I run a service on a Debian/Linux machine which runs at boot in a 'screen' session I can always attach to.
I would like to create a username which I can run this service as. At the moment I use a 'regular' login account. I would like the added security of a username dedicated to this service (similar to the way 'nobody' or 'web' are used with Apache).
Requirements:
- No ability to login, locally or remotely (so no password to manage)
- Ability for approved users to gain access to the screen session, and interact with the service.
I imagine the solution will have creative use of su/sudo and the details of how to create the account.
Best Answer
First, create the account the 'screen' session runs as (say it's called 'screenimage'), as well as a group of users allowed to use it (say 'screenusers'):

Then for each user allowed to use it, add them to the 'screenusers' group:

Then, add approved users to '/etc/sudoers': run 'visudo' and add the line

ETA: To address the other answers on this post: the '--system' option creates accounts with no shell or password. The 'sudoers' line means that the users are clamped to running 'screen', as the 'screenimage' user only.
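The commands the answer refers to did not survive on this page. The script below is an added example (not the answerer's code) of the same procedure: a locked-down system account, an access group, and a sudo rule restricted to running screen as that account. It assumes the 'screenimage' and 'screenusers' names from the answer, that screen is installed at /usr/bin/screen, and that the rule goes into a drop-in file under /etc/sudoers.d instead of being typed into /etc/sudoers by hand.

```shell
#!/bin/sh
# Added example. Account and group names follow the answer above; the sudoers
# drop-in path and the use of /usr/sbin/nologin are assumptions, not from the page.

SVC_USER=screenimage
SVC_GROUP=screenusers

# Build the sudoers rule: members of the group may run only the screen binary,
# only as the service account, without a password prompt. Nothing is installed here.
build_sudoers_rule() {
    # $1 = group, $2 = account to run as, $3 = absolute path of screen
    printf '%%%s ALL=(%s) NOPASSWD: %s\n' "$1" "$2" "$3"
}

# Create the access group and the service account. --system gives the account
# no password and no aging; the shell is set to nologin explicitly so no one
# can log in as it even if a password were ever set. Idempotent on re-runs.
create_service_account() {
    getent group "$SVC_GROUP" >/dev/null || groupadd --system "$SVC_GROUP"
    getent passwd "$SVC_USER" >/dev/null || useradd --system \
        --shell /usr/sbin/nologin \
        --home-dir "/var/lib/$SVC_USER" --create-home "$SVC_USER"
}

# Allow an existing login account to reach the session by adding it to the group.
grant_access() {
    usermod -aG "$SVC_GROUP" "$1"
}

# Write the rule to a temp file, syntax-check it with visudo, and only then
# install it read-only for root into /etc/sudoers.d.
install_sudoers_rule() {
    screen_bin=$(command -v screen || echo /usr/bin/screen)
    tmp=$(mktemp) || return 1
    build_sudoers_rule "$SVC_GROUP" "$SVC_USER" "$screen_bin" > "$tmp"
    if visudo -cf "$tmp"; then
        install -m 0440 "$tmp" "/etc/sudoers.d/$SVC_USER"
        rc=0
    else
        echo "sudoers rule rejected by visudo; not installed" >&2
        rc=1
    fi
    rm -f "$tmp"
    return "$rc"
}

# Approved users then attach with:  sudo -u screenimage screen -r
```

Run create_service_account, grant_access <user> and install_sudoers_rule as root, in that order; build_sudoers_rule alone needs no privileges and lets you inspect the rule before installing it.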