
From the adduser command, I saw the option --system to create a system user. A system user will use /bin/false and by default belong to nogroup. It also won't copy the /etc/skel to the home directory.

In which condition would I prefer to create a system user?

leeand00
steveyang


When you are creating an account to run a daemon, service, or other system software, rather than an account for interactive use.

Technically, it makes no difference, but in the real world it turns out there are long term benefits in keeping user and software accounts in separate parts of the numeric space.

Mostly, it makes it easy to tell what the account is, and if a human should be able to log in.

Daniel Pittman
    By software accounts, you mean those like `www-data` and `ftp` right? – steveyang Jan 18 '12 at 05:57
  • Those are good examples of software accounts, yes. Also `ntp`, or `postgres`, `postfix`. – Daniel Pittman Jan 18 '12 at 06:00
  • Thx. Those accounts in my system are mainly set up by the software itself. Are there conditions where I need to set up such accounts manually? – steveyang Jan 18 '12 at 06:04
  • Probably not terribly often, no. But if you were compiling the software from scratch yourself, it's easy to imagine a need as part of `make install`. Since there's not a tradition in *NIX of hiding the options used by scripts like the one run by `make install` from users (even in situations where it's rare for a user to want to use such an option, like mysql's `-B` flag), the option is available for you to use interactively on the off chance you'd ever need it. – BMDan Feb 02 '12 at 17:36

When deploying a production service in Linux you want to configure it as securely as possible. Ideally, you will create a unique Linux user for each service and give them only read and write permission to the exact files they need. You can go even further and create a "system" user that has no home directory, no login shell, and no password. This prevents the user from being able to log in and does not provide a home directory for them to store files. If the service was ever compromised this limits the actions an attacker can take with the user running the service.

An excerpt from https://www.devdungeon.com/content/how-create-secure-linux-system-user.

reportaman
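The practical payoff both answers describe, keeping software accounts in their own UID range with a non-login shell so you can tell at a glance whether a human should be able to log in, is easy to check after the fact. The script below is an added example, not code from the thread or the linked article; it assumes the Debian/Ubuntu convention that system accounts get UIDs below 1000 and runs over a constructed passwd sample, flagging records where the UID range and the shell disagree.

```sh
#!/bin/sh
# Added example (not from the original thread): audit passwd-style records for the
# "software account vs. human account" split the answers describe. Assumes the
# Debian/Ubuntu convention (login.defs, adduser.conf): system UIDs below 1000.
SYS_UID_MAX=999

# Constructed sample records for offline testing; not taken from a real host.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
postgres:x:120:125:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
myservice:x:998:998::/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:1001:1001::/nonexistent:/usr/sbin/nologin'

# is_login_shell SHELL: succeeds if the shell would let the account open a session.
is_login_shell() {
    case "$1" in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin) return 1 ;;
        *) return 0 ;;
    esac
}

# classify_line "name:pw:uid:gid:gecos:home:shell" prints one verdict:
#   root | system-ok | system-has-login-shell | user-ok | user-no-login-shell
# The two mismatch verdicts (UID range and shell disagree) are what a human
# should review; a packaged daemon may keep a shell, but it should be deliberate.
classify_line() {
    printf '%s\n' "$1" | {
        IFS=: read -r name pw uid gid gecos home shell
        if [ "$uid" -eq 0 ]; then
            echo root
        elif [ "$uid" -le "$SYS_UID_MAX" ]; then
            if is_login_shell "$shell"; then echo system-has-login-shell; else echo system-ok; fi
        else
            if is_login_shell "$shell"; then echo user-ok; else echo user-no-login-shell; fi
        fi
    }
}

# audit_passwd RECORDS: prints "name<TAB>verdict" for every mismatched record.
audit_passwd() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        verdict=$(classify_line "$line")
        case "$verdict" in
            *-has-login-shell|*-no-login-shell) printf '%s\t%s\n' "${line%%:*}" "$verdict" ;;
        esac
    done
}
# Stand-alone run over the sample; on a live host: audit_passwd "$(getent passwd)"
audit_passwd "$SAMPLE_PASSWD"
```

On the sample this flags `postgres` (system UID, interactive shell) and `backup2` (user UID, no login shell); the first is how Debian's package ships, so the list is a review queue, not a list of bugs.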