[Techtalk] creating a system user with no privileges
Conor Daly
c.daly at met.ie
Thu May 20 09:12:21 EST 2004
On Wed, May 19, 2004 at 02:47:03PM -0700 or thereabouts, Carla Schroder wrote:
> OK my little geeklings, what's the most universal way to create a system user
> with no login, no homedir, and no password? I'm used to using adduser
> --system --no-create-home --disabled-password --disabled-login <name>
>
> But I don't think adduser is standard except for Debian and Slackware, most
> distros use useradd, do they not? And I don't see obvious options in man
> useradd for doing the same thing.
Isn't that what user 'nobody' is for?
grep nobody /etc/passwd /etc/shadow
/etc/passwd:nobody:x:99:99:Nobody:/:
/etc/shadow:nobody:*:11414:0:99999:7:::
No home dir (well, '/' but no permissions on it), no shell, no login. Now,
interestingly, there's nothing in the 'shell' field for 'nobody's entry
while for user 'named' there's:
grep named /etc/passwd /etc/shadow
/etc/passwd:named:x:25:25:Named:/var/named:/bin/false
/etc/shadow:named:!!:11414:0:99999:7:::
which has a 'shell' of /bin/false which is effectively no shell. The
password entry in /etc/shadow is '!!' rather than '*' for nobody. Does
'--system' simply assign a uid < 100?
Looking at 'man useradd' it appears that:
SYNOPSIS
useradd [-c comment] [-d home_dir]
[-e expire_date] [-f inactive_time]
[-g initial_group] [-G group[,...]]
[-m [-k skeleton_dir] | -M] [-n] [-o] [-p passwd] [-r]
[-s shell] [-u uid] login
-d home_dir
The new user will be created using home_dir as the value for the
user's login directory. The default is to append the login name
to default_home and use that as the login directory name.
-m The user's home directory will be created if it does not exist.
The files contained in skeleton_dir will be copied to the home
directory if the -k option is used, otherwise the files
contained in /etc/skel will be used instead. Any directories
contained in skeleton_dir or /etc/skel will be created in the
user's home directory as well. The -k option is only valid in
conjunction with the -m option. The default is to not create
the directory and to not copy any files.
^^^^^^^^^^^
-p passwd
The encrypted password, as returned by crypt(3). The default is
to disable the account.
^^^^^^^^^^^
-s shell
The name of the user's login shell. The default is to leave
this field blank, which causes the system to select the default
login shell.
^^^^^^^^^^^
-u uid The numerical value of the user's ID. This value must be
unique, unless the -o option is used. The value must be non-
negative. The default is to use the smallest ID value greater
than 99 and greater than every other user. Values between 0 and
99 are typically reserved for system accounts.
^^^^^^^^^^^
The upshot of that is that the recipe for Carla's unprivileged user is
something like:
useradd -d / -s /bin/false -u <xx> <name>
where xx < 100
Assuming that 'useradd -D' returns values like:
root]# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
The important ones are EXPIRE and INACTIVE. If these have values other than
those above, you'll have to specify suitable values with the '-e' and '-f'
switches.
It also says:
AUTHOR
Julianne Frances Haugh
lest we forget the calibre of people we have here...
Conor
--
Conor Daly,
Met Eireann, Glasnevin Hill,
Dublin 9, Ireland
Ph +3531 8064276 Fax +3531 8064247
Please avoid sending me Word or PowerPoint attachments.
http://www.fsf.org/philosophy/no-word-attachments.html
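An added example, not part of Conor's post or the shadow suite: a small POSIX sh audit that checks a finished account for the properties the useradd recipe aims at (no usable shell, no home directory of its own, a disabled password, and a uid in the system range below 100, as the man page excerpt states). PASSWD_FILE and SHADOW_FILE are assumed names; the nobody and named entries are the ones quoted above and svc is a constructed counterexample.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an account for the
# properties the useradd recipe above aims at (no usable shell, no home
# directory of its own, disabled password, uid in the system range < 100).
# PASSWD_FILE/SHADOW_FILE are assumed names; they default to constructed
# sample files so this runs without root. Point them at /etc/passwd and
# /etc/shadow (as root) to check a live system.

PASSWD_FILE=${PASSWD_FILE:-./passwd.sample}
SHADOW_FILE=${SHADOW_FILE:-./shadow.sample}

# Constructed samples: nobody and named are the entries quoted in the post,
# svc is a made-up counterexample with a real shell, home and password.
write_samples() {
    cat > "$PASSWD_FILE" <<'EOF'
nobody:x:99:99:Nobody:/:
named:x:25:25:Named:/var/named:/bin/false
svc:x:501:501:Service:/home/svc:/bin/bash
EOF
    cat > "$SHADOW_FILE" <<'EOF'
nobody:*:11414:0:99999:7:::
named:!!:11414:0:99999:7:::
svc:$1$constructedhash:11414:0:99999:7:::
EOF
}

# audit_user NAME: prints one line per finding; returns 0 only if the
# account is locked down, 1 if a finding was made, 2 if it does not exist.
audit_user() {
    name=$1
    pw=$(grep "^$name:" "$PASSWD_FILE") || { echo "$name: no passwd entry"; return 2; }
    shd=$(grep "^$name:" "$SHADOW_FILE") || { echo "$name: no shadow entry"; return 2; }
    uid=$(echo "$pw" | cut -d: -f3)
    home=$(echo "$pw" | cut -d: -f6)
    shell=$(echo "$pw" | cut -d: -f7)
    hash=$(echo "$shd" | cut -d: -f2)
    rc=0
    case $shell in ''|/bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "$name: login shell is '$shell'"; rc=1 ;; esac
    case $hash in '*'|'!'*) ;;   # a literal '*' or a leading '!' means locked
        *) echo "$name: password is not disabled"; rc=1 ;; esac
    [ "$uid" -lt 100 ] || { echo "$name: uid $uid is outside the system range"; rc=1; }
    [ "$home" = / ] || { echo "$name: home directory is $home (recipe uses /)"; rc=1; }
    return $rc
}

write_samples
for u in nobody named svc; do audit_user "$u" && echo "$u: locked down"; done
```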