Setting up a new user: Difference between revisions

From Alpine Linux
(Adding information about Xorg groups.)
(added the locking root account from Daily driver guide page)
 
(31 intermediate revisions by 16 users not shown)
Line 1: Line 1:
 
This page shows how to create non-privileged user accounts. i.e. those used for daily work, including desktop use and remote logins, and how to grant admin access to such accounts if needed.
The <code>root</code> account should only be used for local administrative purposes that require its elevated access permissions.
 
This page shows the creation of regular user accounts that may be used for daily work, including desktop usage and remote logins.


= Overview =
= Overview =


Creating user accounts provides the users their own $HOME directory and allows you (the root administrator) to limit the access that these user accounts have to the operating system's configuration.
Creating user accounts provides users with their own {{path|$HOME}} directory and allows you (the root user) to limit the access those user accounts have to the operating system configuration files.


Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).
Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).
{{Warning|If you are using a '''"diskless" or "data" disk mode''' installation, refer to the section [[#Persistent Home directory|Persistent Home directory]] before proceeding further.}}


= Creating a new user =
= Creating a new user =


The <code>root</code> account should be used only for local administrative purposes that require elevated access permissions. Regular or non-privileged user accounts can be created in two ways:


{{Warning|If using a '''"diskless" or "data" disk mode''' installation, it's important to make the <code>/home</code> directory persistent.
== setup-user ==
<br>
The [[Alpine_setup_scripts#setup-user|setup-user]] script allows quick and simple setup of user accounts. To create a regular user account using the above script:
* Either the <code>/home</code> filesystem needs to be mounted from a writable partition, or
{{Cmd|# setup-user}}  
* the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:
{{Cmd| # lbu include /home
# lbu commit
}} (Not recommended, as reverting to an older .apkovl will also revert the files in /home).
}}


User will be prompted for options. This script uses [[#adduser|adduser]] in the backend.


Regular user accounts can be created with:
== adduser ==
{{Cmd|# adduser [-g "<Full Name>"] <username>}}
{{Cmd|# adduser [-g "<Full Name>"] <username>}}


By default, adduser will:
By default, <code>adduser</code> will:
* prompt to set a password for the new user
* prompt you to set a password for the new user
* create a home directory in {{Path|/home/<username>}}
* create a home directory in {{Path|/home/<username>}}
* set the shell to the one used by the <code>root</code> account (ash by default)
* set the shell to the one used by the <code>root</code> account (ash by default)
* assign user ID and group ID at 1000+
* assign user ID and group ID starting at 1000
* set the GECOS (full name) field to "Linux User,,,"
* set the GECOS (full name) field to "Linux User,,,"


{{Tip|The optional <code>-g "<Full Name>"</code> above sets the GECOS field.
{{Tip|The optional <code>-g "<Full Name>"</code> above sets the GECOS field.
This can be very useful to specify. Setting this string --at least equal to the username-- makes the users distinguishable, e.g. when they are listed at the login screen of a display manager.
This can be very useful to specify. Setting this string - at least equal to the username - makes the user distinguishable, e.g. when they are listed at the login screen of a display manager.
}}
}}


Usage (from "man busybox"):


Users which must be able to access an Xorg instance must be added to the <code>video</code> and <code>input</code> groups:
<pre><nowiki>adduser [OPTIONS] USER [GROUP]
adduser 'yourUserName' video
adduser 'yourUserName' input


Create new user, or add USER to GROUP


'''If a user ''really must'' be allowed to have access to the root account''', the <username> can be added to the wheel group,  <code>doas</code> ("do as") may be installed, and the group "wheel" can be allowed to become root:
    -h --home DIR          Home directory
adduser -g "<username>" <username>
    -g --gecos GECOS        GECOS field
  adduser <username> wheel
    -s --shell SHELL        Login shell named SHELL by example /bin/bash
apk add doas
    -G --ingroup GRP        Group (by name)
apk add nano
    -S --system            Create a system user
nano /etc/doas.conf
    -D --disabled-password Don't assign a password, so cannot login
    -H --no-create-home    Don't create home directory
    -u --uid UID            User id
    -k SKEL                Skeleton directory (/etc/skel)
</nowiki></pre>


{{Warning|It's recommended to not run complete applications, like editors, as root just to modify administrative files.
The new user gets listed at the last line:
{{Cat|/etc/passwd|<nowiki>
root:x:0:0:root:/root:/bin/ash
...
<username>:x:1000:1000:<username>:/home/<username>:/bin/ash
</nowiki>}}
 
Now you should be able to issue the command <code>exit</code> and login to the newly created account.
<br>
<br>
* Many desktop environments and file browsers support using <code>admin:///</code> in their address bars, to access files through a local gvfs-admin mount
{{Note| If you used [[setup-desktop]] to install your desktop environment, you will be able to use your desktop without issues, as [[elogind]] is up and running automatically for you. In other cases, if you are facing difficulties your user may need to be added to certain [[#Group management|groups]]. }}
* <code>doasedit</code> or <code>sudoedit</code> allows starting an editor for a temporary copy of a file, which overwrites the original file after the user modifies and closes it. For example, <code>sudoedit /etc/apk/lbu.conf</code>
 
= Group management =
 
To see what group(s) you belong to, use the following command:
{{Cmd|$ groups}}
 
If you installed your desktop manually and facing difficulties in using desktop or if [[seatd]] is used, then users that want a graphical environment need to be added to the '''video''' and '''seat''' groups.
Refer {{Issue|15409}} regarding security concerns.
 
To add your user to a group (for e.g '''video''' and '''seat''') you can use the following commands:
 
# adduser '<username>' video
# adduser '<username>' seat
 
The above command is a variation of [[#adduser|adduser]].
 
To add your user to a group you can also use the following command:
 
Usage (from "man busybox"):  
 
<pre><nowiki>addgroup [-g GID] [-S] [USER] GROUP
 
Create a group or add a user to a group
 
    -g --gid GID    Group id
    -S --system    Create a system group
</nowiki></pre>
 
{{Note|You need to log out and log in again for the group change(s) to take effect.}}
 
= Admin user =
 
'''If a user ''really must'' be allowed to have access to the root account''', the <username> must be added to the '''wheel''' group. Also ensure that either [[#doas|doas]] or [[#sudo|sudo]] is available.
 
== wheel group ==
 
The [[Alpine_setup_scripts#setup-user|setup-user]] script allows quick and simple setup of admin user accounts. To Create a new user as admin user, using the above script:
 
{{Cmd|# setup-user -a <username>}}
 
The above command will create an admin user, by adding the user to wheel group and installs <code>{{Pkg|doas}}</code>, if not already installed.
 
To add an existing user as admin user:
{{Cmd| # adduser <username> wheel}}
 
After adding the user as to wheel group using <code>adduser</code>, remember to install and configure [[#doas|doas]], if not already done.
 
== doas ==
The doas command provides a way to perform commands as another user. It aims to be a simplified and lightweight replacement for [[#sudo|sudo]].
 
{{Cmd| # apk add {{Pkg|doas}} }}
You will want to allow members of the '''wheel''' group to use root privileges with <code>doas</code>. To do this, your <code>doas</code> config file should be as follows:
{{Cat|/etc/doas.d/doas.conf|<nowiki>
permit persist :wheel
</nowiki>
}}
}}
== sudo ==
Sudo (su “do”) allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
The <code>sudo</code> package is an alternative to using the BSD-like <code>doas</code>, but is a much larger package.
The <code>sudo</code> package is an alternative to using the BSD-like <code>doas</code>, but is a much larger package.
It may be used as follows: adding a custom user configuration file to avoid having to deal with manually changing configuration files later during package upgrades.
It may be used as follows: adding a custom user configuration file to avoid having to deal with manually changing configuration files later during package upgrades.
  apk add sudo
  apk add sudo
  NEWUSER='yourUserName'
  NEWUSER='yourUserName'
  adduser -d "${NEWUSER}" $NEWUSER
  adduser -g "${NEWUSER}" $NEWUSER
  echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER
  echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER


<br>


The new user gets listed in
= Securing root account =


{{Cat|/etc/passwd|root:x:0:0:root:/root:/bin/ash
It's recommended to '''not''' run complete applications, like editors, as root just to modify administrative files.
.
<br>
.
* [https://github.com/AN3223/scripts/blob/master/doasedit <code>doasedit</code>] or <code>sudoedit</code>([https://wiki.alpinelinux.org/wiki/Release_Notes_for_Alpine_3.15.0#Move_from_sudo_to_doas being deprecated in favour of <code>doas</code>]) enables starting an editor with a temporary copy of a file, which overwrites the original file after the user modifies and saves it. For example, <code>sudoedit /etc/apk/lbu.conf</code>
.
* Many desktop environments and file browsers support using <code>admin:///</code> in their address bars, to access files through a local gvfs-admin mount.
<username>:x:1000:1000:Linux User,,,:/home/<username>:/bin/ash}}


And it's now possible to <code>exit</code> and login to the new account.


= Options =
Once [[#doas]] or [[#sudo]] is properly configured and tested thoroughly, root account can be disabled by locking it.


=== adduser ===
{{Warning| Do not lock your root without testing thoroughly your [[#Admin user|admin user]] with either [[#doas]] or [[#sudo]].}}


Usage (from "man busybox"):
To lock the root account you need to log into your '''root''' account and then lock it using the <code>passwd</code> command: {{cmd|# passwd -l root}}


<pre><nowiki>adduser [OPTIONS] USER [GROUP]
= Home directory permissions =


Create new user, or add USER to GROUP
`adduser` creates home directories with permissions `rwxr-sr-x`. This makes the directory readable by all other users on the system. If you prefer to not allow other users to read your home directory, the permissions can be changed:


    -h --home DIR          Home directory
{{Cmd| chmod o-rx <path-to-directory>}}  
    -g --gecos GECOS        GECOS field
    -s --shell SHELL        Login shell named SHELL by example /bin/bash
    -G --ingroup GRP        Group (by name)
    -S --system            Create a system user
    -D --disabled-password Don't assign a password so cannot login in
    -H --no-create-home    Don't create home directory
    -u --uid UID            User id
    -k SKEL                Skeleton directory (/etc/skel)
</nowiki></pre>


{{Tip|Multi-user collaboration
{{Tip|Multi-user collaboration
If <nowiki>--ingroup</nowiki> isn't set (default) the new user is assigned a new GID that matches the UID. And if the GID corresponding to a provided UID already exists, adduser will fail.
If <nowiki>--ingroup</nowiki> isn't set, (default) the new user is assigned a new GID that matches the UID. If the GID corresponding to a provided UID already exists, adduser will fail.


This ensures new users default to having a "user's private group" (UPG) as primary group. These allow the system to use a permissive umask (002), with which new files are automatically created group-writable but to just the user's private group. And which allows that in special set-group-id group (collaboration) directories, new files can automatically be created writable by the directory's group.
This ensures new users default to having a "user's private group" (UPG) as primary group. These allow the system to use a permission umask (002), which creates new files automatically as group-writable, but only by the user's private group. In special set-group-id (collaboration) directories, new files can be automatically created writable by the directory's group.
}}
}}


=== addgroup ===
= Persistent Home directory =


Usage (from "man busybox"):
If using a '''"diskless" or "data" disk mode''' installation, it's important to make the <code>/home</code> directory persistent


<pre><nowiki>addgroup [-g GID] [-S] [USER] GROUP
<br>
 
* Either the <code>/home</code> filesystem needs to be mounted from a writable partition, or
Create a group or add a user to a group
* the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:
 
{{Cmd| # lbu include /home
    -g --gid GID    Group id
# lbu commit
    -s --system    Create a system group
}} (Not recommended, as reverting to an older .apkovl will also revert the files in /home).
</nowiki></pre>


= Legacy =


=== Common permission groups ===
= Common permission groups =


(Taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)
{{Draft|Need to note a few security implications outlined on [https://wiki.debian.org/SystemGroups debian/wiki SystemGroups]}}
 
* '''disk''':x:6:root,adm  Only if need usage vith virtual machines and access to other partitions over new disks for
* '''lp''':x:7:lp  IF will need to use printing services and printers management
* '''wheel''':x:10:root  Administrators group, members can use <code>sudo</code> to run commands as root if enabled in sudo configuration.
* '''floppy''':x:11:root  Backguard compatible group, use only if need access to external special devices
* '''audio''':x:18:  Need for audio listening and management of sound volumes as normal user
* '''cdrom''':x:19:  For access to disck writers and mounting DVD, BR or CD rom disk as normal user
* '''dialout''':x:20:root  Need for dial private connections and use of modems as normal users
* '''tape''':x:26:root  Need have into this if plan to use special devices for backup.. rarelly in no servers
* '''video''':x:27:root  For usage of cameras, mor thant one GPU special features, as normal user
* '''netdev''':x:28:  For network connections management as normal user
* '''kvm''':x:34:kvm Only if as normal user will manage graphically virtual machines.. rarelly on no servers
* '''games''':x:35:  Need if you want to play games also specially need if will share score between users
* '''cdrw''':x:80:  To write RW-DVD, RW-BR or RW-CD disk on a disk writing device
* '''apache''':x:81: Need if you will perfom development as normal user and want to publish locally on web server
* '''usb''':x:85: Need to access to special usb devices, deprecated group
* '''users''':x:100:games If you plan to used common files for all users, mandatory as desktop usage


Groups are needed for certain operations on your system.


(Names taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)


{{Cmd|adm        Used for system monitoring tasks.
disk        Raw access to disks.  '''Mostly equivalent to root access.'''
lp          Members of this group can enable and use printers.
wheel      Administrator group, members can use '''doas''' to run commands as root if enabled in the doas configuration.
floppy      Access to floppy drives and other removable (non-optical) drives (like USB flash drives).
audio      Direct access to sound hardware (the soundcard or a microphone).
cdrom      For access to disk writers and mounting DVD, BR or CD-ROM disk as normal user.
dialout    Full and direct access to serial ports.
input      Access to input devices.
tape        Needed to give a set of users access to a tape drive.
video      Access to video capture devices (like a webcam).
netdev      For network connections management as normal user.
kvm        Needed to use the KVM acceleration of virtual machines.
games      Access to some game software.
cdrw        Needed to write RW-DVD, RW-BR or RW-CD disk on a disk writing device.
usb        Needed to access special USB devices, deprecated group.
users      Needed if you plan to used common files for all users, mandatory as desktop usage.}}


= Old newbie notes =
= Old newbie notes =
=== User creation and defaults ===


=== Users creation and defaults ===
The following commands will set up root environment login, then assign a new password:
 
So the following commands will first setup root environment login and then assing a new password:


<pre><nowiki>
<pre><nowiki>
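Review bot: The added "Home directory permissions" paragraph marks up adduser and rwxr-sr-x with Markdown backticks, which MediaWiki prints literally; use <code>adduser</code> and <code>rwxr-sr-x</code> as the rest of the page does. The added "Securing root account" text also links [[#doas]] and [[#sudo]] without labels, so they render as "#doas" and "#sudo"; the labelled form [[#doas|doas]] and [[#sudo|sudo]], already used under "Admin user", reads better.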
Line 155: Line 211:
</nowiki></pre>
</nowiki></pre>


The remote management cannot be done with root directly by default, due ssh security, so we need to setup an remote connection account to made "su" once connected.  
By default, remote management cannot be done directly with the root account. Because of SSH security we need to set up a remote connection account that will be used to switch to the root user via the su command, once connected.


The most recommended it's having a access user here named "remote" and normal general usage user here named "general" for convenience, in the next commands we will setup a very hardened limited environment for any new user and created those two users:
Here's an example: create user named "remote" and a user named "general". We will set up a hardened, limited, user environment and create those two users:


<pre><nowiki>
<pre><nowiki>
Line 187: Line 243:
</nowiki></pre>
</nowiki></pre>


{{Tip|"'''general'''" are the name of the user, that name MUST be only lowercase letters and no spaces with no symbols}}
{{Tip|"'''general'''" is the name of the user. That name MUST contain ONLY lowercase letters, NO spaces and NO symbols}}


Note that those users are created with minimal settings.
To add newly created users to groups that may come in handy for desktop usage, you run this command as root:


== User management and system access ==
{{cmd|for u in $(ls /home); do for g in disk lp input audio cdrom dialout video netdev games users; do addgroup $u $g; done;done}}


By default, a newly created user will not have enough privileges for most desktop purposes.
== See also ==


To add newly created users with home directories setup to groups that may come in handy for desktop useage, you can run this command as root:
* [https://wiki.archlinux.org/title/Users_and_groups Users and groups - Archwiki]


<pre><nowiki>
[[Category: System_Administration]]
for u in $(ls /home); do for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup $u $g; done;done
</nowiki></pre>
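Review bot: The new one-liner under "Old newbie notes" still puts every account found in /home into disk, which the group table added in this same revision describes as "Mostly equivalent to root access"; drop disk from the list or state when it is actually needed. The loop also takes user names from $(ls /home), which assumes every entry in /home is an account name; listing the intended user names explicitly would avoid that.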

Latest revision as of 06:31, 13 August 2024

This page shows how to create non-privileged user accounts, i.e. those used for daily work, including desktop use and remote logins, and how to grant admin access to such accounts if needed.

Overview

Creating user accounts provides users with their own $HOME directory and allows you (the root user) to limit the access those user accounts have to the operating system configuration files.

Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).

Warning: If you are using a "diskless" or "data" disk mode installation, refer to the section Persistent Home directory before proceeding further.


Creating a new user

The root account should be used only for local administrative purposes that require elevated access permissions. Regular or non-privileged user accounts can be created in two ways:

setup-user

The setup-user script allows quick and simple setup of user accounts. To create a regular user account using the above script:

# setup-user

You will be prompted for options. This script uses adduser as its backend.

adduser

# adduser [-g "<Full Name>"] <username>

By default, adduser will:

  • prompt you to set a password for the new user
  • create a home directory in /home/<username>
  • set the shell to the one used by the root account (ash by default)
  • assign user ID and group ID starting at 1000
  • set the GECOS (full name) field to "Linux User,,,"

Tip: The optional -g "<Full Name>" above sets the GECOS field.

This can be very useful to specify. Setting this string - at least equal to the username - makes the user distinguishable, e.g. when they are listed at the login screen of a display manager.

Usage (from "man busybox"):

adduser [OPTIONS] USER [GROUP]

Create new user, or add USER to GROUP

     -h --home DIR           Home directory
     -g --gecos GECOS        GECOS field
     -s --shell SHELL        Login shell named SHELL by example /bin/bash
     -G --ingroup GRP        Group (by name)
     -S --system             Create a system user
     -D --disabled-password  Don't assign a password, so cannot login
     -H --no-create-home     Don't create home directory
     -u --uid UID            User id
     -k SKEL                 Skeleton directory (/etc/skel)

The new user gets listed at the last line:

Contents of /etc/passwd

root:x:0:0:root:/root:/bin/ash
...
<username>:x:1000:1000:<username>:/home/<username>:/bin/ash

Now you should be able to issue the command exit and log in to the newly created account.

Note: If you used setup-desktop to install your desktop environment, you will be able to use your desktop without issues, as elogind is up and running automatically for you. In other cases, if you are facing difficulties, your user may need to be added to certain groups.

Group management

To see what group(s) you belong to, use the following command:

$ groups

If you installed your desktop manually and are facing difficulties in using the desktop, or if seatd is used, then users that want a graphical environment need to be added to the video and seat groups. Refer to issue #15409 regarding security concerns.

To add your user to a group (e.g. video and seat) you can use the following commands:

# adduser '<username>' video
# adduser '<username>' seat

The above command is a variation of adduser.

To add your user to a group you can also use the following command:

Usage (from "man busybox"):

addgroup [-g GID] [-S] [USER] GROUP

Create a group or add a user to a group

    -g --gid GID    Group id
    -S --system     Create a system group

Note: You need to log out and log in again for the group change(s) to take effect.

Admin user

If a user really must be allowed to have access to the root account, the <username> must be added to the wheel group. Also ensure that either doas or sudo is available.

wheel group

The setup-user script allows quick and simple setup of admin user accounts. To create a new user as an admin user, using the above script:

# setup-user -a <username>

The above command creates an admin user by adding the user to the wheel group, and installs doas if it is not already installed.

To add an existing user as admin user:

# adduser <username> wheel

After adding the user to the wheel group using adduser, remember to install and configure doas, if not already done.

doas

The doas command provides a way to perform commands as another user. It aims to be a simplified and lightweight replacement for sudo.

# apk add doas

You will want to allow members of the wheel group to use root privileges with doas. To do this, your doas config file should be as follows:

Contents of /etc/doas.d/doas.conf

permit persist :wheel


sudo

Sudo (su “do”) allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

The sudo package is an alternative to using the BSD-like doas, but is a much larger package.

It may be used as follows, adding a custom per-user configuration file so that you do not have to manually change configuration files later during package upgrades:

apk add sudo
NEWUSER='yourUserName'
adduser -g "${NEWUSER}" "$NEWUSER"
echo "$NEWUSER ALL=(ALL) ALL" > "/etc/sudoers.d/$NEWUSER" && chmod 0440 "/etc/sudoers.d/$NEWUSER"


Securing root account

It's recommended to not run complete applications, like editors, as root just to modify administrative files.

  • doasedit or sudoedit (being deprecated in favour of doas) enables starting an editor with a temporary copy of a file, which overwrites the original file after the user modifies and saves it. For example, sudoedit /etc/apk/lbu.conf
  • Many desktop environments and file browsers support using admin:/// in their address bars, to access files through a local gvfs-admin mount.


Once doas or sudo is properly configured and thoroughly tested, the root account can be disabled by locking it.

Warning: Do not lock your root account without thoroughly testing your admin user with either doas or sudo.


To lock the root account you need to log into your root account and then lock it using the passwd command:

# passwd -l root
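
A pre-flight check for the warning above, as an added example that is not part of the wiki page: before locking root it confirms that doas has an unrestricted rule for :wheel and that at least one non-root wheel member has a usable password (an account made with adduser -D has none and cannot authenticate to doas). The function names and the sample files are constructed for illustration; the check reads only simple permit lines and does not evaluate later deny rules or setenv options.

```shell
#!/bin/sh
# Added example: check that locking root will not leave the system without an admin.
# On a real system pass /etc/group, /etc/shadow and /etc/doas.d/doas.conf (run as root).

# wheel_members GROUP_FILE -> non-root members of wheel, one per line
wheel_members() {
    awk -F: '$1 == "wheel" {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "" && m[i] != "root") print m[i]
    }' "$1"
}

# has_usable_password SHADOW_FILE USER -> 0 if the hash field is set and not locked (! or *)
has_usable_password() {
    awk -F: -v u="$2" '$1 == u { found = ($2 != "" && $2 !~ /^[!*]/) } END { exit !found }' "$1"
}

# doas_permits_wheel DOAS_CONF -> 0 if a line permits :wheel without a "cmd" restriction
doas_permits_wheel() {
    grep -Eq '^[[:space:]]*permit([[:space:]]+[a-z]+)*[[:space:]]+:wheel([[:space:]]+as[[:space:]]+root)?[[:space:]]*$' "$1"
}

# safe_to_lock_root GROUP SHADOW DOAS_CONF -> prints usable admins; returns 1 if there are none
safe_to_lock_root() {
    doas_permits_wheel "$3" || { echo "no unrestricted permit rule for :wheel in $3" >&2; return 1; }
    ok=""
    for u in $(wheel_members "$1"); do
        if has_usable_password "$2" "$u"; then ok="$ok $u"; fi
    done
    [ -n "$ok" ] || { echo "no wheel member with a usable password" >&2; return 1; }
    echo "${ok# }"
}

# make_samples DIR -> writes constructed sample files (not taken from any real system)
make_samples() {
    cat > "$1/group" <<'EOF'
root:x:0:root
wheel:x:10:root,alice,bob
video:x:27:root,alice
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$constructed$hash:19900:0:::::
alice:$6$constructed$hash:19900:0:99999:7:::
bob:!:19900:0:99999:7:::
EOF
    cat > "$1/doas.conf" <<'EOF'
# constructed copy of /etc/doas.d/doas.conf
permit persist :wheel
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
if admins=$(safe_to_lock_root "$demo_dir/group" "$demo_dir/shadow" "$demo_dir/doas.conf"); then
    echo "usable admin accounts: $admins"
else
    echo "do NOT run passwd -l root yet"
fi
rm -rf "$demo_dir"
```

A passing check does not replace the test the warning asks for: log in as the admin user and run a command through doas before locking root.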

Home directory permissions

adduser creates home directories with permissions rwxr-sr-x. This makes the directory readable by all other users on the system. If you prefer to not allow other users to read your home directory, the permissions can be changed:

chmod o-rx <path-to-directory>

Tip: Multi-user collaboration

If --ingroup isn't set (the default), the new user is assigned a new GID that matches the UID. If the GID corresponding to a provided UID already exists, adduser will fail.

This ensures new users default to having a "user's private group" (UPG) as primary group. This allows the system to use a permissive umask (002), with which new files are automatically created group-writable, but only by the user's private group. In special set-group-id (collaboration) directories, new files can be automatically created writable by the directory's group.

Persistent Home directory

If using a "diskless" or "data" disk mode installation, it's important to make the /home directory persistent:


  • Either the /home filesystem needs to be mounted from a writable partition, or
  • the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:

# lbu include /home
# lbu commit

(Not recommended, as reverting to an older .apkovl will also revert the files in /home).


Common permission groups

This material is work-in-progress ...

Need to note a few security implications outlined on debian/wiki SystemGroups
(Last edited by Prabuanand on 13 Aug 2024.)

Groups are needed for certain operations on your system.

(Names taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)

adm         Used for system monitoring tasks.
disk        Raw access to disks. Mostly equivalent to root access.
lp          Members of this group can enable and use printers.
wheel       Administrator group, members can use doas to run commands as root if enabled in the doas configuration.
floppy      Access to floppy drives and other removable (non-optical) drives (like USB flash drives).
audio       Direct access to sound hardware (the soundcard or a microphone).
cdrom       For access to disk writers and mounting DVD, BR or CD-ROM disk as normal user.
dialout     Full and direct access to serial ports.
input       Access to input devices.
tape        Needed to give a set of users access to a tape drive.
video       Access to video capture devices (like a webcam).
netdev      For network connections management as normal user.
kvm         Needed to use the KVM acceleration of virtual machines.
games       Access to some game software.
cdrw        Needed to write RW-DVD, RW-BR or RW-CD disk on a disk writing device.
usb         Needed to access special USB devices, deprecated group.
users       Needed if you plan to use common files for all users, mandatory for desktop usage.
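
Because the table marks disk as mostly equivalent to root access and wheel as the administrator group, it is worth listing who is effectively in them. The following is an added example, not part of the wiki page: it also counts accounts whose primary GID in the passwd file is the group's GID, which the member list in the group file does not show. The function names and the sample passwd and group contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: list effective members of the groups the table flags as sensitive.
# On a real system pass /etc/passwd and /etc/group.

# members_of GROUP PASSWD_FILE GROUP_FILE -> sorted unique user names, one per line.
# Combines the member list in the group file with users whose primary GID matches.
members_of() {
    awk -F: -v g="$1" '
        FNR == NR {                       # first file: the group file
            if ($1 == g) {
                gid = $3
                n = split($4, m, ",")
                for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
            }
            next
        }
        gid != "" && $4 == gid { print $1 }   # second file: passwd, field 4 is the primary GID
    ' "$3" "$2" | sort -u
}

# risky_memberships PASSWD_FILE GROUP_FILE -> "group:user" for non-root members of disk and wheel
risky_memberships() {
    for g in disk wheel; do
        members_of "$g" "$1" "$2" | while read -r u; do
            [ "$u" = root ] || echo "$g:$u"
        done
    done
}

# make_account_samples DIR -> writes constructed sample files (not taken from any real system)
make_account_samples() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
alice:x:1000:1000:Alice:/home/alice:/bin/ash
backup:x:1001:6:Backup job:/home/backup:/bin/ash
EOF
    cat > "$1/group" <<'EOF'
root:x:0:root
disk:x:6:root,adm
wheel:x:10:root,alice
alice:x:1000:
EOF
}

demo_dir=$(mktemp -d)
make_account_samples "$demo_dir"
risky_memberships "$demo_dir/passwd" "$demo_dir/group"
rm -rf "$demo_dir"
```

In the constructed sample, backup appears under disk only through its primary GID, so a check that reads the group file alone would miss it.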

Old newbie notes

User creation and defaults

The following commands will set up root environment login, then assign a new password:

cat > /root/.cshrc << EOF
unsetenv DISPLAY || true
HISTCONTROL=ignoreboth
EOF

cp /root/.cshrc /root/.profile

# chpasswd reads "user:password" pairs from standard input
echo "root:secret_new_root_password" | chpasswd

By default, remote management cannot be done directly with the root account. Because of SSH security we need to set up a remote connection account that will be used to switch to the root user via the su command, once connected.

Here's an example: create a user named "remote" and a user named "general". We will set up a hardened, limited user environment and create those two users:

mkdir -p /etc/skel/

cat > /etc/skel/.logout << EOF
history -c
/bin/rm -f /opt/remote/.mysql_history
/bin/rm -f /opt/remote/.history
/bin/rm -f /opt/remote/.bash_history
EOF

cat > /etc/skel/.cshrc << EOF
set autologout = 30
set prompt = "$ "
set history = 0
set ignoreeof
EOF

cp /etc/skel/.cshrc /etc/skel/.profile

adduser -D --home /opt/remote --shell /bin/ash remote

# chpasswd reads "user:password" pairs from standard input
echo "remote:secret_new_remote_user_password" | chpasswd

adduser -D --shell /bin/bash general

echo "general:secret_new_general_user_password" | chpasswd

Tip: "general" is the name of the user. That name MUST contain ONLY lowercase letters, NO spaces and NO symbols

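To add newly created users to groups that may come in handy for desktop usage, run this command as root. Note that the list includes disk, which the group table above describes as mostly equivalent to root access; remove it unless the user needs raw disk access.

# every directory under /home is treated as a user name
for d in /home/*/; do [ -d "$d" ] || continue; u=$(basename "$d"); for g in disk lp input audio cdrom dialout video netdev games users; do addgroup "$u" "$g"; done; done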

See also