LinuxQuestions.org > Linux - Newbie
useradd -r option and system account question (https://www.linuxquestions.org/questions/linux-newbie-8/useradd-r-option-and-system-account-question-892978/)

macogala 07-21-2011 10:46 AM

useradd -r option and system account question
 
Hi everyone,
first of all, excuse me for my English (I'm Italian).

Since I have never had the need to create one, the first time I encountered it I asked myself: what is it?

I was looking for MySQL installation guidelines on mysql.com when, reading them, I found this command:

shell> useradd -r -g mysql mysql

Now, I read the man page of useradd looking for an explanation of the -r option, but I didn't find it useful.
It just says that the -r option creates a system account, but it doesn't say anything else.

So my question is: what is a system account?

Few lines under the command it says:
"Because the user is required only for ownership purposes, not login purposes, the useradd command uses the -r option to create a user that does not have login permissions to your server host."

What would be the benefits if the mysql user does not have login permission?

I hope I have been clear.
Thank you so much for any answer.

Marco Galassi

rch 07-21-2011 11:06 AM

Interesting question. The passwd file (/etc/passwd) is the file with a list of users. If you look at the passwd file, you will see that users have a uid and gid after the username. For example, root is uid 0 and gid 0. If UID_MIN is set to 500 in /etc/login.defs, that means that any user that is created with useradd will now have a uid greater than 500. But if you specify the -r option, that means that you create a uid which is less than 500. So, what's the significance? The password, home directory and other settings from login.defs will not apply to this user. You have to manually create a home directory with the -m parameter (man useradd).
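An added example, not part of the thread, of the check this post describes: read UID_MIN from a login.defs-style file, classify passwd entries as system or regular accounts by that threshold, and flag the system accounts that still carry an interactive shell. The login.defs and passwd fragments are constructed here (the 500 threshold matches the value discussed above; the account names and uids are made up) so the script runs without root; on a real host pass it /etc/login.defs and /etc/passwd. The caveat worth knowing: useradd -r only changes the uid range, home-directory and expiry behaviour; the shell still comes from /etc/default/useradd, so a MySQL-style `useradd -r -g mysql mysql` needs an explicit `-s /sbin/nologin` (or /usr/sbin/nologin on Debian-derived systems) if the account is not supposed to be loginable.

```shell
#!/bin/sh
# Added example (not from the thread): classify passwd entries the way
# useradd -r draws the line, i.e. uid < UID_MIN from login.defs, and flag
# system accounts that still have an interactive shell. Sample files are
# constructed inline so this runs unprivileged; on a real host pass
# /etc/login.defs and /etc/passwd (or the output of getent passwd).

TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

# Constructed login.defs fragment using the 500 threshold mentioned above.
cat > "$TMPD/login.defs" <<'EOF'
# constructed sample
UID_MIN   500
UID_MAX 60000
EOF

# Constructed passwd entries; "mysql" deliberately has a login shell.
cat > "$TMPD/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
marco:x:500:500:Marco Galassi:/home/marco:/bin/bash
EOF

# uid_min LOGIN_DEFS -> value of UID_MIN, or shadow-utils' default 1000 if unset
uid_min() {
    awk '$1 == "UID_MIN" { v = $2 } END { print (v == "" ? 1000 : v) }' "$1"
}

# classify_accounts LOGIN_DEFS PASSWD -> "name uid shell class" per entry,
# class being "system" when uid < UID_MIN and "regular" otherwise
classify_accounts() {
    min=$(uid_min "$1")
    awk -F: -v min="$min" '{
        cls = ($3 + 0 < min + 0) ? "system" : "regular"
        print $1, $3, $7, cls
    }' "$2"
}

# system_accounts_with_login_shell LOGIN_DEFS PASSWD -> names of non-root
# system accounts whose shell is not nologin/false, i.e. daemon accounts
# that could be logged into if a password were ever set or guessed
system_accounts_with_login_shell() {
    classify_accounts "$1" "$2" |
        awk '$4 == "system" && $2 != 0 && $3 !~ /(nologin|false)$/ { print $1 }'
}

classify_accounts "$TMPD/login.defs" "$TMPD/passwd"
echo "system accounts with a login shell:"
system_accounts_with_login_shell "$TMPD/login.defs" "$TMPD/passwd"
```

On the constructed data the last function reports only mysql: apache already has /sbin/nologin, root is excluded on purpose, and marco sits at UID_MIN itself and is therefore a regular account. Run the same two functions against the live files after `useradd -r` to confirm the new account landed below UID_MIN with a non-login shell.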

brian-ocs 07-21-2011 03:45 PM

System Accounts & /sbin/nologin
 
Marco,

System accounts are reserved for services and daemons. Old Unix systems would typically allow daemons and services access to files as root, which can create serious security problems if a service is hijacked. Thus, system accounts were implemented to limit the access that certain services and daemons have to files, etc. on the system. With system accounts, access by services can be restricted to files pertinent to the service, and in this way limit the amount of damage that can be caused if the service is hijacked. A shell of "/sbin/nologin" prevents anyone from logging in to a service account, making it that much more difficult to compromise the service.

If you are installing with .deb or .rpm packages the creation of special system accounts, files, and directories will most likely be handled by installation scripts within the package.

Hope that helps,

chrism01 07-21-2011 06:28 PM

Indeed
Quote:

This flag is used to create a system account. That is, a user with a UID lower than the value of UID_MIN defined in /etc/login.defs and whose password does not expire. Note that useradd will not create a home directory for such a user, regardless of the default setting in /etc/login.defs. You have to specify the -m option if you want a home directory for a system account to be created. This is an option added by Red Hat.
http://linux.die.net/man/8/useradd
As above, it's the fact that its uid is < UID_MIN (not always 500, some use 1000), no password expiry and no login shell.
The uid thing is just for simple admin checking, no passwd expire is self-evident & no login is (as above) a security issue.

macogala 07-22-2011 04:14 AM

Ok, so system accounts are reserved for services and daemons.

In fact, I should create one specifically to run Apache's daemon httpd.
Here now another doubt about Apache Web Server and system accounts.

I have on my system a personal account, called marco, with user privileges: that's the user I usually use (excuse me for the word play). Since I have created the server system account just to run the httpd daemon, doesn't this mean that every HTML document I want to put into my document root must be owned by the apache system account? Or should I create HTML documents with my usual account marco, and then change their owner to apache with chown, or change their read, write and execute permissions with chmod?

Thank you

Marco Galassi

brian-ocs 07-22-2011 11:09 AM

Marco,

You should be able to create HTML content as any user anywhere on the system. After the files are created, just be sure to use cp and not mv (either as root or with sudo) to transfer them to your html directory.

With the cp command, files will inherit the ownership and permission of the directory they are copied into (and SELinux contexts, if your system uses SELinux). With mv, files will retain their original ownership and permissions and not be accessible by the apache daemon.

Also, /var/www/html/ is actually owned by root.
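Whichever way the files get into the document root, what decides whether httpd can serve them is whether the daemon's own user can read them. The script below is an added example, not from the thread, that audits a document root for content the apache user could not read and then applies the conventional 644/755 layout. It assumes the daemon is neither the owner nor a member of the files' group, so the "others" permission bits are what apply (static content does not need to be owned by apache, only readable by it); the sample tree is constructed under mktemp, with one private draft standing in for a file that was moved in with mv from a home directory, so the script runs unprivileged. Ownership is deliberately left alone, since chown needs root and is not required for read access. Run it against /var/www/html (or your DocumentRoot) with sudo on the real host.

```shell
#!/bin/sh
# Added example (not from the thread): find content under a document root
# that a daemon running as a different, non-group user (e.g. apache) cannot
# read, then fix the permission bits. Assumes the daemon is neither owner
# nor group member, so the "others" bits decide access.

# build_sample_docroot DIR -> constructed tree: one world-readable page and
# one private draft inside a 0700 directory (what a file moved in with mv
# from a 077-umask home directory looks like)
build_sample_docroot() {
    chmod 755 "$1"
    printf '<h1>ok</h1>\n' > "$1/index.html"
    chmod 644 "$1/index.html"
    mkdir "$1/private"
    printf '<h1>draft</h1>\n' > "$1/private/draft.html"
    chmod 700 "$1/private"
    chmod 600 "$1/private/draft.html"
}

# unreadable_by_others DIR -> relative paths of regular files lacking o+r
# and directories lacking o+x (search permission), sorted. Either one is
# enough to stop httpd serving the content.
unreadable_by_others() {
    ( cd "$1" && find . \( -type f ! -perm -004 \) -o \( -type d ! -perm -001 \) | sort )
}

# make_readable_by_others DIR -> grant o+r everywhere and o+x only on
# directories (and files that are already executable): the usual 644/755
# layout for static content. Ownership is unchanged.
make_readable_by_others() {
    chmod -R o+rX "$1"
}

DOCROOT=$(mktemp -d)
trap 'rm -rf "$DOCROOT"' EXIT
build_sample_docroot "$DOCROOT"

echo "not readable by others before the fix:"
unreadable_by_others "$DOCROOT"
make_readable_by_others "$DOCROOT"
echo "not readable by others after the fix:"
unreadable_by_others "$DOCROOT"
```

Before the fix the audit lists ./private and ./private/draft.html; after `chmod -R o+rX` it lists nothing. On a SELinux host the same audit needs a second pass with `ls -Z` or `restorecon -Rv` for the file contexts, which plain mode bits do not show.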

macogala 07-23-2011 03:04 AM

Ok then.
Thank you all for the help.

Marco Galassi

