What is the equivalent user for nobody:nobody from CentOS?

I am converting from CentOS and am used to having a nobody:nobody user:group for running services. Does Ubuntu have a similar best practice user:group combination for running a service?


Solution 1:

You can use nobody:nogroup if you really do want a user/group with no permissions. But Debian derivatives tend to define a user and/or group per task to ensure that your unprivileged services are separated from each other.

Solution 2:

Ubuntu has a nobody user and a nogroup group; I guess these can be used equivalently if you want.

Having all (or most) services running under the same user defeats part of the purpose of using a non-privileged user; thus I think the recommended best practice is for each service to have its own user (e.g. apache runs as www-data, I think exim4 will have an exim4 user, spamassassin will have a spamd user (I think!), and so on). When you install a service it takes care of creating this user for you. Sometimes managing permissions to ensure services can talk to each other can be slightly cumbersome, but these instances are usually well-documented and the added security and compartmentalization are worth the (minor) hassle.
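An added example, not part of either answer: a quick audit for the situation both answers warn about, where several unrelated services share one unprivileged account such as nobody. The function name `shared_service_accounts`, the sample data and the daemon names `metricsd` and `queued` are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: list unprivileged accounts that run more than one distinct
# program, i.e. services that are NOT separated from each other.
#
# Input on stdin: "user command" pairs, one per line, the format printed by
#   ps -eo user=,comm=
# Output: one line per shared account, "user: cmd1 cmd2 ...".
# root is skipped because the check is about unprivileged service accounts.
shared_service_accounts() {
    sort -u | awk '
        $1 == "root" { next }
        {
            count[$1]++
            cmds[$1] = (cmds[$1] == "" ? $2 : cmds[$1] " " $2)
        }
        END {
            for (u in count)
                if (count[u] > 1)
                    print u ": " cmds[u]
        }
    ' | sort
}

# Constructed sample (not captured from a real host): two hypothetical
# daemons share "nobody", while apache2 has its own www-data account.
sample_ps() {
    cat <<'EOF'
root      systemd
root      sshd
www-data  apache2
www-data  apache2
nobody    metricsd
nobody    queued
EOF
}

# Demo on the constructed sample.
sample_ps | shared_service_accounts
# On a live system: ps -eo user=,comm= | shared_service_accounts
```

Any account the function prints is a candidate for splitting into one dedicated user per service.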