3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
5 This file is part of systemd.
7 Copyright 2014 Lennart Poettering
9 systemd is free software; you can redistribute it and/or modify it
10 under the terms of the GNU Lesser General Public License as published by
11 the Free Software Foundation; either version 2.1 of the License, or
12 (at your option) any later version.
14 systemd is distributed in the hope that it will be useful, but
15 WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Lesser General Public License for more details.
19 You should have received a copy of the GNU Lesser General Public License
20 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 <refentry id="sysusers.d">
25 <title>sysusers.d</title>
26 <productname>systemd</productname>
30 <contrib>Developer</contrib>
31 <firstname>Lennart</firstname>
32 <surname>Poettering</surname>
33 <email>lennart@poettering.net</email>
39 <refentrytitle>sysusers.d</refentrytitle>
40 <manvolnum>5</manvolnum>
44 <refname>sysusers.d</refname>
45 <refpurpose>Declarative allocation of system users and groups</refpurpose>
49 <para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
53 <title>Description</title>
55 <para><command>systemd-sysusers</command> uses the
56 files from <filename>sysusers.d</filename> directory
57 to create system users and groups at package
58 installation or boot time. This tool may be used to
59 allocate system users and groups only, it is not
60 useful for creating non-system users and groups, as it
61 accesses <filename>/etc/passwd</filename> and
62 <filename>/etc/group</filename> directly, bypassing
63 any more complex user databases, for example any
64 database involving NIS or LDAP.</para>
68 <title>Configuration Format</title>
70 <para>Each configuration file shall be named in the
72 <filename><replaceable>package</replaceable>.conf</filename>
74 <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
75 The second variant should be used when it is desirable
76 to make it easy to override just this part of
79 <para>The file format is one line per user or group
80 containing name, ID, GECOS field description and home directory:</para>
82 <programlisting># Type Name ID GECOS
83 u httpd 440 "HTTP User"
84 u authd /usr/bin/authd "Authorization user"
87 u root 0 "Superuser" /root</programlisting>
92 <para>The type consists of a single
93 letter. The following line types are
98 <term><varname>u</varname></term>
99 <listitem><para>Create a
100 system user and group of the
101 specified name should they not
102 exist yet. The user's primary
103 group will be set to the group
104 bearing the same name. The
105 user's shell will be set to
106 <filename>/sbin/nologin</filename>,
107 the home directory to the
108 specified home directory, or
109 <filename>/</filename> if none
110 is given. The account will be
111 created disabled, so that
113 allowed.</para></listitem>
117 <term><varname>g</varname></term>
118 <listitem><para>Create a
119 system group of the specified
120 name should it not exist
123 implicitly create a matching
124 group. The group will be
125 created with no password
126 set.</para></listitem>
130 <term><varname>m</varname></term>
131 <listitem><para>Add a user to
132 a group. If the user or group
133 are not existing yet, they
135 created.</para></listitem>
139 <term><varname>r</varname></term>
140 <listitem><para>Add a range of
141 numeric UIDs/GIDs to the pool
142 to allocate new UIDs and GIDs
143 from. If no line of this type
144 is specified the range of
145 UIDs/GIDs is set to some
146 compiled-in default. Note that
147 both UIDs and GIDs are
148 allocated from the same pool,
149 in order to ensure that users
150 and groups of the same name
151 are likely to carry the same
153 GID.</para></listitem>
162 <para>The name field specifies the user or
163 group name. It should be shorter than 31
164 characters and avoid any non-ASCII characters,
165 and not begin with a numeric character. It is
166 strongly recommended to pick user and group
167 names that are unlikely to clash with normal
168 users created by the administrator. A good
169 scheme to guarantee this is by prefixing all
170 system and group names with the underscore,
171 and avoiding too generic names.</para>
173 <para>For <varname>m</varname> lines this
174 field should contain the user name to add to a
177 <para>For lines of type <varname>r</varname>
178 this field should be set to
179 <literal>-</literal>.</para>
185 <para>For <varname>u</varname> and
186 <varname>g</varname> the numeric 32bit UID or
187 GID of the user/group. Do not use IDs 65535 or
188 4294967295, as they have special placeholder
189 meanings. Specify <literal>-</literal> for
190 automatic UID/GID allocation for the user or
191 group. Alternatively, specify an absolute path
192 in the file system. In this case the UID/GID
193 is read from the path's owner/group. This is
194 useful to create users whose UID/GID match the
195 owners of pre-existing files (such as SUID or
196 SGID binaries).</para>
198 <para>For <varname>m</varname> lines this
199 field should contain the group name to add to
202 <para>For lines of type <varname>r</varname>
203 this field should be set to a UID/GID range in
204 the format <literal>FROM-TO</literal> where
205 both values are formatted as decimal ASCII
206 numbers. Alternatively, a single UID/GID may
207 be specified formatted as decimal ASCII
214 <para>A short, descriptive string for users to
215 be created, enclosed in quotation marks. Note
216 that this field may not contain colons.</para>
218 <para>Only applies to lines of type
219 <varname>u</varname> and should otherwise be
220 left unset, or be set to
221 <literal>-</literal>.</para>
225 <title>Home Directory</title>
227 <para>The home directory for a new system
228 user. If omitted defaults to the root
229 directory. It is recommended to not
230 unnecessarily specify home directories for
231 system users, unless software strictly
232 requires one to be set.</para>
234 <para>Only applies to lines of type
235 <varname>u</varname> and should otherwise be
236 left unset, or be set to
237 <literal>-</literal>.</para>
243 <title>Overriding vendor configuration</title>
245 <para>Note that <command>systemd-sysusers</command>
246 will do nothing if the specified users or groups
247 already exist, so normally there no reason to override
248 <filename>sysusers.d</filename> vendor configuration,
249 except to block certain users or groups from being
252 <para>Files in <filename>/etc/sysusers.d</filename>
253 override files with the same name in
254 <filename>/usr/lib/sysusers.d</filename> and
255 <filename>/run/sysusers.d</filename>. Files in
256 <filename>/run/sysusers.d</filename> override files
257 with the same name in
258 <filename>/usr/lib/sysusers.d</filename>. The scheme is the same as for
259 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
260 except for the directory name.</para>
262 <para>If the administrator wants to disable a
263 configuration file supplied by the vendor, the
264 recommended way is to place a symlink to
265 <filename>/dev/null</filename> in
266 <filename>/etc/sysusers.d/</filename> bearing the
267 same filename.</para>
271 <title>See Also</title>
273 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
274 <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
275 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
~ianmdlvl / elogind.git / blob