mirror of
https://github.com/systemd/systemd.git
synced 2024-11-24 02:33:36 +08:00
239 lines
11 KiB
XML
239 lines
11 KiB
XML
<?xml version='1.0'?> <!--*-nxml-*-->
|
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
|
<!-- SPDX-License-Identifier: LGPL-2.1-or-later -->
|
|
|
|
<refentry id="systemd-sysusers"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude">
|
|
|
|
<refentryinfo>
|
|
<title>systemd-sysusers</title>
|
|
<productname>systemd</productname>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle>systemd-sysusers</refentrytitle>
|
|
<manvolnum>8</manvolnum>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname>systemd-sysusers</refname>
|
|
<refname>systemd-sysusers.service</refname>
|
|
<refpurpose>Allocate system users and groups</refpurpose>
|
|
</refnamediv>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>systemd-sysusers</command>
|
|
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
|
<arg choice="opt" rep="repeat"><replaceable>CONFIGFILE</replaceable></arg>
|
|
</cmdsynopsis>
|
|
|
|
<para><filename>systemd-sysusers.service</filename></para>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>Description</title>
|
|
|
|
<para><command>systemd-sysusers</command> creates system users and groups, based on files in the format
|
|
described in
|
|
<citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
|
</para>
|
|
|
|
<para>If invoked with no arguments, it applies all directives from all files found in the directories
|
|
specified by
|
|
<citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>. When
|
|
invoked with positional arguments, if option <option>--replace=<replaceable>PATH</replaceable></option>
|
|
is specified, arguments specified on the command line are used instead of the configuration file
|
|
<replaceable>PATH</replaceable>. Otherwise, just the configuration specified by the command line
|
|
arguments is executed. The string <literal>-</literal> may be specified instead of a filename to instruct
|
|
<command>systemd-sysusers</command> to read the configuration from standard input. If the argument is a
|
|
relative path, all configuration directories are searched for a matching file and the file found that has
|
|
the highest priority is executed. If the argument is an absolute path, that file is used directly without
|
|
searching of the configuration directories.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Options</title>
|
|
|
|
<para>The following options are understood:</para>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term><option>--root=<replaceable>root</replaceable></option></term>
|
|
<listitem><para>Takes a directory path as an argument. All
|
|
paths will be prefixed with the given alternate
|
|
<replaceable>root</replaceable> path, including config search
|
|
paths. </para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v215"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--image=<replaceable>image</replaceable></option></term>
|
|
|
|
<listitem><para>Takes a path to a disk image file or block device node. If specified all operations
|
|
are applied to file system in the indicated disk image. This is similar to <option>--root=</option>
|
|
but operates on file systems stored in disk images or block devices. The disk image should either
|
|
contain just a file system or a set of file systems within a GPT partition table, following the
|
|
<ulink url="https://uapi-group.org/specifications/specs/discoverable_partitions_specification">Discoverable Partitions
|
|
Specification</ulink>. For further information on supported disk images, see
|
|
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
|
switch of the same name.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v247"/></listitem>
|
|
</varlistentry>
|
|
|
|
<xi:include href="standard-options.xml" xpointer="image-policy-open" />
|
|
|
|
<varlistentry>
|
|
<term><option>--replace=<replaceable>PATH</replaceable></option></term>
|
|
<listitem><para>When this option is given, one or more positional arguments
|
|
must be specified. All configuration files found in the directories listed in
|
|
<citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
|
will be read, and the configuration given on the command line will be
|
|
handled instead of and with the same priority as the configuration file
|
|
<replaceable>PATH</replaceable>.</para>
|
|
|
|
<para>This option is intended to be used when package installation scripts
|
|
are running and files belonging to that package are not yet available on
|
|
disk, so their contents must be given on the command line, but the admin
|
|
configuration might already exist and should be given higher priority.
|
|
</para>
|
|
|
|
<example>
|
|
<title>RPM installation script for radvd</title>
|
|
|
|
<programlisting>echo 'u radvd - "radvd daemon"' | \
|
|
systemd-sysusers --replace=/usr/lib/sysusers.d/radvd.conf -</programlisting>
|
|
|
|
<para>This will create the radvd user as if
|
|
<filename>/usr/lib/sysusers.d/radvd.conf</filename> was already on disk.
|
|
An admin might override the configuration specified on the command line by
|
|
placing <filename>/etc/sysusers.d/radvd.conf</filename> or even
|
|
<filename>/etc/sysusers.d/00-overrides.conf</filename>.</para>
|
|
|
|
<para>Note that this is the expanded form, and when used in a package, this
|
|
would be written using a macro with "radvd" and a file containing the
|
|
configuration line as arguments.</para>
|
|
</example>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v238"/>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--dry-run</option></term>
|
|
<listitem><para>Process the configuration and figure out what entries would be created, but don't
|
|
actually write anything.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v250"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><option>--inline</option></term>
|
|
<listitem><para>Treat each positional argument as a separate configuration
|
|
line instead of a file name.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v238"/></listitem>
|
|
</varlistentry>
|
|
|
|
<xi:include href="standard-options.xml" xpointer="cat-config" />
|
|
<xi:include href="standard-options.xml" xpointer="tldr" />
|
|
<xi:include href="standard-options.xml" xpointer="no-pager" />
|
|
<xi:include href="standard-options.xml" xpointer="help" />
|
|
<xi:include href="standard-options.xml" xpointer="version" />
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Credentials</title>
|
|
|
|
<para><command>systemd-sysusers</command> supports the service credentials logic as implemented by
|
|
<varname>ImportCredential=</varname>/<varname>LoadCredential=</varname>/<varname>SetCredential=</varname>
|
|
(see <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
|
|
details). The following credentials are used when passed in:</para>
|
|
|
|
<variablelist class='system-credentials'>
|
|
<varlistentry>
|
|
<term><varname>passwd.hashed-password.<replaceable>user</replaceable></varname></term>
|
|
<listitem><para>A UNIX hashed password string to use for the specified user, when creating an entry
|
|
for it. This is particularly useful for the <literal>root</literal> user as it allows provisioning
|
|
the default root password to use via a unit file drop-in or from a container manager passing in this
|
|
credential. Note that setting this credential has no effect if the specified user account already
|
|
exists. This credential is hence primarily useful in first boot scenarios or systems that are fully
|
|
stateless and come up with an empty <filename>/etc/</filename> on every boot.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>passwd.plaintext-password.<replaceable>user</replaceable></varname></term>
|
|
|
|
<listitem><para>Similar to <literal>passwd.hashed-password.<replaceable>user</replaceable></literal>
|
|
but expect a literal, plaintext password, which is then automatically hashed before used for the user
|
|
account. If both the hashed and the plaintext credential are specified for the same user the
|
|
former takes precedence. It's generally recommended to specify the hashed version; however in test
|
|
environments with weaker requirements on security it might be easier to pass passwords in plaintext
|
|
instead.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>passwd.shell.<replaceable>user</replaceable></varname></term>
|
|
|
|
<listitem><para>Specifies the shell binary to use for the specified account when creating it.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v249"/></listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term><varname>sysusers.extra</varname></term>
|
|
|
|
<listitem><para>The contents of this credential may contain additional lines to operate on. The
|
|
credential contents should follow the same format as any other <filename>sysusers.d/</filename>
|
|
drop-in. If this credential is passed it is processed after all of the drop-in files read from the
|
|
file system.</para>
|
|
|
|
<xi:include href="version-info.xml" xpointer="v252"/></listitem>
|
|
</varlistentry>
|
|
</variablelist>
|
|
|
|
<para>Note that by default the <filename>systemd-sysusers.service</filename> unit file is set up to
|
|
inherit the <literal>passwd.hashed-password.root</literal>,
|
|
<literal>passwd.plaintext-password.root</literal>, <literal>passwd.shell.root</literal> and
|
|
<literal>sysusers.extra</literal> credentials from the service manager. Thus, when invoking a container
|
|
with an unpopulated <filename>/etc/</filename> for the first time it is possible to configure the root
|
|
user's password to be <literal>systemd</literal> like this:</para>
|
|
|
|
<para><programlisting># systemd-nspawn --image=… --set-credential=passwd.hashed-password.root:'$y$j9T$yAuRJu1o5HioZAGDYPU5d.$F64ni6J2y2nNQve90M/p0ZP0ECP/qqzipNyaY9fjGpC' …</programlisting></para>
|
|
|
|
<para>Note again that the data specified in this credential is consulted only when creating an account
|
|
for the first time, it may not be used for changing the password or shell of an account that already
|
|
exists.</para>
|
|
|
|
<para>Use <citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
for generating UNIX password hashes from the command line.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>Exit status</title>
|
|
|
|
<para>On success, 0 is returned, a non-zero failure code
|
|
otherwise.</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>See Also</title>
|
|
<para>
|
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
<citerefentry><refentrytitle>sysusers.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
|
<ulink url="https://systemd.io/UIDS-GIDS">Users, Groups, UIDs and GIDs on systemd systems</ulink>,
|
|
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
|
<citerefentry project='man-pages'><refentrytitle>mkpasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
|
</para>
|
|
</refsect1>
|
|
|
|
</refentry>
|