Cannot change ownership of home directory to correct user


#1

Hello,

I have tried to create a user and his home directory in an application snap on Ubuntu Core:

useradd -m --extrausers user1

At first only the account-control interface is connected. The home directory cannot be created because permission is denied when creating a folder in /home.
Then I connect the system-files interface to grant write permission to /home:
plugs:
  config-home:
    interface: system-files
    write:
      - /home

The user account with home directory /home/user1 was then created.

But I still got two problems:

  1. The owner of /home/user1 is root. I tried to change the owner with chown -R user1:user1 /home/user1 and then got the error message:
    chown: changing ownership of '/home/user1': Operation not permitted.

  2. I always get an error message after the “useradd” command is executed:
    /sbin/pam_tally2: Permission denied
    useradd: failed to reset the tallylog entry of user "user1"

Is using the “system-files” interface the right way to create the home directory? If yes, what can I do to set the correct ownership of the home directory?
How can I handle the error message? If I don’t lock failed logins, can I just ignore this error?

Thanks


#2

Typically, Ubuntu Core is not used as a multi-user system but rather headless or with a single user for development …

how this is done is described in:

https://docs.ubuntu.com/core/en/guides/manage-devices/

What is the actual purpose you want to create this user for?
Do you plan to have different people log in to the system?

Note that in general services run as root inside their confined space, so a per-daemon user is not necessary … yet … if your app really requires a daemon user and you cannot actually change it to not do this, there is work going on to support this on a per-snap basis, outlined at:


#3

Hello ogra,

Thank you for your reply.

What is the actual purpose you want to create this user for ?
We create multiple user accounts and grant them different permissions to access resources, e.g. logging in to a web service to view some data.
Sometimes some of these users require an sftp connection and a home directory to upload/download files, so sftp permission shall be granted to users temporarily and dynamically by the administrator.

Do you plan to have different people log in to the system ?
Not really.
We do have a system user created through an assertion. This system user can log in to the system with sudo privileges.
The other users are not real system users. They are created without an assertion. They have no sudo privileges, so they cannot modify the system or get sensitive data. But they need a home directory for sftp.

Why create extra system user accounts in /var/lib/extrausers for normal users:

  1. It’s easy to authenticate users through PAM
  2. It’s easy to grant sftp permissions.
  3. Just like the other normal users, the “real” system user (created through an assertion) also requires permission to access application resources. It’s convenient that all users are located in the same database.

Here is another question about system user:
If the system user is no longer needed, I run the “userdel” command and delete the file “create-user-” from /etc/sudoers.d/ to delete the system user. Is this enough to delete a system user thoroughly?