Diffstat (limited to 'man/systemd-sysusers.xml')
-rw-r--r-- man/systemd-sysusers.xml 238
1 files changed, 238 insertions, 0 deletions
diff --git a/man/systemd-sysusers.xml b/man/systemd-sysusers.xml
new file mode 100644
index 0000000..88645aa
--- /dev/null
+++ b/man/systemd-sysusers.xml
@@ -0,0 +1,238 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
+
+<refentry id="systemd-sysusers"
+ xmlns:xi="http://www.w3.org/2001/XInclude">
+
+ <refentryinfo>
+ <title>systemd-sysusers</title>
+ <productname>systemd</productname>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>systemd-sysusers</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>systemd-sysusers</refname>
+ <refname>systemd-sysusers.service</refname>
+ <refpurpose>Allocate system users and groups</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>systemd-sysusers</command>
+ <arg choice="opt" rep="repeat">OPTIONS</arg>
+ <arg choice="opt" rep="repeat"><replaceable>CONFIGFILE</replaceable></arg>
+ </cmdsynopsis>
+
+ <para><filename>systemd-sysusers.service</filename></para>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><command>systemd-sysusers</command> creates system users and groups, based on files in the format
+ described in
+ <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+
+ <para>If invoked with no arguments, it applies all directives from all files found in the directories
+ specified by
+ <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. When
+ invoked with positional arguments, if option <option>--replace=<replaceable>PATH</replaceable></option>
+ is specified, arguments specified on the command line are used instead of the configuration file
+ <replaceable>PATH</replaceable>. Otherwise, just the configuration specified by the command line
+ arguments is executed. The string <literal>-</literal> may be specified instead of a filename to instruct
+ <command>systemd-sysusers</command> to read the configuration from standard input. If the argument is a
+ relative path, all configuration directories are searched for a matching file and the file found that has
+ the highest priority is executed. If the argument is an absolute path, that file is used directly without
+ searching of the configuration directories.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Options</title>
+
+ <para>The following options are understood:</para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>--root=<replaceable>root</replaceable></option></term>
+ <listitem><para>Takes a directory path as an argument. All
+ paths will be prefixed with the given alternate
+ <replaceable>root</replaceable> path, including config search
+ paths. </para>
+
+ <xi:include href="version-info.xml" xpointer="v215"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--image=<replaceable>image</replaceable></option></term>
+
+ <listitem><para>Takes a path to a disk image file or block device node. If specified all operations
+ are applied to file system in the indicated disk image. This is similar to <option>--root=</option>
+ but operates on file systems stored in disk images or block devices. The disk image should either
+ contain just a file system or a set of file systems within a GPT partition table, following the
+ <ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
+ Specification</ulink>. For further information on supported disk images, see
+ <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
+ switch of the same name.</para>
+
+ <xi:include href="version-info.xml" xpointer="v247"/></listitem>
+ </varlistentry>
+
+ <xi:include href="standard-options.xml" xpointer="image-policy-open" />
+
+ <varlistentry>
+ <term><option>--replace=<replaceable>PATH</replaceable></option></term>
+ <listitem><para>When this option is given, one or more positional arguments
+ must be specified. All configuration files found in the directories listed in
+ <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ will be read, and the configuration given on the command line will be
+ handled instead of and with the same priority as the configuration file
+ <replaceable>PATH</replaceable>.</para>
+
+ <para>This option is intended to be used when package installation scripts
+ are running and files belonging to that package are not yet available on
+ disk, so their contents must be given on the command line, but the admin
+ configuration might already exist and should be given higher priority.
+ </para>
+
+ <example>
+ <title>RPM installation script for radvd</title>
+
+ <programlisting>echo 'u radvd - "radvd daemon"' | \
+ systemd-sysusers --replace=/usr/lib/sysusers.d/radvd.conf -</programlisting>
+
+ <para>This will create the radvd user as if
+ <filename>/usr/lib/sysusers.d/radvd.conf</filename> was already on disk.
+ An admin might override the configuration specified on the command line by
+ placing <filename>/etc/sysusers.d/radvd.conf</filename> or even
+ <filename>/etc/sysusers.d/00-overrides.conf</filename>.</para>
+
+ <para>Note that this is the expanded form, and when used in a package, this
+ would be written using a macro with "radvd" and a file containing the
+ configuration line as arguments.</para>
+ </example>
+
+ <xi:include href="version-info.xml" xpointer="v238"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--dry-run</option></term>
+ <listitem><para>Process the configuration and figure out what entries would be created, but don't
+ actually write anything.</para>
+
+ <xi:include href="version-info.xml" xpointer="v250"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--inline</option></term>
+ <listitem><para>Treat each positional argument as a separate configuration
+ line instead of a file name.</para>
+
+ <xi:include href="version-info.xml" xpointer="v238"/></listitem>
+ </varlistentry>
+
+ <xi:include href="standard-options.xml" xpointer="cat-config" />
+ <xi:include href="standard-options.xml" xpointer="tldr" />
+ <xi:include href="standard-options.xml" xpointer="no-pager" />
+ <xi:include href="standard-options.xml" xpointer="help" />
+ <xi:include href="standard-options.xml" xpointer="version" />
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>Credentials</title>
+
+ <para><command>systemd-sysusers</command> supports the service credentials logic as implemented by
+ <varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
+ (see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
+ details). The following credentials are used when passed in:</para>
+
+ <variablelist class='system-credentials'>
+ <varlistentry>
+ <term><varname>passwd.hashed-password.<replaceable>user</replaceable></varname></term>
+ <listitem><para>A UNIX hashed password string to use for the specified user, when creating an entry
+ for it. This is particularly useful for the <literal>root</literal> user as it allows provisioning
+ the default root password to use via a unit file drop-in or from a container manager passing in this
+ credential. Note that setting this credential has no effect if the specified user account already
+ exists. This credential is hence primarily useful in first boot scenarios or systems that are fully
+ stateless and come up with an empty <filename>/etc/</filename> on every boot.</para>
+
+ <xi:include href="version-info.xml" xpointer="v249"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>passwd.plaintext-password.<replaceable>user</replaceable></varname></term>
+
+ <listitem><para>Similar to <literal>passwd.hashed-password.<replaceable>user</replaceable></literal>
+ but expect a literal, plaintext password, which is then automatically hashed before used for the user
+ account. If both the hashed and the plaintext credential are specified for the same user the
+ former takes precedence. It's generally recommended to specify the hashed version; however in test
+ environments with weaker requirements on security it might be easier to pass passwords in plaintext
+ instead.</para>
+
+ <xi:include href="version-info.xml" xpointer="v249"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>passwd.shell.<replaceable>user</replaceable></varname></term>
+
+ <listitem><para>Specifies the shell binary to use for the specified account when creating it.</para>
+
+ <xi:include href="version-info.xml" xpointer="v249"/></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>sysusers.extra</varname></term>
+
+ <listitem><para>The contents of this credential may contain additional lines to operate on. The
+ credential contents should follow the same format as any other <filename>sysusers.d/</filename>
+ drop-in. If this credential is passed it is processed after all of the drop-in files read from the
+ file system.</para>
+
+ <xi:include href="version-info.xml" xpointer="v252"/></listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>Note that by default the <filename>systemd-sysusers.service</filename> unit file is set up to
+ inherit the <literal>passwd.hashed-password.root</literal>,
+ <literal>passwd.plaintext-password.root</literal>, <literal>passwd.shell.root</literal> and
+ <literal>sysusers.extra</literal> credentials from the service manager. Thus, when invoking a container
+ with an unpopulated <filename>/etc/</filename> for the first time it is possible to configure the root
+ user's password to be <literal>systemd</literal> like this:</para>
+
+ <para><programlisting># systemd-nspawn --image=… --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' …</programlisting></para>
+
+ <para>Note again that the data specified in this credential is consulted only when creating an account
+ for the first time, it may not be used for changing the password or shell of an account that already
+ exists.</para>
+
+ <para>Use <citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ for generating UNIX password hashes from the command line.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Exit status</title>
+
+ <para>On success, 0 is returned, a non-zero failure code
+ otherwise.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <ulink url="https://systemd.io/UIDS-GIDS">Users, Groups, UIDs and GIDs on systemd systems</ulink>,
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>
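Review bot: Both citations of systemd.exec (the "see ... for details" reference in the Credentials section and the entry in See Also) use <manvolnum>1</manvolnum>, but systemd.exec is a section 5 page, so the rendered cross-references will name the wrong section; change both to 5. Also in the Credentials section, the systemd-nspawn example passes the root password hash inline with --set-credential=, which leaves it in the process command line and in shell history; consider adding a sentence that points to --load-credential= with a root-only file for anything beyond test setups, ideally next to the passwd.plaintext-password entry where the weaker-security case is already discussed. Minor: the DOCTYPE public identifier says DocBook XML V4.5 while the system identifier points at the 4.2 DTD, and in the passwd.plaintext-password entry "but expect a literal" and "hashed before used" should read "but expects a literal" and "hashed before being used".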