Users to run containers - isNormalUser / isSystemUser?

Hello everybody,

I have a category of users that might be considered as normal / system and I’m not sure. Could you help please?

My existing users:

  • .isNormalUser Users that log in via SSH / via desktop login
  • .isSystemUser Users used to run systemd services (I currently don’t have any)

Now I want to create users that I’ll use to run Podman containers. The users will be accessed only via sudo -su user / sudo su user. In other words it shouldn’t be possible to for example SSH into the user. I’m thinking they should be .isNormalUser.

What about passwords for these users? Am I safe to keep them without password? My SSHD is setup to require key and I think the default setting is that users without password cannot login but I’m not sure if it is OK to keep such users without password…

Thank you.

That sounds like a pretty typical system user to me, though that by itself is not enough to prevent ssh-ing into them.

Why would you like them to be “normal” users? Keep in mind that this only means that their UID will be > 1000, and things like login screens will show their user name (which you probably wouldn’t want, though I imagine you don’t have a login screen).

Setting no password for a user (which is different from a password that is the empty string) will prevent login, regardless of whether the user is a system or a normal user, or whether you log into them locally or via ssh. The only option to log into such users is to force it with su executed by root or using something like sudo.

The NixOS option description explains this, among other things: NixOS Search

Yeah, I wouldn’t want that. I was thinking about a normal user since I’ll often use the users after sudo -su user (not as a systemd service) and because it might be useful to have a home directory. But thinking about that now, I won’t need the home dir and podman shouldn’t require that.

Thanks a lot, I didn’t know that. I did some research and I realized that ! in /etc/shadow means no password, not empty password:

grep -E 'custom1|nixbld1:' /etc/shadow

So yeah, all good. I’ll create the users as system users. Thank you very much.

I know that in NixOS configuration I can setup initial password. Is it possible to force “no password” (not empty)? And I’m not asking about initial “no password”, I’m asking about overwriting password (if set for any reason) by “no password” every time I run nixos-rebuild boot / switch.

Thank you.

From the docs:

The options hashedPassword, password and passwordFile controls what password is set for the user. (…) If none of these three options are set, no password is assigned to the user, and the user will not be able to do password logins.

To make sure the password is always overwritten to be disabled, you probably also need to turn users.mutableUsers off:

On system activation, the existing contents of the /etc/passwd and /etc/group files will be merged with the contents generated from the users.users and users.groups options. The initial password for a user will be set according to users.users, but existing passwords will not be changed.

If set to false, the contents of the user and group files will simply be replaced on system activation. This also holds for the user passwords; all changed passwords will be reset according to the users.users configuration on activation.

This is a great option, unfortunately not something I can use since I’d need something like users.mutableSpecialUsers (I don’t want to replace for example my user password). But that’s OK, it was just an idea, I didn’t really think that NixOS will have a setting option for that.

Thank you very much @TLATER

1 Like