"Deploying MediaGoblin" manual tells to "adduser --system", meaning no shell, then to "su -" without specifying a shell → cannot log in.

[kumo]

There's something in ​the docs that doesn't make much sense for me:

"No password will be assigned to this account, and you will not be able to log in as this user. To switch to this account, enter either:"

and then sudoes to mediagoblin user. Also, it says:

"Unless otherwise noted, the remainder of this document assumes that all operations are performed using this unpriviledged account."

In my opinion, user mediagoblin should get shell permissions and when finished remove them. Otherwise, do everything as another user and at the end chown it all, but it may break something.

[Christopher Allan Webber]

I understand what you're saying, but I believe this is a feature. What this means isn't that you can't have shell permissions (when you sudo over, you are in the shell) it means that the user can't be logged into *as that user*. And there's good reason for that: you don't want to have to manage authentication stuff and possibly have a security breach by someone logging into a user that nobody actually ever logs in as directly. I believe that's the reason for the documentation's wording above... does that make sense?

(In the meanwhile I'm closing this ticket, but that doesn't mean discussion is over.)

[Aleksej]

Reopening. The documentation is talking about "su - mediagoblin", while "sudo" is used only to get root permissions so that su works. The problem is that "su" does nothing visible unless you specify a shell with "-s".

After this:
adduser --system testuser4

This (which documentation suggests) does not work for me and at least two other Debian users:
su - testuser4

These do work:
su - testuser4 -s /bin/bash
sudo -u testuser4 /bin/bash

[Aleksej]

Changing to critical, because it has probably stopped multiple people trying to try GMG.

[Christopher Allan Webber]

Done.