diff options
Diffstat (limited to 'man/userdbctl.xml')
-rw-r--r-- | man/userdbctl.xml | 346 |
1 files changed, 346 insertions, 0 deletions
diff --git a/man/userdbctl.xml b/man/userdbctl.xml new file mode 100644 index 0000000..fbab810 --- /dev/null +++ b/man/userdbctl.xml @@ -0,0 +1,346 @@ +<?xml version='1.0'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> +<!-- SPDX-License-Identifier: LGPL-2.1-or-later --> + +<refentry id="userdbctl" conditional='ENABLE_USERDB' + xmlns:xi="http://www.w3.org/2001/XInclude"> + + <refentryinfo> + <title>userdbctl</title> + <productname>systemd</productname> + </refentryinfo> + + <refmeta> + <refentrytitle>userdbctl</refentrytitle> + <manvolnum>1</manvolnum> + </refmeta> + + <refnamediv> + <refname>userdbctl</refname> + <refpurpose>Inspect users, groups and group memberships</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis> + <command>userdbctl</command> + <arg choice="opt" rep="repeat">OPTIONS</arg> + <arg choice="req">COMMAND</arg> + <arg choice="opt" rep="repeat">NAME</arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1> + <title>Description</title> + + <para><command>userdbctl</command> may be used to inspect user and groups (as well as group memberships) + of the system. This client utility inquires user/group information provided by various system services, + both operating on JSON user/group records (as defined by the <ulink + url="https://systemd.io/USER_RECORD">JSON User Records</ulink> and <ulink + url="https://systemd.io/GROUP_RECORD">JSON Group Records</ulink> definitions), and classic UNIX NSS/glibc + user and group records. This tool is primarily a client to the <ulink + url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via Varlink</ulink>, and may also + pick up drop-in JSON user and group records from <filename>/etc/userdb/</filename>, + <filename>/run/userdb/</filename>, <filename>/run/host/userdb/</filename>, + <filename>/usr/lib/userdb/</filename>.</para> + </refsect1> + + <refsect1> + <title>Options</title> + + <para>The following options are understood:</para> + + <variablelist> + + <varlistentry> + <term><option>--output=</option><replaceable>MODE</replaceable></term> + + <listitem><para>Choose the output mode, takes one of <literal>classic</literal>, + <literal>friendly</literal>, <literal>table</literal>, <literal>json</literal>. If + <literal>classic</literal>, an output very close to the format of <filename>/etc/passwd</filename> or + <filename>/etc/group</filename> is generated. If <literal>friendly</literal> a more comprehensive and + user friendly, human readable output is generated; if <literal>table</literal> a minimal, tabular + output is generated; if <literal>json</literal> a JSON formatted output is generated. Defaults to + <literal>friendly</literal> if a user/group is specified on the command line, + <literal>table</literal> otherwise.</para> + + <para>Note that most output formats do not show all available information. In particular, + <literal>classic</literal> and <literal>table</literal> show only the most important fields. Various + modes also do not show password hashes. Use <literal>json</literal> to view all fields, including + any authentication fields.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><option>--json=</option><replaceable>FORMAT</replaceable></term> + + <listitem><para>Selects JSON output mode (like <option>--output=json</option>) and selects the + precise display mode. Takes one of <literal>pretty</literal> or <literal>short</literal>. If + <literal>pretty</literal>, human-friendly whitespace and newlines are inserted in the output to make + the JSON data more readable. If <literal>short</literal>, all superfluous whitespace is + suppressed.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--service=</option><replaceable>SERVICE</replaceable><optional>:<replaceable>SERVICE…</replaceable></optional></term> + <term><option>-s</option> <replaceable>SERVICE</replaceable>:<replaceable>SERVICE…</replaceable></term> + + <listitem><para>Controls which services to query for users/groups. Takes a list of one or more + service names, separated by <literal>:</literal>. See below for a list of well-known service + names. If not specified all available services are queried at once.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--with-nss=</option><replaceable>BOOL</replaceable></term> + + <listitem><para>Controls whether to include classic glibc/NSS user/group lookups in the output. If + <option>--with-nss=no</option> is used any attempts to resolve or enumerate users/groups provided + only via glibc NSS is suppressed. If <option>--with-nss=yes</option> is specified such users/groups + are included in the output (which is the default).</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--with-varlink=</option><replaceable>BOOL</replaceable></term> + + <listitem><para>Controls whether to include Varlink user/group lookups in the output, i.e. those done + via the <ulink url="https://systemd.io/USER_GROUP_API">User/Group Record Lookup API via + Varlink</ulink>. If <option>--with-varlink=no</option> is used any attempts to resolve or enumerate + users/groups provided only via Varlink are suppressed. If <option>--with-varlink=yes</option> is + specified such users/groups are included in the output (which is the default).</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--with-dropin=</option><replaceable>BOOL</replaceable></term> + + <listitem><para>Controls whether to include user/group lookups in the output that are defined using + drop-in files in <filename>/etc/userdb/</filename>, <filename>/run/userdb/</filename>, + <filename>/run/host/userdb/</filename>, <filename>/usr/lib/userdb/</filename>. If + <option>--with-dropin=no</option> is used these records are suppressed. If + <option>--with-dropin=yes</option> is specified such users/groups are included in the output (which + is the default).</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--synthesize=</option><replaceable>BOOL</replaceable></term> + + <listitem><para>Controls whether to synthesize records for the root and nobody users/groups if they + aren't defined otherwise. By default (or <literal>yes</literal>) such records are implicitly + synthesized if otherwise missing since they have special significance to the OS. When + <literal>no</literal> this synthesizing is turned off.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>-N</option></term> + + <listitem><para>This option is short for <option>--with-nss=no</option> + <option>--synthesize=no</option>. Use this option to show only records that are natively defined as + JSON user or group records, with all NSS/glibc compatibility and all implicit synthesis turned + off.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--multiplexer=</option><replaceable>BOOL</replaceable></term> + + <listitem><para>Controls whether to do lookups via the multiplexer service (if specified as true, the + default) or do lookups in the client (if specified as false). Using the multiplexer service is + typically preferable, since it runs in a locked down sandbox.</para></listitem> + </varlistentry> + + <varlistentry> + <term><option>--chain</option></term> + + <listitem><para>When used with the <command>ssh-authorized-keys</command> command, this will allow + passing an additional command line after the user name that is chain executed after the lookup + completed. This allows chaining multiple tools that show SSH authorized keys.</para></listitem> + </varlistentry> + + <xi:include href="standard-options.xml" xpointer="no-pager" /> + <xi:include href="standard-options.xml" xpointer="no-legend" /> + <xi:include href="standard-options.xml" xpointer="help" /> + <xi:include href="standard-options.xml" xpointer="version" /> + </variablelist> + </refsect1> + + <refsect1> + <title>Commands</title> + + <para>The following commands are understood:</para> + + <variablelist> + + <varlistentry> + <term><command>user</command> <optional><replaceable>USER</replaceable>…</optional></term> + + <listitem><para>List all known users records or show details of one or more specified user + records. Use <option>--output=</option> to tweak output mode.</para></listitem> + </varlistentry> + + <varlistentry> + <term><command>group</command> <optional><replaceable>GROUP</replaceable>…</optional></term> + + <listitem><para>List all known group records or show details of one or more specified group + records. Use <option>--output=</option> to tweak output mode.</para></listitem> + </varlistentry> + + <varlistentry> + <term><command>users-in-group</command> <optional><replaceable>GROUP</replaceable>…</optional></term> + + <listitem><para>List users that are members of the specified groups. If no groups are specified list + all user/group memberships defined. Use <option>--output=</option> to tweak output + mode.</para></listitem> + </varlistentry> + + <varlistentry> + <term><command>groups-of-user</command> <optional><replaceable>USER</replaceable>…</optional></term> + + <listitem><para>List groups that the specified users are members of. If no users are specified list + all user/group memberships defined (in this case <command>groups-of-user</command> and + <command>users-in-group</command> are equivalent). Use <option>--output=</option> to tweak output + mode.</para></listitem> + </varlistentry> + + <varlistentry> + <term><command>services</command></term> + + <listitem><para>List all services currently providing user/group definitions to the system. See below + for a list of well-known services providing user information.</para></listitem> + </varlistentry> + + <varlistentry> + <term><command>ssh-authorized-keys</command></term> + + <listitem><para>Show SSH authorized keys for this account. This command is intended to be used to + allow the SSH daemon to pick up authorized keys from user records, see below.</para></listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1> + <title>Well-Known Services</title> + + <para>The <command>userdbctl services</command> command will list all currently running services that + provide user or group definitions to the system. The following well-known services are shown among + this list:</para> + + <variablelist> + <varlistentry> + <term><constant>io.systemd.DynamicUser</constant></term> + + <listitem><para>This service is provided by the system service manager itself (i.e. PID 1) and + makes all users (and their groups) synthesized through the <varname>DynamicUser=</varname> setting in + service unit files available to the system (see + <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry> for + details about this setting).</para></listitem> + </varlistentry> + + <varlistentry> + <term><constant>io.systemd.Home</constant></term> + + <listitem><para>This service is provided by + <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + and makes all users (and their groups) belonging to home directories managed by that service + available to the system.</para></listitem> + </varlistentry> + + <varlistentry> + <term><constant>io.systemd.Machine</constant></term> + + <listitem><para>This service is provided by + <citerefentry><refentrytitle>systemd-machined.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + and synthesizes records for all users/groups used by a container that employs user + namespacing.</para></listitem> + </varlistentry> + + <varlistentry> + <term><constant>io.systemd.Multiplexer</constant></term> + + <listitem><para>This service is provided by + <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + and multiplexes user/group look-ups to all other running lookup services. This is the primary entry point + for user/group record clients, as it simplifies client side implementation substantially since they + can ask a single service for lookups instead of asking all running services in parallel. + <command>userdbctl</command> uses this service preferably, too, unless <option>--with-nss=</option> + or <option>--service=</option> are used, in which case finer control over the services to talk to is + required.</para></listitem> + </varlistentry> + + <varlistentry> + <term><constant>io.systemd.NameServiceSwitch</constant></term> + + <listitem><para>This service is (also) provided by + <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + and converts classic NSS/glibc user and group records to JSON user/group records, providing full + backwards compatibility. Use <option>--with-nss=no</option> to disable this compatibility, see + above. Note that compatibility is actually provided in both directions: + <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry> will + automatically synthesize classic NSS/glibc user/group records from all JSON user/group records + provided to the system, thus using both APIs is mostly equivalent and provides access to the same + data, however the NSS/glibc APIs necessarily expose a more reduced set of fields + only.</para></listitem> + </varlistentry> + + <varlistentry> + <term><constant>io.systemd.DropIn</constant></term> + + <listitem><para>This service is (also) provided by + <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry> + and picks up JSON user/group records from <filename>/etc/userdb/</filename>, + <filename>/run/userdb/</filename>, <filename>/run/host/userdb/</filename>, + <filename>/usr/lib/userdb/</filename>.</para></listitem> + </varlistentry> + + </variablelist> + + <para>Note that <command>userdbctl</command> has internal support for NSS-based lookups too. This means + that if neither <constant>io.systemd.Multiplexer</constant> nor + <constant>io.systemd.NameServiceSwitch</constant> are running look-ups into the basic user/group + databases will still work.</para> + </refsect1> + + <refsect1> + <title>Integration with SSH</title> + + <para>The <command>userdbctl</command> tool may be used to make the list of SSH authorized keys possibly + contained in a user record available to the SSH daemon for authentication. For that configure the + following in <citerefentry + project='die-net'><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry>:</para> + + <programlisting>… +AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u +AuthorizedKeysCommandUser root +…</programlisting> + + <para>Sometimes it's useful to allow chain invocation of another program to list SSH authorized keys. By + using the <option>--chain</option> such a tool may be chain executed by <command>userdbctl + ssh-authorized-keys</command> once a lookup completes (regardless if an SSH key was found or + not). Example:</para> + + <programlisting>… +AuthorizedKeysCommand /usr/bin/userdbctl ssh-authorized-keys %u --chain /usr/bin/othertool %u +AuthorizedKeysCommandUser root +…</programlisting> + + <para>The above will first query the userdb database for SSH keys, and then chain execute + <command>/usr/bin/othertool</command> to also be queried.</para> + </refsect1> + + <refsect1> + <title>Exit status</title> + + <para>On success, 0 is returned, a non-zero failure code otherwise.</para> + </refsect1> + + <xi:include href="common-variables.xml" /> + + <refsect1> + <title>See Also</title> + <para> + <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd-userdbd.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>systemd-homed.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry><refentrytitle>nss-systemd</refentrytitle><manvolnum>8</manvolnum></citerefentry>, + <citerefentry project='man-pages'><refentrytitle>getent</refentrytitle><manvolnum>1</manvolnum></citerefentry> + </para> + </refsect1> + +</refentry> |