JSON User/Group Records (as described in the JSON User
Records and JSON Group
Records documents) that are defined on the
local system may be queried with a Varlink API. This
API takes both the role of what
related calls are for
struct passwd, as well as the interfaces modules
implementing the glibc Name Service Switch
expose. Or in other words, it both allows applications to efficiently query
user/group records from local services, and allows local subsystems to provide
user/group records efficiently to local applications.
This simple API only exposes only three method calls, and requires only a small subset of the Varlink functionality.
The API described in this document is based on a simple subset of the mechanisms described by Varlink. The choice of preferring Varlink over D-Bus and other IPCs in this context was made for three reasons:
User/Group record resolution should work during early boot and late shutdown without special handling. This is very hard to do with D-Bus, as the broker service for D-Bus generally runs as regular system daemon and is hence only available at the latest boot stage.
The JSON user/group records are native JSON data, hence picking an IPC system that natively operates with JSON data is natural and clean.
IPC systems such as D-Bus do not provide flow control and are thus unusable for streaming data. They are useful to pass around short control messages, but as soon as potentially many and large objects shall be transferred, D-Bus is not suitable, as any such streaming of messages would be considered flooding in D-Bus’ logic, and thus possibly result in termination of communication. Since the APIs defined in this document need to support enumerating potentially large numbers of users and groups, D-Bus is simply not an appropriate option.
Each subsystem that needs to define users and groups on the local system is
supposed to implement this API, and offer its interfaces on a Varlink
SOCK_STREAM file system socket bound into the
/run/systemd/userdb/ directory. When a client wants to look up a user or
group record, it contacts all sockets bound in this directory in parallel, and
enqueues the same query to each. The first positive reply is then returned to
the application, or if all fail the last seen error is returned
instead. (Alternatively a special Varlink service is available,
io.systemd.Multiplexer which acts as frontend and will do the parallel
queries on behalf of the client, drastically simplifying client
development. This service is not available during earliest boot and final
Unlike with glibc NSS there’s no order or programmatic expression language defined in which queries are issued to the various services. Instead, all queries are always enqueued in parallel to all defined services, in order to make look-ups efficient, and the simple rule of “first successful lookup wins” is unconditionally followed for user and group look-ups (though not for membership lookups, see below).
This simple scheme only works safely as long as every service providing user/group records carefully makes sure not to answer with conflicting records. This API does not define any mechanisms for dealing with user/group name/ID collisions during look-up nor during record registration. It assumes the various subsystems that want to offer user and group records to the rest of the system have made sufficiently sure in advance that their definitions do not collide with those of other services. Clients are not expected to merge multiple definitions for the same user or group, and will also not be able to detect conflicts and suppress such conflicting records.
It is recommended to name the sockets in the directory in reverse domain name notation, but this is neither required nor enforced.
Any subsystem that wants to provide user/group records can do so, simply by binding a socket in the aforementioned directory. By default two services are listening there, that have special relevance:
io.systemd.NameServiceSwitch → This service makes the classic UNIX/glibc
NSS user/group records available as JSON User/Group records. Any such
records are automatically converted as needed, and possibly augmented with
information from the shadow databases.
io.systemd.Multiplexer → This service multiplexes client queries to all
other running services. It’s supposed to simplify client development: in
order to look up or enumerate user/group records it’s sufficient to talk to
one service instead of all of them in parallel. Note that it is not availabe
during earliest boot and final shutdown phases, hence for programs running
in that context it is preferable to implement the parallel lookup
Both these services are implemented by the same daemon
Note that these services currently implement a subset of Varlink only. For example, introspection is not available, and the resolver logic is not used.
systemd project provides two other services implementing this
io.systemd.DynamicUser → This service is implemented by the service
manager itself, and provides records for the users and groups synthesized
DynamicUser= in unit files.
io.systemd.Home → This service is implemented by
and provides records for the users and groups defined by the home
directories it manages.
Other projects are invited to implement these services too. For example it would make sense for LDAP/ActiveDirectory projects to implement these interfaces, which would provide them a way to do per-user resource management enforced by systemd and defined directly in LDAP directories.
Two-way compatibility with classic UNIX/glibc NSS user/group records is
provided. When using the Varlink API, lookups into databases provided only via
NSS (and not natively via Varlink) are handled by the
io.systemd.NameServiceSwitch service (see above). When using the NSS API
getpwnam() and friends) the
nss-systemd module will automatically
synthesize NSS records for users/groups natively defined via a Varlink
API. Special care is taken to avoid recursion between these two compatibility
Subsystems that shall provide user/group records to the system may choose between offering them via an NSS module or via a this Varlink API, either way all records are accessible via both APIs, due to the bidirectional forwarding. It is also possible to provide the same records via both APIs directly, but in that case the compatibility logic must be turned off. There are mechanisms in place for this, please contact the systemd project for details, as these are currently not documented.
This API defines no concepts for caching records. If caching is desired it should be implemented in the subsystems that provide the user records, not in the clients consuming them.
interface io.systemd.UserDatabase method GetUserRecord( uid : ?int, userName : ?string, service : string ) -> ( record : object, incomplete : boolean ) method GetGroupRecord( gid : ?int, groupName : ?string, service : string ) -> ( record : object, incomplete : boolean ) method GetMemberships( userName : ?string, groupName : ?string, service : string ) -> ( userName : string, groupName : string ) error NoRecordFound() error BadService() error ServiceNotAvailable() error ConflictingRecordFound()
GetUserRecord method looks up or enumerates a user record. If the
parameter is set it specifies the numeric UNIX UID to search for. If the
userName parameter is set it specifies the name of the user to search
for. Typically, only one of the two parameters are set, depending whether a
look-up by UID or by name is desired. However, clients may also specify both
parameters, in which case a record matching both will be returned, and if only
one exists that matches one of the two parameters but not the other an error of
ConflictingRecordFound is returned. If neither of the two parameters are set
the whole user database is enumerated. In this case the method call needs to be
more set, so that multiple method call replies may be generated as
effect, each carrying one user record.
service parameter is mandatory and should be set to the service name
being talked to (i.e. to the same name as the
AF_UNIX socket path, with the
/run/systemd/userdb/ prefix removed). This is useful to allow implementation
of multiple services on the same socket (which is used by
The method call returns one or more user records, depending which type of query is
used (see above). The record is returned in the
record field. The
incomplete field indicates whether the record is complete. Services providing
user record lookup should only pass the
privileged section of user records to
clients that either match the user the record is about or to sufficiently
privileged clients, for all others the section must be removed so that no
sensitive data is leaked this way. The
incomplete parameter should indicate
whether the record has been modified like this or not (i.e. it is
true if a
privileged section existed in the user record and was removed, and
privileged section existed or one existed but hasn’t been removed).
If no user record matching the specified UID or name is known the error
NoRecordFound is returned (this is also returned if neither UID nor name are
specified, and hence enumeration requested but the subsystem currently has no
If a method call with an incorrectly set
service field is received
(i.e. either not set at all, or not to the service’s own name) a
error is generated. Finally,
ServiceNotAvailable should be returned when the
backing subsystem is not operational for some reason and hence no information
about existence or non-existence of a record can be returned nor any user
record at all. (The
service field is defined in order to allow implementation
of daemons that provide multiple distinct user/group services over the same
AF_UNIX socket: in order to correctly determine which service a client wants
to talk to the client needs to provide the name in each request.)
GetGroupRecord method call works analogously but for groups.
GetMemberships method call may be used to inquire about group
groupName arguments take what the name
suggests. If one of the two is specified all matching memberships are returned,
if neither is specified all known memberships of any user and any group are
returned. The return value is a pair of user name and group name, where the
user is a member of the group. If both arguments are specified the specified
membership will be tested for, but no others, and the pair is returned if it is
defined. Unless both arguments are specified the method call needs to be made
more set, so that multiple replies can be returned (since typically
there are are multiple members per group and also multiple groups a user is
member of). As with
parameter needs to contain the name of the service being talked to, in order to
allow implementation of multiple service within the same IPC socket. In case no
matching membership is known
NoRecordFound is returned. The other two errors
are also generated in the same cases as for
GetGroupRecord the lists of memberships
returned by services are always combined. Thus unlike the other two calls a
membership lookup query has to wait for the last simultaneous query to complete
before the complete list is acquired.
Note that only the
GetMemberships call is authoritative about memberships of
users in groups. i.e. it should not be considered sufficient to check the
memberOf field of user records and the
members field of group records to
acquire the full list of memberships. The full list can only bet determined by
GetMemberships, and as mentioned requires merging of these lists of all local
services. Result of this is that it can be one service that defines a user A,
and another service that defines a group B, and a third service that declares
that A is a member of B.
And that’s really all there is to it.