<?xml version='1.0'?>
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->

<refentry id="userdbctl" conditional='ENABLE_USERDB'
          xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>userdbctl</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>userdbctl</refentrytitle>
    <manvolnum>1</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>userdbctl</refname>
    <refpurpose>Inspect users, groups and group memberships</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>userdbctl</command>
      <arg choice="opt" rep="repeat">OPTIONS</arg>
      <arg choice="req">COMMAND</arg>
      <arg choice="opt" rep="repeat">NAME</arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>userdbctl</command> may be used to inspect users and groups (as well as group memberships)
    of the system. This client utility queries user/group information provided by various system services,
    both operating on JSON user/group records (as defined by the <ulink
    url="https://systemd.io/USER_RECORD">JSON User Records</ulink> and <ulink
    url="https://systemd.io/GROUP_RECORD">JSON Group Records</ulink> definitions), and classic UNIX NSS/glibc
    user and group records. This tool is primarily a client to the <ulink
    url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via Varlink</ulink>, and may also
    pick up drop-in JSON user and group records from <filename>/etc/userdb/</filename>,
    <filename>/run/userdb/</filename>, <filename>/run/host/userdb/</filename>,
    <filename>/usr/lib/userdb/</filename>.</para>
  </refsect1>

  <refsect1>
    <title>Options</title>

    <para>The following options are understood:</para>

    <variablelist>

      <varlistentry>
        <term><option>--output=</option><replaceable>MODE</replaceable></term>

        <listitem><para>Choose the output mode, takes one of <literal>classic</literal>,
        <literal>friendly</literal>, <literal>table</literal>, <literal>json</literal>. If
        <literal>classic</literal>, an output very close to the format of <filename>/etc/passwd</filename> or
        <filename>/etc/group</filename> is generated. If <literal>friendly</literal>, a more comprehensive and
        user-friendly, human-readable output is generated; if <literal>table</literal>, a minimal, tabular
        output is generated; if <literal>json</literal>, a JSON-formatted output is generated. Defaults to
        <literal>friendly</literal> if a user/group is specified on the command line,
        <literal>table</literal> otherwise.</para>

        <para>Note that most output formats do not show all available information. In particular,
        <literal>classic</literal> and <literal>table</literal> show only the most important fields. Various
        modes also do not show password hashes. Use <literal>json</literal> to view all fields, including
        any authentication fields.</para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--service=</option><replaceable>SERVICE</replaceable><optional>:<replaceable>SERVICE…</replaceable></optional></term>
        <term><option>-s</option> <replaceable>SERVICE</replaceable>:<replaceable>SERVICE…</replaceable></term>

        <listitem><para>Controls which services to query for users/groups. Takes a list of one or more
        service names, separated by <literal>:</literal>. See below for a list of well-known service
        names. If not specified, all available services are queried at once.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--with-nss=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>Controls whether to include classic glibc/NSS user/group lookups in the output. If
        <option>--with-nss=no</option> is used, any attempts to resolve or enumerate users/groups provided
        only via glibc NSS are suppressed. If <option>--with-nss=yes</option> is specified, such users/groups
        are included in the output (which is the default).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--with-varlink=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>Controls whether to include Varlink user/group lookups in the output, i.e. those done
        via the <ulink url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via
        Varlink</ulink>. If <option>--with-varlink=no</option> is used, any attempts to resolve or enumerate
        users/groups provided only via Varlink are suppressed. If <option>--with-varlink=yes</option> is
        specified, such users/groups are included in the output (which is the default).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--with-dropin=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>Controls whether to include user/group lookups in the output that are defined using
        drop-in files in <filename>/etc/userdb/</filename>, <filename>/run/userdb/</filename>,
        <filename>/run/host/userdb/</filename>, <filename>/usr/lib/userdb/</filename>. If
        <option>--with-dropin=no</option> is used, these records are suppressed. If
        <option>--with-dropin=yes</option> is specified, such users/groups are included in the output (which
        is the default).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>--synthesize=</option><replaceable>BOOL</replaceable></term>

        <listitem><para>Controls whether to synthesize records for the root and nobody users/groups if they
        aren't defined otherwise. By default (or <literal>yes</literal>) such records are implicitly
        synthesized if otherwise missing, since they have special significance to the OS. When
        <literal>no</literal>, this synthesizing is turned off.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><option>-N</option></term>

        <listitem><para>This option is short for <option>--with-nss=no</option>
        <option>--synthesize=no</option>. Use this option to show only records that are natively defined as
        JSON user or group records, with all NSS/glibc compatibility and all implicit synthesis turned
        off.</para></listitem>
      </varlistentry>

      <xi:include href="standard-options.xml" xpointer="no-pager" />
      <xi:include href="standard-options.xml" xpointer="no-legend" />
      <xi:include href="standard-options.xml" xpointer="help" />
      <xi:include href="standard-options.xml" xpointer="version" />
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Commands</title>

    <para>The following commands are understood:</para>

    <variablelist>

      <varlistentry>
        <term><command>user</command> <optional><replaceable>USER</replaceable>…</optional></term>

        <listitem><para>List all known user records or show details of one or more specified user
        records. Use <option>--output=</option> to tweak the output mode.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>group</command> <optional><replaceable>GROUP</replaceable>…</optional></term>

        <listitem><para>List all known group records or show details of one or more specified group
        records. Use <option>--output=</option> to tweak the output mode.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>users-in-group</command> <optional><replaceable>GROUP</replaceable>…</optional></term>

        <listitem><para>List users that are members of the specified groups. If no groups are specified, list
        all user/group memberships defined. Use <option>--output=</option> to tweak the output
        mode.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>groups-of-user</command> <optional><replaceable>USER</replaceable>…</optional></term>

        <listitem><para>List groups that the specified users are members of. If no users are specified, list
        all user/group memberships defined (in this case <command>groups-of-user</command> and
        <command>users-in-group</command> are equivalent). Use <option>--output=</option> to tweak the output
        mode.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>services</command></term>

        <listitem><para>List all services currently providing user/group definitions to the system. See below
        for a list of well-known services providing user information.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><command>ssh-authorized-keys</command></term>

        <listitem><para>This operation is not a public, user-facing interface. It is used to allow the SSH daemon to pick
        up authorized keys from user records, see below.</para></listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>Well-Known Services</title>

    <para>The <command>userdbctl services</command> command will list all currently running services that
    provide user or group definitions to the system. The following well-known services are shown among
    this list:</para>

    <variablelist>
      <varlistentry>
        <term><constant>io.systemd.DynamicUser</constant></term>

        <listitem><para>This service is provided by the system service manager itself (i.e. PID 1) and
        makes all users (and their groups) synthesized through the <varname>DynamicUser=</varname> setting in
        service unit files available to the system (see
        <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
        details about this setting).</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.Home</constant></term>

        <listitem><para>This service is provided by
        <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and makes all users (and their groups) belonging to home directories managed by that service
        available to the system.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.Machine</constant></term>

        <listitem><para>This service is provided by
        <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and synthesizes records for all users/groups used by a container that employs user
        namespacing.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.Multiplexer</constant></term>

        <listitem><para>This service is provided by
        <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and multiplexes user/group look-ups to all other running lookup services. This is the primary entry point
        for user/group record clients, as it simplifies client-side implementation substantially, since they
        can ask a single service for lookups instead of asking all running services in parallel.
        <command>userdbctl</command> prefers this service, too, unless <option>--with-nss=</option>
        or <option>--service=</option> are used, in which case finer control over the services to talk to is
        required.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.NameServiceSwitch</constant></term>

        <listitem><para>This service is (also) provided by
        <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and converts classic NSS/glibc user and group records to JSON user/group records, providing full
        backwards compatibility. Use <option>--with-nss=no</option> to disable this compatibility, see
        above. Note that compatibility is actually provided in both directions:
        <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> will
        automatically synthesize classic NSS/glibc user/group records from all JSON user/group records
        provided to the system. Using both APIs is thus mostly equivalent and provides access to the same
        data; however, the NSS/glibc APIs necessarily expose only a reduced set of
        fields.</para></listitem>
      </varlistentry>

      <varlistentry>
        <term><constant>io.systemd.DropIn</constant></term>

        <listitem><para>This service is (also) provided by
        <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
        and picks up JSON user/group records from <filename>/etc/userdb/</filename>,
        <filename>/run/userdb/</filename>, <filename>/run/host/userdb/</filename>,
        <filename>/usr/lib/userdb/</filename>.</para></listitem>
      </varlistentry>

    </variablelist>

    <para>Note that <command>userdbctl</command> has internal support for NSS-based lookups too. This means
    that if neither <constant>io.systemd.Multiplexer</constant> nor
    <constant>io.systemd.NameServiceSwitch</constant> are running, look-ups into the basic user/group
    databases will still work.</para>
  </refsect1>

  <refsect1>
    <title>Integration with SSH</title>

    <para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly
    contained in a user record available to the SSH daemon for authentication. For that, configure the
    following in <citerefentry
    project='die-net'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para>

    <programlisting>…
AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u
AuthorizedKeysCommandUser root
…</programlisting>
  </refsect1>
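The output modes described under --output= and the AuthorizedKeysCommand hook above both come down to which fields of a JSON user record are exposed: the classic and table modes drop the authentication material, json shows it, and the ssh-authorized-keys command hands exactly the SSH keys to sshd, one per line for the user named in %u. The following Python is an added example, not code from systemd or from this manual page. It assumes the field names of the JSON User Records specification (userName, uid, gid, realName, homeDirectory, shell, and a privileged section carrying hashedPassword and sshAuthorizedKeys), uses a constructed sample record, and approximates the classic mode with a passwd-style line whose "x" password placeholder is likewise an assumption rather than userdbctl's exact output.

```python
import json

# Constructed sample drop-in record (not taken from any real system), shaped
# like a JSON user record per https://systemd.io/USER_RECORD. The field names
# are an assumption based on that specification.
SAMPLE_RECORD_TEXT = json.dumps({
    "userName": "deploy",
    "uid": 60001,
    "gid": 60001,
    "realName": "Deployment Account",
    "homeDirectory": "/home/deploy",
    "shell": "/bin/bash",
    "privileged": {
        "hashedPassword": ["$6$constructedsalt$constructedhashvalue"],
        "sshAuthorizedKeys": [
            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyMaterial deploy@example"
        ],
    },
})

# Credential-bearing fields of the privileged section (assumed per the spec).
# classic/table output omits them; json output includes them.
PRIVILEGED_FIELDS = ("hashedPassword", "sshAuthorizedKeys")


def load_record(text):
    """Parse one JSON user record and check the fields the other helpers rely on."""
    record = json.loads(text)
    if not isinstance(record, dict):
        raise ValueError("user record must be a JSON object")
    name = record.get("userName")
    if not isinstance(name, str) or not name:
        raise ValueError("userName is required")
    for key in ("uid", "gid"):
        value = record.get(key)
        # bool is a subclass of int, so compare the exact type
        if type(value) is not int or not value >= 0:
            raise ValueError("%s must be a non-negative integer" % key)
    return record


def render_classic(record):
    """Approximate the passwd(5)-style line of --output=classic (the "x"
    placeholder is an assumption). A value that would break the
    colon-separated format is rejected instead of being emitted."""
    fields = [
        record["userName"], "x", str(record["uid"]), str(record["gid"]),
        record.get("realName", ""), record.get("homeDirectory", ""),
        record.get("shell", ""),
    ]
    for field in fields:
        if ":" in field or "\n" in field:
            raise ValueError("field would corrupt passwd-style output: %r" % field)
    return ":".join(fields)


def render_json(record):
    """Mirror --output=json: every field, privileged section included."""
    return json.dumps(record, indent=2, sort_keys=True)


def auth_material(record):
    """Count credential entries that classic/table output hides; useful when
    auditing drop-in records for unexpected password hashes or SSH keys."""
    privileged = record.get("privileged") or {}
    return {key: len(privileged.get(key) or []) for key in PRIVILEGED_FIELDS}


def authorized_keys_for(records, user_name):
    """What an AuthorizedKeysCommand must print for %u: one key per line, only
    for the matching user. A key embedding a newline is dropped, because sshd
    would otherwise read it as additional authorized_keys entries."""
    keys = []
    for record in records:
        if record["userName"] != user_name:
            continue
        privileged = record.get("privileged") or {}
        for key in privileged.get("sshAuthorizedKeys") or []:
            if isinstance(key, str) and "\n" not in key and key.strip():
                keys.append(key.strip())
    return keys


if __name__ == "__main__":
    rec = load_record(SAMPLE_RECORD_TEXT)
    print(render_classic(rec))
    print(auth_material(rec))
    print("\n".join(authorized_keys_for([rec], "deploy")))
```

Running the block prints the passwd-style line, the count of hidden credential fields, and the key list sshd would receive. The contrast between render_classic and render_json is the practical point of the note under --output=: json output of a record is credential material and should be handled (stored, pasted into tickets) with the same care as /etc/shadow.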

  <refsect1>
    <title>Exit status</title>

    <para>On success, 0 is returned, a non-zero failure code otherwise.</para>
  </refsect1>

  <xi:include href="common-variables.xml" />

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>