mkhomedir_helper
Create home directories upon user creation
TLDR
Create a home directory for a user based on /etc/skel with umask 022
Create a home directory for a user based on /etc/skel with all permissions for owner (0) and read permission for group (3)
Create a home directory for a user based on a custom skeleton
SYNOPSIS
mkhomedir_helper username [umask]
PARAMETERS
username
The name of the user for whom the home directory will be created. This is a mandatory positional argument passed by the invoking PAM module.
umask
(Optional) An octal value specifying the umask to be applied when creating the new home directory and its initial files. If not provided, the system's default umask (e.g., 0022) is used.
DESCRIPTION
mkhomedir_helper is a crucial utility primarily invoked by the pam_mkhomedir.so Pluggable Authentication Module (PAM). Its core function is to automatically create a new user's home directory upon their first login to a system, if that directory does not already exist. This automation is vital for a seamless user experience, as it ensures that new users have a properly structured and initialized environment immediately available.
The helper copies initial configuration files and directories from a designated skeletal directory, typically /etc/skel, to the newly created home directory. It meticulously handles setting the correct ownership, permissions, and SELinux contexts for the home directory and its contents, aligning them with the user's UID, GID, and the system's security policies. While mkhomedir_helper is rarely executed directly by end-users, it forms an integral part of the PAM authentication and session management process, ensuring consistency and security in user environment provisioning. Its integration within PAM configurations, often found in files like /etc/pam.d/common-session, underscores its role in system-wide user management.
CAVEATS
Root Privileges: This command typically requires root privileges to execute, as it creates directories and sets ownership for other users. It is usually invoked by PAM, which runs with elevated privileges.
Not User-Facing: mkhomedir_helper is a backend utility and is not designed for direct interactive use by regular users. Incorrect direct invocation can lead to permission issues or security vulnerabilities.
Skeletal Directory Dependency: Its functionality heavily relies on the existence and proper population of the skeletal directory (e.g., /etc/skel). If this directory is missing or empty, newly created home directories may lack essential default configuration files.
SELinux Considerations: On systems with SELinux enabled, mkhomedir_helper must correctly label the new home directory and its contents with appropriate SELinux contexts. Failure to do so can lead to permission denied errors for the user, even if standard file permissions appear correct.
SKELETAL DIRECTORY (/etc/skel)
The /etc/skel directory serves as a template for new user home directories. When mkhomedir_helper creates a home directory, it copies all files and subdirectories from /etc/skel into the new user's home directory. This allows administrators to provide default configuration files, shell startup scripts, and other initial settings for all new users.
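The umask parameter and the /etc/skel template described above can both be checked with a short audit. The shell functions below are an added example, not code from this page or from the Linux-PAM project; they assume GNU find and standard umask semantics (a directory created under umask U gets mode 0777 & ~U), and the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from Linux-PAM. Assumes GNU find (-perm /MODE) and
# standard umask semantics: a directory created under umask U gets 0777 & ~U.

# Print the mode a new home directory receives for a given octal umask.
expected_home_mode() {
    case "$1" in ''|*[!0-7]*) echo "bad umask: $1" >&2; return 2 ;; esac
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# Print home directories directly under BASEDIR that still carry a
# permission bit the given umask would have cleared.
homes_looser_than() {   # usage: homes_looser_than UMASK BASEDIR
    case "$1" in ''|*[!0-7]*) echo "bad umask: $1" >&2; return 2 ;; esac
    bits=$(printf '%o' $(( 0$1 & 0777 )))
    if [ "$bits" = 0 ]; then return 0; fi   # umask 0 clears nothing
    find "$2" -mindepth 1 -maxdepth 1 -type d -perm "/$bits" | sort
}

# Print skeleton entries writable by group or others. Such an entry can be
# altered by a non-root account and is then copied into every new home.
skel_writable_by_others() {   # usage: skel_writable_by_others SKELDIR
    find "$1" -mindepth 1 ! -type l -perm /022 | sort
}

# Demo on a constructed tree (sample data, not a real system).
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/alice" "$t/home/bob" "$t/skel"
    chmod 0755 "$t/home/alice"; chmod 0700 "$t/home/bob"
    : > "$t/skel/.bashrc";  chmod 0666 "$t/skel/.bashrc"
    : > "$t/skel/.profile"; chmod 0644 "$t/skel/.profile"
    echo "umask 0077 -> home mode $(expected_home_mode 0077)"
    homes_looser_than 0077 "$t/home"
    skel_writable_by_others "$t/skel"
    rm -rf "$t"
}
demo
```

On a real host the same functions can be pointed at /home and /etc/skel; anything they print deserves a look before more accounts are provisioned from that template.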
PAM INTEGRATION
The primary way mkhomedir_helper is utilized is through the pam_mkhomedir.so module. This module is typically configured in PAM service files (e.g., /etc/pam.d/system-auth or /etc/pam.d/login) as a 'session' type module. When a user successfully authenticates and their session begins, pam_mkhomedir.so checks if the user's home directory exists. If not, it invokes mkhomedir_helper to create it, ensuring a consistent setup across the system.
SELINUX CONTEXT LABELING
On systems employing SELinux (Security-Enhanced Linux), mkhomedir_helper plays a critical role in ensuring that newly created home directories and their contents are correctly labeled with the appropriate SELinux contexts. This is vital for maintaining system security and preventing access control violations. Incorrect labeling can lead to applications or user processes being denied access to their own home directory files, even with correct traditional file permissions.
HISTORY
mkhomedir_helper emerged as part of the Linux-PAM (Pluggable Authentication Modules) project. Its development aimed to provide a standardized, secure, and automated mechanism for provisioning user home directories upon their initial login. Prior to such helper utilities, administrators often had to manually create home directories or rely on less flexible scripts. The integration with PAM ensures that home directory creation is an integral part of the authentication and session setup process, making it consistent across various login services that utilize PAM. Over time, its functionality has evolved to incorporate modern Linux security features, particularly correct SELinux context labeling, which is crucial for secure multi-user environments.
SEE ALSO
pam_mkhomedir(8), pam(8), login(1), useradd(8), skel(7)