aboutsummaryrefslogtreecommitdiff
blob: e47d36c73a5ddda8394c1cad1fc4fa3a694f4c27 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
  SPDX-License-Identifier: LGPL-2.1+
-->
<refentry id="sysusers.d" conditional='ENABLE_SYSUSERS'
    xmlns:xi="http://www.w3.org/2001/XInclude">

  <refentryinfo>
    <title>sysusers.d</title>
    <productname>systemd</productname>
  </refentryinfo>

  <refmeta>
    <refentrytitle>sysusers.d</refentrytitle>
    <manvolnum>5</manvolnum>
  </refmeta>

  <refnamediv>
    <refname>sysusers.d</refname>
    <refpurpose>Declarative allocation of system users and groups</refpurpose>
  </refnamediv>

  <refsynopsisdiv>
    <para><filename>/etc/sysusers.d/*.conf</filename></para>
    <para><filename>/run/sysusers.d/*.conf</filename></para>
    <para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
  </refsynopsisdiv>

  <refsect1>
    <title>Description</title>

    <para><command>systemd-sysusers</command> uses the files from
    <filename>sysusers.d</filename> directory to create system users and groups and
    to add users to groups, at package installation or boot time. This tool may be
    used to allocate system users and groups only, it is not useful for creating
    non-system (i.e. regular, "human") users and groups, as it accesses
    <filename>/etc/passwd</filename> and <filename>/etc/group</filename> directly,
    bypassing any more complex user databases, for example any database involving NIS
    or LDAP.</para>
  </refsect1>

  <refsect1>
    <title>Configuration Directories and Precedence</title>

    <para>Each configuration file shall be named in the style of
    <filename><replaceable>package</replaceable>.conf</filename> or
    <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
    The second variant should be used when it is desirable to make it
    easy to override just this part of configuration.</para>

    <para>Files in <filename>/etc/sysusers.d</filename> override files
    with the same name in <filename>/usr/lib/sysusers.d</filename> and
    <filename>/run/sysusers.d</filename>. Files in
    <filename>/run/sysusers.d</filename> override files with the same
    name in <filename>/usr/lib/sysusers.d</filename>. Packages should
    install their configuration files in
    <filename>/usr/lib/sysusers.d</filename>. Files in
    <filename>/etc/sysusers.d</filename> are reserved for the local
    administrator, who may use this logic to override the
    configuration files installed by vendor packages. All
    configuration files are sorted by their filename in lexicographic
    order, regardless of which of the directories they reside in. If
    multiple files specify the same path, the entry in the file with
    the lexicographically earliest name will be applied. All later
    entries for the same user and group names will be logged as warnings.
    </para>

    <para>If the administrator wants to disable a configuration file
    supplied by the vendor, the recommended way is to place a symlink
    to <filename>/dev/null</filename> in
    <filename>/etc/sysusers.d/</filename> bearing the same filename.
    </para>
  </refsect1>

  <refsect1>
    <title>Configuration File Format</title>

    <para>The file format is one line per user or group containing name, ID, GECOS
    field description, home directory, and login shell:</para>

    <programlisting>#Type Name     ID             GECOS                 Home directory Shell
u     httpd    404            "HTTP User"
u     authd    /usr/bin/authd "Authorization user"
u     postgres -              "Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb
g     input    -              -
m     authd    input
u     root     0              "Superuser"           /root          /bin/zsh</programlisting>

    <para>Empty lines and lines beginning with the <literal>#</literal> character are ignored, and may be used for
    commenting.</para>

    <refsect2>
      <title>Type</title>

      <para>The type consists of a single letter. The following line
      types are understood:</para>

      <variablelist>
        <varlistentry>
          <term><varname>u</varname></term>
          <listitem><para>Create a system user and group of the specified name should
          they not exist yet. The user's primary group will be set to the group
          bearing the same name. The account will be created disabled, so that logins
          are not allowed.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>g</varname></term>
          <listitem><para>Create a system group of the specified name
          should it not exist yet. Note that <varname>u</varname>
          implicitly create a matching group. The group will be
          created with no password set.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>m</varname></term>
          <listitem><para>Add a user to a group. If the user or group
          do not exist yet, they will be implicitly
          created.</para></listitem>
        </varlistentry>

        <varlistentry>
          <term><varname>r</varname></term>
          <listitem><para>Add a range of numeric UIDs/GIDs to the pool
          to allocate new UIDs and GIDs from. If no line of this type
          is specified, the range of UIDs/GIDs is set to some
          compiled-in default. Note that both UIDs and GIDs are
          allocated from the same pool, in order to ensure that users
          and groups of the same name are likely to carry the same
          numeric UID and GID.</para></listitem>
        </varlistentry>

      </variablelist>
    </refsect2>

    <refsect2>
      <title>Name</title>

      <para>The name field specifies the user or group name. The specified name must consist only of the characters a-z,
      A-Z, 0-9, <literal>_</literal> and <literal>-</literal>, except for the first character which must be one of a-z,
      A-Z or <literal>_</literal> (i.e. numbers and <literal>-</literal> are not permitted as first character). The
      user/group name must have at least one character, and at most 31.</para>

      <para>It is strongly recommended to pick user and group names that are unlikely to clash with normal users
      created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the
      underscore, and avoiding too generic names.</para>

      <para>For <varname>m</varname> lines, this field should contain
      the user name to add to a group.</para>

      <para>For lines of type <varname>r</varname>, this field should
      be set to <literal>-</literal>.</para>
    </refsect2>

    <refsect2>
      <title>ID</title>

      <para>For <varname>u</varname> and <varname>g</varname>, the
      numeric 32-bit UID or GID of the user/group. Do not use IDs 65535
      or 4294967295, as they have special placeholder meanings.
      Specify <literal>-</literal> for automatic UID/GID allocation
      for the user or group (this is strongly recommended unless it is strictly
      necessary to use a specific UID or GID). Alternatively, specify an absolute path
      in the file system. In this case, the UID/GID is read from the
      path's owner/group. This is useful to create users whose UID/GID
      match the owners of pre-existing files (such as SUID or SGID
      binaries).
      The syntax <literal><replaceable>uid</replaceable>:<replaceable>gid</replaceable></literal> is also supported to
      allow creating user and group pairs with different numeric UID and GID values. The group with the indicated GID must get created explicitly before or it must already exist. Specifying <literal>-</literal> for the UID in this syntax
      is also supported.
      </para>

      <para>For <varname>m</varname> lines, this field should contain
      the group name to add to a user to.</para>

      <para>For lines of type <varname>r</varname>, this field should
      be set to a UID/GID range in the format
      <literal>FROM-TO</literal>, where both values are formatted as
      decimal ASCII numbers. Alternatively, a single UID/GID may be
      specified formatted as decimal ASCII numbers.</para>
    </refsect2>

    <refsect2>
      <title>GECOS</title>

      <para>A short, descriptive string for users to be created, enclosed in
      quotation marks. Note that this field may not contain colons.</para>

      <para>Only applies to lines of type <varname>u</varname> and should otherwise
      be left unset (or <literal>-</literal>).</para>
    </refsect2>

    <refsect2>
      <title>Home Directory</title>

      <para>The home directory for a new system user. If omitted, defaults to the
      root directory.</para>

      <para>Only applies to lines of type <varname>u</varname> and should otherwise
      be left unset (or <literal>-</literal>). It is recommended to omit this, unless
      software strictly requires a home directory to be set.</para>
    </refsect2>

    <refsect2>
      <title>Shell</title>

      <para>The login shell of the user. If not specified, this will be set to
      <filename>/sbin/nologin</filename>, except if the UID of the user is 0, in
      which case <filename>/bin/sh</filename> will be used.</para>

      <para>Only applies to lines of type <varname>u</varname> and should otherwise
      be left unset (or <literal>-</literal>). It is recommended to omit this, unless
      a shell different <filename>/sbin/nologin</filename> must be used.</para>
    </refsect2>
  </refsect1>

  <refsect1>
    <title>Specifiers</title>

    <para>Specifiers can be used in the "Name", "ID", "GECOS", "Home directory", and "Shell" fields.
    An unknown or unresolvable specifier is treated as invalid configuration.
    The following expansions are understood:</para>
      <table>
        <title>Specifiers available</title>
        <tgroup cols='3' align='left' colsep='1' rowsep='1'>
          <colspec colname="spec" />
          <colspec colname="mean" />
          <colspec colname="detail" />
          <thead>
            <row>
              <entry>Specifier</entry>
              <entry>Meaning</entry>
              <entry>Details</entry>
            </row>
          </thead>
          <tbody>
            <row>
              <entry><literal>%b</literal></entry>
              <entry>Boot ID</entry>
              <entry>The boot ID of the running system, formatted as string. See <citerefentry><refentrytitle>random</refentrytitle><manvolnum>4</manvolnum></citerefentry> for more information.</entry>
            </row>
            <row>
              <entry><literal>%H</literal></entry>
              <entry>Host name</entry>
              <entry>The hostname of the running system.</entry>
            </row>
            <row>
              <entry><literal>%m</literal></entry>
              <entry>Machine ID</entry>
              <entry>The machine ID of the running system, formatted as string. See <citerefentry><refentrytitle>machine-id</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more information.</entry>
            </row>
            <row>
              <entry><literal>%T</literal></entry>
              <entry>Directory for temporary files</entry>
              <entry>This is either <filename>/tmp</filename> or the path <literal>$TMPDIR</literal>, <literal>$TEMP</literal> or <literal>$TMP</literal> are set to.</entry>
            </row>
            <row>
              <entry><literal>%v</literal></entry>
              <entry>Kernel release</entry>
              <entry>Identical to <command>uname -r</command> output.</entry>
            </row>
            <row>
              <entry><literal>%V</literal></entry>
              <entry>Directory for larger and persistent temporary files</entry>
              <entry>This is either <filename>/var/tmp</filename> or the path <literal>$TMPDIR</literal>, <literal>$TEMP</literal> or <literal>$TMP</literal> are set to.</entry>
            </row>
            <row>
              <entry><literal>%%</literal></entry>
              <entry>Escaped <literal>%</literal></entry>
              <entry>Single percent sign.</entry>
            </row>
          </tbody>
        </tgroup>
      </table>
  </refsect1>

  <refsect1>
    <title>Idempotence</title>

    <para>Note that <command>systemd-sysusers</command> will do nothing if the
    specified users or groups already exist or the users are members of specified
    groups, so normally there is no reason to override
    <filename>sysusers.d</filename> vendor configuration, except to block certain
    users or groups from being created.</para>
  </refsect1>

  <refsect1>
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    </para>
  </refsect1>

</refentry>