1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
|
<?xml version="1.0"?>
<!--*-nxml-*-->
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!--
This file is part of systemd.
Copyright 2014 Lennart Poettering
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
systemd is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public License
along with systemd; If not, see <http://www.gnu.org/licenses/>.
-->
<refentry id="sysusers.d">
<refentryinfo>
<title>sysusers.d</title>
<productname>systemd</productname>
<authorgroup>
<author>
<contrib>Developer</contrib>
<firstname>Lennart</firstname>
<surname>Poettering</surname>
<email>lennart@poettering.net</email>
</author>
</authorgroup>
</refentryinfo>
<refmeta>
<refentrytitle>sysusers.d</refentrytitle>
<manvolnum>5</manvolnum>
</refmeta>
<refnamediv>
<refname>sysusers.d</refname>
<refpurpose>Declarative allocation of system users and groups</refpurpose>
</refnamediv>
<refsynopsisdiv>
<para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
</refsynopsisdiv>
<refsect1>
<title>Description</title>
<para><command>systemd-sysusers</command> uses the
files from <filename>sysusers.d</filename> directory
to create system users and groups at package
installation or boot time. This tool may be used to
allocate system users and groups only, it is not
useful for creating non-system users and groups, as it
accesses <filename>/etc/passwd</filename> and
<filename>/etc/group</filename> directly, bypassing
any more complex user databases, for example any
database involving NIS or LDAP.</para>
</refsect1>
<refsect1>
<title>Configuration Format</title>
<para>Each configuration file shall be named in the
style of
<filename><replaceable>package</replaceable>.conf</filename>
or
<filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
The second variant should be used when it is desirable
to make it easy to override just this part of
configuration.</para>
<para>The file format is one line per user or group
containing name, ID and GECOS field description:</para>
<programlisting># Type Name ID GECOS
u httpd 440 "HTTP User"
u authd /usr/bin/authd "Authorization user"
g input - -
m authd input</programlisting>
<refsect2>
<title>Type</title>
<para>The type consists of a single
letter. The following line types are
understood:</para>
<variablelist>
<varlistentry>
<term><varname>u</varname></term>
<listitem><para>Create a
system user and group of the
specified name should they not
exist yet. The user's primary
group will be set to the group
bearing the same name. The
user's shell will be set to
<filename>/sbin/nologin</filename>,
the home directory to
<filename>/</filename>. The
account will be created
disabled, so that logins are
not allowed.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>g</varname></term>
<listitem><para>Create a
system group of the specified
name should it not exist
yet. Note that
<varname>u</varname>
implicitly create a matching
group. The group will be
created with no password
set.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>m</varname></term>
<listitem><para>Add a user to
a group. If the user or group
are not existing yet, they
will be implicitly
created.</para></listitem>
</varlistentry>
</variablelist>
</refsect2>
<refsect2>
<title>Name</title>
<para>The name field specifies the user or
group name. It should be be shorter than 31
characters and avoid any non-ASCII characters,
and not begin with a numeric character. It is
strongly recommended to pick user and group
names that are unlikely to clash with normal
users created by the administrator. A good
scheme to guarantee this is by prefixing all
system and group names with the underscore,
and avoiding too generic names.</para>
<para>For <varname>m</varname> lines this
field should contain the user name to add to a
group.</para>
</refsect2>
<refsect2>
<title>ID</title>
<para>For <varname>u</varname> and
<varname>g</varname> the numeric 32bit UID or
GID of the user/group. Do not use IDs 65535 or
4294967295, as they have special placeholder
meanings. Specify "-" for automatic UID/GID
allocation for the user or
group. Alternatively, specify an absolute path
in the file system. In this case the UID/GID
is read from the path's owner/group. This is
useful to create users whose UID/GID match the
owners of pre-existing files (such as SUID or
SGID binaries).</para>
<para>For <varname>m</varname> lines this
field should contain the group name to add to
a user to.</para>
</refsect2>
<refsect2>
<title>GECOS</title>
<para>A short, descriptive string for users to
be created, enclosed in quotation marks. Note
that this field may not contain colons.</para>
<para>Only applies to lines of type
<varname>u</varname> and should otherwise be
left unset.</para>
</refsect2>
</refsect1>
<refsect1>
<title>Overriding vendor configuration</title>
<para>Note that <command>systemd-sysusers</command>
will do nothing if the specified users or groups
already exist, so normally there no reason to override
<filename>sysusers.d</filename> vendor configuration,
except to block certain users or groups from being
created.</para>
<para>Files in <filename>/etc/sysusers.d</filename>
override files with the same name in
<filename>/usr/lib/sysusers.d</filename> and
<filename>/run/sysusers.d</filename>. Files in
<filename>/run/sysusers.d</filename> override files
with the same name in
<filename>/usr/lib/sysusers.d</filename>. The scheme is the same as for
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
except for the directory name.</para>
<para>If the administrator wants to disable a
configuration file supplied by the vendor, the
recommended way is to place a symlink to
<filename>/dev/null</filename> in
<filename>/etc/sysusers.d/</filename> bearing the
same filename.</para>
</refsect1>
<refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
</para>
</refsect1>
</refentry>
|