3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
5 This file is part of systemd.
7 Copyright 2014 Lennart Poettering
9 systemd is free software; you can redistribute it and/or modify it
10 under the terms of the GNU Lesser General Public License as published by
11 the Free Software Foundation; either version 2.1 of the License, or
12 (at your option) any later version.
14 systemd is distributed in the hope that it will be useful, but
15 WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
17 Lesser General Public License for more details.
19 You should have received a copy of the GNU Lesser General Public License
20 along with systemd; If not, see <http://www.gnu.org/licenses/>.
22 <refentry id="sysusers.d">
25 <title>sysusers.d</title>
26 <productname>systemd</productname>
30 <contrib>Developer</contrib>
31 <firstname>Lennart</firstname>
32 <surname>Poettering</surname>
33 <email>lennart@poettering.net</email>
39 <refentrytitle>sysusers.d</refentrytitle>
40 <manvolnum>5</manvolnum>
44 <refname>sysusers.d</refname>
45 <refpurpose>Declarative allocation of system users and groups</refpurpose>
49 <para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
53 <title>Description</title>
55 <para><command>systemd-sysusers</command> uses the
56 files from <filename>sysusers.d</filename> directory
57 to create system users and groups at package
58 installation or boot time. This tool may be used to
59 allocate system users and groups only, it is not
60 useful for creating non-system users and groups, as it
61 accesses <filename>/etc/passwd</filename> and
62 <filename>/etc/group</filename> directly, bypassing
63 any more complex user databases, for example any
64 database involving NIS or LDAP.</para>
68 <title>Configuration Format</title>
70 <para>Each configuration file shall be named in the
72 <filename><replaceable>package</replaceable>.conf</filename>
74 <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
75 The second variant should be used when it is desirable
76 to make it easy to override just this part of
79 <para>The file format is one line per user or group
80 containing name, ID, GECOS field description and home directory:</para>
82 <programlisting># Type Name ID GECOS
83 u httpd 440 "HTTP User"
84 u authd /usr/bin/authd "Authorization user"
87 u root 0 "Superuser" /root</programlisting>
92 <para>The type consists of a single
93 letter. The following line types are
98 <term><varname>u</varname></term>
99 <listitem><para>Create a
100 system user and group of the
101 specified name should they not
102 exist yet. The user's primary
103 group will be set to the group
104 bearing the same name. The
105 user's shell will be set to
106 <filename>/sbin/nologin</filename>,
107 the home directory to the
108 specified home directory, or
109 <filename>/</filename> if none
110 is given. The account will be
111 created disabled, so that
113 allowed.</para></listitem>
117 <term><varname>g</varname></term>
118 <listitem><para>Create a
119 system group of the specified
120 name should it not exist
123 implicitly create a matching
124 group. The group will be
125 created with no password
126 set.</para></listitem>
130 <term><varname>m</varname></term>
131 <listitem><para>Add a user to
132 a group. If the user or group
133 are not existing yet, they
135 created.</para></listitem>
143 <para>The name field specifies the user or
144 group name. It should be shorter than 31
145 characters and avoid any non-ASCII characters,
146 and not begin with a numeric character. It is
147 strongly recommended to pick user and group
148 names that are unlikely to clash with normal
149 users created by the administrator. A good
150 scheme to guarantee this is by prefixing all
151 system and group names with the underscore,
152 and avoiding too generic names.</para>
154 <para>For <varname>m</varname> lines this
155 field should contain the user name to add to a
162 <para>For <varname>u</varname> and
163 <varname>g</varname> the numeric 32bit UID or
164 GID of the user/group. Do not use IDs 65535 or
165 4294967295, as they have special placeholder
166 meanings. Specify <literal>-</literal> for
167 automatic UID/GID allocation for the user or
168 group. Alternatively, specify an absolute path
169 in the file system. In this case the UID/GID
170 is read from the path's owner/group. This is
171 useful to create users whose UID/GID match the
172 owners of pre-existing files (such as SUID or
173 SGID binaries).</para>
175 <para>For <varname>m</varname> lines this
176 field should contain the group name to add to
183 <para>A short, descriptive string for users to
184 be created, enclosed in quotation marks. Note
185 that this field may not contain colons.</para>
187 <para>Only applies to lines of type
188 <varname>u</varname> and should otherwise be
189 left unset, or be set to
190 <literal>-</literal>.</para>
194 <title>Home Directory</title>
196 <para>The home directory for a new system
197 user. If omitted defaults to the root
198 directory. It is recommended to not
199 unnecessarily specify home directories for
200 system users, unless software strictly
201 requires one to be set.</para>
203 <para>Only applies to lines of type
204 <varname>u</varname> and should otherwise be
205 left unset, or be set to
206 <literal>-</literal>.</para>
212 <title>Overriding vendor configuration</title>
214 <para>Note that <command>systemd-sysusers</command>
215 will do nothing if the specified users or groups
216 already exist, so normally there no reason to override
217 <filename>sysusers.d</filename> vendor configuration,
218 except to block certain users or groups from being
221 <para>Files in <filename>/etc/sysusers.d</filename>
222 override files with the same name in
223 <filename>/usr/lib/sysusers.d</filename> and
224 <filename>/run/sysusers.d</filename>. Files in
225 <filename>/run/sysusers.d</filename> override files
226 with the same name in
227 <filename>/usr/lib/sysusers.d</filename>. The scheme is the same as for
228 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
229 except for the directory name.</para>
231 <para>If the administrator wants to disable a
232 configuration file supplied by the vendor, the
233 recommended way is to place a symlink to
234 <filename>/dev/null</filename> in
235 <filename>/etc/sysusers.d/</filename> bearing the
236 same filename.</para>
240 <title>See Also</title>
242 <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
243 <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
244 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>