I want to create a user account for each of the key programs installed on my Debian server. For example, for the following programs:
Tomcat, Nginx, Supervisor, PostgreSQL
This seems to be recommended based on my reading online. However, I want to restrict these user accounts as much as possible, so that they don't have a shell login, don't have access to the other programs and are as limited as possible but still functional.
Would anyone mind telling me how this could be achieved? My reading so far suggests this:
No, you want restricted, not disabled: The nologin command displays a message that an account is not available and exits non-zero. It is intended as a replacement shell field for accounts that have been disabled. The rsh and the .profile of the home dir, which you set up, control what they can do. You can set their $PATH to a dir with 4 commands, for instance.
$ whence rsh
/usr/bin/rsh
$ rsh -h
$ rsh
$ ps -f
UID PID PPID C STIME TTY TIME COMMAND
my_id 1007 24683 0 17:12:37 ttyp9 0:00 rsh -h
my_id 1032 1024 51 17:12:54 ttyp9 0:00 ps -f
my_id 1024 1007 0 17:12:51 ttyp9 0:00 rsh
my_id 24683 24682 0 08:41:54 ttyp9 0:00 -ksh
$ pwd
/home/my_id
$ cd /tmp
rsh: cd: The operation is not allowed in a restricted shell.
$
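
The restricted-shell setup the answer describes (a .profile that pins $PATH to a directory holding a handful of commands), as an added example that is not part of the original thread. It assumes bash, whose restricted mode (`bash -r`, installed as `rbash` on Debian) plays the role of the `rsh` in the session above; the function names, directory layout and command list are illustrative.

```shell
#!/bin/sh
# Added example: restricted-shell home with a fixed command set.
# Assumption: bash is installed; "bash -r" is the restricted shell used here.

# make_restricted_home HOME_DIR CMD...
# HOME_DIR must be an absolute path. Creates HOME_DIR/bin with symlinks to only
# the listed external commands and a read-only .profile that pins PATH to it.
# Pick commands that cannot start a shell or write files.
make_restricted_home() {
    home_dir=$1; shift
    mkdir -p "$home_dir/bin" && chmod 755 "$home_dir/bin" || return 1
    for cmd in "$@"; do
        target=$(command -v "$cmd") || { echo "missing: $cmd" >&2; return 1; }
        case $target in
            /*) ln -sf "$target" "$home_dir/bin/$cmd" || return 1 ;;
            *)  echo "not an external command: $cmd" >&2; return 1 ;;
        esac
    done
    # Startup files run before the restrictions switch on, so PATH is set here;
    # afterwards the shell refuses to change it.
    rm -f "$home_dir/.profile"
    printf 'PATH="%s/bin"\nexport PATH\n' "$home_dir" > "$home_dir/.profile" || return 1
    # On a real account these must be root-owned so the user cannot edit them.
    chmod 444 "$home_dir/.profile" && chmod 555 "$home_dir/bin"
}

# run_restricted HOME_DIR 'COMMAND STRING'
# Runs COMMAND STRING in a restricted login shell with an empty environment,
# the way the account would see it after logging in. Returns the shell's status.
run_restricted() {
    home_dir=$1
    bash_bin=$(command -v bash) || { echo "bash not found" >&2; return 127; }
    ( cd "$home_dir" && env -i HOME="$home_dir" "$bash_bin" -r -l -c "$2" )
}
```

For example, `make_restricted_home /srv/rdemo ls cat date wc` followed by `run_restricted /srv/rdemo 'cd /tmp'` shows the same refusal as the session above (`/srv/rdemo` is a placeholder path). For a real account the login shell itself has to be the restricted one, for instance `usermod -s /bin/rbash` on Debian.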