Linux – In what condition, should I create a system user instead of a normal user

linuxsystem-useruseraddusers

From the adduser command, I saw the option --system to create a system user.
A system user will use /bin/false and by default belong to nogroup. It also won't copy the /etc/skel to the home directory.

In which condition would I prefer to create a system user?

Best Answer

When you are creating an account to run a daemon, service, or other system software, rather than an account for interactive use.

Technically, it makes no difference, but in the real world it turns out there are long term benefits in keeping user and software accounts in separate parts of the numeric space.

Mostly, it makes it easy to tell what the account is, and if a human should be able to log in.

Related Solutions

Linux – create home directories after create users

This might sound like a silly idea, but if the users aren't actually doing anything, you could do:

cat /etc/passwd | cut -f 1 -d : >/tmp/users.list

Then edit /tmp/users.list to only contain the users you want. Then do:


for i in `cat /tmp/users.list`
do
    userdel $i
    useradd -m $i
done

However, many Redhat based distributions will create you a new home directory when you first login, providing it is specified in /etc/passwd where the directory should be.

To test that, do an "su - " and see if it does "the right thing". If it doesn't, the above script will work quite nicely, I think.

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Best Answer

Related Solutions

Linux – create home directories after create users

Linux – How to run a server on port 80 as a normal user on Linux

Related Topic