man/sysusers.d.xml

   1 <?xml version="1.0"?>
   2 <!--*-nxml-*-->
   3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
   4 <!--
   5   This file is part of systemd.
   6
   7   Copyright 2014 Lennart Poettering
   8
   9   systemd is free software; you can redistribute it and/or modify it
  10   under the terms of the GNU Lesser General Public License as published by
  11   the Free Software Foundation; either version 2.1 of the License, or
  12   (at your option) any later version.
  13
  14   systemd is distributed in the hope that it will be useful, but
  15   WITHOUT ANY WARRANTY; without even the implied warranty of
  16   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  17   Lesser General Public License for more details.
  18
  19   You should have received a copy of the GNU Lesser General Public License
  20   along with systemd; If not, see <http://www.gnu.org/licenses/>.
  21 -->
  22 <refentry id="sysusers.d">
  23
  24         <refentryinfo>
  25                 <title>sysusers.d</title>
  26                 <productname>systemd</productname>
  27
  28                 <authorgroup>
  29                         <author>
  30                                 <contrib>Developer</contrib>
  31                                 <firstname>Lennart</firstname>
  32                                 <surname>Poettering</surname>
  33                                 <email>lennart@poettering.net</email>
  34                         </author>
  35                 </authorgroup>
  36         </refentryinfo>
  37
  38         <refmeta>
  39                 <refentrytitle>sysusers.d</refentrytitle>
  40                 <manvolnum>5</manvolnum>
  41         </refmeta>
  42
  43         <refnamediv>
  44                 <refname>sysusers.d</refname>
  45                 <refpurpose>Declarative allocation of system users and groups</refpurpose>
  46         </refnamediv>
  47
  48         <refsynopsisdiv>
  49                 <para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
  50         </refsynopsisdiv>
  51
  52         <refsect1>
  53                 <title>Description</title>
  54
  55                 <para><command>systemd-sysusers</command> uses the
  56                 files from <filename>sysusers.d</filename> directory
  57                 to create system users and groups at package
  58                 installation or boot time. This tool may be used to
  59                 allocate system users and groups only, it is not
  60                 useful for creating non-system users and groups, as it
  61                 accesses <filename>/etc/passwd</filename> and
  62                 <filename>/etc/group</filename> directly, bypassing
  63                 any more complex user databases, for example any
  64                 database involving NIS or LDAP.</para>
  65         </refsect1>
  66
  67         <refsect1>
  68                 <title>Configuration Format</title>
  69
  70                 <para>Each configuration file shall be named in the
  71                 style of
  72                 <filename><replaceable>package</replaceable>.conf</filename>
  73                 or
  74                 <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
  75                 The second variant should be used when it is desirable
  76                 to make it easy to override just this part of
  77                 configuration.</para>
  78
  79                 <para>The file format is one line per user or group
  80                 containing name, ID and GECOS field description:</para>
  81
  82                 <programlisting># Type Name ID GECOS
  83 u httpd 440 "HTTP User"
  84 u authd /usr/bin/authd "Authorization user"
  85 g input - -
  86 m authd input</programlisting>
  87
  88                 <refsect2>
  89                         <title>Type</title>
  90
  91                         <para>The type consists of a single
  92                         letter. The following line types are
  93                         understood:</para>
  94
  95                         <variablelist>
  96                                 <varlistentry>
  97                                         <term><varname>u</varname></term>
  98                                         <listitem><para>Create a
  99                                         system user and group of the
 100                                         specified name should they not
 101                                         exist yet. The user's primary
 102                                         group will be set to the group
 103                                         bearing the same name. The
 104                                         user's shell will be set to
 105                                         <filename>/sbin/nologin</filename>,
 106                                         the home directory to
 107                                         <filename>/</filename>. The
 108                                         account will be created
 109                                         disabled, so that logins are
 110                                         not allowed.</para></listitem>
 111                                 </varlistentry>
 112
 113                                 <varlistentry>
 114                                         <term><varname>g</varname></term>
 115                                         <listitem><para>Create a
 116                                         system group of the specified
 117                                         name should it not exist
 118                                         yet. Note that
 119                                         <varname>u</varname>
 120                                         implicitly create a matching
 121                                         group. The group will be
 122                                         created with no password
 123                                         set.</para></listitem>
 124                                 </varlistentry>
 125
 126                                 <varlistentry>
 127                                         <term><varname>m</varname></term>
 128                                         <listitem><para>Add a user to
 129                                         a group. If the user or group
 130                                         are not existing yet, they
 131                                         will be implicitly
 132                                         created.</para></listitem>
 133                                 </varlistentry>
 134                         </variablelist>
 135                 </refsect2>
 136
 137                 <refsect2>
 138                         <title>Name</title>
 139
 140                         <para>The name field specifies the user or
 141                         group name. It should be shorter than 31
 142                         characters and avoid any non-ASCII characters,
 143                         and not begin with a numeric character. It is
 144                         strongly recommended to pick user and group
 145                         names that are unlikely to clash with normal
 146                         users created by the administrator. A good
 147                         scheme to guarantee this is by prefixing all
 148                         system and group names with the underscore,
 149                         and avoiding too generic names.</para>
 150
 151                         <para>For <varname>m</varname> lines this
 152                         field should contain the user name to add to a
 153                         group.</para>
 154                 </refsect2>
 155
 156                 <refsect2>
 157                         <title>ID</title>
 158
 159                         <para>For <varname>u</varname> and
 160                         <varname>g</varname> the numeric 32bit UID or
 161                         GID of the user/group. Do not use IDs 65535 or
 162                         4294967295, as they have special placeholder
 163                         meanings. Specify "-" for automatic UID/GID
 164                         allocation for the user or
 165                         group. Alternatively, specify an absolute path
 166                         in the file system. In this case the UID/GID
 167                         is read from the path's owner/group. This is
 168                         useful to create users whose UID/GID match the
 169                         owners of pre-existing files (such as SUID or
 170                         SGID binaries).</para>
 171
 172                         <para>For <varname>m</varname> lines this
 173                         field should contain the group name to add to
 174                         a user to.</para>
 175                 </refsect2>
 176
 177                 <refsect2>
 178                         <title>GECOS</title>
 179
 180                         <para>A short, descriptive string for users to
 181                         be created, enclosed in quotation marks. Note
 182                         that this field may not contain colons.</para>
 183
 184                         <para>Only applies to lines of type
 185                         <varname>u</varname> and should otherwise be
 186                         left unset.</para>
 187                 </refsect2>
 188
 189         </refsect1>
 190
 191         <refsect1>
 192                 <title>Overriding vendor configuration</title>
 193
 194                 <para>Note that <command>systemd-sysusers</command>
 195                 will do nothing if the specified users or groups
 196                 already exist, so normally there no reason to override
 197                 <filename>sysusers.d</filename> vendor configuration,
 198                 except to block certain users or groups from being
 199                 created.</para>
 200
 201                 <para>Files in <filename>/etc/sysusers.d</filename>
 202                 override files with the same name in
 203                 <filename>/usr/lib/sysusers.d</filename> and
 204                 <filename>/run/sysusers.d</filename>. Files in
 205                 <filename>/run/sysusers.d</filename> override files
 206                 with the same name in
 207                 <filename>/usr/lib/sysusers.d</filename>. The scheme is the same as for
 208                 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
 209                 except for the directory name.</para>
 210
 211                 <para>If the administrator wants to disable a
 212                 configuration file supplied by the vendor, the
 213                 recommended way is to place a symlink to
 214                 <filename>/dev/null</filename> in
 215                 <filename>/etc/sysusers.d/</filename> bearing the
 216                 same filename.</para>
 217         </refsect1>
 218
 219         <refsect1>
 220                 <title>See Also</title>
 221                 <para>
 222                         <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
 223                         <citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
 224                         <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
 225                 </para>
 226         </refsect1>
 227
 228 </refentry>