[thirdparty/systemd.git] / man / sysusers.d.xml

<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
  SPDX-License-Identifier: LGPL-2.1+

  This file is part of systemd.

  Copyright 2014 Lennart Poettering

  systemd is free software; you can redistribute it and/or modify it
  under the terms of the GNU Lesser General Public License as published by
  the Free Software Foundation; either version 2.1 of the License, or
  (at your option) any later version.

  systemd is distributed in the hope that it will be useful, but
  WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  Lesser General Public License for more details.

  You should have received a copy of the GNU Lesser General Public License
  along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="sysusers.d" conditional='ENABLE_SYSUSERS'
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>sysusers.d</title>
    <productname>systemd</productname>

    <authorgroup>
      <author>
        <contrib>Developer</contrib>
        <firstname>Lennart</firstname>
        <surname>Poettering</surname>
        <email>lennart@poettering.net</email>
      </author>
    </authorgroup>
  </refentryinfo>

  <refmeta>
    <refentrytitle>sysusers.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>sysusers.d</refname>
    <refpurpose>Declarative allocation of system users and groups</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/sysusers.d/*.conf</filename></para>
    <para><filename>/run/sysusers.d/*.conf</filename></para>
    <para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-sysusers</command> uses the files from
    <filename>sysusers.d</filename> directory to create system users and groups and
    to add users to groups, at package installation or boot time. This tool may be
    used to allocate system users and groups only, it is not useful for creating
    non-system (i.e. regular, "human") users and groups, as it accesses
    <filename>/etc/passwd</filename> and <filename>/etc/group</filename> directly,
    bypassing any more complex user databases, for example any database involving NIS
    or LDAP.</para>
  </refsect1>

  <refsect1>
    <title>Configuration Directories and Precedence</title>

    <para>Each configuration file shall be named in the style of
    <filename><replaceable>package</replaceable>.conf</filename> or
    <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
    The second variant should be used when it is desirable to make it
    easy to override just this part of configuration.</para>

    <para>Files in <filename>/etc/sysusers.d</filename> override files
    with the same name in <filename>/usr/lib/sysusers.d</filename> and
    <filename>/run/sysusers.d</filename>. Files in
    <filename>/run/sysusers.d</filename> override files with the same
    name in <filename>/usr/lib/sysusers.d</filename>. Packages should
    install their configuration files in
    <filename>/usr/lib/sysusers.d</filename>. Files in
    <filename>/etc/sysusers.d</filename> are reserved for the local
    administrator, who may use this logic to override the
    configuration files installed by vendor packages. All
    configuration files are sorted by their filename in lexicographic
    order, regardless of which of the directories they reside in. If
    multiple files specify the same path, the entry in the file with
    the lexicographically earliest name will be applied. All later
    entries for the same user and group names will be logged as warnings.
    </para>

    <para>If the administrator wants to disable a configuration file
    supplied by the vendor, the recommended way is to place a symlink
    to <filename>/dev/null</filename> in
    <filename>/etc/sysusers.d/</filename> bearing the same filename.
    </para>
  </refsect1>

  <refsect1>
    <title>Configuration File Format</title>

    <para>The file format is one line per user or group containing name, ID, GECOS
    field description, home directory, and login shell:</para>

    <programlisting>#Type Name     ID             GECOS                 Home directory Shell
u     httpd    404            "HTTP User"
u     authd    /usr/bin/authd "Authorization user"
u     postgres -              "Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb
g     input    -              -
m     authd    input
u     root     0              "Superuser"           /root          /bin/zsh</programlisting>

    <para>Empty lines and lines beginning with the <literal>#</literal> character are ignored, and may be used for
    commenting.</para>

    <refsect2>
      <title>Type</title>

      <para>The type consists of a single letter. The following line
      types are understood:</para>

      <variablelist>
        <varlistentry>
          <term><varname>u</varname></term>
          <listitem><para>Create a system user and group of the specified name should
          they not exist yet. The user's primary group will be set to the group
          bearing the same name. The account will be created disabled, so that logins
          are not allowed.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>g</varname></term>
          <listitem><para>Create a system group of the specified name
          should it not exist yet. Note that <varname>u</varname>
          implicitly create a matching group. The group will be
          created with no password set.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>m</varname></term>
          <listitem><para>Add a user to a group. If the user or group
          do not exist yet, they will be implicitly
          created.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>r</varname></term>
          <listitem><para>Add a range of numeric UIDs/GIDs to the pool
          to allocate new UIDs and GIDs from. If no line of this type
          is specified, the range of UIDs/GIDs is set to some
          compiled-in default. Note that both UIDs and GIDs are
          allocated from the same pool, in order to ensure that users
          and groups of the same name are likely to carry the same
          numeric UID and GID.</para></listitem>
        </varlistentry>

      </variablelist>
    </refsect2>

    <refsect2>
      <title>Name</title>

      <para>The name field specifies the user or group name. The specified name must consist only of the characters a-z,
      A-Z, 0-9, <literal>_</literal> and <literal>-</literal>, except for the first character which must be one of a-z,
      A-Z or <literal>_</literal> (i.e. numbers and <literal>-</literal> are not permitted as first character). The
      user/group name must have at least one character, and at most 31.</para>

      <para>It is strongly recommended to pick user and group names that are unlikely to clash with normal users
      created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the
      underscore, and avoiding too generic names.</para>

      <para>For <varname>m</varname> lines, this field should contain
      the user name to add to a group.</para>

      <para>For lines of type <varname>r</varname>, this field should
      be set to <literal>-</literal>.</para>
    </refsect2>

    <refsect2>
      <title>ID</title>

      <para>For <varname>u</varname> and <varname>g</varname>, the
      numeric 32-bit UID or GID of the user/group. Do not use IDs 65535
      or 4294967295, as they have special placeholder meanings.
      Specify <literal>-</literal> for automatic UID/GID allocation
      for the user or group (this is strongly recommended unless it is strictly
      necessary to use a specific UID or GID). Alternatively, specify an absolute path
      in the file system. In this case, the UID/GID is read from the
      path's owner/group. This is useful to create users whose UID/GID
      match the owners of pre-existing files (such as SUID or SGID
      binaries).
      The syntax <literal><replaceable>uid</replaceable>:<replaceable>gid</replaceable></literal> is also supported to
      allow creating user and group pairs with different numeric UID and GID values. The group with the indicated GID must get created explicitly before or it must already exist.
      </para>

      <para>For <varname>m</varname> lines, this field should contain
      the group name to add to a user to.</para>

      <para>For lines of type <varname>r</varname>, this field should
      be set to a UID/GID range in the format
      <literal>FROM-TO</literal>, where both values are formatted as
      decimal ASCII numbers. Alternatively, a single UID/GID may be
      specified formatted as decimal ASCII numbers.</para>
    </refsect2>

    <refsect2>
      <title>GECOS</title>

      <para>A short, descriptive string for users to be created, enclosed in
      quotation marks. Note that this field may not contain colons.</para>

      <para>Only applies to lines of type <varname>u</varname> and should otherwise
      be left unset (or <literal>-</literal>).</para>
    </refsect2>

    <refsect2>
      <title>Home Directory</title>

      <para>The home directory for a new system user. If omitted, defaults to the
      root directory.</para>

      <para>Only applies to lines of type <varname>u</varname> and should otherwise
      be left unset (or <literal>-</literal>). It is recommended to omit this, unless
      software strictly requires a home directory to be set.</para>
    </refsect2>

    <refsect2>
      <title>Shell</title>

      <para>The login shell of the user. If not specified, this will be set to
      <filename>/sbin/nologin</filename>, except if the UID of the user is 0, in
      which case <filename>/bin/sh</filename> will be used.</para>

      <para>Only applies to lines of type <varname>u</varname> and should otherwise
      be left unset (or <literal>-</literal>). It is recommended to omit this, unless
      a shell different <filename>/sbin/nologin</filename> must be used.</para>
    </refsect2>
  </refsect1>

  <refsect1>
    <title>Idempotence</title>

    <para>Note that <command>systemd-sysusers</command> will do nothing if the
    specified users or groups already exist or the users are members of specified
    groups, so normally there is no reason to override
    <filename>sysusers.d</filename> vendor configuration, except to block certain
    users or groups from being created.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>
Commit	Line	Data
	1	<?xml version="1.0"?>
	2	<!---nxml--->
	3	<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
	4	<!--
	5	SPDX-License-Identifier: LGPL-2.1+
	6
	7	This file is part of systemd.
	8
	9	Copyright 2014 Lennart Poettering
	10
	11	systemd is free software; you can redistribute it and/or modify it
	12	under the terms of the GNU Lesser General Public License as published by
	13	the Free Software Foundation; either version 2.1 of the License, or
	14	(at your option) any later version.
	15
	16	systemd is distributed in the hope that it will be useful, but
	17	WITHOUT ANY WARRANTY; without even the implied warranty of
	18	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	19	Lesser General Public License for more details.
	20
	21	You should have received a copy of the GNU Lesser General Public License
	22	along with systemd; If not, see <http://www.gnu.org/licenses/>.
	23	-->
	24	<refentry id="sysusers.d" conditional='ENABLE_SYSUSERS'
	25	xmlns:xi="http://www.w3.org/2001/XInclude">
	26
	27	<refentryinfo>
	28	<title>sysusers.d</title>
	29	<productname>systemd</productname>
	30
	31	<authorgroup>
	32	<author>
	33	<contrib>Developer</contrib>
	34	<firstname>Lennart</firstname>
	35	<surname>Poettering</surname>
	36	<email>lennart@poettering.net</email>
	37	</author>
	38	</authorgroup>
	39	</refentryinfo>
	40
	41	<refmeta>
	42	<refentrytitle>sysusers.d</refentrytitle>
	43	<manvolnum>5</manvolnum>
	44	</refmeta>
	45
	46	<refnamediv>
	47	<refname>sysusers.d</refname>
	48	<refpurpose>Declarative allocation of system users and groups</refpurpose>
	49	</refnamediv>
	50
	51	<refsynopsisdiv>
	52	<para><filename>/etc/sysusers.d/*.conf</filename></para>
	53	<para><filename>/run/sysusers.d/*.conf</filename></para>
	54	<para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
	55	</refsynopsisdiv>
	56
	57	<refsect1>
	58	<title>Description</title>
	59
	60	<para><command>systemd-sysusers</command> uses the files from
	61	<filename>sysusers.d</filename> directory to create system users and groups and
	62	to add users to groups, at package installation or boot time. This tool may be
	63	used to allocate system users and groups only, it is not useful for creating
	64	non-system (i.e. regular, "human") users and groups, as it accesses
	65	<filename>/etc/passwd</filename> and <filename>/etc/group</filename> directly,
	66	bypassing any more complex user databases, for example any database involving NIS
	67	or LDAP.</para>
	68	</refsect1>
	69
	70	<refsect1>
	71	<title>Configuration Directories and Precedence</title>
	72
	73	<para>Each configuration file shall be named in the style of
	74	<filename><replaceable>package</replaceable>.conf</filename> or
	75	<filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
	76	The second variant should be used when it is desirable to make it
	77	easy to override just this part of configuration.</para>
	78
	79	<para>Files in <filename>/etc/sysusers.d</filename> override files
	80	with the same name in <filename>/usr/lib/sysusers.d</filename> and
	81	<filename>/run/sysusers.d</filename>. Files in
	82	<filename>/run/sysusers.d</filename> override files with the same
	83	name in <filename>/usr/lib/sysusers.d</filename>. Packages should
	84	install their configuration files in
	85	<filename>/usr/lib/sysusers.d</filename>. Files in
	86	<filename>/etc/sysusers.d</filename> are reserved for the local
	87	administrator, who may use this logic to override the
	88	configuration files installed by vendor packages. All
	89	configuration files are sorted by their filename in lexicographic
	90	order, regardless of which of the directories they reside in. If
	91	multiple files specify the same path, the entry in the file with
	92	the lexicographically earliest name will be applied. All later
	93	entries for the same user and group names will be logged as warnings.
	94	</para>
	95
	96	<para>If the administrator wants to disable a configuration file
	97	supplied by the vendor, the recommended way is to place a symlink
	98	to <filename>/dev/null</filename> in
	99	<filename>/etc/sysusers.d/</filename> bearing the same filename.
	100	</para>
	101	</refsect1>
	102
	103	<refsect1>
	104	<title>Configuration File Format</title>
	105
	106	<para>The file format is one line per user or group containing name, ID, GECOS
	107	field description, home directory, and login shell:</para>
	108
	109	<programlisting>#Type Name ID GECOS Home directory Shell
	110	u httpd 404 "HTTP User"
	111	u authd /usr/bin/authd "Authorization user"
	112	u postgres - "Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb
	113	g input - -
	114	m authd input
	115	u root 0 "Superuser" /root /bin/zsh</programlisting>
	116
	117	<para>Empty lines and lines beginning with the <literal>#</literal> character are ignored, and may be used for
	118	commenting.</para>
	119
	120	<refsect2>
	121	<title>Type</title>
	122
	123	<para>The type consists of a single letter. The following line
	124	types are understood:</para>
	125
	126	<variablelist>
	127	<varlistentry>
	128	<term><varname>u</varname></term>
	129	<listitem><para>Create a system user and group of the specified name should
	130	they not exist yet. The user's primary group will be set to the group
	131	bearing the same name. The account will be created disabled, so that logins
	132	are not allowed.</para></listitem>
	133	</varlistentry>
	134
	135	<varlistentry>
	136	<term><varname>g</varname></term>
	137	<listitem><para>Create a system group of the specified name
	138	should it not exist yet. Note that <varname>u</varname>
	139	implicitly create a matching group. The group will be
	140	created with no password set.</para></listitem>
	141	</varlistentry>
	142
	143	<varlistentry>
	144	<term><varname>m</varname></term>
	145	<listitem><para>Add a user to a group. If the user or group
	146	do not exist yet, they will be implicitly
	147	created.</para></listitem>
	148	</varlistentry>
	149
	150	<varlistentry>
	151	<term><varname>r</varname></term>
	152	<listitem><para>Add a range of numeric UIDs/GIDs to the pool
	153	to allocate new UIDs and GIDs from. If no line of this type
	154	is specified, the range of UIDs/GIDs is set to some
	155	compiled-in default. Note that both UIDs and GIDs are
	156	allocated from the same pool, in order to ensure that users
	157	and groups of the same name are likely to carry the same
	158	numeric UID and GID.</para></listitem>
	159	</varlistentry>
	160
	161	</variablelist>
	162	</refsect2>
	163
	164	<refsect2>
	165	<title>Name</title>
	166
	167	<para>The name field specifies the user or group name. The specified name must consist only of the characters a-z,
	168	A-Z, 0-9, <literal>_</literal> and <literal>-</literal>, except for the first character which must be one of a-z,
	169	A-Z or <literal>_</literal> (i.e. numbers and <literal>-</literal> are not permitted as first character). The
	170	user/group name must have at least one character, and at most 31.</para>
	171
	172	<para>It is strongly recommended to pick user and group names that are unlikely to clash with normal users
	173	created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the
	174	underscore, and avoiding too generic names.</para>
	175
	176	<para>For <varname>m</varname> lines, this field should contain
	177	the user name to add to a group.</para>
	178
	179	<para>For lines of type <varname>r</varname>, this field should
	180	be set to <literal>-</literal>.</para>
	181	</refsect2>
	182
	183	<refsect2>
	184	<title>ID</title>
	185
	186	<para>For <varname>u</varname> and <varname>g</varname>, the
	187	numeric 32-bit UID or GID of the user/group. Do not use IDs 65535
	188	or 4294967295, as they have special placeholder meanings.
	189	Specify <literal>-</literal> for automatic UID/GID allocation
	190	for the user or group (this is strongly recommended unless it is strictly
	191	necessary to use a specific UID or GID). Alternatively, specify an absolute path
	192	in the file system. In this case, the UID/GID is read from the
	193	path's owner/group. This is useful to create users whose UID/GID
	194	match the owners of pre-existing files (such as SUID or SGID
	195	binaries).
	196	The syntax <literal><replaceable>uid</replaceable>:<replaceable>gid</replaceable></literal> is also supported to
	197	allow creating user and group pairs with different numeric UID and GID values. The group with the indicated GID must get created explicitly before or it must already exist.
	198	</para>
	199
	200	<para>For <varname>m</varname> lines, this field should contain
	201	the group name to add to a user to.</para>
	202
	203	<para>For lines of type <varname>r</varname>, this field should
	204	be set to a UID/GID range in the format
	205	<literal>FROM-TO</literal>, where both values are formatted as
	206	decimal ASCII numbers. Alternatively, a single UID/GID may be
	207	specified formatted as decimal ASCII numbers.</para>
	208	</refsect2>
	209
	210	<refsect2>
	211	<title>GECOS</title>
	212
	213	<para>A short, descriptive string for users to be created, enclosed in
	214	quotation marks. Note that this field may not contain colons.</para>
	215
	216	<para>Only applies to lines of type <varname>u</varname> and should otherwise
	217	be left unset (or <literal>-</literal>).</para>
	218	</refsect2>
	219
	220	<refsect2>
	221	<title>Home Directory</title>
	222
	223	<para>The home directory for a new system user. If omitted, defaults to the
	224	root directory.</para>
	225
	226	<para>Only applies to lines of type <varname>u</varname> and should otherwise
	227	be left unset (or <literal>-</literal>). It is recommended to omit this, unless
	228	software strictly requires a home directory to be set.</para>
	229	</refsect2>
	230
	231	<refsect2>
	232	<title>Shell</title>
	233
	234	<para>The login shell of the user. If not specified, this will be set to
	235	<filename>/sbin/nologin</filename>, except if the UID of the user is 0, in
	236	which case <filename>/bin/sh</filename> will be used.</para>
	237
	238	<para>Only applies to lines of type <varname>u</varname> and should otherwise
	239	be left unset (or <literal>-</literal>). It is recommended to omit this, unless
	240	a shell different <filename>/sbin/nologin</filename> must be used.</para>
	241	</refsect2>
	242	</refsect1>
	243
	244	<refsect1>
	245	<title>Idempotence</title>
	246
	247	<para>Note that <command>systemd-sysusers</command> will do nothing if the
	248	specified users or groups already exist or the users are members of specified
	249	groups, so normally there is no reason to override
	250	<filename>sysusers.d</filename> vendor configuration, except to block certain
	251	users or groups from being created.</para>
	252	</refsect1>
	253
	254	<refsect1>
	255	<title>See Also</title>
	256	<para>
	257	<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
	258	<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>
	259	</para>
	260	</refsect1>
	261
	262	</refentry>