Commit | Line | Data |
---|---|---|
21236ab5 | 1 | <?xml version='1.0'?> <!--*-nxml-*--> |
3a54a157 | 2 | <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" |
12b42c76 | 3 | "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
db9ecf05 | 4 | <!-- SPDX-License-Identifier: LGPL-2.1-or-later --> |
21236ab5 LP |
5 | |
6 | <refentry id="systemd-sysusers" | |
798d3a52 ZJS |
7 | xmlns:xi="http://www.w3.org/2001/XInclude"> |
8 | ||
9 | <refentryinfo> | |
10 | <title>systemd-sysusers</title> | |
11 | <productname>systemd</productname> | |
798d3a52 ZJS |
12 | </refentryinfo> |
13 | ||
14 | <refmeta> | |
15 | <refentrytitle>systemd-sysusers</refentrytitle> | |
16 | <manvolnum>8</manvolnum> | |
17 | </refmeta> | |
18 | ||
19 | <refnamediv> | |
20 | <refname>systemd-sysusers</refname> | |
21 | <refname>systemd-sysusers.service</refname> | |
22 | <refpurpose>Allocate system users and groups</refpurpose> | |
23 | </refnamediv> | |
24 | ||
25 | <refsynopsisdiv> | |
26 | <cmdsynopsis> | |
27 | <command>systemd-sysusers</command> | |
28 | <arg choice="opt" rep="repeat">OPTIONS</arg> | |
29 | <arg choice="opt" rep="repeat"><replaceable>CONFIGFILE</replaceable></arg> | |
30 | </cmdsynopsis> | |
31 | ||
32 | <para><filename>systemd-sysusers.service</filename></para> | |
33 | </refsynopsisdiv> | |
34 | ||
35 | <refsect1> | |
36 | <title>Description</title> | |
37 | ||
0336c23e ZJS |
38 | <para><command>systemd-sysusers</command> creates system users and groups, based on files in the format |
39 | described in | |
798d3a52 ZJS |
40 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. |
41 | </para> | |
42 | ||
0336c23e ZJS |
43 | <para>If invoked with no arguments, it applies all directives from all files found in the directories |
44 | specified by | |
45 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. When | |
46 | invoked with positional arguments, if option <option>--replace=<replaceable>PATH</replaceable></option> | |
47 | is specified, arguments specified on the command line are used instead of the configuration file | |
48 | <replaceable>PATH</replaceable>. Otherwise, just the configuration specified by the command line | |
49 | arguments is executed. The string <literal>-</literal> may be specified instead of a filename to instruct | |
50 | <command>systemd-sysusers</command> to read the configuration from standard input. If the argument is a | |
51 | relative path, all configuration directories are searched for a matching file and the file found that has | |
52 | the highest priority is executed. If the argument is an absolute path, that file is used directly without | |
53 | searching the configuration directories.</para> | |
798d3a52 ZJS |
54 | </refsect1> |
55 | ||
56 | <refsect1> | |
57 | <title>Options</title> | |
58 | ||
59 | <para>The following options are understood:</para> | |
60 | ||
61 | <variablelist> | |
62 | <varlistentry> | |
63 | <term><option>--root=<replaceable>root</replaceable></option></term> | |
64 | <listitem><para>Takes a directory path as an argument. All | |
65 | paths will be prefixed with the given alternate | |
66 | <replaceable>root</replaceable> path, including config search | |
ec07c3c8 AK |
67 | paths. </para> |
68 | ||
69 | <xi:include href="version-info.xml" xpointer="v215"/></listitem> | |
798d3a52 ZJS |
70 | </varlistentry> |
71 | ||
71b1d2de LP |
72 | <varlistentry> |
73 | <term><option>--image=<replaceable>image</replaceable></option></term> | |
74 | ||
75 | <listitem><para>Takes a path to a disk image file or block device node. If specified, all operations | |
76 | are applied to the file system in the indicated disk image. This is similar to <option>--root=</option> | |
77 | but operates on file systems stored in disk images or block devices. The disk image should either | |
78 | contain just a file system or a set of file systems within a GPT partition table, following the | |
db811444 | 79 | <ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions |
71b1d2de LP |
80 | Specification</ulink>. For further information on supported disk images, see |
81 | <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s | |
ec07c3c8 AK |
82 | switch of the same name.</para> |
83 | ||
84 | <xi:include href="version-info.xml" xpointer="v247"/></listitem> | |
71b1d2de LP |
85 | </varlistentry> |
86 | ||
9ea81191 LP |
87 | <xi:include href="standard-options.xml" xpointer="image-policy-open" /> |
88 | ||
d16a1c1b ZJS |
89 | <varlistentry> |
90 | <term><option>--replace=<replaceable>PATH</replaceable></option></term> | |
ba669952 | 91 | <listitem><para>When this option is given, one or more positional arguments |
d16a1c1b ZJS |
92 | must be specified. All configuration files found in the directories listed in |
93 | <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
94 | will be read, and the configuration given on the command line will be | |
95 | handled instead of and with the same priority as the configuration file | |
96 | <replaceable>PATH</replaceable>.</para> | |
97 | ||
98 | <para>This option is intended to be used when package installation scripts | |
99 | are running and files belonging to that package are not yet available on | |
100 | disk, so their contents must be given on the command line, but the admin | |
101 | configuration might already exist and should be given higher priority. | |
102 | </para> | |
103 | ||
104 | <example> | |
105 | <title>RPM installation script for radvd</title> | |
106 | ||
107 | <programlisting>echo 'u radvd - "radvd daemon"' | \ | |
108 | systemd-sysusers --replace=/usr/lib/sysusers.d/radvd.conf -</programlisting> | |
109 | ||
110 | <para>This will create the radvd user as if | |
111 | <filename>/usr/lib/sysusers.d/radvd.conf</filename> was already on disk. | |
112 | An admin might override the configuration specified on the command line by | |
113 | placing <filename>/etc/sysusers.d/radvd.conf</filename> or even | |
114 | <filename>/etc/sysusers.d/00-overrides.conf</filename>.</para> | |
115 | ||
82d0776d | 116 | <para>Note that this is the expanded form, and when used in a package, this |
d16a1c1b ZJS |
117 | would be written using a macro with "radvd" and a file containing the |
118 | configuration line as arguments.</para> | |
119 | </example> | |
ec07c3c8 AK |
120 | |
121 | <xi:include href="version-info.xml" xpointer="v238"/> | |
d16a1c1b ZJS |
122 | </listitem> |
123 | </varlistentry> | |
124 | ||
64fe1095 ZJS |
125 | <varlistentry> |
126 | <term><option>--dry-run</option></term> | |
127 | <listitem><para>Process the configuration and figure out what entries would be created, but don't | |
ec07c3c8 AK |
128 | actually write anything.</para> |
129 | ||
130 | <xi:include href="version-info.xml" xpointer="v250"/></listitem> | |
64fe1095 ZJS |
131 | </varlistentry> |
132 | ||
1b600bd5 ZJS |
133 | <varlistentry> |
134 | <term><option>--inline</option></term> | |
135 | <listitem><para>Treat each positional argument as a separate configuration | |
ec07c3c8 AK |
136 | line instead of a file name.</para> |
137 | ||
138 | <xi:include href="version-info.xml" xpointer="v238"/></listitem> | |
1b600bd5 ZJS |
139 | </varlistentry> |
140 | ||
ec0327d6 | 141 | <xi:include href="standard-options.xml" xpointer="cat-config" /> |
918560d7 | 142 | <xi:include href="standard-options.xml" xpointer="tldr" /> |
dcd5c891 | 143 | <xi:include href="standard-options.xml" xpointer="no-pager" /> |
798d3a52 ZJS |
144 | <xi:include href="standard-options.xml" xpointer="help" /> |
145 | <xi:include href="standard-options.xml" xpointer="version" /> | |
146 | </variablelist> | |
99e9f896 LP |
147 | </refsect1> |
148 | ||
149 | <refsect1> | |
150 | <title>Credentials</title> | |
151 | ||
152 | <para><command>systemd-sysusers</command> supports the service credentials logic as implemented by | |
bf63dadb | 153 | <varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname> |
bbfb25f4 | 154 | (see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for |
99e9f896 LP |
155 | details). The following credentials are used when passed in:</para> |
156 | ||
8914f7e8 | 157 | <variablelist class='system-credentials'> |
99e9f896 | 158 | <varlistentry> |
8914f7e8 | 159 | <term><varname>passwd.hashed-password.<replaceable>user</replaceable></varname></term> |
99e9f896 LP |
160 | <listitem><para>A UNIX hashed password string to use for the specified user, when creating an entry |
161 | for it. This is particularly useful for the <literal>root</literal> user as it allows provisioning | |
162 | the default root password to use via a unit file drop-in or from a container manager passing in this | |
163 | credential. Note that setting this credential has no effect if the specified user account already | |
164 | exists. This credential is hence primarily useful in first boot scenarios or systems that are fully | |
ec07c3c8 AK |
165 | stateless and come up with an empty <filename>/etc/</filename> on every boot.</para> |
166 | ||
167 | <xi:include href="version-info.xml" xpointer="v249"/></listitem> | |
99e9f896 LP |
168 | </varlistentry> |
169 | ||
170 | <varlistentry> | |
8914f7e8 | 171 | <term><varname>passwd.plaintext-password.<replaceable>user</replaceable></varname></term> |
99e9f896 LP |
172 | |
173 | <listitem><para>Similar to <literal>passwd.hashed-password.<replaceable>user</replaceable></literal> | |
174 | but expects a literal, plaintext password, which is then automatically hashed before being used for the user | |
175 | account. If both the hashed and the plaintext credential are specified for the same user the | |
176 | former takes precedence. It's generally recommended to specify the hashed version; however in test | |
177 | environments with weaker requirements on security it might be easier to pass passwords in plaintext | |
ec07c3c8 AK |
178 | instead.</para> |
179 | ||
180 | <xi:include href="version-info.xml" xpointer="v249"/></listitem> | |
99e9f896 LP |
181 | </varlistentry> |
182 | ||
183 | <varlistentry> | |
8914f7e8 | 184 | <term><varname>passwd.shell.<replaceable>user</replaceable></varname></term> |
99e9f896 | 185 | |
ec07c3c8 AK |
186 | <listitem><para>Specifies the shell binary to use for the specified account when creating it.</para> |
187 | ||
188 | <xi:include href="version-info.xml" xpointer="v249"/></listitem> | |
99e9f896 | 189 | </varlistentry> |
3acb6ede LP |
190 | |
191 | <varlistentry> | |
8914f7e8 | 192 | <term><varname>sysusers.extra</varname></term> |
3acb6ede LP |
193 | |
194 | <listitem><para>The contents of this credential may contain additional lines to operate on. The | |
195 | credential contents should follow the same format as any other <filename>sysusers.d/</filename> | |
196 | drop-in. If this credential is passed it is processed after all of the drop-in files read from the | |
ec07c3c8 AK |
197 | file system.</para> |
198 | ||
199 | <xi:include href="version-info.xml" xpointer="v252"/></listitem> | |
3acb6ede | 200 | </varlistentry> |
99e9f896 LP |
201 | </variablelist> |
202 | ||
203 | <para>Note that by default the <filename>systemd-sysusers.service</filename> unit file is set up to | |
204 | inherit the <literal>passwd.hashed-password.root</literal>, | |
3acb6ede LP |
205 | <literal>passwd.plaintext-password.root</literal>, <literal>passwd.shell.root</literal> and |
206 | <literal>sysusers.extra</literal> credentials from the service manager. Thus, when invoking a container | |
207 | with an unpopulated <filename>/etc/</filename> for the first time it is possible to configure the root | |
208 | user's password to be <literal>systemd</literal> like this:</para> | |
99e9f896 | 209 | |
c5f62204 | 210 | <para><programlisting># systemd-nspawn --image=… --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' …</programlisting></para> |
99e9f896 | 211 | |
3acb6ede | 212 | <para>Note again that the data specified in this credential is consulted only when creating an account |
99e9f896 LP |
213 | for the first time; it may not be used for changing the password or shell of an account that already |
214 | exists.</para> | |
798d3a52 | 215 | |
ff9412c1 | 216 | <para>Use <citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry> |
99e9f896 | 217 | for generating UNIX password hashes from the command line.</para> |
798d3a52 ZJS |
218 | </refsect1> |
219 | ||
220 | <refsect1> | |
221 | <title>Exit status</title> | |
222 | ||
223 | <para>On success, 0 is returned, a non-zero failure code | |
224 | otherwise.</para> | |
225 | </refsect1> | |
226 | ||
227 | <refsect1> | |
228 | <title>See Also</title> | |
13a69c12 DT |
229 | <para><simplelist type="inline"> |
230 | <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> | |
231 | <member><citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry></member> | |
232 | <member><ulink url="https://systemd.io/UIDS-GIDS">Users, Groups, UIDs and GIDs on systemd systems</ulink></member> | |
233 | <member><citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> | |
234 | <member><citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> | |
235 | </simplelist></para> | |
798d3a52 | 236 | </refsect1> |
21236ab5 LP |
237 | |
238 | </refentry> |
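
The Credentials section states that `passwd.hashed-password.<user>` is ignored when the account already exists and recommends passing a hash rather than plaintext. Both points can be checked before a container is started. The shell functions below are an added example, not part of the systemd sources; the function names, the accepted hash prefixes and the assumption that the target is an unpacked directory tree (as used with `--root=`) are this example's own.

```shell
#!/bin/sh
# Added example (not systemd code): pre-flight checks before passing
# passwd.hashed-password.<user>. Function names are hypothetical.

# True if VALUE looks like a modular crypt(3) hash (yescrypt, SHA-512,
# SHA-256 or bcrypt); the accepted prefixes are this example's assumption.
is_crypt_hash() {
    case "$1" in
        *[!A-Za-z0-9./=\$]*) return 1 ;;   # character outside the crypt alphabet
        '$y$'?*'$'?*'$'?* | '$6$'?*'$'?* | '$5$'?*'$'?* | '$2b$'?*'$'?*) return 0 ;;
        *) return 1 ;;                     # plaintext or empty value
    esac
}

# True if USER already has an entry in ROOT/etc/passwd. In that case the
# credential has no effect, as the page notes.
account_exists() {
    [ -r "$1/etc/passwd" ] &&
        awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1/etc/passwd"
}

# Prints the --set-credential= argument for ROOT, USER and HASH.
# Returns 2 if the account exists, 3 if the value is not a hash.
credential_arg() {
    if account_exists "$1" "$2"; then
        echo "skip: $2 already exists in $1/etc/passwd; credential would be ignored" >&2
        return 2
    fi
    if ! is_crypt_hash "$3"; then
        echo "reject: value is not a crypt(3) hash; generate one with mkpasswd(1)" >&2
        return 3
    fi
    printf '%s\n' "--set-credential=passwd.hashed-password.$2:$3"
}

# Constructed demo: an empty /etc (first boot) and the hash shown on this page.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/etc"
credential_arg "$demo_root" root \
    '$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC'
rm -rf "$demo_root"
```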