mirror of
https://git.proxmox.com/git/systemd
synced 2025-05-29 10:01:12 +00:00
118 lines
11 KiB
HTML
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>sysusers.d</title><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><style>
    a.headerlink {
      color: #c60f0f;
      font-size: 0.8em;
      padding: 0 4px 0 4px;
      text-decoration: none;
      visibility: hidden;
    }

    a.headerlink:hover {
      background-color: #c60f0f;
      color: white;
    }

    h1:hover > a.headerlink, h2:hover > a.headerlink, h3:hover > a.headerlink, dt:hover > a.headerlink {
      visibility: visible;
    }
</style><a href="index.html">Index </a>·
<a href="systemd.directives.html">Directives </a>·
<a href="../python-systemd/index.html">Python </a>·
<a href="../libudev/index.html">libudev </a>·
<a href="../libudev/index.html">gudev </a><span style="float:right">systemd 219</span><hr><div class="refentry"><a name="sysusers.d"></a><div class="titlepage"></div><div class="refnamediv"><h2>Name</h2><p>sysusers.d — Declarative allocation of system users and groups</p></div><div class="refsynopsisdiv"><h2>Synopsis</h2><p><code class="filename">/usr/lib/sysusers.d/*.conf</code></p></div><div class="refsect1"><a name="idm140640894650496"></a><h2 id="Description">Description<a class="headerlink" title="Permalink to this headline" href="#Description">¶</a></h2><p><span class="command"><strong>systemd-sysusers</strong></span> uses the files from
the <code class="filename">sysusers.d</code> directory to create system users
and groups at package installation or boot time. This tool may be
used to allocate system users and groups only; it is not useful
for creating non-system users and groups, as it accesses
<code class="filename">/etc/passwd</code> and
<code class="filename">/etc/group</code> directly, bypassing any more
complex user databases, for example any database involving NIS or
LDAP.</p></div><div class="refsect1"><a name="idm140640894646336"></a><h2 id="Configuration Format">Configuration Format<a class="headerlink" title="Permalink to this headline" href="#Configuration%20Format">¶</a></h2><p>Each configuration file shall be named in the style of
<code class="filename"><em class="replaceable"><code>package</code></em>.conf</code> or
<code class="filename"><em class="replaceable"><code>package</code></em>-<em class="replaceable"><code>part</code></em>.conf</code>.
The second variant should be used when it is desirable to make it
easy to override just this part of configuration.</p><p>The file format is one line per user or group containing
type, name, ID, GECOS field description and home directory:</p><pre class="programlisting">#Type Name  ID              GECOS                 Home directory
u     httpd 440             "HTTP User"
u     authd /usr/bin/authd  "Authorization user"
g     input -               -
m     authd input
u     root  0               "Superuser"           /root</pre><div class="refsect2"><a name="idm140640894570208"></a><h3 id="Type">Type<a class="headerlink" title="Permalink to this headline" href="#Type">¶</a></h3><p>The type consists of a single letter. The following line
types are understood:</p><div class="variablelist"><dl class="variablelist"><dt id="u"><span class="term"><code class="varname">u</code></span><a class="headerlink" title="Permalink to this term" href="#u">¶</a></dt><dd><p>Create a system user and group of the
specified name should they not exist yet. The user's primary
group will be set to the group bearing the same name. The
user's shell will be set to
<code class="filename">/sbin/nologin</code>, the home directory to
the specified home directory, or <code class="filename">/</code> if
none is given. The account will be created disabled, so that
logins are not allowed.</p></dd><dt id="g"><span class="term"><code class="varname">g</code></span><a class="headerlink" title="Permalink to this term" href="#g">¶</a></dt><dd><p>Create a system group of the specified name
should it not exist yet. Note that <code class="varname">u</code>
implicitly creates a matching group. The group will be
created with no password set.</p></dd><dt id="m"><span class="term"><code class="varname">m</code></span><a class="headerlink" title="Permalink to this term" href="#m">¶</a></dt><dd><p>Add a user to a group. If the user or group
do not exist yet, they will be implicitly
created.</p></dd><dt id="r"><span class="term"><code class="varname">r</code></span><a class="headerlink" title="Permalink to this term" href="#r">¶</a></dt><dd><p>Add a range of numeric UIDs/GIDs to the pool
to allocate new UIDs and GIDs from. If no line of this type
is specified, the range of UIDs/GIDs is set to some
compiled-in default. Note that both UIDs and GIDs are
allocated from the same pool, in order to ensure that users
and groups of the same name are likely to carry the same
numeric UID and GID.</p></dd></dl></div></div><div class="refsect2"><a name="idm140640894707600"></a><h3 id="Name">Name<a class="headerlink" title="Permalink to this headline" href="#Name">¶</a></h3><p>The name field specifies the user or group name. It should
be shorter than 31 characters and avoid any non-ASCII
characters, and not begin with a numeric character. It is
strongly recommended to pick user and group names that are
unlikely to clash with normal users created by the
administrator. A good scheme to guarantee this is to prefix
all system user and group names with an underscore and to avoid overly
generic names.</p><p>For <code class="varname">m</code> lines this field should contain
the user name to add to a group.</p><p>For lines of type <code class="varname">r</code> this field should
be set to "<code class="literal">-</code>".</p></div><div class="refsect2"><a name="idm140640894703632"></a><h3 id="ID">ID<a class="headerlink" title="Permalink to this headline" href="#ID">¶</a></h3><p>For <code class="varname">u</code> and <code class="varname">g</code> the
numeric 32-bit UID or GID of the user/group. Do not use IDs 65535
or 4294967295, as they have special placeholder meanings.
Specify "<code class="literal">-</code>" for automatic UID/GID allocation
for the user or group. Alternatively, specify an absolute path
in the file system. In this case the UID/GID is read from the
path's owner/group. This is useful to create users whose UID/GID
match the owners of pre-existing files (such as SUID or SGID
binaries).</p><p>For <code class="varname">m</code> lines this field should contain
the group name to add the user to.</p><p>For lines of type <code class="varname">r</code> this field should
be set to a UID/GID range in the format
"<code class="literal">FROM-TO</code>" where both values are formatted as
decimal ASCII numbers. Alternatively, a single UID/GID may be
specified formatted as decimal ASCII numbers.</p></div><div class="refsect2"><a name="idm140640894697968"></a><h3 id="GECOS">GECOS<a class="headerlink" title="Permalink to this headline" href="#GECOS">¶</a></h3><p>A short, descriptive string for users to be created,
enclosed in quotation marks. Note that this field may not
contain colons.</p><p>Only applies to lines of type <code class="varname">u</code> and
should otherwise be left unset, or be set to
"<code class="literal">-</code>".</p></div><div class="refsect2"><a name="idm140640894695152"></a><h3 id="Home Directory">Home Directory<a class="headerlink" title="Permalink to this headline" href="#Home%20Directory">¶</a></h3><p>The home directory for a new system user. If omitted, it
defaults to the root directory. It is recommended not to
specify home directories for system users unless
software strictly requires one to be set.</p><p>Only applies to lines of type <code class="varname">u</code> and
should otherwise be left unset, or be set to
"<code class="literal">-</code>".</p></div></div><div class="refsection"><a name="confd"></a><h2>Configuration Directories and Precedence</h2><p>Configuration files are read from directories in
<code class="filename">/etc/</code>, <code class="filename">/run/</code>, and
<code class="filename">/usr/lib/</code>, in order of precedence.
Each configuration file in these configuration directories shall be named in
the style of <code class="filename"><em class="replaceable"><code>filename</code></em>.conf</code>.
Files in <code class="filename">/etc/</code> override files with the same name in
<code class="filename">/run/</code> and <code class="filename">/usr/lib/</code>. Files in
<code class="filename">/run/</code> override files with the same name in
<code class="filename">/usr/lib/</code>.</p><p>Packages should install their configuration files in
<code class="filename">/usr/lib/</code>. Files in <code class="filename">/etc/</code> are
reserved for the local administrator, who may use this logic to override the
configuration files installed by vendor packages. All configuration files
are sorted by their filename in lexicographic order, regardless of which of
the directories they reside in. If multiple files specify the same option,
the entry in the file with the lexicographically latest name will take
precedence. It is recommended to prefix all filenames with a two-digit number
and a dash, to simplify the ordering of the files.</p><p>If the administrator wants to disable a configuration file supplied by
the vendor, the recommended way is to place a symlink to
<code class="filename">/dev/null</code> in the configuration directory in
<code class="filename">/etc/</code>, with the same filename as the vendor
configuration file.</p></div><div class="refsect1"><a name="idm140640894683952"></a><h2 id="Idempotence">Idempotence<a class="headerlink" title="Permalink to this headline" href="#Idempotence">¶</a></h2><p>Note that <span class="command"><strong>systemd-sysusers</strong></span> will do
nothing if the specified users or groups already exist, so
normally there is no reason to override
<code class="filename">sysusers.d</code> vendor configuration, except to
block certain users or groups from being created.</p></div><div class="refsect1"><a name="idm140640894681232"></a><h2 id="See Also">See Also<a class="headerlink" title="Permalink to this headline" href="#See%20Also">¶</a></h2><p>
<a href="systemd.html"><span class="citerefentry"><span class="refentrytitle">systemd</span>(1)</span></a>,
<a href="systemd-sysusers.html"><span class="citerefentry"><span class="refentrytitle">systemd-sysusers</span>(8)</span></a>
</p></div></div></body></html>
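The field rules given under Configuration Format (Type, Name, ID, GECOS, Home Directory) can be checked mechanically before a file is shipped. The linter below is an added example, not part of systemd or of this manual page; the function names and the constructed sample lines are assumptions, and it checks only the rules stated on this page.

```python
import re
import shlex

RESERVED_IDS = {65535, 4294967295}   # placeholder values the page says to avoid

def name_problems(name):
    checks = [(len(name) >= 31, "is not shorter than 31 characters"),
              (not name.isascii(), "contains non-ASCII characters"),
              (name[:1].isdigit(), "begins with a digit")]
    return [f"name {name!r} {msg}" for failed, msg in checks if failed]

def lint_line(line):
    """Return the problems found in one sysusers.d line (empty list = clean)."""
    try:
        fields = shlex.split(line, comments=True)   # quoted GECOS stays one field
    except ValueError as exc:                       # e.g. unbalanced quotation marks
        return [f"cannot parse line: {exc}"]
    if not fields:
        return []                                   # blank line or comment
    if not 2 <= len(fields) <= 5:
        return [f"expected 2 to 5 fields, got {len(fields)}"]
    kind, name, ident, gecos, home = (fields + ["-"] * 3)[:5]
    if kind not in ("u", "g", "m", "r"):
        return [f"unknown line type {kind!r}"]
    problems = []
    if kind == "r":
        if name != "-":
            problems.append("r lines must use '-' as the name")
        if not re.fullmatch(r"[0-9]+(-[0-9]+)?", ident):   # FROM-TO or a single ID
            problems.append(f"bad UID/GID range {ident!r}")
    elif kind == "m":
        problems += name_problems(name) + name_problems(ident)   # user, then group
    else:
        problems += name_problems(name)
        if re.fullmatch(r"[0-9]+", ident) and int(ident) in RESERVED_IDS:
            problems.append(f"ID {ident} is a reserved placeholder value")
        elif not re.fullmatch(r"[0-9]+|-|/.*", ident):
            problems.append(f"ID {ident!r} is not a number, '-' or an absolute path")
    if ":" in gecos:
        problems.append("GECOS field contains a colon")
    if kind != "u" and (gecos != "-" or home != "-"):
        problems.append("GECOS and home directory apply only to u lines")
    return problems

# Constructed sample; the first three lines are taken from the page's listing.
SAMPLE = ['u httpd 440 "HTTP User"', 'u authd /usr/bin/authd "Authorization user"',
          'g input - -', 'u _svc 65535 "Service: worker"', 'r users 500-999']

def lint(lines):
    return {n: p for n, line in enumerate(lines, 1) if (p := lint_line(line))}
```

`lint(SAMPLE)` reports only lines 4 and 5, the two constructed lines that break the ID, GECOS and range-name rules.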
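The rules under Configuration Directories and Precedence decide which file actually defines an account, which is what an audit needs to establish. The resolver below is an added example, not systemd's own code: it assumes the directories are `sysusers.d` subdirectories of `/etc`, `/run` and `/usr/lib`, and the function names and the temporary sample tree are constructed for illustration.

```python
import os
import tempfile

# Highest precedence first. The sysusers.d subdirectory under /etc and /run is assumed.
SEARCH_DIRS = ("etc/sysusers.d", "run/sysusers.d", "usr/lib/sysusers.d")

def effective_files(root="/"):
    """Return (files in read order, masked file names) for the tree under root."""
    chosen = {}
    for rel in SEARCH_DIRS:
        directory = os.path.join(root, rel)
        if os.path.isdir(directory):
            for name in os.listdir(directory):
                if name.endswith(".conf"):
                    # setdefault keeps the copy from the higher-precedence directory
                    chosen.setdefault(name, os.path.join(directory, name))
    active, masked = [], []
    for name in sorted(chosen):     # ordered by file name, whatever the directory
        if os.path.realpath(chosen[name]) == "/dev/null":
            masked.append(name)     # administrator disabled the vendor file
        else:
            active.append(chosen[name])
    return active, masked

def demo():
    """Build a constructed tree in a temporary directory and resolve it."""
    root = tempfile.mkdtemp()
    layout = {"usr/lib/sysusers.d": ["10-basic.conf", "50-httpd.conf", "60-authd.conf"],
              "run/sysusers.d": ["50-httpd.conf"],
              "etc/sysusers.d": ["20-local.conf"]}
    for rel, names in layout.items():
        os.makedirs(os.path.join(root, rel))
        for name in names:
            with open(os.path.join(root, rel, name), "w") as fh:
                fh.write("# constructed sample\n")
    os.symlink("/dev/null", os.path.join(root, "etc/sysusers.d/60-authd.conf"))
    active, masked = effective_files(root)
    return [os.path.relpath(p, root) for p in active], masked

if __name__ == "__main__":
    print(demo())
```

In the constructed tree the `/run` copy of `50-httpd.conf` replaces the vendor copy, and `60-authd.conf` is reported as masked because the `/etc` entry is a symlink to `/dev/null`.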