Setting up a new user: Difference between revisions
Prabuanand (talk | contribs) m (→User management and system access: renamed the heading)
Prabuanand (talk | contribs) (Refactored the page)
Revision as of 16:32, 12 August 2024
The root account should be used only for local administrative purposes that require elevated access permissions.
This page shows how to create non-privileged user accounts, i.e. those used for daily work, including desktop use and remote logins.
Overview
Creating user accounts provides users with their own $HOME directory and allows you (the root user) to limit the access those user accounts have to the operating system configuration files.
Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).
Warning: If you are using a "diskless" or "data" disk mode installation, refer to the section Persistent Home directory before proceeding further.
Creating a new user
Regular user accounts can be created with:
# adduser [-g "<Full Name>"] <username>
By default, adduser will:
- prompt you to set a password for the new user
- create a home directory in /home/<username>
- set the shell to the one used by the root account (ash by default)
- assign user ID and group ID starting at 1000
- set the GECOS (full name) field to "Linux User,,,"
-g "<Full Name>" above sets the GECOS field. This can be very useful to specify. Setting this string (at least equal to the username) makes the user distinguishable, e.g. when they are listed at the login screen of a display manager.
The new user gets listed in /etc/passwd:
root:x:0:0:root:/root:/bin/ash
.
<username>:x:1000:1000:<username>:/home/<username>:/bin/ash
Now you should be able to issue the command exit and log in to the newly created account. Refer to #adduser for detailed syntax.
Note: If you used setup-desktop to install your desktop environment, you will be able to use your desktop without issues.
If you chose to install your desktop manually by adding individual packages, and elogind is not being used but seatd is, then users that want a graphical environment need to be added to the video and seat groups:
# adduser '<username>' video
# adduser '<username>' seat
The above is highly discouraged. See issue #15409.
Refer to #adduser for detailed syntax.
Note: You need to log out for the group change(s) to take effect.
adduser
Usage (from "man busybox"):
adduser [OPTIONS] USER [GROUP]

Create new user, or add USER to GROUP

        -h --home DIR           Home directory
        -g --gecos GECOS        GECOS field
        -s --shell SHELL        Login shell named SHELL by example /bin/bash
        -G --ingroup GRP        Group (by name)
        -S --system             Create a system user
        -D --disabled-password  Don't assign a password, so cannot login
        -H --no-create-home     Don't create home directory
        -u --uid UID            User id
        -k SKEL                 Skeleton directory (/etc/skel)
addgroup
To add your user to a group use the following command:
# adduser <username> <group>
Usage (from "man busybox"):
addgroup [-g GID] [-S] [USER] GROUP

Create a group or add a user to a group

        -g --gid GID    Group id
        -S --system     Create a system group
To see what group(s) a <username> is in, use the following command:
# id <username>
doas and sudo
If a user really must be allowed to have access to the root account, the <username> can be added to the wheel group and doas ("do as") may be installed:
# adduser -g "<username>" <username>
# adduser <username> wheel
doas
The doas command provides a way to perform commands as another user. It aims to be a simplified and lightweight replacement for sudo.
# apk add doas
You will want to allow members of the wheel group to use root privileges with doas. To do this, open the doas config file:
# <editor> /etc/doas.d/doas.conf
Add the following line and save the file:
permit persist :wheel
Warning: It's recommended to not run complete applications, like editors, as root just to modify administrative files.
- doasedit (https://github.com/AN3223/scripts/blob/master/doasedit) or sudoedit (being deprecated in favour of doas) enables starting an editor with a temporary copy of a file, which overwrites the original file after the user modifies and saves it. For example, sudoedit /etc/apk/lbu.conf
- Many desktop environments and file browsers support using admin:/// in their address bars, to access files through a local gvfs-admin mount.
sudo
Sudo (su “do”) allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments.
The sudo package is an alternative to using the BSD-like doas, but is a much larger package.
It may be used as follows. A per-user configuration file is added under /etc/sudoers.d, which avoids having to manually change configuration files later during package upgrades:
apk add sudo
NEWUSER='yourUserName'
adduser -g "${NEWUSER}" "$NEWUSER"
echo "$NEWUSER ALL=(ALL) ALL" > "/etc/sudoers.d/$NEWUSER" && chmod 0440 "/etc/sudoers.d/$NEWUSER"
Home directory permissions
`adduser` creates home directories with permissions `rwxr-sr-x`. This makes the directory readable by all other users on the system. If you prefer to not allow other users to read your home directory, the permissions can be changed:
chmod o-rx <path-to-directory>
Tip (multi-user collaboration): If --ingroup isn't set (the default), the new user is assigned a new GID that matches the UID. If the GID corresponding to a provided UID already exists, adduser will fail.
This ensures new users default to having a "user's private group" (UPG) as primary group. This allows the system to use a permission umask (002), which creates new files automatically as group-writable, but only by the user's private group. In special set-group-id (collaboration) directories, new files can be automatically created writable by the directory's group.
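As an added example (shell, not code from the wiki page), a small audit that lists home directories other users can still read or enter, plus a check of the file mode the UPG umask (002) produces; the function names, the directory layout and the sample accounts are this example's own.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki. Lists home directories that other
# users can still read or enter: adduser creates them as rwxr-sr-x (2755) and
# the fix above is chmod o-rx. Also shows the file mode the UPG umask (002)
# yields. Only ls/cut are used, so busybox and GNU userland both work.

# other_bits DIR -> the three "other" permission characters, e.g. "r-x"
other_bits() {
    ls -ld "$1" | cut -c8-10
}

# world_accessible_homes BASE -> names of BASE's subdirectories whose
# "other" bits still contain r or x (i.e. chmod o-rx not yet applied)
world_accessible_homes() {
    for d in "$1"/*/; do
        d=${d%/}
        [ -d "$d" ] || continue
        case $(other_bits "$d") in
            *[rx]*) basename "$d" ;;
        esac
    done
}

# upg_file_mode DIR -> mode string of a file created under umask 002, the
# "user's private group" default described in the tip: rw-rw-r--
upg_file_mode() {
    ( umask 002 && : > "$1/newfile" )
    ls -l "$1/newfile" | cut -c2-10
}

# demo: constructed layout with two accounts; prints only the offender's name
demo() {
    base=$(mktemp -d)
    mkdir "$base/open" "$base/locked"
    chmod 2755 "$base/open" "$base/locked"   # what adduser produces
    chmod o-rx "$base/locked"                # the fix above -> rwxr-s---
    world_accessible_homes "$base"
    rm -rf "$base"
}
```

Run world_accessible_homes /home as root to see which existing accounts still have the default mode.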
Persistent Home directory
If using a "diskless" or "data" disk mode installation, it's important to make the /home directory persistent:
- Either the /home filesystem needs to be mounted from a writable partition, or
- the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:
# lbu include /home
# lbu commit
(Not recommended, as reverting to an older .apkovl will also revert the files in /home).
Common permission groups
This material is work-in-progress: a few security implications outlined on the Debian wiki SystemGroups page (https://wiki.debian.org/SystemGroups) still need to be noted.
Groups are needed for certain operations on your system.
(Names taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)
adm      Used for system monitoring tasks.
disk     Raw access to disks. Mostly equivalent to root access.
lp       Members of this group can enable and use printers.
wheel    Administrator group, members can use doas to run commands as root if enabled in the doas configuration.
floppy   Access to floppy drives and other removable (non-optical) drives (like USB flash drives).
audio    Direct access to sound hardware (the soundcard or a microphone).
cdrom    For access to disk writers and mounting DVD, BR or CD-ROM disk as normal user.
dialout  Full and direct access to serial ports.
input    Access to input devices.
tape     Needed to give a set of users access to a tape drive.
video    Access to video capture devices (like a webcam).
netdev   For network connections management as normal user.
kvm      Needed to use the KVM acceleration of virtual machines.
games    Access to some game software.
cdrw     Needed to write RW-DVD, RW-BR or RW-CD disk on a disk writing device.
usb      Needed to access special USB devices, deprecated group.
users    Needed if you plan to use common files for all users, mandatory for desktop usage.
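As an added example (shell, not code from the wiki page), an audit of who holds membership in the groups the table marks as powerful: disk ("mostly equivalent to root access") and wheel (doas/sudo). It covers both the member list in /etc/group and a primary GID set in /etc/passwd, which the id command shows only one account at a time. The group list and the sample passwd/group files are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki. Reports every account in one of the
# groups the table above flags as powerful, whether listed as a member in
# /etc/group or carrying that group as primary GID in /etc/passwd. Runs on
# constructed copies of the files; as root, point it at /etc/passwd and
# /etc/group to audit a live system.

PRIV_GROUPS="wheel disk"   # assumption: the groups treated as sensitive

# privileged_members PASSWD GROUP -> sorted "group:user" lines
privileged_members() {
    awk -v groups="$PRIV_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        NR == FNR {                     # first file: group  (name:x:gid:m1,m2,...)
            split($0, f, ":")
            if (f[1] in want) {
                gid2name[f[3]] = f[1]
                m = split(f[4], mem, ",")
                for (j = 1; j <= m; j++) if (mem[j] != "") out[f[1] ":" mem[j]] = 1
            }
            next
        }
        {                               # second file: passwd (name:x:uid:gid:...)
            split($0, f, ":")
            if (f[4] in gid2name) out[gid2name[f[4]] ":" f[1]] = 1
        }
        END { for (k in out) print k }
    ' "$2" "$1" | sort
}

# demo: constructed sample files. svc is not in the disk member list, but its
# primary GID is 6 (disk), so it is reported as well.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
alice:x:1000:1000:alice:/home/alice:/bin/ash
svc:x:1002:6:svc:/nonexistent:/sbin/nologin
EOF
    cat > "$tmp/group" <<'EOF'
root:x:0:root
disk:x:6:root,adm
wheel:x:10:root,alice
alice:x:1000:
EOF
    privileged_members "$tmp/passwd" "$tmp/group"
    rm -rf "$tmp"
}
```

The loop in the "Old newbie notes" section below adds every account under /home to disk, which this check would immediately surface.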
Old newbie notes
User creation and defaults
The following commands will set up the root login environment, then assign a new password:
cat > /root/.cshrc << EOF
unsetenv DISPLAY || true
HISTCONTROL=ignoreboth
EOF
cp /root/.cshrc /root/.profile
# chpasswd reads "user:password" lines, so the user name has to be given
echo "root:secret_new_root_password" | chpasswd
By default, remote management cannot be done directly with the root account. Because of SSH security we need to set up a remote connection account that will be used to switch to the root user via the su command, once connected.
Here's an example: create a user named "remote" and a user named "general". We will set up a hardened, limited user environment and create those two users:
mkdir -p /etc/skel/
cat > /etc/skel/.logout << EOF
history -c
/bin/rm -f /opt/remote/.mysql_history
/bin/rm -f /opt/remote/.history
/bin/rm -f /opt/remote/.bash_history
EOF
cat > /etc/skel/.cshrc << EOF
set autologout = 30
set prompt = "$ "
set history = 0
set ignoreeof
EOF
cp /etc/skel/.cshrc /etc/skel/.profile
adduser -D --home /opt/remote --shell /bin/ash remote
# chpasswd reads "user:password" lines, so the user name has to be given
echo "remote:secret_new_remote_user_password" | chpasswd
adduser -D --shell /bin/bash general
echo "general:secret_new_general_user_password" | chpasswd
Tip: "general" is the name of the user. That name MUST contain ONLY lowercase letters, NO spaces and NO symbols.
To add newly created users to groups that may come in handy for desktop usage, you run this command as root:
for u in $(ls /home); do for g in disk lp input audio cdrom dialout video netdev games users; do addgroup $u $g; done;done