Want some programming help? [close]

How to Create a Secure Linux System User

Introduction

When deploying a production service in Linux you want to configure it as securely as possible. Ideally, you will create a unique Linux user for each service and give them only read and write permission to the exact files they need.

You can go even further and create a "system" user that has no home directory, no login shell, and no password. This prevents the user from being able to login and does not provide a home directory for them to store files.

If the service was ever compromised this limits the actions an attacker can take with the user running the service.

This example will show you how to create a system user with:

  • No home directory
  • No logn shell
  • No password (Can't login)

We will also cover how to change ownership and permissions for files and directories to give your system user write access.

Create Linux system user

This useradd example will create a user with no home directory, no login shell, and no password.

sudo useradd --system --no-create-home --shell=/sbin/nologin myuser

Setting permissions

The useradd command above will also create a group of the same name. The group is useful when you want root to own a file but you want your new system user (via their group) to have write access. See the next section for more notes on permissions.

These commands will ensure the root user owns everything, but the new system user will have write access via the group.

# Common permission settings for a deployment
sudo chown -R root:myuser /path/to/change
sudo chmod -R 775 /path/to/change

The -R is only needed if you want to make changes recursively.

Note you may need to grant write permission on a directory. For example, if the user has write access to a file but not the directory it is in, then it will not be able to write to the file.

More options

The useradd command has many options and you can view more details from the terminal using the following commands.

# View all options
useradd --help
# View the manual page
man useradd

You can also view a copy of man page online at https://linux.die.net/man/8/useradd.

Conclusion

After reading this you should understand how to create a new Linux user that has limited features like no home directory and no login shell for enhanced security.

References

Advertisement