I use apache2-mpm-itk to run one of my web applications with a custom uid and gid, both for audit and security reasons. This works nicely, however I am not sure what kind of privileges this user would need. I am currently doing something like

    useradd mywebapp -U -d/tmp -c"Custom webapp User"

but that creates pretty much a regular user.
So first a newbie question: how do I add a 'system' user that cannot be used for e.g. SSHing in or does not appear in the login screen on Ubuntu Desktop?
And what kind of privileges would I need to give this user? E.g. I assume that www-data can write to the Apache log files, so it needs something more than a regular user. But at the same time I don't want to give it more privileges than necessary to run my webapp, definitely not root.
Best Answer
will work just fine for your requirement. It creates the user with unset/random password. If you insist on disabling shell access to the user you could change the shell option for this user to /bin/false with commands like
As for not showing username in GDM login screen, you need to give the username UID below 1000. This makes Ubuntu treat the user as a system user, which then won't show up on the login screen.
Add the user in whatever way you prefer (maybe just like above), and then run:
Where 599 is an unused UID below 1000, and username is your new user.
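
The properties discussed in the answers above (a UID below 1000, a non-login shell such as /bin/false, no usable password) can be checked for an existing account. This is an added example, not part of the original posts: the function names and the sample passwd/shadow lines are constructed, and accepting /usr/sbin/nologin and /sbin/nologin alongside /bin/false is an assumption.

```shell
#!/bin/sh
# Added example: audit a service account's passwd(5)/shadow(5) entries.
UID_LIMIT=1000   # UIDs below this are treated as system users (per the answer)

# Constructed sample entries (not taken from a real system).
GOOD_PASSWD='mywebapp:x:599:599:Custom webapp User:/tmp:/bin/false'
GOOD_SHADOW='mywebapp:!:19000:0:99999:7:::'
BAD_PASSWD='mywebapp:x:1001:1001:Custom webapp User:/tmp:/bin/bash'
BAD_SHADOW='mywebapp:$6$CONSTRUCTED$notarealhash:19000:0:99999:7:::'

# field LINE N -> Nth colon-separated field of LINE
field() { printf '%s\n' "$1" | cut -d: -f"$2"; }

# audit_account PASSWD_LINE SHADOW_LINE
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_account() {
    name=$(field "$1" 1); uid=$(field "$1" 3); shell=$(field "$1" 7)
    hash=$(field "$2" 2); rc=0

    case $uid in
        ''|*[!0-9]*) echo "$name: UID '$uid' is not numeric"; rc=1 ;;
        *)  if [ "$uid" -ge "$UID_LIMIT" ]; then
                echo "$name: UID $uid is not below $UID_LIMIT"; rc=1
            fi ;;
    esac

    case $shell in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) ;;
        '') echo "$name: empty shell field, which defaults to /bin/sh"; rc=1 ;;
        *)  echo "$name: shell $shell is not a no-login shell"; rc=1 ;;
    esac

    case $hash in
        '!'*|'*'*) ;;   # locked or no valid hash: password login impossible
        '') echo "$name: empty password field, no password required"; rc=1 ;;
        *)  echo "$name: usable password hash present"; rc=1 ;;
    esac
    return $rc
}

# Demo on the constructed entries. On a live host, pass
# "$(getent passwd NAME)" and "$(getent shadow NAME)" (the latter as root).
audit_account "$GOOD_PASSWD" "$GOOD_SHADOW" && echo "good sample: clean"
audit_account "$BAD_PASSWD" "$BAD_SHADOW" || echo "bad sample: findings above"
```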