For security reasons, you might need to create a Linux user without the ability to log in. Jack Wallen shows you how.
As a Linux system administrator, there are times when you might need to create a user who doesn’t have the ability to log in. When would that type of user be necessary? Say, for instance, you have to create a user for an application to function properly, but you don’t want that user to either have a home directory or the ability to log in.
The reason is security. The more users you have on your Linux system, the higher the chances that malicious actors can break in and wreak havoc. This is especially true when we’re talking about a user account that won’t be used by an actual human, so it won’t be monitored in any way.
There are a number of ways to take care of this task, but I want to show you the correct way to do it.
What you’ll need
How to create the Linux account
Remember, we’re creating a Linux account that cannot log in. In other words, this is a system account. Let’s say the account you want to create is called nouser. There are two proper ways to create this system account.
The first method requires you to manually configure the shell, such that the user cannot log in. Log in to your Linux server or desktop and issue the command:
sudo adduser nouser --shell=/bin/false
This will set the shell to /bin/false, so the nouser user will not be able to log in. You will be asked to enter and verify a password and then fill out information for the user (Figure A).
The next method uses the --system option like so:
sudo adduser nouser --system
The above method will create the account without a password and without a login shell, so it cannot log in. However, the above method also creates a home directory. If you don’t want the home directory created, the command would then be:
sudo adduser nouser --system --no-create-home
Unless you absolutely have to have a home directory for the account, the absolute safest method is the last method. Why? Because there is no password for the account, nor is there a home directory.
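To confirm that an account created with the commands above really cannot log in, you can check its passwd and shadow entries. The script below is an added example, not part of the original article; the function name audit_account, the finding labels and the sample entries are constructed for illustration.

```shell
# Added example (not from the original article): check that an account
# created with the adduser commands above really cannot log in.

# audit_account PASSWD_LINE SHADOW_LINE
# Prints "ok" or a space-separated list of findings.
audit_account() {
    # /etc/passwd fields: name:x:uid:gid:gecos:home:shell
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    # /etc/shadow field 2 is the password hash
    hash=$(printf '%s\n' "$2" | cut -d: -f2)
    findings=""

    # Shells that refuse an interactive session
    case $shell in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) ;;
        *) findings="$findings interactive-shell" ;;
    esac

    # '!' or '*' at the start means no password will ever match.
    # A usable hash still authenticates to services that never start
    # the login shell, so it is reported even when the shell is /bin/false.
    case $hash in
        '!'*|'*'*) ;;
        '') findings="$findings empty-password" ;;
        *) findings="$findings password-set" ;;
    esac

    if [ -z "$findings" ]; then
        echo "ok"
    else
        echo "${findings# }"
    fi
}

# Constructed sample entries, not taken from a real system.
# Method 1: adduser nouser --shell=/bin/false (a password was entered)
M1_PASSWD='nouser:x:1001:1001:,,,:/home/nouser:/bin/false'
M1_SHADOW='nouser:$6$EXAMPLESALT$EXAMPLEHASH:19000:0:99999:7:::'
# Method 3: adduser nouser --system --no-create-home
M3_PASSWD='nouser:x:115:65534::/home/nouser:/usr/sbin/nologin'
M3_SHADOW='nouser:!:19000:0:99999:7:::'

echo "method 1: $(audit_account "$M1_PASSWD" "$M1_SHADOW")"
echo "method 3: $(audit_account "$M3_PASSWD" "$M3_SHADOW")"
```

On a live host, pass the function the output of getent passwd nouser and sudo getent shadow nouser instead of the sample entries.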
How to add a user to a group
Often, system accounts belong to groups. Say this user needs to belong to the www-data group. To do that you would first create the user with the adduser command and then add them to the www-data group with the command:
sudo usermod -aG www-data nouser
You now have a system account that cannot log in and that is part of the www-data group.
Congratulations, you now know how to create Linux system users who cannot log in and do not have a home directory. Use those users wisely.