How to create/add a system account

Hi Forums

This one has been bugging me for quite some time now: how do you create (or remove, for that matter) a "system account" in FreeBSD? The Handbook's section 3.3.1.1 mentions "Systems Accounts" and what they are used for (to run software), but does not say how to set one up: Users and Basic Account Management.

Is this also done with adduser?

If I want to run custom software, it might make sense to use/set up a custom system account too, right? But how?
 
System accounts are normal user accounts but more limited, e.g. no shell and no home directory. Their user ID is usually under 1000 but that is not a requirement. In fact, system accounts are just plain user accounts but called that way because a service which starts as the root user drops its privileges to this account with limited privileges (hence the no shell or home directory).

As an example, Apache/nginx use the system account 'httpd' (or similar) to which they drop their privileges after the initial setup. This user should not own any files (not even the website files), nor have a shell, nor have a home directory, etc.
 
Thanks, tommiie

Unfortunately, this is basically what I do know. What I do not know is how to create/set up such an account... Would I use adduser but not set a home and shell and lock the account (and maybe a UID below 1000 (or whatever FreeBSD's equivalent of /etc/login.defs says))?
 
pw(8) is quite a read, so for convenience I'd like to provide you with a little example.

pw useradd foo -u 990 -c "Captain Foo,Testlab" -s /usr/sbin/nologin -G group1,group2,group3

By default, pw will not create a home directory and the shell will be set to /bin/sh if you omit the -s option.
Groups can be provided separated by comma, or separated by spaces when quoted (which is handy when the groups are output from a script).

For a quick look at pw useradd's options, pw useradd help is easier than the manpage.

To remove a user: rmuser(8)

Hope that gets you started.
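
An added example, not part of the thread: a check that service accounts really ended up with no login shell and no real home directory, run over passwd(5)-format lines. The function names, the UID cutoff of 1000, and the accepted placeholder homes (/nonexistent, /var/empty) are assumptions of this example, and the sample lines are constructed.

```sh
#!/bin/sh
# Added example: audit passwd(5)-format lines for service accounts that
# still have a login shell or a real home directory.
# Assumptions (not from the thread): UIDs below 1000 are service accounts,
# root (UID 0) is skipped, /nonexistent and /var/empty are placeholder homes.

audit_system_accounts() {
    # Reads name:pw:uid:gid:gecos:home:shell lines on stdin; $1 = UID cutoff.
    awk -F: -v max_uid="${1:-1000}" '
        /^#/ || NF < 7 { next }            # skip comments and short lines
        $3 == 0 || $3 >= max_uid { next }  # skip root and regular users
        {
            problems = ""
            # An empty shell field means the default login shell applies.
            if ($7 !~ /\/nologin$/ && $7 !~ /\/false$/)
                problems = problems " login-shell=" ($7 == "" ? "(default)" : $7)
            if ($6 != "/nonexistent" && $6 != "/var/empty" && $6 != "")
                problems = problems " home=" $6
            if (problems != "")
                print $1 ":" problems
        }'
}

# Constructed sample input, not taken from a real system.
sample_passwd() {
    cat <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
foo:*:990:990:Captain Foo,Testlab:/nonexistent:/bin/sh
bar:*:991:991:Bar daemon:/home/bar:/usr/sbin/nologin
baz:*:992:992:Baz daemon:/home/baz:
alice:*:1001:1001:Alice:/home/alice:/bin/sh
EOF
}

sample_passwd | audit_system_accounts
```

On a live system, feed it `/etc/passwd` instead of the sample: `audit_system_accounts < /etc/passwd`.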
 