Creating Group and User for Tomcat RHEL/CentOS
Solution 1
There are as many opinions as there are people. I think the best way to create the tomcat user is as follows:
# useradd -r -s /sbin/nologin tomcat
# chown -R tomcat: /usr/local/tomcat
It means you will create a system account. Info from man useradd:
System users will be created with no aging information in /etc/shadow,
and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX
range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their
GID counterparts for the creation of groups).
Also, useradd -r ... creates a group with the same name as the user, so you don't need to create it yourself.
BTW, if you decide to change something in the user configuration later (for example, specify a home directory or change the shell), you can always do it with the usermod command.
Read man useradd and man usermod.
Edit
Really, you should answer some questions:
- Do you need a system user (with UID < 500)?
- Do you need a shell, or do you want to disable shell access (/sbin/nologin, /bin/false)?
- Do you need a home directory for that user (BTW, tomcat possibly wants to have one)?
OK, you don't want UID < 500 and you want a home directory (it doesn't exist yet), so let's run the following command:
# useradd -U -d /usr/local/tomcat -m -s /bin/false tomcat
Option -U will create the group with the same name.
If you want to add a user description, use -c "Tomcat user".
If you already have the tomcat directory:
# useradd -U -d /usr/local/tomcat -M -s /bin/false tomcat
After that you should change the owner of the tomcat directory (to allow the tomcat user to work with it):
# chown -R tomcat: /usr/local/tomcat
Edit 2
You've asked, we are answering.
- If your user has UID < 500 it only means it's the user for some service, not an ordinary user (possibly a human, who has shell access). It won't bring you a vulnerability because these users are not treated specially by the operating system. Also, it won't give you extended functionality. There is only one reason why it's not good to use UIDs < 500: you may install some RPM package in the future and it will provide a user with the same UID. In that case you'll have some issues. That's it! BTW, tomcat installed from RPM provides user tomcat with UID=91 and group with GID=91 (at least in my Fedora):
$ id tomcat
uid=91(tomcat) gid=91(tomcat) groups=91(tomcat)
OK, use /bin/false or /sbin/nologin. You can specify / as the home directory for your service, like some packages do. For example, if you have tcpdump installed from RPM, you have the following line in /etc/passwd:
tcpdump:x:72:72::/:/sbin/nologin
In this case use the useradd command with the keys -d / and -M.
On the other hand, tomcat installed from RPM has a correct home directory:
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/bin/nologin
And now a few words about chown.
These commands do the same job:
chown tomcat:tomcat /usr/local/tomcat
chown tomcat: /usr/local/tomcat
Quotation from man chown:
Group is unchanged if missing, but changed to login group if implied by a ':' following a symbolic OWNER.
Using . as the OWNER/GROUP separator is deprecated now. Use : instead.
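As an added example (not part of svq's answer or of any distribution's tooling), here is a small POSIX sh audit script that applies the answer's criteria to /etc/passwd-style entries: the login shell must be one of the non-interactive shells, and the uid is classified against the SYS_UID_MIN/SYS_UID_MAX and UID_MIN ranges from login.defs, which separates ids that useradd -r allocates from the statically assigned ids (like the tomcat RPM's 91) where the package-collision issue described above applies. The login.defs excerpt and the passwd entries are constructed strings embedded in the script (two of the entries are the tcpdump and tomcat lines quoted above, the rest are made up), so it runs unprivileged and touches no system file; all function names are my own.

```shell
#!/bin/sh
# Added audit helpers for locked service accounts (example code, not from the answer).
# Everything here works on constructed strings; it does not read or modify
# /etc/passwd or /etc/login.defs, so it runs as an unprivileged user.

# Shells that refuse interactive login. /bin/nologin is listed because the
# Fedora passwd line quoted above uses it (on Fedora /bin is /usr/bin).
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/nologin /bin/false"

# Constructed excerpt of /etc/login.defs with CentOS 6-era ranges
# (ordinary users from 500, "useradd -r" allocates from 201..499).
LOGIN_DEFS_SAMPLE='UID_MIN 500
UID_MAX 60000
SYS_UID_MIN 201
SYS_UID_MAX 499'

# login_defs_value KEY TEXT: print the value of KEY from login.defs-style text.
login_defs_value() {
    printf '%s\n' "$2" | awk -v key="$1" '$1 == key { print $2; exit }'
}

# shell_is_locked SHELL: succeed if SHELL is one of the non-interactive shells.
shell_is_locked() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# uid_class UID TEXT: classify a numeric uid against the login.defs ranges.
#   static   - below SYS_UID_MIN: assigned by hand or by distribution packages
#              (the tomcat RPM's uid 91); a later package may claim the same id
#   system   - SYS_UID_MIN..SYS_UID_MAX: what "useradd -r" allocates
#   ordinary - UID_MIN and above: regular (human) accounts
#   gap      - anything between the system range and UID_MIN
uid_class() {
    uid=$1
    sys_min=$(login_defs_value SYS_UID_MIN "$2")
    sys_max=$(login_defs_value SYS_UID_MAX "$2")
    uid_min=$(login_defs_value UID_MIN "$2")
    if [ "$uid" -lt "$sys_min" ]; then echo static
    elif [ "$uid" -le "$sys_max" ]; then echo system
    elif [ "$uid" -ge "$uid_min" ]; then echo ordinary
    else echo gap
    fi
}

# audit_passwd_line LINE TEXT: check one /etc/passwd entry for a service account.
# Prints one finding per field; succeeds only when the shell denies login.
# The uid class is reported but, as the answer explains, is not a vulnerability.
audit_passwd_line() {
    line=$1
    name=$(printf '%s' "$line" | cut -d: -f1)
    uid=$(printf '%s' "$line" | cut -d: -f3)
    home=$(printf '%s' "$line" | cut -d: -f6)
    shell=$(printf '%s' "$line" | cut -d: -f7)
    rc=0
    if shell_is_locked "$shell"; then
        echo "$name: OK   shell $shell denies interactive login"
    else
        echo "$name: WARN shell $shell allows interactive login"
        rc=1
    fi
    echo "$name: uid $uid class: $(uid_class "$uid" "$2")"
    case $home in
        '') echo "$name: WARN empty home field; set it explicitly with useradd -d" ;;
        *)  echo "$name: home is $home" ;;
    esac
    return $rc
}

# Constructed entries: two quoted from the page, one ordinary-range account
# with a locked shell, and one (webapp) that keeps an interactive shell.
SAMPLE_PASSWD='tcpdump:x:72:72::/:/sbin/nologin
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/bin/nologin
UserG5C:x:503:504::/home/UserG5C:/bin/false
webapp:x:502:502::/usr/local/tomcat:/bin/bash'

# audit_passwd_text TEXT DEFS: audit every non-empty line of TEXT.
# Exit status is the number of entries whose shell allows interactive login.
audit_passwd_text() {
    failed=0
    while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        audit_passwd_line "$entry" "$2" || failed=$((failed + 1))
    done <<EOF
$1
EOF
    return $failed
}

# Demo run on the constructed data.
audit_passwd_text "$SAMPLE_PASSWD" "$LOGIN_DEFS_SAMPLE" || echo "unlocked accounts: $?"
```

To audit a real host, feed `getent passwd` output and the actual /etc/login.defs to audit_passwd_text instead of the constructed strings; the script only reads those inputs and never calls useradd or chown.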
Solution 2
useradd -m -d /home/thenewuser -s /bin/bash -c "the new user" -U thenewuser
-c "message" : extra information about the user.
-U thenewuser : Create a group with the same name as the user, and add the user to this group.
-N : the -N argument tells the system not to create a group having the user’s name
-m, --create-home are same: Create the user's home directory if it does not exist.
-d, --home HOME_DIR : The new user will be created using HOME_DIR as the value for the user's login directory.
If -d is not used, the default home directory will be /home/thenewuser.
-m -d /data/thenewuser : the -m argument creates the /data/thenewuser homedirectory, specified by the -d argument.
-M : the -M argument tells the system not to create a home directory
-s /bin/bash : the -s is used for specifying the user's default shell, /bin/bash in this case.
-s or --shell are same.
-s /sbin/nologin : The /sbin/nologin for Fedora and /usr/sbin/nologin for Debian are two shells that return you a polite message like “this account is not available” and do not allow you to log into the system. This message can be customized.
-s /bin/false : Is an old shell used to deny a user's login. /bin/false exits immediately. User accounts with /bin/false or /bin/true as their default shells are locked.
-s /sbin/nologin belongs to unix-linux while /bin/false part of GNU Coreutils. These shells must be listed in the /etc/shells file, to work.
The users with /sbin/nologin (or /usr/sbin/nologin) can connect through ssh or ftp, but the users with /bin/false are completely locked out from the system.
-D : You can also view the default parameters set for new users to be created, using useradd -D:
# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
#
Check another alternatives in: http://www.golinuxhub.com/2014/04/10-practical-examples-to-use-useradd.html
-r : the -r argument is for creating a system user.
Check the user with finger. Example:
# finger mysql
Login: mysql Name:
Directory: /home/mysql Shell: /bin/bash
Never logged in.
No mail.
No Plan.
#
CentOS 6 doesn't have this command, but you can easily install it with yum install finger.
Other: http://www.tecmint.com/add-users-in-linux/
Lluís Alemany-Puig
Updated on September 18, 2022
Comments
-
Lluís Alemany-Puig almost 2 years
I want to create a user for my Tomcat installation, but I was looking at multiple options:
# groupadd tomcat
#
# useradd -g tomcat -d /usr/local/tomcat tomcat
# useradd -g tomcat -c "Tomcat User" -d /usr/local/tomcat tomcat
Other alternative:
https://panovski.me/install-tomcat-8-on-centos-7/
# useradd -r -s /sbin/nologin tomcat
# chown -R tomcat: /usr/local/tomcat
On another page (hidden and recursive):
# useradd -r tomcat --shell /bin/false
# chown -hR tomcat: /usr/local/tomcat
Other option?
# useradd -g tomcat -s /bin/bash -d /usr/local/tomcat tomcat
# chown -Rf tomcat.tomcat /usr/local/tomcat
I don't know what the mistake or the consequence is; I want to know which is the best option.
I think it is best to use -h (hidden), but
chown - change file owner and group
-r, --system
Create a system account. System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups). Note that useradd will not create a home directory for such an user, regardless of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m options if you want a home directory for a system account to be created.
-s, --shell SHELL
The name of the user's login shell. The default is to leave this field blank, which causes the system to select the default login shell specified by the SHELL variable in /etc/default/useradd, or an empty string by default.
In CentOS, is it necessary to use the -s or -r options?
EDIT 2
# useradd -r UserL5C --shell /bin/false
# more /etc/passwd | grep UserL5C
UserL5C:x:494:491::/home/UserL5C:/bin/false
# more /etc/group | grep UserL5C
UserL5C:x:491:
# finger UserL5C
Login: UserL5C Name:
Directory: /home/UserL5C Shell: /bin/false
Never logged in.
No mail.
No Plan.
#
UserL5C has UID and GID lower than 500.
# useradd UserG5C --shell /bin/false
# more /etc/passwd | grep UserG5C
UserG5C:x:503:504::/home/UserG5C:/bin/false
# more /etc/group | grep UserG5C
UserG5C:x:504:
# finger UserG5C
Login: UserG5C Name:
Directory: /home/UserG5C Shell: /bin/false
Never logged in.
No mail.
No Plan.
#
UserG5C has UID and GID greater than 500.
# ls -al /home/
total 32
drwxr-xr-x.  5 root    root     4096 Jun 25 06:05 .
dr-xr-xr-x. 25 root    root     4096 Jun 25 05:19 ..
drwx------. 33 IntUser IntUser  4096 Jun 25 05:46 IntUser
drwx------.  2 root    root    16384 Jun 13 09:56 lost+found
drwx------.  4 UserG5C UserG5C  4096 Jun 25 06:01 UserG5C
#
The difference: UserG5C creates a home directory.
Question
Would it be better to use useradd UserG5C -M -s /bin/false, because this user/account doesn't have system privileges?
-
svq about 9 years: I've edited my answer. Hope it will help you.
-
Lluís Alemany-Puig about 9 years: Answers: 1) I don't know; I think that UID means System User and vice versa. I have doubts. If I don't have a System User maybe I lose functionality, but if I have it then I will have a vulnerability. 2) I think the shell isn't needed. 3) I think it doesn't need a home directory although it has ownership over the tomcat directory.
-
svq about 9 years: New edit added. Enjoy!
-
Lluís Alemany-Puig about 9 years: The last question is: does
# useradd -r -d /usr/local/tomcat -s /sbin/nologin tomcat
make sense? In other words, using -r together with -d?
-
svq about 9 years: Yes, it makes sense to use these keys together. If you omit the -d key, the home directory will be specified as /home/tomcat in /etc/passwd. If you want to change this behavior, you should use -d.
-
mFeinstein about 7 years: According to this website: cyberciti.biz/faq/understanding-etcpasswd-file-format uids from 1-99 should be for predefined accounts... so isn't it wrong to put tomcat on uid 91?
-
svq about 7 years: It's not wrong, because these accounts are usually predefined by Linux distribution developers. Fedora project developers decided to assign uid 91 to tomcat - OK, no problem. The tomcat package can be installed "out of the box" with Fedora Linux, so user tomcat is predefined. If you want to install tomcat manually from a tarball (with a manually created user), it's better to choose uid > 99.
-
mFeinstein about 7 years: ohhh interesting, I didn't know they reserved these uids to services from outside linux itself. thanks!