Create a system account

Author: name contact BSD flavour

Reviewer: name contact BSD flavour

Reviewer: name contact BSD flavour


Concept

Understand that many services require an account and that such accounts should not be available for logins.

Introduction

A system account is generally a user created for a specific purpose and associated with a specific daemon. It is a normal account with a UID, but usually differs from an ordinary user account in a few ways:

  • it probably does not need a usable shell
  • it does not need a valid password (no one is ever expected to log in as this account)
  • it might not have a standard home directory

A default install of a BSD system has several system accounts, for example:

root::0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
operator:*:2:5::0:0:System &:/:/sbin/nologin
bin:*:3:7::0:0:Binaries Commands and Source:/:/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
_pflogd:*:74:74::0:0:pflogd privsep:/var/empty:/sbin/nologin
nobody:*:32767:32767::0:0:Unprivileged user:/nonexistent:/sbin/nologin

TODO: put some hash in the root's password field or maybe do not include "root" here

Notice that system accounts usually have an asterisk in the password field. No password hash can ever equal a single asterisk, so password authentication for that account is disabled. Also, the login shell of most system users is the nologin program, which refuses the login instead of starting a shell.
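The two controls above (a disabled password field and a nologin shell) are independent, and an account that has only one of them is a common mistake. The following script, added here as an example and not part of the original page, classifies passwd(5)-style lines by both fields. The sample lines are constructed from the master.passwd format shown above plus two made-up accounts (_example and backup); HASH_PLACEHOLDER stands in for a real password hash.

```sh
#!/bin/sh
# Added example (not from the original page): audit master.passwd(5)-style
# lines and report which accounts can still be used to log in.
# Field layout: name:password:uid:gid:class:change:expire:gecos:home:shell

# Constructed sample: three lines from the page, plus two made-up accounts.
# '_example' has its password disabled but keeps a real shell;
# 'backup' has a password hash (placeholder) and a real shell.
SAMPLE_PASSWD='root::0:0::0:0:Charlie &:/root:/bin/csh
daemon:*:1:1::0:0:Owner of many system processes:/root:/sbin/nologin
sshd:*:22:22::0:0:Secure Shell Daemon:/var/empty:/sbin/nologin
_example:*:1000:1000::0:0:Constructed misconfiguration:/var/empty:/bin/sh
backup:HASH_PLACEHOLDER:1001:1001::0:0:Backup job:/var/backups:/bin/sh'

# classify_account LINE
# Prints one word describing how the account can be used:
#   locked          password '*' and a nologin shell: what a system account should look like
#   empty-password  password field is empty: no password is needed at all
#   no-password     password disabled but the shell is usable (ssh keys, cron, su from root still work)
#   no-shell        a password hash is present but the shell is nologin: the hash is still a credential
#   login           password hash and a usable shell: an ordinary interactive account
classify_account() {
    pw=$(printf '%s\n' "$1" | cut -d: -f2)
    shell=$(printf '%s\n' "$1" | cut -d: -f10)
    case "$pw" in
        '')    pwstate=empty ;;
        '*'*)  pwstate=disabled ;;   # '*' (or a run of them): no hash can match it
        *)     pwstate=set ;;
    esac
    case "$shell" in
        */nologin) shstate=nologin ;;
        *)         shstate=usable ;;
    esac
    case "$pwstate/$shstate" in
        empty/*)          echo empty-password ;;
        disabled/nologin) echo locked ;;
        disabled/usable)  echo no-password ;;
        set/nologin)      echo no-shell ;;
        set/usable)       echo login ;;
    esac
}

# audit_passwd < passwd-file
# Prints "name state" for every non-blank, non-comment line.
audit_passwd() {
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        printf '%s %s\n' "${line%%:*}" "$(classify_account "$line")"
    done
}

# count_unlocked < passwd-file
# Number of accounts that are not fully locked (anything a reviewer should look at).
count_unlocked() {
    audit_passwd | awk '$2 != "locked" { n++ } END { print n + 0 }'
}

# Run the audit over the constructed sample. On a real host you would feed it
# /etc/master.passwd instead (which is readable by root only).
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd
```

On the sample this reports root as empty-password, daemon and sshd as locked, _example as no-password and backup as login. The "no-password" case is the one worth remembering: an asterisk stops password logins, but a usable shell still lets the account be reached through ssh keys, cron jobs or su from root, so a system account needs both controls.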

TODO: explain purposes of these at least

TODO: explain path to nologin differs or point to section that talks about it?

TODO: point to section that explains ampersand in gecos field

TODO: explain nobody

Other common system accounts include: uucp, www, toor, bind or named, proxy, and mailnull or postfix. Installing packages may also add further system accounts, such as cyrus, gdm, and pgsql.

TODO: mention system groups also

TODO: mention dedicated accounts -- such as users or groups for mail or source builds or backup jobs, etc.

Examples

TODO: show example using useradd and pw to create a system user
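The following script is an added example, not the page's own text: it builds the pw(8) command used on FreeBSD and the useradd(8) command used on OpenBSD and NetBSD to create a dedicated group and system user with a disabled password and a nologin shell. The account name _backup, the UID/GID 1001 and the comment are constructed values. Note that the nologin path differs between flavours (/usr/sbin/nologin on FreeBSD, /sbin/nologin on OpenBSD and NetBSD). By default the script only prints the commands; set DRY_RUN=0 on a real BSD host, as root, to execute them.

```sh
#!/bin/sh
# Added example, not the page's own code: build (and optionally run) the
# commands that create a dedicated system account on FreeBSD with pw(8) or
# on OpenBSD/NetBSD with useradd(8). The account name, UID/GID and comment
# below are constructed. Nothing is executed unless DRY_RUN=0, since these
# commands need root on a real BSD host.

: "${DRY_RUN:=1}"

# system_group_cmd FLAVOUR NAME GID
# A dedicated group so the daemon does not share a GID with other services.
system_group_cmd() {
    case "$1" in
        freebsd)        printf 'pw groupadd -n %s -g %s\n' "$2" "$3" ;;
        openbsd|netbsd) printf 'groupadd -g %s %s\n' "$3" "$2" ;;
        *) echo "unknown flavour: $1" >&2; return 1 ;;
    esac
}

# system_user_cmd FLAVOUR NAME UID GID COMMENT
# The resulting account has:
#   - '*' in the password field (no hash can match it, so password logins are impossible)
#   - the flavour's nologin(8) as shell: /usr/sbin/nologin on FreeBSD, /sbin/nologin on OpenBSD/NetBSD
#   - /var/empty as home, an existing empty directory; no home directory is created
# COMMENT must not contain double quotes, since it is placed in a quoted argument.
system_user_cmd() {
    flavour=$1 name=$2 uid=$3 gid=$4 comment=$5
    case "$flavour" in
        freebsd)
            # pw(8): -w no writes '*' into the password field; without -m no home is created
            printf 'pw useradd -n %s -u %s -g %s -c "%s" -d /var/empty -s /usr/sbin/nologin -w no\n' \
                "$name" "$uid" "$gid" "$comment"
            ;;
        openbsd|netbsd)
            # useradd(8): -p takes the already-encrypted password, so '*' disables it
            printf "useradd -u %s -g %s -c \"%s\" -d /var/empty -s /sbin/nologin -p '*' %s\n" \
                "$uid" "$gid" "$comment" "$name"
            ;;
        *) echo "unknown flavour: $flavour" >&2; return 1 ;;
    esac
}

# create_system_account FLAVOUR NAME UID GID COMMENT
# Prints the two commands (group first, then user) and runs them when DRY_RUN=0.
create_system_account() {
    for cmd in "$(system_group_cmd "$1" "$2" "$4")" "$(system_user_cmd "$@")"; do
        echo "$cmd"
        if [ "$DRY_RUN" = 0 ]; then
            eval "$cmd"
        fi
    done
}

# Show the commands for both flavours with the constructed values.
create_system_account freebsd _backup 1001 1001 "Backup job"
create_system_account openbsd _backup 1001 1001 "Backup job"
```

After running the real commands, the new line in master.passwd should look like the sshd and _pflogd entries shown earlier: an asterisk in the password field, /var/empty as home and nologin as the shell. The leading underscore in the name follows the OpenBSD convention for daemon accounts (compare _pflogd above); FreeBSD does not require it.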

Practice Exercises

  1. Manually run nologin

More information

nologin(8); using a * in the password field of passwd(5)