor.1.gz -> /usr/share/man/man1/vim.1.gz
	slave is /usr/share/man/fr/man1/editor.1.gz
/bin/nano - priority 40
	slave editor.1.gz: /usr/share/man/man1/nano.1.gz
/usr/bin/emacs24 - priority 0
	slave editor.1.gz: /usr/share/man/man1/emacs.emacs24.1.gz
/usr/bin/vim - priority 50
/usr/bin/vim.basic - priority 30
	slave editor.1.gz: /usr/share/man/man1/vim.1.gz
	slave /usr/share/man/fr/man1/vim.1.gz
/usr/bin/vim.tiny - priority 15
	slave editor.1.gz: /usr/share/man/man1/vim.1.gz
	slave /usr/share/man/fr/man1/vim.1.gz

Toggle the editor setting to automatic :

  1. As root : update-alternatives --auto editor
    update-alternatives: using /usr/bin/vim to provide /usr/bin/editor (editor) in auto mode
  2. update-alternatives --display editor
    editor - auto mode
    	link best version is /usr/bin/vim
    	link currently points to /usr/bin/vim
    	link editor is /usr/bin/editor

Configure the value of editor interactively :

As root : update-alternatives --config editor
There are 5 choices for the alternative editor (providing /usr/bin/editor).

  Selection    Path                Priority   Status
* 0            /usr/bin/vim         50        auto mode
  1            /bin/nano            40        manual mode
  2            /usr/bin/emacs24     0         manual mode
  3            /usr/bin/vim         50        manual mode
  4            /usr/bin/vim.basic   30        manual mode
  5            /usr/bin/vim.tiny    15        manual mode

Press <enter> to keep the current choice[*], or type selection number: 1
update-alternatives: using /bin/nano to provide /usr/bin/editor (editor) in manual mode

Set the value of editor non-interactively :

  1. As root : update-alternatives --set editor /usr/bin/vim.basic
    update-alternatives: using /usr/bin/vim.basic to provide /usr/bin/editor (editor) in manual mode
  2. update-alternatives --display editor
    editor - manual mode
    	link best version is /usr/bin/vim
    	link currently points to /usr/bin/vim.basic
    	link editor is /usr/bin/editor



Update user information
Changes will only be effective after the next login. (or consider newgrp)


Flag Usage
-a (only with -G) append specified group to group list
-e expireDate
--expiredate expireDate
Specify the account expiration date (format : YYYY-MM-DD) : after this date :
  • the account password will be in expired state
  • expired passwords have a grace time (a few days) to be changed before the account is actually locked
  • the account will get a warning at each login
  • source : man -P 'less -p "lock the account"' usermod
Values :
  • an empty date "" disables account expiration (i.e. it never expires)
  • to disable the account, specify 1 as the expiration date : this sets the account's expire date to Jan 2, 1970.
-g change the user's initial group
-G change the user's secondary Group(s)
-L bob
--lock bob
-p encryptedPassword
--password encryptedPassword
store encryptedPassword into /etc/shadow
-s otherShell change the user's shell to otherShell
-U bob
--unlock bob


Change user's primary group :

usermod -g groupName bob
Bob's primary group becomes groupName.

Add user to secondary group(s) :

  • usermod -aG groupName kevin
    groupName is appended to the list of Kevin's secondary groups
  • adduser kevin groupName
    details : man -P 'less -p "Add an existing user to an existing group"' adduser

Remove a user from a group :

read this

Change user's shell :

  • usermod -s /bin/bash stuart
  • usermod -s /usr/sbin/nologin stuart : forbid login to Stuart



Delete user account


Flag Usage
-r delete :
  • user's home directory content
  • user's home directory itself
  • user's mail spool


Delete user account + remove home directory and mail spool :

userdel -r bob

useradd / adduser


Create a new user or update default "new user" information.

What's the difference between useradd and adduser (source) ?

file /usr/sbin/{useradd,adduser}
/usr/sbin/useradd: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/, for GNU/Linux 2.6.32, BuildID[sha1]=493f6bd6c372a7a9a93e26de333ee303d3ed9e53, stripped
/usr/sbin/adduser: Perl script text executable
  • useradd is a native binary compiled with the system
  • adduser is a Perl script which uses useradd binary in back-end. adduser is more user friendly and interactive than its back-end useradd. There's no difference in features provided.
  • On some Red Hatoids (noticed this on a CentOS machine) looks like /usr/sbin/adduser is not on the default path.
  • /usr/sbin/adduser actually symlinks to /usr/sbin/useradd (noticed this on a Red Hat 4.1 machine)


Flag Usage
-d /home/userName
--home /home/userName
The new user will be created using /home/userName as the user's login directory.
-D [options...]
Display Default values of account settings (group, home dir, shell, ...)
update Default value of settings field
--disabled-login The account will be created but will be disabled until a password is set. adduser-only option
--disabled-password Like --disabled-login, but logins are still possible (for example using SSH keys) but not using password authentication since no password is set.
  • adduser-only option
  • The sentence password login is disabled but other means (such as SSH keys) are still possible is tricky. In the context of trying to disable SSH password-based logins in favor of SSH keys, this sentence must be understood as : This option will not block other authentication methods (like SSH keys). This leaves the possibility for this "other authentication method" to fail if misused or misconfigured. Such situation would have nothing to do with the use of the --disabled-password flag.
-g value --gid value
  • set the user's initial group : value can either be the group name or its GID. This group MUST exist.
  • if omitted, the behavior of useradd will depend on the USERGROUPS_ENAB variable in /etc/login.defs :
    • yes (default) : a group will be created for the user, with the same name as her login name
    • no : useradd will set the primary group of the new user to the value specified by the GROUP variable in /etc/default/useradd, or 100 by default
    source : man -P 'less -p "If not specified.*USERGROUPS_ENAB"' useradd
-G group1,group2,,groupn set user's secondary Group(s)
-m create user's home directory if it doesn't exist yet
-o --non-unique
  • allow the creation of a user account with a duplicate (non-unique) UID
  • this option is only valid in combination with -u
  • -r (useradd)
  • --system (adduser)
create a system account
useradd will not create a home directory for such a user (regardless of the default setting in /etc/login.defs), explicitly specify -m to do so.
-s userShell specify the user's shell
  • default value : grep DSHELL /etc/adduser.conf
  • initially set to : /bin/bash
  • should the user not be allowed to log in, use either /sbin/nologin or /bin/false
-u UID --uid UID specify the user's ID (numerical value). This value must be :
  • unique (except with -o)
  • non-negative
  • defaults to the smallest value that is
    • UID_MIN
    • and > every other UID
This value may also become the GID under some special circumstances.


Generic user creation :

useradd -d /home/bob -g primaryGroup -m bob
useradd -d /home/bob -s /bin/bash -m bob
This way, the user account is created as disabled. (shown by the ! right after the login name in /etc/shadow) To enable it, unlock the account (blank password !!!) then login as this new user and set a password. (or, as root : passwd bob)
username='bob'; homeDir="/home/$username"; uid='7807'; gid='7800'; useradd --home "$homeDir" --uid "$uid" --gid "$gid" -m "$username"

Create account for Kevin, and set its primary group to developers :

useradd -g developers kevin

Create account for Stuart, and let him belong to secondary groups admins, ftp, www, developers :

useradd -G admins,ftp,www,developers stuart

groups are comma-separated, without space.

Declare the default shell will be /bin/sh for future account creations :

useradd -D -s /bin/sh

User creation (again) :

Debian style :

username="bob"; homeDir="/home/$username"; sshDirectory="$homeDir/.ssh"; sshKeys="$sshDirectory/authorized_keys"; adduser --home "$homeDir" --shell /bin/bash --disabled-password "$username"; mkdir "$sshDirectory"; touch "$sshKeys"; chmod 700 "$sshDirectory"; chmod 600 "$sshKeys"; chown "$username": "$sshDirectory" "$sshKeys"

Red Hat style :

username="bob"; homeDir="/home/$username"; sshDirectory="$homeDir/.ssh"; sshKeys="$sshDirectory/authorized_keys"; adduser -m --home-dir "$homeDir" --shell /bin/bash "$username"; mkdir "$sshDirectory"; touch "$sshKeys"; chmod 700 "$sshDirectory"; chmod 600 "$sshKeys"; chown "$username": "$sshDirectory" "$sshKeys"

Create a passwordless account : won't get authenticated by password, must use other means such as SSH keys (details) :

  1. adduser [other options] bob
  2. passwd -l bob
See also --disabled-password.

Create an alternate root account (source) :

useradd -om -u 0 -g 0 -s /bin/sh administrator



Report or omit repeated lines.
  • uniq does not detect repeated lines unless they are adjacent. You may want to sort the input first, or use sort -u without uniq.
  • Also, comparisons honor the rules specified by LC_COLLATE.


Flag Usage
-c --count prefix lines with the count of occurrences
-d --repeated only print duplicate lines
-u --unique only print unique lines


Count the number of files from my home directory that where modified the same day

ll ~ | awk '!/^total/ {print $6" "$7}' | uniq -c
  • the ! prefixing the RegExp instructs Awk to apply on lines NOT matching the RegExp (lines not starting with total, here)
  • here, uniq is somewhat equivalent to a SQL select distinct ... ;

Find duplicate lines :

echo -e "aaa\nbbb\naaa\nccc" | uniq -d
Nothing found because duplicates are not adjacent
echo -e "aaa\naaa\nbbb\nccc" | uniq -d
echo -e "aaa\naaa\nbbb\nccc" | sort | uniq -d

Find unique lines :

echo -e "aaa\nbbb\naaa\nccc" | uniq -u
echo -e "aaa\naaa\nbbb\nccc" | uniq -u
echo -e "aaa\naaa\nbbb\nccc" | sort -u



User limits - limit the use of system-wide resources.

ulimit provides control over the resources available to the shell and to processes started by it, on systems that allow such control.
The soft limit is the value that the kernel enforces for the corresponding resource. The hard limit acts as a ceiling for the soft limit.
An unprivileged process may only set its soft limit to a value in the range from 0 up to the hard limit, and (irreversibly) lower its hard limit. A privileged process may make arbitrary changes to either limit value.
If limit is given, it is the new value of the specified resource. Otherwise, the current value of the soft limit for the specified resource is printed, unless the -H option is supplied.

A command returning something like cannot : Resource temporarily unavailable may be the sign of hitting one of these limits.

More about soft limit and hard limit (source) :

A hard limit can only be raised by root (any process can lower it). So it is useful for security: a non-root process cannot overstep a hard limit. But it's inconvenient in that a non-root process can't have a lower limit than its children.

A soft limit can be changed by the process at any time (to the extent permitted by the hard limit unless running as root of course). So it's convenient as long as processes cooperate, but no good for security.


Flag Usage
-a Report all current limits. This can be used to check updating a limit was successful
-Hx value
Report the hard limit associated with the resource x
Set the hard limit associated with the resource x to value
-Sx value
Report the soft limit associated with the resource x
Set the soft limit associated with the resource x to value
-n The maximum number of open file descriptors


Get maximum number of open file descriptors (source) :

  1. (since limits can be set per user) : su - bob
  2. soft limit : ulimit -Sn
  3. hard limit : ulimit -Hn