See also:


Each service shall run under a dedicated user account, which only has access to the system ressources it requires - ideally none.

Access to ressources shall be read-only, with only well defined exceptions.


Services should not log to the filesystem by themselves, but rather log via pipes to dedicated log services.

Although each service should use a dedicated user account, log services may use the log user to simplify setup - this should be avoided for services with sensible data.

Log files/directories shall be readable — not writable — by the adm group, operators may be added to this group.


operators must have a normal user account. They may be added to the following groups:

  • sudo: for root access
  • staff: for root-less installation of local software
  • adm: for reading log files

Since about 2009 Debian decided to require the file /etc/staff-group-for-usr-local to exist in order for the staff group to make sense. See staff.

The Boy

The boy account is used for all kind of maintenance staff.

sudo -i
adduser --system  --group --uid 309 --home /etc/boy --shell /bin/sh --disabled-login --disabled-password boy
chgrp staff /etc/boy
chmod 2750 /etc/boy

Accounts, UIDs, GIDs

The Debian policy prescribes users and groups.

Some important users; all of them are in a group with the same name:

  • man:*:6:12:man:/var/cache/man:/usr/sbin/nologin
  • mail:*:8:8:mail:/var/mail:/usr/sbin/nologin
  • www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin
  • backup:*:34:34:backup:/var/backups:/usr/sbin/nologin
  • list:*:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
  • nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin

Some important groups:

  • adm:*:4:
  • sudo:*:27:
  • staff:*:50:
  • nogroup:*:65534:

Dan Bernstein maintains a list of unix account names and proposes UIDs/GIDs for some of the software he created.

Several of them are; in our interpretation:

  • Gdnscache:*:1270288640:65534:dnscache:/nonexistent:/usr/sbin/nologin
  • Gdnslog:*:1697246030:65534:dns logging:/nonexistent:/usr/sbin/nologin
  • Grbldns:*:1278078250:65534:rbldns:/nonexistent:/usr/sbin/nologin
  • Gtinydns:*:1168820790:65534:tinydns:/nonexistent:/usr/sbin/nologin

The simplest way to create them is by using vipw and copy/paste.