Log in into a system user after I create him

useraddusers

On an Ubuntu machine, if I run the following command:

adduser --system --no-create-home system-user

I create a system user named system-user without home directory with /bin/false as the shell. This user belongs to the nogroup (GID 65534) by default. I want to use this user to run a daemon on my system.

But what about the password? Can I or someone else somehow login into this system account? I thought that maybe the password is empty, so I just tried to press Enter when the Password: prompt appears in su system-user:

$ su system-user
Password:
su: Authentication failure

Is it because of the /bin/false shell? I don't know it because adduser and useradd manuals don't say how the password of system users is handled when the system user is created.
Can I be sure that no one in the system can login as this system user? Or should I do something else in order to protect this account? I would like that only the daemon will be able to use it and no one else…

Best Answer

The account will be setup without login possibilities as there is no valid password assigned to the account, and that is different from no password.

You can check this by doing sudo grep -f system-user /etc/shadow. The second field (between the first and second colon (:)) will be a '*' and no hash of any password you can provide will match against that. For that you have to set the password explicitly.

Apart from that, the /bin/false entry for an account with a password will not give you "Authentication failure", it will just immediately log you out without any message at all (as you can easily try by making a temporary account with a valid password)

Related Solutions

Backing up and restoring a system user account

If you are doing backup and restore by hand, then things are relatively easy, especially if the new system is (nearly) completely new.

I doubt if you really need to backup and restore password, UID and GID. However, if you know the user password (which you should anyway), then you can change the password of the user on the new system accordingly. UID and GID can be assigned on user creation (look at -u and -g from useradd), or modified with usermod. The only problem is if you have created accounts on the new system, which may have taken the UID and GID, in which case you need to change that account first.

UID and GID only make sense if you have preserved permissions when copying files (see --preserve=mode from cp). All applications that I have used (not that I have used all application) use username and not UID or GID for configuration, so I don't think that will be a problem.

If you want a program where you can say "Backup this user!" on a machine and then "Restore that user!" on another machine then I don't know how a program could possibly do it ;) Breakage may occur, but if you have the config files under control you should not be afraid. If you have all the files, you can fix it!

CentOS – How to Create an Unprivileged User

From here (centos.org)

useradd (which is the actual binary the runs when you call adduser, it just behaves differently. See here about that.) has an flag -r which is documented as follows:

-r   Create a system account with a UID less than 500 and without a home directory

Which sounds like what you want to do.

Best Answer

Related Solutions

Backing up and restoring a system user account

CentOS – How to Create an Unprivileged User

Related Question