The why: why create separate users for different applications in Linux
I won't copy/paste or restate the answers already present in the different forums. Instead I am going to quote the answers directly here for reference.
I prefer to have each application service run as its own user in order to have as much isolation between them as possible. If any part of the system gets broken or compromised I'd like to localise the damage as much as possible.
When deploying a production service in Linux you want to configure it as securely as possible. Ideally, you will create a unique Linux user for each service and give them only read and write permission to the exact files they need. You can go even further and create a "system" user that has no home directory, no login shell, and no password. This prevents the user from being able to log in and does not provide a home directory for them to store files. If the service was ever compromised this limits the actions an attacker can take with the user running the service.
Technically, it makes no difference, but in the real world it turns out there are long term benefits in keeping user and software accounts in separate parts of the numeric space.
Mostly, it makes it easy to tell what the account is, and if a human should be able to log in.
Next, how to create separate users in Linux for different applications. (For Ubuntu, click here)
A fresh Linux system has only the root user. Using the root credentials for routine work is dangerous, because root is allowed to do anything on the system. To limit the damage a compromised privileged account can inflict, we create separate users for running different applications, scripts, or databases.
- As the root user, run:
  adduser newuser
  Or run the command with sudo. Enter the password for the user and the other details.
- Optional: add the user to the sudo group. This allows the user to gain root access when a command is run with the sudo prefix:
  usermod -aG sudo newuser
  Or run the command with sudo. For more details see this.
- Switch to the newly created user:
  su - newuser
Example: creating a user for Tomcat in Ubuntu
- Create a non-root user to run Tomcat. First create a group called tomcat that will run the server:
  sudo groupadd tomcat
  and then
  sudo useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat
  This creates a new tomcat user, makes it a member of the tomcat group, assigns it a home directory of /opt/tomcat, and disables login to the account (the -s /bin/false part sets a shell that refuses interactive sessions).
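A defender-side check that complements the steps above, added here as an example and not part of the original post: it parses /etc/passwd-format lines (a constructed sample is embedded) and flags system accounts that still have an interactive shell, which is exactly what -s /bin/false in the Tomcat command prevents. It assumes system UIDs end at 999 (SYS_UID_MAX on Debian/Ubuntu); note that useradd without -r/--system allocates a UID from the regular range, so such an account is treated as a regular user by this check.

```shell
#!/bin/sh
# Added example (not from the original post): audit passwd(5) entries for service accounts
# that still have an interactive shell. The sample data below is constructed.
# Assumption: system UIDs are 0..999 (SYS_UID_MAX in /etc/login.defs on Debian/Ubuntu);
# useradd -r/--system allocates from that range, plain useradd does not.
SYS_UID_MAX=999
# Constructed sample in /etc/passwd format; "legacyapp" is the misconfigured account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
tomcat:x:998:998::/opt/tomcat:/bin/false
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
legacyapp:x:997:997::/srv/legacyapp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'
# is_nologin_shell SHELL -> success if SHELL refuses interactive login.
is_nologin_shell() {
  case "$1" in
    /bin/false|/usr/sbin/nologin|/sbin/nologin|/usr/bin/nologin) return 0 ;;
    *) return 1 ;;
  esac
}
# audit_passwd_line LINE -> prints a verdict; returns 1 when a system account can log in.
audit_passwd_line() {
  name=$(printf '%s\n' "$1" | cut -d: -f1)
  uid=$(printf '%s\n' "$1" | cut -d: -f3)
  shell=$(printf '%s\n' "$1" | cut -d: -f7)
  if [ "$uid" -eq 0 ]; then
    printf 'ok %s (superuser)\n' "$name"; return 0
  fi
  # Regular users (above SYS_UID_MAX, except nobody) are expected to log in.
  if [ "$uid" -gt "$SYS_UID_MAX" ] && [ "$uid" -ne 65534 ]; then
    printf 'ok %s (regular user)\n' "$name"; return 0
  fi
  if is_nologin_shell "$shell"; then
    printf 'ok %s\n' "$name"; return 0
  fi
  printf 'WARN %s: system account uid=%s has login shell %s\n' "$name" "$uid" "$shell"
  return 1
}
# audit_passwd: reads passwd lines on stdin (e.g. < /etc/passwd), prints one verdict
# per account and a final "warnings: N" line.
audit_passwd() {
  n=0
  while IFS= read -r line; do
    if [ -n "$line" ]; then audit_passwd_line "$line" || n=$((n + 1)); fi
  done
  printf 'warnings: %d\n' "$n"
}
printf '%s\n' "$SAMPLE_PASSWD" | audit_passwd   # stand-alone run on the sample
```

On a live host, run it as `audit_passwd < /etc/passwd` and review every WARN line against the service's actual need for a shell.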
Full docs on Tomcat installation here and here.
Updated link to Tomcat installation.