sysusers.d — Declarative allocation of system users and groups
/usr/lib/sysusers.d/*.conf
systemd-sysusers uses the
files from sysusers.d directory
to create system users and groups at package
installation or boot time. This tool may be used to
allocate system users and groups only, it is not
useful for creating non-system users and groups, as it
accesses /etc/passwd and
/etc/group directly, bypassing
any more complex user databases, for example any
database involving NIS or LDAP.
Each configuration file shall be named in the
style of
package.confpackage-part.conf
The file format is one line per user or group containing name, ID, GECOS field description and home directory:
# Type Name ID GECOS u httpd 440 "HTTP User" u authd /usr/bin/authd "Authorization user" g input - - m authd input u root 0 "Superuser" /root
The type consists of a single letter. The following line types are understood:
u¶Create a
system user and group of the
specified name should they not
exist yet. The user's primary
group will be set to the group
bearing the same name. The
user's shell will be set to
/sbin/nologin,
the home directory to the
specified home directory, or
/ if none
is given. The account will be
created disabled, so that
logins are not
allowed.
g¶Create a
system group of the specified
name should it not exist
yet. Note that
u
implicitly create a matching
group. The group will be
created with no password
set.
m¶Add a user to a group. If the user or group are not existing yet, they will be implicitly created.
r¶Add a range of numeric UIDs/GIDs to the pool to allocate new UIDs and GIDs from. If no line of this type is specified the range of UIDs/GIDs is set to some compiled-in default. Note that both UIDs and GIDs are allocated from the same pool, in order to ensure that users and groups of the same name are likely to carry the same numeric UID and GID.
The name field specifies the user or group name. It should be shorter than 31 characters and avoid any non-ASCII characters, and not begin with a numeric character. It is strongly recommended to pick user and group names that are unlikely to clash with normal users created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the underscore, and avoiding too generic names.
For m lines this
field should contain the user name to add to a
group.
For lines of type r
this field should be set to
"-".
For u and
g the numeric 32bit UID or
GID of the user/group. Do not use IDs 65535 or
4294967295, as they have special placeholder
meanings. Specify "-" for
automatic UID/GID allocation for the user or
group. Alternatively, specify an absolute path
in the file system. In this case the UID/GID
is read from the path's owner/group. This is
useful to create users whose UID/GID match the
owners of pre-existing files (such as SUID or
SGID binaries).
For m lines this
field should contain the group name to add to
a user to.
For lines of type r
this field should be set to a UID/GID range in
the format "FROM-TO" where
both values are formatted as decimal ASCII
numbers. Alternatively, a single UID/GID may
be specified formatted as decimal ASCII
numbers.
A short, descriptive string for users to be created, enclosed in quotation marks. Note that this field may not contain colons.
Only applies to lines of type
u and should otherwise be
left unset, or be set to
"-".
The home directory for a new system user. If omitted defaults to the root directory. It is recommended to not unnecessarily specify home directories for system users, unless software strictly requires one to be set.
Only applies to lines of type
u and should otherwise be
left unset, or be set to
"-".
Configuration files are read from directories in
/etc/, /run/, and
/usr/lib/, in order of precedence.
Each configuration file in these configuration directories shall be named in
the style of filename.conf/etc/ override files with the same name in
/run/ and /usr/lib/. Files in
/run/ override files with the same name in
/usr/lib/.
Packages should install their configuration files in
/usr/lib/. Files in /etc/ are
reserved for the local administrator, who may use this logic to override the
configuration files installed by vendor packages. All configuration files
are sorted by their filename in lexicographic order, regardless of which of
the directories they reside in. If multiple files specify the same option,
the entry in the file with the lexicographically latest name will take
precedence. It is recommended to prefix all filenames with a two-digit number
and a dash, to simplify the ordering of the files.
If the administrator wants to disable a configuration file supplied by
the vendor, the recommended way is to place a symlink to
/dev/null in the configuration directory in
/etc/, with the same filename as the vendor
configuration file.
Note that systemd-sysusers
will do nothing if the specified users or groups
already exist, so normally there no reason to override
sysusers.d vendor configuration,
except to block certain users or groups from being
created.