In server management, security and a tidy system go hand in hand. One of the best practices for both is creating service-specific user accounts: a daemon that runs as root, or as an account shared with other software, hands an attacker far more than it needs if it is ever compromised. This tutorial walks you through creating dedicated user accounts for services on a Linux system. The practice limits the damage a service can do when it runs with broader permissions than necessary, while also improving system organization and making compliance requirements easier to meet.
Why Create Service-Specific User Accounts?
- Enhanced Security: If a service is compromised, the attacker inherits only the privileges of that account: the files it can read or write and the resources it can reach. That still includes anything world-readable, so the account should also have no password, no login shell and no sudo rights.
- Least Privilege Principle: By assigning only the permissions the service needs to operate, the potential damage and reach of a compromise are contained.
- Better Process Management: With each service running under its own user, its processes are easy to identify, monitor and limit.
- Audit and Accountability: Every process, file and log entry carries a user ID, so activity can be attributed to a specific service rather than to a shared account, making auditing more straightforward.
Prerequisites
- A Linux machine running systemd (Ubuntu, CentOS, Debian, etc.)
- Basic understanding of Linux commands and terminal
- Sudo or root access
Step 1: Create a New User Account
We’ll start by creating a dedicated system account for the service. Replace serviceuser with your chosen username (ideally, use a descriptive name related to the service). A service account needs neither a password nor an interactive shell, so create it as a system user rather than a regular login user:
sudo adduser --system --no-create-home serviceuser
On Debian and Ubuntu, --system allocates a UID from the system range, sets the shell to /usr/sbin/nologin and leaves the password locked, so there are no prompts to answer. On RHEL-family systems, where adduser is simply an alias for useradd, the equivalent flags are -r (system account), -M (no home directory) and -s /usr/sbin/nologin.
Step 2: Assign the User to a Group
It’s a good practice to give the service its own group, so that file permissions can be granted to the service without also being granted to the owner of the files. Here, we will create a group named serviceGroup and add our user serviceuser to it as a supplementary group (the -a flag appends, so any existing group memberships are kept):
sudo groupadd serviceGroup
sudo usermod -aG serviceGroup serviceuser
Step 3: Set Permissions
Now that you’ve created a user and a group, you’ll want to assign the appropriate permissions to the directories or files the service will access. For instance, if your service needs to access a directory in /opt/my_service, you’d do the following:
sudo mkdir -p /opt/my_service
sudo chown serviceuser:serviceGroup /opt/my_service
sudo chmod 750 /opt/my_service
In octal, 750 means the owner (serviceuser) has read, write and execute permission, the group (serviceGroup) has read and execute, and everyone else has no access at all. Note what the owner’s write bit implies: the service can modify its own directory, including any script you place in it. For a directory that only holds code, it is safer to make root the owner and leave serviceuser with read and execute access through the group, reserving serviceuser-owned, writable directories for the data and state the service must actually write.
Step 4: Create and Configure the Service
You can now create your service. Let’s assume you have a script named my_script.sh in /opt/my_service that you want to run. It must start with a shebang line (for example #!/bin/sh) and have the execute bit set for serviceuser, or systemd will fail to start it. Here’s how to structure the service file.
- Create the service file: Create a new file in the systemd system directory. For our service:
sudo nano /etc/systemd/system/myservice.service
- Define the service: Add the following content to define the service. Replace paths as necessary.
[Unit]
Description=My Custom Service
After=network.target
[Service]
Type=simple
User=serviceuser
Group=serviceGroup
ExecStart=/opt/my_service/my_script.sh
Restart=on-failure
[Install]
WantedBy=multi-user.target
- Reload the Systemd Daemon: After creating or modifying service files, reload the systemd manager configuration.
sudo systemctl daemon-reload
Step 5: Start and Enable the Service
Now that your service is defined, you can start and enable it to run on boot.
sudo systemctl start myservice
sudo systemctl enable myservice
Step 6: Verify the Service Status
To verify that your service is running correctly, use:
sudo systemctl status myservice
This command shows whether the unit is active, its main PID, how long it has been running and the most recent log lines. Check that the state is active (running), that no errors appear in the log excerpt, and that the process is running under serviceuser rather than root.
Step 7: Manage the Service
When managing your service, you’ll likely need commands to restart, stop, or check logs. Here are some handy commands:
- Restart the Service:
sudo systemctl restart myservice
- Stop the Service:
sudo systemctl stop myservice
- View Logs:
To view logs related to your service, use journalctl:
sudo journalctl -u myservice
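The whole procedure above, collected into one script as an added example (this is not code from the original tutorial). It keeps the tutorial’s names (serviceuser, serviceGroup, /opt/my_service, myservice) but makes two changes a practitioner would want: the code directory is owned by root so a compromised service cannot rewrite its own script, and the service gets a separate writable state directory, /var/lib/my_service, which is an assumption of this example, as are the systemd hardening directives in the unit. Run it as root with --apply to provision everything and verify the running identity; without arguments it only prints the unit file it would install.

```shell
#!/bin/sh
# Added example (not from the original tutorial): provision a locked-down
# service account, a root-owned code directory, a service-writable state
# directory and a hardened systemd unit, then verify the running identity.
# Assumptions: the state directory, the hardening directives and the
# --apply wiring are this example's choices, not the tutorial's.
set -eu

SERVICE=myservice
SVC_USER=serviceuser
SVC_GROUP=serviceGroup
CODE_DIR=/opt/my_service
STATE_DIR=/var/lib/my_service   # assumed; the tutorial has no state dir

# Render the unit file to stdout. No side effects, so it can be reviewed
# (or tested) without root and without touching /etc.
render_unit() {
  user=$1; group=$2; exec_path=$3; state_dir=$4
  cat <<EOF
[Unit]
Description=My Custom Service
After=network.target

[Service]
Type=simple
User=${user}
Group=${group}
ExecStart=${exec_path}
Restart=on-failure
# Hardening: no privilege gain via setuid or capabilities, the filesystem
# read-only apart from the state directory, no /home, and a private /tmp.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
ReadWritePaths=${state_dir}

[Install]
WantedBy=multi-user.target
EOF
}

# System account: no password, no login shell, no home directory.
# Idempotent, so re-running the script is safe.
create_account() {
  getent group "$SVC_GROUP" >/dev/null || groupadd --system "$SVC_GROUP"
  getent passwd "$SVC_USER" >/dev/null || \
    useradd --system --no-create-home --shell /usr/sbin/nologin \
            --gid "$SVC_GROUP" "$SVC_USER"
}

# Code is owned by root and only readable/executable by the group, so a
# compromised service cannot rewrite its own script; only STATE_DIR is
# writable by the service user.
lay_out_dirs() {
  install -d -o root -g "$SVC_GROUP" -m 750 "$CODE_DIR"
  install -d -o "$SVC_USER" -g "$SVC_GROUP" -m 750 "$STATE_DIR"
  if [ -f "$CODE_DIR/my_script.sh" ]; then
    chown root:"$SVC_GROUP" "$CODE_DIR/my_script.sh"
    chmod 750 "$CODE_DIR/my_script.sh"
  fi
}

install_unit() {
  render_unit "$SVC_USER" "$SVC_GROUP" "$CODE_DIR/my_script.sh" "$STATE_DIR" \
    > "/etc/systemd/system/${SERVICE}.service"
  chmod 644 "/etc/systemd/system/${SERVICE}.service"
  systemctl daemon-reload
  systemctl enable --now "$SERVICE"
}

# Confirm the main process really runs as SVC_USER (not root) by reading
# its UID from /proc, then print systemd's own exposure score for the unit.
verify_identity() {
  pid=$(systemctl show -p MainPID --value "$SERVICE")
  [ "$pid" != "0" ] || { echo "$SERVICE is not running" >&2; return 1; }
  uid=$(awk '/^Uid:/ {print $2}' "/proc/$pid/status")
  [ "$(id -nu "$uid")" = "$SVC_USER" ] || { echo "runs as uid $uid" >&2; return 1; }
  systemd-analyze security "$SERVICE" | tail -n 1
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  create_account; lay_out_dirs; install_unit; verify_identity
else
  # Dry run: show the unit that --apply would install.
  render_unit "$SVC_USER" "$SVC_GROUP" "$CODE_DIR/my_script.sh" "$STATE_DIR"
fi
```

The hardening block is where most of the practical gain lies: with ProtectSystem=strict the service cannot write anywhere except the paths listed in ReadWritePaths, and NoNewPrivileges=yes blocks setuid binaries and capability gains even if the service is tricked into executing them. The check in verify_identity reads the UID from /proc rather than trusting the unit file, because a typo in User= (or a drop-in override) silently falls back to root.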
Conclusion
Creating service-specific user accounts on a Linux machine is crucial for both security and manageability. By following the above steps, you ensure that each service runs in its own context, limiting the blast radius of a compromise while making its activity easier to observe. As you continue to manage services, keep privilege levels as low as the service allows, adhering to the principle of least privilege.
By implementing these best practices, you’re on your way to a more secure and organized Linux environment!
Feel free to reach out in the comments if you have any questions or need further assistance. Happy Linuxing!