For security reasons, you might need to create a Linux user without the ability to log in. Jack Wallen shows you how.


As a Linux system administrator, there are times when you might need to create a user who doesn’t have the ability to log in. When would that type of user be necessary? Say, for instance, you have to create a user for an application to function properly, but you don’t want that user to either have a home directory or the ability to log in.

Why?

Security. The more users you have on your Linux system, the higher the chances malicious actors can break in and wreak havoc. This is especially true when we’re talking about a user account that won’t be used by an actual human, so it won’t be monitored in any way. 

There are a number of ways to take care of this task, but I want to show you the correct way to do it.


What you’ll need

How to create the Linux account

Remember, we’re creating a Linux account that cannot log in. In other words, this is a system account. Let’s say the account you want to create is called nouser. There are two proper ways to create this system account.

The first method requires you to manually configure the shell, such that the user cannot log in. Log in to your Linux server or desktop and issue the command:

sudo adduser nouser --shell=/bin/false

This will set the shell to /bin/false, so the nouser user will not be able to log in. You will be asked to enter and verify a password and then fill out information for the user (Figure A).

Figure A

Creating the nouser account with adduser.


The next method uses the --system option like so:

sudo adduser nouser --system

The above command creates the account without a password and without a usable login shell, so it cannot log in. However, it also creates a home directory. If you don’t want the home directory created, the command would be:

sudo adduser nouser --system --no-create-home

Unless you absolutely have to have a home directory for the account, the absolute safest method is the last method. Why? Because there is no password for the account, nor is there a home directory. 
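To check which of the methods above an existing account actually matches, here is an added example (not part of the original article) that audits one passwd line and its shadow line. It treats a set password as a finding, because a /bin/false shell alone leaves the password hash in place. The function name audit_account and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example. Sample lines below are constructed, not from a real system.
# Audit one account from its passwd(5) line and matching shadow(5) line.
# Returns 0 only if the shell is non-login AND no usable password is set.
audit_account() {
    # passwd(5): name:x:UID:GID:GECOS:home:shell   shadow(5): name:hash:...
    name=$(printf '%s\n' "$1" | cut -d: -f1)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    hash=$(printf '%s\n' "$2" | cut -d: -f2)
    rc=0
    case $shell in
        /bin/false|/usr/bin/false|/sbin/nologin|/usr/sbin/nologin)
            echo "$name: shell ok ($shell)" ;;
        '') echo "$name: EMPTY SHELL FIELD (defaults to /bin/sh)"; rc=1 ;;
        *)  echo "$name: LOGIN SHELL ($shell)"; rc=1 ;;
    esac
    case $hash in
        '!'*|'*'*) echo "$name: password locked" ;;
        '')        echo "$name: EMPTY PASSWORD FIELD"; rc=1 ;;
        *)         echo "$name: PASSWORD SET"; rc=1 ;;
    esac
    # Informational only: the home field may name a path that was never created.
    if [ -d "$home" ]; then
        echo "$name: home directory exists ($home)"
    else
        echo "$name: no home directory on disk"
    fi
    return $rc
}

# Constructed sample: first method (--shell=/bin/false, password entered)
PW_SHELL_ONLY='nouser:x:1001:1001:,,,:/home/nouser:/bin/false'
SH_SHELL_ONLY='nouser:$6$CONSTRUCTED$notARealHash:19000:0:99999:7:::'
# Constructed sample: last method (--system --no-create-home)
PW_SYSTEM='nouser:x:112:65534::/nonexistent:/usr/sbin/nologin'
SH_SYSTEM='nouser:!:19000::::::'

audit_account "$PW_SHELL_ONLY" "$SH_SHELL_ONLY" || echo "=> findings above"
audit_account "$PW_SYSTEM" "$SH_SYSTEM" && echo "=> compliant"
```

On a live system, the two arguments can come from getent passwd nouser and sudo getent shadow nouser.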

How to add a user to a group

Often, system accounts belong to groups. Say this user needs to belong to the www-data group. To do that you would first create the user with the adduser command and then add them to the www-data group with the command:

sudo usermod -aG www-data nouser

You now have a system account that cannot log in and is part of the www-data group.

Congratulations, you now know how to create Linux system users who cannot log in and do not have a home directory. Use those users wisely.
