Create user with YaST no home directory

Hello,

useradd -M johndoe
command creates a user without a home directory and disables login.

I’d like to do the same in YaST, but it doesn’t allow an empty “Home Directory” field. There’s an “Empty Home” possibility, but the directory is created anyway.

Is there any proper way to solve this using YaST?

Thanks for any answer.

I do not think so. GUI tools are written to cover the most “normal” cases. When they would be able to do all the possibilities that exist, they would not be understandable by most.

The way most used by system managers for users that should not be able to log in is giving them /bin/false as shell. Another one I have seen is giving /sbin/nologin as shell. The last one produces a message. (See the man pages.)
For home directory often some directory that is connected to what that user is for is given.

You can see many examples in /etc/passwd.

I assume that when you use one of the above as shell and a directory of good choice as home directory, YaST > User and Group Management will do what you ask for.

BTW, that is what you say, but you do not prove that. For that you (and we) need

grep johndoe /etc/passwd

You’re right.
The useradd -M johndoe command results in this:
johndoe:x:1005:100::/home/johndoe:/bin/bash
In this case there’s no directory in the filesystem.

The correct way should be this:
useradd --no-create-home --shell /sbin/nologin johndoe
and the result:
johndoe:x:1005:100::/home/johndoe:/sbin/nologin

@Zsiraf If you (in YaST) create the user as a system user (UID <1000) and no $HOME, what happens…

It’s an exciting question. :) But sorry, I’ll not test it now.
I’ll create users with YaST using the “Empty Home” and “Disable login” options and set up /bin/false as the login shell.

@Zsiraf but if they are users to run services, then they should be <1000 system users…

I have the idea that you are in fact asking the wrong thing. Read How To Ask Questions The Smart Way

So what is your goal?

  1. Having no home directory? Which I think is only a step by which you try to reach your real goal
  2. Having a user that can not log in?

When it is in fact #2, there are now answers enough above I think. But I can show you another one. Look in /etc/shadow (which can only be done by root):

boven:~ # grep sddm /etc/shadow
sddm:!:17156::::::
boven:~ # 

Only one of many there. You see that the encrypted password there is !, something that can never be the result of the encryption of any password, thus log in will always be rebuffed with: wrong password.

Oh yes, and be careful. Having a user without a home directory can have unexpected results depending on what the user is for. Think of scripts running under that user that use ${HOME} or “pathnames starting with ~ constructs”, etc.

A simple and direct answer is, no.

Please take a look at the system users in ‘/etc/passwd’ and the man page 5 for “shadow”.

A couple of examples –

dnsmasq:x:495:65533:dnsmasq:/var/lib/empty:/bin/false
ftpsecure:x:458:65534:Secure FTP User:/var/lib/empty:/bin/false
man:x:13:62:Manual pages viewer:/var/lib/empty:/sbin/nologin
rpc:x:473:65534:user for rpcbind:/var/lib/empty:/sbin/nologin
vnc:x:462:464:user for VNC:/var/lib/empty:/sbin/nologin

They’re all system users (used by system daemons), without a Home directory –

 > l -d /var/lib/empty
drwxr-xr-x 2 root root 4096 15. Mär 2022  /var/lib/empty/
 > 
 > rpm --query --whatprovides /var/lib/empty
filesystem-15.0-11.8.1.x86_64
 > 

The empty directory ‘/var/lib/empty’ is a directory defined by the “filesystem” package –

  • The package description is as follows –

This package installs the basic directory structure. It also includes the home directories of system users.

This empty directory is used to strictly adhere to the requirements of the file ‘/etc/passwd’ and in particular the field “directory” –

This is the user’s home directory: the initial directory where the user is placed after logging in. The value in this field is used to set the HOME environment variable.

The effect on a Linux system if a user’s entry in ‘/etc/passwd’ has an empty “directory” field is undefined – in other words, the system’s behaviour if this field is empty cannot be guaranteed …


Now, ‘/etc/shadow’ –

dnsmasq:!:18492::::::
ftpsecure:!:18493::::::
man:!:18492::::::
rpc:!:18492::::::
vnc:!:18492::::::

The second field – “encrypted password” contains the character “!” – meaning –

A password field which starts with an exclamation mark means that the password is locked. The remaining characters on the line represent the password field before the password was locked.

In other words, the password is locked and, there’s no password.
The commands to do this are as follows –

 # passwd --delete [LOGIN]
 # passwd --lock [LOGIN]

Where “LOGIN” is the user’s login name as defined by the leftmost field of the ‘/etc/passwd’ fields.


Now the rightmost field of the entries in ‘/etc/passwd’ – “shell” –

  • If the value is either “/bin/false” or “/sbin/nologin” the user can never, ever, login.
    The two variations have different effects on anyone who attempts just that –

false - do nothing, unsuccessfully

nologin - politely refuse a login

I’m nitpicking here –

If, in ‘/etc/shadow’ the 2nd field of a user’s entry begins with the character “!” then, that user’s password is locked.

On the other hand, if the 2nd field ( “encrypted password”) contains a character which is never generated by “crypt” a UNIX® password can never be used to login – including empty passwords …

  • “man 5 crypt” gives the definitive statement –

Hashed passphrases are always entirely printable ASCII, and do not contain any whitespace or the characters ‘:’, ‘;’, ‘*’, ‘!’, or ‘\’. (These characters are used as delimiters and special markers in the passwd(5) and shadow(5) files.)


Which then raises the question –

  • What if, the “encrypted password” begins with the character “!” and, contains nothing else?
    Is that a locked empty (null) password?

Which is why some newer system users for daemons now have either the character string “!!” or, the character string “!*” as the “encrypted password” field in ‘/etc/shadow’ –

  • The password is locked AND, it’s not an empty password – the hashed passphrase is definitely something which “crypt” never generates …
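
The checks discussed in the answers above (login shell, home directory, and the state of the “encrypted password” field), combined into one audit script. This is an added example, not code from any poster; the function names and the sample entries (including the hash given to johndoe) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; sample entries are constructed.

# Classify field 2 of a shadow(5) entry using the crypt(5) rule quoted above:
# a real hash never contains '!', '*', ';' or '\'.
classify_shadow_field() {
    field=$1 prefix=""
    case "$field" in
        '')   echo "empty"; return ;;          # no password needed at all
        '!')  echo "locked-empty"; return ;;   # lock marker in front of nothing
        '!'*) prefix="locked-"; field=${field#'!'} ;;
    esac
    case "$field" in
        *'!'*|*'*'*|*';'*|*'\'*) echo "${prefix}invalid" ;;  # can never match
        *) echo "${prefix}hash" ;;             # a hash a password could match
    esac
}

# Succeeds when the login shell is one of the two refusing shells named above.
shell_blocks_login() {
    case "$1" in /bin/false|/sbin/nologin) return 0 ;; *) return 1 ;; esac
}

# Print one line per account of a passwd-format file ($1), joined with the
# matching entry of a shadow-format file ($2).
audit_accounts() {
    while IFS=: read -r login pwx uid gid gecos home shell; do
        pw=$(awk -F: -v u="$login" '$1 == u { print "=" $2 }' "$2")
        if [ -z "$pw" ]; then state="no-shadow-entry"
        else state=$(classify_shadow_field "${pw#=}"); fi
        if shell_blocks_login "$shell"; then sh="refused"; else sh="allowed"; fi
        if [ -d "$home" ]; then hd="present"; else hd="missing"; fi
        echo "$login shell=$sh home=$hd password=$state"
    done < "$1"
}

# Constructed sample files in the formats shown in the thread.
tmp=$(mktemp -d)
printf '%s\n' 'johndoe:x:1005:100::/home/johndoe:/bin/bash' \
    'vnc:x:462:464:user for VNC:/var/lib/empty:/sbin/nologin' > "$tmp/passwd"
printf '%s\n' 'johndoe:$6$constructed$hash:19000::::::' \
    'vnc:!:18492::::::' > "$tmp/shadow"
audit_accounts "$tmp/passwd" "$tmp/shadow"
rm -rf "$tmp"
```

Run against the real files, the second argument has to be read as root, since ‘/etc/shadow’ is not readable by ordinary users.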

Thanks for detailed answer. It’s really useful.
The story in a few words.
I set up a Samba server and I don’t want to let users log in to the system, just to shared folders with a Samba password. That’s why I was thinking about creating users without a home folder. When I found out it’s not possible, I created users with an empty folder and the “/bin/false” option.
