When deploying a production service in Linux you want to configure it as securely as possible. Ideally, you will create a unique Linux user for each service and give them only read and write permission to the exact files they need.
You can go even further and create a "system" user that has no home directory, no login shell, and no password. This prevents the user from being able to log in and gives them no home directory in which to store files.
If the service is ever compromised, this limits the actions an attacker can take as the user running the service.
This example will show you how to create a system user with:
- No home directory
- No login shell
- No password (cannot log in)
We will also cover how to change ownership and permissions for files and directories to give your system user write access.
Create Linux system user
The useradd example below will create a user with no home directory, no login shell, and no password.
sudo useradd --system --no-create-home --shell=/sbin/nologin myuser
The useradd command above will also create a group of the same name. The group is useful when you want root to own a file but want your new system user (via their group) to have write access. See the next section for more notes on permissions.
These commands ensure the root user owns everything, while the new system user gets write access via the group.
# Common permission settings for a deployment
sudo chown -R root:myuser /path/to/change
sudo chmod -R 775 /path/to/change
The -R flag is only needed when you want the change applied recursively.
Note that you may need to grant write permission on a directory as well. For example, if the user has write access to a file but not to the directory it is in, the user will not be able to write to the file.
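As an added example (not part of the original post), the following script wraps the two steps above into one deployment helper: it creates the account with the exact useradd line from the post and applies the root:group ownership pattern. The verification functions, the username pattern, the "check_*" names and the scratch-directory demo are assumptions made for this example; the account check reads the passwd entry via getent so it needs no root, and the permission demo runs against a temporary directory owned by the current user so it can be exercised without root as well.

```shell
#!/bin/sh
# Added example, not from the original post. "myuser" and the useradd
# options are the post's; helper names and checks are assumptions.
set -u

# Only accept the conservative username pattern useradd allows by default.
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Creates the system account exactly as in the post. Idempotent: does
# nothing if the account already exists. Must be run as root.
create_service_user() {
    user="$1"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    if getent passwd "$user" >/dev/null; then
        echo "user $user already exists" >&2
        return 0
    fi
    useradd --system --no-create-home --shell=/sbin/nologin "$user"
}

# Checks one /etc/passwd line (name:x:uid:gid:gecos:home:shell) for the
# properties we want: a system-range UID (below 1000 on most distros), a
# home directory that does not exist on disk, and a non-login shell.
check_passwd_entry() {
    IFS=: read -r name _ uid _ _ home shell <<EOF
$1
EOF
    [ -n "$name" ] || return 1
    [ "$uid" -lt 1000 ] 2>/dev/null || return 1
    [ ! -d "$home" ] || return 1
    case "$shell" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Checks one /etc/shadow line: a password field of "!" or "*" (or starting
# with "!") means the account is locked, which is what useradd sets when
# no password is given. Reading /etc/shadow itself requires root.
check_shadow_entry() {
    pw=$(printf '%s' "$1" | cut -d: -f2)
    case "$pw" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# Checks the live account through getent (works without root).
verify_service_user() {
    entry=$(getent passwd "$1") || return 1
    check_passwd_entry "$entry"
}

# The post's ownership pattern: the owner (root in production) owns the
# tree, the service group can write. Owner and group are parameters so
# the same function can be exercised without root in the demo below.
set_deploy_perms() {
    chown -R "$1:$2" "$3" && chmod -R 775 "$3"
}

# Prints "owner:group mode", e.g. "root:myuser 775" (GNU stat syntax).
perm_summary() {
    stat -c '%U:%G %a' "$1"
}

# Non-root demo on a scratch directory owned by the current user and
# their primary group; prints the resulting summary for one file.
set_deploy_perms_demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/releases" && : > "$dir/releases/app.conf"
    set_deploy_perms "$(id -un)" "$(id -gn)" "$dir"
    perm_summary "$dir/releases/app.conf"
    rm -rf "$dir"
}
```

In production you would run create_service_user myuser as root, then set_deploy_perms root myuser /path/to/change, and finish with verify_service_user myuser and perm_summary on a file under the deployment path to confirm the account and ownership look the way the post describes.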
The useradd command has many options; you can view more details from the terminal using the following commands.
# View all options
useradd --help
# View the manual page
man useradd
You can also view a copy of the man page online at https://linux.die.net/man/8/useradd.
After reading this you should understand how to create a new Linux user with limited features, such as no home directory and no login shell, for enhanced security.