Setting up a new user
Latest revision by Prabuanand (talk | contribs), minor edit: fixed caps
Latest revision as of 10:21, 30 December 2024
This page shows how to create non-privileged user accounts, i.e. those used for daily work (desktop use and remote logins), and how to grant admin access to such accounts if needed.
Overview
Creating user accounts gives each user their own $HOME directory and allows you (the root user) to limit the access those accounts have to the operating system's configuration files.
Using them increases security, because they limit the possible actions and thus the possible damage (even from accidental errors).
Note: If you are using a "diskless" or "data" disk mode installation, refer to the section Persistent Home directory before proceeding further.
Creating a new user
The root account should be used only for local administrative purposes that require elevated access permissions. Regular or non-privileged user accounts can be created in two ways:
setup-user
The setup-user script allows quick and simple setup of user accounts. To create a regular user account using the above script:
# setup-user
You will be prompted for the options. This script uses adduser in the backend.
adduser
# adduser [-g "<Full Name>"] <username>
By default, adduser will:
- prompt you to set a password for the new user
- create a home directory in /home/<username>
- set the shell to the one used by the root account (ash by default)
- assign a user ID and a group ID of the same number, starting at 1000 (the first free one)
- set the GECOS (full name) field to "Linux User,,,"
Tip: The optional -g "<Full Name>" above sets the GECOS field. This is worth specifying: setting it to at least the username makes the user distinguishable, e.g. when users are listed on the login screen of a display manager.
Usage (from "man busybox"):
    adduser [OPTIONS] USER [GROUP]
    Create new user, or add USER to GROUP
        -h --home DIR           Home directory
        -g --gecos GECOS        GECOS field
        -s --shell SHELL        Login shell named SHELL, for example /bin/bash
        -G --ingroup GRP        Group (by name)
        -S --system             Create a system user
        -D --disabled-password  Don't assign a password, so cannot login
        -H --no-create-home     Don't create home directory
        -u --uid UID            User id
        -k SKEL                 Skeleton directory (/etc/skel)
The new user is listed on the last line (the GECOS field shows <username> here because -g "<username>" was given; without -g it reads "Linux User,,,"):
Contents of /etc/passwd:
    root:x:0:0:root:/root:/bin/ash
    ...
    <username>:x:1000:1000:<username>:/home/<username>:/bin/ash
Now you should be able to issue the command exit and log in to the newly created account.
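The UID/GID allocation described above (first free number from 1000, with a private group of the same number) is easy to get wrong when you pass -u yourself. The following POSIX sh script is an added example, not part of the wiki page or of busybox: it validates the username, finds the first ID from 1000 that is free both as a UID in /etc/passwd and as a GID in /etc/group, and only then calls adduser with an explicit -u and -g. The username rule is this example's own policy, and the file paths can be pointed at copies so everything except create_user() runs without root.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki): safe user creation on busybox.
# Assumes busybox adduser(1) as documented on the page. PASSWD_FILE and
# GROUP_FILE may be overridden to point at copies for testing without root.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"
FIRST_UID=1000

# This example's policy: lowercase start, then lowercase letters, digits,
# '_' or '-', at most 32 characters. Rejects spaces and capitals.
valid_username() {
    printf '%s\n' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# 0 if the user (field 1) exists in PASSWD_FILE.
user_exists() {
    awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# 0 if ID is already used as a UID (field 3) in PASSWD_FILE.
uid_taken() {
    awk -F: -v id="$1" '$3 == id { found = 1 } END { exit !found }' "$PASSWD_FILE"
}

# 0 if ID is already used as a GID (field 3) in GROUP_FILE.
gid_taken() {
    awk -F: -v id="$1" '$3 == id { found = 1 } END { exit !found }' "$GROUP_FILE"
}

# Print the first ID >= FIRST_UID that is free as both UID and GID, so the
# new user's private group can carry the same number (adduser fails if the
# GID for a requested UID already exists).
next_free_id() {
    uid=$FIRST_UID
    while uid_taken "$uid" || gid_taken "$uid"; do
        uid=$((uid + 1))
    done
    printf '%s\n' "$uid"
}

# create_user NAME [FULL NAME]: allocate the ID, then call adduser (needs root).
# The GECOS field defaults to the username so the user is distinguishable
# on a display manager's login screen.
create_user() {
    name=$1
    gecos=${2:-$1}
    valid_username "$name" || { echo "invalid username: $name" >&2; return 2; }
    user_exists "$name" && { echo "user exists: $name" >&2; return 3; }
    uid=$(next_free_id)
    # -D skips the interactive password prompt; set one afterwards with passwd.
    adduser -D -u "$uid" -g "$gecos" "$name" || return 1
    echo "created $name with uid/gid $uid; now run: passwd $name"
}
```

Run it as root with `create_user alice "Alice Example"` on an Alpine host; to try the allocation logic elsewhere, export PASSWD_FILE and GROUP_FILE pointing at copies of the two files and call next_free_id directly.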
Group management
To see what group(s) you belong to, use the following command (as root, id -Gn <username> shows the groups of another user):
$ groups
To add your user to a group (e.g. seat) you can use the following command:
# adduser <username> seat
This is the second form of adduser shown in the usage above (USER GROUP). Alternatively, use addgroup, which does the same for an existing user:
# addgroup <username> seat
Usage (from "man busybox"):
    addgroup [-g GID] [-S] [USER] GROUP
    Create a group or add a user to a group
        -g --gid GID    Group id
        -S --system     Create a system group
Note: You need to log out and log in again for the group change(s) to take effect.
Admin user
If a user really must be allowed to have access to the root account, the <username> must be added to the wheel group. Also ensure that doas is available.
wheel group
The setup-user script allows quick and simple setup of admin user accounts. To create a new user as an admin user with it:
# setup-user -a <username>
The above command creates an admin user by adding the user to the wheel group, and installs doas if it is not already installed.
To make an existing user an admin user:
# adduser <username> wheel
After adding the user to the wheel group with adduser, remember to install and configure doas, if not already done.
doas
The doas command provides a way to run commands as another user. It aims to be a simplified and lightweight replacement for sudo. As mentioned earlier, the setup-user script installs the doas package automatically; otherwise:
# apk add doas
You will want to allow members of the wheel group to gain root privileges with doas. To do this, your doas config file should contain the following (the file shipped by the package has the permit line commented out, as its comment says; uncomment it):
Contents of /etc/doas.d/doas.conf:
    # See doas.conf(5) and doas.d(5) for configuration details.
    # Configuration here may be overridden by /etc/doas.d/*.conf if files exist.
    # Uncomment to allow group "wheel" to become root.
    permit persist :wheel
Caveat: with this single rule every member of wheel can run any command as root, so wheel membership is equivalent to root access; persist only caches a successful password entry for a few minutes. doas denies by default and the last matching rule wins, so more restrictive rules (for example limiting a group to apk) must come after any broader permit.
sudo
Note: sudo has been deprecated in favour of doas in Alpine Linux since v3.15.0.
Sudo (su "do") allows a system administrator to delegate authority, giving certain users (or groups of users) the ability to run some (or all) commands as root or as another user, while providing an audit trail of the commands and their arguments.
The sudo package is an alternative to the BSD-like doas, but is a much larger package.
It may be used as follows, with a per-user drop-in file under /etc/sudoers.d so that you do not have to hand-edit /etc/sudoers and can leave that file to package upgrades:
    # apk add sudo
    # NEWUSER='yourUserName'
    # adduser -g "${NEWUSER}" "$NEWUSER"
    # echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER
    # visudo -cf /etc/sudoers.d/$NEWUSER    # syntax-check the drop-in; sudo refuses to run while any sudoers file has a parse error
Securing root account
It's recommended not to run complete applications, like editors, as root just to modify administrative files.
- Use doasedit from the doasedit package, available in the testing repository. It can be installed safely by following the guidelines for using the testing repository.
- If using sudo, use sudoedit.
These tools start an editor on a temporary copy of a file and write it back over the original after the user modifies and saves it. For example: doasedit /etc/apk/lbu.conf
- Many desktop environments and file browsers support admin:/// in their address bars, to access files through a local gvfs-admin mount.
Once doas or sudo is properly configured and thoroughly tested, the root account can be disabled by locking it.
Warning: Do not lock root without thoroughly testing your admin user with either doas or sudo. Locking only invalidates root's password: a wheel member can still reach root through doas (or sudo) and can unlock it again with passwd -u root, but nobody can log in as root with a password.
To lock the root account, log into your root account and lock it using the passwd command:
# passwd -l root
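The warning above is the one step in this page where a mistake costs you the machine. The following POSIX sh script is an added example, not part of the wiki page or of doas: it verifies that the doas config has an active permit rule for :wheel, that the user is actually listed in wheel, and (when run as root on a live system) that doas itself reports permit for that user via doas -C, and only then locks root. The file paths are overridable so the static checks can be exercised against copies; root_is_locked() recognises the "!" prefix that busybox passwd -l writes into /etc/shadow.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki): refuse to lock root until the
# admin user has been verified. Assumes OpenDoas from Alpine's doas package
# and busybox passwd(1); the files may be overridden for offline checks.
DOAS_CONF="${DOAS_CONF:-/etc/doas.d/doas.conf}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"
SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"

# 0 if FILE has an uncommented "permit ... :wheel" rule (options such as
# persist or nopass may sit in between). A "# permit" line does not count.
doas_permits_wheel() {
    grep -Eq '^[[:space:]]*permit([[:space:]]+[^#[:space:]]+)*[[:space:]]+:wheel([[:space:]]|$)' "$1"
}

# 0 if USER is a supplementary member of GROUP (field 4 of GROUP_FILE).
user_in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$GROUP_FILE"
}

# 0 if root's password field in SHADOW_FILE is locked: busybox passwd -l
# prefixes the hash with "!", and "*" or a bare "!" also block password login.
root_is_locked() {
    awk -F: '$1 == "root" { if (substr($2, 1, 1) == "!" || $2 == "*") locked = 1 }
             END { exit !locked }' "$SHADOW_FILE"
}

# Live check (needs root): ask doas, running as USER, what it would decide for
# running "true" as root. doas -C parses the config and prints permit,
# "permit nopass" or deny without executing anything or asking for a password.
doas_decision_for() {
    su -s /bin/sh - "$1" -c "doas -C '$DOAS_CONF' -u root true" 2>/dev/null
}

# lock_root_if_safe USER: every check must pass before passwd -l root runs.
lock_root_if_safe() {
    user=$1
    doas_permits_wheel "$DOAS_CONF" || { echo "no active permit rule for :wheel in $DOAS_CONF" >&2; return 1; }
    user_in_group "$user" wheel || { echo "$user is not in group wheel" >&2; return 1; }
    case "$(doas_decision_for "$user")" in
        permit*) ;;
        *) echo "doas -C did not report permit for $user; not locking root" >&2; return 1 ;;
    esac
    if root_is_locked; then
        echo "root is already locked"
        return 0
    fi
    passwd -l root && echo "root locked; unlock later with: doas passwd -u root"
}
```

Usage on the host, as root after adding the user to wheel: `lock_root_if_safe <username>`. The doas -C check only proves that the rule matches; still open a second terminal and run an actual `doas true` as the user before you log out of the root session.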
Home directory permissions
adduser creates home directories with permissions rwxr-sr-x (mode 2755: set-group-id, and readable and traversable by all other users). If you prefer not to allow other users to read your home directory, change the permissions:
chmod o-rx <path-to-directory>
Tip: Multi-user collaboration
If --ingroup isn't set (the default), the new user is assigned a new GID equal to the UID. If a group with the GID corresponding to a provided UID already exists, adduser will fail.
This ensures new users default to having a "user private group" (UPG) as their primary group. This allows the system to use a 002 umask, which creates new files group-writable, but only for the user's private group. In special set-group-id (collaboration) directories, new files are then automatically created writable by the directory's group.
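To make the two permission models in this section concrete, here is an added POSIX sh example (not from the wiki page): it reports whether a home directory is readable by "other", hardens it with chmod o-rx as above, and builds a set-group-id collaboration directory in which a file created under umask 002 comes out group-writable. It reads the first column of ls -ld, which is the same on busybox and GNU ls; the directory and group names are whatever the caller passes.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki): home directory hardening and a
# set-group-id collaboration directory. Uses only ls, cut, mkdir, chmod, chgrp.

# Print the permission column of ls -ld, e.g. drwxr-sr-x, for PATH.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Print the "other" triplet (characters 8-10), e.g. r-x or ---.
other_bits() {
    mode_string "$1" | cut -c8-10
}

# 0 if users outside the owner and the group can read or enter PATH.
world_accessible() {
    case "$(other_bits "$1")" in
        ---) return 1 ;;
        *)   return 0 ;;
    esac
}

# Remove read and traverse rights for "other" on a home directory, as the
# page recommends; group rights and the setgid bit adduser set are untouched.
harden_home() {
    chmod o-rx "$1" && ! world_accessible "$1"
}

# make_collab_dir DIR GROUP: shared directory whose setgid bit makes every
# new file inherit GROUP; mode 2770 keeps everyone else out entirely.
make_collab_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# create_shared_file DIR NAME: create a file under the UPG umask of 002 and
# print its mode string. Expected -rw-rw-r--: the group can write, and the
# group is the directory's group because of the setgid bit.
create_shared_file() {
    ( umask 002 && : > "$1/$2" ) && mode_string "$1/$2"
}
```

On a real system run `make_collab_dir /srv/project developers` as root and have the members of developers create files there; `ls -l` shows them owned by group developers and group-writable as long as the users keep the 002 umask that UPGs make safe.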
Persistent Home directory
If using a "diskless" or "data" disk mode installation, it's important to make the /home directory persistent:
- Either the /home filesystem needs to be mounted from a writable partition, or
- the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:
    # lbu include /home
    # lbu commit
(Not recommended, as reverting to an older .apkovl will also revert the files in /home.)
Common permission groups
The following groups are needed for certain operations on your system. The group names were taken from https://git.alpinelinux.org/alpine-baselayout/tree/group
Note: Refer to the Debian wiki page SystemGroups (https://wiki.debian.org/SystemGroups) to understand the security implications of these groups.
    adm      Used for system monitoring tasks.
    disk     Raw access to disks. Mostly equivalent to root access.
    lp       Members of this group can enable and use printers.
    wheel    Administrator group; members can use doas to run commands as root if enabled in the doas configuration.
    floppy   Access to floppy drives and other removable (non-optical) drives (like USB flash drives).
    audio    Direct access to sound hardware (the sound card or a microphone).
    cdrom    Access to disc writers and mounting DVD, Blu-ray or CD-ROM discs as a normal user.
    dialout  Full and direct access to serial ports.
    input    Access to input devices.
    tape     Needed to give a set of users access to a tape drive.
    video    Access to video capture devices (like a webcam).
    netdev   For network connection management as a normal user.
    kvm      Needed to use the KVM acceleration of virtual machines.
    games    Access to some game software.
    cdrw     Needed to write RW-DVD, RW-Blu-ray or RW-CD discs on a disc writing device.
    usb      Needed to access special USB devices; deprecated group.
    users    Needed if you plan to use common files for all users; mandatory for desktop usage.
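Because the bulk addgroup loop in the Desktop usage section below pushes every directory name in /home into groups including disk, which the table marks as mostly root-equivalent, it is worth driving that job from the account database and being able to audit the result afterwards. The following POSIX sh script is an added example, not part of the wiki page: it enumerates regular users from /etc/passwd (UID 1000 and above, excluding nobody) rather than from ls /home, lists each user's supplementary groups from /etc/group, flags members of the groups this example treats as sensitive, and adds only desktop groups that are not root-equivalent, skipping memberships that already exist. Both group lists are this example's choice; adjust them to your policy.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki): audit and bulk group assignment
# driven by /etc/passwd and /etc/group rather than by the contents of /home.
# Assumes busybox addgroup(1) as documented on the page. The file paths can
# be overridden to audit copies without root.
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
GROUP_FILE="${GROUP_FILE:-/etc/group}"

# This example's list of groups whose membership is root or close to it.
SENSITIVE_GROUPS="disk wheel kvm dialout"
# Desktop convenience groups this example is willing to add in bulk;
# disk is deliberately absent.
DESKTOP_GROUPS="lp input audio cdrom video netdev users"

# Print regular user names: UID >= 1000 but not nobody (65534 on Alpine).
regular_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 { print $1 }' "$PASSWD_FILE"
}

# Print the supplementary groups of USER, one per line, in /etc/group order.
supplementary_groups() {
    awk -F: -v u="$1" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$GROUP_FILE"
}

# Print "USER GROUP" for every regular user in a sensitive group; 0 if any found.
sensitive_memberships() {
    found=1
    for u in $(regular_users); do
        for g in $(supplementary_groups "$u"); do
            case " $SENSITIVE_GROUPS " in
                *" $g "*) printf '%s %s\n' "$u" "$g"; found=0 ;;
            esac
        done
    done
    return $found
}

# Add every regular user to the desktop groups, skipping memberships that
# already exist so the command is idempotent (needs root for addgroup).
add_desktop_groups() {
    for u in $(regular_users); do
        for g in $DESKTOP_GROUPS; do
            supplementary_groups "$u" | grep -qx "$g" && continue
            addgroup "$u" "$g" || echo "addgroup $u $g failed" >&2
        done
    done
}
```

Run `sensitive_memberships` on any host to list who currently holds disk, wheel, kvm or dialout, and `add_desktop_groups` as root in place of the ls /home loop; users still have to log out and in again before the new groups apply.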
Desktop usage
If setup-desktop is used to install your desktop environment, elogind is up and running automatically. If you installed your desktop manually and have difficulties using the desktop, or if seatd is used, then users that want a graphical environment need to be added to the video and seat groups.
Refer to issue #15409 to understand the security concerns regarding the video group.
To add newly created users to groups that may come in handy for desktop usage, you can run the command below as root:
# for u in $(ls /home); do for g in disk lp input audio cdrom dialout video netdev games users; do addgroup $u $g; done; done
Pay attention to the groups in the above command and proceed only if you really want to add every user on your system to all of them: disk in particular is mostly equivalent to root access, and the loop assumes that every entry in /home is an existing user name.
See also
- Users and groups - ArchWiki: https://wiki.archlinux.org/title/Users_and_groups
- SystemGroups - Debian wiki: https://wiki.debian.org/SystemGroups