Problem Statement
What are service accounts and how should they be managed? Explain best practices for creating and securing service accounts.
Explanation
Service accounts are special user accounts used to run services, applications, or automated processes rather than for human login. They typically have /sbin/nologin or /bin/false as their shell, which prevents interactive login, and a UID in the system range (often 1-999). Examples: www-data for web servers, mysql for the MySQL database, and nobody for unprivileged operations.
Create service accounts with useradd -r -s /sbin/nologin -c 'Service Description' servicename. The -r flag creates a system account with a UID in the system range. Assign the minimal necessary permissions following the least privilege principle - a service account should only be able to access the files and directories needed for its function. Use dedicated groups to grant service account permissions rather than giving broad access.
Security best practices: disable password login (service accounts shouldn't have passwords), use SSH keys or another authentication mechanism if remote access is needed, restrict sudo access (service accounts rarely need sudo), set proper file ownership (the service should own its files), use SELinux or AppArmor to confine service processes, regularly audit service account permissions, document each service account's purpose, and remove unused service accounts.
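The three account-level checks above (non-interactive shell, UID in the system range, no usable password) can be verified against /etc/passwd and /etc/shadow style data. The following POSIX sh script is an added example, not part of the original answer: the account names, UIDs and hash placeholders are constructed sample data, and check_service_account is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: audit service accounts against the best practices above.
# The passwd/shadow data below is constructed for this example; on a real host
# pass "$(cat /etc/passwd)" and "$(cat /etc/shadow)" instead (shadow needs root).

# Constructed /etc/passwd lines (hypothetical accounts; alice is a human user)
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
mysql:x:110:115:MySQL Server:/nonexistent:/bin/false
backupsvc:x:1001:1001:Backup Service:/srv/backup:/bin/bash
reportsvc:x:998:998:Report Generator:/srv/reports:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash'

# Constructed /etc/shadow lines ($6$PLACEHOLDER stands in for a real hash;
# "*" and "!" mean no usable password / locked account)
SAMPLE_SHADOW='root:$6$PLACEHOLDER:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::
mysql:!:19000:0:99999:7:::
backupsvc:$6$PLACEHOLDER:19000:0:99999:7:::
reportsvc:$6$PLACEHOLDER:19000:0:99999:7:::
alice:$6$PLACEHOLDER:19000:0:99999:7:::'

# check_service_account NAME PASSWD_DATA SHADOW_DATA
# Prints one line per finding, or "NAME: OK" when the account follows the rules.
# Returns 0 when OK, 1 when there are findings, 2 when NAME is not in PASSWD_DATA.
check_service_account() {
    svc_name=$1
    svc_passwd=$(printf '%s\n' "$2" | awk -F: -v n="$svc_name" '$1 == n')
    svc_shadow=$(printf '%s\n' "$3" | awk -F: -v n="$svc_name" '$1 == n')
    if [ -z "$svc_passwd" ]; then
        printf '%s: not found in passwd data\n' "$svc_name"
        return 2
    fi
    svc_uid=$(printf '%s\n' "$svc_passwd" | cut -d: -f3)
    svc_shell=$(printf '%s\n' "$svc_passwd" | cut -d: -f7)
    svc_hash=$(printf '%s\n' "$svc_shadow" | cut -d: -f2)
    findings=0

    # Rule 1: the shell must not allow an interactive login
    case "$svc_shell" in
        */nologin|*/false) ;;
        *) printf '%s: interactive shell %s (expected nologin or /bin/false)\n' "$svc_name" "$svc_shell"
           findings=1 ;;
    esac

    # Rule 2: system accounts live in UID range 1-999 (useradd -r); 0 is root
    if [ "$svc_uid" -eq 0 ] || [ "$svc_uid" -ge 1000 ]; then
        printf '%s: uid %s outside system range 1-999\n' "$svc_name" "$svc_uid"
        findings=1
    fi

    # Rule 3: no usable password; "!" or "*" in the shadow field is what we want
    case "$svc_hash" in
        '!'*|'*'*) ;;
        '') printf '%s: empty or missing shadow password field (passwordless login possible)\n' "$svc_name"
            findings=1 ;;
        *) printf '%s: password hash present; lock it with passwd -l %s\n' "$svc_name" "$svc_name"
           findings=1 ;;
    esac

    if [ "$findings" -eq 0 ]; then
        printf '%s: OK\n' "$svc_name"
    fi
    return "$findings"
}

# Run the check over the documented service accounts in the sample data.
for svc in www-data mysql backupsvc reportsvc; do
    check_service_account "$svc" "$SAMPLE_PASSWD" "$SAMPLE_SHADOW" || true
done
```

On the sample data, www-data and mysql pass, backupsvc is reported three times (bash shell, UID 1001, a real password hash) and reportsvc only for its password hash. The list of names to check is deliberately an input rather than derived from the data, because the documentation of which accounts are service accounts is itself one of the recommended practices.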
For containerized environments, avoid root in containers - use the USER directive in the Dockerfile to run as a non-root service account. For Kubernetes, use ServiceAccount resources with RBAC for permissions. For cloud platforms, use IAM roles instead of long-lived credentials. Never share a service account across different services - each service should have a dedicated account for auditing and isolation.
Monitoring: track service account activity in logs, alert on unexpected access patterns (service accounts have predictable behavior), audit file access, and regularly review permissions. Use configuration management tools (Ansible, Puppet) to ensure a consistent service account setup across systems. Document which human administrator is responsible for each service account.
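An interactive SSH login or a sudo invocation attributed to a nologin service account is exactly the kind of unexpected pattern the monitoring paragraph refers to. The script below is an added example, not part of the original answer: the syslog-format lines are constructed (host name, addresses and PIDs are placeholders) and flag_service_account_activity is a hypothetical helper name.

```sh
#!/bin/sh
# Added example: flag interactive activity by service accounts in auth logs.
# The log lines are constructed for this example; on a real host feed it
# "$(cat /var/log/auth.log)" or the output of journalctl instead.

# Constructed auth log lines. Line 1 is a normal cron session for www-data;
# lines 2 and 3 are the kind of activity a service account should never show.
SAMPLE_AUTH_LOG='Jan 10 03:12:01 host CRON[2101]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Jan 10 03:15:44 host sshd[2150]: Accepted publickey for backupsvc from 10.0.0.5 port 51234 ssh2
Jan 10 03:16:02 host sudo:    mysql : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/bash
Jan 10 03:20:00 host sshd[2200]: Accepted password for alice from 10.0.0.7 port 51300 ssh2
Jan 10 03:21:10 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx'

# flag_service_account_activity "NAME NAME ..." LOG_TEXT
# Prints one line per SSH login or sudo invocation attributed to a listed
# service account. Cron sessions are expected for service accounts and are
# not reported. Human users (alice here) are ignored.
flag_service_account_activity() {
    printf '%s\n' "$2" | awk -v names="$1" '
        BEGIN { n = split(names, list, " "); for (i = 1; i <= n; i++) svc[list[i]] = 1 }
        # sshd: "... sshd[PID]: Accepted <method> for <user> from <addr> ..."
        $5 ~ /^sshd\[[0-9]+\]:$/ && $6 == "Accepted" {
            user = ""
            for (i = 7; i < NF; i++) if ($i == "for") { user = $(i + 1); break }
            if (user in svc) print "ssh-login user=" user " line=" NR
            next
        }
        # sudo: "... sudo: <user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
        $5 == "sudo:" {
            if ($6 in svc) print "sudo user=" $6 " line=" NR
        }'
}

# Run over the documented service accounts; alice is not listed and is ignored.
flag_service_account_activity "www-data mysql backupsvc reportsvc" "$SAMPLE_AUTH_LOG"
```

On the sample lines this reports the SSH login as backupsvc and the sudo invocation by mysql, and nothing for the cron session or for alice. In production the list of names should come from the same inventory that documents each service account's purpose and owner.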