I've manually installed a service called Gate One into /opt
. I want to harden its security, so I thought I'd create a system account for it to use, because of least necessary privileges, and all that.
However, when I ran adduser --system gateone
, it created a home directory, which I didn't really want. Therefore, I ran adduser --system --home-dir /opt/gateone gateone
, because I'd seen some system accounts setting home directories pertaining to them. However, this made the login shell /bin/sh
instead of /bin/false
, which it had done the first time (when I didn't specify a home directory). I'm a bit confused now on what I should set these fields as.
tl;dr: when creating a system account on a *NIX operating system, what are the best practices for setting the home directory, the login shell, and anything else that's relevant? Why?
Note: I'm using Ubuntu 13.04 Raring, if it matters, since IIRC adduser
can vary quite a bit distribution-to-distribution.
Best Answer
There isn't really a specific best practice, except that the shell should be /bin/false unless a shell is needed, the password hash should be
!
unless the user is expected to log in, a descriptive name should be given, and a home directory should be set to/dev/null
or similar if the application doesn't require a valid home directory. The user should have its own group, preferably in the system ID range; if it doesn't require a primary GID of root, for instance, don't give it one, and certainly don't give it users without a specific requirement. It all depends. Specify everything you care about (seeman adduser
for all the available options).