28

What is the purpose and benefit of using the --system option when adding a user, or even a group?

I'd like to know why I'm seeing this added to many Docker containers and recommended as a best practice?

For example's sake, I'm adding a non-root user to an Alpine Docker container for use when developing and again for runtime.

The current versions I'm using are:

  • adduser version is 3.118, and the Alpine adduser man
  • Alpine version is 3.12
  • Docker v19.03.13 on Windows 10 (20H2 update)

The man page reads "Create a system user", O.K. but what do you get as a system user? Or being in a system group when using addgroup -S.

I do not have a System Admin background, so I'm not sure what that means and would like clarity as to when I should use this?

Some Other Reading

Searching Google has provided some insight but no way to verify what I've read. That it does not ask you to set a password for the user, but then I can use --disabled-password for that.

I then found this post here, I got that it's for organization purposes, but does not help me much either. I'm only a little bit clearer, yet not confident enough to explain when to use them.

What's the difference between a normal user and a system user?

0

2 Answers

19

System users are like normal users but are set up for an organizational purpose. The only differences are:

  • They don't have an expiry date (no aging set)
  • Their UIDs are below 999, as set in /etc/login.defs (can be changed):

Also there are standard system users, which come with the OS or with a package install; most of them have the above attributes (conventional):

  • The majority of them have /sbin/nologin or /bin/false as a shell
  • They have "*" or "!!" in /etc/shadow, meaning that no one can simply use them.
  • And they can have the attributes that I have shown in the first section.

To check the list of these standard system users: /usr/share/doc/setup-/uidgid

An example could be adding the mypapp user as a system user. In case, for example, we want to set up an Identity Access Management policy in our environment that we can automate for all users, we have to do it only for system users based on their UIDs, because if the mypapp account expires the application will stop running.

2
  • That example really helps. I never considered that accounts expire if they are not system. Commented Nov 15, 2020 at 13:30
  • I also found the Ubuntu docs which help provide a nice reference: adduser, addgroup - add a user or group to the system. I like how Alpine Linux is minimalist on the software, but not documentation. Commented Nov 15, 2020 at 13:31
3

On Alpine Linux, adduser -S will create a system user whose user ID starts from 100, and who cannot log in:

kong:x:100:65533:Linux User,,,:/home/kong:/sbin/nologin

but it is different without -S :

horward:x:1000:1000:Linux User,,,:/home/horward:/bin/ash
0
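Added example (not part of the answers above): a small POSIX shell audit that reads passwd-format entries, labels each account as system or regular by UID, and lists system accounts that still have an interactive shell. The UID threshold of 1000, the function names, and the `svcdemo` entry are assumptions made for this illustration; the `kong` and `horward` lines are the ones quoted in the answer.

```shell
#!/bin/sh
# Added example: classify passwd(5) entries as system or regular accounts.
# Assumption: UIDs below UID_MIN (default 1000) are system accounts; adjust
# this to match your distribution's /etc/login.defs or adduser defaults.

# classify_passwd FILE [UID_MIN]
# Prints "name uid class login", one account per line.
classify_passwd() {
    awk -F: -v min="${2:-1000}" '
        /^#/ || NF < 7 { next }          # skip comments and malformed lines
        {
            class = ($3 + 0 < min) ? "system" : "regular"
            # /sbin/nologin and /bin/false refuse interactive logins
            login = ($7 ~ /(nologin|false)$/) ? "nologin" : "login"
            print $1, $3, class, login
        }' "$1"
}

# system_with_shell FILE [UID_MIN]
# Lists non-root system accounts that still have an interactive shell.
system_with_shell() {
    classify_passwd "$1" "$2" |
        awk '$3 == "system" && $4 == "login" && $2 != 0 { print $1 }'
}

# Constructed sample: the two entries quoted above plus hypothetical ones.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/ash
kong:x:100:65533:Linux User,,,:/home/kong:/sbin/nologin
horward:x:1000:1000:Linux User,,,:/home/horward:/bin/ash
svcdemo:x:101:101:constructed entry:/var/lib/svcdemo:/bin/ash
EOF

classify_passwd "$sample"
echo "system accounts with a login shell:"
system_with_shell "$sample"
```

Inside a container image, pointing `classify_passwd` at `/etc/passwd` after the `adduser` step shows whether the runtime account landed in the system range with a non-login shell.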
