| <?xml version="1.0"?> |
| <!--*-nxml-*--> |
| <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> |
| <!-- |
| This file is part of systemd. |
| |
| Copyright 2014 Lennart Poettering |
| |
| systemd is free software; you can redistribute it and/or modify it |
| under the terms of the GNU Lesser General Public License as published by |
| the Free Software Foundation; either version 2.1 of the License, or |
| (at your option) any later version. |
| |
| systemd is distributed in the hope that it will be useful, but |
| WITHOUT ANY WARRANTY; without even the implied warranty of |
| MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| Lesser General Public License for more details. |
| |
| You should have received a copy of the GNU Lesser General Public License |
| along with systemd; If not, see <http://www.gnu.org/licenses/>. |
| --> |
| <refentry id="sysusers.d"> |
| |
| <refentryinfo> |
| <title>sysusers.d</title> |
| <productname>systemd</productname> |
| |
| <authorgroup> |
| <author> |
| <contrib>Developer</contrib> |
| <firstname>Lennart</firstname> |
| <surname>Poettering</surname> |
| <email>lennart@poettering.net</email> |
| </author> |
| </authorgroup> |
| </refentryinfo> |
| |
| <refmeta> |
| <refentrytitle>sysusers.d</refentrytitle> |
| <manvolnum>5</manvolnum> |
| </refmeta> |
| |
| <refnamediv> |
| <refname>sysusers.d</refname> |
| <refpurpose>Declarative allocation of system users and groups</refpurpose> |
| </refnamediv> |
| |
| <refsynopsisdiv> |
| <para><filename>/usr/lib/sysusers.d/*.conf</filename></para> |
| </refsynopsisdiv> |
| |
| <refsect1> |
| <title>Description</title> |
| |
| <para><command>systemd-sysusers</command> uses the |
| files from <filename>sysusers.d</filename> directory |
| to create system users and groups at package |
| installation or boot time. This tool may be used to |
| allocate system users and groups only, it is not |
| useful for creating non-system users and groups, as it |
| accesses <filename>/etc/passwd</filename> and |
| <filename>/etc/group</filename> directly, bypassing |
| any more complex user databases, for example any |
| database involving NIS or LDAP.</para> |
| </refsect1> |
| |
| <refsect1> |
| <title>Configuration Format</title> |
| |
| <para>Each configuration file shall be named in the |
| style of |
| <filename><replaceable>package</replaceable>.conf</filename> |
| or |
| <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>. |
| The second variant should be used when it is desirable |
| to make it easy to override just this part of |
| configuration.</para> |
| |
| <para>The file format is one line per user or group |
| containing name, ID and GECOS field description:</para> |
| |
| <programlisting># Type Name ID GECOS |
| u httpd 440 "HTTP User" |
| u authd /usr/bin/authd "Authorization user" |
| g input - - |
| m authd input</programlisting> |
| |
| <refsect2> |
| <title>Type</title> |
| |
| <para>The type consists of a single |
| letter. The following line types are |
| understood:</para> |
| |
| <variablelist> |
| <varlistentry> |
| <term><varname>u</varname></term> |
| <listitem><para>Create a |
| system user and group of the |
| specified name should they not |
| exist yet. The user's primary |
| group will be set to the group |
| bearing the same name. The |
| user's shell will be set to |
| <filename>/sbin/nologin</filename>, |
| the home directory to |
| <filename>/</filename>. The |
| account will be created |
| disabled, so that logins are |
| not allowed.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>g</varname></term> |
| <listitem><para>Create a |
| system group of the specified |
| name should it not exist |
| yet. Note that |
| <varname>u</varname> |
| implicitly create a matching |
| group. The group will be |
| created with no password |
| set.</para></listitem> |
| </varlistentry> |
| |
| <varlistentry> |
| <term><varname>m</varname></term> |
| <listitem><para>Add a user to |
| a group. If the user or group |
| are not existing yet, they |
| will be implicitly |
| created.</para></listitem> |
| </varlistentry> |
| </variablelist> |
| </refsect2> |
| |
| <refsect2> |
| <title>Name</title> |
| |
| <para>The name field specifies the user or |
| group name. It should be be shorter than 31 |
| characters and avoid any non-ASCII characters, |
| and not begin with a numeric character. It is |
| strongly recommended to pick user and group |
| names that are unlikely to clash with normal |
| users created by the administrator. A good |
| scheme to guarantee this is by prefixing all |
| system and group names with the underscore, |
| and avoiding too generic names.</para> |
| |
| <para>For <varname>m</varname> lines this |
| field should contain the user name to add to a |
| group.</para> |
| </refsect2> |
| |
| <refsect2> |
| <title>ID</title> |
| |
| <para>For <varname>u</varname> and |
| <varname>g</varname> the numeric 32bit UID or |
| GID of the user/group. Do not use IDs 65535 or |
| 4294967295, as they have special placeholder |
| meanings. Specify "-" for automatic UID/GID |
| allocation for the user or |
| group. Alternatively, specify an absolute path |
| in the file system. In this case the UID/GID |
| is read from the path's owner/group. This is |
| useful to create users whose UID/GID match the |
| owners of pre-existing files (such as SUID or |
| SGID binaries).</para> |
| |
| <para>For <varname>m</varname> lines this |
| field should contain the group name to add to |
| a user to.</para> |
| </refsect2> |
| |
| <refsect2> |
| <title>GECOS</title> |
| |
| <para>A short, descriptive string for users to |
| be created, enclosed in quotation marks. Note |
| that this field may not contain colons.</para> |
| |
| <para>Only applies to lines of type |
| <varname>u</varname> and should otherwise be |
| left unset.</para> |
| </refsect2> |
| |
| </refsect1> |
| |
| <refsect1> |
| <title>Overriding vendor configuration</title> |
| |
| <para>Note that <command>systemd-sysusers</command> |
| will do nothing if the specified users or groups |
| already exist, so normally there no reason to override |
| <filename>sysusers.d</filename> vendor configuration, |
| except to block certain users or groups from being |
| created.</para> |
| |
| <para>Files in <filename>/etc/sysusers.d</filename> |
| override files with the same name in |
| <filename>/usr/lib/sysusers.d</filename> and |
| <filename>/run/sysusers.d</filename>. Files in |
| <filename>/run/sysusers.d</filename> override files |
| with the same name in |
| <filename>/usr/lib/sysusers.d</filename>. The scheme is the same as for |
| <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>, |
| except for the directory name.</para> |
| |
| <para>If the administrator wants to disable a |
| configuration file supplied by the vendor, the |
| recommended way is to place a symlink to |
| <filename>/dev/null</filename> in |
| <filename>/etc/sysusers.d/</filename> bearing the |
| same filename.</para> |
| </refsect1> |
| |
| <refsect1> |
| <title>See Also</title> |
| <para> |
| <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>, |
| <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry> |
| </para> |
| </refsect1> |
| |
| </refentry> |