Create the service account: Use the useradd command to create a new user account. For example, to create a service account called "data-transfer", you can run:

    sudo useradd -m -s /usr/sbin/nologin data-transfer

This will create a new user account with no login shell and a home directory.
Set permissions: To restrict the service account to data transfer only, you can set permissions on the directories and files it is allowed to access. For example, you can create a directory called "/data" and give the service account read and write access to that directory:

    sudo mkdir /data
    sudo chown root:root /data
    sudo chmod 700 /data
    sudo setfacl -m u:data-transfer:rwx /data

This will create a directory called "/data" owned by the root user, and give read and write access to the "data-transfer" user. The ACL entry includes x because, on a directory, the execute bit is what allows the account to enter it and open or create files inside; an entry of only rw would let the account list "/data" but not transfer anything into or out of it.
Disable password login: To prevent users from logging in as the service account, you can disable password login for that user. Use the passwd command to lock the account's password:

    sudo passwd -l data-transfer

This will lock the password for the "data-transfer" user, effectively disabling password login.
Use the service account for data transfer: You can now use the service account for data transfer operations, such as transferring files between servers using tools like rsync or scp. To use the service account, you will need to specify its username and password when prompted.

Note that it is still possible for users with sudo privileges to switch to the service account using the su or sudo su commands. To prevent this, you can configure sudo to restrict users from switching to the service account by adding the following line to the /etc/sudoers file:

    Defaults:data-transfer !authenticate

This will prevent users from switching to the "data-transfer" user using sudo su or similar commands. However, note that this will not prevent users from running commands as the "data-transfer" user using sudo -u data-transfer <command>.
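As an added example that is not part of the original post, the script below audits whether a service account actually ends up in the state the steps above intend: a non-interactive login shell, a locked password, and an ACL on the transfer directory that lets the account enter it and read and write files there. The three check functions take the text of the relevant records (a passwd line, a passwd -S status line, getfacl output), so they can be exercised on constructed sample input without root; the audit_account wrapper runs the real commands and needs root. The account name "data-transfer" and the directory "/data" are taken from the post; the script name, the RUN_AUDIT switch and the function names are assumptions of this example. One caveat worth knowing when reading the results: a Defaults:data-transfer !authenticate line governs password prompting when the data-transfer account itself invokes sudo (per the sudoers manual), so the live state of the account is the thing to verify rather than the presence of that line.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit a data-transfer service
# account against the hardening steps above. Run the live audit as root with:
#   sudo RUN_AUDIT=1 bash audit-service-account.sh      (script name assumed)
# The *_is_* / acl_* functions are pure string checks so they can be tested
# offline on constructed input.
set -u

SVC_USER="${SVC_USER:-data-transfer}"   # account name from the post
DATA_DIR="${DATA_DIR:-/data}"           # transfer directory from the post

# Step 1 check: field 7 of the passwd record must be a non-interactive shell.
# Input: one line as printed by `getent passwd "$SVC_USER"`.
shell_is_nologin() {
    local passwd_line="$1"
    case "${passwd_line##*:}" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 3 check: after `passwd -l`, `passwd -S user` reports the account as
# locked. Debian/Ubuntu print "L" in the second field, RHEL/Fedora print "LK";
# "P"/"PS" mean a usable password and "NP" no password at all.
# Input: the status line from `passwd -S "$SVC_USER"` (empty if it failed).
password_is_locked() {
    local status_line="$1" _user flag _rest
    read -r _user flag _rest <<< "$status_line"
    case "$flag" in
        L|LK) return 0 ;;
        *)    return 1 ;;
    esac
}

# Step 2 check: the named user entry in the ACL must grant rwx. Without x the
# account can list the directory but cannot open, create or remove files in
# it, so an rsync/scp transfer into it fails. A restrictive mask shows up as a
# "#effective:" note on the entry, and the effective rights are what count.
# Inputs: the output of `getfacl "$DATA_DIR"` and the user name.
acl_grants_rwx() {
    local getfacl_output="$1" user="$2" line perms
    while IFS= read -r line; do
        [[ "$line" == "user:$user:"* ]] || continue
        perms="${line#user:$user:}"
        if [[ "$perms" == *"#effective:"* ]]; then
            perms="${perms##*#effective:}"      # keep the effective rights
        fi
        perms="${perms%%[[:space:]]*}"          # drop any trailing comment
        [ "$perms" = "rwx" ] && return 0
        return 1
    done <<< "$getfacl_output"
    return 1                                    # no entry for the user at all
}

# Live audit: runs the real commands (passwd -S on another user needs root)
# and reports every property that does not match the intended state.
audit_account() {
    local failures=0 passwd_line
    passwd_line="$(getent passwd "$SVC_USER")" || {
        echo "FAIL: user $SVC_USER does not exist"; return 1; }
    shell_is_nologin "$passwd_line" \
        || { echo "FAIL: $SVC_USER has an interactive login shell"; failures=$((failures + 1)); }
    password_is_locked "$(passwd -S "$SVC_USER" 2>/dev/null)" \
        || { echo "FAIL: password for $SVC_USER is not locked"; failures=$((failures + 1)); }
    acl_grants_rwx "$(getfacl "$DATA_DIR" 2>/dev/null)" "$SVC_USER" \
        || { echo "FAIL: $SVC_USER has no rwx ACL entry on $DATA_DIR"; failures=$((failures + 1)); }
    if [ "$failures" -eq 0 ]; then
        echo "OK: $SVC_USER matches the intended restrictions"
    fi
    return "$failures"
}

# Only run the live audit when explicitly asked, so the file can also be
# sourced to reuse the check functions.
if [ "${RUN_AUDIT:-0}" = "1" ]; then
    audit_account
fi
```

The audit returns the number of failed checks as its exit status, so it drops straight into a cron job or a configuration-management handler; the passwd -S parsing accepts both the Debian and the RHEL status letters because the two shadow-utils builds print them differently.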
Conclusion