Setting up a new user: Difference between revisions
Revision as of 16:34, 8 May 2025
This page shows how to create non-privileged user accounts, i.e. those used for daily work, including desktop use and remote logins, and how to grant admin access to such accounts if needed. The built-in root account should be used only for local administrative purposes that require elevated access permissions. Diskless mode users may want to refer to the section Persistent home directory.
User management
Creating regular or non-privileged user accounts provides users with their own $HOME directory and allows the root account to limit the access those user accounts have to the operating system configuration files. Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors). New users can be created in the following ways:
setup-user
The setup-user script allows quick and simple setup of user accounts. To create a regular user account using the above script:
# setup-user
The user is prompted for options. This script uses the adduser command described below.
adduser
# adduser [-g "<Full Name>"] <username>
By default, adduser will:
- prompt you to set a password for the new user
- create a home directory in /home/<username>
- set the shell to the one used by the root account (ash by default)
- assign a user ID and group ID starting at 1000
- set the GECOS (full name) field to "Linux User,,,"
-g "<Full Name>" above sets the GECOS field. This can be very useful to specify. Setting this string, at least equal to the username, makes the user distinguishable, e.g. when they are listed at the login screen of a display manager. For complete adduser usage, check out the busybox manpage, which can be installed with the busybox-doc package or viewed online.
The new user is listed on the last line:
Contents of /etc/passwd
Now you should be able to issue the command exit to log out from a TTY and log in to the newly created account.
Group management
To see what group(s) you belong to, use the following command:
$ groups
To check what group(s) another user belongs to, use:
$ groups '<username>'
To add a user '<username>' to a group (for example, seat) you can use the following command:
# adduser '<username>' seat
The above command is a variation of adduser.
To add your user to a group you can also use the following command (usage from "man busybox"):
addgroup [-g GID] [-S] [USER] GROUP
Create a group or add a user to a group
-g --gid GID    Group id
-S --system     Create a system group
root account
The root account is the most privileged account on a Unix system. The "root" account has no security restrictions imposed upon it. When you are signed in as, or acting as "root", the shell prompt displays '#' as the last character. This is to serve as a warning to you of the absolute power of this account.
SSH root login
For security reasons, the root account is provided with local log-in access only and SSH login is disabled by default. To change this, edit the file /etc/ssh/sshd_config and add PermitRootLogin yes. Restart the sshd service for the change to take effect immediately.
Securing root account
It is recommended not to run complete applications, like editors, as root just to modify administrative files.
- Use doasedit from the doasedit package, available in the testing repository. It can be safely installed by following the guidelines.
- If using sudo, sudoedit can be used.
These tools start an editor on a temporary copy of a file, which replaces the original file after the user modifies and saves it. For example: doasedit /etc/apk/lbu.conf
- Many desktop environments and file browsers support using admin:/// in their address bars, to access files through a local gvfs-admin mount.
Once an admin user is created with either doas or sudo properly configured and tested thoroughly, the root account can be disabled by locking it.
To lock the root account, log in as root and then lock it using the passwd command:
# passwd -l root
Wheel group
The wheel group provides a mechanism to grant users administrator-level privileges without them needing to log in as the root user directly. The doas utility must be installed and configured, so that members of the wheel group can execute commands that require root privileges without needing to know the root password.
Admin user
If a regular user is added to the wheel group, then that user can be considered an Admin user. The setup-user script allows quick and simple setup of admin user accounts by adding <username> to the wheel group and installing the doas package, if not already installed:
# setup-user -a <username>
To provide admin user privileges to an existing user, add them to the wheel group as follows:
# adduser <username> wheel
doas
doas is a simplified and lightweight utility that provides a way to execute commands as another user. Install the doas package:
# apk add doas
To allow the members of the wheel group to use root privileges with doas, the config file /etc/doas.d/doas.conf should be as follows:
Contents of /etc/doas.d/doas.conf
sudo
Sudo (su "do") allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments. The sudo package is a much larger package than its alternative, i.e. doas.
Sudo may be used as follows:
# apk add sudo
# NEWUSER='yourUserName'
# adduser -g "${NEWUSER}" $NEWUSER
# echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER
Here a custom per-user configuration file, i.e. /etc/sudoers.d/$NEWUSER, is used to avoid having to manually change configuration files later during package upgrades.
Home directory permissions
`adduser` creates home directories with permissions `rwxr-sr-x`. This makes the directory readable by all other users on the system. If you prefer not to allow other users to read your home directory, the permissions can be changed:
$ chmod o-rx <path-to-directory>
If --ingroup isn't set (the default), the new user is assigned a new GID that matches the UID. If a group with the GID corresponding to the provided UID already exists, adduser will fail.
This ensures new users default to having a "user's private group" (UPG) as their primary group. This allows the system to use a permission umask (002), which creates new files automatically as group-writable, but only by the user's private group. In special set-group-id (collaboration) directories, new files can be automatically created writable by the directory's group.
Persistent home directory
If using a "diskless" or "data" disk mode installation, it is important to make the /home directory persistent:
- Either the /home filesystem needs to be mounted from a writable partition, or
- the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:
# lbu include /home
# lbu commit
Common permission groups
The following groups are needed for certain operations on your system. The group names were taken from https://git.alpinelinux.org/alpine-baselayout/tree/group
- adm: Used for system monitoring tasks.
- disk: Raw access to disks. Mostly equivalent to root access.
- lp: Members of this group can enable and use printers.
- wheel: Administrator group, members can use doas to run commands as root if enabled in the doas configuration.
- floppy: Access to floppy drives and other removable (non-optical) drives (like USB flash drives).
- audio: Direct access to sound hardware (the soundcard or a microphone).
- cdrom: For access to disk writers and mounting DVD, BR or CD-ROM disks as a normal user.
- dialout: Full and direct access to serial ports.
- input: Privileged access to input devices (not recommended on Wayland desktops).
- seat: Access to input and output devices via seatd.
- tape: Needed to give a set of users access to a tape drive.
- video: Access to video capture devices (like a webcam) and privileged access to GPU devices.
- netdev: For network connection management as a normal user.
- kvm: Needed to use the KVM acceleration of virtual machines.
- games: Access to some game software.
- cdrw: Needed to write RW-DVD, RW-BR or RW-CD disks on a disk writing device.
- usb: Needed to access special USB devices; deprecated group.
- users: Needed if you plan to use common files for all users; mandatory for desktop usage.
Refer to the Debian wiki page SystemGroups to understand the security implications of all these groups.
Desktop usage
If setup-desktop is used to install your desktop environment, elogind is up and running automatically. If you installed your desktop manually and are facing difficulties using the desktop, then users that want a graphical environment need to be added to the video and seat groups. Be warned that adding users to the video group has some negative security implications (see #15409).
To add newly created users to groups that may come in handy for desktop usage, you can run the command below as root:
# for u in $(ls /home); do for g in disk lp input audio cdrom dialout video netdev games users; do addgroup $u $g; done;done
Pay attention to the groups in the above command and proceed only if you want to add all the users on your system to all of the above groups.
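As an added example (not part of the wiki page), the following POSIX shell script parses an /etc/group-style file and reports which non-root accounts are members of groups the page's table flags as sensitive; the group list and the sample group file are constructed here, and passing the real /etc/group as the file argument runs the same checks on a live system, which is a useful review after a bulk-add loop like the one above.

```shell
#!/bin/sh
# Added example, not part of the Alpine wiki page: audit which accounts are members
# of groups the page describes as sensitive, by parsing an /etc/group-style file.
# The group list below is an assumption drawn from the page's table; pass the real
# /etc/group as the file argument to run the same functions on a live system.

SENSITIVE_GROUPS="wheel disk input video dialout"

# Constructed sample /etc/group content so the example runs offline.
SAMPLE_GROUP_FILE=$(mktemp)
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:root
wheel:x:10:root,alice
disk:x:6:root,adm,bob
lp:x:7:lp
video:x:27:alice,bob
audio:x:18:alice
input:x:23:
users:x:100:alice,bob
EOF

# Print the comma-separated supplementary members of GROUP in FILE (empty if none).
# Usage: members_of FILE GROUP
members_of() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Succeed (exit 0) if USER is listed as a supplementary member of GROUP in FILE.
# Usage: user_in_group FILE USER GROUP
user_in_group() {
    members_of "$1" "$3" | tr ',' '\n' | grep -qx -- "$2"
}

# Print one "group=member,..." line per sensitive group that has members other
# than root, so an administrator can review who holds root-equivalent access
# (disk, wheel) or privileged device access (input, video, dialout).
# Usage: sensitive_report FILE
sensitive_report() {
    for g in $SENSITIVE_GROUPS; do
        members_of "$1" "$g" | awk -v g="$g" '{
            n = split($0, a, ","); out = ""
            for (i = 1; i <= n; i++)
                if (a[i] != "" && a[i] != "root") out = out (out == "" ? "" : ",") a[i]
            if (out != "") print g "=" out
        }'
    done
}

sensitive_report "$SAMPLE_GROUP_FILE"
```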