What does the `--system` flag for **adduser** do?

What is the purpose and benefit of using the --system option when adding a
user, or even a group?

I’d like to know why I’m seeing this added to many Docker containers and recommended as a
best practice?

For example's sake, I'm adding a non-root user to an Alpine Docker container
for use when developing and again for runtime.

The current versions I’m using are:

  • adduser version 3.118, and the Alpine adduser man page
  • Alpine version is 3.12
  • Docker v19.03.13 on Windows 10 (20H2 update)

The man page reads "Create a system user". O.K., but what do you get as a system
user? Or by being in a system group when using addgroup -S?

I do not have a System Admin background, so I'm not sure what that means and
would like clarity as to when I should use this.

Some Other Reading

Searching Google has provided some insight but no way to verify what I've read:
that it does not ask you to set a password for the user, but then I can use
--disabled-password for that.

I then found this post here; I got that it's for organizational purposes, but it does
not help me much either. I'm only a little bit clearer, yet not confident
enough to explain when to use them.

What's the difference between a normal user and a system user?

System users are like normal users but are set up for an organizational purpose.
The only differences are:

  • They don't have an expiry date (no aging set)
  • Their uids are below 999, as set in /etc/login.defs (can be changed)

Also there are standard system users which come with the OS or with a package install; most of them have the above attributes (conventional):

  • The majority of them have /sbin/nologin or /bin/false as a shell
  • They have "*" or "!!" in /etc/shadow, meaning that no one can simply use them.
  • And they can have the attributes that I have shown in the first section.

To check the list of these standard system users: /usr/share/doc/setup-/uidgid

An example could be adding a mypapp user as a system user; so in case, for example, we want to set up an Identity Access Management policy in our environment that we can automate for all users, we have to do it only for system users based on their uids, because if the mypapp account expires the application will stop running.

For Alpine Linux, adduser -S will create a system user, whose user id starts at 100, and who cannot log in.

kong:x:100:65533:Linux User,,,:/home/kong:/sbin/nologin

But it is different when using adduser without -S:

horward:x:1000:1000:Linux User,,,:/home/horward:/bin/ash
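As an added example (not part of the question or of either answer above), here is a POSIX shell script that applies the attributes both answers use to tell a service account from a login account: the uid range from the first answer, the nologin shell and the "*"/"!!" password field from its list of conventional attributes, the account-expiry field of /etc/shadow, and the two Alpine entries from the second answer. The passwd and shadow entries are constructed for this example: `kong` and `horward` are copied from the Alpine answer, while `root`, `daemon`, `build`, `svc` and every hash value are made up. The cut-off of 1000 is an assumption that matches the two Alpine uids shown (100 with -S, 1000 without) and Debian's UID_MIN; a real check would read /etc/passwd and, as root, /etc/shadow instead of the embedded samples.

```shell
#!/bin/sh
# Added example: classify accounts by the conventions described in the answers.
# SAMPLE_PASSWD / SAMPLE_SHADOW are constructed; only "kong" and "horward" come
# from the Alpine answer. Hashes are placeholders, not real password hashes.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/ash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
kong:x:100:65533:Linux User,,,:/home/kong:/sbin/nologin
build:x:500:500:build bot,,,:/home/build:/bin/ash
svc:x:998:998:service account:/var/lib/svc:/bin/false
horward:x:1000:1000:Linux User,,,:/home/horward:/bin/ash'

# shadow layout: name:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$placeholder$hashhashhash:18900:0:99999:7:::
daemon:*:18900:0:99999:7:::
kong:!:18900:0:99999:7:::
build:$6$placeholder$anotherhash:18900:0:99999:7::19500:
svc:!!:18900::::::
horward:$6$placeholder$yetanotherhash:18900:0:99999:7:::'

UID_MIN=1000   # assumed first "normal" uid; everything below it is the system range

passwd_field() {  # passwd_field NAME N -> field N of NAME's passwd entry
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" -v f="$2" '$1 == u { print $f }'
}

shadow_field() {  # shadow_field NAME N -> field N of NAME's shadow entry
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: -v u="$1" -v f="$2" '$1 == u { print $f }'
}

is_system_uid() {  # uid in the system range (0 .. UID_MIN-1)?
    [ "$1" -lt "$UID_MIN" ]
}

is_nologin_shell() {  # a shell that refuses interactive login?
    case "$1" in
        /sbin/nologin|/usr/sbin/nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

is_locked_password() {  # "*", "!", "!!" or a "!"-prefixed hash: no password can match
    case "$1" in
        '*'|'!'*) return 0 ;;
        *) return 1 ;;
    esac
}

classify_user() {  # prints "system" or "normal" by uid alone, the adduser convention
    uid=$(passwd_field "$1" 3)
    [ -n "$uid" ] || { echo "no such user: $1" >&2; return 2; }
    if is_system_uid "$uid"; then echo system; else echo normal; fi
}

check_service_account() {  # 0 only if NAME cannot log in at all and never expires
    uid=$(passwd_field "$1" 3)
    shell=$(passwd_field "$1" 7)
    pw=$(shadow_field "$1" 2)
    expire=$(shadow_field "$1" 8)
    [ -n "$uid" ] || { echo "no such user: $1" >&2; return 2; }
    is_system_uid "$uid"      || { echo "$1: uid $uid is in the normal range" >&2; return 1; }
    is_nologin_shell "$shell" || { echo "$1: interactive shell $shell" >&2; return 1; }
    is_locked_password "$pw"  || { echo "$1: password field is usable" >&2; return 1; }
    [ -z "$expire" ]          || { echo "$1: account expiry set ($expire)" >&2; return 1; }
    return 0
}

# Stand-alone run: one line per constructed account, with the reason a check fails.
for u in root daemon kong build svc horward; do
    if reason=$(check_service_account "$u" 2>&1); then reason="locked-down service account"; fi
    printf '%-8s %-6s %s\n' "$u" "$(classify_user "$u")" "$reason"
done
```

The point the report makes is that the uid range is only a naming convention: `build` sits in the system range yet has a login shell and a usable hash, and `root` is uid 0 with a usable hash, while `kong` (the `adduser -S` result from the answer) passes because its shell is /sbin/nologin and its password field is locked. On Alpine the `adduser` binary is BusyBox's, so the flags are `-S` (system user), `-D` (don't assign a password), `-H` (no home directory) and `-G group`; `--system` and `--disabled-password` are options of Debian's adduser, which is where the version 3.118 man page cited in the question comes from.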

