<title>Description</title>
<para><command>systemd-sysusers</command> uses the
- files from <filename>/usr/lib/sysusers.d/</filename>
+ files from <filename>sysusers.d</filename> directory
to create system users and groups at package
- installation or boot time. This tool may be used for
- allocating system users and groups only, it is not
+ installation or boot time. This tool may be used to
+ allocate system users and groups only, it is not
useful for creating non-system users and groups, as it
- accessed <filename>/etc/passwd</filename> and
+ accesses <filename>/etc/passwd</filename> and
<filename>/etc/group</filename> directly, bypassing
- any more complex user database, for example any
+ any more complex user databases, for example any
database involving NIS or LDAP.</para>
-
</refsect1>
<refsect1>
- <title>File Format</title>
-
- <para>Each file shall be named in the style of
- <filename><replaceable>package</replaceable>.conf</filename>.</para>
+ <title>Configuration Format</title>
- <para>All files are sorted by their filename in
- lexicographic order, regardless of which of the
- directories they reside in. If multiple files specify
- the same user or group, the entry in the file with the
- lexicographically earliest name will be applied, all
- all other conflicting entries will be logged as
- errors. Users and groups are
- processed in the order they are listed.</para>
+ <para>Each configuration file shall be named in the
+ style of
+ <filename><replaceable>package</replaceable>.conf</filename>
+ or
+ <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
+ The second variant should be used when it is desirable
+ to make it easy to override just this part of
+ configuration.</para>
<para>The file format is one line per user or group
- containing name, ID and GECOS field description:</para>
+ containing name, ID, GECOS field description and home directory:</para>
<programlisting># Type Name ID GECOS
u httpd 440 "HTTP User"
u authd /usr/bin/authd "Authorization user"
-g input - -</programlisting>
+g input - -
+m authd input
+u root 0 "Superuser" /root</programlisting>
<refsect2>
<title>Type</title>
group will be set to the group
bearing the same name. The
user's shell will be set to
- <filename>/sbin/login</filename>,
- the home directory to
- <filename>/</filename>. The
- account will be created
- disabled, so that logins are
- not allowed.</para></listitem>
+ <filename>/sbin/nologin</filename>,
+ the home directory to the
+ specified home directory, or
+ <filename>/</filename> if none
+ is given. The account will be
+ created disabled, so that
+ logins are not
+ allowed.</para></listitem>
</varlistentry>
<varlistentry>
created with no password
set.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>m</varname></term>
+ <listitem><para>Add a user to
+ a group. If the user or group
+ are not existing yet, they
+ will be implicitly
+ created.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>r</varname></term>
+ <listitem><para>Add a range of
+ numeric UIDs/GIDs to the pool
+ to allocate new UIDs and GIDs
+ from. If no line of this type
+ is specified the range of
+ UIDs/GIDs is set to some
+ compiled-in default. Note that
+ both UIDs and GIDs are
+ allocated from the same pool,
+ in order to ensure that users
+ and groups of the same name
+ are likely to carry the same
+ numeric UID and
+ GID.</para></listitem>
+ </varlistentry>
+
</variablelist>
</refsect2>
<title>Name</title>
<para>The name field specifies the user or
- group name. It should be be shorter than 256
+ group name. It should be shorter than 31
characters and avoid any non-ASCII characters,
and not begin with a numeric character. It is
strongly recommended to pick user and group
scheme to guarantee this is by prefixing all
system and group names with the underscore,
and avoiding too generic names.</para>
+
+ <para>For <varname>m</varname> lines this
+ field should contain the user name to add to a
+ group.</para>
+
+ <para>For lines of type <varname>r</varname>
+ this field should be set to
+ <literal>-</literal>.</para>
</refsect2>
<refsect2>
<title>ID</title>
- <para>The numeric 32bit UID or GID of the
- user/group. Do not use IDs 65535 or
+ <para>For <varname>u</varname> and
+ <varname>g</varname> the numeric 32bit UID or
+ GID of the user/group. Do not use IDs 65535 or
4294967295, as they have special placeholder
- meanings. Specify "-" for automatic UID/GID
- allocation for the user or
+ meanings. Specify <literal>-</literal> for
+ automatic UID/GID allocation for the user or
group. Alternatively, specify an absolute path
in the file system. In this case the UID/GID
is read from the path's owner/group. This is
useful to create users whose UID/GID match the
owners of pre-existing files (such as SUID or
SGID binaries).</para>
+
+ <para>For <varname>m</varname> lines this
+ field should contain the group name to add to
+ a user to.</para>
+
+ <para>For lines of type <varname>r</varname>
+ this field should be set to a UID/GID range in
+ the format <literal>FROM-TO</literal> where
+ both values are formatted as decimal ASCII
+ numbers. Alternatively, a single UID/GID may
+ be specified formatted as decimal ASCII
+ numbers.</para>
</refsect2>
<refsect2>
<para>A short, descriptive string for users to
be created, enclosed in quotation marks. Note
that this field may not contain colons.</para>
+
+ <para>Only applies to lines of type
+ <varname>u</varname> and should otherwise be
+ left unset, or be set to
+ <literal>-</literal>.</para>
+ </refsect2>
+
+ <refsect2>
+ <title>Home Directory</title>
+
+ <para>The home directory for a new system
+ user. If omitted defaults to the root
+ directory. It is recommended to not
+ unnecessarily specify home directories for
+ system users, unless software strictly
+ requires one to be set.</para>
+
+ <para>Only applies to lines of type
+ <varname>u</varname> and should otherwise be
+ left unset, or be set to
+ <literal>-</literal>.</para>
</refsect2>
</refsect1>
+ <refsect1>
+ <title>Overriding vendor configuration</title>
+
+ <para>Note that <command>systemd-sysusers</command>
+ will do nothing if the specified users or groups
+ already exist, so normally there no reason to override
+ <filename>sysusers.d</filename> vendor configuration,
+ except to block certain users or groups from being
+ created.</para>
+
+ <para>Files in <filename>/etc/sysusers.d</filename>
+ override files with the same name in
+ <filename>/usr/lib/sysusers.d</filename> and
+ <filename>/run/sysusers.d</filename>. Files in
+ <filename>/run/sysusers.d</filename> override files
+ with the same name in
+ <filename>/usr/lib/sysusers.d</filename>. The scheme is the same as for
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ except for the directory name.</para>
+
+ <para>If the administrator wants to disable a
+ configuration file supplied by the vendor, the
+ recommended way is to place a symlink to
+ <filename>/dev/null</filename> in
+ <filename>/etc/sysusers.d/</filename> bearing the
+ same filename.</para>
+ </refsect1>
+
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>