Setting up a new user: Difference between revisions

From Alpine Linux

Latest revision as of 19:30, 21 September 2025

This page shows how to create non-privileged user accounts, i.e. those used for daily work, including desktop use and remote logins, and how to grant admin access to such accounts if needed. The inbuilt root account should be used only for local administrative purposes that require elevated access permissions. Diskless mode users may want to refer to the section Persistent home directory.

User management

Creating regular (non-privileged) user accounts gives each user their own $HOME directory, and adding them only to the appropriate groups lets the root account limit the access those accounts have to operating-system configuration files. Using such accounts increases security, because they limit the possible actions, and thus the possible damage, even from accidental errors. Refer to the Groups for desktop usage section, if applicable.

Tip: The setup-user script provides a quick and simple way to set up regular and admin user accounts in Alpine Linux.

To create a user <username>, issue the command:

# adduser [-g <Full Name>] <username>

By default, adduser will:

  • prompt you to set a password for the new user
  • create a home directory in /home/<username>
  • set the shell to the one used by the root account (ash by default)
  • assign user ID and group ID starting at 1000
  • set the GECOS field to <username>, if -g <Full Name> is not specified

Tip: Setting the optional GECOS field using -g <Full Name> can be very useful. Setting this string, at least to the username itself, makes the user distinguishable, e.g. when users are listed at the login screen of a display manager.

For complete options, issue adduser --help.

The new user gets listed at the last line:

Contents of /etc/passwd

root:x:0:0:root:/root:/bin/ash
...
<username>:x:1000:1000:<username>:/home/<username>:/bin/ash

Now you should be able to issue the command exit to log out from the TTY and log in to the newly created account.

To delete a user <username> from the system, issue the command:

# deluser [--remove-home] <username>

Using the option --remove-home also deletes the home directory /home/<username>.

setup-user

To create a regular user account, use the setup-user script and follow the prompts for options:

# setup-user

Group management

To see which group(s) you belong to, use the groups command ($ groups). To check which group(s) another user belongs to:

$ groups <username>

A user can be added to a group in the following ways using the inbuilt tools:

  • To add a user <username> to a group (for example, seat), use the following command:

    # addgroup <username> seat

  • To add the currently logged-in user to a group (for example, seat) using doas, issue the command:

    $ doas addgroup $USER seat

  • Using a variant of the adduser command, the same can be done as follows:

    # adduser <username> seat
    $ doas adduser $USER seat

A user can be removed from a group in the following ways using the inbuilt tools:

  • To remove a user <username> from a group (for example, seat), use the following command:

    # delgroup <username> seat

  • To remove the currently logged-in user from a group (for example, seat) using doas, issue the command:

    $ doas delgroup $USER seat

Note: You need to log out and log in again for the group change(s) to take effect.

Groups for desktop usage

audio, input, video and netdev are the groups a user gets added to by the setup-alpine script during installation.

Desktop users who do not use elogind as seat manager and need PipeWire to access a webcam must be in the video group. Users who want an X11-based desktop without a seat manager must be in both the input and video groups for keyboard, mouse and display to work properly. As noted in issue #15409, adding users to the video group has negative security implications.

To add all newly created users to the groups that may come in handy for desktop usage, you can run the command below as root:

# for u in $(ls /home); do for g in disk lp input audio cdrom dialout video netdev games users; do addgroup $u $g; done; done

Pay attention to the groups in the above command and proceed only if you want to add every user on your system to all of those groups.
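As an added example (not part of the wiki page), the POSIX sh script below does what the one-line loop above does, but with the checks a careful administrator would want: it takes the candidate accounts from /etc/passwd (regular UIDs with a login shell) instead of ls /home, skips groups that do not exist and users that are already members, keeps the group list short and explicit, and only prints the plan unless DRY_RUN=0. It also covers the per-user addgroup and groups commands of the Group management section, since it is the same membership data. Everything in it, including the function names and the DESKTOP_GROUPS, PASSWD_FILE, GROUP_FILE and DRY_RUN variables, is this example's own assumption; the demo_plan function runs the planner on constructed passwd and group data, not on the live system.

```shell
#!/bin/sh
# Added example (not from the Alpine wiki): plan desktop-group additions for
# regular accounts with checks, instead of blindly looping over `ls /home`.
# Assumptions: POSIX sh (busybox ash on Alpine works); PASSWD_FILE and
# GROUP_FILE default to the real files and can be redirected for testing;
# DESKTOP_GROUPS is a deliberately short list (video is privileged, see the
# issue referenced above); DRY_RUN=1 (the default) only prints the plan.

DESKTOP_GROUPS=${DESKTOP_GROUPS:-"audio netdev video"}

# Login names of regular accounts: UID in the 1000..59999 range and a shell
# that allows logins (system and service accounts are left alone).
regular_users() {
    awk -F: '$3 >= 1000 && $3 < 60000 && $7 !~ /nologin|false$/ { print $1 }' \
        "${PASSWD_FILE:-/etc/passwd}"
}

# Succeed if user $1 is listed as a supplementary member of group $2.
# (Membership through the primary GID in /etc/passwd is not considered.)
in_group() {
    awk -F: -v u="$1" -v g="$2" '
        $1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "${GROUP_FILE:-/etc/group}"
}

# Print one "addgroup USER GROUP" line per change that is actually needed:
# unknown groups are reported on stderr and skipped, existing members are skipped.
plan_group_additions() {
    gfile=${GROUP_FILE:-/etc/group}
    for u in $(regular_users); do
        for g in $DESKTOP_GROUPS; do
            grep -q "^$g:" "$gfile" || { echo "skip $u $g: no such group" >&2; continue; }
            in_group "$u" "$g" && continue
            echo "addgroup $u $g"
        done
    done
}

# Apply the plan as root; with DRY_RUN=1 (default) the commands are only shown.
apply_group_additions() {
    plan_group_additions | while IFS= read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: $cmd"
        else
            $cmd || echo "failed: $cmd" >&2
        fi
    done
}

# Run the planner on constructed sample data (not a real system) and print the plan.
demo_plan() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
nobody:x:65534:65534:nobody:/:/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/ash
bob:x:1001:1001:bob:/home/bob:/bin/ash
svc:x:1002:1002:svc:/var/lib/svc:/sbin/nologin
EOF
    cat > "$dir/group" <<'EOF'
audio:x:18:alice
video:x:27:
netdev:x:999:alice,bob
EOF
    PASSWD_FILE=$dir/passwd; GROUP_FILE=$dir/group
    plan_group_additions
    unset PASSWD_FILE GROUP_FILE
    rm -rf "$dir"
}
```

On the constructed data, demo_plan proposes only the three additions that are missing (alice to video, bob to audio and video); svc is ignored because its shell is /sbin/nologin. Run `DRY_RUN=0 apply_group_additions` as root to apply the plan on a real system.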

root account

The root account is the most privileged account on a Unix system. The "root" account has no security restrictions imposed upon it. When you are signed in as, or acting as "root", the shell prompt displays '#' as the last character. This is to serve as a warning to you of the absolute power of this account.

Wheel group

The wheel group provides a mechanism to grant users administrator-level, i.e. root, privileges without them needing to log in as the root user directly. The doas utility must be installed and configured so that admin users, i.e. members of the wheel group, can execute commands that require root privileges without needing to know the root password.

SSH root login

For security reasons, the root account is provided with local log-in access only, and SSH login is disabled by default.

To change this default setting, edit the file /etc/ssh/sshd_config and add an entry as follows:

Contents of /etc/ssh/sshd_config

...
PermitRootLogin yes

Restart the sshd service for the change to take effect immediately.

Securing root account

Creating an admin user is recommended, as it enables logging of administrative actions.

Admin user

A regular user is considered an admin user if the user belongs to the wheel group. The setup-user script sets up a new admin user account by adding <username> to the wheel group; it also installs the doas package, if not already installed:

# setup-user -a <username>

To grant admin user privileges to an existing user, add them to the wheel group as follows:

# adduser <username> wheel

doas

doas is a simplified and lightweight utility that provides a way to execute commands as another user. Install the doas package:

# apk add doas

For more information about doas configuration, see the doas(1), doas.conf(5) and doas.d(5) man pages, which you can install with the doas-doc package.

Configuration in the default config file /etc/doas.conf may be overridden by /etc/doas.d/*.conf if such files exist.

To allow the members of the wheel group to use root privileges with the doas command, a config file /etc/doas.d/20-wheel.conf can be created as follows:

Contents of /etc/doas.d/20-wheel.conf

permit persist :wheel

sudo

Note: Sudo has been deprecated in favour of doas in Alpine Linux since v3.15.0. Consider using doas-sudo-shim, as it provides a shim for the sudo command that utilizes doas.

Sudo (su “do”) allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.

Sudo may be used as follows:

# apk add sudo
# NEWUSER='yourUserName'
# adduser -g "${NEWUSER}" $NEWUSER
# echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER

Here a custom user configuration file, i.e. /etc/sudoers.d/$NEWUSER, is used to avoid having to edit configuration files manually during later package upgrades.
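Both the doas drop-in /etc/doas.d/20-wheel.conf and the sudoers.d fragment above grant root-level privileges, so it pays to have the tool's own parser accept the rule before it is put in place. The script below is an added example, not part of the wiki page or of the doas or sudo projects: it writes the rule to a temporary file, runs doas -C or visudo -cf on it when that tool is installed, and only then moves it into place with a restrictive mode. It also catches a sudoers.d pitfall: sudo ignores files whose name contains a dot or ends in a tilde, so a fragment named alice.conf would silently never apply. The function names and the DOAS_DIR, SUDOERS_DIR, DOAS and VISUDO variables are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the wiki page, doas or sudo): install a
# root-privilege rule for doas or sudo only after the tool's own parser has
# accepted it. Assumptions: POSIX sh; DOAS_DIR and SUDOERS_DIR default to the
# directories named on the page and may be redirected for testing; DOAS and
# VISUDO name the checker binaries (the check is skipped when not installed).

# sudo ignores files in sudoers.d whose name contains '.' or ends in '~'
# (sudoers(5)), so such a fragment would silently never apply.
valid_sudoers_fragment_name() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Rule text. ":wheel" in doas means "members of group wheel"; the sudo rule
# mirrors the per-user fragment shown above.
doas_rule()    { printf 'permit persist :wheel\n'; }
sudoers_rule() { printf '%s ALL=(ALL) ALL\n' "$1"; }

# install_rule doas|sudo NAME
# Writes the rule to a temp file in the target directory, validates it with
# `doas -C FILE` or `visudo -cf FILE` when available, sets a restrictive mode
# and moves it into place atomically. Prints the installed path on success.
install_rule() {
    tool=$1; name=$2
    case "$tool" in
        doas)
            dir=${DOAS_DIR:-/etc/doas.d}; file="$dir/20-$name.conf"; mode=0600
            content=$(doas_rule); checker="${DOAS:-doas} -C" ;;
        sudo)
            valid_sudoers_fragment_name "$name" || { echo "invalid sudoers.d name: $name" >&2; return 1; }
            dir=${SUDOERS_DIR:-/etc/sudoers.d}; file="$dir/$name"; mode=0440
            content=$(sudoers_rule "$name"); checker="${VISUDO:-visudo} -cf" ;;
        *)  echo "unknown tool: $tool" >&2; return 1 ;;
    esac
    # The temp name contains a dot and no .conf suffix, so neither tool would
    # pick it up even if the script were interrupted before the rename.
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    printf '%s\n' "$content" > "$tmp"
    chmod "$mode" "$tmp"
    set -- $checker                     # $1 = checker binary, $2 = its flag
    if command -v "$1" >/dev/null 2>&1; then
        "$@" "$tmp" >/dev/null 2>&1 || { rm -f "$tmp"; echo "rule rejected by $1" >&2; return 1; }
    else
        echo "$1 not installed, skipping syntax check" >&2
    fi
    mv "$tmp" "$file" && printf '%s\n' "$file"
}
```

Run as root, `install_rule doas wheel` produces /etc/doas.d/20-wheel.conf containing `permit persist :wheel`, and `install_rule sudo alice` produces /etc/sudoers.d/alice with mode 0440; `install_rule sudo alice.conf` is refused before anything is written.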

Editing administrative files

It's recommended not to run complete applications, like editors, as root just to modify administrative files.

  • If doas is used, use the doasedit utility from the doasedit package, available in the testing repository. It can be safely installed by following the guidelines.
  • If using sudo, sudoedit can be used.

These tools start an editor on a temporary copy of the file and overwrite the original once the user modifies and saves it. For example: doasedit /etc/apk/lbu.conf

  • Many desktop environments and file browsers support using admin:/// in their address bars, to access files through a local gvfs-admin mount.

Locking the root account

Once an admin user has been created and either doas or sudo is properly configured and thoroughly tested, the root account can be disabled by locking it.

Warning: Do not lock your root account without thoroughly testing your admin user with either doas or sudo.

To lock the root account, log in to your root account and then lock it using the passwd command:

# passwd -l root

Home directory permissions

adduser creates home directories with permissions rwxr-sr-x (mode 2755). This makes the directory readable by all other users on the system. If you prefer not to allow other users to read your home directory, the permissions can be changed:

$ chmod o-rx <path-to-directory>

Tip: Multi-user collaboration

If --ingroup isn't set (the default), the new user is assigned a new GID that matches the UID. If the GID corresponding to a provided UID already exists, adduser will fail.

This ensures new users default to having a "user's private group" (UPG) as their primary group. This allows the system to use a permission umask of 002, which creates new files as group-writable by default, but only by the user's private group. In special set-group-id (collaboration) directories, new files are then automatically created writable by the directory's group.
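To find out which existing home directories are still open to other users, and to tighten them all with the chmod o-rx shown above, the following added example (not part of the wiki page) audits HOME_ROOT with find and applies the change to each hit. The demo_home_audit function runs it on a constructed temporary tree so it can be tried without touching real accounts. Function names and the HOME_ROOT variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the wiki page): audit the home directories under
# HOME_ROOT that other users can read or enter, and tighten them with the
# `chmod o-rx` shown above. Assumptions: POSIX sh, a find(1) with
# -mindepth/-maxdepth (GNU, busybox and BSD all have them), directory names
# without whitespace, and HOME_ROOT defaulting to /home.

# List directories directly under HOME_ROOT with any "other" read (004) or
# search (001) bit set, i.e. the rwxr-sr-x default adduser produces.
world_readable_homes() {
    find "${HOME_ROOT:-/home}" -mindepth 1 -maxdepth 1 -type d \
        \( -perm -004 -o -perm -001 \) | sort
}

# Drop read and search for "other" on one directory. Only the "other" bits
# change, so the setgid bit and the owner/group permissions stay as they are.
harden_home() {
    chmod o-rx "$1"
}

# Tighten everything the audit reports and print how many directories changed.
harden_all_homes() {
    before=$(world_readable_homes | wc -l)
    world_readable_homes | while IFS= read -r d; do harden_home "$d"; done
    after=$(world_readable_homes | wc -l)
    echo "$((before - after))"
}

# Demo on a constructed temporary tree (no real accounts are touched):
# prints "<open before> <hardened> <open after>", expected "1 1 0".
demo_home_audit() {
    root=$(mktemp -d) || return 1
    mkdir "$root/alice" "$root/bob"
    chmod 2755 "$root/alice"      # what adduser creates: rwxr-sr-x
    chmod 2750 "$root/bob"        # already private to owner and group
    HOME_ROOT=$root
    before=$(world_readable_homes | wc -l)
    hardened=$(harden_all_homes)
    after=$(world_readable_homes | wc -l)
    unset HOME_ROOT
    rm -rf "$root"
    echo "$((before)) $hardened $((after))"
}
```

On a real system, `world_readable_homes` alone is a safe read-only check to run first; `harden_all_homes` needs to run as root (or as the owner of each directory) and leaves the setgid bit that the multi-user collaboration tip relies on untouched.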

Persistent home directory

If using a "diskless" or "data" disk mode installation, it's important to make the /home directory persistent:

  • Either the /home filesystem needs to be mounted from a writable partition, or
  • the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:

# lbu include /home
# lbu commit

Note: This option is not recommended, as reverting to an older .apkovl will also revert the files in the home directory.

Common permission groups

The following groups are needed for certain operations on your system. The group names were taken from https://git.alpinelinux.org/alpine-baselayout/tree/group.

adm        Used for system monitoring tasks.
disk       Raw access to disks. Mostly equivalent to root access.
lp         Members of this group can enable and use printers.
wheel      Administrator group, members can use doas to run commands as root if enabled in the doas configuration.
floppy     Access to floppy drives and other removable (non-optical) drives (like USB flash drives).
audio      Direct access to sound hardware (the soundcard or a microphone).
cdrom      For access to disk writers and mounting DVD, BR or CD-ROM disks as a normal user.
dialout    Full and direct access to serial ports.
input      Privileged access to input devices (not recommended on Wayland desktops).
seat       Access to input and output devices via seatd.
tape       Needed to give a set of users access to a tape drive.
video      Access to video capture devices (like a webcam) and privileged access to GPU devices.
netdev     For network connection management as a normal user.
kvm        Needed to use the KVM acceleration of virtual machines.
games      Access to some game software.
cdrw       Needed to write RW-DVD, RW-BR or RW-CD disks on a disk writing device.
usb        Needed to access special USB devices (deprecated group).
users      Needed if you plan to use common files for all users; mandatory for desktop usage.

Refer to the Debian wiki SystemGroups page to understand the security implications of all these groups.

See also

  • Users and groups - Archwiki: https://wiki.archlinux.org/title/Users_and_groups
  • SystemGroups: https://wiki.debian.org/SystemGroups
  • doas-sudo-shim: https://github.com/jirutka/doas-sudo-shim