System user linux security

How to Create a Secure Linux System User

When deploying a production service in Linux you want to configure it as securely as possible. Ideally, you will create a unique Linux user for each service and give them only read and write permission to the exact files they need.

You can go even further and create a "system" user that has no home directory, no login shell, and no password. This prevents the user from logging in and gives them no home directory in which to store files.

If the service was ever compromised this limits the actions an attacker can take with the user running the service.

This example will show you how to create a system user with no home directory, no login shell, and no password.

We will also cover how to change ownership and permissions for files and directories to give your system user write access.

Create Linux system user

This useradd example will create a user with no home directory, no login shell, and no password.

sudo useradd --system --no-create-home --shell=/sbin/nologin myuser 

Setting permissions

The useradd command above will also create a group of the same name. The group is useful when you want root to own a file but you want your new system user (via their group) to have write access. See the next section for more notes on permissions.

These commands will ensure the root user owns everything, but the new system user will have write access via the group.

# Common permission settings for a deployment
sudo chown -R root:myuser /path/to/change
sudo chmod -R 775 /path/to/change

The -R is only needed if you want to make changes recursively.


Note that you may also need to grant write permission on the directory. For example, if the user has write access to a file but not to the directory that contains it, then it will not be able to write to the file.
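As an added example (this is not code from the original article), here is a small POSIX shell check to run after the chown/chmod commands above: it walks a deployment tree and reports every directory or regular file whose mode, owner or group differs from the intended layout. It assumes GNU coreutils stat(1) and takes numeric uid/gid values (for example from id -u root and getent group myuser); the function names, the expected modes and the sample tree in the usage are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article.
# audit_deploy_tree PATH UID GID DIR_MODE FILE_MODE
# Walks PATH and prints one line for every directory or regular file whose
# octal mode, numeric owner or numeric group differs from what was expected.
# Prints nothing when the whole tree matches. Assumes GNU coreutils stat(1).
audit_deploy_tree() {
    path=$1; want_uid=$2; want_gid=$3; dir_mode=$4; file_mode=$5
    # Symlinks are skipped: find's -type d / -type f do not match them and
    # their own mode bits are not meaningful on Linux. Names containing a
    # newline would confuse `read`; deployment trees should not have any.
    find "$path" \( -type d -o -type f \) -exec stat -c '%F|%a|%u|%g|%n' {} + |
    while IFS='|' read -r kind mode uid gid name; do
        case $kind in
            directory) want_mode=$dir_mode ;;
            *)         want_mode=$file_mode ;;   # "regular file" / "regular empty file"
        esac
        if [ "$mode" != "$want_mode" ] || [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            printf '%s: is %s %s:%s, expected %s %s:%s\n' \
                "$name" "$mode" "$uid" "$gid" "$want_mode" "$want_uid" "$want_gid"
        fi
    done
}

# audit_deploy_tree_count: same arguments, prints only the number of
# mismatches, which makes the check easy to gate a deployment script on.
audit_deploy_tree_count() {
    audit_deploy_tree "$@" | wc -l | tr -d ' '
}

# Usage on a real host (assumed path and group name):
#   audit_deploy_tree /path/to/change 0 "$(getent group myuser | cut -d: -f3)" 775 664
```

Two caveats worth knowing when using it: chmod -R 775 marks every regular file executable as well as the directories, so the usual way to apply different modes is a pair of find -type d -exec chmod 775 and find -type f -exec chmod 664 commands (which is why the check takes separate directory and file modes); and to create new files (logs, temporary files) the service needs write and search permission on the directory itself, not only on the files that already exist in it.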

More options

The useradd command has many options and you can view more details from the terminal using the following commands.

# View all options
useradd --help

# View the manual page
man useradd

You can also view a copy of the man page online at https://linux.die.net/man/8/useradd.

Conclusion

After reading this you should understand how to create a new Linux user with restricted capabilities, such as no home directory and no login shell, for enhanced security.


System Users and Human Users in Linux Explained with Examples


In this article, we will look into the two types of user in Linux: system users and human users. As you probably know, every Linux system has an entity called a user which performs a range of system management tasks. Each user has a unique UID (User ID) and GID (Group ID). Similarly, there is another entity called a group, which is a collection of users and has its own role to play. User and group management is an integral part of Linux system administration and needs to be understood in detail. Here we will look at the different types of users in detail, with examples.


There are basically two types of users in Linux: human users and system users.

Human Users

Each user has a unique UID (User ID) and GID (Group ID). Whenever a user is created, it gets a home directory where all personal files and folders can be stored.


Switch to the home directory, then create a new user. Notice that whenever a new user is created, its home directory is created as well.

[root@cyberithub home]# pwd
/home
[root@cyberithub home]# useradd cyberithub
[root@cyberithub home]# ls
cyberithub

Human users are further divided into two types:

  • Root user -> also known as the superuser; has all privileges and full control to do anything on the system.
  • Common user -> also known as an unprivileged user; has limited rights, restricted to operations on the files and directories they own. Normal users can be given different levels of privilege, up to complete root privilege, based on need and requirements.

System Users

System users mostly run system services and background processes, also known as non-interactive processes. System users do not own a home directory. Details of all created users can be found in the /etc/passwd file, and details of all active groups in the /etc/group file.

The root user has the privileges to add, delete and update any users and groups. Below are the useful commands for performing operations on users and groups.

a) useradd -> to create a new user

[root@cyberithub home]# useradd cyberithub
[root@cyberithub home]# grep cyberithub /etc/passwd
cyberithub:x:1003:1003::/home/cyberithub:/bin/bash

b) userdel -> to delete an existing user

[root@cyberithub home]# userdel cyberithub

c) groupadd -> to create a new group

[root@cyberithub home]# groupadd cyberithub
[root@cyberithub home]# grep cyberithub /etc/group
cyberithub:x:1003:

d) groupdel -> to delete an existing group

[root@cyberithub home]# groupdel cyberithub

e) usermod -> make changes to an existing user. Many operations can be performed once the user is created, such as adding a comment, changing the password or changing the home directory. One example is given below: we change the home directory of user cyberithub from /home/cyberithub to /home/gpuser.

[root@cyberithub home]# grep cyberithub /etc/passwd
cyberithub:x:1003:1003::/home/cyberithub:/bin/bash
[root@cyberithub home]# usermod -d /home/gpuser cyberithub
[root@cyberithub home]# grep cyberithub /etc/passwd
cyberithub:x:1003:1003::/home/gpuser:/bin/bash

f) passwd -> create or change the password of any user

[root@cyberithub home]# passwd cyberithub
Changing password for user cyberithub.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

How to Find UID and GID of a user

To find the UID or GID of any user, simply execute the commands below.


a) id -> to view the UID and GID of the current user

[root@cyberithub home]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023

b) id user_name -> to view the UID and GID of a particular user

[root@cyberithub home]# id cyberithub
uid=1003(cyberithub) gid=1003(cyberithub) groups=1003(cyberithub)

Create System User

System users can also be created with the useradd command, but with some extra flags. Below we create a system user called 'cyberuser', where:

  • -r -> creates a system user, with a UID in the numerical range reserved for system users
  • -s -> specifies the login shell
  • /bin/false -> a dummy command that prevents the user from logging into the system

[root@cyberithub home]# useradd -rs /bin/false cyberuser
[root@cyberithub home]# grep cyberuser /etc/passwd
cyberuser:x:997:993::/home/cyberuser:/bin/false

Create System group

A system group can be created in the same way, using groupadd with the -r flag.

[root@cyberithub home]# groupadd -r cyberuser
[root@cyberithub home]# grep cyberuser /etc/group
cyberuser:x:993:

Good To Know

Human users differ from system users in the UID and GID ranges assigned to them. These ranges are set in the /etc/login.defs file. Notice in the section of the file below that the UID and GID ranges differ for system and human users.

[root@cyberithub home]# view /etc/login.defs
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999
#
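As an added example that is not part of the original article, the following POSIX shell functions turn the login.defs ranges above into a small audit: they classify every account in a passwd file as root, static, system, human or other according to those ranges, and list the system accounts that still have an interactive shell (the opposite of the -s /bin/false and /sbin/nologin settings shown earlier). The sample passwd and login.defs excerpts are constructed, the account names and values in them are assumptions, and on a real host you would pass /etc/passwd and /etc/login.defs instead.

```shell
#!/bin/sh
# Added example, not part of the original article.

# login_defs_value FILE KEY -> prints the value of KEY (e.g. SYS_UID_MIN)
# from a login.defs-style file; comment lines start with "#" and never match.
login_defs_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# classify_accounts PASSWD_FILE LOGIN_DEFS_FILE
# Prints "name uid class shell" for every account:
#   root   - UID 0
#   static - 0 < UID < SYS_UID_MIN, statically assigned accounts such as bin
#   system - SYS_UID_MIN..SYS_UID_MAX, the range useradd -r allocates from
#   human  - UID_MIN..UID_MAX, the range plain useradd allocates from
#   other  - anything else (nobody is 65534 on most distributions)
classify_accounts() {
    sys_min=$(login_defs_value "$2" SYS_UID_MIN)
    sys_max=$(login_defs_value "$2" SYS_UID_MAX)
    uid_min=$(login_defs_value "$2" UID_MIN)
    uid_max=$(login_defs_value "$2" UID_MAX)
    awk -F: -v smin="$sys_min" -v smax="$sys_max" -v umin="$uid_min" -v umax="$uid_max" '
        {
            uid = $3 + 0
            if (uid == 0)                        class = "root"
            else if (uid < smin)                 class = "static"
            else if (uid <= smax)                class = "system"
            else if (uid >= umin && uid <= umax) class = "human"
            else                                 class = "other"
            print $1, uid, class, $7
        }' "$1"
}

# system_accounts_with_shell PASSWD_FILE LOGIN_DEFS_FILE
# Prints the names of static/system accounts whose shell is not one of the
# non-login shells (/sbin/nologin, /usr/sbin/nologin, /bin/false). An empty
# shell field means /bin/sh, so it is reported too.
system_accounts_with_shell() {
    classify_accounts "$1" "$2" | awk '
        ($3 == "system" || $3 == "static") && $4 !~ /\/(s?bin\/nologin|bin\/false)$/ { print $1 }'
}

# make_sample_files -> creates a temporary directory holding a constructed
# passwd file and login.defs excerpt (assumed values) and prints its path.
make_sample_files() {
    dir=$(mktemp -d)
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
myuser:x:996:996::/:/sbin/nologin
cyberuser:x:997:993::/home/cyberuser:/bin/false
backup:x:998:998::/var/backups:/bin/bash
cyberithub:x:1003:1003::/home/cyberithub:/bin/bash
nobody:x:65534:65534:nobody:/:/usr/sbin/nologin
EOF
    cat > "$dir/login.defs" <<'EOF'
# Constructed excerpt in the layout of /etc/login.defs
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
EOF
    printf '%s\n' "$dir"
}
```

On the constructed sample, classify_accounts reports cyberithub as human and cyberuser and myuser as system, while system_accounts_with_shell prints only backup, the system account that was left with /bin/bash; on a real host that list is the set of service accounts to move to /sbin/nologin or /bin/false.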
