Declarative allocation of system users and groups
systemd-sysusers uses the files from sysusers.d directory to create system users and groups at package installation or boot time. This tool may be used to allocate system users and groups only, it is not useful for creating non-system users and groups, as it accesses /etc/passwd and /etc/group directly, bypassing any more complex user databases, for example any database involving NIS or LDAP.
Each configuration file shall be named in the style of package.conf or package-part.conf. The second variant should be used when it is desirable to make it easy to override just this part of configuration.
The file format is one line per user or group containing name, ID and GECOS field description:
# Type Name ID GECOS u httpd 440 "HTTP User" u authd /usr/bin/authd "Authorization user" g input - - m authd input
The type consists of a single letter. The following line types are understood:
Create a system user and group of the specified name should they not exist yet. The user's primary group will be set to the group bearing the same name. The user's shell will be set to /sbin/nologin, the home directory to /. The account will be created disabled, so that logins are not allowed.
Create a system group of the specified name should it not exist yet. Note that u implicitly create a matching group. The group will be created with no password set.
Add a user to a group. If the user or group are not existing yet, they will be implicitly created.
The name field specifies the user or group name. It should be be shorter than 31 characters and avoid any non-ASCII characters, and not begin with a numeric character. It is strongly recommended to pick user and group names that are unlikely to clash with normal users created by the administrator. A good scheme to guarantee this is by prefixing all system and group names with the underscore, and avoiding too generic names.
For m lines this field should contain the user name to add to a group.
For u and g the numeric 32bit UID or GID of the user/group. Do not use IDs 65535 or 4294967295, as they have special placeholder meanings. Specify "-" for automatic UID/GID allocation for the user or group. Alternatively, specify an absolute path in the file system. In this case the UID/GID is read from the path's owner/group. This is useful to create users whose UID/GID match the owners of pre-existing files (such as SUID or SGID binaries).
For m lines this field should contain the group name to add to a user to.
A short, descriptive string for users to be created, enclosed in quotation marks. Note that this field may not contain colons.
Only applies to lines of type u and should otherwise be left unset.
Note that systemd-sysusers will do nothing if the specified users or groups already exist, so normally there no reason to override sysusers.d vendor configuration, except to block certain users or groups from being created.
Files in /etc/sysusers.d override files with the same name in /usr/lib/sysusers.d and /run/sysusers.d. Files in /run/sysusers.d override files with the same name in /usr/lib/sysusers.d. The scheme is the same as for tmpfiles.d(5), except for the directory name.
If the administrator wants to disable a configuration file supplied by the vendor, the recommended way is to place a symlink to /dev/null in /etc/sysusers.d/ bearing the same filename.