2014-06-29 22:15:01 +02:00
|
|
|
<?xml version="1.0"?>
|
|
|
|
|
<!--*-nxml-*-->
|
|
|
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
|
|
|
<!--
|
|
|
|
|
This file is part of systemd.
|
|
|
|
|
|
|
|
|
|
Copyright 2014 Lennart Poettering
|
|
|
|
|
|
|
|
|
|
systemd is free software; you can redistribute it and/or modify it
|
|
|
|
|
under the terms of the GNU Lesser General Public License as published by
|
|
|
|
|
the Free Software Foundation; either version 2.1 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
systemd is distributed in the hope that it will be useful, but
|
|
|
|
|
WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
Lesser General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Lesser General Public License
|
|
|
|
|
along with systemd; If not, see <http://www.gnu.org/licenses/>.
|
|
|
|
|
-->
|
|
|
|
|
<refentry id="sysusers.d">
|
|
|
|
|
|
|
|
|
|
<refentryinfo>
|
|
|
|
|
<title>sysusers.d</title>
|
|
|
|
|
<productname>systemd</productname>
|
|
|
|
|
|
|
|
|
|
<authorgroup>
|
|
|
|
|
<author>
|
|
|
|
|
<contrib>Developer</contrib>
|
|
|
|
|
<firstname>Lennart</firstname>
|
|
|
|
|
<surname>Poettering</surname>
|
|
|
|
|
<email>lennart@poettering.net</email>
|
|
|
|
|
</author>
|
|
|
|
|
</authorgroup>
|
|
|
|
|
</refentryinfo>
|
|
|
|
|
|
|
|
|
|
<refmeta>
|
|
|
|
|
<refentrytitle>sysusers.d</refentrytitle>
|
|
|
|
|
<manvolnum>5</manvolnum>
|
|
|
|
|
</refmeta>
|
|
|
|
|
|
|
|
|
|
<refnamediv>
|
|
|
|
|
<refname>sysusers.d</refname>
|
|
|
|
|
<refpurpose>Declarative allocation of system users and groups</refpurpose>
|
|
|
|
|
</refnamediv>
|
|
|
|
|
|
|
|
|
|
<refsynopsisdiv>
|
|
|
|
|
<para><filename>/usr/lib/sysusers.d/*.conf</filename></para>
|
|
|
|
|
</refsynopsisdiv>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
|
|
|
|
<title>Description</title>
|
|
|
|
|
|
|
|
|
|
<para><command>systemd-sysusers</command> uses the
|
2014-07-10 14:50:32 +02:00
|
|
|
files from <filename>sysusers.d</filename> directory
|
2014-06-29 22:15:01 +02:00
|
|
|
to create system users and groups at package
|
2014-07-10 14:50:32 +02:00
|
|
|
installation or boot time. This tool may be used to
|
|
|
|
|
allocate system users and groups only, it is not
|
2014-06-29 22:15:01 +02:00
|
|
|
useful for creating non-system users and groups, as it
|
2014-07-10 14:50:32 +02:00
|
|
|
accesses <filename>/etc/passwd</filename> and
|
2014-06-29 22:15:01 +02:00
|
|
|
<filename>/etc/group</filename> directly, bypassing
|
2014-07-10 14:50:32 +02:00
|
|
|
any more complex user databases, for example any
|
2014-06-29 22:15:01 +02:00
|
|
|
database involving NIS or LDAP.</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
<refsect1>
|
2014-07-10 14:50:32 +02:00
|
|
|
<title>Configuration Format</title>
|
2014-06-29 22:15:01 +02:00
|
|
|
|
2014-07-10 14:50:32 +02:00
|
|
|
<para>Each configuration file shall be named in the
|
|
|
|
|
style of
|
|
|
|
|
<filename><replaceable>package</replaceable>.conf</filename>
|
|
|
|
|
or
|
|
|
|
|
<filename><replaceable>package</replaceable>-<replaceable>part</replaceable>.conf</filename>.
|
|
|
|
|
The second variant should be used when it is desirable
|
|
|
|
|
to make it easy to override just this part of
|
|
|
|
|
configuration.</para>
|
2014-06-29 22:15:01 +02:00
|
|
|
|
|
|
|
|
<para>The file format is one line per user or group
|
|
|
|
|
containing name, ID and GECOS field description:</para>
|
|
|
|
|
|
|
|
|
|
<programlisting># Type Name ID GECOS
|
|
|
|
|
u httpd 440 "HTTP User"
|
|
|
|
|
u authd /usr/bin/authd "Authorization user"
|
2014-07-03 19:54:46 +02:00
|
|
|
g input - -
|
|
|
|
|
m authd input</programlisting>
|
2014-06-29 22:15:01 +02:00
|
|
|
|
|
|
|
|
<refsect2>
|
|
|
|
|
<title>Type</title>
|
|
|
|
|
|
|
|
|
|
<para>The type consists of a single
|
|
|
|
|
letter. The following line types are
|
|
|
|
|
understood:</para>
|
|
|
|
|
|
|
|
|
|
<variablelist>
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>u</varname></term>
|
|
|
|
|
<listitem><para>Create a
|
|
|
|
|
system user and group of the
|
|
|
|
|
specified name should they not
|
|
|
|
|
exist yet. The user's primary
|
|
|
|
|
group will be set to the group
|
|
|
|
|
bearing the same name. The
|
|
|
|
|
user's shell will be set to
|
2014-07-13 16:56:16 +02:00
|
|
|
<filename>/sbin/nologin</filename>,
|
2014-06-29 22:15:01 +02:00
|
|
|
the home directory to
|
|
|
|
|
<filename>/</filename>. The
|
|
|
|
|
account will be created
|
|
|
|
|
disabled, so that logins are
|
|
|
|
|
not allowed.</para></listitem>
|
|
|
|
|
</varlistentry>
|
|
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>g</varname></term>
|
|
|
|
|
<listitem><para>Create a
|
|
|
|
|
system group of the specified
|
|
|
|
|
name should it not exist
|
|
|
|
|
yet. Note that
|
|
|
|
|
<varname>u</varname>
|
|
|
|
|
implicitly create a matching
|
|
|
|
|
group. The group will be
|
|
|
|
|
created with no password
|
|
|
|
|
set.</para></listitem>
|
|
|
|
|
</varlistentry>
|
2014-07-03 19:54:46 +02:00
|
|
|
|
|
|
|
|
<varlistentry>
|
|
|
|
|
<term><varname>m</varname></term>
|
|
|
|
|
<listitem><para>Add a user to
|
|
|
|
|
a group. If the user or group
|
|
|
|
|
are not existing yet, they
|
|
|
|
|
will be implicitly
|
|
|
|
|
created.</para></listitem>
|
|
|
|
|
</varlistentry>
|
2014-06-29 22:15:01 +02:00
|
|
|
</variablelist>
|
|
|
|
|
</refsect2>
|
|
|
|
|
|
|
|
|
|
<refsect2>
|
|
|
|
|
<title>Name</title>
|
|
|
|
|
|
|
|
|
|
<para>The name field specifies the user or
|
2014-07-23 12:40:07 +02:00
|
|
|
group name. It should be shorter than 31
|
2014-06-29 22:15:01 +02:00
|
|
|
characters and avoid any non-ASCII characters,
|
|
|
|
|
and not begin with a numeric character. It is
|
|
|
|
|
strongly recommended to pick user and group
|
|
|
|
|
names that are unlikely to clash with normal
|
|
|
|
|
users created by the administrator. A good
|
|
|
|
|
scheme to guarantee this is by prefixing all
|
|
|
|
|
system and group names with the underscore,
|
|
|
|
|
and avoiding too generic names.</para>
|
2014-07-03 19:54:46 +02:00
|
|
|
|
|
|
|
|
<para>For <varname>m</varname> lines this
|
|
|
|
|
field should contain the user name to add to a
|
|
|
|
|
group.</para>
|
2014-06-29 22:15:01 +02:00
|
|
|
</refsect2>
|
|
|
|
|
|
|
|
|
|
<refsect2>
|
|
|
|
|
<title>ID</title>
|
|
|
|
|
|
2014-07-03 19:54:46 +02:00
|
|
|
<para>For <varname>u</varname> and
|
|
|
|
|
<varname>g</varname> the numeric 32bit UID or
|
|
|
|
|
GID of the user/group. Do not use IDs 65535 or
|
2014-06-29 22:15:01 +02:00
|
|
|
4294967295, as they have special placeholder
|
|
|
|
|
meanings. Specify "-" for automatic UID/GID
|
|
|
|
|
allocation for the user or
|
|
|
|
|
group. Alternatively, specify an absolute path
|
|
|
|
|
in the file system. In this case the UID/GID
|
|
|
|
|
is read from the path's owner/group. This is
|
|
|
|
|
useful to create users whose UID/GID match the
|
|
|
|
|
owners of pre-existing files (such as SUID or
|
|
|
|
|
SGID binaries).</para>
|
2014-07-03 19:54:46 +02:00
|
|
|
|
|
|
|
|
<para>For <varname>m</varname> lines this
|
|
|
|
|
field should contain the group name to add to
|
|
|
|
|
a user to.</para>
|
2014-06-29 22:15:01 +02:00
|
|
|
</refsect2>
|
|
|
|
|
|
|
|
|
|
<refsect2>
|
|
|
|
|
<title>GECOS</title>
|
|
|
|
|
|
|
|
|
|
<para>A short, descriptive string for users to
|
|
|
|
|
be created, enclosed in quotation marks. Note
|
|
|
|
|
that this field may not contain colons.</para>
|
2014-07-03 19:54:46 +02:00
|
|
|
|
|
|
|
|
<para>Only applies to lines of type
|
|
|
|
|
<varname>u</varname> and should otherwise be
|
|
|
|
|
left unset.</para>
|
2014-06-29 22:15:01 +02:00
|
|
|
</refsect2>
|
|
|
|
|
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
2014-07-10 14:50:32 +02:00
|
|
|
<refsect1>
|
|
|
|
|
<title>Overriding vendor configuration</title>
|
|
|
|
|
|
|
|
|
|
<para>Note that <command>systemd-sysusers</command>
|
|
|
|
|
will do nothing if the specified users or groups
|
|
|
|
|
already exist, so normally there no reason to override
|
|
|
|
|
<filename>sysusers.d</filename> vendor configuration,
|
|
|
|
|
except to block certain users or groups from being
|
|
|
|
|
created.</para>
|
|
|
|
|
|
|
|
|
|
<para>Files in <filename>/etc/sysusers.d</filename>
|
|
|
|
|
override files with the same name in
|
|
|
|
|
<filename>/usr/lib/sysusers.d</filename> and
|
|
|
|
|
<filename>/run/sysusers.d</filename>. Files in
|
|
|
|
|
<filename>/run/sysusers.d</filename> override files
|
|
|
|
|
with the same name in
|
|
|
|
|
<filename>/usr/lib/sysusers.d</filename>. The scheme is the same as for
|
|
|
|
|
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
|
|
|
except for the directory name.</para>
|
|
|
|
|
|
|
|
|
|
<para>If the administrator wants to disable a
|
|
|
|
|
configuration file supplied by the vendor, the
|
|
|
|
|
recommended way is to place a symlink to
|
|
|
|
|
<filename>/dev/null</filename> in
|
|
|
|
|
<filename>/etc/sysusers.d/</filename> bearing the
|
|
|
|
|
same filename.</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
2014-06-29 22:15:01 +02:00
|
|
|
<refsect1>
|
|
|
|
|
<title>See Also</title>
|
|
|
|
|
<para>
|
|
|
|
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
2014-07-10 14:50:32 +02:00
|
|
|
<citerefentry><refentrytitle>systemd-sysusers</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
|
|
|
|
<citerefentry><refentrytitle>tmpfiles.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
2014-06-29 22:15:01 +02:00
|
|
|
</para>
|
|
|
|
|
</refsect1>
|
|
|
|
|
|
|
|
|
|
</refentry>
|
