I run a service on a debian/linux machine which runs at boot with a 'screen' session I can always attach to.
I would like to create a username which I can run this service as. At the moment I use a 'regular' login account. I would like the added security of a username dedicated to this service (similar to the way 'nobody' or 'www-data' are used with apache).
Requirements:
- No ability to login, locally or remotely (so no password to manage)
- Ability for approved users to gain access to the screen session, and interact with the service.
I imagine the solution will have creative use of su/sudo and the details of how to create the account.
First, create the account the 'screen' session runs as (say it's called 'screenimage'), as well as a group of users allowed to use it (say 'screenusers'):

Then for each user allowed to use it, add them to the 'screenusers' group:

Then, add approved users to '/etc/sudoers': run 'visudo' and add the line

ETA: To address the other answers on this post: the '--system' creates accounts with no shell or password. The 'sudoers' line means that the users are clamped to running 'screen', as the 'screenimage' user only.

Creating the user is the easy part. Simply add a user with the 'adduser' script (this is debian specific but I noticed it's in your tags), then edit the resulting '/etc/passwd' line for that user. Change the 'x' to a '!'; this makes it so that no password will ever match as valid. Change '/bin/bash' to '/bin/false' so that if someone did log in as this user they would get no shell.

As for the rest it really depends on what service you're trying to run or how you need to interact with it. I feel like there's probably some better way to work that out than running it in a screen session.
OK, how about (in /etc/rc.something):

and set the user's shell to '/bin/false'.