3

On an Ubuntu machine, if I run the following command:

adduser --system --no-create-home system-user

I create a system user named system-user without home directory with /bin/false as the shell. This user belongs to the nogroup (GID 65534) by default. I want to use this user to run a daemon on my system.

But what about the password? Can I or someone else somehow login into this system account? I thought that maybe the password is empty, so I just tried to press Enter when the Password: prompt appears in su system-user:

$ su system-user
Password:
su: Authentication failure

Is it because of the /bin/false shell? I don't know it because adduser and useradd manuals don't say how the password of system users is handled when the system user is created. Can I be sure that no one in the system can login as this system user? Or should I do something else in order to protect this account? I would like that only the daemon will be able to use it and no one else...

Improve this question
1
  • Please note the difference between su system-user and sudo su system-user (or running su system-user as root): You will be able to su into that user, independently of the fact if there is a password set. Most system users however have /usr/sbin/nologin or /bin/false as default shells, making it impossible to successfully su into that user. Changing the default shell will allow you assigning system-user's identity. Commented Aug 25, 2015 at 9:03

2 Answers 2

Reset to default
4

The account will be setup without login possibilities as there is no valid password assigned to the account, and that is different from no password.

You can check this by doing sudo grep -f system-user /etc/shadow. The second field (between the first and second colon (:)) will be a '*' and no hash of any password you can provide will match against that. For that you have to set the password explicitly.

Apart from that, the /bin/false entry for an account with a password will not give you "Authentication failure", it will just immediately log you out without any message at all (as you can easily try by making a temporary account with a valid password)

Improve this answer
2
  • Thanks! Yes, when I cat /etc/shadow, system-user has an * in the second field. All the other daemons have the asterisk in the second field too. Just as a side note, root has an ! instead of an * in the second field, what does it mean? I knew that ! means password is locked, however I can log in into root using sudo... Commented Aug 25, 2015 at 8:22
  • 1
    @user3019105 That means you cannot login as root, (e.g. from the console), sudo in most out-of-the-box setups require you to provide the password you use for your username, not the root password. Commented Aug 25, 2015 at 8:26
1

You should first initialize the passwd of your user :

$passwd system-user

then return two times in order to create a blank passwd.

You can verify that there's no passwd in the file /etc/shadows (the second field should be empty). But yes, this account will not be protected even with no $HOME neither shell. All users with a sudo account will be able to use it.

Improve this answer
2
  • I read the OPs question as that result is exactly what is not wanted. Commented Aug 25, 2015 at 8:27
  • (cannot edit for some reason), but it is /etc/shadow not /etc/shadows Commented Aug 25, 2015 at 8:41

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.