man/sysusers.d.xml

   1 <?xml version="1.0"?>
   2 <!--*-nxml-*-->
   3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
   4 <!--
   5   SPDX-License-Identifier: LGPL-2.1+
   6
   7   This file is part of systemd.
   8
   9   Copyright 2014 Lennart Poettering
  10 -->
  11 <refentry id="sysusers.d" conditional='ENABLE_SYSUSERS'
  12     xmlns:xi="http://www.w3.org/2001/XInclude">
  13
  14   <refentryinfo>
  15     <title>sysusers.d</title>
  16     <productname>systemd</productname>
  17
  18     <authorgroup>
  19       <author>
  20         <contrib>Developer</contrib>
  21         <firstname>Lennart</firstname>
  22         <surname>Poettering</surname>
  23         <email>lennart@poettering.net</email>
  24       </author>
  25     </authorgroup>
  26   </refentryinfo>
  27
  28   <refmeta>
  29     <refentrytitle>sysusers.d</refentrytitle>
  30     <manvolnum>5</manvolnum>
  31   </refmeta>
  32
  33   <refnamediv>
  34     <refname>sysusers.d</refname>
  35     <refpurpose>Declarative allocation of system users and groups</refpurpose>
  36   </refnamediv>
  37
  38   <refsynopsisdiv>
  39     <para><filename>/etc/sysusers.d/*.conf</filename></para>
  40     <para><filename>/run/sysusers.d/*.conf</filename></para>
  41     <para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
  42   </refsynopsisdiv>
  43
  44   <refsect1>
  45     <title>Description</title>
  46
  47     <para><command>systemd-sysusers</command> uses the files from
  48     <filename>sysusers.d</filename> directory to create system users and groups and
  49     to add users to groups, at package installation or boot time. This tool may be
  50     used to allocate system users and groups only, it is not useful for creating
  51     non-system (i.e. regular, "human") users and groups, as it accesses
  52     <filename>/etc/passwd</filename> and <filename>/etc/group</filename> directly,
  53     bypassing any more complex user databases, for example any database involving NIS
  54     or LDAP.</para>
  55   </refsect1>
  56
  57   <refsect1>
  58     <title>Configuration Directories and Precedence</title>
  59
  60     <para>Each configuration file shall be named in the style of
  61     <filename><replaceable>package</replaceable>.conf</filename> or
  62     <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
  63     The second variant should be used when it is desirable to make it
  64     easy to override just this part of configuration.</para>
  65
  66     <para>Files in <filename>/etc/sysusers.d</filename> override files
  67     with the same name in <filename>/usr/lib/sysusers.d</filename> and
  68     <filename>/run/sysusers.d</filename>. Files in
  69     <filename>/run/sysusers.d</filename> override files with the same
  70     name in <filename>/usr/lib/sysusers.d</filename>. Packages should
  71     install their configuration files in
  72     <filename>/usr/lib/sysusers.d</filename>. Files in
  73     <filename>/etc/sysusers.d</filename> are reserved for the local
  74     administrator, who may use this logic to override the
  75     configuration files installed by vendor packages. All
  76     configuration files are sorted by their filename in lexicographic
  77     order, regardless of which of the directories they reside in. If
  78     multiple files specify the same path, the entry in the file with
  79     the lexicographically earliest name will be applied. All later
  80     entries for the same user and group names will be logged as warnings.
  81     </para>
  82
  83     <para>If the administrator wants to disable a configuration file
  84     supplied by the vendor, the recommended way is to place a symlink
  85     to <filename>/dev/null</filename> in
  86     <filename>/etc/sysusers.d/</filename> bearing the same filename.
  87     </para>
  88   </refsect1>
  89
  90   <refsect1>
  91     <title>Configuration File Format</title>
  92
  93     <para>The file format is one line per user or group containing name, ID, GECOS
  94     field description, home directory, and login shell:</para>
  95
  96     <programlisting>#Type Name     ID             GECOS                 Home directory Shell
  97 u     httpd    404            "HTTP User"
  98 u     authd    /usr/bin/authd "Authorization user"
  99 u     postgres -              "Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb
 100 g     input    -              -
 101 m     authd    input
 102 u     root     0              "Superuser"           /root          /bin/zsh</programlisting>
 103
 104     <para>Empty lines and lines beginning with the <literal>#</literal> character are ignored, and may be used for
 105     commenting.</para>
 106
 107     <refsect2>
 108       <title>Type</title>
 109
 110       <para>The type consists of a single letter. The following line
 111       types are understood:</para>
 112
 113       <variablelist>
 114         <varlistentry>
 115           <term><varname>u</varname></term>
 116           <listitem><para>Create a system user and group of the specified name should
 117           they not exist yet. The user's primary group will be set to the group
 118           bearing the same name. The account will be created disabled, so that logins
 119           are not allowed.</para></listitem>
 120         </varlistentry>
 121
 122         <varlistentry>
 123           <term><varname>g</varname></term>
 124           <listitem><para>Create a system group of the specified name
 125           should it not exist yet. Note that <varname>u</varname>
 126           implicitly create a matching group. The group will be
 127           created with no password set.</para></listitem>
 128         </varlistentry>
 129
 130         <varlistentry>
 131           <term><varname>m</varname></term>
 132           <listitem><para>Add a user to a group. If the user or group
 133           do not exist yet, they will be implicitly
 134           created.</para></listitem>
 135         </varlistentry>
 136
 137         <varlistentry>
 138           <term><varname>r</varname></term>
 139           <listitem><para>Add a range of numeric UIDs/GIDs to the pool
 140           to allocate new UIDs and GIDs from. If no line of this type
 141           is specified, the range of UIDs/GIDs is set to some
 142           compiled-in default. Note that both UIDs and GIDs are
 143           allocated from the same pool, in order to ensure that users
 144           and groups of the same name are likely to carry the same
 145           numeric UID and GID.</para></listitem>
 146         </varlistentry>
 147
 148       </variablelist>
 149     </refsect2>
 150
 151     <refsect2>
 152       <title>Name</title>
 153
 154       <para>The name field specifies the user or group name. The specified name must consist only of the characters a-z,
 155       A-Z, 0-9, <literal>_</literal> and <literal>-</literal>, except for the first character which must be one of a-z,
 156       A-Z or <literal>_</literal> (i.e. numbers and <literal>-</literal> are not permitted as first character). The
 157       user/group name must have at least one character, and at most 31.</para>
 158
 159       <para>It is strongly recommended to pick user and group names that are unlikely to clash with normal users
 160       created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the
 161       underscore, and avoiding too generic names.</para>
 162
 163       <para>For <varname>m</varname> lines, this field should contain
 164       the user name to add to a group.</para>
 165
 166       <para>For lines of type <varname>r</varname>, this field should
 167       be set to <literal>-</literal>.</para>
 168     </refsect2>
 169
 170     <refsect2>
 171       <title>ID</title>
 172
 173       <para>For <varname>u</varname> and <varname>g</varname>, the
 174       numeric 32-bit UID or GID of the user/group. Do not use IDs 65535
 175       or 4294967295, as they have special placeholder meanings.
 176       Specify <literal>-</literal> for automatic UID/GID allocation
 177       for the user or group (this is strongly recommended unless it is strictly
 178       necessary to use a specific UID or GID). Alternatively, specify an absolute path
 179       in the file system. In this case, the UID/GID is read from the
 180       path's owner/group. This is useful to create users whose UID/GID
 181       match the owners of pre-existing files (such as SUID or SGID
 182       binaries).
 183       The syntax <literal><replaceable>uid</replaceable>:<replaceable>gid</replaceable></literal> is also supported to
 184       allow creating user and group pairs with different numeric UID and GID values. The group with the indicated GID must get created explicitly before or it must already exist. Specifying <literal>-</literal> for the UID in this syntax
 185       is also supported.
 186       </para>
 187
 188       <para>For <varname>m</varname> lines, this field should contain
 189       the group name to add to a user to.</para>
 190
 191       <para>For lines of type <varname>r</varname>, this field should
 192       be set to a UID/GID range in the format
 193       <literal>FROM-TO</literal>, where both values are formatted as
 194       decimal ASCII numbers. Alternatively, a single UID/GID may be
 195       specified formatted as decimal ASCII numbers.</para>
 196     </refsect2>
 197
 198     <refsect2>
 199       <title>GECOS</title>
 200
 201       <para>A short, descriptive string for users to be created, enclosed in
 202       quotation marks. Note that this field may not contain colons.</para>
 203
 204       <para>Only applies to lines of type <varname>u</varname> and should otherwise
 205       be left unset (or <literal>-</literal>).</para>
 206     </refsect2>
 207
 208     <refsect2>
 209       <title>Home Directory</title>
 210
 211       <para>The home directory for a new system user. If omitted, defaults to the
 212       root directory.</para>
 213
 214       <para>Only applies to lines of type <varname>u</varname> and should otherwise
 215       be left unset (or <literal>-</literal>). It is recommended to omit this, unless
 216       software strictly requires a home directory to be set.</para>
 217     </refsect2>
 218
 219     <refsect2>
 220       <title>Shell</title>
 221
 222       <para>The login shell of the user. If not specified, this will be set to
 223       <filename>/sbin/nologin</filename>, except if the UID of the user is 0, in
 224       which case <filename>/bin/sh</filename> will be used.</para>
 225
 226       <para>Only applies to lines of type <varname>u</varname> and should otherwise
 227       be left unset (or <literal>-</literal>). It is recommended to omit this, unless
 228       a shell different <filename>/sbin/nologin</filename> must be used.</para>
 229     </refsect2>
 230   </refsect1>
 231
 232   <refsect1>
 233     <title>Specifiers</title>
 234
 235     <para>Specifiers can be used in the "Name", "ID", "GECOS", "Home directory", and "Shell" fields.
 236     An unknown or unresolvable specifier is treated as invalid configuration.
 237     The following expansions are understood:</para>
 238       <table>
 239         <title>Specifiers available</title>
 240         <tgroup cols='3' align='left' colsep='1' rowsep='1'>
 241           <colspec colname="spec" />
 242           <colspec colname="mean" />
 243           <colspec colname="detail" />
 244           <thead>
 245             <row>
 246               <entry>Specifier</entry>
 247               <entry>Meaning</entry>
 248               <entry>Details</entry>
 249             </row>
 250           </thead>
 251           <tbody>
 252             <row>
 253               <entry><literal>%b</literal></entry>
 254               <entry>Boot ID</entry>
 255               <entry>The boot ID of the running system, formatted as string. See <citerefentry><refentrytitle>random</refentrytitle><manvolnum>4</manvolnum></citerefentry> for more information.</entry>
 256             </row>
 257             <row>
 258               <entry><literal>%H</literal></entry>
 259               <entry>Host name</entry>
 260               <entry>The hostname of the running system.</entry>
 261             </row>
 262             <row>
 263               <entry><literal>%m</literal></entry>
 264               <entry>Machine ID</entry>
 265               <entry>The machine ID of the running system, formatted as string. See <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information.</entry>
 266             </row>
 267             <row>
 268               <entry><literal>%T</literal></entry>
 269               <entry>Directory for temporary files</entry>
 270               <entry>This is either <filename>/tmp</filename> or the path <literal>$TMPDIR</literal>, <literal>$TEMP</literal> or <literal>$TMP</literal> are set to.</entry>
 271             </row>
 272             <row>
 273               <entry><literal>%v</literal></entry>
 274               <entry>Kernel release</entry>
 275               <entry>Identical to <command>uname -r</command> output.</entry>
 276             </row>
 277             <row>
 278               <entry><literal>%V</literal></entry>
 279               <entry>Directory for larger and persistent temporary files</entry>
 280               <entry>This is either <filename>/var/tmp</filename> or the path <literal>$TMPDIR</literal>, <literal>$TEMP</literal> or <literal>$TMP</literal> are set to.</entry>
 281             </row>
 282             <row>
 283               <entry><literal>%%</literal></entry>
 284               <entry>Escaped <literal>%</literal></entry>
 285               <entry>Single percent sign.</entry>
 286             </row>
 287           </tbody>
 288         </tgroup>
 289       </table>
 290   </refsect1>
 291
 292   <refsect1>
 293     <title>Idempotence</title>
 294
 295     <para>Note that <command>systemd-sysusers</command> will do nothing if the
 296     specified users or groups already exist or the users are members of specified
 297     groups, so normally there is no reason to override
 298     <filename>sysusers.d</filename> vendor configuration, except to block certain
 299     users or groups from being created.</para>
 300   </refsect1>
 301
 302   <refsect1>
 303     <title>See Also</title>
 304     <para>
 305       <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
 306       <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>
 307     </para>
 308   </refsect1>
 309
 310 </refentry>