Create a system account
Understand that many services require their own account and that such accounts should not be usable for logins.
A system account is an account created for a specific purpose, typically to run a specific daemon. Such accounts are normal accounts with a UID, but usually differ from user accounts in a few ways:
- probably do not need a usable shell
- do not need a valid password (as no one would ever login using this account)
- might not have a standard home directory
A default install of a BSD system has several system accounts, for example:
root::0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74::0:0:pflogd privsep:/var/empty:/sbin/nologin
nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin
TODO: put some hash in the root's password field or maybe do not include "root" here
Notice that system accounts usually have an asterisk in the password field. No password hash can ever equal a lone asterisk, so no supplied password will authenticate and password login for the account is disabled.
Also the default shell for many system users is commonly the
TODO: explain purposes of these at least
TODO: explain path to nologin differs or point to section that talks about it?
TODO: point to section that explains ampersand in gecos field
TODO: explain nobody
Other common system accounts include: uucp, www, toor, bind or named, proxy, and mailnull or postfix. Installing packages may also include additional system accounts, such as cyrus, gdm, and pgsql.
TODO: mention system groups also
TODO: mention dedicated accounts -- such as users or groups for mail or source builds or backup jobs, etc.
TODO: show example using useradd and pw to create a system user
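The two properties described above (a password field no hash can match, and a shell that refuses logins) are only effective together, so a useful check is to read a master.passwd-style file and report accounts that have one but not the other, or that have an empty password field. The following POSIX sh script is an added example, not part of the original page; the entries it audits are constructed to mirror the listing above, and the `_svc` and `www` entries are hypothetical.

```shell
#!/bin/sh
# Audit master.passwd-style entries (10 fields) and report service accounts
# that are only half locked down. Added example; not from the original page.

# Constructed sample, modelled on the page's listing: not taken from a real host.
SAMPLE_PASSWD='root::0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
_svc:*:9001:9001::0:0:Example service (hypothetical):/nonexistent:/bin/sh
www:$6$constructedhash$xyz:80:80::0:0:World Wide Web Owner:/nonexistent:/sbin/nologin
nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin'

# Returns 0 when the password field can never match a hash: "*" on BSD,
# and "!"- or "*"-prefixed values such as "*LOCKED*" on Linux and newer BSDs.
password_disabled() {
    case "$1" in
        '*'*|'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Returns 0 when the login shell is a non-interactive sentinel (any path).
shell_disabled() {
    case "${1##*/}" in
        nologin|false) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads passwd entries on stdin and prints "name:finding" for each problem:
#   empty-password   - field is empty, so authentication needs no secret at all
#   usable-shell     - password disabled but shell is still interactive
#   usable-password  - shell disabled but a password hash is still accepted
audit_passwd() {
    while IFS=: read -r name pw uid gid class change expire gecos home shell; do
        [ -n "$name" ] || continue
        if [ -z "$pw" ]; then
            printf '%s:empty-password\n' "$name"
        elif password_disabled "$pw" && ! shell_disabled "$shell"; then
            printf '%s:usable-shell\n' "$name"
        elif ! password_disabled "$pw" && shell_disabled "$shell"; then
            printf '%s:usable-password\n' "$name"
        fi
    done
}

# Convenience wrapper so the constructed sample can be audited in one call.
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
}

audit_sample
```

On a real host, replace `audit_sample` with `audit_passwd < /etc/master.passwd` (FreeBSD/OpenBSD, as root) or `audit_passwd < /etc/passwd` on Linux, where the hash lives in /etc/shadow and the passwd field is normally `x`. An account that passes this check is one created the way the TODO above asks for, for instance `pw useradd _svc -u 9001 -c 'Example service' -d /nonexistent -s /sbin/nologin -w no` on FreeBSD or `useradd -r -M -d /nonexistent -s /sbin/nologin svc` on Linux; the account name and UID in those commands are placeholders.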
- Manually run nologin
nologin(8); using a * in the password field of passwd(5)