Setting up a new user: Difference between revisions
Kevinthomas0 (talk | contribs) (Grammar and wording fixes)
Revision as of 17:18, 16 June 2021
The root account should only be used for local administrative purposes that require its elevated access permissions.
This page shows the creation of regular user accounts that may be used for daily work, including desktop usage and remote logins.
Overview
Creating user accounts provides the users their own $HOME directory and allows you (the root administrator) to limit the access that these user accounts have to the operating system's configuration.
Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).
Creating a new user
Warning: If using a "diskless" or "data" disk mode installation, it's important to make the /home directory persistent.
- Either the /home filesystem needs to be mounted from a writable partition, or
- the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:
# lbu include /home
# lbu commit
(Not recommended, as reverting to an older .apkovl will also revert the files in /home).
Regular user accounts can be created with:
# adduser [-g "<Full Name>"] <username>
By default, adduser will:
- prompt to set a password for the new user
- create a home directory in /home/<username>
- set the shell to the one used by the root account (ash by default)
- assign user ID and group ID at 1000+
- set the GECOS (full name) field to "Linux User,,,"
Tip: The optional -g "<Full Name>" above sets the GECOS field.
This can be very useful to specify. Setting this string (at least equal to the username) makes the users distinguishable, e.g. when they are listed at the login screen of a display manager.
If a user really must be allowed to have access to the root account, the <username> can be added to the wheel group, doas ("do as") may be installed, and the group "wheel" can be allowed to become root:
adduser -g "<username>" <username>
adduser <username> wheel
apk add doas
apk add nano
nano /etc/doas.conf
Warning: It's recommended to not run complete applications, like editors, as root just to modify administrative files.
- Many desktop environments and file browsers support using admin:/// in their address bars, to access files through a local gvfs-admin mount
- doasedit or sudoedit allows starting an editor for a temporary copy of a file, which overwrites the original file after the user modifies and closes it. For example, sudoedit /etc/apk/lbu.conf
The sudo package is an alternative to using the BSD-like doas, but is a much larger package.
It may be used as follows, adding a per-user configuration file under /etc/sudoers.d so that the main sudoers file does not have to be edited by hand and later merged during package upgrades (note that busybox adduser takes the full name with -g, not -d):
apk add sudo
NEWUSER='yourUserName'
adduser -g "${NEWUSER}" "$NEWUSER"
echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER
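The two privilege setups above leave the actual rule text to the editor (doas) or write it with an unvalidated echo (sudo). The following is an added example, not code from the wiki page: it renders a wheel rule for doas.conf and a per-user sudoers.d drop-in, refuses account names that could break or widen a rule, and checks the result with doas -C or visudo -cf when those tools are installed. The function names and the "permit persist :wheel as root" policy are my choices, not the page's.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki: write the doas and sudo rules from the
# sections above as drop-in files, validating the account name before it is
# interpolated into a rule and checking syntax where the tools are installed.

# Accept only a conservative POSIX account name (what adduser itself accepts).
valid_username() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Let members of wheel become root with their own password, remembered for a
# few minutes ("persist"). DEST defaults to /etc/doas.conf; root-only readable.
write_doas_wheel_rule() {
    dest=${1:-/etc/doas.conf}
    printf 'permit persist :wheel as root\n' > "$dest" && chmod 0600 "$dest" || return 1
    # "doas -C FILE" parses and checks a config file without running anything.
    if command -v doas >/dev/null 2>&1; then doas -C "$dest" || return 1; fi
}

# Per-user sudoers drop-in, as on the page: USER may run anything as anyone, with
# a password. DIR defaults to /etc/sudoers.d; sudo insists on mode 0440.
write_sudoers_rule() {
    user=$1
    dir=${2:-/etc/sudoers.d}
    valid_username "$user" || { echo "refusing to write a rule for '$user'" >&2; return 1; }
    printf '%s ALL=(ALL) ALL\n' "$user" > "$dir/$user" && chmod 0440 "$dir/$user" || return 1
    # "visudo -cf FILE" checks a sudoers file for syntax errors without installing
    # it; older visudo versions also insist on root ownership, so only run as root.
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$dir/$user" >/dev/null || return 1
    fi
}
```

Without arguments the functions write the real system files, so run them as root only after reviewing the policy; with a directory argument they can be exercised safely in a scratch directory.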
The new user gets listed in the contents of /etc/passwd, and it's now possible to exit and log in to the new account.
Options
adduser
Usage (from "man busybox"):
adduser [OPTIONS] USER [GROUP]
Create new user, or add USER to GROUP
    -h --home DIR            Home directory
    -g --gecos GECOS         GECOS field
    -s --shell SHELL         Login shell named SHELL by example /bin/bash
    -G --ingroup GRP         Group (by name)
    -S --system              Create a system user
    -D --disabled-password   Don't assign a password so cannot login in
    -H --no-create-home      Don't create home directory
    -u --uid UID             User id
    -k SKEL                  Skeleton directory (/etc/skel)
If --ingroup isn't set (the default), the new user is assigned a new GID that matches the UID; if a group with the GID corresponding to a provided UID already exists, adduser will fail.
This ensures new users default to having a "user's private group" (UPG) as their primary group. This allows the system to use a permissive umask (002), with which new files are automatically created group-writable, but only for the user's private group. It also means that in special set-group-id (collaboration) directories, new files can automatically be created writable by the directory's group.
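To make the UPG rule above and the earlier wheel-membership setup checkable, here is an added example (not from the wiki) that runs both checks over two constructed passwd/group samples instead of the real files, and shows the umask 002 effect in a scratch directory, so it needs no root. Function names and sample accounts are my own.

```shell
#!/bin/sh
# Added example, not from the Alpine wiki: audit the "user's private group" (UPG)
# convention and wheel membership, using constructed stand-ins for /etc/passwd
# and /etc/group so nothing on the system is touched.
SAMPLE=$(mktemp -d)
cat > "$SAMPLE/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
alice:x:1000:1000:Alice,,,:/home/alice:/bin/ash
bob:x:1001:100:Linux User,,,:/home/bob:/bin/ash
EOF
cat > "$SAMPLE/group" <<'EOF'
wheel:x:10:root,alice
users:x:100:bob
alice:x:1000:
EOF

# Print every regular user (UID >= 1000) whose primary group is not private:
# the GID must equal the UID and the group with that GID must bear the user's name.
# Arguments: PASSWD_FILE GROUP_FILE (the group file is read first by awk).
non_upg_users() {
    awk -F: 'NR == FNR { gname[$3] = $1; next }
             $3 >= 1000 && ($4 != $3 || gname[$4] != $1) { print $1 }' "$2" "$1"
}

# Print the members of group $1 listed in group file $2, one per line.
group_members() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
}

# Create a file under umask 002 and return its mode string: group-writable,
# world-readable, which is safe only because the group is the user's own.
mode_under_upg_umask() {
    ( umask 002; : > "$SAMPLE/newfile"; ls -l "$SAMPLE/newfile" | cut -c1-10 )
}
```

On a real system replace the two sample paths with /etc/passwd and /etc/group; in the sample, bob is flagged because his primary group is the shared "users" group rather than a private one.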
addgroup
Usage (from "man busybox"):
addgroup [-g GID] [-S] [USER] GROUP
Create a group or add a user to a group
    -g --gid GID   Group id
    -s --system    Create a system group
Legacy
Common permission groups
(Taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)
- disk:x:6:root,adm Only needed for working with virtual machines and for access to other partitions on new disks
- lp:x:7:lp Needed to use printing services and manage printers
- wheel:x:10:root Administrators group; members can use sudo to run commands as root if enabled in the sudo configuration.
- floppy:x:11:root Backward-compatible group, use only if access to external special devices is needed
- audio:x:18: Needed for audio playback and management of sound volumes as a normal user
- cdrom:x:19: For access to disc writers and for mounting DVD, BR or CD-ROM discs as a normal user
- dialout:x:20:root Needed for dial-up private connections and use of modems as a normal user
- tape:x:26:root Needed if you plan to use special devices for backups; rarely needed on non-server systems
- video:x:27:root For usage of cameras and of special features of more than one GPU, as a normal user
- netdev:x:28: For network connection management as a normal user
- kvm:x:34:kvm Only if a normal user will manage virtual machines graphically; rarely needed on non-server systems
- games:x:35: Needed if you want to play games, and especially if scores are to be shared between users
- cdrw:x:80: To write RW-DVD, RW-BR or RW-CD discs on a disc-writing device
- apache:x:81: Needed if you will perform development as a normal user and want to publish locally on the web server
- usb:x:85: Needed to access special USB devices; deprecated group
- users:x:100:games If you plan to use common files for all users; mandatory for desktop usage
Old newbie notes
Users creation and defaults
The following commands will first set up the root login environment and then assign a new password (chpasswd reads "user:password" lines on stdin):
cat > /root/.cshrc << EOF
unsetenv DISPLAY || true
HISTCONTROL=ignoreboth
EOF
cp /root/.cshrc /root/.profile
echo "root:secret_new_root_password" | chpasswd
Remote management cannot be done as root directly by default, because of the ssh security settings, so we need to set up a remote connection account from which to run "su" once connected.
The recommended approach is to have an access user, here named "remote", and a normal general-usage user, here named "general", for convenience. The next commands set up a very hardened, limited environment for any new user and create those two users:
mkdir -p /etc/skel/
cat > /etc/skel/.logout << EOF
history -c
/bin/rm -f /opt/remote/.mysql_history
/bin/rm -f /opt/remote/.history
/bin/rm -f /opt/remote/.bash_history
EOF
cat > /etc/skel/.cshrc << EOF
set autologout = 30
set prompt = "$ "
set history = 0
set ignoreeof
EOF
cp /etc/skel/.cshrc /etc/skel/.profile
adduser -D --home /opt/remote --shell /bin/ash remote
echo "remote:secret_new_remote_user_password" | chpasswd
adduser -D --shell /bin/bash general
echo "general:secret_new_general_user_password" | chpasswd
Note that those users are created with minimal settings.
User management and system access
By default, a newly created user will not have enough privileges for most desktop purposes.
To add newly created users that have home directories set up to groups that may come in handy for desktop usage, you can run this command as root:
for u in $(ls /home); do for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup $u $g; done;done