Creating Group and User for Tomcat RHEL/CentOS

centos software-installation chown useradd tomcat
15,876

Solution 1

There are as many opinions as there are people. I think the best way to create tomcat user to do as follows:

# useradd -r -s /sbin/nologin tomcat
# chown -R tomcat: /usr/local/tomcat

It means, you will create system account. Info from man useradd:

System users will be created with no aging information in /etc/shadow,
and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX
range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their
GID counterparts for the creation of groups).

Also useradd -r ... creates the group with the same name as user and you don't need to create in by yourself.

BTW, if you'll decide to change something in user configuration (for example: specify home directory, or change shell), you will always can do it with usermod command.

Read man useradd and man usermod.

Edit

Really you should answer some questions:

  1. Do you need system user (with UID < 500)?
  2. Do you need shell or you want to disable shell access (/sbin/nologin, /bin/false)?
  3. Do you need home directory for that user (BTW, tomcat possibly want to have it)?

Ok, you don't want UID < 500 and want home directory (it's not exists now), let's do the following command:

# useradd -U -d /usr/local/tomcat -m -s /bin/false tomcat

Option -U will create the group with same name. If you want add user description, use -c "Tomcat user".

If you already have the tomcat directory:

# useradd -U -d /usr/local/tomcat -M -s /bin/false tomcat

After that you should change the owner for tomcat directory (to allow tomcat user to work with it):

# chown -R tomcat: /usr/local/tomcat

Edit 2

You've asked, we are answering.

  1. If your user has UID < 500 it only means it's the user for some service, not ordinary user (possibly human, who has shell access). It won't bring you the vulnerability because these users are not treated specially by operating system. Also it won't give you extended functionality. Only one thing why it's not good to use UIDs < 500: you can install some RPM-package in future and it will provide the user with the same UID. In that case you'll have some issues. That's it! BTW, tomcat installed from RPM provides user tomcat with UID=91 and group with GID=91 (at least in my Fedora):
$ id tomcat
uid=91(tomcat) gid=91(tomcat) groups=91(tomcat)

  1. Ok, use /bin/false or /sbin/nologin.

  2. You can specify / as home directory for your service like some packages do. For example, if you have tcpdump installed from RPM, you have the following string in /etc/passwd:

tcpdump:x:72:72::/:/sbin/nologin

In this case use useradd command with keys -d / and -M.

In other hand, tomcat installed from RPM, has correct home directory:

tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/bin/nologin

And now few words about chown.

These commands does the same job:

chown tomcat:tomcat /usr/local/tomcat
chown tomcat: /usr/local/tomcat

Quotation from man chown:

Group is unchanged if missing, but changed to login group if implied by a ':' following a symbolic OWNER.

Using . as OWNER/GROUP separator is deprecated now. Use :.

Solution 2

useradd -m -d /home/thenewuser -s /bin/bash -c "the new user" -U thenewuser

-c "message" : extra information about the user.

-U thenewuser : Create a group with the same name as the user, and add the user to this group.

-N : the -N argument tells the system not to create a group having the user’s name

-m, --create-home are same: Create the user's home directory if it does not exist.

-d, --home HOME_DIR : The new user will be created using HOME_DIR as the value for the user's login directory.
if -d is not used the default homedirectory will be /home/thenewuser

-m -d /data/thenewuser : the -m argument creates the /data/thenewuser homedirectory, specified by the -d argument.

-M : the -M argument tells the system not to create a home directory

-s /bin/bash : the -s is used for specifing the user’s default shell, /bin/bash in this case.

-s or --shell are same.

-s /sbin/nologin : The /sbin/nologin for Fedora and /usr/sbin/nologin for Debian are two shells that return you a polite message like “this account is not available” and do not allow you to log into the system. This message can be customized.

-s /bin/false : Is an old shell used to deny a user’s login. The /bin/false exits immediatly when false exists. The user accounts with /bin/false or /bin/true as their default shells are locked.

-s /sbin/nologin belongs to unix-linux while /bin/false part of GNU Coreutils. These shells must be listed in the /etc/shells file, to work.

The users with /sbin/nologin (or /usr/sbin/nologin) can connect through ssh or ftp, but the users with /bin/false are completely locked out from the system.

with useradd -D : You can also view the default parameters set for new user to be created using

# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
#

Check another alternatives in: http://www.golinuxhub.com/2014/04/10-practical-examples-to-use-useradd.html

-r : the -r arguments is for creating a system user

Check user

finger

Example

# finger mysql
  Login: mysql                      Name: 
  Directory: /home/mysql            Shell: /bin/bash
  Never logged in.
  No mail.
  No Plan.
#

CentOS 6 doesn't have this command, but you can easily install it with

yum install finger

.

other ` http://www.tecmint.com/add-users-in-linux/

Share:
15,876

Related videos on Youtube

Lluís Alemany-Puig
Author by

Lluís Alemany-Puig

Updated on September 18, 2022

Comments

  • Lluís Alemany-Puig
    Lluís Alemany-Puig almost 2 years

    I want to create an user for my Tomcat installation, but I was viewing multiple options:

    # groupadd tomcat
#
# useradd -g tomcat -d /usr/local/tomcat tomcat
# useradd -g tomcat -c "Tomcat User" -d /usr/local/tomcat tomcat

    Other alternative:

    https://panovski.me/install-tomcat-8-on-centos-7/

    # useradd -r -s /sbin/nologin tomcat
# chown -R tomcat: /usr/local/tomcat

    In other page (hidden and recursive)

    # useradd -r tomcat --shell /bin/false
# chown -hR tomcat: /usr/local/tomcat

    Other option:?

    # useradd -g tomcat -s /bin/bash -d /usr/local/tomcat tomcat
# chown -Rf tomcat.tomcat /usr/local/tomcat

    I don't know what is the mistake or consequence, I want to know what is the best option

    I think is best to use -h hidden, but

    chown - change file owner and group

    -r, --system
  Create a system account.

  System users will be created with no aging information in /etc/shadow, and their 
  numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in
  /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the
  creation of groups).

  Note that useradd will not create a home directory for such an user, regardless
  of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the
  -m options if you want a home directory for a system account to be created.

-s, --shell SHELL
  The name of the user's login shell. The default is to leave this field blank,
  which causes the system to select the default login shell specified by the SHELL
  variable in /etc/default/useradd, or an empty string by default.

    In CentOS is needed to use -s or -r options?

    EDIT 2

    # useradd -r UserL5C --shell /bin/false
# more /etc/passwd | grep UserL5C
UserL5C:x:494:491::/home/UserL5C:/bin/false
# more /etc/group | grep UserL5C
UserL5C:x:491:
# finger UserL5C
Login: UserL5C                  Name: 
Directory: /home/UserL5C                Shell: /bin/false
Never logged in.
No mail.
No Plan.
#

    UserL5C with UID and GID lower than 500

    # useradd UserG5C --shell /bin/false
# more /etc/passwd | grep UserG5C
UserG5C:x:503:504::/home/UserG5C:/bin/false
# more /etc/group | grep UserG5C
UserG5C:x:504:
# finger UserG5C
Login: UserG5C                  Name: 
Directory: /home/UserG5C                Shell: /bin/false
Never logged in.
No mail.
No Plan.
#

    UserG5C UID and GID greater than 500

    # ls -al /home/
total 32
drwxr-xr-x.  5 root       root        4096 Jun 25 06:05 .
dr-xr-xr-x. 25 root       root        4096 Jun 25 05:19 ..
drwx------. 33 IntUser    IntUser     4096 Jun 25 05:46 IntUser
drwx------.  2 root       root       16384 Jun 13 09:56 lost+found
drwx------.  4 UserG5C    UserG5C     4096 Jun 25 06:01 UserG5C
#

    The difference UserG5C creates homeDirectory

    Question

    It would be better to use: useradd UserG5C -M -s /bin/false because this user/account hasn't system privileges?

  • svq
    svq about 9 years
    I've edited my answer. Hope, it will help you.
  • Lluís Alemany-Puig
    Lluís Alemany-Puig about 9 years
    Answers: 1) I don't know, I think that UID means System User and vice versa. I have doubts. If I haven't System User maybe I loss functionality, but I have it then I will have vulnerability. 2) I think the shell isn't needed. 3) I think doesn't need homeDirectory although have ownership over tomcat directory.
  • svq
    svq about 9 years
    New edit added. Enjoy!
  • Lluís Alemany-Puig
    Lluís Alemany-Puig about 9 years
    The last question is: has it # useradd -r -d /usr/local/tomcat -s /sbin/nologin tomcat sense?. In other words, to use -r together with -d?
  • svq
    svq about 9 years
    Yes, it make sense to use these keys together. If you omit -d key, the home directory will be specified as /home/tomcat in /etc/passwd. If you want to change this behavior, you should use -d.
  • mFeinstein
    mFeinstein about 7 years
    According to this website: cyberciti.biz/faq/understanding-etcpasswd-file-format uid from 1-99 should be to predefined accounts...so isn't it wrong to put tomcat on uid 91?
  • svq
    svq about 7 years
    It's not wrong because these accounts usually predefined by Linux distribution developers. Fedora project developers decided to assign uid 91 to tomcat - ok, no problem. The tomcat package can be installed "out of the box" with Fedora Linux, so user tomcat is predefined. If you want to install tomcat manually from tarball (with manually created user) it's better to choose uid > 99.
  • mFeinstein
    mFeinstein about 7 years
    ohhh interesting, I didn't know they reserved these uids to services from outside linux itself. thanks!
  • Community
    Community over 2 years
    As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Starting Tomcat Service when starting CentOS/RHEL/Fedora
Systemd tomcat.service failed with no errors
Getting error chown: invalid group: ‘nobody:nogroup’ while setting up an NFS server drive ownership permission
FTP 553 Could not create file (centOS)
JasperReports: java.lang.NoClassDefFoundError: Could not initialize class net.sf.jasperreports.engine.util.JRStyledTextParser
Adding java_opts params in Tomcat 6
Tomcat 7 javax.el.ELException
How to start tomcat7 when catalina.sh does not work?
Package: git-1.7.6.1-1.el5.rf.i386 (rpmforge) Requires: libcurl.so.3
How to install Tomcat 7.0.42 on Ubuntu 12.04.3 LTS?