Skip to Content
Linux V-ServerLinux users for system services

Hardening Linux Services: Dedicated Service Users

Running services as root is a significant security risk. If a service is compromised, the attacker gains full control over the entire system. To prevent this, we use the Principle of Least Privilege by creating dedicated system users that only have access to what they absolutely need.

Core Concept

The goal is to create a “Service User” that:

  1. Has no login capabilities.
  2. Has no home directory.
  3. Can only access its specific application files.
  4. Runs within a hardened systemd sandbox.

Implementation Guide

Create a System User

System users are different from regular users; they have a UID in the system range and no interactive shell.

sudo adduser --system --no-create-home --shell /usr/sbin/nologin <service-or-user-name>
  • --system: Creates a system-level user.
  • --no-create-home: Prevents the creation of /home/<service-or-user-name>.
  • --shell /usr/sbin/nologin: Disallows any form of interactive login.

Define a Dedicated Group

For cleaner permission management, assign the user to its own primary group instead of the default nogroup.

sudo groupadd <service-or-user-name>
sudo usermod -g <service-or-user-name> <service-or-user-name>

Setup Directory Structure

A service should operate within its own isolated boundaries. Typically, this involves a data directory and a configuration directory.

sudo mkdir -p /var/lib/<service-or-user-name>  # For data/state
sudo mkdir -p /etc/<service-or-user-name       # For configuration

Assign Ownership and Permissions

Restrict access so that only this specific user can read or write to these folders.

sudo chown -R <service-or-user-name>:<service-or-user-name> /var/lib/<service-or-user-name>
sudo chown -R <service-or-user-name>:<service-or-user-name> /etc/<service-or-user-name>
sudo chmod 750 /var/lib/<service-or-user-name>

Security Impact: This ensures that other non-privileged users on the system cannot peek into the service’s data.

Configure the Systemd Unit

To run the process as your new user, update your systemd service file (usually in /etc/systemd/system/).

/etc/systemd/system/<<service-name>.service
[Unit]
Description=My Service
 
[Service]
User=<service-or-user-name>
Group=<service-or-user-name>
ExecStart=/usr/bin/my-binary
Restart=always

Enable Systemd Sandboxing

Systemd provides powerful flags to further isolate the process from the rest of the OS. Add these to your [Service] section:

/etc/systemd/system/<service-name>.service
[Service]
# File system protection
ProtectSystem=full
ProtectHome=yes
PrivateTmp=yes
 
# Privilege protection
NoNewPrivileges=yes
RestrictRealtime=yes
  • ProtectSystem=full: Makes /usr, /boot, and /etc read-only for the service.
  • PrivateTmp: Gives the service its own private /tmp folder.
  • NoNewPrivileges: Prevents the process from ever gaining more rights (like sudo).

Optional: Resource and Network Limits

If you want to be even stricter, you can limit the service’s footprint:

# Network restriction (e.g., allow only local communication)
IPAddressAllow=127.0.0.1
IPAddressDeny=any
 
# Resource limits
MemoryMax=512M
TasksMax=50

Best Practices

Even with a dedicated user, remember these two rules:

  • Package Management: Always use root (via apt or dnf) to install software. Never change ownership of system binaries to your service user.
  • Minimal Write Access: If a service only needs to read its config, use chown root:service-name and chmod 640 for files in /etc/service-name.

Result

Each service now runs as a separate, non-loggable, minimally privileged user. If a vulnerability is exploited, the attacker remains trapped within the service’s specific directory and cannot access system-wide files or other users’ data.

Note for External Collaborators

A final important note:
Due to this strict isolation, regular users (e.g., developers without root privileges) will not be able to view or edit the service’s files. If you need to grant an external user specific read or write permissions to these directories without compromising the service user’s security, standard POSIX permissions reach their limits.

In this case, the guide on Linux ACLs (Access Control Lists) will be particularly relevant, as it allows you to assign fine-grained permissions for additional users without changing the primary ownership.

Created: 04.01.2026

Last Updated: 04.01.2026

Access linux servers securely with SSH 2.0Linux Access Control Lists (ACLs)