There are as many opinions as there are people.
I think the best way to create a tomcat user is to do as follows:
# useradd -r -s /sbin/nologin tomcat
# chown -R tomcat: /usr/local/tomcat
That means you will create a system account. Info from man useradd:
System users will be created with no aging information in /etc/shadow,
and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX
range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their
GID counterparts for the creation of groups).
Also, useradd -r ... creates the group with the same name as the user, and you don't need to create it yourself.
BTW, if you decide to change something in the user configuration later (for example, to specify the home directory or change the shell), you can always do it with the usermod command.
Read man useradd and man usermod.
Edit
Really, you should answer some questions:
- Do you need a system user (with UID < 500)?
- Do you need a shell, or do you want to disable shell access (/sbin/nologin, /bin/false)?
- Do you need a home directory for that user (BTW, tomcat possibly wants to have one)?
OK, you don't want UID < 500 and you want a home directory (which doesn't exist yet), so let's run the following command:
# useradd -U -d /usr/local/tomcat -m -s /bin/false tomcat
Option -U will create the group with the same name.
If you want to add a user description, use -c "Tomcat user".
If you already have the tomcat directory:
# useradd -U -d /usr/local/tomcat -M -s /bin/false tomcat
After that you should change the owner of the tomcat directory (to allow the tomcat user to work with it):
# chown -R tomcat: /usr/local/tomcat
Edit 2
You've asked, we are answering.
- If your user has UID < 500 it only means it's the user for some service, not an ordinary user (possibly a human, who has shell access). It won't bring you a vulnerability, because these users are not treated specially by the operating system. Also, it won't give you extended functionality. There is only one reason why it's not good to use UIDs < 500: you may install some RPM package in the future that provides a user with the same UID. In that case you'll have some issues. That's it! BTW, tomcat installed from RPM provides the user tomcat with UID=91 and a group with GID=91 (at least in my Fedora):
$ id tomcat
uid=91(tomcat) gid=91(tomcat) groups=91(tomcat)
OK, use /bin/false or /sbin/nologin.
You can specify / as the home directory for your service, like some packages do. For example, if you have tcpdump installed from RPM, you have the following line in /etc/passwd:
tcpdump:x:72:72::/:/sbin/nologin
In this case use the useradd command with the -d / and -M options.
On the other hand, tomcat installed from RPM has a correct home directory:
tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/bin/nologin
And now a few words about chown.
These commands do the same job:
chown tomcat:tomcat /usr/local/tomcat
chown tomcat: /usr/local/tomcat
Quotation from man chown:
Group is unchanged if missing, but changed to login group if
implied by a ':' following a symbolic OWNER.
Using . as the OWNER/GROUP separator is deprecated now. Use : instead.
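The account creation and the three questions the answer raises (system UID, login shell, home directory), as an added example that is not part of the original answer. The audit functions read UID_MIN from a login.defs-style file (the fallback of 1000 and the /usr/local/tomcat install root are assumptions) and are exercised on constructed passwd entries, two of which are the lines quoted above; create_tomcat_user combines the useradd and chown options discussed in the answer and needs root.

```shell
#!/bin/sh
# Added example (not part of the answer above): create the tomcat service
# account the way the answer suggests, then audit passwd(5) entries for the
# three questions it raises (system UID? login shell? home directory?).
# Assumptions: the install root is /usr/local/tomcat; the fallback UID_MIN of
# 1000 is a hypothetical default used only when login.defs lacks the key.

# Print the value of KEY from a login.defs-style file, or FALLBACK if unset.
login_def() {
    key=$1; fallback=$2; defs=${3:-/etc/login.defs}
    value=$(awk -v k="$key" '$1 == k { v = $2 } END { if (v == "") exit 1; print v }' \
        "$defs" 2>/dev/null) || value=$fallback
    printf '%s\n' "$value"
}

# Classify a UID: anything below UID_MIN is a system (service) account.
# The "< 500" in the answer is the old Red Hat UID_MIN; current distributions
# usually set UID_MIN to 1000, which is why the file is consulted.
uid_class() {
    uid=$1; defs=${2:-/etc/login.defs}
    if [ "$uid" -lt "$(login_def UID_MIN 1000 "$defs")" ]; then
        echo system
    else
        echo regular
    fi
}

# Return 0 if the shell field of a passwd(5) entry refuses interactive logins.
login_disabled() {
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Audit one passwd(5) entry: print findings, return 0 only when the shell is
# disabled and the home field is set (an empty field silently means "/").
audit_entry() {
    entry=$1; defs=${2:-/etc/login.defs}
    name=$(printf '%s\n' "$entry" | cut -d: -f1)
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    rc=0
    echo "$name: uid $uid is a $(uid_class "$uid" "$defs") account"
    login_disabled "$entry" || { echo "$name: shell allows interactive login"; rc=1; }
    [ -n "$home" ] || { echo "$name: home field is empty"; rc=1; }
    return $rc
}

# Create the account (requires root). -r picks a UID from the system range and
# writes no aging info; -U creates the tomcat group explicitly instead of
# relying on USERGROUPS_ENAB in login.defs; -M because the tree already exists.
create_tomcat_user() {
    useradd -r -U -M -d /usr/local/tomcat -s /sbin/nologin -c "Apache Tomcat" tomcat &&
        chown -R tomcat: /usr/local/tomcat
}

# Constructed sample entries: the two quoted in the answer plus a bad one.
SAMPLE_TCPDUMP='tcpdump:x:72:72::/:/sbin/nologin'
SAMPLE_TOMCAT='tomcat:x:91:91:Apache Tomcat:/usr/share/tomcat:/bin/nologin'
SAMPLE_BAD='tomcat:x:1001:1001::/usr/local/tomcat:/bin/bash'

for e in "$SAMPLE_TCPDUMP" "$SAMPLE_TOMCAT" "$SAMPLE_BAD"; do
    audit_entry "$e" || echo "$e: NOT a clean service account"
done
```

To check the real account after creating it, run audit_entry "$(getent passwd tomcat)": it reports the UID class and fails if the shell allows logins or the home field is empty.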
Best Answer
Yes, all files under /usr should be owned by root, except that files under /usr/local may or may not be owned by root depending on site policies. It's normal for root to own files that only a system administrator is supposed to modify.
There are a few files that absolutely need to be owned by root or else your system won't work properly. These are setuid root executables, which run as root no matter who invoked them. Common setuid root binaries include su and sudo (programs to run another program as a different user, after authentication), sudoedit (a companion to sudo to edit files rather than run an arbitrary program), and programs to modify user accounts (passwd, chsh, chfn).
In addition, a number of programs need to run with additional group privileges, and need to be owned by the appropriate group (and by the root user) and have the setgid bit set.
You can, and should, restore proper permissions from the package database. If you attempt to repair manually, you're bound to miss something and leave some hard-to-diagnose bugs lying around. Run the following commands:
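A check for the setuid and setgid files the answer describes, as an added example that is not part of the original answer: it lists every setuid/setgid file under a tree and flags those not owned by the expected user, which is what you want to know before restoring ownership from the package database. The default tree of /usr and the numeric-UID owner argument (0 for root) are assumptions; the package-database restore itself is not reproduced here.

```shell
#!/bin/sh
# Added example (not part of the answer above): enumerate setuid/setgid files
# under a tree and flag any not owned by the expected user.
# Assumptions: POSIX find and ls; the expected owner is a numeric UID
# (root is 0); /usr is a hypothetical default tree.

# List every setuid or setgid regular file under TREE as an ls -ld line.
list_privileged() {
    tree=${1:-/usr}
    find "$tree" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -ld {} \;
}

# Print setuid/setgid files under TREE whose owner is not OWNER (numeric UID,
# default 0). Returns 1 when any were found, 0 when the tree is clean.
# A setuid binary owned by a non-root user runs as that user, so such a file
# is either broken (su, sudo, passwd stop working) or a foothold for whoever
# controls that account.
find_misowned() {
    tree=${1:-/usr}; owner=${2:-0}
    found=$(find "$tree" -xdev -type f \( -perm -4000 -o -perm -2000 \) ! -user "$owner")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Audit TREE against OWNER and say what to do; returns 1 if anything is wrong.
audit_tree() {
    tree=${1:-/usr}; owner=${2:-0}
    if find_misowned "$tree" "$owner"; then
        echo "$tree: all setuid/setgid files are owned by uid $owner"
    else
        echo "$tree: restore ownership of the files above from the package database, not by hand"
        return 1
    fi
}
```

Run audit_tree /usr as root on a live system; list_privileged /usr gives the full inventory with modes and groups so setgid binaries can be compared against the group the package intends.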