man/systemd-sysusers.xml

   1 <?xml version='1.0'?> <!--*-nxml-*-->
   2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   3   "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
   4 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
   5
   6 <refentry id="systemd-sysusers"
   7     xmlns:xi="http://www.w3.org/2001/XInclude">
   8
   9   <refentryinfo>
  10     <title>systemd-sysusers</title>
  11     <productname>systemd</productname>
  12   </refentryinfo>
  13
  14   <refmeta>
  15     <refentrytitle>systemd-sysusers</refentrytitle>
  16     <manvolnum>8</manvolnum>
  17   </refmeta>
  18
  19   <refnamediv>
  20     <refname>systemd-sysusers</refname>
  21     <refname>systemd-sysusers.service</refname>
  22     <refpurpose>Allocate system users and groups</refpurpose>
  23   </refnamediv>
  24
  25   <refsynopsisdiv>
  26     <cmdsynopsis>
  27       <command>systemd-sysusers</command>
  28       <arg choice="opt" rep="repeat">OPTIONS</arg>
  29       <arg choice="opt" rep="repeat"><replaceable>CONFIGFILE</replaceable></arg>
  30     </cmdsynopsis>
  31
  32     <para><filename>systemd-sysusers.service</filename></para>
  33   </refsynopsisdiv>
  34
  35   <refsect1>
  36     <title>Description</title>
  37
  38     <para><command>systemd-sysusers</command> creates system users and groups, based on files in the format
  39     described in
  40     <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
  41     </para>
  42
  43     <para>If invoked with no arguments, it applies all directives from all files found in the directories
  44     specified by
  45     <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. When
  46     invoked with positional arguments, if option <option>--replace=<replaceable>PATH</replaceable></option>
  47     is specified, arguments specified on the command line are used instead of the configuration file
  48     <replaceable>PATH</replaceable>. Otherwise, just the configuration specified by the command line
  49     arguments is executed. The string <literal>-</literal> may be specified instead of a filename to instruct
  50     <command>systemd-sysusers</command> to read the configuration from standard input. If the argument is a
  51     relative path, all configuration directories are searched for a matching file and the file found that has
  52     the highest priority is executed. If the argument is an absolute path, that file is used directly without
  53     searching of the configuration directories.</para>
  54   </refsect1>
  55
  56   <refsect1>
  57     <title>Options</title>
  58
  59     <para>The following options are understood:</para>
  60
  61     <variablelist>
  62       <varlistentry>
  63         <term><option>--root=<replaceable>root</replaceable></option></term>
  64         <listitem><para>Takes a directory path as an argument. All
  65         paths will be prefixed with the given alternate
  66         <replaceable>root</replaceable> path, including config search
  67         paths. </para></listitem>
  68       </varlistentry>
  69
  70       <varlistentry>
  71         <term><option>--image=<replaceable>image</replaceable></option></term>
  72
  73         <listitem><para>Takes a path to a disk image file or block device node. If specified all operations
  74         are applied to file system in the indicated disk image. This is similar to <option>--root=</option>
  75         but operates on file systems stored in disk images or block devices. The disk image should either
  76         contain just a file system or a set of file systems within a GPT partition table, following the
  77         <ulink url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable Partitions
  78         Specification</ulink>. For further information on supported disk images, see
  79         <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
  80         switch of the same name.</para></listitem>
  81       </varlistentry>
  82
  83       <varlistentry>
  84         <term><option>--replace=<replaceable>PATH</replaceable></option></term>
  85         <listitem><para>When this option is given, one or more positional arguments
  86         must be specified. All configuration files found in the directories listed in
  87         <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
  88         will be read, and the configuration given on the command line will be
  89         handled instead of and with the same priority as the configuration file
  90         <replaceable>PATH</replaceable>.</para>
  91
  92         <para>This option is intended to be used when package installation scripts
  93         are running and files belonging to that package are not yet available on
  94         disk, so their contents must be given on the command line, but the admin
  95         configuration might already exist and should be given higher priority.
  96         </para>
  97
  98         <example>
  99           <title>RPM installation script for radvd</title>
 100
 101           <programlisting>echo 'u radvd - "radvd daemon"' | \
 102           systemd-sysusers --replace=/usr/lib/sysusers.d/radvd.conf -</programlisting>
 103
 104           <para>This will create the radvd user as if
 105           <filename>/usr/lib/sysusers.d/radvd.conf</filename> was already on disk.
 106           An admin might override the configuration specified on the command line by
 107           placing <filename>/etc/sysusers.d/radvd.conf</filename> or even
 108           <filename>/etc/sysusers.d/00-overrides.conf</filename>.</para>
 109
 110           <para>Note that this is the expanded form, and when used in a package, this
 111           would be written using a macro with "radvd" and a file containing the
 112           configuration line as arguments.</para>
 113         </example>
 114         </listitem>
 115       </varlistentry>
 116
 117       <varlistentry>
 118         <term><option>--dry-run</option></term>
 119         <listitem><para>Process the configuration and figure out what entries would be created, but don't
 120         actually write anything.</para></listitem>
 121       </varlistentry>
 122
 123       <varlistentry>
 124         <term><option>--inline</option></term>
 125         <listitem><para>Treat each positional argument as a separate configuration
 126         line instead of a file name.</para></listitem>
 127       </varlistentry>
 128
 129       <xi:include href="standard-options.xml" xpointer="cat-config" />
 130       <xi:include href="standard-options.xml" xpointer="no-pager" />
 131       <xi:include href="standard-options.xml" xpointer="help" />
 132       <xi:include href="standard-options.xml" xpointer="version" />
 133     </variablelist>
 134   </refsect1>
 135
 136   <refsect1>
 137     <title>Credentials</title>
 138
 139     <para><command>systemd-sysusers</command> supports the service credentials logic as implemented by
 140     <varname>LoadCredential=</varname>/<varname>SetCredential=</varname> (see
 141     <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
 142     details). The following credentials are used when passed in:</para>
 143
 144     <variablelist>
 145       <varlistentry>
 146         <term><literal>passwd.hashed-password.<replaceable>user</replaceable></literal></term>
 147         <listitem><para>A UNIX hashed password string to use for the specified user, when creating an entry
 148         for it. This is particularly useful for the <literal>root</literal> user as it allows provisioning
 149         the default root password to use via a unit file drop-in or from a container manager passing in this
 150         credential. Note that setting this credential has no effect if the specified user account already
 151         exists. This credential is hence primarily useful in first boot scenarios or systems that are fully
 152         stateless and come up with an empty <filename>/etc/</filename> on every boot.</para></listitem>
 153       </varlistentry>
 154
 155       <varlistentry>
 156         <term><literal>passwd.plaintext-password.<replaceable>user</replaceable></literal></term>
 157
 158         <listitem><para>Similar to <literal>passwd.hashed-password.<replaceable>user</replaceable></literal>
 159         but expect a literal, plaintext password, which is then automatically hashed before used for the user
 160         account. If both the hashed and the plaintext credential are specified for the same user the
 161         former takes precedence. It's generally recommended to specify the hashed version; however in test
 162         environments with weaker requirements on security it might be easier to pass passwords in plaintext
 163         instead.</para></listitem>
 164       </varlistentry>
 165
 166       <varlistentry>
 167         <term><literal>passwd.shell.<replaceable>user</replaceable></literal></term>
 168
 169         <listitem><para>Specifies the shell binary to use for the specified account when creating it.</para></listitem>
 170       </varlistentry>
 171
 172       <varlistentry>
 173         <term><literal>sysusers.extra</literal></term>
 174
 175         <listitem><para>The contents of this credential may contain additional lines to operate on. The
 176         credential contents should follow the same format as any other <filename>sysusers.d/</filename>
 177         drop-in. If this credential is passed it is processed after all of the drop-in files read from the
 178         file system.</para></listitem>
 179       </varlistentry>
 180     </variablelist>
 181
 182     <para>Note that by default the <filename>systemd-sysusers.service</filename> unit file is set up to
 183     inherit the <literal>passwd.hashed-password.root</literal>,
 184     <literal>passwd.plaintext-password.root</literal>, <literal>passwd.shell.root</literal> and
 185     <literal>sysusers.extra</literal> credentials from the service manager. Thus, when invoking a container
 186     with an unpopulated <filename>/etc/</filename> for the first time it is possible to configure the root
 187     user's password to be <literal>systemd</literal> like this:</para>
 188
 189     <para><programlisting># systemd-nspawn --image=… --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' …</programlisting></para>
 190
 191     <para>Note again that the data specified in this credential is consulted only when creating an account
 192     for the first time, it may not be used for changing the password or shell of an account that already
 193     exists.</para>
 194
 195     <para>Use <citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
 196     for generating UNIX password hashes from the command line.</para>
 197   </refsect1>
 198
 199   <refsect1>
 200     <title>Exit status</title>
 201
 202     <para>On success, 0 is returned, a non-zero failure code
 203     otherwise.</para>
 204   </refsect1>
 205
 206   <refsect1>
 207     <title>See Also</title>
 208     <para>
 209       <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
 210       <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
 211       <ulink url="https://systemd.io/UIDS-GIDS">Users, Groups, UIDs and GIDs on systemd systems</ulink>,
 212       <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
 213       <citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
 214     </para>
 215   </refsect1>
 216
 217 </refentry>