Alpine Linux Wiki, user contributions feed for Kevinthomas0 (https://wiki.alpinelinux.org/w/api.php?action=feedcontributions&user=Kevinthomas0&feedformat=atom). Page: Setting up a new user (https://wiki.alpinelinux.org/w/index.php?title=Setting_up_a_new_user&diff=19603), revision of 2021-06-16T17:18:29Z. Edit summary by Kevinthomas0: Grammar and wording fixes.
<div><br />
The <code>root</code> account should only be used for local administrative purposes that require its elevated access permissions.<br />
<br />
This page shows the creation of regular user accounts that may be used for daily work, including desktop usage and remote logins.<br />
<br />
= Overview =<br />
<br />
Creating user accounts gives each user their own $HOME directory and allows you (the root administrator) to limit the access these accounts have to the operating system's configuration.<br />
<br />
Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).<br />
<br />
= Creating a new user =<br />
<br />
<br />
{{Warning|If using a '''"diskless" or "data" disk mode''' installation, it's important to make the <code>/home</code> directory persistent.<br />
<br><br />
* Either the <code>/home</code> filesystem needs to be mounted from a writable partition, or<br />
* the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:<br />
{{Cmd| # lbu include /home<br />
# lbu commit<br />
}} (Not recommended, as reverting to an older .apkovl will also revert the files in /home).<br />
}}<br />
<br />
<br />
Regular user accounts can be created with:<br />
{{Cmd|# adduser [-g "<Full Name>"] <username>}}<br />
<br />
By default, adduser will:<br />
* prompt to set a password for the new user<br />
* create a home directory in {{Path|/home/<username>}}<br />
* set the shell to the one used by the <code>root</code> account (ash by default)<br />
* assign user ID and group ID at 1000+<br />
* set the GECOS (full name) field to "Linux User,,,"<br />
<br />
{{Tip|The optional <code>-g "<Full Name>"</code> above sets the GECOS field.<br />
It is very useful to specify. Setting this string (at least to the username) makes users distinguishable, e.g. when they are listed at the login screen of a display manager.<br />
}}<br />
<br />
<br />
<br />
'''If a user ''really must'' be allowed access to the root account''', the <username> can be added to the wheel group, <code>doas</code> ("do as") may be installed, and the group "wheel" can be allowed to become root:<br />
<pre><nowiki><br />
adduser -g "<username>" <username><br />
adduser <username> wheel<br />
apk add doas<br />
apk add nano<br />
nano /etc/doas.conf<br />
</nowiki></pre><br />
<br />
{{Warning|It's recommended to not run complete applications, like editors, as root just to modify administrative files.<br />
<br><br />
* Many desktop environments and file browsers support using <code>admin:///</code> in their address bars, to access files through a local gvfs-admin mount<br />
* <code>doasedit</code> or <code>sudoedit</code> allows starting an editor for a temporary copy of a file, which overwrites the original file after the user modifies and closes it. For example, <code>sudoedit /etc/apk/lbu.conf</code><br />
}}<br />
The <code>sudo</code> package is an alternative to the BSD-like <code>doas</code>, but is a much larger package.<br />
It may be used as follows. A per-user drop-in file is added under <code>/etc/sudoers.d</code>, so the main configuration file does not have to be edited by hand and is left untouched by later package upgrades:<br />
<pre><nowiki><br />
apk add sudo<br />
NEWUSER='yourUserName'<br />
adduser -g "${NEWUSER}" "$NEWUSER"    # -g sets the GECOS field; busybox adduser has no -d option<br />
echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/"$NEWUSER" && chmod 0440 /etc/sudoers.d/"$NEWUSER"<br />
</nowiki></pre><br />
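A checked version of the drop-in step above, as an added example that is not code from the wiki page. It assumes the target directory is passed as a parameter (so it can be tried against a temporary directory instead of /etc) and relies on sudo's documented behaviour of ignoring include-directory files whose name contains a '.' or ends in '~'.

```shell
#!/bin/sh
# Added example, not code from the wiki page: a checked version of the
# /etc/sudoers.d drop-in step above. The target directory is a parameter so
# the functions can be tried against a temporary directory instead of /etc.
set -eu

# The wiki's rule: a username is lowercase letters only, no spaces or symbols.
# This also matters for sudo, which ignores drop-in files whose name contains
# a '.' or ends in '~' (editor backup names), so a bad name would produce a
# rule file that is silently skipped.
valid_username() {
    case $1 in
        ''|*[!a-z]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Write "<user> ALL=(ALL) ALL" to <dir>/<user> with mode 0440 and print the
# path. Invalid names are refused instead of creating an ignored file. The
# restrictive umask is set in a subshell so the caller's umask is unchanged.
write_sudoers_dropin() {
    user=$1; dir=$2
    valid_username "$user" || { echo "invalid username: $user" >&2; return 1; }
    ( umask 077; printf '%s ALL=(ALL) ALL\n' "$user" > "$dir/$user" )
    chmod 0440 "$dir/$user"
    printf '%s\n' "$dir/$user"
}

# Describe an existing drop-in as "<octal mode> <rule line>", e.g. to audit
# that it is 440 and contains exactly the rule that was intended.
describe_dropin() {
    printf '%s %s\n' "$(stat -c '%a' "$1")" "$(cat "$1")"
}
```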
<br />
<br />
The new user gets listed in <br />
<br />
{{Cat|/etc/passwd|root:x:0:0:root:/root:/bin/ash<br />
.<br />
.<br />
.<br />
<username>:x:1000:1000:Linux User,,,:/home/<username>:/bin/ash}}<br />
<br />
And it's now possible to <code>exit</code> and login to the new account.<br />
<br />
= Options =<br />
<br />
=== adduser ===<br />
<br />
Usage (from "man busybox"):<br />
<br />
<pre><nowiki>adduser [OPTIONS] USER [GROUP]<br />
<br />
Create new user, or add USER to GROUP<br />
<br />
-h --home DIR Home directory<br />
-g --gecos GECOS GECOS field<br />
-s --shell SHELL Login shell named SHELL, for example /bin/bash<br />
-G --ingroup GRP Group (by name)<br />
-S --system Create a system user<br />
-D --disabled-password Don't assign a password (so the user cannot log in)<br />
-H --no-create-home Don't create home directory<br />
-u --uid UID User id<br />
-k SKEL Skeleton directory (/etc/skel)<br />
</nowiki></pre><br />
<br />
{{Tip|Multi-user collaboration<br />
If <nowiki>--ingroup</nowiki> isn't set (the default), the new user is assigned a new GID equal to the UID. If the GID corresponding to a provided UID already exists, adduser will fail.<br />
<br />
This ensures new users get a "user's private group" (UPG) as their primary group. A private group allows the system to use a permissive umask (002), under which new files are automatically group-writable, but only for the user's own private group. In set-group-id (collaboration) directories this means new files are automatically created writable by the directory's group.<br />
}}<br />
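The user-private-group behaviour described in the tip, as an added example that is not code from the wiki page. It assumes a Linux system with a GNU or busybox <code>stat</code> supporting <code>-c</code>, and works only in a temporary directory owned by the current user, so no real account is touched.

```shell
#!/bin/sh
# Added example, not code from the wiki page: shows the user-private-group
# scheme described in the tip above. It works entirely in a temporary
# directory owned by the current user, so it needs no root and no new account.
set -eu

# Create a collaboration directory: group-owned by the caller's primary group
# (numeric gid, so no name lookup is needed) with mode 2770, i.e. set-group-id
# so that everything created inside inherits that group.
make_collab_dir() {
    dir=$(mktemp -d)
    chgrp "$(id -g)" "$dir"
    chmod 2770 "$dir"
    printf '%s\n' "$dir"
}

# Create FILE in DIR under umask MASK and print "<octal mode> <gid>".
# The umask is changed in a subshell so the caller's umask is untouched.
create_file_with_umask() {
    dir=$1; mask=$2; file=$3
    ( umask "$mask" && : > "$dir/$file" )
    stat -c '%a %g' "$dir/$file"
}

# Same for a subdirectory: on Linux it inherits the set-group-id bit as well,
# so the collaboration semantics carry over into nested directories.
create_dir_with_umask() {
    dir=$1; mask=$2; sub=$3
    ( umask "$mask" && mkdir "$dir/$sub" )
    stat -c '%a %g' "$dir/$sub"
}

# With a private group, umask 002 is safe: the file is group-writable, but the
# group is the one inherited from the directory. With umask 022 (the usual
# default) collaborators get the file read-only and must ask for a chmod.
demo() {
    d=$(make_collab_dir)
    echo "umask 002 file: $(create_file_with_umask "$d" 002 shared.txt)"
    echo "umask 022 file: $(create_file_with_umask "$d" 022 readonly.txt)"
    echo "umask 002 dir:  $(create_dir_with_umask "$d" 002 sub)"
    rm -rf "$d"
}
demo
```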
<br />
=== addgroup ===<br />
<br />
Usage (from "man busybox"): <br />
<br />
<pre><nowiki>addgroup [-g GID] [-S] [USER] GROUP<br />
<br />
Create a group or add a user to a group<br />
<br />
-g --gid GID Group id<br />
-S --system Create a system group<br />
</nowiki></pre><br />
<br />
= Legacy =<br />
<br />
=== Common permission groups ===<br />
<br />
(Taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)<br />
<br />
* '''disk''':x:6:root,adm Only needed for running virtual machines and for raw access to other partitions or disks<br />
* '''lp''':x:7:lp Only needed for using printing services and managing printers<br />
* '''wheel''':x:10:root Administrators group; members can use <code>sudo</code> to run commands as root if enabled in the sudo configuration.<br />
* '''floppy''':x:11:root Backward-compatibility group; use only if access to legacy removable devices is needed<br />
* '''audio''':x:18: Needed for audio playback and volume control as a normal user<br />
* '''cdrom''':x:19: For access to disc writers and for mounting DVD, Blu-ray or CD-ROM discs as a normal user<br />
* '''dialout''':x:20:root Needed for dial-up connections and modem use as a normal user<br />
* '''tape''':x:26:root Needed only if you plan to use tape devices for backups; rarely needed on non-server machines<br />
* '''video''':x:27:root For using cameras and special GPU features (e.g. more than one GPU) as a normal user<br />
* '''netdev''':x:28: For managing network connections as a normal user<br />
* '''kvm''':x:34:kvm Only if a normal user will manage virtual machines graphically; rarely needed on non-server machines<br />
* '''games''':x:35: Needed to play games, especially if scores are to be shared between users<br />
* '''cdrw''':x:80: To write rewritable DVD, Blu-ray or CD discs on a disc writer<br />
* '''apache''':x:81: Needed if you do development as a normal user and want to publish locally on the web server<br />
* '''usb''':x:85: Needed to access special USB devices; deprecated group<br />
* '''users''':x:100:games If you plan to share common files among all users; mandatory for desktop usage<br />
<br />
<br />
<br />
<br />
= Old newbie notes =<br />
<br />
=== Users creation and defaults ===<br />
<br />
The following commands first set up the root login environment and then assign a new password:<br />
<br />
<pre><nowiki><br />
cat > /root/.cshrc << EOF<br />
unsetenv DISPLAY || true<br />
HISTCONTROL=ignoreboth<br />
EOF<br />
<br />
cp /root/.cshrc /root/.profile<br />
<br />
echo "root:secret_new_root_password" | chpasswd    # chpasswd reads user:password lines<br />
</nowiki></pre><br />
<br />
By default, remote management cannot be done directly as root, for SSH security reasons, so we need to set up a remote-connection account and "su" once connected.<br />
<br />
The recommended setup is to have an access user, here named "remote", and a normal general-usage user, here named "general", for convenience. The next commands set up a very hardened, limited environment for any new user and then create those two users:<br />
<br />
<pre><nowiki><br />
mkdir -p /etc/skel/<br />
<br />
cat > /etc/skel/.logout << EOF<br />
history -c<br />
/bin/rm -f /opt/remote/.mysql_history<br />
/bin/rm -f /opt/remote/.history<br />
/bin/rm -f /opt/remote/.bash_history<br />
EOF<br />
<br />
cat > /etc/skel/.cshrc << EOF<br />
set autologout = 30<br />
set prompt = "$ "<br />
set history = 0<br />
set ignoreeof<br />
EOF<br />
<br />
cp /etc/skel/.cshrc /etc/skel/.profile<br />
<br />
adduser -D --home /opt/remote --shell /bin/ash remote<br />
<br />
echo "remote:secret_new_remote_user_password" | chpasswd<br />
<br />
adduser -D --shell /bin/bash general<br />
<br />
echo "general:secret_new_general_user_password" | chpasswd<br />
</nowiki></pre><br />
<br />
{{Tip|"'''general'''" is the name of the user; that name MUST consist only of lowercase letters, with no spaces and no symbols}}<br />
<br />
Note that those users are created with minimal settings.<br />
<br />
== User management and system access ==<br />
<br />
By default, a newly created user will not have enough privileges for most desktop purposes.<br />
<br />
To add newly created users (those with home directories set up) to groups that may come in handy for desktop usage, you can run this command as root:<br />
<br />
<pre><nowiki><br />
# Iterate over the directories under /home instead of parsing ls output<br />
for u in /home/*/; do [ -d "$u" ] || continue; u=${u%/}; u=${u##*/}; for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup "$u" "$g"; done; done<br />
</nowiki></pre></div>