LinuxQuestions.org
Old 07-21-2011, 10:46 AM   #1
macogala
LQ Newbie
 
Registered: Jul 2011
Location: Italy
Distribution: Debian
Posts: 6

Rep: Reputation: Disabled
useradd -r option and system account question


Hi everyone,
first of all excuse me for my English (I'm Italian).

Since I have never had the need to create one, the first time I encountered it I asked myself: what is it?

I was looking for MySQL installation guidelines on mysql.com, when, reading them, I found this command:

shell> useradd -r -g mysql mysql

Now, I read the man page of useradd looking for an explanation of the -r option, but I didn't find it useful.
It just says that the -r option creates a system account, but it doesn't say anything else.

So my question is: what is a system account?

A few lines under the command it says:
"Because the user is required only for ownership purposes, not login purposes, the useradd command uses the -r option to create a user that does not have login permissions to your server host."

What would be the benefit if the mysql user has no login permission?

I hope I have been clear.
Thank you so much for any answer.

Marco Galassi
 
Old 07-21-2011, 11:06 AM   #2
rch
Member
 
Registered: Feb 2003
Location: Santa Clara,CA
Distribution: Mandriva
Posts: 909

Rep: Reputation: 48
Interesting question. The passwd (/etc/passwd) file is the file with a list of users. If you look at the passwd file, you will see that users have uid and gid after the username. For example root is uid 0 and gid 0. If UID_MIN is set to 500 in /etc/login.defs that means that any user that is created with useradd will now have a uid greater than 500. But if you specify the -r option, that means that you create a uid which is less than 500. So, what's the significance? The password, home directory and other settings from login.defs will not apply to this user. You have to manually create a home directory with -m parameter (man useradd).
 
Old 07-21-2011, 03:45 PM   #3
brian-ocs
LQ Newbie
 
Registered: Jul 2011
Location: San Diego, CA
Distribution: CentOS 6, Linux Mint Debian Edition
Posts: 18

Rep: Reputation: 1
System Accounts & /sbin/nologin

Marco,

System accounts are reserved for services and daemons. Old Unix systems would typically allow daemons and services access to files as root, which can create serious security problems if a service is hijacked. Thus, system accounts were implemented to limit the access that certain services and daemons have to files, etc. on the system. With system accounts, access by services can be restricted to files pertinent to the service, and in this way limit the amount of damage that can be caused if the service is hijacked. A shell of "/sbin/nologin" prevents anyone from logging in to a service account, making it that much more difficult to compromise the service.

If you are installing with .deb or .rpm packages, the creation of special system accounts, files, and directories will most likely be handled by installation scripts within the package.

Hope that helps,
 
Old 07-21-2011, 06:28 PM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,357

Rep: Reputation: 2367
Indeed
Quote:
This flag is used to create a system account. That is, a user with a UID lower than the value of UID_MIN defined in /etc/login.defs and whose password does not expire. Note that useradd will not create a home directory for such an user, regardless of the default setting in /etc/login.defs. You have to specify -m option if you want a home directory for a system account to be created. This is an option added by Red Hat
http://linux.die.net/man/8/useradd
As above, it's the fact its uid is < UID_MIN (not always 500, some use 1000) and no passwd expire and no login shell.
The uid thing is just for simple admin checking, no passwd expire is self-evident & no login is (as above) a security issue.
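
Added example, not part of any post in this thread: the UID and login-shell properties discussed above can be checked directly on passwd-format input. The sample lines are constructed, and the fallback UID_MIN of 1000 and the function names are assumptions of this sketch.

```sh
#!/bin/sh
# Added example: list system accounts that still have an interactive shell.

# Constructed sample in /etc/passwd format (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:105:110:MySQL Server:/nonexistent:/bin/false
backup:x:34:34:backup:/var/backups:/bin/sh
marco:x:1000:1000:Marco:/home/marco:/bin/bash'

# uid_min_from FILE: print UID_MIN from a login.defs-style file.
# Falls back to 1000 (an assumption) when the file or the key is missing.
uid_min_from() {
    v=$(awk '$1 == "UID_MIN" { print $2; exit }' "$1" 2>/dev/null) || v=""
    echo "${v:-1000}"
}

# login_capable_system_accounts UID_MIN: read passwd lines on stdin and print
# the names of accounts with 0 < UID < UID_MIN whose shell field is not a
# no-login shell. An empty shell field means the default shell, so it counts.
login_capable_system_accounts() {
    awk -F: -v min="$1" '
        ($3 + 0) > 0 && ($3 + 0) < (min + 0) && $7 !~ /\/(nologin|false)$/ {
            print $1
        }'
}

# Stand-alone run on the sample: prints the one account that needs review.
printf '%s\n' "$SAMPLE_PASSWD" | login_capable_system_accounts 1000
```

On a real host the same function can be fed with `login_capable_system_accounts "$(uid_min_from /etc/login.defs)" < /etc/passwd`.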
 
Old 07-22-2011, 04:14 AM   #5
macogala
LQ Newbie
 
Registered: Jul 2011
Location: Italy
Distribution: Debian
Posts: 6

Original Poster
Rep: Reputation: Disabled
Ok, so system accounts are reserved for services and daemons.

In fact I should create one specifically to run apache's daemon httpd.
Here now another doubt about Apache Web Server and system accounts.

I have on my system a personal account, called marco, with user privileges: that's the usual user I use (excuse me for this word trick). Since I have created the server system account just to run the httpd daemon, doesn't this mean that every html document I want to put into my document root must be owned by the apache system account? Or should I create html documents with my usual account marco, and then switch its owner into apache with chown or change its read, write, execute privileges with chmod?

Thank you

Marco Galassi
 
Old 07-22-2011, 11:09 AM   #6
brian-ocs
LQ Newbie
 
Registered: Jul 2011
Location: San Diego, CA
Distribution: CentOS 6, Linux Mint Debian Edition
Posts: 18

Rep: Reputation: 1
Marco,

You should be able to create html content as any user anywhere on the system. After the files are created, just be sure to use cp and not mv (either as root or with sudo) to transfer them to your html directory.

With the cp command, files will inherit the ownership and permission of the directory they are copied into (and SELinux contexts, if your system uses SELinux). With mv, files will retain their original ownership and permissions and not be accessible by the apache daemon.

Also, /var/www/html/ is actually owned by root.
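
Added example, not part of any post in this thread: a check of the outcome this exchange is concerned with, namely whether files in the document root can be read by the web server's account without being owned by it. The function name, the tags and the demo tree are assumptions of this sketch; the demo uses a UID other than the current user's to stand in for the service account.

```sh
#!/bin/sh
# Added example: audit a document root for three conditions that matter when
# the web server runs under a dedicated system account.
#   SVC_OWNED       file belongs to the service account, so a hijacked
#                   service could rewrite its own content
#   UNREADABLE      no other-read bit; an account that is neither owner nor
#                   group member cannot serve the file
#   WORLD_WRITABLE  any local account can modify the file

# docroot_report DIR SVC: DIR is the document root, SVC the service account
# name or numeric UID. Prints one "TAG path" line per finding, sorted.
docroot_report() {
    {
        find "$1" -type f -user "$2"   | sed 's/^/SVC_OWNED /'
        find "$1" -type f ! -perm -004 | sed 's/^/UNREADABLE /'
        find "$1" -type f -perm -002   | sed 's/^/WORLD_WRITABLE /'
    } | sort
}

# Constructed demo tree in a temporary directory. The current user plays the
# content author; a different numeric UID stands in for the service account.
demo() {
    d=$(mktemp -d) || return 1
    svc_uid=$(( $(id -u) + 1 ))
    for f in index.html draft.html upload.html; do : > "$d/$f"; done
    chmod 644 "$d/index.html"     # readable by everyone, writable by owner
    chmod 600 "$d/draft.html"     # owner only: the server cannot read it
    chmod 666 "$d/upload.html"    # anyone can modify it
    docroot_report "$d" "$svc_uid" | sed "s|$d/||"
    rm -rf "$d"
}

demo
```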
 
Old 07-23-2011, 03:04 AM   #7
macogala
LQ Newbie
 
Registered: Jul 2011
Location: Italy
Distribution: Debian
Posts: 6

Original Poster
Rep: Reputation: Disabled
Ok then.
Thank you all for the help.

Marco Galassi
 
  


All times are GMT -5.