<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
<refentry id="sysusers.d" conditional='ENABLE_SYSUSERS'
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>sysusers.d</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>sysusers.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>sysusers.d</refname>
    <refpurpose>Declarative allocation of system users and groups</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/sysusers.d/*.conf</filename></para>
    <para><filename>/run/sysusers.d/*.conf</filename></para>
    <para><filename>/usr/lib/sysusers.d/*.conf</filename></para>

<programlisting>
#Type Name       ID                   GECOS              Home directory Shell
u     user_name  uid                  "User Description" /home/dir      /path/to/shell
u     user_name  uid:gid              "User Description" /home/dir      /path/to/shell
u     user_name  /file/owned/by/user  "User Description" /home/dir      /path/to/shell
g     group_name gid
g     group_name /file/owned/by/group
m     user_name  group_name
r     -          lowest-highest</programlisting>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-sysusers</command> uses the files from the
    <filename>sysusers.d</filename> directory to create system users and groups and
    to add users to groups, at package installation or boot time. This tool may be
    used to allocate system users and groups only; it is not useful for creating
    non-system (i.e. regular, "human") users and groups, as it accesses
    <filename>/etc/passwd</filename> and <filename>/etc/group</filename> directly,
    bypassing any more complex user databases, for example any database involving NIS
    or LDAP.</para>
  </refsect1>

  <refsect1>
    <title>Configuration Directories and Precedence</title>

    <para>Each configuration file shall be named in the style of
    <filename><replaceable>package</replaceable>.conf</filename> or
    <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
    The second variant should be used when it is desirable to make it
    easy to override just this part of the configuration.</para>

    <para>Files in <filename>/etc/sysusers.d</filename> override files
    with the same name in <filename>/usr/lib/sysusers.d</filename> and
    <filename>/run/sysusers.d</filename>. Files in
    <filename>/run/sysusers.d</filename> override files with the same
    name in <filename>/usr/lib/sysusers.d</filename>. Packages should
    install their configuration files in
    <filename>/usr/lib/sysusers.d</filename>. Files in
    <filename>/etc/sysusers.d</filename> are reserved for the local
    administrator, who may use this logic to override the
    configuration files installed by vendor packages. All
    configuration files are sorted by their filename in lexicographic
    order, regardless of which of the directories they reside in. If
    multiple files specify the same path, the entry in the file with
    the lexicographically earliest name will be applied. All later
    entries for the same user and group names will be logged as warnings.
    </para>

    <para>If the administrator wants to disable a configuration file
    supplied by the vendor, the recommended way is to place a symlink
    to <filename>/dev/null</filename> in
    <filename>/etc/sysusers.d/</filename> bearing the same filename.
    </para>
  </refsect1>
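The precedence rules above (same-named file in /etc beats /run beats /usr/lib, a /dev/null symlink masks a vendor file, surviving files are processed in lexicographic order and the first entry for a name wins), worked through as an added example that is not systemd's own code. It runs on a constructed in-memory stand-in for the three directories, where a value of None models the /dev/null symlink, so nothing on the real system is read.

```python
# Search directories, highest precedence first.
SEARCH_DIRS = ["/etc/sysusers.d", "/run/sysusers.d", "/usr/lib/sysusers.d"]

# Constructed stand-in for the file system: directory -> {file name: content}.
# A value of None models a symlink to /dev/null, the documented way to mask a file.
FAKE_FS = {
    "/usr/lib/sysusers.d": {
        "basic.conf": 'u httpd 404 "HTTP User"\ng input - -\n',
        "zz-vendor.conf": 'u httpd - "Vendor duplicate"\nu _authd - "Authorization user"\n',
        "telemetry.conf": 'u _telemetry - "Telemetry"\n',
    },
    "/run/sysusers.d": {"basic.conf": 'u httpd 404 "HTTP User (runtime copy)"\n'},
    "/etc/sysusers.d": {"telemetry.conf": None},  # administrator masked the vendor file
}


def select_files(fs):
    """Return [(file name, directory)] in processing order: for each file name the
    highest-precedence directory wins, masked files are dropped, and the survivors
    are sorted by file name regardless of the directory they came from."""
    chosen = {}
    for d in SEARCH_DIRS:
        for name in fs.get(d, {}):
            chosen.setdefault(name, d)  # first hit is the highest-precedence one
    return sorted((n, d) for n, d in chosen.items() if fs[d][n] is not None)


def merge_entries(fs):
    """Apply entries first-come-first-served across the selected files.
    Returns (entries, warnings); entries maps an entry key to the file that defined it."""
    entries, warnings = {}, []
    for name, d in select_files(fs):
        src = f"{d}/{name}"
        for line in fs[d][name].splitlines():
            fields = line.split()
            if not fields or fields[0].startswith("#"):
                continue  # blank lines and comments are ignored
            if fields[0] == "r":
                continue  # ranges extend the shared pool, they are not named entries
            # 'm' lines are identified by user and group, u/g lines by type and name.
            key = tuple(fields[:3]) if fields[0] == "m" else tuple(fields[:2])
            if key in entries:
                warnings.append(f"{src}: later entry for {key} ignored, "
                                f"already defined in {entries[key]}")
            else:
                entries[key] = src
    return entries, warnings
```

Note that the override is per whole file: the runtime basic.conf replaces the vendor one entirely, so the vendor's `g input` line is never seen.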
85 | ||
86 | <refsect1> | |
87 | <title>Configuration File Format</title> | |
88 | ||
7b1aaf66 ZJS |
89 | <para>The file format is one line per user or group containing name, ID, GECOS |
90 | field description, home directory, and login shell:</para> | |
798d3a52 | 91 | |
7b1aaf66 ZJS |
92 | <programlisting>#Type Name ID GECOS Home directory Shell |
93 | u httpd 404 "HTTP User" | |
6bdd90fb | 94 | u _authd /usr/bin/authd "Authorization user" |
7b1aaf66 ZJS |
95 | u postgres - "Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb |
96 | g input - - | |
6bdd90fb ZJS |
97 | m _authd input |
98 | u root 0 "Superuser" /root /bin/zsh | |
99 | r - 500-900 | |
100 | </programlisting> | |
21236ab5 | 101 | |
565dab8e LP |
102 | <para>Empty lines and lines beginning with the <literal>#</literal> character are ignored, and may be used for |
103 | commenting.</para> | |
104 | ||
798d3a52 ZJS |
105 | <refsect2> |
106 | <title>Type</title> | |
107 | ||
108 | <para>The type consists of a single letter. The following line | |
109 | types are understood:</para> | |
110 | ||
111 | <variablelist> | |
112 | <varlistentry> | |
113 | <term><varname>u</varname></term> | |
7b1aaf66 ZJS |
114 | <listitem><para>Create a system user and group of the specified name should |
115 | they not exist yet. The user's primary group will be set to the group | |
649916d3 | 116 | bearing the same name unless the ID field specifies it. The account will be |
aefdc112 AK |
117 | created disabled, so that logins are not allowed.</para> |
118 | ||
119 | <xi:include href="version-info.xml" xpointer="v215"/></listitem> | |
798d3a52 ZJS |
120 | </varlistentry> |
121 | ||
122 | <varlistentry> | |
123 | <term><varname>g</varname></term> | |
124 | <listitem><para>Create a system group of the specified name | |
125 | should it not exist yet. Note that <varname>u</varname> | |
6bdd90fb | 126 | implicitly creates a matching group. The group will be |
aefdc112 AK |
127 | created with no password set.</para> |
128 | ||
129 | <xi:include href="version-info.xml" xpointer="v215"/></listitem> | |
798d3a52 ZJS |
130 | </varlistentry> |
131 | ||
132 | <varlistentry> | |
133 | <term><varname>m</varname></term> | |
134 | <listitem><para>Add a user to a group. If the user or group | |
cd72d204 | 135 | do not exist yet, they will be implicitly |
aefdc112 AK |
136 | created.</para> |
137 | ||
138 | <xi:include href="version-info.xml" xpointer="v215"/></listitem> | |
798d3a52 ZJS |
139 | </varlistentry> |
140 | ||
141 | <varlistentry> | |
142 | <term><varname>r</varname></term> | |
143 | <listitem><para>Add a range of numeric UIDs/GIDs to the pool | |
144 | to allocate new UIDs and GIDs from. If no line of this type | |
b938cb90 | 145 | is specified, the range of UIDs/GIDs is set to some |
798d3a52 ZJS |
146 | compiled-in default. Note that both UIDs and GIDs are |
147 | allocated from the same pool, in order to ensure that users | |
148 | and groups of the same name are likely to carry the same | |
aefdc112 AK |
149 | numeric UID and GID.</para> |
150 | ||
151 | <xi:include href="version-info.xml" xpointer="v216"/></listitem> | |
798d3a52 ZJS |
152 | </varlistentry> |
153 | ||
154 | </variablelist> | |
155 | </refsect2> | |
156 | ||
157 | <refsect2> | |
158 | <title>Name</title> | |
159 | ||
565dab8e LP |
160 | <para>The name field specifies the user or group name. The specified name must consist only of the characters a-z, |
161 | A-Z, 0-9, <literal>_</literal> and <literal>-</literal>, except for the first character which must be one of a-z, | |
162 | A-Z or <literal>_</literal> (i.e. numbers and <literal>-</literal> are not permitted as first character). The | |
163 | user/group name must have at least one character, and at most 31.</para> | |
164 | ||
887a8fa3 LP |
165 | <para>For further details about the syntax of user/group names, see <ulink |
166 | url="https://systemd.io/USER_NAMES">User/Group Name Syntax</ulink>.</para> | |
167 | ||
565dab8e LP |
168 | <para>It is strongly recommended to pick user and group names that are unlikely to clash with normal users |
169 | created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the | |
170 | underscore, and avoiding too generic names.</para> | |
798d3a52 | 171 | |
b938cb90 | 172 | <para>For <varname>m</varname> lines, this field should contain |
798d3a52 ZJS |
173 | the user name to add to a group.</para> |
174 | ||
b938cb90 | 175 | <para>For lines of type <varname>r</varname>, this field should |
798d3a52 ZJS |
176 | be set to <literal>-</literal>.</para> |
177 | </refsect2> | |
178 | ||
179 | <refsect2> | |
180 | <title>ID</title> | |
181 | ||
b938cb90 JE |
182 | <para>For <varname>u</varname> and <varname>g</varname>, the |
183 | numeric 32-bit UID or GID of the user/group. Do not use IDs 65535 | |
798d3a52 ZJS |
184 | or 4294967295, as they have special placeholder meanings. |
185 | Specify <literal>-</literal> for automatic UID/GID allocation | |
7b1aaf66 ZJS |
186 | for the user or group (this is strongly recommended unless it is strictly |
187 | necessary to use a specific UID or GID). Alternatively, specify an absolute path | |
b938cb90 | 188 | in the file system. In this case, the UID/GID is read from the |
798d3a52 ZJS |
189 | path's owner/group. This is useful to create users whose UID/GID |
190 | match the owners of pre-existing files (such as SUID or SGID | |
4cb41413 | 191 | binaries). |
649916d3 DM |
192 | The syntaxes <literal><replaceable>uid</replaceable>:<replaceable>gid</replaceable></literal> and |
193 | <literal><replaceable>uid</replaceable>:<replaceable>groupname</replaceable></literal> are supported to | |
194 | allow creating users with specific primary groups. The given group must be created explicitly, or it | |
195 | must already exist. Specifying <literal>-</literal> for the UID in these syntaxes is also supported. | |
4cb41413 | 196 | </para> |
798d3a52 | 197 | |
b938cb90 | 198 | <para>For <varname>m</varname> lines, this field should contain |
798d3a52 ZJS |
199 | the group name to add to a user to.</para> |
200 | ||
b938cb90 | 201 | <para>For lines of type <varname>r</varname>, this field should |
798d3a52 | 202 | be set to a UID/GID range in the format |
b938cb90 | 203 | <literal>FROM-TO</literal>, where both values are formatted as |
798d3a52 ZJS |
204 | decimal ASCII numbers. Alternatively, a single UID/GID may be |
205 | specified formatted as decimal ASCII numbers.</para> | |
206 | </refsect2> | |
207 | ||
208 | <refsect2> | |
209 | <title>GECOS</title> | |
210 | ||
7b1aaf66 ZJS |
211 | <para>A short, descriptive string for users to be created, enclosed in |
212 | quotation marks. Note that this field may not contain colons.</para> | |
798d3a52 | 213 | |
7b1aaf66 ZJS |
214 | <para>Only applies to lines of type <varname>u</varname> and should otherwise |
215 | be left unset (or <literal>-</literal>).</para> | |
798d3a52 ZJS |
216 | </refsect2> |
217 | ||
218 | <refsect2> | |
219 | <title>Home Directory</title> | |
220 | ||
7b1aaf66 ZJS |
221 | <para>The home directory for a new system user. If omitted, defaults to the |
222 | root directory.</para> | |
798d3a52 | 223 | |
7b1aaf66 ZJS |
224 | <para>Only applies to lines of type <varname>u</varname> and should otherwise |
225 | be left unset (or <literal>-</literal>). It is recommended to omit this, unless | |
226 | software strictly requires a home directory to be set.</para> | |
a1de7d01 LW |
227 | |
228 | <para><command>systemd-sysusers</command> only sets the home directory record in the | |
229 | user database. To actually create the directory, consider adding a corresponding | |
230 | <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> | |
231 | fragment.</para> | |
7b1aaf66 ZJS |
232 | </refsect2> |
233 | ||
234 | <refsect2> | |
235 | <title>Shell</title> | |
236 | ||
237 | <para>The login shell of the user. If not specified, this will be set to | |
6db90462 | 238 | <filename>/usr/sbin/nologin</filename>, except if the UID of the user is 0, in |
7b1aaf66 ZJS |
239 | which case <filename>/bin/sh</filename> will be used.</para> |
240 | ||
241 | <para>Only applies to lines of type <varname>u</varname> and should otherwise | |
242 | be left unset (or <literal>-</literal>). It is recommended to omit this, unless | |
6db90462 | 243 | a shell different <filename>/usr/sbin/nologin</filename> must be used.</para> |
798d3a52 | 244 | </refsect2> |
798d3a52 ZJS |
245 | </refsect1> |
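A line parser that enforces the field rules from this section (type letters, the name character set and 31-character limit, the numeric, path, `-` and uid:group ID forms with the two reserved placeholder IDs rejected, colon-free GECOS, and the documented home and shell defaults), as an added example that is not systemd's own code. It assumes shell-style quoting for the GECOS field, which is how the quoted examples above read.

```python
import re
import shlex

# Name rule from the Name section: first char [a-zA-Z_], then [a-zA-Z0-9_-], 1 to 31 chars.
NAME_RE = re.compile(r"^[a-zA-Z_][a-zA-Z0-9_-]{0,30}$")

def parse_id(field):
    """Classify a u/g ID field as ('auto'|'numeric'|'path'|'uid:group', value)."""
    if field in (None, "-"):
        return ("auto", None)
    if field.startswith("/"):
        return ("path", field)  # UID/GID is read from this file's owner/group
    if ":" in field:  # uid:gid or uid:groupname; the uid part may itself be '-'
        uid, grp = field.split(":", 1)
        return ("uid:group", (None if uid == "-" else int(uid), int(grp) if grp.isdigit() else grp))
    if not field.isdigit() or int(field) in (65535, 4294967295):  # reserved placeholders
        raise ValueError(f"invalid ID {field!r}")
    return ("numeric", int(field))

def parse_line(line):
    """Parse one sysusers.d line into a dict; None for blank/comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    f = shlex.split(line) + [None] * 6  # pad so missing optional fields read as None
    kind, name, ident, gecos, home, shell = f[:6]
    if kind not in ("u", "g", "m", "r"):
        raise ValueError(f"unknown line type {kind!r}")
    if kind == "r":  # name must be '-', ID is FROM-TO or a single number
        if name != "-" or not ident:
            raise ValueError("r lines need '-' as name and a range as ID")
        lo, _, hi = ident.partition("-")
        return {"type": "r", "range": (int(lo), int(hi or lo))}
    if not NAME_RE.match(name or ""):
        raise ValueError(f"bad user/group name {name!r}")
    if kind == "m":  # ID field holds the group the user is added to
        if not NAME_RE.match(ident or ""):
            raise ValueError(f"bad group name {ident!r}")
        return {"type": "m", "user": name, "group": ident}
    entry = {"type": kind, "name": name, "id": parse_id(ident)}
    if kind == "g":
        return entry  # GECOS, home and shell do not apply to groups
    if gecos and ":" in gecos:
        raise ValueError("GECOS may not contain colons")
    entry["gecos"] = None if gecos == "-" else gecos
    entry["home"] = "/" if home in (None, "-") else home  # default: root directory
    default_shell = "/bin/sh" if entry["id"] == ("numeric", 0) else "/usr/sbin/nologin"
    entry["shell"] = shell if shell not in (None, "-") else default_shell
    return entry
```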

  <refsect1>
    <title>Specifiers</title>

    <para>Specifiers can be used in the <literal>Name</literal>, <literal>ID</literal>,
    <literal>GECOS</literal>, <literal>Home directory</literal>, and <literal>Shell</literal> fields. An
    unknown or unresolvable specifier is treated as invalid configuration. The following expansions are
    understood:</para>

    <table class='specifiers'>
      <title>Specifiers available</title>
      <tgroup cols='3' align='left' colsep='1' rowsep='1'>
        <colspec colname="spec" />
        <colspec colname="mean" />
        <colspec colname="detail" />
        <thead>
          <row>
            <entry>Specifier</entry>
            <entry>Meaning</entry>
            <entry>Details</entry>
          </row>
        </thead>
        <tbody>
          <xi:include href="standard-specifiers.xml" xpointer="a"/>
          <xi:include href="standard-specifiers.xml" xpointer="A"/>
          <xi:include href="standard-specifiers.xml" xpointer="b"/>
          <xi:include href="standard-specifiers.xml" xpointer="B"/>
          <xi:include href="standard-specifiers.xml" xpointer="H"/>
          <xi:include href="standard-specifiers.xml" xpointer="l"/>
          <xi:include href="standard-specifiers.xml" xpointer="m"/>
          <xi:include href="standard-specifiers.xml" xpointer="M"/>
          <xi:include href="standard-specifiers.xml" xpointer="o"/>
          <xi:include href="standard-specifiers.xml" xpointer="T"/>
          <xi:include href="standard-specifiers.xml" xpointer="v"/>
          <xi:include href="standard-specifiers.xml" xpointer="V"/>
          <xi:include href="standard-specifiers.xml" xpointer="w"/>
          <xi:include href="standard-specifiers.xml" xpointer="W"/>
          <xi:include href="standard-specifiers.xml" xpointer="percent"/>
        </tbody>
      </tgroup>
    </table>
  </refsect1>

  <refsect1>
    <title>Idempotence</title>

    <para>Note that <command>systemd-sysusers</command> will do nothing if the
    specified users or groups already exist or the users are members of specified
    groups, so normally there is no reason to override
    <filename>sysusers.d</filename> vendor configuration, except to block certain
    users or groups from being created.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>