What are system accounts? (Linux Operating System forums, Unix Operating Systems category)

Hello,

I am wondering what exactly is a system account? I am looking for a way to create users that can't log on (and have no passwords), i.e. that are only used to run demons (like 'nobody' is for httpd). I suspect that system accounts might be the ticket?

Would it be enough to create one with useradd -r without specifying a password?

Another thing I seem to remember (I think it was in the manual to some ftp server) is to set the user's shell to something impossible, maybe that would be another/better/the only way? I've seen some accounts in /etc/passwd with /bin/false as shell, is that it? On the other hand 'nobody' appears to be preconfigured with /bin/bash...

Or should I just stop worrying too much, set up users with a password that nobody knows, and be done with it?

Many thanks in advance!

Bjoern

Bjoern <bjoern_p1@gmx.net> wrote:
> I am wondering what exactly is a system account? I am looking for a way
> to create users that can't log on (and have no passwords), i.e. that are
> only used to run demons (like 'nobody' is for httpd). I suspect that
> system accounts might be the ticket?

Edit your passwd file to taste, and stop stumbling over nomenclature.

Peter

Bjoern wrote:
> Hello,
>
> I am wondering what exactly is a system account? I am looking for a way
> to create users that can't log on (and have no passwords), i.e. that are
> only used to run demons (like 'nobody' is for httpd). I suspect that
> system accounts might be the ticket?
>
> Would it be enough to create one with useradd -r without specifying a
> password?

I'd also urge you to set the shell to "/sbin/nologin", and make sure it has a UID less than 500 or so to indicate that it is in fact a system account, not a local user account.

> Another thing I seem to remember (I think it was in the manual to some
> ftp server) is to set the user's shell to something impossible, maybe
> that would be another/better/the only way? I've seen some accounts in
> /etc/passwd with /bin/false as shell, is that it? On the other hand
> 'nobody' appears to be preconfigured with /bin/bash...
>
> Or should I just stop worrying too much, set up users with a password
> that nobody knows, and be done with it?

See above. What you need depends on the specific account. If you need to be able to "su" to that user's account and run normal shell commands, such as "postgres" for a postgresql daemon, then you may need an active shell.

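The advice in the reply above (a shell such as /sbin/nologin or /bin/false, and a UID below 500 or so) can be checked on an existing system. The following shell function is an added example, not part of any post in this thread; the function name, the finding labels and the sample accounts are assumptions made for illustration, and the sample data is constructed.

```shell
# Added example: list service accounts that can still log in, reading
# passwd(5)- and shadow(5)-format files. The UID cutoff is a parameter.
NOLOGIN_SHELLS="/sbin/nologin /usr/sbin/nologin /bin/false /usr/bin/false"

# audit_system_accounts PASSWD_FILE SHADOW_FILE [UID_CUTOFF]
# Prints "name uid finding[,finding]" for each non-root account below the
# cutoff with a login shell, an empty password, or a usable password.
audit_system_accounts() {
    awk -F: -v cutoff="${3:-500}" -v shadow="$2" -v nologin="$NOLOGIN_SHELLS" '
        function add(cur, item) { return (cur == "") ? item : cur "," item }
        BEGIN { n = split(nologin, s, " "); for (i = 1; i <= n; i++) deny[s[i]] = 1 }
        FILENAME == shadow { pw[$1] = $2; known[$1] = 1; next }
        $3 + 0 == 0 || $3 + 0 >= cutoff { next }   # skip root and ordinary users
        {
            f = ""
            # An empty shell field means /bin/sh, so it counts as a login shell.
            if (!($7 in deny)) f = add(f, "login-shell")
            # Empty field: no password needed. Leading "!" or "*": locked.
            if (known[$1] && pw[$1] == "") f = add(f, "empty-password")
            else if (known[$1] && pw[$1] !~ /^[!*]/) f = add(f, "password-set")
            if (f != "") print $1, $3, f
        }
    ' "$2" "$1"
}

# Constructed sample data, not taken from a real host.
demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:99:99:Nobody:/:/bin/bash
httpd:x:48:48:web server:/var/www:/sbin/nologin
ftpd:x:14:50:ftp:/var/ftp:/bin/false
postgres:x:26:26:PostgreSQL:/var/lib/pgsql:/bin/bash
svc:x:101:101::/:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$constructed$hash:19000:0:99999:7:::
nobody:*:19000:0:99999:7:::
httpd:!:19000::::::
ftpd::19000::::::
postgres:!!:19000::::::
svc:$6$constructed$hash:19000::::::
alice:$6$constructed$hash:19000:0:99999:7:::
EOF
    audit_system_accounts "$d/passwd" "$d/shadow" 500
    rm -rf "$d"
}
demo
```

On a live system the call would be `audit_system_accounts /etc/passwd /etc/shadow`, run as root so the shadow file is readable. An account flagged `login-shell`, such as postgres in the sample, may be intentional for the "su" case the reply describes.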
Bjoern wrote:
> Hello,
>
> I am wondering what exactly is a system account? I am looking for a way
> to create users that can't log on (and have no passwords), i.e. that are
> only used to run demons (like 'nobody' is for httpd). I suspect that
> system accounts might be the ticket?

I forgot to add: if you're running an NIS server, there is a setting for Linux's version of NIS to prevent publishing NIS accounts with UIDs less than some specific number. This allows you to have system accounts on your NIS server that are not published to the clients, preventing all sorts of fascinating conflicts. So it's also helpful to keep system accounts with low-numbered UIDs.

Many thanks for the helpful answers!

Bjoern

Nico Kadel-Garcia wrote:
> Bjoern wrote:
>
>> Hello,
>>
>> I am wondering what exactly is a system account? I am looking for a
>> way to create users that can't log on (and have no passwords), i.e. that
>> are only used to run demons (like 'nobody' is for httpd). I suspect
>> that system accounts might be the ticket?
>
> I forgot to add: if you're running an NIS server, there is a setting for
> Linux's version of NIS to prevent publishing NIS accounts with UIDs
> less than some specific number. This allows you to have system accounts
> on your NIS server that are not published to the clients, preventing all
> sorts of fascinating conflicts. So it's also helpful to keep system
> accounts with low-numbered UIDs.