|
NAME | SYNOPSIS | DESCRIPTION | OPTIONS | USER RECORD PROPERTIES | COMMANDS | EXIT STATUS | ENVIRONMENT | EXAMPLES | SEE ALSO | NOTES | COLOPHON |
HOMECTL(1) homectl HOMECTL(1)
homectl - Create, remove, change or inspect home directories
homectl [OPTIONS...] {COMMAND} [NAME...]
homectl may be used to create, remove, change or inspect a user's
home directory. It's primarily a command interfacing with
systemd-homed.service(8) which manages home directories of users.
Home directories managed by systemd-homed.service are self-contained,
and thus include the user's full metadata record in the home's data
storage itself, making them easy to migrate between machines. In
particular, a home directory describes a matching user record, and
every user record managed by systemd-homed.service also implies
existence and encapsulation of a home directory. The user account and
home directory become the same concept.
The following backing storage mechanisms are supported:
· An individual LUKS2 encrypted loopback file for a user, stored in
/home/*.home. At login the file system contained in this files is
mounted, after the LUKS2 encrypted volume has been attached. The
user's password is identical to the encryption passphrase of the
LUKS2 volume. Access to data without preceding user
authentication is thus not possible, even for the system
administrator. This storage mechanism provides the strongest data
security and is thus recommended.
· Similar, but the LUKS2 encrypted file system is located on
regular block device, such as an USB storage stick. In this mode
home directories and all data they include are nicely migratable
between machines, simply by plugging the USB stick into different
systems at different times.
· An encrypted directory using "fscrypt" on file systems that
support it (at the moment this is primarily "ext4"), located in
/home/*.homedir. This mechanism also provides encryption, but
substantially weaker than LUKS2, as most file system metadata is
unprotected. Moreover it currently does not support changing user
passwords once the home directory has been created.
· A "btrfs" subvolume for each user, also located in
/home/*.homedir. This provides no encryption, but good quota
support.
· A regular directory for each user, also located in
/home/*.homedir. This provides no encryption, but is a suitable
fallback available on all machines, even where LUKS2, "fscrypt"
or "btrfs" support is not available.
· An individual Windows file share (CIFS) for each user.
Note that systemd-homed.service and homectl will not manage "classic"
UNIX user accounts as created with useradd(8) or similar tools. In
particular, this functionality is not suitable for managing system
users (i.e. users with a UID below 1000) but is exclusive to regular
("human") users.
Note that users/home directories managed via systemd-homed.service do
not show up in /etc/passwd and similar files, they are synthesized
via glibc NSS during runtime. They are thus resolvable and may be
enumerated via the getent(1) tool.
This tool interfaces directly with systemd-homed.service, and may
execute specific commands on the home directories it manages. Since
every home directory managed that way also defines a JSON user and
group record these home directories may also be inspected and
enumerated via userdbctl(1).
Home directories managed by systemd-homed.service are usually in one
of two states, or in a transition state between them: when "active"
they are unlocked and mounted, and thus accessible to the system and
its programs; when "inactive" they are not mounted and thus not
accessible. Activation happens automatically at login of the user and
usually can only complete after a password (or other authentication
token) has been supplied. Deactivation happens after the user fully
logged out. A home directory remains active as long as the user is
logged in at least once, i.e. has at least one login session. When
the user logs in a second time simultaneously the home directory
remains active. It is deactivated only after the last of the user's
sessions ends.
The following general options are understood (further options that
control the various properties of user records managed by
systemd-homed.service are documented further down):
--identity=FILE
Read the user's JSON record from the specified file. If passed as
"-" read the user record from standard input. The supplied JSON
object must follow the structure documented on JSON User
Records[1]. This option may be used in conjunction with the
create and update commands (see below), where it allows
configuring the user record in JSON as-is, instead of setting the
individual user record properties (see below).
--json=FORMAT, -J
Controls whether to output the user record in JSON format, if the
inspect command (see below) is used. Takes one of "pretty",
"short" or "off". If "pretty" human-friendly whitespace and
newlines are inserted in the output to make the JSON data more
readable. If "short" all superfluous whitespace is suppressed. If
"off" (the default) the user information is not shown in JSON
format but in a friendly human readable formatting instead. The
-J option picks "pretty" when run interactively and "short"
otherwise.
--export-format=FORMAT, -E, -EE
When used with the inspect verb in JSON mode (see above) may be
used to suppress certain aspects of the JSON user record on
output. Specifically, if "stripped" format is used the binding
and runtime fields of the record are removed. If "minimal" format
is used the cryptographic signature is removed too. If "full"
format is used the full JSON record is shown (this is the
default). This option is useful for copying an existing user
record to a different system in order to create a similar user
there with the same settings. Specifically: homectl inspect -EE |
ssh root@othersystem homectl create -i- may be used as simple
command line for replicating a user on another host. -E is
equivalent to -j --export-format=stripped, -EE to -j
--export-format=minimal. Note that when replicating user accounts
user records acquired in "stripped" mode will retain the original
cryptographic signatures and thus may only be modified when the
private key to update them is available on the destination
machine. When replicating users in "minimal" mode, the signature
is removed during the replication and thus the record will be
implicitly signed with the key of the destination machine and may
be updated there without any private key replication.
-H, --host=
Execute the operation remotely. Specify a hostname, or a username
and hostname separated by "@", to connect to. The hostname may
optionally be suffixed by a port ssh is listening on, separated
by ":", and then a container name, separated by "/", which
connects directly to a specific container on the specified host.
This will use SSH to talk to the remote machine manager instance.
Container names may be enumerated with machinectl -H HOST. Put
IPv6 addresses in brackets.
-M, --machine=
Execute operation on a local container. Specify a container name
to connect to.
--no-pager
Do not pipe output into a pager.
--no-legend
Do not print the legend, i.e. column headers and the footer with
hints.
--no-ask-password
Do not query the user for authentication for privileged
operations.
-h, --help
Print a short help text and exit.
--version
Print a short version string and exit.
The following options control various properties of the user
records/home directories that systemd-homed.service manages. These
switches may be used in conjunction with the create and update
commands for configuring various aspects of the home directory and
the user account:
--real-name=NAME, -c NAME
The real name for the user. This corresponds with the GECOS field
on classic UNIX NSS records.
--realm=REALM
The realm for the user. The realm associates a user with a
specific organization or installation, and allows distuingishing
users of the same name defined in different contexts. The realm
can be any string that also qualifies as valid DNS domain name,
and it is recommended to use the organization's or installation's
domain name for this purpose, but this is not enforced nor
required. On each system only a single user of the same name may
exist, and if a user with the same name and realm is seen it is
assumed to refer to the same user while a user with the same name
but different realm is considered a different user. Note that
this means that two users sharing the same name but with distinct
realms are not allowed on the same system. Assigning a realm to a
user is optional.
--email-address=EMAIL
Takes an electronic mail address to associate with the user. On
log-in the $EMAIL environment variable is initialized from this
value.
--location=TEXT
Takes location specification for this user. This is free-form
text, which might or might not be usable by geo-location
applications. Example: --location="Berlin, Germany" or
--location="Basement, Room 3a"
--icon-name=ICON
Takes an icon name to associate with the user, following the
scheme defined by the Icon Naming Specification[2].
--home-dir=PATH, -dPATH
Takes a path to use as home directory for the user. Note that
this is the directory the user's home directory is mounted to
while the user is logged in. This is not where the user's data is
actually stored, see --image-path= for that. If not specified
defaults to /home/$USER.
--uid=UID
Takes a preferred numeric UNIX UID to assign this user. If a user
is to be created with the specified UID and it is already taken
by a different user on the local system then creation of the home
directory is refused. Note though, if after creating the home
directory it is used on a different system and the configured UID
is taken by another user there, then systemd-homed may assign the
user a different UID on that system. The specified UID must be
outside of the system user range. It is recommended to use the
60001...60513 UID range for this purpose. If not specified, the
UID is automatically picked. If the home directory is found to be
owned by a different UID when logging in, the home directory and
everything underneath it will have its ownership changed
automatically before login completes.
Note that users managed by systemd-homed always have a matching
group associated with the same name as well as a GID matching the
UID of the user. Thus, configuring the GID separately is not
permitted.
--member-of=GROUP, -G GROUP
Takes a comma-separated list of auxiliary UNIX groups this user
shall belong to. Example: --member-of=wheel to provide the user
with administrator privileges. Note that systemd-homed does not
manage any groups besides a group matching the user in name and
numeric UID/GID. Thus any groups listed here must be registered
independently, for example with groupadd(8). Any non-existent
groups are ignored. This option may be used more than once, in
which case all specified group lists are combined. If the user is
currently a member of a group which is not listed, the user will
be removed from the group.
--skel=PATH
Takes a file system path to a directory. Specifies the skeleton
directory to initialize the home directory with. All files and
directories in the specified path are copied into any newly
create home directory. If not specified defaults to /etc/skel/.
--shell=SHELL
Takes a file system path. Specifies the shell binary to execute
on terminal logins. If not specified defaults to /bin/bash.
--setenv=VARIABLE=VALUE
Takes an environment variable assignment to set for all user
processes. Note that a number of other settings also result in
environment variables to be set for the user, including --email=,
--timezone= and --language=. May be used multiple times to set
multiple environment variables.
--timezone=TIMEZONE
Takes a timezone specification as string that sets the timezone
for the specified user. Expects a `tzdata` location string. When
the user logs in the $TZ environment variable is initialized from
this setting. Example: --timezone=Europe/Amsterdam will result in
the environment variable "TZ=:Europe/Amsterdam".
--language=LANG
Takes a specifier indicating the preferred language of the user.
The $LANG environment variable is initialized from this value on
login, and thus a value suitable for this environment variable is
accepted here, for example --language=de_DE.UTF8.
--ssh-authorized-keys=KEYS
Either takes a SSH authorized key line to associate with the user
record or a "@" character followed by a path to a file to read
one or more such lines from. SSH keys configured this way are
made available to SSH to permit access to this home directory and
user record. This option may be used more than once to configure
multiple SSH keys.
--pkcs11-token-uri=URI
Takes an RFC 7512 PKCS#11 URI referencing a security token (e.g.
YubiKey or PIV smartcard) that shall be able to unlock the user
account. The security token URI should reference a security token
with exactly one pair of X.509 certificate and private key. A
random secret key is then generated, encrypted with the public
key of the X.509 certificate, and stored as part of the user
record. At login time it is decrypted with the PKCS#11 module and
then used to unlock the account and associated resources. See
below for an example how to set up authentication with a security
token.
Instead of a valid PKCS#11 URI, the special strings "list" and
"auto" may be specified. If "list" is passed, a brief table of
suitable, currently plugged in PKCS#11 hardware tokens is shown,
along with their URIs. If "auto" is passed, a suitable PKCS#11
hardware token is automatically selected (this operation will
fail if there isn't exactly one suitable token discovered). The
latter is a useful shortcut for the most common case where a
single PKCS#11 hardware token is plugged in.
Note that many hardware security tokens implement both
PKCS#11/PIV and FIDO2 with the "hmac-secret" extension (for
example: the YubiKey 5 series), as supported with the
--fido2-device= option below. Both mechanisms are similarly
powerful, though FIDO2 is the more modern technology. PKCS#11/PIV
tokens have the benefit of being recognizable before
authentication and hence can be used for implying the user
identity to use for logging in, which FIDO2 does not allow.
PKCS#11/PIV devices generally require initialization (i.e.
storing a private/public key pair on them, see example below)
before they can be used; FIDO2 security tokens generally do not
required that, and work out of the box.
--fido2-device=PATH
Takes a path to a Linux "hidraw" device (e.g. /dev/hidraw1),
referring to a FIDO2 security token implementing the
"hmac-secret" extension, that shall be able to unlock the user
account. If used, a random salt value is generated on the host,
which is passed to the FIDO2 device, which calculates a HMAC hash
of it, keyed by its internal secret key. The result is then used
as key for unlocking the user account. The random salt is
included in the user record, so that whenever authentication is
needed it can be passed again to the FIDO2 token, to retrieve the
actual key.
Instead of a valid path to a FIDO2 "hidraw" device the special
strings "list" and "auto" may be specified. If "list" is passed,
a brief table of suitable discovered FIDO2 devices is shown. If
"auto" is passed, a suitable FIDO2 token is automatically
selected, if exactly one is discovered. The latter is a useful
shortcut for the most common case where a single FIDO2 hardware
token is plugged in.
Note that FIDO2 devices suitable for this option must implement
the "hmac-secret" extension. Most current devices (such as the
YubiKey 5 series) do. If the extension is not implemented the
device cannot be used for unlocking home directories.
Note that many hardware security tokens implement both FIDO2 and
PKCS#11/PIV (and thus may be used with either --fido2-device= or
--pkcs11-token-uri=), for a discussion see above.
--locked=BOOLEAN
Takes a boolean argument. Specifies whether this user account
shall be locked. If true logins into this account are prohibited,
if false (the default) they are permitted (of course, only if
authorization otherwise succeeds).
--not-before=TIMESTAMP, --not-after=TIMESTAMP
These options take a timestamp string, in the format documented
in systemd.time(7) and configures points in time before and after
logins into this account are not permitted.
--rate-limit-interval=SECS, --rate-limit-burst=NUMBER
Configures a rate limit on authentication attempts for this user.
If the user attempts to authenticate more often than the
specified number, on a specific system, within the specified time
interval authentication is refused until the time interval
passes. Defaults to 10 times per 1min.
--password-hint=TEXT
Takes a password hint to store alongside the user record. This
string is stored accessible only to privileged users and the user
itself and may not be queried by other users. Example:
--password-hint="My first pet's name"
--enforce-password-policy=BOOL, -P
Takes a boolean argument. Configures whether to enforce the
system's password policy for this user, regarding quality and
strength of selected passwords. Defaults to on. -P is short for
---enforce-password-policy=no.
--password-change-now=BOOL
Takes a boolean argument. If true the user is asked to change
their password on next login.
--password-change-min=TIME, --password-change-max=TIME,
--password-change-warn=TIME, --password-change-inactive=TIME
Each of these options takes a time span specification as argument
(in the syntax documented in systemd.time(7)) and configures
various aspects of the user's password expiration policy.
Specifically, --password-change-min= configures how much time has
to pass after changing the password of the user until the
password may be changed again. If the user tries to change their
password before this time passes the attempt is refused.
--password-change-max= configures how soon after it has been
changed the password expires and needs to be changed again. After
this time passes logging in may only proceed after the password
is changed. --password-change-warn= specifies how much earlier
than then the time configured with --password-change-max= the
user is warned at login to change their password as it will
expire soon. Finally --password-change-inactive= configures the
time which has to pass after the password as expired until the
user is not permitted to log in or change the password anymore.
Note that these options only apply to password authentication,
and do not apply to other forms of authentication, for example
PKCS#11-based security token authentication.
--disk-size=BYTES
Either takes a size in bytes as argument (possibly using the
usual K, M, G, ... suffixes for 1024 base values), or a
percentage value and configures the disk space to assign to the
user. If a percentage value is specified (i.e. the argument
suffixed with "%") it is taken relative to the available disk
space of the backing file system. If the LUKS2 backend is used
this configures the size of the loopback file and file system
contained therein. For the other storage backends configures disk
quota using the filesystem's native quota logic, if available. If
not specified, defaults to 85% of the available disk space for
the LUKS2 backend and to no quota for the others.
--access-mode=MODE
Takes a UNIX file access mode written in octal. Configures the
access mode of the home directory itself. Note that this is only
used when the directory is first created, and the user may change
this any time afterwards. Example: --access-mode=0700
--umask=MASK
Takes the access mode mask (in octal syntax) to apply to newly
created files and directories of the user ("umask"). If set this
controls the initial umask set for all login sessions of the
user, possibly overriding the system's defaults.
--nice=NICE
Takes the numeric scheduling priority ("nice level") to apply to
the processes of the user at login time. Takes a numeric value in
the range -20 (highest priority) to 19 (lowest priority).
--rlimit=LIMIT=VALUE[:VALUE]
Allows configuration of resource limits for processes of this
user, see getrlimit(2) for details. Takes a resource limit name
(e.g. "LIMIT_NOFILE") followed by an equal sign, followed by a
numeric limit. Optionally, separated by colon a second numeric
limit may be specified. If two are specified this refers to the
soft and hard limits, respectively. If only one limit is
specified the setting sets both limits in one.
--tasks-max=TASKS
Takes a non-zero unsigned integer as argument. Configures the
maximum numer of tasks (i.e. threads, where each process is at
least one thread) the user may have at any given time. This limit
applies to all tasks forked off the user's sessions, even if they
change user identity via su(1) or a similar tool. Use
--rlimit=LIMIT_NPROC= to place a limit on the tasks actually
running under the UID of the user, thus excluding any child
processes that might have changed user identity. This controls
the TasksMax= setting of the per-user systemd slice unit
user-$UID.slice. See systemd.resource-control(5) for further
details.
--memory-high=BYTES, --memory-max=BYTES
Set a limit on the memory a user may take up on a system at any
given time in bytes (the usual K, M, G, ... suffixes are
supported, to the base of 1024). This includes all memory used by
the user itself and all processes they forked off that changed
user credentials. This controls the MemoryHigh= and MemoryMax=
settings of the per-user systemd slice unit user-$UID.slice. See
systemd.resource-control(5) for further details.
--cpu-weight=WEIGHT, --io-weight=WEIGHT
Set CPU and IO scheduling weights of the processes of the user,
including those of processes forked off by the user that changed
user credentials. Takes a numeric value in the range 1...10000.
This controls the CPUWeight= and IOWeight= settings of the
per-user systemd slice unit user-$UID.slice. See
systemd.resource-control(5) for further details.
--storage=STORAGE
Selects the storage mechanism to use for this home directory.
Takes one of "luks", "fscrypt", "directory", "subvolume", "cifs".
For details about these mechanisms, see above. If a new home
directory is created and the storage type is not specifically
specified, homed.conf(5) defines which default storage to use.
--image-path=PATH
Takes a file system path. Configures where to place the user's
home directory. When LUKS2 storage is used refers to the path to
the loopback file, otherwise to the path to the home directory.
When unspecified defaults to /home/$USER.home when LUKS storage
is used and /home/$USER.homedir for the other storage mechanisms.
Not defined for the "cifs" storage mechanism. To use LUKS2
storage on a regular block device (for example a USB stick) pass
the path to the block device here.
--fs-type=TYPE
When LUKS2 storage is used configures the file system type to use
inside the home directory LUKS2 container. One of "ext4", "xfs",
"btrfs". If not specified homed.conf(5) defines which default
file system type to use. Note that "xfs" is not recommended as
its support for file system resizing is too limited.
--luks-discard=BOOL
When LUKS2 storage is used configures whether to enable the
"discard" feature of the file system. If enabled the file system
on top of the LUKS2 volume will report empty block information to
LUKS2 and the loopback file below, ensuring that empty space in
the home directory is returned to the backing file system below
the LUKS2 volume, resulting in a "sparse" loopback file. This
option mostly defaults to off, since this permits over-committing
home directories which results in I/O errors if the underlying
file system runs full while the upper file system wants to
allocate a block. Such I/O errors are generally not handled well
by file systems nor applications. When LUKS2 storage is used on
top of regular block devices (instead of on top a loopback file)
the discard logic defaults to on.
--luks-offline-discard=BOOL
Similar to --luks-discard=, controls the trimming of the file
system. However, while --luks-discard= controls what happens when
the home directory is active, --luks-offline-discard= controls
what happens when it becomes inactive, i.e. whether to
trim/allocate the storage when deactivating the home directory.
This option defaults to on, to ensure disk space is minimized
while a user is not logged in.
--luks-cipher=CIPHER, --luks-cipher-mode=MODE,
--luks-volume-key-size=BITS, --luks-pbkdf-type=TYPE,
--luks-pbkdf-hash-algorithm=ALGORITHM,
--luks-pbkdf-time-cost=SECONDS, --luks-pbkdf-memory-cost=BYTES,
--luks-pbkdf-parallel-threads=THREADS
Configures various cryptographic parameters for the LUKS2 storage
mechanism. See cryptsetup(8) for details on the specific
attributes.
--nosuid=BOOL, --nodev=BOOL, --noexec=BOOL
Configures the "nosuid", "nodev" and "noexec" mount options for
the home directories. By default "nodev" and "nosuid" are on,
while "noexec" is off. For details about these mount options see
mount(8).
--cifs-domain=DOMAIN, --cifs-user-name=USER, --cifs-service=SERVICE
Configures the Windows File Sharing (CIFS) domain and user to
associate with the home directory/user account, as well as the
file share ("service") to mount as directory. The latter is used
when "cifs" storage is selected.
--stop-delay=SECS
Configures the time the per-user service manager shall continue
to run after the all sessions of the user ended. The default is
configured in logind.conf(5) (for home directories of LUKS2
storage located on removable media this defaults to 0 though). A
longer time makes sure quick, repetitive logins are more
efficient as the user's service manager doesn't have to be
started every time.
--kill-processes=BOOL
Configures whether to kill all processes of the user on logout.
The default is configured in logind.conf(5).
--auto-login=BOOL
Takes a boolean argument. Configures whether the graphical UI of
the system should automatically log this user in if possible.
Defaults to off. If less or more than one user is marked this way
automatic login is disabled.
The following commands are understood:
list
List all home directories (along with brief details) currently
managed by systemd-homed.service. This command is also executed
if none is specified on the command line. (Note that the list of
users shown by this command does not include users managed by
other subsystems, such as system users or any traditional users
listed in /etc/passwd.)
activate USER [USER...]
Activate one or more home directories. The home directories of
each listed user will be activated and made available under their
mount points (typically in /home/$USER). Note that any home
activated this way stays active indefinitely, until it is
explicitly deactivated again (with deactivate, see below), or the
user logs in and out again and it thus is deactivated due to the
automatic deactivation-on-logout logic.
Activation of a home directory involves various operations that
depend on the selected storage mechanism. If the LUKS2 mechanism
is used, this generally involves: inquiring the user for a
password, setting up a loopback device, validating and activating
the LUKS2 volume, checking the file system, mounting the file
system, and potentially changing the ownership of all included
files to the correct UID/GID.
deactivate USER [USER...]
Deactivate one or more home directories. This undoes the effect
of activate.
inspect USER [USER...]
Show various details about the specified home directories. This
shows various information about the home directory and its user
account, including runtime data such as current state, disk use
and similar. Combine with --json= to show the detailed JSON user
record instead, possibly combined with --export-format= to
suppress certain aspects of the output.
authenticate USER [USER...]
Validate authentication credentials of a home directory. This
queries the caller for a password (or similar) and checks that it
correctly unlocks the home directory. This leaves the home
directory in the state it is in, i.e. it leaves the home
directory in inactive state if it was inactive before, and in
active state if it was active before.
create USER, create --identity=PATH [USER]
Create a new home directory/user account of the specified name.
Use the various user record property options (as documented
above) to control various aspects of the home directory and its
user accounts.
The specified user name should follow the strict syntax described
on User/Group Name Syntax[3].
remove USER
Remove a home directory/user account. This will remove both the
home directory's user record and the home directory itself, and
thus delete all files and directories owned by the user.
update USER, update --identity=PATH [USER]
Update a home directory/user account. Use the various user record
property options (as documented above) to make changes to the
account, or alternatively provide a full, updated JSON user
record via the --identity= option.
Note that changes to user records not signed by a cryptographic
private key available locally are not permitted, unless
--identity= is used with a user record that is already correctly
signed by a recognized private key.
passwd USER
Change the password of the specified home directory/user account.
resize USER BYTES
Change the disk space assigned to the specified home directory.
If the LUKS2 storage mechanism is used this will automatically
resize the loopback file and the file system contained within.
Note that if "ext4" is used inside of the LUKS2 volume, it is
necessary to deactivate the home directory before shrinking it
(i.e the user has to log out). Growing can be done while the home
directory is active. If "xfs" is used inside of the LUKS2 volume
the home directory may not be shrunk whatsoever. On all three of
"ext4", "xfs" and "btrfs" the home directory may be grown while
the user is logged in, and on the latter also shrunk while the
user is logged in. If the "subvolume", "directory", "fscrypt"
storage mechanisms are used, resizing will change file system
quota.
lock USER
Temporarily suspend access to the user's home directory and
remove any associated cryptographic keys from memory. Any
attempts to access the user's home directory will stall until the
home directory is unlocked again (i.e. re-authenticated). This
functionality is primarily intended to be used during system
suspend to make sure the user's data cannot be accessed until the
user re-authenticates on resume. This operation is only defined
for home directories that use the LUKS2 storage mechanism.
unlock USER
Resume access to the user's home directory again, undoing the
effect of lock above. This requires authentication of the user,
as the cryptographic keys required for access to the home
directory need to be reacquired.
lock-all
Execute the lock command on all suitable home directories at
once. This operation is generally executed on system suspend
(i.e. by systemctl suspend and related commands), to ensure all
active user's cryptographic keys for accessing their home
directories are removed from memory.
with USER COMMAND...
Activate the specified user's home directory, run the specified
command (under the caller's identity, not the specified user's)
and deactivate the home directory afterwards again (unless the
user is logged in otherwise). This command is useful for running
privileged backup scripts and such, but requires authentication
with the user's credentials in order to be able to unlock the
user's home directory.
On success, 0 is returned, a non-zero failure code otherwise.
$SYSTEMD_PAGER
Pager to use when --no-pager is not given; overrides $PAGER. If
neither $SYSTEMD_PAGER nor $PAGER are set, a set of well-known
pager implementations are tried in turn, including less(1) and
more(1), until one is found. If no pager implementation is
discovered no pager is invoked. Setting this environment variable
to an empty string or the value "cat" is equivalent to passing
--no-pager.
$SYSTEMD_LESS
Override the options passed to less (by default "FRSXMK").
Users might want to change two options in particular:
K
This option instructs the pager to exit immediately when
Ctrl+C is pressed. To allow less to handle Ctrl+C itself to
switch back to the pager command prompt, unset this option.
If the value of $SYSTEMD_LESS does not include "K", and the
pager that is invoked is less, Ctrl+C will be ignored by the
executable, and needs to be handled by the pager.
X
This option instructs the pager to not send termcap
initialization and deinitialization strings to the terminal.
It is set by default to allow command output to remain
visible in the terminal even after the pager exits.
Nevertheless, this prevents some pager functionality from
working, in particular paged output cannot be scrolled with
the mouse.
See less(1) for more discussion.
$SYSTEMD_LESSCHARSET
Override the charset passed to less (by default "utf-8", if the
invoking terminal is determined to be UTF-8 compatible).
$SYSTEMD_COLORS
The value must be a boolean. Controls whether colorized output
should be generated. This can be specified to override the
decision that systemd makes based on $TERM and what the console
is connected to.
$SYSTEMD_URLIFY
The value must be a boolean. Controls whether clickable links
should be generated in the output for terminal emulators
supporting this. This can be specified to override the decision
that systemd makes based on $TERM and other conditions.
Example 1. Create a user "waldo" in the administrator group "wheel",
and assign 500 MiB disk space to them.
homectl create waldo --real-name="Waldo McWaldo" -G wheel --disk-size=500M
Example 2. Create a user "wally" on a USB stick, and assign a maximum
of 500 concurrent tasks to them.
homectl create wally --real-name="Wally McWally" --image-path=/dev/disk/by-id/usb-SanDisk_Ultra_Fit_476fff954b2b5c44-0:0 --tasks-max=500
Example 3. Change nice level of user "odlaw" to +5 and make sure the
environment variable $SOME is set to the string "THING" for them on
login.
homectl update odlaw --nice=5 --setenv=SOME=THING
Example 4. Set up authentication with a YubiKey security token using
PKCS#11/PIV:
# Clear the Yubikey from any old keys (careful!)
ykman piv reset
# Generate a new private/public key pair on the device, store the public key in 'pubkey.pem'.
ykman piv generate-key -a RSA2048 9d pubkey.pem
# Create a self-signed certificate from this public key, and store it on the device.
ykman piv generate-certificate --subject "Knobelei" 9d pubkey.pem
# We don't need the public key on disk anymore
rm pubkey.pem
# Allow the security token to unlock the account of user 'lafcadio'.
homectl update lafcadio --pkcs11-token-uri=auto
Example 5. Set up authentication with a FIDO2 security token:
# Allow a FIDO2 security token to unlock the account of user 'nihilbaxter'.
homectl update nihilbaxter --fido2-device=auto
systemd(1), systemd-homed.service(8), homed.conf(5), userdbctl(1),
useradd(8), cryptsetup(8)
1. JSON User Records
https://systemd.io/USER_RECORD
2. Icon Naming Specification
https://standards.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html
3. User/Group Name Syntax
https://systemd.io/USER_NAMES
This page is part of the systemd (systemd system and service manager)
project. Information about the project can be found at
⟨http://www.freedesktop.org/wiki/Software/systemd⟩. If you have a bug
report for this manual page, see
⟨http://www.freedesktop.org/wiki/Software/systemd/#bugreports⟩. This
page was obtained from the project's upstream Git repository
⟨https://github.com/systemd/systemd.git⟩ on 2020-08-13. (At that
time, the date of the most recent commit that was found in the repos‐
itory was 2020-08-11.) If you discover any rendering problems in
this HTML version of the page, or you believe there is a better or
more up-to-date source for the page, or you have corrections or
improvements to the information in this COLOPHON (which is not part
of the original manual page), send a mail to man-pages@man7.org
systemd 246 HOMECTL(1)
Pages that refer to this page: homed.conf(5) , homed.conf.d(5) , org.freedesktop.home1(5) , 30-systemd-environment-d-generator(7) , systemd.directives(7) , systemd.index(7) , pam_systemd_home(8) , systemd-homed(8) , systemd-homed.service(8)