Commit | Line | Data |
---|---|---|
21236ab5 | 1 | <?xml version='1.0'?> <!--*-nxml-*--> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
db9ecf05 | 4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
21236ab5 LP |
5 | |
6 | <refentry id="systemd-sysusers" | |
798d3a52 ZJS |
7 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
8 | ||
9 | <refentryinfo> | |
10 | <title>systemd-sysusers</title> | |
11 | <productname>systemd</productname> | |
798d3a52 ZJS |
12 | </refentryinfo> |
13 | ||
14 | <refmeta> | |
15 | <refentrytitle>systemd-sysusers</refentrytitle> | |
16 | <manvolnum>8</manvolnum> | |
17 | </refmeta> | |
18 | ||
19 | <refnamediv> | |
20 | <refname>systemd-sysusers</refname> | |
21 | <refname>systemd-sysusers.service</refname> | |
22 | <refpurpose>Allocate system users and groups</refpurpose> | |
23 | </refnamediv> | |
24 | ||
25 | <refsynopsisdiv> | |
26 | <cmdsynopsis> | |
27 | <command>systemd-sysusers</command> | |
28 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
29 | <arg choice="opt" rep="repeat"><replaceable>CONFIGFILE</replaceable></arg> | |
30 | </cmdsynopsis> | |
31 | ||
32 | <para><filename>systemd-sysusers.service</filename></para> | |
33 | </refsynopsisdiv> | |
34 | ||
35 | <refsect1> | |
36 | <title>Description</title> | |
37 | ||
0336c23e ZJS |
38 | <para><command>systemd-sysusers</command> creates system users and groups, based on files in the format |
39 | described in | |
798d3a52 ZJS |
40 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. |
41 | </para> | |
42 | ||
0336c23e ZJS |
43 | <para>If invoked with no arguments, it applies all directives from all files found in the directories |
44 | specified by | |
45 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. When | |
46 | invoked with positional arguments, if option <option>--replace=<replaceable>PATH</replaceable></option> | |
47 | is specified, arguments specified on the command line are used instead of the configuration file | |
48 | <replaceable>PATH</replaceable>. Otherwise, just the configuration specified by the command line | |
49 | arguments is executed. The string <literal>-</literal> may be specified instead of a filename to instruct | |
50 | <command>systemd-sysusers</command> to read the configuration from standard input. If the argument is a | |
51 | relative path, all configuration directories are searched for a matching file and the file found that has | |
52 | the highest priority is executed. If the argument is an absolute path, that file is used directly without | |
53 | searching the configuration directories.</para> | |
798d3a52 ZJS |
54 | </refsect1> |
55 | ||
56 | <refsect1> | |
57 | <title>Options</title> | |
58 | ||
59 | <para>The following options are understood:</para> | |
60 | ||
61 | <variablelist> | |
62 | <varlistentry> | |
63 | <term><option>--root=<replaceable>root</replaceable></option></term> | |
64 | <listitem><para>Takes a directory path as an argument. All | |
65 | paths will be prefixed with the given alternate | |
66 | <replaceable>root</replaceable> path, including config search | |
67 | paths. </para></listitem> | |
68 | </varlistentry> | |
69 | ||
71b1d2de LP |
70 | <varlistentry> |
71 | <term><option>--image=<replaceable>image</replaceable></option></term> | |
72 | ||
73 | <listitem><para>Takes a path to a disk image file or block device node. If specified, all operations | |
74 | are applied to the file system in the indicated disk image. This is similar to <option>--root=</option> | |
75 | but operates on file systems stored in disk images or block devices. The disk image should either | |
76 | contain just a file system or a set of file systems within a GPT partition table, following the | |
db811444 | 77 | <ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions |
71b1d2de LP |
78 | Specification</ulink>. For further information on supported disk images, see |
79 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
80 | switch of the same name.</para></listitem> | |
81 | </varlistentry> | |
82 | ||
9ea81191 LP |
83 | <xi:include href="standard-options.xml" xpointer="image-policy-open" /> |
84 | ||
d16a1c1b ZJS |
85 | <varlistentry> |
86 | <term><option>--replace=<replaceable>PATH</replaceable></option></term> | |
ba669952 | 87 | <listitem><para>When this option is given, one or more positional arguments |
d16a1c1b ZJS |
88 | must be specified. All configuration files found in the directories listed in |
89 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
90 | will be read, and the configuration given on the command line will be | |
91 | handled instead of and with the same priority as the configuration file | |
92 | <replaceable>PATH</replaceable>.</para> | |
93 | ||
94 | <para>This option is intended to be used when package installation scripts | |
95 | are running and files belonging to that package are not yet available on | |
96 | disk, so their contents must be given on the command line, but the admin | |
97 | configuration might already exist and should be given higher priority. | |
98 | </para> | |
99 | ||
100 | <example> | |
101 | <title>RPM installation script for radvd</title> | |
102 | ||
103 | <programlisting>echo 'u radvd - "radvd daemon"' | \ | |
104 | systemd-sysusers --replace=/usr/lib/sysusers.d/radvd.conf -</programlisting> | |
105 | ||
106 | <para>This will create the radvd user as if | |
107 | <filename>/usr/lib/sysusers.d/radvd.conf</filename> was already on disk. | |
108 | An admin might override the configuration specified on the command line by | |
109 | placing <filename>/etc/sysusers.d/radvd.conf</filename> or even | |
110 | <filename>/etc/sysusers.d/00-overrides.conf</filename>.</para> | |
111 | ||
82d0776d | 112 | <para>Note that this is the expanded form, and when used in a package, this |
d16a1c1b ZJS |
113 | would be written using a macro with "radvd" and a file containing the |
114 | configuration line as arguments.</para> | |
115 | </example> | |
116 | </listitem> | |
117 | </varlistentry> | |
118 | ||
64fe1095 ZJS |
119 | <varlistentry> |
120 | <term><option>--dry-run</option></term> | |
121 | <listitem><para>Process the configuration and figure out what entries would be created, but don't | |
122 | actually write anything.</para></listitem> | |
123 | </varlistentry> | |
124 | ||
1b600bd5 ZJS |
125 | <varlistentry> |
126 | <term><option>--inline</option></term> | |
127 | <listitem><para>Treat each positional argument as a separate configuration | |
128 | line instead of a file name.</para></listitem> | |
129 | </varlistentry> | |
130 | ||
ec0327d6 | 131 | <xi:include href="standard-options.xml" xpointer="cat-config" /> |
dcd5c891 | 132 | <xi:include href="standard-options.xml" xpointer="no-pager" /> |
798d3a52 ZJS |
133 | <xi:include href="standard-options.xml" xpointer="help" /> |
134 | <xi:include href="standard-options.xml" xpointer="version" /> | |
135 | </variablelist> | |
99e9f896 LP |
136 | </refsect1> |
137 | ||
138 | <refsect1> | |
139 | <title>Credentials</title> | |
140 | ||
141 | <para><command>systemd-sysusers</command> supports the service credentials logic as implemented by | |
bbfb25f4 DDM |
142 | <varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname> |
143 | (see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for | |
99e9f896 LP |
144 | details). The following credentials are used when passed in:</para> |
145 | ||
146 | <variablelist> | |
147 | <varlistentry> | |
148 | <term><literal>passwd.hashed-password.<replaceable>user</replaceable></literal></term> | |
149 | <listitem><para>A UNIX hashed password string to use for the specified user, when creating an entry | |
150 | for it. This is particularly useful for the <literal>root</literal> user as it allows provisioning | |
151 | the default root password to use via a unit file drop-in or from a container manager passing in this | |
152 | credential. Note that setting this credential has no effect if the specified user account already | |
153 | exists. This credential is hence primarily useful in first boot scenarios or systems that are fully | |
154 | stateless and come up with an empty <filename>/etc/</filename> on every boot.</para></listitem> | |
155 | </varlistentry> | |
156 | ||
157 | <varlistentry> | |
158 | <term><literal>passwd.plaintext-password.<replaceable>user</replaceable></literal></term> | |
159 | ||
160 | <listitem><para>Similar to <literal>passwd.hashed-password.<replaceable>user</replaceable></literal> | |
161 | but expects a literal, plaintext password, which is then automatically hashed before being used for the user | |
162 | account. If both the hashed and the plaintext credential are specified for the same user, the | |
163 | former takes precedence. It's generally recommended to specify the hashed version; however in test | |
164 | environments with weaker requirements on security it might be easier to pass passwords in plaintext | |
165 | instead.</para></listitem> | |
166 | </varlistentry> | |
167 | ||
168 | <varlistentry> | |
169 | <term><literal>passwd.shell.<replaceable>user</replaceable></literal></term> | |
170 | ||
3d62af7d | 171 | <listitem><para>Specifies the shell binary to use for the specified account when creating it.</para></listitem> |
99e9f896 | 172 | </varlistentry> |
3acb6ede LP |
173 | |
174 | <varlistentry> | |
175 | <term><literal>sysusers.extra</literal></term> | |
176 | ||
177 | <listitem><para>The contents of this credential may contain additional lines to operate on. The | |
178 | credential contents should follow the same format as any other <filename>sysusers.d/</filename> | |
179 | drop-in. If this credential is passed it is processed after all of the drop-in files read from the | |
180 | file system.</para></listitem> | |
181 | </varlistentry> | |
99e9f896 LP |
182 | </variablelist> |
183 | ||
184 | <para>Note that by default the <filename>systemd-sysusers.service</filename> unit file is set up to | |
185 | inherit the <literal>passwd.hashed-password.root</literal>, | |
3acb6ede LP |
186 | <literal>passwd.plaintext-password.root</literal>, <literal>passwd.shell.root</literal> and |
187 | <literal>sysusers.extra</literal> credentials from the service manager. Thus, when invoking a container | |
188 | with an unpopulated <filename>/etc/</filename> for the first time it is possible to configure the root | |
189 | user's password to be <literal>systemd</literal> like this:</para> | |
99e9f896 | 190 | |
c5f62204 | 191 | <para><programlisting># systemd-nspawn --image=… --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' …</programlisting></para> |
99e9f896 | 192 | |
3acb6ede | 193 | <para>Note again that the data specified in this credential is consulted only when creating an account |
99e9f896 LP |
194 | for the first time; it may not be used for changing the password or shell of an account that already |
195 | exists.</para> | |
798d3a52 | 196 | |
ff9412c1 | 197 | <para>Use <citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
99e9f896 | 198 | for generating UNIX password hashes from the command line.</para> |
798d3a52 ZJS |
199 | </refsect1> |
200 | ||
201 | <refsect1> | |
202 | <title>Exit status</title> | |
203 | ||
204 | <para>On success, 0 is returned, a non-zero failure code | |
205 | otherwise.</para> | |
206 | </refsect1> | |
207 | ||
208 | <refsect1> | |
209 | <title>See Also</title> | |
210 | <para> | |
211 | <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
8ce202fa | 212 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
99e9f896 LP |
213 | <ulink url="https://systemd.io/UIDS-GIDS">Users, Groups, UIDs and GIDs on systemd systems</ulink>, |
214 | <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry>, | |
ff9412c1 | 215 | <citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
798d3a52 ZJS |
216 | </para> |
217 | </refsect1> | |
21236ab5 LP |
218 | |
219 | </refentry> |
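
The precedence rules from the Credentials section above (credentials are ignored for an existing account, and the hashed credential wins over the plaintext one), written as a pre-flight audit. This is an added example, not code from systemd. The function names, the layout of credentials as files in a directory, the use of `<root>/etc/passwd` to decide whether an account exists, and the rejection of md5crypt are all assumptions of this sketch.

```shell
#!/bin/sh
# Added example: audit password credentials before handing them to
# systemd-sysusers. hash_scheme and audit_credential are hypothetical names.

# Print the crypt(3) scheme of a hash string, or "not-a-hash" for anything
# else (including a plaintext password pasted into the hashed credential).
hash_scheme() {
    case "$1" in
        '$y$'*)        echo yescrypt ;;
        '$6$'*)        echo sha512crypt ;;
        '$5$'*)        echo sha256crypt ;;
        '$2'[aby]'$'*) echo bcrypt ;;
        '$1$'*)        echo md5crypt-weak ;;   # rejected by this example's policy
        *)             echo not-a-hash ;;
    esac
}

# audit_credential ROOT CREDDIR USER
# Prints a one-line verdict; returns non-zero if the credential must not be used.
audit_credential() {
    root=$1 creds=$2 user=$3
    hashed="$creds/passwd.hashed-password.$user"
    plain="$creds/passwd.plaintext-password.$user"

    # Credentials are consulted only when the account is created.
    # Assumption: "exists" means an entry in ROOT/etc/passwd.
    if grep -q "^$user:" "$root/etc/passwd" 2>/dev/null; then
        echo "ignored: $user already exists"
        return 0
    fi
    # The hashed credential takes precedence over the plaintext one.
    if [ -f "$hashed" ]; then
        scheme=$(hash_scheme "$(head -n 1 "$hashed")")
        case $scheme in
            not-a-hash|*-weak) echo "reject: hashed credential is $scheme"; return 1 ;;
            *)                 echo "hashed: $scheme"; return 0 ;;
        esac
    fi
    if [ -f "$plain" ]; then
        echo "plaintext: test environments only"
        return 0
    fi
    echo "none: no password credential for $user"
}
```

Call it as `audit_credential /path/to/image-root /path/to/credentials root` before the first boot of an image with an unpopulated `/etc/`.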