
Create an Unprivileged User Account on FreeBSD/OPNsense

karma

On UNIX-like systems it is considered best practice to run daemons and other automated/resident/specialized software under their own, restricted user accounts. This makes it easier to curtail unwanted or unexpected behaviours, whether due to stupidity (bugs) or malice (attack), because the fundamental unit of permissions and access control is the user account. Filesystem permissions, for instance, are determined wholesale at the user and group level. This remains true across flavours and regardless of finer-grained solutions operating at a higher level (RBACs like SELinux, AppArmor, Linux capabilities, etc.) - though they should not be disregarded where enforced.

Conventionally, daemons are assigned a UID below 1000 - where actual, human-operated UIDs begin. It is also common practice to assign no password (represented by an asterisk (*) in the password hash field of the /etc/passwd flat file). The default post-authentication shell is typically set to /usr/sbin/nologin or /usr/bin/false. In some cases one may wish to specify a home directory where a daemon commits most of its writes, or from which a relative path might be expected to descend. Most of the time, however, specifying a home directory is pointless, and creating one simply to go unused (particularly under the default /home, where one expects to find only fully-fledged user home directories) is untidy. Therefore, by convention one will generally specify the special, virtual directory /nonexistent, which adduser recognises and, contrary to its default behaviour, declines to create a directory for the account. Alternatively, the /var/empty directory tends to be used where a chroot jail is implemented.

To line these conditions up with FreeBSD's adduser binary one may use the following command; note that unless you are providing a complete user record in colon-delimited format with the -f flag, this is an interactive operation.

    adduser -d /nonexistent -D -u 0 -w no -s /usr/sbin/nologin
    Username: username
    Full name: username Daemon
    Uid [6]:
    Login group [username]:
    Login group is username. Invite username into other groups? []:
    Login class [default]:
    Shell (csh sh tcsh bash git-shell opnsense-shell opnsense-installer nologin) [nologin]:
    Home directory [/nonexistent/username]:
    Home directory permissions (Leave empty for default):
    Use password-based authentication? [no]:
    Lock out the account after creation? [no]:
    Username   : username
    Password   : <disabled>
    Full Name  : username Daemon
    Uid        : 6
    Class      :
    Groups     : username
    Home       : /nonexistent/username
    Home Mode  :
    Shell      : /usr/sbin/nologin
    Locked     : no
    OK? (yes/no): yes
    adduser: INFO: Successfully added (username) to the user database.
    Add another user? (yes/no): no
    Goodbye!

Flags employed:

  • -d /nonexistent - home directory "partition": the new account's home directory is placed under this path, in a subdirectory named after the account.
  • -D - do not create a corresponding home directory. This is obviated when specifying /nonexistent with the -d flag.
  • -u 0 - assign a UID from the available numbers beginning at the specified value; the default is 1000, which is conventionally used to delineate system/unprivileged accounts from fully-fledged, human users. Specifying 0 selects the lowest available UID counting up from root.
  • -w no - disables the password for the account, so it can own processes and files but cannot be logged into.
  • -s /usr/sbin/nologin - specifies the login shell; for an unprivileged user this is either nologin or false, both of which immediately reject the login should it, through some misconfiguration or misimplementation, become possible to log in at all.
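As an added example (not code from the original post), the following POSIX sh script builds the non-interactive record that adduser -f would read for the same account the interactive session above creates, and then audits a passwd(5) line against the conventions the flags encode: disabled password, UID below 1000 but not 0, nologin/false shell, and a /nonexistent or /var/empty home. The account name svcdaemon, the function names and the use of pw usershow -7 to fetch the entry on FreeBSD are assumptions of this example; the field order follows the adduser(8) description of -f input, and the handling of the password column should be confirmed against the man page on the release in use.

```shell
#!/bin/sh
# Added example; not code from the original post. "svcdaemon" is a placeholder
# account name. The adduser -f field layout used here is the one adduser(8)
# documents: name:uid:gid:class:change:expire:gecos:home_dir:shell:password
# (empty fields are left for adduser to fill with its defaults).

# Build one non-interactive record for `adduser -f`, equivalent to the
# interactive session above: no real home, nologin shell, password disabled.
# $1 = account name, $2 = UID (leave empty to let adduser allocate one).
build_adduser_record() {
    name=$1
    uid=$2
    printf '%s:%s:::::%s Daemon:/nonexistent:/usr/sbin/nologin:*\n' \
        "$name" "$uid" "$name"
}

# Audit one 7-field passwd(5) line against the conventions discussed above.
# On FreeBSD such a line comes from `pw usershow -7 NAME`; elsewhere from
# /etc/passwd. Returns 0 for a correctly restricted daemon account, otherwise
# prints every violation found and returns 1.
audit_passwd_entry() {
    line=$1
    rc=0
    # Split on ':' only; set -f stops the '*' password marker from globbing.
    oldifs=$IFS; IFS=:
    set -f; set -- $line; set +f
    IFS=$oldifs
    name=$1; pass=$2; uid=$3; home=$6; shell=$7
    case $pass in
        '*'|'*LOCKED*'*) ;;   # disabled or locked: no password can ever match
        *) echo "$name: password field '$pass' is not the disabled marker '*'"; rc=1 ;;
    esac
    if [ "$uid" -eq 0 ]; then
        echo "$name: UID 0 is root; a daemon must never share it"; rc=1
    elif [ "$uid" -ge 1000 ]; then
        echo "$name: UID $uid lies in the human-user range (1000 and up)"; rc=1
    fi
    case $shell in
        /usr/sbin/nologin|/sbin/nologin|/usr/bin/false|/bin/false) ;;
        *) echo "$name: shell '$shell' would allow an interactive login"; rc=1 ;;
    esac
    case $home in
        /nonexistent|/nonexistent/*|/var/empty) ;;
        *) echo "$name: home '$home' is a real directory; confirm the daemon needs it"; rc=1 ;;
    esac
    return $rc
}

# Usage: run with --apply as root on FreeBSD to create and audit the account;
# any other invocation just prints the record that adduser -f would read.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ] && command -v pw >/dev/null 2>&1; then
    tmp=$(mktemp) || exit 1
    build_adduser_record svcdaemon > "$tmp"
    adduser -f "$tmp"
    rm -f "$tmp"
    audit_passwd_entry "$(pw usershow -7 svcdaemon)"
else
    build_adduser_record svcdaemon
fi
```

The audit function is the part worth keeping around: fed the output of pw usershow -7 for every account below UID 1000, it turns the conventions above into a repeatable check rather than something verified once by eye at creation time.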
