The right way to set up a Linux Service with a Dedicated User and Systemd

Vaibhav Yadav

NOTE: This is a general guide, but some commands are specific to Debian.

Introduction

When running a program as a service using the systemd utility in Linux, proper configuration is essential. Many applications, like Tomcat, require setting up systemd for better management. A general rule when working with such services is that “no service should have root privileges”.

For example, if a web server is running as root and gets compromised, an attacker could gain unauthorized access to the entire system. A better approach is to create a dedicated user for the service with a nologin shell. This ensures that the user cannot log in directly, and if the service is compromised, the account cannot be used to open an interactive login session or as a starting point for further attacks.

Creating a dedicated user for the service

First, we create a separate system user for the service with the /usr/sbin/nologin shell and no home directory.

sudo useradd -r -s /usr/sbin/nologin myservice

Replace myservice with your service name.

Installing and preparing service

Install the necessary service files and copy them to the /opt/myservice directory.

sudo mkdir -p /opt/myservice
sudo cp -r ./* /opt/myservice/

Setting up the permissions

Since we want only the myservice user to interact with our service files, we change the owning user and group of the /opt/myservice directory.

sudo chown -R myservice:myservice /opt/myservice

Setting up systemd files

Systemd unit files are used to define, manage and control services in Linux. These files tell systemd how to start, stop, restart, and monitor a service.

A systemd unit file is made up of three parts:

  • [Unit]: Defines metadata and dependencies, specifying when and how the service should start.

  • [Service]: Specifies the execution details, including the user, commands, restart policies, and runtime behavior.

  • [Install]: Determines how the service is enabled, defining the target run levels where it should start automatically.

A sample systemd file is:

[Unit]
Description=My Custom Linux Service
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=myservice
Group=myservice
WorkingDirectory=/opt/myservice
ExecStart=/opt/myservice/start.sh
ExecStop=/opt/myservice/stop.sh
Restart=always
RestartSec=5
StandardOutput=journal
StandardError=journal
SyslogIdentifier=myservice
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true

[Install]
WantedBy=multi-user.target

Here, User and Group ensure the service runs with the specified user and group privileges instead of root, improving security.

This file is created like this:

sudo vim /etc/systemd/system/myservice.service

Setting permission for Systemd file

We need to set the permissions on the newly created systemd file so that systemd can load it without any issue (644: writable by its owner, root, and read-only for everyone else).

sudo chmod 644 /etc/systemd/system/myservice.service
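
To check the result of the last two steps, the following added example (not part of the original article) audits a unit file for the hardening settings used in the sample above and for permissions no looser than 644. The function names are hypothetical; the accepted values are the ones systemd documents for these directives.

```sh
#!/bin/sh
# Added example (not from the original article): audit a unit file for the
# settings this guide relies on. Function names are hypothetical.

# unit_get FILE KEY: print the last value assigned to KEY in [Service].
unit_get() {
    awk -v key="$2" '
        /^\[/ { in_svc = ($1 == "[Service]"); next }
        !in_svc || /^[#;]/ { next }
        {
            eq = index($0, "="); if (!eq) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# is_true VALUE: succeed for the boolean spellings systemd accepts as "on".
is_true() { case $1 in 1|yes|y|true|t|on) return 0 ;; *) return 1 ;; esac; }

fail() { echo "FAIL: $1"; findings=$((findings + 1)); }

# audit_unit FILE: print one line per finding; exit status = finding count.
audit_unit() {
    unit=$1; findings=0
    user=$(unit_get "$unit" User)
    if [ -z "$user" ] || [ "$user" = root ] || [ "$user" = 0 ]; then
        fail "User= is unset or root, so the service runs as root"
    fi
    is_true "$(unit_get "$unit" NoNewPrivileges)" ||
        fail "NoNewPrivileges is not enabled"
    case $(unit_get "$unit" ProtectSystem) in
        full|strict) ;;
        *) fail "ProtectSystem is weaker than 'full'" ;;
    esac
    prot_home=$(unit_get "$unit" ProtectHome)
    case $prot_home in
        read-only|tmpfs) ;;
        *) is_true "$prot_home" || fail "ProtectHome is not enabled" ;;
    esac
    # chmod 644 leaves no write bit for group or others; flag anything looser.
    [ -z "$(find -L "$unit" \( -perm -020 -o -perm -002 \))" ] ||
        fail "unit file is writable by group or others"
    return "$findings"
}

# Usage: sh audit_unit.sh /etc/systemd/system/myservice.service
if [ $# -gt 0 ]; then audit_unit "$1"; fi
```

Only the [Service] section is read, so a User= line that is commented out or placed under [Unit] is reported as missing.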

Reloading Systemd and restarting service

We need to reload systemd so it registers our newly created service file.

sudo systemctl daemon-reload

Starting the service and enabling it at boot

After this we can control our service like any other service using systemd.

sudo systemctl start myservice # it will start the service
sudo systemctl stop myservice # it will stop the service
sudo systemctl enable myservice # it will automatically start the service at boot

Conclusion

Setting up a Linux service properly makes sure it runs securely and without issues. By creating a dedicated user with nologin, we reduce security risks and prevent attackers from gaining full system access if the service gets compromised. Systemd makes it easy to manage services—handling automatic restarts, dependencies, and logs.

If something goes wrong, check the service status and logs:

systemctl status myservice  
journalctl -u myservice --no-pager --since "10 minutes ago"

With this setup, your service will start, stop, and restart automatically without needing root access, making it more stable and secure.
