]> git.ipfire.org Git - thirdparty/systemd.git/blob - man/systemd-sysusers.xml
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
man: fix references to systemd.exec(5)
[thirdparty/systemd.git] / man / systemd-sysusers.xml
1 <?xml version='1.0'?> <!--*-nxml-*-->
2 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
4 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
5
6 <refentry id="systemd-sysusers"
7 xmlns:xi="http://www.w3.org/2001/XInclude">
8
9 <refentryinfo>
10 <title>systemd-sysusers</title>
11 <productname>systemd</productname>
12 </refentryinfo>
13
14 <refmeta>
15 <refentrytitle>systemd-sysusers</refentrytitle>
16 <manvolnum>8</manvolnum>
17 </refmeta>
18
19 <refnamediv>
20 <refname>systemd-sysusers</refname>
21 <refname>systemd-sysusers.service</refname>
22 <refpurpose>Allocate system users and groups</refpurpose>
23 </refnamediv>
24
25 <refsynopsisdiv>
26 <cmdsynopsis>
27 <command>systemd-sysusers</command>
28 <arg choice="opt" rep="repeat">OPTIONS</arg>
29 <arg choice="opt" rep="repeat"><replaceable>CONFIGFILE</replaceable></arg>
30 </cmdsynopsis>
31
32 <para><filename>systemd-sysusers.service</filename></para>
33 </refsynopsisdiv>
34
35 <refsect1>
36 <title>Description</title>
37
38 <para><command>systemd-sysusers</command> creates system users and groups, based on files in the format
39 described in
40 <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
41 </para>
42
43 <para>If invoked with no arguments, it applies all directives from all files found in the directories
44 specified by
45 <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. When
46 invoked with positional arguments, if option <option>--replace=<replaceable>PATH</replaceable></option>
47 is specified, arguments specified on the command line are used instead of the configuration file
48 <replaceable>PATH</replaceable>. Otherwise, just the configuration specified by the command line
49 arguments is executed. The string <literal>-</literal> may be specified instead of a filename to instruct
50 <command>systemd-sysusers</command> to read the configuration from standard input. If the argument is a
51 relative path, all configuration directories are searched for a matching file and the file found that has
52 the highest priority is executed. If the argument is an absolute path, that file is used directly without
53 searching of the configuration directories.</para>
54 </refsect1>
55
56 <refsect1>
57 <title>Options</title>
58
59 <para>The following options are understood:</para>
60
61 <variablelist>
62 <varlistentry>
63 <term><option>--root=<replaceable>root</replaceable></option></term>
64 <listitem><para>Takes a directory path as an argument. All
65 paths will be prefixed with the given alternate
66 <replaceable>root</replaceable> path, including config search
67 paths. </para>
68
69 <xi:include href="version-info.xml" xpointer="v215"/></listitem>
70 </varlistentry>
71
72 <varlistentry>
73 <term><option>--image=<replaceable>image</replaceable></option></term>
74
75 <listitem><para>Takes a path to a disk image file or block device node. If specified all operations
76 are applied to file system in the indicated disk image. This is similar to <option>--root=</option>
77 but operates on file systems stored in disk images or block devices. The disk image should either
78 contain just a file system or a set of file systems within a GPT partition table, following the
79 <ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
80 Specification</ulink>. For further information on supported disk images, see
81 <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
82 switch of the same name.</para>
83
84 <xi:include href="version-info.xml" xpointer="v247"/></listitem>
85 </varlistentry>
86
87 <xi:include href="standard-options.xml" xpointer="image-policy-open" />
88
89 <varlistentry>
90 <term><option>--replace=<replaceable>PATH</replaceable></option></term>
91 <listitem><para>When this option is given, one or more positional arguments
92 must be specified. All configuration files found in the directories listed in
93 <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
94 will be read, and the configuration given on the command line will be
95 handled instead of and with the same priority as the configuration file
96 <replaceable>PATH</replaceable>.</para>
97
98 <para>This option is intended to be used when package installation scripts
99 are running and files belonging to that package are not yet available on
100 disk, so their contents must be given on the command line, but the admin
101 configuration might already exist and should be given higher priority.
102 </para>
103
104 <example>
105 <title>RPM installation script for radvd</title>
106
107 <programlisting>echo 'u radvd - "radvd daemon"' | \
108 systemd-sysusers --replace=/usr/lib/sysusers.d/radvd.conf -</programlisting>
109
110 <para>This will create the radvd user as if
111 <filename>/usr/lib/sysusers.d/radvd.conf</filename> was already on disk.
112 An admin might override the configuration specified on the command line by
113 placing <filename>/etc/sysusers.d/radvd.conf</filename> or even
114 <filename>/etc/sysusers.d/00-overrides.conf</filename>.</para>
115
116 <para>Note that this is the expanded form, and when used in a package, this
117 would be written using a macro with "radvd" and a file containing the
118 configuration line as arguments.</para>
119 </example>
120
121 <xi:include href="version-info.xml" xpointer="v238"/>
122 </listitem>
123 </varlistentry>
124
125 <varlistentry>
126 <term><option>--dry-run</option></term>
127 <listitem><para>Process the configuration and figure out what entries would be created, but don't
128 actually write anything.</para>
129
130 <xi:include href="version-info.xml" xpointer="v250"/></listitem>
131 </varlistentry>
132
133 <varlistentry>
134 <term><option>--inline</option></term>
135 <listitem><para>Treat each positional argument as a separate configuration
136 line instead of a file name.</para>
137
138 <xi:include href="version-info.xml" xpointer="v238"/></listitem>
139 </varlistentry>
140
141 <xi:include href="standard-options.xml" xpointer="cat-config" />
142 <xi:include href="standard-options.xml" xpointer="tldr" />
143 <xi:include href="standard-options.xml" xpointer="no-pager" />
144 <xi:include href="standard-options.xml" xpointer="help" />
145 <xi:include href="standard-options.xml" xpointer="version" />
146 </variablelist>
147 </refsect1>
148
149 <refsect1>
150 <title>Credentials</title>
151
152 <para><command>systemd-sysusers</command> supports the service credentials logic as implemented by
153 <varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
154 (see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
155 details). The following credentials are used when passed in:</para>
156
157 <variablelist class='system-credentials'>
158 <varlistentry>
159 <term><varname>passwd.hashed-password.<replaceable>user</replaceable></varname></term>
160 <listitem><para>A UNIX hashed password string to use for the specified user, when creating an entry
161 for it. This is particularly useful for the <literal>root</literal> user as it allows provisioning
162 the default root password to use via a unit file drop-in or from a container manager passing in this
163 credential. Note that setting this credential has no effect if the specified user account already
164 exists. This credential is hence primarily useful in first boot scenarios or systems that are fully
165 stateless and come up with an empty <filename>/etc/</filename> on every boot.</para>
166
167 <xi:include href="version-info.xml" xpointer="v249"/></listitem>
168 </varlistentry>
169
170 <varlistentry>
171 <term><varname>passwd.plaintext-password.<replaceable>user</replaceable></varname></term>
172
173 <listitem><para>Similar to <literal>passwd.hashed-password.<replaceable>user</replaceable></literal>
174 but expect a literal, plaintext password, which is then automatically hashed before used for the user
175 account. If both the hashed and the plaintext credential are specified for the same user the
176 former takes precedence. It's generally recommended to specify the hashed version; however in test
177 environments with weaker requirements on security it might be easier to pass passwords in plaintext
178 instead.</para>
179
180 <xi:include href="version-info.xml" xpointer="v249"/></listitem>
181 </varlistentry>
182
183 <varlistentry>
184 <term><varname>passwd.shell.<replaceable>user</replaceable></varname></term>
185
186 <listitem><para>Specifies the shell binary to use for the specified account when creating it.</para>
187
188 <xi:include href="version-info.xml" xpointer="v249"/></listitem>
189 </varlistentry>
190
191 <varlistentry>
192 <term><varname>sysusers.extra</varname></term>
193
194 <listitem><para>The contents of this credential may contain additional lines to operate on. The
195 credential contents should follow the same format as any other <filename>sysusers.d/</filename>
196 drop-in. If this credential is passed it is processed after all of the drop-in files read from the
197 file system.</para>
198
199 <xi:include href="version-info.xml" xpointer="v252"/></listitem>
200 </varlistentry>
201 </variablelist>
202
203 <para>Note that by default the <filename>systemd-sysusers.service</filename> unit file is set up to
204 inherit the <literal>passwd.hashed-password.root</literal>,
205 <literal>passwd.plaintext-password.root</literal>, <literal>passwd.shell.root</literal> and
206 <literal>sysusers.extra</literal> credentials from the service manager. Thus, when invoking a container
207 with an unpopulated <filename>/etc/</filename> for the first time it is possible to configure the root
208 user's password to be <literal>systemd</literal> like this:</para>
209
210 <para><programlisting># systemd-nspawn --image=… --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' …</programlisting></para>
211
212 <para>Note again that the data specified in this credential is consulted only when creating an account
213 for the first time, it may not be used for changing the password or shell of an account that already
214 exists.</para>
215
216 <para>Use <citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
217 for generating UNIX password hashes from the command line.</para>
218 </refsect1>
219
220 <refsect1>
221 <title>Exit status</title>
222
223 <para>On success, 0 is returned, a non-zero failure code
224 otherwise.</para>
225 </refsect1>
226
227 <refsect1>
228 <title>See Also</title>
229 <para><simplelist type="inline">
230 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
231 <member><citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
232 <member><ulink url="https://systemd.io/UIDS-GIDS">Users, Groups, UIDs and GIDs on systemd systems</ulink></member>
233 <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry></member>
234 <member><citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
235 </simplelist></para>
236 </refsect1>
237
238 </refentry>
Unnamed repository; edit this file 'description' to name the repository.