Security – Create restricted user on Debian server

bashSecurityshelluser-accounts

I want to create a user account for each of the key programs installed on my debian server. For example, for the following programs:

Tomcat Nginx Supervisor PostgreSQL

This seems to be recommended based on my reading online. However, I want to restrict these user accounts as much as possible, so that they dont have a shell login, dont have access to the other programs and are as limited as possible but still functional.

Would anyone mind telling me how this could be achieved? My reading so far suggests this:

echo "/usr/sbin/nologin" >> /etc/shells
useradd -s /usr/sbin/nologin tomcat

But I think there may be a more complete way of doing it.

EDIT: I'm using debian squeeze

Best Answer

That's the right track, but you'll want to indicate that it's a system user so that /etc/shadow won't have any aging information. From the useradd man page:

-r, --system

      Create a system account.

      System users will be created with no aging information in /etc/shadow, and their numeric identifiers are choosen in the
      SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of
      groups).

      Note that useradd will not create a home directory for such an user, regardless of the default setting in /etc/login.defs
      (CREATE_HOME). You have to specify the -m options if you want a home directory for a system account to be created.

So you'll want something along the lines of:

useradd -s /usr/sbin/nologin -r -M tomcat

You can also create a home directory if you want, maybe something that belongs to the service, for example:

useradd -s /usr/sbin/nologin -r -M -d /etc/nginx nginx
Related Topic