3 <!DOCTYPE refentry PUBLIC
"-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
5 SPDX-License-Identifier: LGPL-2.1+
7 This file is part of systemd.
9 Copyright 2014 Lennart Poettering
11 systemd is free software; you can redistribute it and/or modify it
12 under the terms of the GNU Lesser General Public License as published by
13 the Free Software Foundation; either version 2.1 of the License, or
14 (at your option) any later version.
16 systemd is distributed in the hope that it will be useful, but
17 WITHOUT ANY WARRANTY; without even the implied warranty of
18 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
19 Lesser General Public License for more details.
21 You should have received a copy of the GNU Lesser General Public License
22 along with systemd; If not, see <http://www.gnu.org/licenses/>.
24 <refentry id=
"sysusers.d" conditional='ENABLE_SYSUSERS'
25 xmlns:
xi=
"http://www.w3.org/2001/XInclude">
28 <title>sysusers.d
</title>
29 <productname>systemd
</productname>
33 <contrib>Developer
</contrib>
34 <firstname>Lennart
</firstname>
35 <surname>Poettering
</surname>
36 <email>lennart@poettering.net
</email>
42 <refentrytitle>sysusers.d
</refentrytitle>
43 <manvolnum>5</manvolnum>
47 <refname>sysusers.d
</refname>
48 <refpurpose>Declarative allocation of system users and groups
</refpurpose>
52 <para><filename>/etc/sysusers.d/*.conf
</filename></para>
53 <para><filename>/run/sysusers.d/*.conf
</filename></para>
54 <para><filename>/usr/lib/sysusers.d/*.conf
</filename></para>
58 <title>Description
</title>
60 <para><command>systemd-sysusers
</command> uses the files from
61 <filename>sysusers.d
</filename> directory to create system users and groups and
62 to add users to groups, at package installation or boot time. This tool may be
63 used to allocate system users and groups only, it is not useful for creating
64 non-system (i.e. regular,
"human") users and groups, as it accesses
65 <filename>/etc/passwd
</filename> and
<filename>/etc/group
</filename> directly,
66 bypassing any more complex user databases, for example any database involving NIS
71 <title>Configuration Directories and Precedence
</title>
73 <para>Each configuration file shall be named in the style of
74 <filename><replaceable>package
</replaceable>.conf
</filename> or
75 <filename><replaceable>package
</replaceable>-
<replaceable>part
</replaceable>.conf
</filename>.
76 The second variant should be used when it is desirable to make it
77 easy to override just this part of configuration.
</para>
79 <para>Files in
<filename>/etc/sysusers.d
</filename> override files
80 with the same name in
<filename>/usr/lib/sysusers.d
</filename> and
81 <filename>/run/sysusers.d
</filename>. Files in
82 <filename>/run/sysusers.d
</filename> override files with the same
83 name in
<filename>/usr/lib/sysusers.d
</filename>. Packages should
84 install their configuration files in
85 <filename>/usr/lib/sysusers.d
</filename>. Files in
86 <filename>/etc/sysusers.d
</filename> are reserved for the local
87 administrator, who may use this logic to override the
88 configuration files installed by vendor packages. All
89 configuration files are sorted by their filename in lexicographic
90 order, regardless of which of the directories they reside in. If
91 multiple files specify the same path, the entry in the file with
92 the lexicographically earliest name will be applied. All later
93 entries for the same user and group names will be logged as warnings.
96 <para>If the administrator wants to disable a configuration file
97 supplied by the vendor, the recommended way is to place a symlink
98 to
<filename>/dev/null
</filename> in
99 <filename>/etc/sysusers.d/
</filename> bearing the same filename.
104 <title>Configuration File Format
</title>
106 <para>The file format is one line per user or group containing name, ID, GECOS
107 field description, home directory, and login shell:
</para>
109 <programlisting>#Type Name ID GECOS Home directory Shell
110 u httpd
404 "HTTP User"
111 u authd /usr/bin/authd
"Authorization user"
112 u postgres -
"Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb
115 u root
0 "Superuser" /root /bin/zsh
</programlisting>
117 <para>Empty lines and lines beginning with the
<literal>#
</literal> character are ignored, and may be used for
123 <para>The type consists of a single letter. The following line
124 types are understood:
</para>
128 <term><varname>u
</varname></term>
129 <listitem><para>Create a system user and group of the specified name should
130 they not exist yet. The user's primary group will be set to the group
131 bearing the same name. The account will be created disabled, so that logins
132 are not allowed.
</para></listitem>
136 <term><varname>g
</varname></term>
137 <listitem><para>Create a system group of the specified name
138 should it not exist yet. Note that
<varname>u
</varname>
139 implicitly create a matching group. The group will be
140 created with no password set.
</para></listitem>
144 <term><varname>m
</varname></term>
145 <listitem><para>Add a user to a group. If the user or group
146 do not exist yet, they will be implicitly
147 created.
</para></listitem>
151 <term><varname>r
</varname></term>
152 <listitem><para>Add a range of numeric UIDs/GIDs to the pool
153 to allocate new UIDs and GIDs from. If no line of this type
154 is specified, the range of UIDs/GIDs is set to some
155 compiled-in default. Note that both UIDs and GIDs are
156 allocated from the same pool, in order to ensure that users
157 and groups of the same name are likely to carry the same
158 numeric UID and GID.
</para></listitem>
167 <para>The name field specifies the user or group name. The specified name must consist only of the characters a-z,
168 A-Z,
0-
9,
<literal>_
</literal> and
<literal>-
</literal>, except for the first character which must be one of a-z,
169 A-Z or
<literal>_
</literal> (i.e. numbers and
<literal>-
</literal> are not permitted as first character). The
170 user/group name must have at least one character, and at most
31.
</para>
172 <para>It is strongly recommended to pick user and group names that are unlikely to clash with normal users
173 created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the
174 underscore, and avoiding too generic names.
</para>
176 <para>For
<varname>m
</varname> lines, this field should contain
177 the user name to add to a group.
</para>
179 <para>For lines of type
<varname>r
</varname>, this field should
180 be set to
<literal>-
</literal>.
</para>
186 <para>For
<varname>u
</varname> and
<varname>g
</varname>, the
187 numeric
32-bit UID or GID of the user/group. Do not use IDs
65535
188 or
4294967295, as they have special placeholder meanings.
189 Specify
<literal>-
</literal> for automatic UID/GID allocation
190 for the user or group (this is strongly recommended unless it is strictly
191 necessary to use a specific UID or GID). Alternatively, specify an absolute path
192 in the file system. In this case, the UID/GID is read from the
193 path's owner/group. This is useful to create users whose UID/GID
194 match the owners of pre-existing files (such as SUID or SGID
196 The syntax
<literal><replaceable>uid
</replaceable>:
<replaceable>gid
</replaceable></literal> is also supported to
197 allow creating user and group pairs with different numeric UID and GID values. The group with the indicated GID must get created explicitly before or it must already exist. Specifying
<literal>-
</literal> for the UID in this syntax
201 <para>For
<varname>m
</varname> lines, this field should contain
202 the group name to add to a user to.
</para>
204 <para>For lines of type
<varname>r
</varname>, this field should
205 be set to a UID/GID range in the format
206 <literal>FROM-TO
</literal>, where both values are formatted as
207 decimal ASCII numbers. Alternatively, a single UID/GID may be
208 specified formatted as decimal ASCII numbers.
</para>
214 <para>A short, descriptive string for users to be created, enclosed in
215 quotation marks. Note that this field may not contain colons.
</para>
217 <para>Only applies to lines of type
<varname>u
</varname> and should otherwise
218 be left unset (or
<literal>-
</literal>).
</para>
222 <title>Home Directory
</title>
224 <para>The home directory for a new system user. If omitted, defaults to the
225 root directory.
</para>
227 <para>Only applies to lines of type
<varname>u
</varname> and should otherwise
228 be left unset (or
<literal>-
</literal>). It is recommended to omit this, unless
229 software strictly requires a home directory to be set.
</para>
235 <para>The login shell of the user. If not specified, this will be set to
236 <filename>/sbin/nologin
</filename>, except if the UID of the user is
0, in
237 which case
<filename>/bin/sh
</filename> will be used.
</para>
239 <para>Only applies to lines of type
<varname>u
</varname> and should otherwise
240 be left unset (or
<literal>-
</literal>). It is recommended to omit this, unless
241 a shell different
<filename>/sbin/nologin
</filename> must be used.
</para>
246 <title>Idempotence
</title>
248 <para>Note that
<command>systemd-sysusers
</command> will do nothing if the
249 specified users or groups already exist or the users are members of specified
250 groups, so normally there is no reason to override
251 <filename>sysusers.d
</filename> vendor configuration, except to block certain
252 users or groups from being created.
</para>
256 <title>See Also
</title>
258 <citerefentry><refentrytitle>systemd
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
259 <citerefentry><refentrytitle>systemd-sysusers
</refentrytitle><manvolnum>8</manvolnum></citerefentry>
projects / thirdparty / systemd.git / blob