Create restricted user for programs

I want to create a user account for each of the key programs installed on my Debian server. For example, for the following programs:

Tomcat, Nginx, Supervisor, PostgreSQL

This seems to be recommended based on my reading online. However, I want to restrict these user accounts as much as possible, so that they don't have a shell login, don't have access to the other programs and are as limited as possible but still functional.

Would anyone mind telling me how this could be achieved? My reading so far suggests this:

echo "/usr/sbin/nologin" >> /etc/shells
useradd -s /usr/sbin/nologin tomcat

But I think there may be a more complete way of doing it.

EDIT: I'm using Debian squeeze

Man Page for rsh (all Section 1m) - The UNIX and Linux Forums as shell?

Ok, so this is better?

useradd -r -s /usr/sbin/nologin tomcat

No, you want restricted, not disabled: The nologin command displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled. The rsh and the .profile of the home dir, which you set up, control what they can do. You can set their $PATH to a dir with 4 commands, for instance.

$ whence rsh
/usr/bin/rsh
$ rsh -h
$ rsh
$ ps -f
   UID   PID  PPID  C    STIME TTY       TIME COMMAND
my_id       1007 24683  0 17:12:37 ttyp9     0:00 rsh -h
my_id       1032  1024 51 17:12:54 ttyp9     0:00 ps -f
my_id       1024  1007  0 17:12:51 ttyp9     0:00 rsh
my_id     24683 24682  0 08:41:54 ttyp9     0:00 -ksh
$ pwd
/home/my_id
$ cd /tmp
rsh: cd: The operation is not allowed in a restricted shell.
$
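
The setup described in the last reply (a restricted shell whose .profile pins $PATH to a directory holding a few commands), as an added example that is not part of the original thread. It assumes Debian's /bin/rbash as the restricted shell, since `rsh` on Debian normally names the remote-shell client; the function name, the account name `appuser` and the command list are hypothetical.

```shell
#!/bin/sh
# Added example: build the home directory for a restricted-shell account.
# build_restricted_home HOME_DIR CMD...
#   HOME_DIR/bin gets symlinks to the allowed commands only, and a read-only
#   .profile pins PATH to that directory before the restrictions take effect.
build_restricted_home() {
    home=$1; shift
    mkdir -p "$home/bin" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "not found: $cmd" >&2; return 1; }
        # Builtins and functions resolve to a bare name; link real files only.
        case $target in
            /*) ln -sf "$target" "$home/bin/$cmd" || return 1 ;;
            *)  echo "not an external command: $cmd" >&2; return 1 ;;
        esac
    done
    rm -f "$home/.profile"
    cat > "$home/.profile" <<'EOF' || return 1
PATH=$HOME/bin
export PATH
readonly PATH
EOF
    # The account must not be able to replace .profile or add commands:
    # drop write permission on the file, on bin/ and on the home itself.
    chmod 444 "$home/.profile" && chmod 555 "$home/bin" "$home"
}

# Demo in a throwaway directory (no root needed); constructed command list.
demo=$(mktemp -d)
build_restricted_home "$demo/appuser" ls cat date id
ls -l "$demo/appuser/bin"
cat "$demo/appuser/.profile"
chmod -R u+w "$demo" && rm -rf "$demo"

# For a real account, run as root against /home/appuser, then (assumed names):
#   chown -R root:root /home/appuser
#   useradd -d /home/appuser -s /bin/rbash appuser
```

Keeping the home directory and .profile owned by root matters as much as the shell choice: if the account can rewrite .profile, the PATH restriction is gone at the next login.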