I would like to know the difference between a user and a service account.
I know that e.g. Jenkins installed on Ubuntu is not a user, but a service account.
- What is the use of a service account?
- When do we need them?
- How can I create a service account?
Best Answer
User accounts are used by real users, service accounts are used by system services such as web servers, mail transport agents, databases etc. By convention, and only by convention, service accounts have user IDs in the low range, e.g. < 1000 or so. Except for UID 0, service accounts don't have any special privileges. Service accounts may - and typically do - own specific resources, even device special files, but they don't have superuser-like privileges.
Service accounts can be created like ordinary user accounts (e.g. using `useradd`). However, service accounts are typically created and configured by the package manager upon installation of the service software. So, even as an administrator you should be rarely directly concerned with the creation of service accounts.
For good reason: In contrast to user accounts, service accounts often don't have a "proper" login shell, i.e. they have `/usr/sbin/nologin` as login shell (or, back in the old days, `/bin/false`). Moreover, service accounts are typically locked, i.e. it is not possible to login (for traditional `/etc/passwd` and `/etc/shadow` this can be achieved by setting the password hash to arbitrary values such as `*` or `x`). This is to harden the service accounts against abuse (defense in depth).
Having individual service accounts for each service serves two main purposes: It is a security measure to reduce the impact in case of an incident with one service (compartmentalization), and it simplifies administration as it becomes easier to track down what resources belong to which service. See this or this answers on related questions for more details.
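The hardening properties described in the answer above can be checked mechanically. The following is an added example, not part of the original answer: it audits passwd/shadow-format files for service accounts (UID 1 to 999 by default) that still have a login shell or a usable password. The account names `buildsvc` and `backupd`, the hash strings and the finding labels are constructed for illustration.

```shell
# Added example: flag service accounts that could still be logged into.
# Creating one by hand typically looks like this (as root; "svc-demo" is a made-up name):
#   useradd --system --shell /usr/sbin/nologin --no-create-home svc-demo
audit_service_accounts() {   # usage: PASSWD SHADOW [UID_MAX]
    awk -F: -v max="${3:-999}" '
        # First file is shadow: remember each password field.
        FILENAME == ARGV[1] { hash[$1] = $2; next }
        # Second file is passwd: skip root (UID 0) and regular users.
        $3 + 0 < 1 || $3 + 0 > max { next }
        {
            # Anything but nologin/false (an empty field means the default
            # shell) allows an interactive session.
            if ($7 !~ /\/(nologin|false)$/)
                print $1 ":" $3 ":login-shell=" ($7 == "" ? "(default)" : $7)
            if (!($1 in hash)) next
            h = hash[$1]
            # "*", "!" or "x" can never match a password; an empty field,
            # a $id$ style hash or a 13-character DES hash can.
            if (h == "")
                print $1 ":" $3 ":empty-password"
            else if (substr(h, 1, 1) == "$" || (length(h) == 13 && h ~ "^[./0-9A-Za-z]+$"))
                print $1 ":" $3 ":password-set"
        }' "$2" "$1"
}

make_sample() {   # constructed sample data written into directory $1
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
buildsvc:x:112:118:Build service:/var/lib/buildsvc:/bin/bash
backupd:x:120:125::/var/backups:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
www-data:*:19000:0:99999:7:::
buildsvc:!:19000:0:99999:7:::
backupd:$6$c0nstructed$notarealhash:19000:0:99999:7:::
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
audit_service_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

On a real system the function would be pointed at `/etc/passwd` and `/etc/shadow` (reading the latter requires root), and the UID boundary should follow the distribution's own convention.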