On an Ubuntu machine, if I run the following command:
adduser --system --no-create-home system-user
I create a system user named system-user without home directory with /bin/false as the shell. This user belongs to the nogroup (GID 65534) by default. I want to use this user to run a daemon on my system.
But what about the password? Can I or someone else somehow log in to this system account? I thought that maybe the password is empty, so I just tried to press Enter when the Password: prompt appears in su system-user:
$ su system-user
Password:
su: Authentication failure
Is it because of the /bin/false shell? I don't know, because the adduser and useradd manuals don't say how the password of system users is handled when the system user is created.
Can I be sure that no one in the system can log in as this system user? Or should I do something else in order to protect this account? I would like only the daemon to be able to use it, and no one else…
Best Answer
The account will be set up without login possibilities as there is no valid password assigned to the account, and that is different from no password.
You can check this by doing sudo grep -F system-user /etc/shadow. The second field (between the first and second colon (:)) will be a '*' and no hash of any password you can provide will match against that. For that you have to set the password explicitly.
Apart from that, the /bin/false entry for an account with a password will not give you "Authentication failure", it will just immediately log you out without any message at all (as you can easily try by making a temporary account with a valid password).
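An added example, not part of the original question or answer: a POSIX shell check that classifies the password field in /etc/shadow and the shell field in /etc/passwd for an account, going beyond the '*' case above to also cover '!'-locked, empty and set passwords. The sample lines (account names other than system-user, UIDs, hash strings) are constructed, and the function names are this example's own.

```shell
# Constructed sample lines in /etc/shadow and /etc/passwd format (not real data).
SAMPLE_SHADOW='system-user:*:19700:0:99999:7:::
tempuser:$6$constructedsalt$constructedhash:19700:0:99999:7:::
lockeduser:!$6$constructedsalt$constructedhash:19700:0:99999:7:::
nopass::19700:0:99999:7:::'
SAMPLE_PASSWD='system-user:x:110:65534::/home/system-user:/bin/false
tempuser:x:1001:1001::/home/tempuser:/bin/false
lockeduser:x:1002:1002::/home/lockeduser:/bin/bash
nopass:x:1003:1003::/home/nopass:/bin/bash'

# Print the line whose first field is exactly this user (no substring match).
entry_for() {  # $1 = user, $2 = file contents
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u'
}

# Classify field 2 of one shadow line.
password_state() {  # $1 = shadow line
    [ -n "$1" ] || { echo "no-entry"; return; }
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')            echo "empty" ;;              # no password needed at all
        '*'|'!'|'!!')  echo "no-valid-password" ;;  # no hash can ever equal this
        '!'*)          echo "locked-hash" ;;        # real hash disabled by leading '!'
        '$'*)          echo "password-set" ;;       # crypt(3) $id$salt$hash form
        *)             echo "other" ;;              # e.g. legacy DES; inspect by hand
    esac
}

# Classify field 7 of one passwd line (an empty field means /bin/sh).
shell_state() {  # $1 = passwd line
    [ -n "$1" ] || { echo "no-entry"; return; }
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) echo "no-login-shell" ;;
        *) echo "login-shell" ;;
    esac
}

# One-line report for a user from shadow and passwd contents.
audit() {  # $1 = user, $2 = shadow contents, $3 = passwd contents
    echo "$1 password=$(password_state "$(entry_for "$1" "$2")")" \
         "shell=$(shell_state "$(entry_for "$1" "$3")")"
}

for u in system-user tempuser lockeduser nopass; do
    audit "$u" "$SAMPLE_SHADOW" "$SAMPLE_PASSWD"
done
```

On a live system the same audit function can be given "$(sudo cat /etc/shadow)" and "$(cat /etc/passwd)" in place of the sample strings.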