<?xml version="1.0"?>
<!--*-nxml-*-->
-<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
-<!--
- This file is part of systemd.
-
- Copyright 2014 Lennart Poettering
-
- systemd is free software; you can redistribute it and/or modify it
- under the terms of the GNU Lesser General Public License as published by
- the Free Software Foundation; either version 2.1 of the License, or
- (at your option) any later version.
-
- systemd is distributed in the hope that it will be useful, but
- WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
- Lesser General Public License for more details.
-
- You should have received a copy of the GNU Lesser General Public License
- along with systemd; If not, see <http://www.gnu.org/licenses/>.
--->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1+ -->
<refentry id="sysusers.d" conditional='ENABLE_SYSUSERS'
xmlns:xi="http://www.w3.org/2001/XInclude">
<refentryinfo>
<title>sysusers.d</title>
<productname>systemd</productname>
-
- <authorgroup>
- <author>
- <contrib>Developer</contrib>
- <firstname>Lennart</firstname>
- <surname>Poettering</surname>
- <email>lennart@poettering.net</email>
- </author>
- </authorgroup>
</refentryinfo>
<refmeta>
<para><filename>/etc/sysusers.d/*.conf</filename></para>
<para><filename>/run/sysusers.d/*.conf</filename></para>
<para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
+
+ <programlisting>
+#Type Name ID GECOS Home directory Shell
+u user_name uid "User Description" /path/to/shell
+u user_name uid:gid - -
+u user_name /file/owned/by/user - -
+g group_name gid "Group Description"
+g group_name /file/owned/by/group -
+m user_name group_name
+r - lowest-highest</programlisting>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
- <para><command>systemd-sysusers</command> uses the files from <filename>sysusers.d</filename> directory to create
- system users and groups at package installation or boot time. This tool may be used to allocate system users and
- groups only, it is not useful for creating non-system (i.e. regular, "human") users and groups, as it accesses
- <filename>/etc/passwd</filename> and <filename>/etc/group</filename> directly, bypassing any more complex user
- databases, for example any database involving NIS or LDAP.</para>
+ <para><command>systemd-sysusers</command> uses the files from
+ <filename>sysusers.d</filename> directory to create system users and groups and
+ to add users to groups, at package installation or boot time. This tool may be
+ used to allocate system users and groups only, it is not useful for creating
+ non-system (i.e. regular, "human") users and groups, as it accesses
+ <filename>/etc/passwd</filename> and <filename>/etc/group</filename> directly,
+ bypassing any more complex user databases, for example any database involving NIS
+ or LDAP.</para>
</refsect1>
<refsect1>
<refsect1>
<title>Configuration File Format</title>
- <para>The file format is one line per user or group containing
- name, ID, GECOS field description and home directory:</para>
+ <para>The file format is one line per user or group containing name, ID, GECOS
+ field description, home directory, and login shell:</para>
- <programlisting>#Type Name ID GECOS Home directory
-u httpd 440 "HTTP User"
-u authd /usr/bin/authd "Authorization user"
-g input - -
-m authd input
-u root 0 "Superuser" /root</programlisting>
+ <programlisting>#Type Name ID GECOS Home directory Shell
+u httpd 404 "HTTP User"
+u _authd /usr/bin/authd "Authorization user"
+u postgres - "Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb
+g input - -
+m _authd input
+u root 0 "Superuser" /root /bin/zsh
+r - 500-900
+</programlisting>
<para>Empty lines and lines beginning with the <literal>#</literal> character are ignored, and may be used for
commenting.</para>
<variablelist>
<varlistentry>
<term><varname>u</varname></term>
- <listitem><para>Create a system user and group of the
- specified name should they not exist yet. The user's primary
- group will be set to the group bearing the same name. The
- user's shell will be set to
- <filename>/sbin/nologin</filename>, the home directory to
- the specified home directory, or <filename>/</filename> if
- none is given. The account will be created disabled, so that
- logins are not allowed.</para></listitem>
+ <listitem><para>Create a system user and group of the specified name should
+ they not exist yet. The user's primary group will be set to the group
+ bearing the same name unless the ID field specifies it. The account will be
+ created disabled, so that logins are not allowed.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>g</varname></term>
<listitem><para>Create a system group of the specified name
should it not exist yet. Note that <varname>u</varname>
- implicitly create a matching group. The group will be
+ implicitly creates a matching group. The group will be
created with no password set.</para></listitem>
</varlistentry>
A-Z or <literal>_</literal> (i.e. numbers and <literal>-</literal> are not permitted as first character). The
user/group name must have at least one character, and at most 31.</para>
+ <para>For further details about the syntax of user/group names, see <ulink
+ url="https://systemd.io/USER_NAMES">User/Group Name Syntax</ulink>.</para>
+
<para>It is strongly recommended to pick user and group names that are unlikely to clash with normal users
created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the
underscore, and avoiding too generic names.</para>
numeric 32-bit UID or GID of the user/group. Do not use IDs 65535
or 4294967295, as they have special placeholder meanings.
Specify <literal>-</literal> for automatic UID/GID allocation
- for the user or group. Alternatively, specify an absolute path
+ for the user or group (this is strongly recommended unless it is strictly
+ necessary to use a specific UID or GID). Alternatively, specify an absolute path
in the file system. In this case, the UID/GID is read from the
path's owner/group. This is useful to create users whose UID/GID
match the owners of pre-existing files (such as SUID or SGID
- binaries).</para>
+ binaries).
+ The syntaxes <literal><replaceable>uid</replaceable>:<replaceable>gid</replaceable></literal> and
+ <literal><replaceable>uid</replaceable>:<replaceable>groupname</replaceable></literal> are supported to
+ allow creating users with specific primary groups. The given group must be created explicitly, or it
+ must already exist. Specifying <literal>-</literal> for the UID in these syntaxes is also supported.
+ </para>
<para>For <varname>m</varname> lines, this field should contain
the group name to add to a user to.</para>
<refsect2>
<title>GECOS</title>
- <para>A short, descriptive string for users to be created,
- enclosed in quotation marks. Note that this field may not
- contain colons.</para>
+ <para>A short, descriptive string for users to be created, enclosed in
+ quotation marks. Note that this field may not contain colons.</para>
- <para>Only applies to lines of type <varname>u</varname> and
- should otherwise be left unset, or be set to
- <literal>-</literal>.</para>
+ <para>Only applies to lines of type <varname>u</varname> and should otherwise
+ be left unset (or <literal>-</literal>).</para>
</refsect2>
<refsect2>
<title>Home Directory</title>
- <para>The home directory for a new system user. If omitted,
- defaults to the root directory. It is recommended to not
- unnecessarily specify home directories for system users, unless
- software strictly requires one to be set.</para>
+ <para>The home directory for a new system user. If omitted, defaults to the
+ root directory.</para>
- <para>Only applies to lines of type <varname>u</varname> and
- should otherwise be left unset, or be set to
- <literal>-</literal>.</para>
+ <para>Only applies to lines of type <varname>u</varname> and should otherwise
+ be left unset (or <literal>-</literal>). It is recommended to omit this, unless
+ software strictly requires a home directory to be set.</para>
</refsect2>
+
+ <refsect2>
+ <title>Shell</title>
+
+ <para>The login shell of the user. If not specified, this will be set to
+ <filename>/usr/sbin/nologin</filename>, except if the UID of the user is 0, in
+ which case <filename>/bin/sh</filename> will be used.</para>
+
+ <para>Only applies to lines of type <varname>u</varname> and should otherwise
+ be left unset (or <literal>-</literal>). It is recommended to omit this, unless
+ a shell different <filename>/usr/sbin/nologin</filename> must be used.</para>
+ </refsect2>
+ </refsect1>
+
+ <refsect1>
+ <title>Specifiers</title>
+
+ <para>Specifiers can be used in the "Name", "ID", "GECOS", "Home directory", and "Shell" fields.
+ An unknown or unresolvable specifier is treated as invalid configuration.
+ The following expansions are understood:</para>
+ <table>
+ <title>Specifiers available</title>
+ <tgroup cols='3' align='left' colsep='1' rowsep='1'>
+ <colspec colname="spec" />
+ <colspec colname="mean" />
+ <colspec colname="detail" />
+ <thead>
+ <row>
+ <entry>Specifier</entry>
+ <entry>Meaning</entry>
+ <entry>Details</entry>
+ </row>
+ </thead>
+ <tbody>
+ <row>
+ <entry><literal>%b</literal></entry>
+ <entry>Boot ID</entry>
+ <entry>The boot ID of the running system, formatted as string. See <citerefentry><refentrytitle>random</refentrytitle><manvolnum>4</manvolnum></citerefentry> for more information.</entry>
+ </row>
+ <row>
+ <entry><literal>%H</literal></entry>
+ <entry>Host name</entry>
+ <entry>The hostname of the running system.</entry>
+ </row>
+ <row>
+ <entry><literal>%m</literal></entry>
+ <entry>Machine ID</entry>
+ <entry>The machine ID of the running system, formatted as string. See <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information.</entry>
+ </row>
+ <row>
+ <entry><literal>%T</literal></entry>
+ <entry>Directory for temporary files</entry>
+ <entry>This is either <filename>/tmp</filename> or the path <literal>$TMPDIR</literal>, <literal>$TEMP</literal> or <literal>$TMP</literal> are set to.</entry>
+ </row>
+ <row>
+ <entry><literal>%v</literal></entry>
+ <entry>Kernel release</entry>
+ <entry>Identical to <command>uname -r</command> output.</entry>
+ </row>
+ <row>
+ <entry><literal>%V</literal></entry>
+ <entry>Directory for larger and persistent temporary files</entry>
+ <entry>This is either <filename>/var/tmp</filename> or the path <literal>$TMPDIR</literal>, <literal>$TEMP</literal> or <literal>$TMP</literal> are set to.</entry>
+ </row>
+ <row>
+ <entry><literal>%%</literal></entry>
+ <entry>Escaped <literal>%</literal></entry>
+ <entry>Single percent sign.</entry>
+ </row>
+ </tbody>
+ </tgroup>
+ </table>
</refsect1>
<refsect1>
<title>Idempotence</title>
- <para>Note that <command>systemd-sysusers</command> will do
- nothing if the specified users or groups already exist, so
- normally, there is no reason to override
- <filename>sysusers.d</filename> vendor configuration, except to
- block certain users or groups from being created.</para>
+ <para>Note that <command>systemd-sysusers</command> will do nothing if the
+ specified users or groups already exist or the users are members of specified
+ groups, so normally there is no reason to override
+ <filename>sysusers.d</filename> vendor configuration, except to block certain
+ users or groups from being created.</para>
</refsect1>
<refsect1>