Setting up a new user: Difference between revisions
Eddsalkield (talk | contribs) |
m (Use uppercase letter in addgroup -S option) |
||
Line 112: | Line 112: | ||
-g --gid GID Group id | -g --gid GID Group id | ||
- | -S --system Create a system group | ||
</nowiki></pre> | </nowiki></pre> | ||
Revision as of 19:27, 10 February 2022
The root
account should be used only for local administrative purposes that require elevated access permissions.
This page shows how to create non-privileged user accounts. i.e. those used for daily work, including desktop use and remote logins.
Overview
Creating user accounts provides users with their own $HOME directory and allows you (the root user) to limit the access those user accounts have to the operating system configuration files.
Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).
Creating a new user
/home
directory persistent.
- Either the
/home
filesystem needs to be mounted from a writable partition, or - the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:
# lbu include /home # lbu commit
(Not recommended, as reverting to an older .apkovl will also revert the files in /home).
Regular user accounts can be created with:
# adduser [-g "<Full Name>"] <username>
By default, adduser will:
- prompt you to set a password for the new user
- create a home directory in /home/<username>
- set the shell to the one used by the
root
account (ash by default) - assign user ID and group ID starting at 1000
- set the GECOS (full name) field to "Linux User,,,"
-g "<Full Name>"
above sets the GECOS field.
This can be very useful to specify. Setting this string - at least equal to the username - makes the user distinguishable, e.g. when they are listed at the login screen of a display manager.
Only if elogind
is not being used and running, then X users would need to be added to the video and input groups to be able to work with a graphical display.
adduser 'UserName' video adduser 'UserName' input
If a user really must be allowed to have access to the root account, the <username> can be added to the wheel group, doas
("do as") may be installed, and the group "wheel" can be allowed to become root:
adduser -g "<username>" <username> adduser <username> wheel apk add doas apk add nano nano /etc/doas.conf
Ensure that this file contains
permit persist :wheel
- Many desktop environments and file browsers support using
admin:///
in their address bars, to access files through a local gvfs-admin mount doasedit
orsudoedit
(being deprecated in favour ofdoas
) enables starting an editor with a temporary copy of a file, which overwrites the original file after the user modifies and saves it. For example,sudoedit /etc/apk/lbu.conf
The sudo
package is an alternative to using the BSD-like doas
, but is a much larger package.
It may be used as follows: adding a custom user configuration file to avoid having to deal with manually changing configuration files later during package upgrades.
apk add sudo NEWUSER='yourUserName' adduser -d "${NEWUSER}" $NEWUSER echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER
The new user gets listed in
Contents of /etc/passwd
Now you should be able to issue the command exit
and login to the new account.
Options
adduser
Usage (from "man busybox"):
adduser [OPTIONS] USER [GROUP] Create new user, or add USER to GROUP -h --home DIR Home directory -g --gecos GECOS GECOS field -s --shell SHELL Login shell named SHELL by example /bin/bash -G --ingroup GRP Group (by name) -S --system Create a system user -D --disabled-password Don't assign a password, so cannot login -H --no-create-home Don't create home directory -u --uid UID User id -k SKEL Skeleton directory (/etc/skel)
If --ingroup isn't set, (default) the new user is assigned a new GID that matches the UID. If the GID corresponding to a provided UID already exists, adduser will fail.
This ensures new users default to having a "user's private group" (UPG) as primary group. These allow the system to use a permission umask (002), which creates new files automatically as group-writable, but only by the user's private group. In special set-group-id (collaboration) directories, new files can be automatically created writable by the directory's group.
addgroup
Usage (from "man busybox"):
addgroup [-g GID] [-S] [USER] GROUP Create a group or add a user to a group -g --gid GID Group id -S --system Create a system group
Legacy
Common permission groups
(Taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)
- disk:x:6:root,adm needed only for use vith virtual machines and access to other partitions.
- lp:x:7:lp needed for printing services and printers management.
- wheel:x:10:root Administrator group, members can use
sudo
to run commands as root if enabled in the sudo configuration. - floppy:x:11:root Backward compatible group. Use only if access to special external devices is needed.
- audio:x:18: Needed for audio listening and management of sound volume as normal user.
- cdrom:x:19: For access to CD/DVD/BR writers and mounting DVD, BR or CD rom disk as normal user.
- dialout:x:20:root Needed for dialing private connections and use of modems as normal user.
- tape:x:26:root Needed if you're planning to use special devices for backup. Rare. Ususally used only on servers.
- video:x:27:root For usage of cameras, more than one GPU special features, as normal user.
- netdev:x:28: For network connections management as normal user.
- kvm:x:34:kvm Only if a normal user will manage virtual machines via a GUI. Rare. Ususally used only on servers.
- games:x:35: Needed if you want to play games. Especially if sharing scores between users.
- cdrw:x:80: Needed to write RW-DVD, RW-BR or RW-CD disk on a disk writing device.
- apache:x:81: Needed if you do development as normal user and want to publish locally on web server.
- usb:x:85: Needed to access to special usb devices. Deprecated group.
- users:x:100:games Needed if you plan to use common files for all users. Mandatory for desktop usage.
Old newbie notes
User creation and defaults
The following commands will set up root environment login, then assign a new password:
cat > /root/.cshrc << EOF unsetenv DISPLAY || true HISTCONTROL=ignoreboth EOF cp /root/.cshrc /root/.profile echo "secret_new_root_password" | chpasswd
By default, remote management cannot be done directly with the root account. Because of SSH security we need to set up a remote connection account that will be used to switch to the root user via the su command, once connected.
Here's an example: create user named "remote" and a user named "general". We will set up a hardened, limited, user environment and create those two users:
mkdir -p /etc/skel/ cat > /etc/skel/.logout << EOF history -c /bin/rm -f /opt/remote/.mysql_history /bin/rm -f /opt/remote/.history /bin/rm -f /opt/remote/.bash_history EOF cat > /etc/skel/.cshrc << EOF set autologout = 30 set prompt = "$ " set history = 0 set ignoreeof EOF cp /etc/skel/.cshrc /etc/skel/.profile adduser -D --home /opt/remote --shell /bin/ash remote echo "secret_new_remote_user_password" | chpasswd adduser -D --shell /bin/bash general echo "secret_new_general_user_password" | chpasswd
Note that those users are created with minimal privilege settings.
User management and system access
By default, a newly created user will not have enough privileges for most desktop purposes.
To add newly created users to groups that may come in handy for desktop useage, you run this command as root:
for u in $(ls /home); do for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup $u $g; done;done