Create restricted user on Debian server
That's the right track, but you'll want to indicate that it's a system user so that /etc/shadow won't have any aging information. From the useradd man page:
-r, --system
Create a system account. System users will be created with no aging information in /etc/shadow, and their numeric identifiers are chosen in the SYS_UID_MIN-SYS_UID_MAX range, defined in /etc/login.defs, instead of UID_MIN-UID_MAX (and their GID counterparts for the creation of groups). Note that useradd will not create a home directory for such a user, regardless of the default setting in /etc/login.defs (CREATE_HOME). You have to specify the -m options if you want a home directory for a system account to be created.
So you'll want something along the lines of:
useradd -s /usr/sbin/nologin -r -M tomcat
You can also create a home directory if you want, maybe something that belongs to the service, for example:
useradd -s /usr/sbin/nologin -r -M -d /etc/nginx nginx
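To confirm that an account really has the properties discussed above (system UID range, nologin shell, no aging fields in /etc/shadow), here is an added audit sketch that is not part of the original answer. The function names, the constructed sample files and the 101-999 fallback range are assumptions of this example; on a real host, pass /etc/passwd, /etc/shadow and /etc/login.defs as root.

```sh
#!/bin/sh
# Added example: check_restricted_user USER PASSWD SHADOW LOGIN_DEFS
# Returns 0 if all checks pass, 1 on any finding, 2 if the user is missing.
check_restricted_user() {
    user=$1 passwd=$2 shadow=$3 defs=$4 rc=0

    # passwd(5): name:password:UID:GID:GECOS:home:shell
    entry=$(awk -F: -v u="$user" '$1 == u { print $3 ":" $7 }' "$passwd")
    [ -n "$entry" ] || { echo "FAIL $user: not in $passwd"; return 2; }
    uid=${entry%%:*}
    shell=${entry#*:}

    # System UID range from login.defs. 101-999 is an assumed fallback for
    # files that leave SYS_UID_MIN / SYS_UID_MAX unset or commented out.
    min=$(awk '$1 == "SYS_UID_MIN" { print $2 }' "$defs")
    max=$(awk '$1 == "SYS_UID_MAX" { print $2 }' "$defs")
    min=${min:-101} max=${max:-999}
    if [ "$uid" -lt "$min" ] || [ "$uid" -gt "$max" ]; then
        echo "FAIL $user: UID $uid outside system range $min-$max"; rc=1
    fi

    case $shell in
        */nologin) ;;
        *) echo "FAIL $user: login shell is $shell"; rc=1 ;;
    esac

    # shadow(5): name:hash:lastchg:min:max:warn:inactive:expire:reserved
    # "No aging information" is read here as fields 4-8 all being empty.
    aging=$(awk -F: -v u="$user" '$1 == u { print $4 $5 $6 $7 $8 }' "$shadow")
    [ -z "$aging" ] || { echo "FAIL $user: aging fields set in $shadow"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK $user: UID $uid, shell $shell, no aging fields"
    return "$rc"
}

# Constructed sample files (not from a real host); prints the directory path.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'tomcat:x:998:998::/home/tomcat:/usr/sbin/nologin' \
        'deploy:x:1001:1001::/home/deploy:/bin/bash' > "$d/passwd"
    printf '%s\n' 'tomcat:!:19800::::::' 'deploy:!:19800:0:99999:7:::' > "$d/shadow"
    printf '%s\n' 'SYS_UID_MIN 100' 'SYS_UID_MAX 999' > "$d/login.defs"
    echo "$d"
}

dir=$(make_sample)
for u in tomcat deploy; do
    check_restricted_user "$u" "$dir/passwd" "$dir/shadow" "$dir/login.defs" || true
done
rm -rf "$dir"
```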