summaryrefslogtreecommitdiff
path: root/man
diff options
context:
space:
mode:
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-07-25 16:40:26 -0400
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2016-07-25 16:40:26 -0400
commitdadd6ecfa5eaf842763dca545b4c04f33831789e (patch)
treece34705fdfe6a36b661384f934b697295ada0672 /man
parente28973ee182434b59ff562c9b22823250c9fdb4c (diff)
parentd82047bef5b8a35fb2d1d4685f241383df1a1d76 (diff)
Merge pull request #3728 from poettering/dynamic-users
Diffstat (limited to 'man')
-rw-r--r--man/nss-myhostname.xml5
-rw-r--r--man/nss-mymachines.xml5
-rw-r--r--man/nss-resolve.xml7
-rw-r--r--man/nss-systemd.xml107
-rw-r--r--man/systemd.exec.xml36
5 files changed, 149 insertions, 11 deletions
diff --git a/man/nss-myhostname.xml b/man/nss-myhostname.xml
index a920ec334f..b1daaba02b 100644
--- a/man/nss-myhostname.xml
+++ b/man/nss-myhostname.xml
@@ -106,8 +106,8 @@
<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
<command>nss-myhostname</command> correctly:</para>
-<programlisting>passwd: compat mymachines
-group: compat mymachines
+<programlisting>passwd: compat mymachines systemd
+group: compat mymachines systemd
shadow: compat
hosts: files mymachines resolve <command>myhostname</command>
@@ -138,6 +138,7 @@ netgroup: nis</programlisting>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
diff --git a/man/nss-mymachines.xml b/man/nss-mymachines.xml
index ec047449bf..a70119e256 100644
--- a/man/nss-mymachines.xml
+++ b/man/nss-mymachines.xml
@@ -82,8 +82,8 @@
<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
<command>nss-mymachines</command> correctly:</para>
- <programlisting>passwd: compat <command>mymachines</command>
-group: compat <command>mymachines</command>
+ <programlisting>passwd: compat <command>mymachines</command> systemd
+group: compat <command>mymachines</command> systemd
shadow: compat
hosts: files <command>mymachines</command> resolve myhostname
@@ -103,6 +103,7 @@ netgroup: nis</programlisting>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
diff --git a/man/nss-resolve.xml b/man/nss-resolve.xml
index d9e56453e8..e6cc1d982a 100644
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@@ -81,8 +81,8 @@
<para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables <command>nss-resolve</command>
correctly:</para>
-<programlisting>passwd: compat mymachines
-group: compat mymachines
+<programlisting>passwd: compat mymachines systemd
+group: compat mymachines systemd
shadow: compat
hosts: files mymachines <command>resolve</command> myhostname
@@ -102,8 +102,9 @@ netgroup: nis</programlisting>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>
diff --git a/man/nss-systemd.xml b/man/nss-systemd.xml
new file mode 100644
index 0000000000..4228372e51
--- /dev/null
+++ b/man/nss-systemd.xml
@@ -0,0 +1,107 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<!--
+ This file is part of systemd.
+
+ Copyright 2016 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+-->
+
+<refentry id="nss-systemd">
+
+ <refentryinfo>
+ <title>nss-systemd</title>
+ <productname>systemd</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Lennart</firstname>
+ <surname>Poettering</surname>
+ <email>lennart@poettering.net</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>nss-systemd</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>nss-systemd</refname>
+ <refname>libnss_systemd.so.2</refname>
+ <refpurpose>Provide UNIX user and group name resolution for dynamic users and groups.</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <para><filename>libnss_systemd.so.2</filename></para>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>nss-systemd</command> is a plug-in module for the GNU Name Service Switch (NSS) functionality of the
+ GNU C Library (<command>glibc</command>), providing UNIX user and group name resolution for dynamic users and
+ groups allocated through the <varname>DynamicUser=</varname> option in systemd unit files. See
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for details on
+ this option.</para>
+
+ <para>To activate the NSS module, add <literal>systemd</literal> to the lines starting with
+ <literal>passwd:</literal> and <literal>group:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
+
+ <para>It is recommended to place <literal>systemd</literal> after the <literal>files</literal> or
+ <literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> lines so that
+ <filename>/etc/passwd</filename> and <filename>/etc/group</filename> based mappings take precedence.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Example</title>
+
+ <para>Here is an example <filename>/etc/nsswitch.conf</filename> file that enables
+ <command>nss-systemd</command> correctly:</para>
+
+ <programlisting>passwd: compat mymachines <command>systemd</command>
+group: compat mymachines <command>systemd</command>
+shadow: compat
+
+hosts: files mymachines resolve myhostname
+networks: files
+
+protocols: db files
+services: db files
+ethers: db files
+rpc: db files
+
+netgroup: nis</programlisting>
+
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nss-resolve</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>nss-mymachines</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>nsswitch.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 41ae6e76de..58ba582911 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -143,10 +143,38 @@
<term><varname>User=</varname></term>
<term><varname>Group=</varname></term>
- <listitem><para>Sets the Unix user or group that the processes
- are executed as, respectively. Takes a single user or group
- name or ID as argument. If no group is set, the default group
- of the user is chosen. These do not affect commands prefixed with <literal>+</literal>.</para></listitem>
+ <listitem><para>Set the UNIX user or group that the processes are executed as, respectively. Takes a single
+ user or group name, or numeric ID as argument. If no group is set, the default group of the user is used. This
+ setting does not affect commands whose command line is prefixed with <literal>+</literal>.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>DynamicUser=</varname></term>
+
+ <listitem><para>Takes a boolean parameter. If set, a UNIX user and group pair is allocated dynamically when the
+ unit is started, and released as soon as it is stopped. The user and group will not be added to
+ <filename>/etc/passwd</filename> or <filename>/etc/group</filename>, but are managed transiently during
+ runtime. The <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+ glibc NSS module provides integration of these dynamic users/groups into the system's user and group
+ databases. The user and group name to use may be configured via <varname>User=</varname> and
+ <varname>Group=</varname> (see above). If these options are not used and dynamic user/group allocation is
+ enabled for a unit, the name of the dynamic user/group is implicitly derived from the unit name. If the unit
+ name without the type suffix qualifies as valid user name it is used directly, otherwise a name incorporating a
+ hash of it is used. If a statically allocated user or group of the configured name already exists, it is used
+ and no dynamic user/group is allocated. Dynamic users/groups are allocated from the UID/GID range
+ 61184…65519. It is recommended to avoid this range for regular system or login users. At any point in time
+ each UID/GID from this range is only assigned to zero or one dynamically allocated users/groups in
+ use. However, UID/GIDs are recycled after a unit is terminated. Care should be taken that any processes running
+ as part of a unit for which dynamic users/groups are enabled do not leave files or directories owned by these
+ users/groups around, as a different unit might get the same UID/GID assigned later on, and thus gain access to
+ these files or directories. If <varname>DynamicUser=</varname> is enabled, <varname>PrivateTmp=</varname> is
+ implied. This ensures that the lifetime of temporary files created by the executed processes is bound to the
+ runtime of the service, and hence the lifetime of the dynamic user/group. Since <filename>/tmp</filename> and
+ <filename>/var/tmp</filename> are usually the only world-writable directories on a system this ensures that a
+ unit making use of dynamic user/group allocation cannot leave files around after unit termination. Use
+ <varname>RuntimeDirectory=</varname> (see below) in order to assign a writable runtime directory to a service,
+ owned by the dynamic user/group and removed automatically when the unit is terminated. Defaults to
+ off.</para></listitem>
</varlistentry>
<varlistentry>