Setting up a new user: Difference between revisions

From Alpine Linux
(link to new users creation)
m (→adduser: remove some format)
(One intermediate revision by the same user not shown)
Line 1: Line 1:
{{TOC right}}
{{TOC right}}


Creating a user is an important step when first configuring a Linux system. Generally ''root'' account is used for administration only as it has access to the operating system and its configuration.
Creating a user is an important step when first configuring a Linux system. Generally ''root'' account is used for administration only as it has access to the operating system and its configuration. This are not a good practice, so the recommendation are creation of accounts for specific purposes like remote connection or desktop usage.


= Overview =
This document will show first basic usage overview and later detailed cases of user management in Alpine linux.


When Alpine Linux is first installed by default it comes with the user ''root'' with no password set. For security reasons it's always a good idea to either set a password to the user ''root'' or disabling the login to the user, which its why is suggested to run <code>[[setup-alpine]]</code> to change ''root'' password.
= Overview and new users accounts =


Creating an account allows it to have it's own $HOME directory and allows you to limit access to the configuration of the operating system for security reasons.
Creating an account allows it to have it's own $HOME directory and allows you to limit access to the configuration of the operating system for security reasons.


= Creating a new user =
== Creating a new user ==


Using the command '''adduser''' will allow you to create a new user in the system.
Using the command '''adduser''' will allow you to create a new user in the system.
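Review bot: In the new intro sentence, "This are not a good practice" directly follows the statement that root is used for administration only, so it reads as if restricting root to administration were the bad practice. Name the subject explicitly (for example "Using root for everyday work is not good practice") and fix the agreement ("This is", "the recommendation is"). The hunk also drops the Overview paragraph warning that root ships with no password; that warning now appears only in the later "management of users and logins" section, so a reader who stops after "Creating a new user" never sees it.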
Line 31: Line 31:
test:x:1000:1000:Linux User,,,:/home/test:/bin/ash}}
test:x:1000:1000:Linux User,,,:/home/test:/bin/ash}}


You can now ''exit'' and login to the new account.
You can now ''exit'' and login to the new account. The follwing section [[#management_of_users_and_logins]] next here have better detailed usage and its recommended to read!


== User management commands ==
== User management commands ==
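Review bot: The sentence appended after "login to the new account" has a typo ("follwing") and shows the raw anchor as its link text. A piped link such as [[#management_of_users_and_logins|management of users and logins]] reads better, and "next here have better detailed usage and its recommended to read" would be clearer as "has more detailed usage and is recommended reading".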
Line 60: Line 60:
*  -k SKEL Skeleton directory (/etc/skel)
*  -k SKEL Skeleton directory (/etc/skel)


One thing to note is that if <pre>--ingroup</pre> isn't set then the GID is assigned to match the UID. If the GID corresponding to the provided UID already exists adduser will fail.
One thing to note is that if <nowiki>--ingroup</nowiki> isn't set then the GID is assigned to match the UID. If the GID corresponding to the provided UID already exists adduser will fail.


=== addgroup ===
=== addgroup ===
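Review bot: --ingroup loses its code styling in the changed sentence, because <nowiki> alone renders it as ordinary body text. Wrapping it as <code><nowiki>--ingroup</nowiki></code> keeps it inline and monospaced, the same way $HOME is marked up in the section added later in this revision.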
Line 73: Line 73:
*  --system  Create a system group
*  --system  Create a system group


Alpine base groups permissions, check for base layout package:
Where the most common Alpine base groups permissions are:


https://git.alpinelinux.org/alpine-baselayout/tree/group
* '''disk''':x:6:root,adm  Only if need usage vith virtual machines and access to other partitions over new disks for
* '''lp''':x:7:lp  IF will need to use printing services and printers management
* '''floppy''':x:11:root  Backguard compatible group, use only if need access to external special devices
* '''audio''':x:18:  Need for audio listening and management of sound volumes as normal user
* '''cdrom''':x:19:  For access to disck writers and mounting DVD, BR or CD rom disk as normal user
* '''dialout''':x:20:root  Need for dial private connections and use of modems as normal users
* '''tape''':x:26:root  Need have into this if plan to use special devices for backup.. rarelly in no servers
* '''video''':x:27:root  For usage of cameras, mor thant one GPU special features, as normal user
* '''netdev''':x:28:  For network connections management as normal user
* '''kvm''':x:34:kvm Only if as normal user will manage graphically virtual machines.. rarelly on no servers
* '''games''':x:35:  Need if you want to play games also specially need if will share score between users
* '''cdrw''':x:80:  To write RW-DVD, RW-BR or RW-CD disk on a disk writing device
* '''apache''':x:81: Need if you will perfom development as normal user and want to publish locally on web server
* '''usb''':x:85: Need to access to special usb devices, deprecated group
* '''users''':x:100:games If you plan to used common files for all users, mandatory as desktop usage
 
A more complete list are in : https://git.alpinelinux.org/alpine-baselayout/tree/group more detailed user and group management are in the sections below:
 
= management of users and logins =
 
When Alpine Linux is first installed by default it comes with the user ''root'' with no password set '''so the first step after boot into alpine fresh install are set a password to the user ''root''''', if during isntall was run setup-alpine to change root password, that will be already assigned and can be changed with those setup steps described here. More info in the [[Setting up a new user|Setting users]] wiki page.
 
== Users creation and defaults ==
 
'''Only ''root'' can manage users'''. Creating an account allows it to have it's own <code><nowiki>$HOME</nowiki></code> directory and allows you to limit access to the configuration of the operating system for security reasons. So the following commands will first setup root environment login and then assing a new password:
 
<pre><nowiki>
cat > /root/.cshrc << EOF
unsetenv DISPLAY || true
HISTCONTROL=ignoreboth
EOF
 
cp /root/.cshrc /root/.profile
 
echo "secret_new_root_password" | chpasswd
</nowiki></pre>
 
The remote management cannot be done with root directly by default, due ssh security, so we need to setup an remote connection account to made "su" once connected.
 
The most recommended it's having a access user here named "remote" and normal general usage user here named "general" for convenience, in the next commands we will setup a very hardened limited environment for any new user and created those two users:
 
<pre><nowiki>
mkdir -p /etc/skel/
 
cat > /etc/skel/.logout << EOF
history -c
/bin/rm -f /opt/remote/.mysql_history
/bin/rm -f /opt/remote/.history
/bin/rm -f /opt/remote/.bash_history
EOF
 
cat > /etc/skel/.cshrc << EOF
set autologout = 30
set prompt = "$ "
set history = 0
set ignoreeof
EOF
 
cp /etc/skel/.cshrc /etc/skel/.profile
 
adduser -D --home /opt/remote --shell /bin/ash remote
 
echo "secret_new_remote_user_password" | chpasswd
 
adduser -D --shell /bin/bash general
 
echo "secret_new_general_user_password" | chpasswd
</nowiki></pre>
 
{{Tip|"'''general'''" are the name of the user, that name MUST be only lowercase letters and no spaces with no symbols}}
 
Note that those users are created with minimal settings.
 
== Users management and system access ==
 
But this user will not have enough privileges for a desktop made purposes, Alpine comes with high security so administrator (the ''root'' account owner) must perform the management of that user. Take care, for a server made there's no similar procedure!
 
Now we can changes some defaults and added to proper groups to access devices or perform connections so, those are the recommended groups where the user must have in:
 
<pre><nowiki>
for u in $(ls /home); do for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup $u $g; done;done
</nowiki></pre>
 
Management of users can be made with the default '''busybox''', but there's some packages that makes the life easy of the admins, lest use the '''libuser''' package now from testing repository:
 
<pre><nowiki>
cat > /etc/apk/repositories << EOF
http://mirror.math.princeton.edu/pub/alpinelinux/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://mirror.math.princeton.edu/pub/alpinelinux/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
http://mirror.math.princeton.edu/pub/alpinelinux/edge/testing/
EOF
 
apk update
 
apk add libuser
 
cat > /etc/apk/repositories << EOF
http://mirror.math.princeton.edu/pub/alpinelinux/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://mirror.math.princeton.edu/pub/alpinelinux/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF
 
apk update
 
touch /etc/login.defs
 
touch /etc/default/useradd
</nowiki></pre>
 
Now we have ''libuser'' also '''can change default shell''':
 
* If you want to change the current user's shell, log in as that user and then inside their terminal session execute:: <pre>lchsh</pre>
* If you want to change a different user's shell, run as administration or as '''''root''''': <pre><nowiki>lchsh general</nowiki></pre>
 
Where "general" was the name of a created user login in previous sections.


== See also: ==
== See also: ==
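Review bot: The three chpasswd calls in the added section pipe only a password, e.g. echo "secret_new_root_password" | chpasswd, but chpasswd reads user:password pairs on stdin, so none of them sets a password as written; each needs the account name prefixed (root:, remote:, general:). Separately, the addgroup loop puts every user under /home into disk, which the group list added in this same hunk describes as "Only if need usage vith virtual machines", and it never touches remote, whose home is /opt/remote; consider dropping disk from the default set and naming the users explicitly. The .logout written to /etc/skel also hardcodes /opt/remote paths, so it cleans nothing for general.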

Revision as of 15:13, 27 January 2020

Creating a user is an important step when first configuring a Linux system. The root account has access to the operating system and its configuration, so it is generally used for administration only. Using root for everything else is not good practice, so the recommendation is to create accounts for specific purposes such as remote connection or desktop usage.

This document first gives a basic usage overview and then covers detailed cases of user management in Alpine Linux.

Overview and new users accounts

Creating an account gives it its own $HOME directory and lets you limit access to the configuration of the operating system for security reasons.

Creating a new user

Using the command adduser will allow you to create a new user in the system.

adduser <username>

It will prompt you to set a password for the new user. For example, let's create a new user with the session name "test":

# adduser test
Changing password for test
New password: 
Retype password: 
passwd: password for test changed by root

The new user can be seen in the contents of /etc/passwd:

root:x:0:0:root:/root:/bin/ash
. . .
test:x:1000:1000:Linux User,,,:/home/test:/bin/ash

You can now exit and log in to the new account. The section "management of users and logins" further down has more detailed usage and is recommended reading.

User management commands

At install, Alpine comes only with the busybox user management commands; the following are standard for all Linux distributions.

If no OPTIONS are set, creating a new user by default creates a home directory in /home/<username>, sets the shell to the one the root account uses (ash by default), assigns a user ID and group ID of 1000 or above, and sets the GECOS field to Linux User,,,.

adduser

Usage:

adduser [OPTIONS] USER [GROUP]

Create new user, or add USER to GROUP

  • --home DIR Home directory
  • --gecos GECOS GECOS field
  • --shell SHELL Login shell named SHELL, for example /bin/bash
  • --ingroup GRP Group (by name)
  • --system Create a system user
  • --disabled-password Don't assign a password, so the user cannot log in
  • --no-create-home Don't create home directory
  • --uid UID User id

Those options only work for newer versions:

  • -k SKEL Skeleton directory (/etc/skel)

One thing to note is that if --ingroup isn't set then the GID is assigned to match the UID. If the GID corresponding to the provided UID already exists adduser will fail.

addgroup

Usage:

addgroup [-g GID] [-S] [USER] GROUP

Add a group or add a user to a group

  • --gid GID Group id
  • --system Create a system group

The most common Alpine base groups and their purposes are:

  • disk:x:6:root,adm Only if you need to work with virtual machines and access other partitions over new disks for
  • lp:x:7:lp Needed if you will use printing services and printer management
  • floppy:x:11:root Backward-compatibility group; use only if you need access to external special devices
  • audio:x:18: Needed for listening to audio and managing sound volume as a normal user
  • cdrom:x:19: For access to disc writers and mounting DVD, BR or CD-ROM discs as a normal user
  • dialout:x:20:root Needed for private dial-up connections and use of modems as a normal user
  • tape:x:26:root Needed if you plan to use special devices for backup; rarely on non-server systems
  • video:x:27:root For use of cameras and special features of more than one GPU, as a normal user
  • netdev:x:28: For managing network connections as a normal user
  • kvm:x:34:kvm Only if you will manage virtual machines graphically as a normal user; rarely on non-server systems
  • games:x:35: Needed if you want to play games, especially if scores will be shared between users
  • cdrw:x:80: To write RW-DVD, RW-BR or RW-CD discs on a disc writing device
  • apache:x:81: Needed if you will perform development as a normal user and want to publish locally on the web server
  • usb:x:85: Needed to access special USB devices; deprecated group
  • users:x:100:games If you plan to use common files for all users; mandatory for desktop usage

A more complete list is at https://git.alpinelinux.org/alpine-baselayout/tree/group. More detailed user and group management is covered in the sections below.

management of users and logins

When Alpine Linux is first installed, by default it comes with the user root with no password set, so the first step after booting into a fresh Alpine install is to set a password for the user root. If setup-alpine was run during install to change the root password, one is already assigned and can be changed with the setup steps described here. More info is in the Setting users wiki page.

Users creation and defaults

Only root can manage users. Creating an account gives it its own $HOME directory and lets you limit access to the configuration of the operating system for security reasons. The following commands first set up the root login environment and then assign a new password:

cat > /root/.cshrc << EOF
unsetenv DISPLAY || true
HISTCONTROL=ignoreboth
EOF

cp /root/.cshrc /root/.profile

# chpasswd reads "user:password" pairs on stdin
echo "root:secret_new_root_password" | chpasswd

By default, remote management cannot be done as root directly because of ssh security, so we need to set up a remote connection account and use "su" once connected.

The recommended setup is an access user, here named "remote", and a normal general-usage user, here named "general" for convenience. The next commands set up a very hardened, limited environment for any new user and create those two users:

mkdir -p /etc/skel/

# Quoted 'EOF' keeps $HOME literal, so each user's own history files are removed
cat > /etc/skel/.logout << 'EOF'
history -c
/bin/rm -f "$HOME/.mysql_history"
/bin/rm -f "$HOME/.history"
/bin/rm -f "$HOME/.bash_history"
EOF

cat > /etc/skel/.cshrc << EOF
set autologout = 30
set prompt = "$ "
set history = 0
set ignoreeof
EOF

cp /etc/skel/.cshrc /etc/skel/.profile

adduser -D --home /opt/remote --shell /bin/ash remote

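# chpasswd reads "user:password" pairs on stdin
echo "remote:secret_new_remote_user_password" | chpasswd

# /bin/bash is not part of the Alpine base install; install it first (apk add bash)
adduser -D --shell /bin/bash general

echo "general:secret_new_general_user_password" | chpasswd

Tip: "general" is the name of the user; that name MUST contain only lowercase letters, with no spaces and no symbols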

Note that those users are created with minimal settings.

Users management and system access

This user will not have enough privileges for desktop purposes. Alpine comes with high security, so the administrator (the root account owner) must manage that user. Take care: for a server setup there is no similar procedure!

Now we can change some defaults and add the user to the proper groups to access devices or make connections. These are the recommended groups the user must be in:

# Add every user that has a home directory under /home to the desktop groups
for u in $(ls /home); do
    for g in disk lp floppy audio cdrom dialout video netdev games users; do
        addgroup "$u" "$g"
    done
done
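
As an added example (not part of the wiki page or of Alpine's tooling), the script below audits the result of a loop like the one above: it reads a group file and a passwd file and lists every non-root account in disk, kvm or tape, the groups the list earlier on this page qualifies with "Only if" or "rarely". The choice of those three groups, the function name audit_groups and the sample user backupop are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the wiki page): list non-root accounts that hold
# membership in device groups the page marks as "only if needed".

# Assumption: which groups to flag. disk, kvm and tape are the entries the
# group list on this page qualifies with "Only if" or "rarely".
SENSITIVE_GROUPS="disk kvm tape"

# audit_groups GROUP_FILE [PASSWD_FILE]
# Prints sorted "group:user" lines for supplementary members (field 4 of the
# group file) and for users whose primary GID (field 4 of passwd) matches.
audit_groups() {
    awk -F: -v want="$SENSITIVE_GROUPS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) flag[w[i]] = 1 }
        FNR == NR {                      # first file: name:x:gid:members
            if ($1 in flag) {
                name_of[$3] = $1
                m = split($4, u, ",")
                for (i = 1; i <= m; i++)
                    if (u[i] != "" && u[i] != "root") print $1 ":" u[i]
            }
            next
        }
        ($4 in name_of) && $1 != "root" { print name_of[$4] ":" $1 }
    ' "$1" "${2:-/dev/null}" | sort -u
}

# Constructed sample: state after the addgroup loop for "general", plus a
# made-up user "backupop" whose primary group is tape.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/group" <<'EOF'
disk:x:6:root,adm,general
lp:x:7:lp,general
tape:x:26:root
kvm:x:34:kvm
users:x:100:games,general
EOF
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
general:x:1000:1000:Linux User,,,:/home/general:/bin/bash
backupop:x:1001:26:Linux User,,,:/home/backupop:/bin/ash
EOF
    audit_groups "$dir/group" "$dir/passwd"
    rm -rf "$dir"
}

demo
```

On a live system the call would be audit_groups /etc/group /etc/passwd, run as root after any change to group membership.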

Users can be managed with the default busybox tools, but some packages make life easier for admins. Let's use the libuser package, currently in the testing repository:

cat > /etc/apk/repositories << EOF
http://mirror.math.princeton.edu/pub/alpinelinux/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://mirror.math.princeton.edu/pub/alpinelinux/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
http://mirror.math.princeton.edu/pub/alpinelinux/edge/testing/
EOF

apk update

apk add libuser

cat > /etc/apk/repositories << EOF
http://mirror.math.princeton.edu/pub/alpinelinux/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/main
http://mirror.math.princeton.edu/pub/alpinelinux/v$(cat /etc/alpine-release | cut -d'.' -f1,2)/community
EOF

apk update

touch /etc/login.defs

touch /etc/default/useradd

Now that we have libuser, we can also change the default shell:

  • If you want to change the current user's shell, log in as that user and then inside their terminal session execute:
    lchsh
  • If you want to change a different user's shell, run as an administrator or as root:
    lchsh general

Here "general" is the login name of the user created in the previous sections.

See also:

Alpine_newbie_apk_packages#Users_creation_and_defaults