Create the service account: Use the useradd command to create a new user account. For example, to create a service account called "data-transfer", you can run:
sudo useradd -m -s /usr/sbin/nologin data-transfer
This will create a new user account with a home directory and no interactive login shell.
Set permissions: To restrict the service account to data transfer only, set permissions on the directories and files it is allowed to access. For example, you can create a directory called "/data" and give the service account read and write access to it:
sudo mkdir /data
sudo chown root:root /data
sudo chmod 700 /data
sudo setfacl -m u:data-transfer:rw /data
This will create a directory called "/data" owned by the root user, with read and write access granted to the "data-transfer" user through an ACL.
Disable password login: To prevent users from logging in as the service account, disable password login for that user. Use the passwd command to lock the account's password:
sudo passwd -l data-transfer
This will lock the password for the "data-transfer" user, effectively disabling password login.
Use the service account for data transfer: You can now use the service account for data transfer operations, such as transferring files between servers using tools like scp. Because the account's password is locked, you will need to authenticate with another method, such as an SSH key, rather than a password. Note also that OpenSSH runs scp and the sftp-server subsystem through the user's login shell, so with the /usr/sbin/nologin shell set above the transfer will be refused unless sshd is configured to serve the account with ForceCommand internal-sftp, which does not need a shell.
Note that it is still possible for users with sudo privileges to switch to the service account using the sudo su command. To prevent this, you can configure sudo to restrict users from switching to the service account by adding the following line to the
This will prevent users from switching to the "data-transfer" user using sudo su or similar commands. However, note that this will not prevent users from running commands as the "data-transfer" user using sudo -u data-transfer <command>.
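As an added example that is not part of the original post, the following script checks an account against the three hardening steps above (non-interactive shell, locked password, /data ACL), using constructed /etc/passwd, /etc/shadow and getfacl sample lines in place of a live system:

```shell
#!/bin/sh
# Added example, not from the original post: audit a service account against
# the hardening applied above. The entries are constructed samples; on a real
# host take them from getent passwd, getent shadow (as root) and getfacl /data.
PASSWD_LINE='data-transfer:x:1001:1001::/home/data-transfer:/usr/sbin/nologin'
SHADOW_LINE='data-transfer:!:19700:0:99999:7:::'
ACL_OUTPUT='user::rwx
user:data-transfer:rw-
group::---
mask::rw-
other::---'

# 7th passwd field is the login shell; succeed only for non-interactive shells.
shell_is_nologin() {
    case "$(printf '%s\n' "$1" | cut -d: -f7)" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# 2nd shadow field is the hash; passwd -l prefixes it with "!", and "*" means
# no password was ever set. Either one blocks password authentication.
password_is_locked() {
    case "$(printf '%s\n' "$1" | cut -d: -f2)" in
        '!'*|'*') return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed when the ACL grants rw to the named user and nothing to "other".
acl_restricts_to_user() {
    printf '%s\n' "$2" | grep -qx "user:$1:rw-" &&
        printf '%s\n' "$2" | grep -qx 'other::---'
}

# Run all three checks, print one line each, return non-zero on any failure.
audit_account() {
    rc=0
    if shell_is_nologin "$1"; then echo "OK   non-interactive login shell"
    else echo "FAIL interactive login shell"; rc=1; fi
    if password_is_locked "$2"; then echo "OK   password locked"
    else echo "FAIL password login still possible"; rc=1; fi
    if acl_restricts_to_user data-transfer "$3"; then echo "OK   /data ACL limited to the service account"
    else echo "FAIL /data ACL too permissive"; rc=1; fi
    return $rc
}

audit_account "$PASSWD_LINE" "$SHADOW_LINE" "$ACL_OUTPUT"
```

On a real host, replace the constructed strings with the actual output of getent passwd, getent shadow and getfacl. Keep in mind that a directory ACL of rw without the execute (search) bit lets the user list /data but not open the files inside it, so confirm the mode actually needed before relying on it.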