3 <!DOCTYPE refentry PUBLIC
"-//OASIS//DTD DocBook XML V4.5//EN"
4 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
5 <!-- SPDX-License-Identifier: LGPL-2.1+ -->
6 <refentry id=
"sysusers.d" conditional='ENABLE_SYSUSERS'
7 xmlns:
xi=
"http://www.w3.org/2001/XInclude">
10 <title>sysusers.d
</title>
11 <productname>systemd
</productname>
15 <refentrytitle>sysusers.d
</refentrytitle>
16 <manvolnum>5</manvolnum>
20 <refname>sysusers.d
</refname>
21 <refpurpose>Declarative allocation of system users and groups
</refpurpose>
25 <para><filename>/etc/sysusers.d/*.conf
</filename></para>
26 <para><filename>/run/sysusers.d/*.conf
</filename></para>
27 <para><filename>/usr/lib/sysusers.d/*.conf
</filename></para>
30 #Type Name ID GECOS Home directory Shell
31 u user_name uid
"User Description" /path/to/shell
32 u user_name uid:gid - -
33 u user_name /file/owned/by/user - -
34 g group_name gid
"Group Description"
35 g group_name /file/owned/by/group -
36 m user_name group_name
37 r - lowest-highest
</programlisting>
41 <title>Description
</title>
43 <para><command>systemd-sysusers
</command> uses the files from
44 <filename>sysusers.d
</filename> directory to create system users and groups and
45 to add users to groups, at package installation or boot time. This tool may be
46 used to allocate system users and groups only, it is not useful for creating
47 non-system (i.e. regular,
"human") users and groups, as it accesses
48 <filename>/etc/passwd
</filename> and
<filename>/etc/group
</filename> directly,
49 bypassing any more complex user databases, for example any database involving NIS
54 <title>Configuration Directories and Precedence
</title>
56 <para>Each configuration file shall be named in the style of
57 <filename><replaceable>package
</replaceable>.conf
</filename> or
58 <filename><replaceable>package
</replaceable>-
<replaceable>part
</replaceable>.conf
</filename>.
59 The second variant should be used when it is desirable to make it
60 easy to override just this part of configuration.
</para>
62 <para>Files in
<filename>/etc/sysusers.d
</filename> override files
63 with the same name in
<filename>/usr/lib/sysusers.d
</filename> and
64 <filename>/run/sysusers.d
</filename>. Files in
65 <filename>/run/sysusers.d
</filename> override files with the same
66 name in
<filename>/usr/lib/sysusers.d
</filename>. Packages should
67 install their configuration files in
68 <filename>/usr/lib/sysusers.d
</filename>. Files in
69 <filename>/etc/sysusers.d
</filename> are reserved for the local
70 administrator, who may use this logic to override the
71 configuration files installed by vendor packages. All
72 configuration files are sorted by their filename in lexicographic
73 order, regardless of which of the directories they reside in. If
74 multiple files specify the same path, the entry in the file with
75 the lexicographically earliest name will be applied. All later
76 entries for the same user and group names will be logged as warnings.
79 <para>If the administrator wants to disable a configuration file
80 supplied by the vendor, the recommended way is to place a symlink
81 to
<filename>/dev/null
</filename> in
82 <filename>/etc/sysusers.d/
</filename> bearing the same filename.
87 <title>Configuration File Format
</title>
89 <para>The file format is one line per user or group containing name, ID, GECOS
90 field description, home directory, and login shell:
</para>
92 <programlisting>#Type Name ID GECOS Home directory Shell
93 u httpd
404 "HTTP User"
94 u _authd /usr/bin/authd
"Authorization user"
95 u postgres -
"Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb
98 u root
0 "Superuser" /root /bin/zsh
102 <para>Empty lines and lines beginning with the
<literal>#
</literal> character are ignored, and may be used for
108 <para>The type consists of a single letter. The following line
109 types are understood:
</para>
113 <term><varname>u
</varname></term>
114 <listitem><para>Create a system user and group of the specified name should
115 they not exist yet. The user's primary group will be set to the group
116 bearing the same name unless the ID field specifies it. The account will be
117 created disabled, so that logins are not allowed.
</para></listitem>
121 <term><varname>g
</varname></term>
122 <listitem><para>Create a system group of the specified name
123 should it not exist yet. Note that
<varname>u
</varname>
124 implicitly creates a matching group. The group will be
125 created with no password set.
</para></listitem>
129 <term><varname>m
</varname></term>
130 <listitem><para>Add a user to a group. If the user or group
131 do not exist yet, they will be implicitly
132 created.
</para></listitem>
136 <term><varname>r
</varname></term>
137 <listitem><para>Add a range of numeric UIDs/GIDs to the pool
138 to allocate new UIDs and GIDs from. If no line of this type
139 is specified, the range of UIDs/GIDs is set to some
140 compiled-in default. Note that both UIDs and GIDs are
141 allocated from the same pool, in order to ensure that users
142 and groups of the same name are likely to carry the same
143 numeric UID and GID.
</para></listitem>
152 <para>The name field specifies the user or group name. The specified name must consist only of the characters a-z,
153 A-Z,
0-
9,
<literal>_
</literal> and
<literal>-
</literal>, except for the first character which must be one of a-z,
154 A-Z or
<literal>_
</literal> (i.e. numbers and
<literal>-
</literal> are not permitted as first character). The
155 user/group name must have at least one character, and at most
31.
</para>
157 <para>It is strongly recommended to pick user and group names that are unlikely to clash with normal users
158 created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the
159 underscore, and avoiding too generic names.
</para>
161 <para>For
<varname>m
</varname> lines, this field should contain
162 the user name to add to a group.
</para>
164 <para>For lines of type
<varname>r
</varname>, this field should
165 be set to
<literal>-
</literal>.
</para>
171 <para>For
<varname>u
</varname> and
<varname>g
</varname>, the
172 numeric
32-bit UID or GID of the user/group. Do not use IDs
65535
173 or
4294967295, as they have special placeholder meanings.
174 Specify
<literal>-
</literal> for automatic UID/GID allocation
175 for the user or group (this is strongly recommended unless it is strictly
176 necessary to use a specific UID or GID). Alternatively, specify an absolute path
177 in the file system. In this case, the UID/GID is read from the
178 path's owner/group. This is useful to create users whose UID/GID
179 match the owners of pre-existing files (such as SUID or SGID
181 The syntaxes
<literal><replaceable>uid
</replaceable>:
<replaceable>gid
</replaceable></literal> and
182 <literal><replaceable>uid
</replaceable>:
<replaceable>groupname
</replaceable></literal> are supported to
183 allow creating users with specific primary groups. The given group must be created explicitly, or it
184 must already exist. Specifying
<literal>-
</literal> for the UID in these syntaxes is also supported.
187 <para>For
<varname>m
</varname> lines, this field should contain
188 the group name to add to a user to.
</para>
190 <para>For lines of type
<varname>r
</varname>, this field should
191 be set to a UID/GID range in the format
192 <literal>FROM-TO
</literal>, where both values are formatted as
193 decimal ASCII numbers. Alternatively, a single UID/GID may be
194 specified formatted as decimal ASCII numbers.
</para>
200 <para>A short, descriptive string for users to be created, enclosed in
201 quotation marks. Note that this field may not contain colons.
</para>
203 <para>Only applies to lines of type
<varname>u
</varname> and should otherwise
204 be left unset (or
<literal>-
</literal>).
</para>
208 <title>Home Directory
</title>
210 <para>The home directory for a new system user. If omitted, defaults to the
211 root directory.
</para>
213 <para>Only applies to lines of type
<varname>u
</varname> and should otherwise
214 be left unset (or
<literal>-
</literal>). It is recommended to omit this, unless
215 software strictly requires a home directory to be set.
</para>
221 <para>The login shell of the user. If not specified, this will be set to
222 <filename>/usr/sbin/nologin
</filename>, except if the UID of the user is
0, in
223 which case
<filename>/bin/sh
</filename> will be used.
</para>
225 <para>Only applies to lines of type
<varname>u
</varname> and should otherwise
226 be left unset (or
<literal>-
</literal>). It is recommended to omit this, unless
227 a shell different
<filename>/usr/sbin/nologin
</filename> must be used.
</para>
232 <title>Specifiers
</title>
234 <para>Specifiers can be used in the
"Name",
"ID",
"GECOS",
"Home directory", and
"Shell" fields.
235 An unknown or unresolvable specifier is treated as invalid configuration.
236 The following expansions are understood:
</para>
238 <title>Specifiers available
</title>
239 <tgroup cols='
3' align='left' colsep='
1' rowsep='
1'
>
240 <colspec colname=
"spec" />
241 <colspec colname=
"mean" />
242 <colspec colname=
"detail" />
245 <entry>Specifier
</entry>
246 <entry>Meaning
</entry>
247 <entry>Details
</entry>
252 <entry><literal>%b
</literal></entry>
253 <entry>Boot ID
</entry>
254 <entry>The boot ID of the running system, formatted as string. See
<citerefentry><refentrytitle>random
</refentrytitle><manvolnum>4</manvolnum></citerefentry> for more information.
</entry>
257 <entry><literal>%H
</literal></entry>
258 <entry>Host name
</entry>
259 <entry>The hostname of the running system.
</entry>
262 <entry><literal>%m
</literal></entry>
263 <entry>Machine ID
</entry>
264 <entry>The machine ID of the running system, formatted as string. See
<citerefentry><refentrytitle>machine-id
</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information.
</entry>
267 <entry><literal>%T
</literal></entry>
268 <entry>Directory for temporary files
</entry>
269 <entry>This is either
<filename>/tmp
</filename> or the path
<literal>$TMPDIR
</literal>,
<literal>$TEMP
</literal> or
<literal>$TMP
</literal> are set to.
</entry>
272 <entry><literal>%v
</literal></entry>
273 <entry>Kernel release
</entry>
274 <entry>Identical to
<command>uname -r
</command> output.
</entry>
277 <entry><literal>%V
</literal></entry>
278 <entry>Directory for larger and persistent temporary files
</entry>
279 <entry>This is either
<filename>/var/tmp
</filename> or the path
<literal>$TMPDIR
</literal>,
<literal>$TEMP
</literal> or
<literal>$TMP
</literal> are set to.
</entry>
282 <entry><literal>%%
</literal></entry>
283 <entry>Escaped
<literal>%
</literal></entry>
284 <entry>Single percent sign.
</entry>
292 <title>Idempotence
</title>
294 <para>Note that
<command>systemd-sysusers
</command> will do nothing if the
295 specified users or groups already exist or the users are members of specified
296 groups, so normally there is no reason to override
297 <filename>sysusers.d
</filename> vendor configuration, except to block certain
298 users or groups from being created.
</para>
302 <title>See Also
</title>
304 <citerefentry><refentrytitle>systemd
</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
305 <citerefentry><refentrytitle>systemd-sysusers
</refentrytitle><manvolnum>8</manvolnum></citerefentry>
projects / thirdparty / systemd.git / blob