From d1b04f47e32bd1012ae2e3e6ac9159702463bf15 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Wed, 21 Aug 2024 10:10:34 +0200
Subject: [PATCH] man: document .membership files that nss-systemd processes

This has been a glaring omission in the docs: when people create .user/.group/.user-privileged/.group-privileged drop-in files, they should also create matching .membership files.
---
 man/nss-systemd.xml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/man/nss-systemd.xml b/man/nss-systemd.xml index 4233bf6a437..890faaea329 100644 --- a/man/nss-systemd.xml +++ b/man/nss-systemd.xml @@ -93,6 +93,17 @@ lrwxrwxrwx. 1 root root 19 May 10 4711.user-privileged -> foobar.user-privileg .user-privileged and .group-privileged suffixes) should contain this section, exclusively. + In addition to the two types of user record files and the two types of group record files there's a + fifth type of file that may be placed in the searched directories: files that indicate membership of + users in groups. Specifically, for every pair of user/group where the user shall be a member of a group a + file named + username:groupname.membership + should be created, i.e. the textual UNIX user name, followed by a colon, followed by the textual UNIX + group name, suffixed by .membership. The contents of these files are currently not + read, and the files should be created empty. The mere existence of these files is enough to effect a + user/group membership. If a program provides user and/or group record files in the searched directories, + it should always also create such files, both for primary and auxiliary group memberships. + Note that static user/group records generally do not override conflicting records in /etc/passwd or /etc/group or other account databases. In fact, before dropping in these files a reasonable level of care should be taken to avoid user/group name and -- 2.47.3
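Review bot: the added paragraph in man/nss-systemd.xml says "The mere existence of these files is enough to effect a user/group membership" but does not say whether this also applies when the named user or group is defined outside the searched directories. The unchanged paragraph that follows says static user/group records generally do not override conflicting records in /etc/passwd or /etc/group, so readers will want to know whether the same applies to memberships. Please state explicitly whether a username:groupname.membership file can add a member to a group that comes from another account database. Because an empty file is enough to grant membership, it would also help to note that write access to the searched directories amounts to the ability to assign group memberships, so the directories and any program creating these files need to be treated accordingly. Minor style point: "there's a fifth type of file" could read "there is a fifth type of file" to match the register of the surrounding text.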