I've manually installed a service called Gate One into /opt. I want to harden its security, so I thought I'd create a system account for it to use, because of least necessary privileges, and all that.
However, when I ran adduser --system gateone, it created a home directory, which I didn't really want. Therefore, I ran adduser --system --home-dir /opt/gateone gateone, because I'd seen some system accounts setting home directories pertaining to them. However, this made the login shell /bin/sh instead of /bin/false, which it had done the first time (when I didn't specify a home directory). I'm a bit confused now about what I should set these fields to.
tl;dr: when creating a system account on a *NIX operating system, what are the best practices for setting the home directory, the login shell, and anything else that's relevant? Why?
Note: I'm using Ubuntu 13.04 Raring, if it matters, since IIRC adduser can vary quite a bit from distribution to distribution.
There isn't really a specific best practice, except that the shell should be /bin/false unless a shell is needed, the password hash should be ! unless the user is expected to log in, a descriptive name should be given, and the home directory should be set to /dev/null or similar if the application doesn't require a valid home directory. The user should have its own group, preferably in the system ID range; if it doesn't require a primary GID of root, for instance, don't give it one, and certainly don't give it users without a specific requirement. It all depends. Specify everything you care about (see man adduser for all the available options).

If you are trying to install an application, the best choice is to make a package for that system and follow the admin guidelines for that system (the guides describe how to install, where, how to integrate the app with the system and so on). As you are using Ubuntu, you can follow the Ubuntu/Debian guide. It may be time-consuming at first, but if you deploy it often (frequent upgrades) or on several machines it will help you.
The adduser command has switches to set up what you are asking for. Use adduser --help. Basically you can write adduser --system --home /var/lib/my_app --shell /bin/false --disabled-login --disabled-password. Note that most system services have home directories in /var/lib/, or if you do not provide a package for the system it probably should be, as you wrote, in /opt/<service>.
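As an added example (not from the question or either answer above), here is a POSIX sh audit that checks the fields both answers discuss after the account exists: it reads passwd and shadow data and flags system accounts whose shell is interactive, whose password hash is not locked, whose GECOS name is empty, or whose home lives under /home. The sample entries, the account names and the Debian system UID range 1..999 are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or the answers above.
# Audits passwd/shadow data for system accounts (assumed UID range 1..999)
# whose fields don't match the recommendations: a non-login shell, a locked
# password hash, a descriptive GECOS name and a home outside /home.

# Constructed sample /etc/passwd lines (not from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
gateone:x:112:118:Gate One service:/opt/gateone:/bin/sh
postgres:x:113:119:PostgreSQL administrator:/var/lib/postgresql:/bin/bash
ntp:x:114:120::/nonexistent:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed sample /etc/shadow lines; field 2 is the password hash.
SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
gateone:$6$saltsalt$hashhash:19000:0:99999:7:::
postgres:*:19000:0:99999:7:::
ntp:!:19000:0:99999:7:::
alice:$6$saltsalt$hashhash:19000:0:99999:7:::'

# audit_system_accounts PASSWD_TEXT SHADOW_TEXT
# Prints one "user: reason" line per finding; root and regular users are skipped.
audit_system_accounts() {
    passwd_text=$1
    shadow_text=$2
    printf '%s\n' "$passwd_text" | while IFS=: read -r user _ uid _ gecos home shell; do
        [ "$uid" -ge 1 ] && [ "$uid" -le 999 ] || continue
        # Look up this user's hash in the shadow data.
        hash=$(printf '%s\n' "$shadow_text" | awk -F: -v u="$user" '$1 == u { print $2 }')
        case "$shell" in
            /bin/false|/usr/sbin/nologin|/sbin/nologin) ;;
            *) echo "$user: interactive login shell $shell" ;;
        esac
        case "$hash" in
            '*'|'!'*) ;;                       # locked: "*", "!" or "!<hash>"
            '') echo "$user: no shadow entry" ;;
            *) echo "$user: password hash is not locked" ;;
        esac
        [ -n "$gecos" ] || echo "$user: empty GECOS description"
        case "$home" in
            /home/*) echo "$user: home directory $home is under /home" ;;
        esac
    done
}

# Demo run over the sample data; on a host, pass the contents of /etc/passwd and /etc/shadow.
audit_system_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On the sample data this reports gateone twice (shell /bin/sh and an unlocked hash), postgres once (shell /bin/bash) and ntp once (empty GECOS), while daemon passes and alice is ignored as a regular user.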