| blob | 4b54286e7fbac2da1d52b7b068ba8bdf4db1f238 |
1 <?xml version="1.0"?>
2 <!--*-nxml-*-->
3 <!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
4 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd">
5 <!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
6 <refentry id="sysusers.d" conditional='ENABLE_SYSUSERS'
7 xmlns:xi="http://www.w3.org/2001/XInclude">
9 <refentryinfo>
10 <title>sysusers.d</title>
11 <productname>systemd</productname>
12 </refentryinfo>
14 <refmeta>
15 <refentrytitle>sysusers.d</refentrytitle>
16 <manvolnum>5</manvolnum>
17 </refmeta>
19 <refnamediv>
20 <refname>sysusers.d</refname>
21 <refpurpose>Declarative allocation of system users and groups</refpurpose>
22 </refnamediv>
24 <refsynopsisdiv>
25 <para><simplelist>
26 <member><filename>/etc/sysusers.d/*.conf</filename></member>
27 <member><filename>/run/sysusers.d/*.conf</filename></member>
28 <member><filename>/usr/local/lib/sysusers.d/*.conf</filename></member>
29 <member><filename>/usr/lib/sysusers.d/*.conf</filename></member>
30 </simplelist></para>
32 <programlisting>
33 #Type Name ID GECOS Home directory Shell
34 u user_name uid "User Description" /home/dir /path/to/shell
35 u user_name uid:gid "User Description" /home/dir /path/to/shell
36 u user_name /file/owned/by/user "User Description" /home/dir /path/to/shell
37 g group_name gid
38 g group_name /file/owned/by/group
39 m user_name group_name
40 r - lowest-highest</programlisting>
41 </refsynopsisdiv>
43 <refsect1>
44 <title>Description</title>
46 <para><command>systemd-sysusers</command> uses the files from
47 <filename>sysusers.d</filename> directory to create system users and groups and
48 to add users to groups, at package installation or boot time. This tool may be
49 used to allocate system users and groups only, it is not useful for creating
50 non-system (i.e. regular, "human") users and groups, as it accesses
51 <filename>/etc/passwd</filename> and <filename>/etc/group</filename> directly,
52 bypassing any more complex user databases, for example any database involving NIS
53 or LDAP.</para>
54 </refsect1>
56 <refsect1>
57 <title>Configuration Directories and Precedence</title>
59 <para>Each configuration file shall be named in the style of
60 <filename><replaceable>package</replaceable>.conf</filename> or
61 <filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
62 The second variant should be used when it is desirable to make it
63 easy to override just this part of configuration.</para>
65 <para>Files in <filename>/etc/sysusers.d</filename> override files
66 with the same name in <filename>/usr/lib/sysusers.d</filename> and
67 <filename>/run/sysusers.d</filename>. Files in
68 <filename>/run/sysusers.d</filename> override files with the same
69 name in <filename>/usr/lib/sysusers.d</filename>. Packages should
70 install their configuration files in
71 <filename>/usr/lib/sysusers.d</filename>. Files in
72 <filename>/etc/sysusers.d</filename> are reserved for the local
73 administrator, who may use this logic to override the
74 configuration files installed by vendor packages. All
75 configuration files are sorted by their filename in lexicographic
76 order, regardless of which of the directories they reside in. If
77 multiple files specify the same path, the entry in the file with
78 the lexicographically earliest name will be applied. All later
79 entries for the same user and group names will be logged as warnings.
80 </para>
82 <para>If the administrator wants to disable a configuration file
83 supplied by the vendor, the recommended way is to place a symlink
84 to <filename>/dev/null</filename> in
85 <filename>/etc/sysusers.d/</filename> bearing the same filename.
86 </para>
87 </refsect1>
89 <refsect1>
90 <title>Configuration File Format</title>
92 <para>The file format is one line per user or group containing name, ID, GECOS
93 field description, home directory, and login shell:</para>
95 <programlisting>#Type Name ID GECOS Home directory Shell
96 u! httpd 404 "HTTP User"
97 u! _authd /usr/bin/authd "Authorization user"
98 u! postgres - "Postgresql Database" /var/lib/pgsql /usr/libexec/postgresdb
99 g input - -
100 m _authd input
101 u root 0 "Superuser" /root /bin/zsh
102 r - 500-900
103 </programlisting>
105 <para>Empty lines and lines beginning with the <literal>#</literal> character are ignored, and may be used for
106 commenting.</para>
108 <refsect2>
109 <title>Type</title>
111 <para>The type consists of a single letter. The following line
112 types are understood:</para>
114 <variablelist>
115 <varlistentry>
116 <term><varname>u</varname></term>
117 <listitem><para>Create a system user and group of the specified name should
118 they not exist yet. The user's primary group will be set to the group
119 bearing the same name unless the ID field specifies it. The account will be
120 created disabled, so that logins are not allowed.</para>
122 <para>Type <varname>u</varname> may be suffixed with an exclamation mark (<literal>u!</literal>) to
123 create a fully locked account. This is recommended, since logins should typically not be allowed
124 for system users. With or without the exclamation mark an invalid password is set. For
125 <literal>u!</literal>, the account is also locked, which makes a difference for non-password forms
126 of authentication, such as SSH or similar.</para>
128 <xi:include href="version-info.xml" xpointer="v215"/></listitem>
129 </varlistentry>
131 <varlistentry>
132 <term><varname>g</varname></term>
133 <listitem><para>Create a system group of the specified name
134 should it not exist yet. Note that <varname>u</varname>
135 implicitly creates a matching group. The group will be
136 created with no password set.</para>
138 <xi:include href="version-info.xml" xpointer="v215"/></listitem>
139 </varlistentry>
141 <varlistentry>
142 <term><varname>m</varname></term>
143 <listitem><para>Add a user to a group. If the user or group
144 do not exist yet, they will be implicitly
145 created.</para>
147 <xi:include href="version-info.xml" xpointer="v215"/></listitem>
148 </varlistentry>
150 <varlistentry>
151 <term><varname>r</varname></term>
152 <listitem><para>Add a range of numeric UIDs/GIDs to the pool
153 to allocate new UIDs and GIDs from. If no line of this type
154 is specified, the range of UIDs/GIDs is set to some
155 compiled-in default. Note that both UIDs and GIDs are
156 allocated from the same pool, in order to ensure that users
157 and groups of the same name are likely to carry the same
158 numeric UID and GID.</para>
160 <xi:include href="version-info.xml" xpointer="v216"/></listitem>
161 </varlistentry>
163 </variablelist>
164 </refsect2>
166 <refsect2>
167 <title>Name</title>
169 <para>The name field specifies the user or group name. The specified name must consist only of the characters a-z,
170 A-Z, 0-9, <literal>_</literal> and <literal>-</literal>, except for the first character which must be one of a-z,
171 A-Z or <literal>_</literal> (i.e. numbers and <literal>-</literal> are not permitted as first character). The
172 user/group name must have at least one character, and at most 31.</para>
174 <para>For further details about the syntax of user/group names, see <ulink
175 url="https://systemd.io/USER_NAMES">User/Group Name Syntax</ulink>.</para>
177 <para>It is strongly recommended to pick user and group names that are unlikely to clash with normal users
178 created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the
179 underscore, and avoiding too generic names.</para>
181 <para>For <varname>m</varname> lines, this field should contain
182 the user name to add to a group.</para>
184 <para>For lines of type <varname>r</varname>, this field should
185 be set to <literal>-</literal>.</para>
186 </refsect2>
188 <refsect2>
189 <title>ID</title>
191 <para>For <varname>u</varname> and <varname>g</varname>, the
192 numeric 32-bit UID or GID of the user/group. Do not use IDs 65535
193 or 4294967295, as they have special placeholder meanings.
194 Specify <literal>-</literal> for automatic UID/GID allocation
195 for the user or group (this is strongly recommended unless it is strictly
196 necessary to use a specific UID or GID). Alternatively, specify an absolute path
197 in the file system. In this case, the UID/GID is read from the
198 path's owner/group. This is useful to create users whose UID/GID
199 match the owners of pre-existing files (such as SUID or SGID
200 binaries).
201 The syntaxes <literal><replaceable>uid</replaceable>:<replaceable>gid</replaceable></literal> and
202 <literal><replaceable>uid</replaceable>:<replaceable>groupname</replaceable></literal> are supported to
203 allow creating users with specific primary groups. The given group must be created explicitly, or it
204 must already exist. Specifying <literal>-</literal> for the UID in these syntaxes is also supported.
205 </para>
207 <para>For <varname>m</varname> lines, this field should contain
208 the group name to add to a user to.</para>
210 <para>For lines of type <varname>r</varname>, this field should
211 be set to a UID/GID range in the format
212 <literal>FROM-TO</literal>, where both values are formatted as
213 decimal ASCII numbers. Alternatively, a single UID/GID may be
214 specified formatted as decimal ASCII numbers.</para>
215 </refsect2>
217 <refsect2>
218 <title>GECOS</title>
220 <para>A short, descriptive string for users to be created, enclosed in
221 quotation marks. Note that this field may not contain colons.</para>
223 <para>Only applies to lines of type <varname>u</varname> and should otherwise
224 be left unset (or <literal>-</literal>).</para>
225 </refsect2>
227 <refsect2>
228 <title>Home Directory</title>
230 <para>The home directory for a new system user. If omitted, defaults to the
231 root directory.</para>
233 <para>Only applies to lines of type <varname>u</varname> and should otherwise
234 be left unset (or <literal>-</literal>). It is recommended to omit this, unless
235 software strictly requires a home directory to be set.</para>
237 <para><command>systemd-sysusers</command> only sets the home directory record in the
238 user database. To actually create the directory, consider adding a corresponding
239 <citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
240 fragment.</para>
241 </refsect2>
243 <refsect2>
244 <title>Shell</title>
246 <para>The login shell of the user. If not specified, this will be set to
247 <filename>/usr/sbin/nologin</filename>, except if the UID of the user is 0, in
248 which case <filename>/bin/sh</filename> will be used.</para>
250 <para>Only applies to lines of type <varname>u</varname> and should otherwise
251 be left unset (or <literal>-</literal>). It is recommended to omit this, unless
252 a shell different <filename>/usr/sbin/nologin</filename> must be used.</para>
253 </refsect2>
254 </refsect1>
256 <refsect1>
257 <title>Specifiers</title>
259 <para>Specifiers can be used in the <literal>Name</literal>, <literal>ID</literal>,
260 <literal>GECOS</literal>, <literal>Home directory</literal>, and <literal>Shell</literal> fields. An
261 unknown or unresolvable specifier is treated as invalid configuration. The following expansions are
262 understood:</para>
264 <table class='specifiers'>
265 <title>Specifiers available</title>
266 <tgroup cols='3' align='left' colsep='1' rowsep='1'>
267 <colspec colname="spec" />
268 <colspec colname="mean" />
269 <colspec colname="detail" />
270 <thead>
271 <row>
272 <entry>Specifier</entry>
273 <entry>Meaning</entry>
274 <entry>Details</entry>
275 </row>
276 </thead>
277 <tbody>
278 <xi:include href="standard-specifiers.xml" xpointer="a"/>
279 <xi:include href="standard-specifiers.xml" xpointer="A"/>
280 <xi:include href="standard-specifiers.xml" xpointer="b"/>
281 <xi:include href="standard-specifiers.xml" xpointer="B"/>
282 <xi:include href="standard-specifiers.xml" xpointer="H"/>
283 <xi:include href="standard-specifiers.xml" xpointer="l"/>
284 <xi:include href="standard-specifiers.xml" xpointer="m"/>
285 <xi:include href="standard-specifiers.xml" xpointer="M"/>
286 <xi:include href="standard-specifiers.xml" xpointer="o"/>
287 <xi:include href="standard-specifiers.xml" xpointer="q"/>
288 <xi:include href="standard-specifiers.xml" xpointer="T"/>
289 <xi:include href="standard-specifiers.xml" xpointer="v"/>
290 <xi:include href="standard-specifiers.xml" xpointer="V"/>
291 <xi:include href="standard-specifiers.xml" xpointer="w"/>
292 <xi:include href="standard-specifiers.xml" xpointer="W"/>
293 <xi:include href="standard-specifiers.xml" xpointer="percent"/>
294 </tbody>
295 </tgroup>
296 </table>
297 </refsect1>
299 <refsect1>
300 <title>Idempotence</title>
302 <para>Note that <command>systemd-sysusers</command> will do nothing if the
303 specified users or groups already exist or the users are members of specified
304 groups, so normally there is no reason to override
305 <filename>sysusers.d</filename> vendor configuration, except to block certain
306 users or groups from being created.</para>
307 </refsect1>
309 <refsect1>
310 <title>See Also</title>
311 <para><simplelist type="inline">
312 <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
313 <member><citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry></member>
314 </simplelist></para>
315 </refsect1>
317 </refentry>