Centos – Creating Group and User for Tomcat RHEL/CentOS

centoschownsoftware installationtomcatuseradd

I want to create an user for my Tomcat installation, but I was viewing multiple options:

# groupadd tomcat
#
# useradd -g tomcat -d /usr/local/tomcat tomcat
# useradd -g tomcat -c "Tomcat User" -d /usr/local/tomcat tomcat

Other alternative:

https://panovski.me/install-tomcat-8-on-centos-7/

# useradd -r -s /sbin/nologin tomcat
# chown -R tomcat: /usr/local/tomcat

In other page (hidden and recursive)

# useradd -r tomcat --shell /bin/false
# chown -hR tomcat: /usr/local/tomcat

Other option:?

# useradd -g tomcat -s /bin/bash -d /usr/local/tomcat tomcat
# chown -Rf tomcat.tomcat /usr/local/tomcat

I don't know what is the mistake or consequence, I want to know what is the best option

I think is best to use -h hidden, but

chown – change file owner and group

-r, --system
  Create a system account.

  System users will be created with no aging information in /etc/shadow, and their 
  numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in
  /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the
  creation of groups).

  Note that useradd will not create a home directory for such an user, regardless
  of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the
  -m options if you want a home directory for a system account to be created.

-s, --shell SHELL
  The name of the user's login shell. The default is to leave this field blank,
  which causes the system to select the default login shell specified by the SHELL
  variable in /etc/default/useradd, or an empty string by default.

In CentOS is needed to use -s or -r options?

EDIT 2

# useradd -r UserL5C --shell /bin/false
# more /etc/passwd | grep UserL5C
UserL5C:x:494:491::/home/UserL5C:/bin/false
# more /etc/group | grep UserL5C
UserL5C:x:491:
# finger UserL5C
Login: UserL5C                  Name: 
Directory: /home/UserL5C                Shell: /bin/false
Never logged in.
No mail.
No Plan.
#

UserL5C with UID and GID lower than 500

# useradd UserG5C --shell /bin/false
# more /etc/passwd | grep UserG5C
UserG5C:x:503:504::/home/UserG5C:/bin/false
# more /etc/group | grep UserG5C
UserG5C:x:504:
# finger UserG5C
Login: UserG5C                  Name: 
Directory: /home/UserG5C                Shell: /bin/false
Never logged in.
No mail.
No Plan.
#

UserG5C UID and GID greater than 500

# ls -al /home/
total 32
drwxr-xr-x.  5 root       root        4096 Jun 25 06:05 .
dr-xr-xr-x. 25 root       root        4096 Jun 25 05:19 ..
drwx------. 33 IntUser    IntUser     4096 Jun 25 05:46 IntUser
drwx------.  2 root       root       16384 Jun 13 09:56 lost+found
drwx------.  4 UserG5C    UserG5C     4096 Jun 25 06:01 UserG5C
#

The difference UserG5C creates homeDirectory

Question

It would be better to use: useradd UserG5C -M -s /bin/false because this user/account hasn't system privileges?

Best Answer

There are as many opinions as there are people. I think the best way to create tomcat user to do as follows:

# useradd -r -s /sbin/nologin tomcat
# chown -R tomcat: /usr/local/tomcat

It means, you will create system account. Info from man useradd:

System users will be created with no aging information in /etc/shadow,
and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX
range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their
GID counterparts for the creation of groups).

Also useradd -r ... creates the group with the same name as user and you don't need to create in by yourself.

BTW, if you'll decide to change something in user configuration (for example: specify home directory, or change shell), you will always can do it with usermod command.

Read man useradd and man usermod.

Edit

Really you should answer some questions:

Do you need system user (with UID < 500)?
Do you need shell or you want to disable shell access (/sbin/nologin, /bin/false)?
Do you need home directory for that user (BTW, tomcat possibly want to have it)?

Ok, you don't want UID < 500 and want home directory (it's not exists now), let's do the following command:

# useradd -U -d /usr/local/tomcat -m -s /bin/false tomcat

Option -U will create the group with same name. If you want add user description, use -c "Tomcat user".

If you already have the tomcat directory:

# useradd -U -d /usr/local/tomcat -M -s /bin/false tomcat

After that you should change the owner for tomcat directory (to allow tomcat user to work with it):

# chown -R tomcat: /usr/local/tomcat

Edit 2

You've asked, we are answering.

If your user has UID < 500 it only means it's the user for some service, not ordinary user (possibly human, who has shell access). It won't bring you the vulnerability because these users are not treated specially by operating system. Also it won't give you extended functionality. Only one thing why it's not good to use UIDs < 500: you can install some RPM-package in future and it will provide the user with the same UID. In that case you'll have some issues. That's it! BTW, tomcat installed from RPM provides user tomcat with UID=91 and group with GID=91 (at least in my Fedora):

$ id tomcat
uid=91(tomcat) gid=91(tomcat) groups=91(tomcat)

Ok, use /bin/false or /sbin/nologin.
You can specify / as home directory for your service like some packages do. For example, if you have tcpdump installed from RPM, you have the following string in /etc/passwd:

tcpdump:x:72:72::/:/sbin/nologin

In this case use useradd command with keys -d / and -M.

In other hand, tomcat installed from RPM, has correct home directory:

tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/bin/nologin

And now few words about chown.

These commands does the same job:

chown tomcat:tomcat /usr/local/tomcat
chown tomcat: /usr/local/tomcat

Quotation from man chown:

Group is unchanged if missing, but changed to login group if implied by a ':' following a symbolic OWNER.

Using . as OWNER/GROUP separator is deprecated now. Use :.

Best Answer

Related Solutions

Log in into a system user after I create him

Related Question