I want to create a user for my Tomcat installation, but I have seen multiple options:
# groupadd tomcat
#
# useradd -g tomcat -d /usr/local/tomcat tomcat
# useradd -g tomcat -c "Tomcat User" -d /usr/local/tomcat tomcat
Another alternative:
https://panovski.me/install-tomcat-8-on-centos-7/
# useradd -r -s /sbin/nologin tomcat
# chown -R tomcat: /usr/local/tomcat
On another page (hidden and recursive):
# useradd -r tomcat --shell /bin/false
# chown -hR tomcat: /usr/local/tomcat
Another option?
# useradd -g tomcat -s /bin/bash -d /usr/local/tomcat tomcat
# chown -Rf tomcat.tomcat /usr/local/tomcat
I don't know what the mistake or consequence is; I want to know what the best option is.
I think it is best to use -h (hidden), but
chown – change file owner and group
-r, --system
Create a system account.
System users will be created with no aging information in /etc/shadow, and their
numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in
/etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the
creation of groups).
Note that useradd will not create a home directory for such an user, regardless
of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the
-m options if you want a home directory for a system account to be created.
-s, --shell SHELL
The name of the user's login shell. The default is to leave this field blank,
which causes the system to select the default login shell specified by the SHELL
variable in /etc/default/useradd, or an empty string by default.
On CentOS, is it necessary to use the -s or -r options?
EDIT 2
# useradd -r UserL5C --shell /bin/false
# more /etc/passwd | grep UserL5C
UserL5C:x:494:491::/home/UserL5C:/bin/false
# more /etc/group | grep UserL5C
UserL5C:x:491:
# finger UserL5C
Login: UserL5C Name:
Directory: /home/UserL5C Shell: /bin/false
Never logged in.
No mail.
No Plan.
#
UserL5C has UID and GID lower than 500.
# useradd UserG5C --shell /bin/false
# more /etc/passwd | grep UserG5C
UserG5C:x:503:504::/home/UserG5C:/bin/false
# more /etc/group | grep UserG5C
UserG5C:x:504:
# finger UserG5C
Login: UserG5C Name:
Directory: /home/UserG5C Shell: /bin/false
Never logged in.
No mail.
No Plan.
#
UserG5C has UID and GID greater than 500.
# ls -al /home/
total 32
drwxr-xr-x. 5 root root 4096 Jun 25 06:05 .
dr-xr-xr-x. 25 root root 4096 Jun 25 05:19 ..
drwx------. 33 IntUser IntUser 4096 Jun 25 05:46 IntUser
drwx------. 2 root root 16384 Jun 13 09:56 lost+found
drwx------. 4 UserG5C UserG5C 4096 Jun 25 06:01 UserG5C
#
The difference: UserG5C gets a home directory.
Question
Would it be better to use useradd UserG5C -M -s /bin/false, because this user/account doesn't have system privileges?
Best Answer
There are as many opinions as there are people. I think the best way to create the tomcat user is to do as follows:
This means you will create a system account. Info from man useradd:
Also, useradd -r ... creates a group with the same name as the user, so you don't need to create it yourself. BTW, if you decide to change something in the user configuration later (for example, specify a home directory or change the shell), you can always do it with the usermod command. Read man useradd and man usermod.
Edit
Really you should answer some questions:
/sbin/nologin, /bin/false)?
Ok, you don't want UID < 500 and you want a home directory (it doesn't exist now), so let's run the following command:
Option -U will create a group with the same name. If you want to add a user description, use -c "Tomcat user".
If you already have the tomcat directory:
After that you should change the owner of the tomcat directory (to allow the tomcat user to work with it):
Edit 2
You've asked, we are answering.
Ok, use /bin/false or /sbin/nologin.
You can specify / as the home directory for your service, like some packages do. For example, if you have tcpdump installed from RPM, you have the following line in /etc/passwd:
In this case use the useradd command with the options -d / and -M.
On the other hand, tomcat installed from RPM has a correct home directory:
And now a few words about chown. These commands do the same job:
Quotation from man chown:
Using . as the OWNER/GROUP separator is deprecated now. Use:
.
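As an added example (not part of the question or the answer above), here is a small POSIX shell audit that applies the two criteria discussed in this thread, a UID in the system range and a shell that refuses logins, to passwd-format entries such as the tomcat account. The SYS_UID_MAX value of 499, the sample lines and the function names are assumptions for the example; a real host defines the range in /etc/login.defs.

```shell
#!/bin/sh
# Audit /etc/passwd-style entries for a service account such as "tomcat".
# An entry is flagged if its shell allows interactive login (anything but
# nologin/false) or its UID is outside the system range.  SYS_UID_MAX=499
# is an assumed value matching the "UID < 500" split seen in the question.
SYS_UID_MAX=499
# Constructed sample lines in passwd format (not copied from a real host).
SAMPLE_PASSWD='tcpdump:x:72:72::/:/sbin/nologin
tomcat:x:494:491::/usr/local/tomcat:/sbin/nologin
tomcat2:x:495:495::/usr/local/tomcat:/bin/bash
UserG5C:x:503:504::/home/UserG5C:/bin/false'
# is_nologin_shell SHELL -> true when the shell refuses logins.
is_nologin_shell() {
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}
# check_service_entry "name:x:uid:gid:gecos:home:shell"
# Prints "ok", or a comma-separated list of findings; exit status 1 if any.
check_service_entry() {
    uid=$(printf '%s' "$1" | cut -d: -f3)
    shell=$(printf '%s' "$1" | cut -d: -f7)
    findings=""
    if [ "$uid" -eq 0 ]; then
        findings="${findings}uid-is-root,"
    elif [ "$uid" -gt "$SYS_UID_MAX" ]; then
        findings="${findings}uid-not-system,"
    fi
    is_nologin_shell "$shell" || findings="${findings}interactive-shell,"
    if [ -z "$findings" ]; then printf 'ok\n'; return 0; fi
    printf '%s\n' "${findings%,}"
    return 1
}
# audit_passwd "<passwd text>": prints "name: result" per entry and returns
# the number of flagged entries (the loop reads a here-doc so the counter
# survives; piping into "while" would run the loop in a subshell).
audit_passwd() {
    bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        result=$(check_service_entry "$line") || bad=$((bad + 1))
        printf '%s: %s\n' "${line%%:*}" "$result"
    done <<EOF
$1
EOF
    return "$bad"
}
audit_passwd "$SAMPLE_PASSWD"
```

On a real host you would feed it `getent passwd` output instead of the constructed sample; the tomcat2 and UserG5C lines are flagged, the tcpdump and tomcat lines pass.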