Creating a Linux user who cannot get an interactive shell on Debian or Ubuntu

Every now and then you find yourself repeating the same Linux admin tasks, querying the community and having to piece together an answer. This is the case with creating a “service account” to run satellite instances of Rhasspy on a bunch of Debian-based IoT devices scattered around my house. The purpose is so that you aren’t running a service (daemon) as yourself or as root. If someone were to use the web page to somehow hack into the computer, they would be limited in what they can do because they won’t immediately have access to a Linux shell.

3D Printed Rhasspy running on Raspberry Pi4 courtesy @tobetobe

The commands below create a user named ‘rhasspy’ with its own $HOME directory for placing the settings in the “.profile/rhasspy” and for installing the service account’s instance of a Python environment. Because Rhasspy uses the audio resources of the computer indirectly, I went ahead and added the $username to the ‘audio’ group, and then finally set the default shell of the $username to ‘/sbin/nologin’.

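# Run in bash (the <<< here-string is not POSIX sh).
username=rhasspy
password=REPLACEWITHYOUROWNPASSWORD

# Create the user and home directory without prompting for a password or GECOS details.
sudo adduser --comment "" --disabled-password "$username"
# Set the account password non-interactively.
sudo chpasswd <<<"$username:$password"
# Append 'audio' to the supplementary groups (-a keeps existing memberships).
sudo usermod -a -G audio "$username"
# Replace the login shell so the account cannot open an interactive session.
sudo usermod -s /sbin/nologin "$username"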
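
To confirm the result after running the commands, the following added example (not from the original post) checks a passwd(5)/group(5) pair for the two properties set above: a non-login shell and membership in the ‘audio’ group. The function names and the sample entries are constructed for illustration.

```shell
# check_service_account USER PASSWD_FILE GROUP_FILE GROUP  (hypothetical helper)
# Prints one finding per line; returns 0 only if USER has a non-login shell
# and is a supplementary member of GROUP.
check_service_account() {
    user=$1 passwd_file=$2 group_file=$3 want_group=$4
    rc=0
    # passwd(5): field 7 is the login shell.
    shell=$(awk -F: -v u="$user" '$1 == u { print $7; found = 1 }
        END { if (!found) exit 1 }' "$passwd_file") || {
        echo "FAIL: no passwd entry for $user"; return 1; }
    # An empty shell field means /bin/sh, which is interactive.
    case ${shell:-/bin/sh} in
        */nologin|*/false) echo "OK: $user shell is $shell" ;;
        *) echo "FAIL: $user has interactive shell ${shell:-/bin/sh}"; rc=1 ;;
    esac
    # group(5): field 4 is the comma-separated member list; match names exactly.
    if awk -F: -v g="$want_group" -v u="$user" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) ok = 1 }
        END { exit !ok }' "$group_file"
    then echo "OK: $user is in group $want_group"
    else echo "FAIL: $user is not in group $want_group"; rc=1
    fi
    return $rc
}

# Constructed sample entries (not taken from a real host).
write_samples() {
    dir=$1
    cat > "$dir/passwd" <<'EOF'
rhasspy:x:1001:1001:,,,:/home/rhasspy:/sbin/nologin
pi:x:1000:1000:,,,:/home/pi:/bin/bash
legacy:x:1002:1002:,,,:/home/legacy:
EOF
    cat > "$dir/group" <<'EOF'
audio:x:29:pi,rhasspy
video:x:44:pi
EOF
}

# Demo run over the constructed samples.
tmp=$(mktemp -d)
write_samples "$tmp"
for u in rhasspy pi legacy; do
    check_service_account "$u" "$tmp/passwd" "$tmp/group" audio || true
done
rm -rf "$tmp"
```

On a device, call it as check_service_account rhasspy /etc/passwd /etc/group audio.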

As is the case with all techno-things, this approach will become outdated over time, so check the commands against the current version of Debian or Ubuntu. Drop me a line on Twitter if you find this useful or if it needs updating.
