Create restricted user on Debian server
That's the right track, but you'll want to indicate that it's a system user so that /etc/shadow won't have any aging information. From the useradd man page:
-r, --system
Create a system account. System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups). Note that useradd will not create a home directory for such a user, regardless of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m option if you want a home directory for a system account to be created.
So you'll want something along the lines of:
useradd -s /usr/sbin/nologin -r -M tomcat
You can also create a home directory if you want, maybe something that belongs to the service, for example:
useradd -s /usr/sbin/nologin -r -M -d /etc/nginx nginx
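To check that an account ended up with the properties described above (system UID range, nologin shell, locked password, no aging fields), here is an added example that is not part of the original answer. The function names, the 100-999 range passed for SYS_UID_MIN-SYS_UID_MAX and the sample entries are assumptions; read the real range from /etc/login.defs.

```shell
#!/bin/sh
# Added example (not from the original post). Audits accounts in passwd(5)/
# shadow(5)-format files for the properties discussed above.
# Usage: audit_service_users PASSWD SHADOW SYS_UID_MIN SYS_UID_MAX USER...
# Prints one "user: finding" line per problem; prints nothing when all pass.
audit_service_users() {
    pw_file=$1 sh_file=$2 lo=$3 hi=$4
    shift 4
    for u in "$@"; do
        awk -F: -v u="$u" -v lo="$lo" -v hi="$hi" '
            FILENAME == ARGV[1] {    # passwd: name:x:uid:gid:gecos:home:shell
                if ($1 == u) { found = 1; uid = $3; shell = $7 }
                next
            }
            $1 == u {                # shadow: name:pw:lastchg:min:max:warn:...
                in_shadow = 1; hash = $2
                # Assumption: any non-empty min/max/warn field counts as aging info.
                aging = ($4 != "" || $5 != "" || $6 != "")
            }
            END {
                if (!found) { print u ": no passwd entry"; exit }
                if (uid + 0 < lo + 0 || uid + 0 > hi + 0)
                    print u ": UID " uid " outside system range " lo "-" hi
                if (shell !~ /\/(nologin|false)$/)
                    print u ": login shell " shell
                if (!in_shadow) { print u ": no shadow entry"; exit }
                if (hash !~ /^[!*]/) print u ": password not locked"
                if (aging) print u ": aging fields set in shadow"
            }
        ' "$pw_file" "$sh_file"
    done
}

# Constructed sample data: tomcat as a system account, nginx with aging
# fields present, supervisor as a regular login account.
write_sample() {
    cat > "$1/passwd" <<'EOF'
tomcat:x:105:110::/home/tomcat:/usr/sbin/nologin
nginx:x:106:111::/etc/nginx:/usr/sbin/nologin
supervisor:x:1001:1001::/home/supervisor:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
tomcat:!:15500::::::
nginx:!:15500:0:99999:7:::
supervisor:$6$constructed$constructed:15500:0:99999:7:::
EOF
}
```

On a live system, run it as root against /etc/passwd and /etc/shadow with the service account names as the trailing arguments.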
J.Zil
Updated on September 18, 2022
Comments
-
J.Zil over 1 year
I want to create a user account for each of the key programs installed on my Debian server. For example, for the following programs:
Tomcat, Nginx, Supervisor, PostgreSQL
This seems to be recommended based on my reading online. However, I want to restrict these user accounts as much as possible, so that they don't have a shell login, don't have access to the other programs and are as limited as possible but still functional.
Would anyone mind telling me how this could be achieved? My reading so far suggests this:
echo "/usr/sbin/nologin" >> /etc/shells
useradd -s /usr/sbin/nologin tomcat
But I think there may be a more complete way of doing it.
EDIT: I'm using Debian squeeze
-
Michael Hampton over 11 years
The respective packages should already add restricted user accounts.
-