The first step when starting with a new server is almost invariably creating a new user so that you can disable root logins over SSH. Adding the new user is something to which not much thought is given. Let's explore this in greater detail and understand how to create users associated with specific groups, and how to create users who can't log in but can still perform operations on the server.
The default usage is adduser {user-name}. When issued, it performs some key functions.
When invoked with no options other than the user name, it creates a regular new user, defines a home directory, and then prompts for a password. You will then be asked for information about the new user (name, phone number, etc.):
# adduser support
Adding user `support' ...
Adding new group `support' (1002) ...
Adding new user `support' (1001) with group `support' ...
Creating home directory `/home/support' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Changing the user information for support
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
When set up this way, every new user is assigned a new group of their own. In our example, a new group called support is created.
You may want to assign multiple user ids to a single group to make it easier to manage permissions. Extending our previous example, we add additional users to the support group:
# adduser supp001 --ingroup support
Adding user `supp001' ...
Adding new user `supp001' (1002) with group `support' ...
Creating home directory `/home/supp001' ...
Copying files from `/etc/skel' ...
Enter new UNIX password:
You can verify that they belong to the same group by listing their home directories:
# ls -la /home
total 20
drwxr-xr-x 5 root root 4096 Jan 28 13:46 .
drwxr-xr-x 23 root root 4096 Oct 1 10:32 ..
drwxr-xr-x 3 administrator administrator 4096 Oct 1 00:57 administrator
drwxr-xr-x 2 supp001 support 4096 Jan 28 13:46 supp001
drwxr-xr-x 2 support support 4096 Jan 28 13:44 support
You can confirm that these accounts were created by viewing the /etc/passwd file:
support:x:1001:1002:,,,:/home/support:/bin/bash
supp001:x:1002:1002:,,,:/home/supp001:/bin/bash
In the above examples, /bin/bash is the shell to be used by the user. This can be overridden when you create the new user:
# adduser --shell /bin/dash dasher
When you list this user in the passwd file, you can see the custom shell:
dasher:x:1003:1003:,,,:/home/dasher:/bin/dash
Usually, the home directory is a folder under /home named after the user. You can override this with the --home option. Let's say you want to create a user webdev and set their home directory to /var/www; you can enter:
# adduser --home /var/www webdev
When listing this user, you can see:
webdev:x:1004:1004:,,,:/var/www:/bin/bash
You can also choose not to create a home directory. In such cases, the user's working directory at login falls back to the root folder:
# adduser --no-create-home beroot
The user in the passwd file looks like this:
beroot:x:1005:1005:,,,:/home/beroot:/bin/bash
Though the passwd file lists a home directory, the directory does not exist:
# ls -la /home
total 24
drwxr-xr-x 6 root root 4096 Jan 28 14:16 .
drwxr-xr-x 23 root root 4096 Oct 1 10:32 ..
drwxr-xr-x 2 dasher dasher 4096 Jan 28 14:16 dasher
drwxr-xr-x 2 supp001 support 4096 Jan 28 13:46 supp001
drwxr-xr-x 2 support support 4096 Jan 28 13:44 support
Users of your server may feel more at ease if you allow them to change their password when they log in for the first time. Once you set up the new user (supp003, for example) with a password, you can enter the command:
# passwd -e supp003
This expires their password immediately, and they will be forced to change it the next time they log in.
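Putting the steps above together, here is an added example (not code from the original article) that provisions a shared group and its members as one script: create the group once, add each member with --ingroup and an optional --shell, and expire the initial password with passwd -e. It assumes the addgroup command that ships in the same Debian adduser package; DRY_RUN is a variable of this script, not an adduser option, and the team names are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. adduser needs root and
# prompts for each password interactively, so the script defaults to
# DRY_RUN=1 (a variable of this script) and only prints what it would run.
DRY_RUN="${DRY_RUN:-1}"

# run CMD ARGS...: print the command in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# ensure_group NAME: create the shared group once (addgroup is the group
# counterpart of adduser from the same package); skip if it already exists.
ensure_group() {
    if getent group "$1" >/dev/null 2>&1; then
        printf 'group %s already exists, skipping\n' "$1" >&2
        return 0
    fi
    run addgroup "$1"
}

# provision_user NAME GROUP [SHELL]: add a member of GROUP with an optional
# non-default shell, then expire the initial password so the person must
# choose their own at first login. Idempotent: existing users are skipped.
provision_user() {
    name=$1; group=$2; shell=${3:-/bin/bash}
    if id "$name" >/dev/null 2>&1; then
        printf 'user %s already exists, skipping\n' "$name" >&2
        return 0
    fi
    run adduser --ingroup "$group" --shell "$shell" "$name"
    run passwd -e "$name"
}

# Constructed sample team; with DRY_RUN=1 this prints the commands only.
main() {
    ensure_group support
    provision_user supp001 support
    provision_user supp002 support /bin/dash
}

main
```

Run it as root with DRY_RUN=0 to apply the changes; the group and user existence checks make it safe to re-run when a new team member is added to the list.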
In some cases we would like to define users to run applications such as a daemon or a service. These users don't usually need an interactive login or a mail directory. You can define them by using the --system option:
# adduser --system webserv
Adding system user `webserv' (UID 112) ...
Adding new user `webserv' (UID 112) with group `nogroup' ...
Creating home directory `/home/webserv' ...
You will not be able to log in to this account:
# su webserv
This account is currently not available.
The system account is assigned to nogroup, unlike normal users, who get a new group created. The account in passwd looks like this:
webserv:x:112:65534::/home/webserv:/usr/sbin/nologin
The /usr/sbin/nologin shell specifies that the account cannot be used to log in. (You can also create a normal user with login disabled by setting the shell to /usr/sbin/nologin.)
One final note on system users: they have a low UID (below 1000; our example has 112). Some programs check this value to automatically determine whether the user is a normal user or a system user, and allow or disallow access accordingly.
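The group column in the home directory listing, the shell field in /etc/passwd and the UID boundary at 1000 are all things an administrator wants to check on a running host, not only at creation time. The following added example (not code from the original article) audits passwd-format entries on stdin: it lists the primary members of a group, the regular accounts that can actually start a session, and any system account (UID below 1000) that unexpectedly keeps a login shell. The sample entries are constructed from the article's examples plus one deliberately misconfigured service account; on a real host pipe in `getent passwd` instead.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed passwd-format
# sample: the article's accounts plus "backup-svc", a system account that
# was (wrongly) given /bin/sh instead of /usr/sbin/nologin.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
administrator:x:1000:1000:,,,:/home/administrator:/bin/bash
support:x:1001:1002:,,,:/home/support:/bin/bash
supp001:x:1002:1002:,,,:/home/supp001:/bin/bash
dasher:x:1003:1003:,,,:/home/dasher:/bin/dash
webserv:x:112:65534::/home/webserv:/usr/sbin/nologin
backup-svc:x:113:65534::/var/backups:/bin/sh'

# is_nologin_shell SHELL: true for shells that cannot start a session.
is_nologin_shell() {
    case "$1" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false|/usr/bin/false|"") return 0 ;;
        *) return 1 ;;
    esac
}

# users_in_group GID: names whose primary group is GID, i.e. what the
# group column of `ls -la /home` shows. Reads passwd lines on stdin.
users_in_group() {
    awk -F: -v gid="$1" '$4 == gid { print $1 }'
}

# interactive_accounts: regular users (UID >= 1000) with a real shell.
interactive_accounts() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$uid" -ge 1000 ] && ! is_nologin_shell "$shell"; then
            printf '%s\n' "$name"
        fi
    done
}

# system_with_login_shell: system accounts (0 < UID < 1000) that can log
# in; root is excluded because a shell there is expected.
system_with_login_shell() {
    while IFS=: read -r name pw uid gid gecos home shell; do
        if [ "$uid" -gt 0 ] && [ "$uid" -lt 1000 ] && ! is_nologin_shell "$shell"; then
            printf '%s (uid %s, shell %s)\n' "$name" "$uid" "$shell"
        fi
    done
}

echo "members of group 1002:"
printf '%s\n' "$SAMPLE_PASSWD" | users_in_group 1002
echo "interactive accounts:"
printf '%s\n' "$SAMPLE_PASSWD" | interactive_accounts
echo "system accounts with a login shell:"
printf '%s\n' "$SAMPLE_PASSWD" | system_with_login_shell
```

The last report is the one worth scheduling: a service account that acquires a login shell is a common leftover of debugging sessions, and the fix is the same as the article describes, pointing the shell back at /usr/sbin/nologin.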
In some tutorials, you may have seen the command useradd used instead of adduser. The former is a low-level utility that adduser invokes to carry out the process of adding users. You can achieve the same results using either command. However, the options passed to useradd are slightly different from those described above. Another important difference is that when an id is created using useradd, it is disabled and cannot be used until a password is set using the passwd command.
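Both the passwd -e expiry described earlier and the disabled state that useradd leaves behind are visible in /etc/shadow: passwd -e sets the last-change field to 0, and a disabled account carries a "!" or "*" in the password field. The following added example (not code from the original article) classifies shadow-format entries into those states so that an administrator can see which accounts are expired, which are locked, and, most importantly, which have no password at all. The sample lines are constructed and the hash values are placeholders, not real hashes; on a real host, run it as root with `audit_shadow < /etc/shadow`.

```shell
#!/bin/sh
# Added example, not from the original article. Constructed shadow-format
# sample (fields: name:hash:lastchange:min:max:warn:inactive:expire:).
# PLACEHOLDER strings stand in for real salted hashes.
SAMPLE_SHADOW='administrator:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:19000:0:99999:7:::
supp003:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0:99999:7:::
newbie:!:19000:0:99999:7:::
webserv:*:19000:0:99999:7:::
guest::19000:0:99999:7:::'

# password_state HASHFIELD LASTCHANGE: prints one word for the account:
#   empty   - no password at all, anyone can log in with just the name
#   locked  - "!" or "*" prefix: password login disabled (useradd default,
#             system accounts)
#   expired - last-change day 0, as set by passwd -e: must change at login
#   set     - a usable password
password_state() {
    hash=$1; last=$2
    case "$hash" in
        "") echo empty ;;
        \!*|\**) echo locked ;;
        *) if [ "$last" = 0 ]; then echo expired; else echo set; fi ;;
    esac
}

# audit_shadow: reads shadow lines on stdin, prints "name state" per line.
audit_shadow() {
    while IFS=: read -r name hash last rest; do
        printf '%s %s\n' "$name" "$(password_state "$hash" "$last")"
    done
}

# needs_attention: only the states an administrator should act on.
# "empty" is a finding; "expired" is expected right after passwd -e but
# should clear once the user has logged in and changed the password.
needs_attention() {
    audit_shadow | awk '$2 == "empty" || $2 == "expired"'
}

echo "all accounts:"
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
echo "needs attention:"
printf '%s\n' "$SAMPLE_SHADOW" | needs_attention
```

A locked account is what you want for service users and for ids created with useradd that nobody has set a password for yet; an empty password field is never acceptable and should be fixed with passwd or by locking the account with passwd -l.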
Setting up specific users for tasks improves security on the server and allows you to work with the least privileges required for the work to be done.