Setting up a new user: Difference between revisions

From Alpine Linux
(→‎addgroup: Added wheel to list of common groups.)
mNo edit summary
(68 intermediate revisions by 16 users not shown)

Revision as of 04:29, 19 April 2024

The root account should be used only for local administrative purposes that require elevated access permissions.

This page shows how to create non-privileged user accounts, i.e. those used for daily work, including desktop use and remote logins.

Overview

Creating user accounts provides users with their own $HOME directory and allows you (the root user) to limit the access those user accounts have to the operating system configuration files.

Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).

Creating a new user

Warning: If using a "diskless" or "data" disk mode installation, it's important to make the /home directory persistent.


  • Either the /home filesystem needs to be mounted from a writable partition, or
  • the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:

# lbu include /home
# lbu commit

(Not recommended, as reverting to an older .apkovl will also revert the files in /home).


Regular user accounts can be created with:

# adduser [-g "<Full Name>"] <username>

By default, adduser will:

  • prompt you to set a password for the new user
  • create a home directory in /home/<username>
  • set the shell to the one used by the root account (ash by default)
  • assign user ID and group ID starting at 1000
  • set the GECOS (full name) field to "Linux User,,,"

Tip: The optional -g "<Full Name>" above sets the GECOS field.

This can be very useful to specify. Setting this string - at least equal to the username - makes the user distinguishable, e.g. when they are listed at the login screen of a display manager.

If a user really must be allowed to have access to the root account, the <username> can be added to the wheel group and doas ("do as") may be installed:

# adduser -g "<username>" <username>
# adduser <username> wheel
# apk add doas

You will want to allow members of the wheel group to use root privileges with doas. To do this, open the doas config file:

# <editor> /etc/doas.d/doas.conf

Add the following line and save the file:

permit persist :wheel

Warning: It's recommended to not run complete applications, like editors, as root just to modify administrative files.


  • doasedit or sudoedit (being deprecated in favour of doas) enables starting an editor with a temporary copy of a file, which overwrites the original file after the user modifies and saves it. For example, sudoedit /etc/apk/lbu.conf
  • Many desktop environments and file browsers support using admin:/// in their address bars, to access files through a local gvfs-admin mount.


The sudo package is an alternative to using the BSD-like doas, but is a much larger package. It may be used as follows: a per-user drop-in configuration file is added under /etc/sudoers.d, so the main configuration file never has to be edited by hand again after package upgrades.

apk add sudo
NEWUSER='yourUserName'
adduser -g "${NEWUSER}" $NEWUSER
echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER


If no seat manager like elogind or seatd is being used and running, then users that want a graphical environment need the video and input groups:

# adduser '<username>' video
# adduser '<username>' input

The above is highly discouraged. See #15409.

The new user gets listed in /etc/passwd:

root:x:0:0:root:/root:/bin/ash
...
<username>:x:1000:1000:<username>:/home/<username>:/bin/ash

Now you should be able to issue the command exit and login to the new account.

Options

adduser

Usage (from "man busybox"):

adduser [OPTIONS] USER [GROUP]

Create new user, or add USER to GROUP

     -h --home DIR           Home directory
     -g --gecos GECOS        GECOS field
     -s --shell SHELL        Login shell named SHELL by example /bin/bash
     -G --ingroup GRP        Group (by name)
     -S --system             Create a system user
     -D --disabled-password  Don't assign a password, so cannot login
     -H --no-create-home     Don't create home directory
     -u --uid UID            User id
     -k SKEL                 Skeleton directory (/etc/skel)

Tip: Multi-user collaboration

If --ingroup isn't set (the default), the new user is assigned a new GID that matches the UID. If the GID corresponding to a provided UID already exists, adduser will fail.

This ensures new users default to having a "user's private group" (UPG) as primary group. This allows the system to use a permissive umask (002), which creates new files as group-writable by default, but only for the user's private group. In special set-group-id (collaboration) directories, new files are then automatically created writable by the directory's group.

addgroup

Usage (from "man busybox"):

addgroup [-g GID] [-S] [USER] GROUP

Create a group or add a user to a group

    -g --gid GID    Group id
    -S --system     Create a system group

Home directory permissions

adduser creates home directories with permissions rwxr-sr-x. This makes the directory readable by all other users on the system. If you prefer to not allow other users to read your home directory, the permissions can be changed:

chmod o-rx <path-to-directory>

Legacy

Common permission groups

This material is work-in-progress: a few security implications outlined on the Debian wiki SystemGroups page (https://wiki.debian.org/SystemGroups) still need to be noted here. (Last edited by Vptr on 19 Apr 2024.)

Groups are needed for certain operations on your system.

(Names taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)

adm        Used for system monitoring tasks.
disk       Raw access to disks. Mostly equivalent to root access.
lp         Members of this group can enable and use printers.
wheel      Administrator group, members can use doas to run commands as root if enabled in the doas configuration.
floppy     Access to floppy drives and other removable (non-optical) drives (like USB flash drives).
audio      Direct access to sound hardware (the soundcard or a microphone).
cdrom      For access to disk writers and mounting DVD, BR or CD-ROM disks as a normal user.
dialout    Full and direct access to serial ports.
input      Access to input devices.
tape       Needed to give a set of users access to a tape drive.
video      Access to video capture devices (like a webcam).
netdev     For network connection management as a normal user.
kvm        Needed to use the KVM acceleration of virtual machines.
games      Access to some game software.
cdrw       Needed to write RW-DVD, RW-BR or RW-CD disks on a disk writing device.
usb        Needed to access special USB devices; deprecated group.
users      Needed if you plan to use common files for all users; mandatory for desktop usage.

To add your user to a group use the following command:

# adduser <username> <group>

Note: You need to log out for the group change(s) to take effect.

To see what group(s) a <username> is in, use the following command:

# id <username>
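Two of the points above are worth checking on an existing system rather than trusting memory: which regular users have ended up in the root-equivalent groups just listed (via adduser -G as primary group, or via adduser <username> <group> as a supplementary member), and which home directories are still at adduser's default rwxr-sr-x from the "Home directory permissions" section. The audit script below is an added example, not from the Alpine wiki; the list of sensitive groups and the passwd/group fixture it builds are our own constructed assumptions.

```shell
#!/bin/sh
# Added audit example (not from the Alpine wiki). Checks two things discussed
# on this page: regular users (UID >= 1000) that are members of root-equivalent
# groups, and home directories still readable by "other" (adduser's default).
# The sensitive-group list is our assumption, derived from the page's own
# descriptions (disk is "mostly equivalent to root", wheel unlocks doas/sudo).

SENSITIVE_GROUPS="wheel disk kvm dialout"

# sensitive_members PASSWD GROUP
# Prints "group:user" for each regular user in a sensitive group, whether as
# primary group (GID field of passwd, e.g. from "adduser -G disk") or as a
# supplementary member (member list of group, from "adduser <user> <group>").
sensitive_members() {
    awk -F: -v groups="$SENSITIVE_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        # first file: passwd -> remember regular users and their primary GID
        FNR == NR { if ($3 >= 1000) { regular[$1] = 1; primary[$1] = $4 }; next }
        # second file: group -> supplementary members of sensitive groups
        ($1 in want) {
            byid[$3] = $1
            m = split($4, members, ",")
            for (i = 1; i <= m; i++) if (members[i] in regular) print $1 ":" members[i]
        }
        END { for (u in primary) if (primary[u] in byid) print byid[primary[u]] ":" u }
    ' "$1" "$2" | sort -u
}

# world_readable_homes PASSWD ROOTDIR
# Prints "user:home" for each regular user whose home (looked up under ROOTDIR,
# "/" on a live system) still has any "other" permission bit set, i.e. what
# "chmod o-rx <home>" would fix. Columns 8-10 of "ls -ld" are the other bits.
world_readable_homes() {
    awk -F: '$3 >= 1000 { print $1 ":" $6 }' "$1" | while IFS=: read -r user home; do
        dir="$2$home"
        [ -d "$dir" ] || continue
        other=$(ls -ld "$dir" | cut -c8-10)
        [ "$other" = "---" ] || echo "$user:$home"
    done
}

# make_fixture DIR: constructed sample passwd/group files and fake homes.
# alice is in wheel, bob in kvm, carol was created with "adduser -G disk"
# (primary GID 6); bob's home already had "chmod o-rx" applied.
make_fixture() {
    mkdir -p "$1"
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
operator:x:11:0:operator:/root:/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/ash
bob:x:1001:1001:bob:/home/bob:/bin/ash
carol:x:1002:6:carol:/home/carol:/bin/ash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root
disk:x:6:root,adm
wheel:x:10:root,alice
floppy:x:11:root
audio:x:18:alice,bob
video:x:27:root,bob
kvm:x:34:kvm,bob
alice:x:1000:
bob:x:1001:
EOF
    for u in alice bob carol; do
        mkdir -p "$1/home/$u" && chmod 2755 "$1/home/$u"   # adduser default rwxr-sr-x
    done
    chmod o-rx "$1/home/bob"
}

# Stand-alone demo against the constructed fixture.
demo=$(mktemp -d)
make_fixture "$demo"
echo "== regular users in root-equivalent groups =="
sensitive_members "$demo/passwd" "$demo/group"
echo "== home directories still readable by other =="
world_readable_homes "$demo/passwd" "$demo"
rm -rf "$demo"
```

On a real box run the two functions as root against /etc/passwd and /etc/group with "/" as ROOTDIR; note that the primary-GID check is what catches an adduser -G disk account that never appears in the disk member list of /etc/group.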

Old newbie notes

User creation and defaults

The following commands will set up root environment login, then assign a new password:

# root's csh-style login file; it is copied to .profile below, which ash reads:
# "unsetenv" is csh syntax, so under ash the "|| true" only hides its failure
cat > /root/.cshrc << EOF
unsetenv DISPLAY || true
HISTCONTROL=ignoreboth
EOF

cp /root/.cshrc /root/.profile

# chpasswd reads "user:password" lines, so the user name must be given
echo "root:secret_new_root_password" | chpasswd

By default, remote management cannot be done directly with the root account. Because of SSH security we need to set up a remote connection account that will be used to switch to the root user via the su command, once connected.

Here's an example: create user named "remote" and a user named "general". We will set up a hardened, limited, user environment and create those two users:

mkdir -p /etc/skel/

# run at logout (csh reads .logout; bash uses .bash_logout): clear the history
# files of the user logging out. Quoted EOF so $HOME expands at logout time,
# not to root's home when this file is written.
cat > /etc/skel/.logout << 'EOF'
history -c
/bin/rm -f "$HOME/.mysql_history"
/bin/rm -f "$HOME/.history"
/bin/rm -f "$HOME/.bash_history"
EOF

# csh-style settings; the copy to .profile below is what ash and bash read
cat > /etc/skel/.cshrc << EOF
set autologout = 30
set prompt = "$ "
set history = 0
set ignoreeof
EOF

cp /etc/skel/.cshrc /etc/skel/.profile

# -D creates the account without a password; chpasswd sets one right after
adduser -D --home /opt/remote --shell /bin/ash remote

echo "remote:secret_new_remote_user_password" | chpasswd

# /bin/bash requires the bash package to be installed
adduser -D --shell /bin/bash general

echo "general:secret_new_general_user_password" | chpasswd

Tip: "general" is the name of the user. That name MUST contain ONLY lowercase letters, NO spaces and NO symbols

Note that those users are created with minimal privilege settings.

User management and system access

By default, a newly created user will not have enough privileges for most desktop purposes.

To add newly created users to groups that may come in handy for desktop usage, run this command as root:

for u in $(ls /home); do for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup $u $g; done;done

See also

  • Users and groups - ArchWiki (https://wiki.archlinux.org/title/Users_and_groups)