[Techtalk] creating a system user with no privileges

Carla Schroder carla at bratgrrl.com
Thu May 20 10:53:59 EST 2004


On Thursday 20 May 2004 2:12 am, Conor Daly wrote:
> On Wed, May 19, 2004 at 02:47:03PM -0700 or thereabouts, Carla Schroder wrote:
> > OK my little geeklings, what's the most universal way to create a system user 
> > with no login, no homedir, and no password? I'm used to using adduser 
> > --system --no-create-home --disabled-password --disabled-login <name>
> > 
> > But I don't think adduser is standard except for Debian and Slackware, most 
> > distros use useradd, do they not? And I don't see obvious options in man 
> > useradd for doing the same thing.
> 
> Isn't that what user 'nobody' is for?
> 
> grep nobody /etc/passwd /etc/shadow
> /etc/passwd:nobody:x:99:99:Nobody:/:
> /etc/shadow:nobody:*:11414:0:99999:7:::

Some programs, like Postfix, warn against using 'nobody'. If the installation 
does not create the required Postfix users, you have to create them manually. 
Or when I'm torture-testing some poor innocent app, I want to create 
minimally-privilege users just for testing.

> The upshot of that is that the recipe for Carla's unprivileged user is
> something like:
> 
> useradd -d / -s /bin/false -u <xx> <name> 
> 
> where xx < 100
> 
> Assuming that 'useradd -D' returns values like:
> 
> root]# useradd -D
> GROUP=100
> HOME=/home
> INACTIVE=-1
> EXPIRE=
> SHELL=/bin/bash
> SKEL=/etc/skel
> 
> The important ones are EXPIRE and INACTIVE.  If these have values other than
> those above, you'll have to specify suitable values with the '-e' and '-f'
> switches.

Kewl, that makes sense. 

>               The default is to use the smallest ID value greater
>               than 99 and greater than every other user.  Values between 0 and
>               99 are typically reserved for system accounts.
>                          ^^^^^^^^^^^

This varies between systems. Red Hat system accounts are < 500, Debian's are < 1000.

> AUTHOR
>        Julianne Frances Haugh
> 
> lest we forget the calibre of people we have here...
> 

Right on!

Thanks Conor, I was looking at man useradd, and just not getting it.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Carla Schroder
this message brought to you
by Libranet 2.8 and Kmail
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
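An added audit helper (not code from this thread) that checks a passwd/shadow entry pair against the "no login, no home, no password" recipe discussed above; the system-UID boundary is a parameter because it is distro-dependent, and the sample entries at the bottom are constructed.

```shell
#!/bin/sh
# Added audit helper, not code from the thread: checks a passwd/shadow entry pair
# against the "no login, no home, no password" recipe. The system-UID boundary
# is distro-dependent (Red Hat < 500, Debian < 1000), so it is a parameter.

# check_unprivileged PASSWD_LINE SHADOW_LINE [SYSTEM_UID_MAX]
# Prints one line per problem and returns 1; returns 0 if the account is clean.
check_unprivileged() {
    pw=$1; sh=$2; uid_max=${3:-1000}; rc=0
    name=$(printf '%s\n' "$pw" | cut -d: -f1)
    uid=$(printf '%s\n' "$pw" | cut -d: -f3)
    home=$(printf '%s\n' "$pw" | cut -d: -f6)
    shell=$(printf '%s\n' "$pw" | cut -d: -f7)
    hash=$(printf '%s\n' "$sh" | cut -d: -f2)
    expire=$(printf '%s\n' "$sh" | cut -d: -f8)

    # UID: must sit in the system range, and must never be root.
    if [ "$uid" -eq 0 ] || [ "$uid" -ge "$uid_max" ]; then
        echo "$name: uid $uid is outside the system range 1..$((uid_max - 1))"; rc=1
    fi
    # Shell: only a known non-login shell blocks interactive login; an empty
    # field means /bin/sh, which is why the recipe passes -s /bin/false.
    case "$shell" in
        /bin/false|/sbin/nologin|/usr/sbin/nologin) ;;
        *) echo "$name: shell '$shell' allows interactive login"; rc=1 ;;
    esac
    # Home: useradd's default HOME=/home would give the account a real home
    # directory, which is why the recipe passes -d /.
    case "$home" in
        /home/*) echo "$name: home $home looks like a real user home"; rc=1 ;;
    esac
    # Password: "no password" has to mean a locked field (* or !), because an
    # empty shadow field lets the account in without any password at all.
    case "$hash" in
        \**|!*) ;;
        *) echo "$name: password field is not locked"; rc=1 ;;
    esac
    # Expiry: an EXPIRE default already in the past disables the account outright.
    if [ -n "$expire" ] && [ "$expire" -le $(( $(date +%s) / 86400 )) ]; then
        echo "$name: account expired on day $expire"; rc=1
    fi
    return $rc
}
# Constructed samples: one modelled on the thread's 'nobody' entry (with an
# explicit /bin/false), one created with plain useradd defaults.
GOOD_PW='nobody:x:99:99:Nobody:/:/bin/false'; GOOD_SH='nobody:*:11414:0:99999:7:::'
BAD_PW='testsvc:x:1001:100::/home/testsvc:/bin/bash'; BAD_SH='testsvc::12000:0:99999:7:::'
check_unprivileged "$GOOD_PW" "$GOOD_SH" && echo "nobody: ok"
check_unprivileged "$BAD_PW" "$BAD_SH" || echo "testsvc: not ok"
```

Run it against real entries with `getent passwd <name>` and the matching `/etc/shadow` line (as root), passing 500 on Red Hat-style systems.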