Setting up a new user: Difference between revisions

From Alpine Linux
(removed libuser "testing" package recommendation)
No edit summary

Revision as of 13:49, 8 May 2021

The root account should only be used for administrative purposes that require its elevated access permissions.

This page shows the creation of separate user accounts, e.g. for remote connections or desktop usage.

Overview

Creating user accounts provides the users their own $HOME directory and allows you (the root administrator) to limit the access that these user accounts have to the operating system's configuration.

Using them increases security, because they limit the possible actions and thus the possible damage (even from accidental errors).

Creating a new user

A new user is created with:

adduser <username>

By default, it will:

  • prompt to set a password for the new user.
  • create a home directory in /home/<username>.
  • set the shell to the one used by the root account (ash by default).
  • assign a user ID and group ID of 1000 or higher.
  • set the GECOS field to Linux User,,,.

For example, if we create a new user with name "test":

# adduser test
Changing password for test
New password: 
Retype password: 
passwd: password for test changed by root

The new user can be seen in

Contents of /etc/passwd

root:x:0:0:root:/root:/bin/ash
...
test:x:1000:1000:Linux User,,,:/home/test:/bin/ash

So, it's now possible to exit and login to the new account.


Manual page excerpts

adduser

Usage:

adduser [OPTIONS] USER [GROUP]

Create new user, or add USER to GROUP

  • --home DIR Home directory
  • --gecos GECOS GECOS field
  • --shell SHELL Login shell named SHELL, for example /bin/bash
  • --ingroup GRP Group (by name)
  • --system Create a system user
  • --disabled-password Don't assign a password, so the user cannot log in
  • --no-create-home Don't create home directory
  • --uid UID User id
  • -k SKEL Skeleton directory (/etc/skel)


Tip: Multi-user collaboration:

If --ingroup isn't set (the default), the new user is assigned a new GID that matches the UID; if a group with that GID already exists, adduser will fail.

This ensures new users default to having a "user's private group" (UPG) as their primary group. A UPG allows the system to use a permissive umask (002): new files are automatically created group-writable, but only for the user's private group. In special set-group-id (collaboration) directories, new files are then automatically created writable by the directory's group.
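To make the tip concrete, here is an added example (not from the Alpine wiki page) that builds a set-group-id collaboration directory in a scratch location and shows what mode a new file gets under umask 002 versus the default 022. It assumes a Linux `stat` (GNU or busybox, `-c`); the `make_collab_dir` and `new_file_mode` function names are this example's own.

```shell
#!/bin/sh
# Added example: UPG model + umask 002 + set-group-id directory.
# Works in a scratch directory, so it needs no root and creates no users.

# Create a collaboration directory: group-writable with the set-group-id
# bit (mode 2775) so files created inside inherit the directory's group.
# GROUP is optional; chgrp only succeeds if the caller belongs to it.
make_collab_dir() {
    dir=$1; group=${2:-}
    mkdir -p "$dir" || return 1
    [ -n "$group" ] && chgrp "$group" "$dir"
    chmod 2775 "$dir"
}

# Print the octal mode a freshly created file gets under umask $1 in dir $2.
# Runs as a subshell so the umask change does not leak to the caller.
new_file_mode() (
    umask "$1"
    f=$2/probe.$$
    : > "$f"
    stat -c %a "$f"
    rm -f "$f"
)

# Print the group name owning a path (to confirm set-group-id inheritance).
group_of() {
    stat -c %G "$1"
}

# Demonstration: with umask 002 a new file is 664 (owner and group can write,
# which is safe only because the group is the user's private group or the
# collaboration group); with the default 022 it is 644.
tmp=$(mktemp -d)
make_collab_dir "$tmp/shared"
echo "dir mode:   $(stat -c %a "$tmp/shared")"          # 2775
echo "dir group:  $(group_of "$tmp/shared")"
echo "umask 002 -> $(new_file_mode 002 "$tmp/shared")"   # 664
echo "umask 022 -> $(new_file_mode 022 "$tmp/shared")"   # 644
rm -rf "$tmp"
```

Without root the directory keeps your own primary group, so the inheritance is only visible once an administrator runs `chgrp` with a shared group that the collaborators belong to.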

addgroup

Usage:

addgroup [-g GID] [-S] [USER] GROUP

Add a group or add a user to a group

  • --gid GID Group id
  • --system Create a system group

Common permission groups

(Taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)

  • disk:x:6:root,adm Only if you need to use virtual machines and access other partitions on additional disks
  • lp:x:7:lp If you will need to use printing services and manage printers
  • wheel:x:10:root Administrators group; members can use sudo to run commands as root if enabled in the sudo configuration.
  • floppy:x:11:root Backward-compatibility group; use only if you need access to external special devices
  • audio:x:18: Needed for audio playback and managing sound volume as a normal user
  • cdrom:x:19: For access to disc writers and mounting DVD, BR or CD-ROM discs as a normal user
  • dialout:x:20:root Needed for dial-up private connections and use of modems as a normal user
  • tape:x:26:root Needed if you plan to use special devices for backup; rarely needed on non-servers
  • video:x:27:root For use of cameras and special features of more than one GPU as a normal user
  • netdev:x:28: For network connection management as a normal user
  • kvm:x:34:kvm Only if you will manage virtual machines graphically as a normal user; rarely needed on non-servers
  • games:x:35: Needed if you want to play games, especially if scores will be shared between users
  • cdrw:x:80: To write RW-DVD, RW-BR or RW-CD discs on a disc-writing device
  • apache:x:81: Needed if you will do development as a normal user and want to publish locally on the web server
  • usb:x:85: Needed to access special USB devices; deprecated group
  • users:x:100:games If you plan to use common files shared by all users; mandatory for desktop usage


Users creation and defaults

The following commands first set up the root login environment and then assign a new root password:

cat > /root/.cshrc << EOF
unsetenv DISPLAY || true
HISTCONTROL=ignoreboth
EOF

cp /root/.cshrc /root/.profile

# chpasswd reads "user:password" lines on stdin
echo "root:secret_new_root_password" | chpasswd

By default, remote management cannot be done as root directly, for ssh security reasons, so we need to set up a remote connection account and use "su" once connected.

The recommended setup is an access user, here named "remote", and a normal general-purpose user, here named "general". The next commands set up a hardened, limited default environment for any new user (via /etc/skel) and then create those two users:

mkdir -p /etc/skel/

cat > /etc/skel/.logout << EOF
history -c
/bin/rm -f /opt/remote/.mysql_history
/bin/rm -f /opt/remote/.history
/bin/rm -f /opt/remote/.bash_history
EOF

cat > /etc/skel/.cshrc << EOF
set autologout = 30
set prompt = "$ "
set history = 0
set ignoreeof
EOF

cp /etc/skel/.cshrc /etc/skel/.profile

adduser -D --home /opt/remote --shell /bin/ash remote

# chpasswd reads "user:password" lines on stdin
echo "remote:secret_new_remote_user_password" | chpasswd

adduser -D --shell /bin/bash general

echo "general:secret_new_general_user_password" | chpasswd
Tip: "general" is the user name; a user name MUST consist only of lowercase letters, with no spaces and no symbols.

Note that those users are created with minimal settings.
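Two of the rules on this page are easy to check before running adduser: the user-name rule in the tip just above, and the rule from the adduser tip that, without --ingroup, a UID whose matching GID is already taken makes adduser fail. The following pre-flight script is an added example (not from the Alpine wiki page); it works on a constructed /etc/group sample embedded in the script, and the function names `valid_username`, `gid_exists` and `check_adduser` are this example's own.

```shell
#!/bin/sh
# Added example: pre-flight checks before `adduser` on Alpine.

# Constructed sample of /etc/group for offline testing (not a real system's file).
# To check a live system, pass "$(cat /etc/group)" as the third argument instead.
SAMPLE_GROUP='root:x:0:root
wheel:x:10:root
users:x:100:games
test:x:1000:'

# Return 0 if NAME is a valid user name per the page's rule (lowercase letters only).
valid_username() {
    case "$1" in
        '')        return 1 ;;   # empty
        *[!a-z]*)  return 1 ;;   # anything other than a-z
        *)         return 0 ;;
    esac
}

# Return 0 if a group with GID $1 exists in the group data read from stdin.
gid_exists() {
    awk -F: -v gid="$1" '$3 == gid { found = 1 } END { exit found ? 0 : 1 }'
}

# Check whether `adduser --uid UID NAME` (without --ingroup) can succeed.
# Prints the reason and returns 1 for a bad name, 2 for a GID collision, 0 if ok.
check_adduser() {
    name=$1; uid=$2; group_data=${3:-$SAMPLE_GROUP}
    if ! valid_username "$name"; then
        echo "invalid user name '$name': use lowercase letters only"
        return 1
    fi
    if printf '%s\n' "$group_data" | gid_exists "$uid"; then
        echo "GID $uid already exists: adduser --uid $uid $name would fail without --ingroup"
        return 2
    fi
    echo "ok: adduser --uid $uid $name"
    return 0
}

check_adduser remote 1001      # ok
check_adduser test 1000        # GID 1000 is taken in the sample
check_adduser "Remote User" 1002   # invalid name
```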

Users management and system access

These users will not yet have enough privileges for desktop use. Alpine's defaults are restrictive, so the administrator (the root account owner) must grant that access explicitly. Take care: for a server setup there is no similar procedure!

Now we can change some defaults and add the users to the proper groups so they can access devices and manage network connections. These are the recommended groups the user should be in:

# Add every account with a home directory under /home to each of the listed groups.
for d in /home/*/; do
    u=$(basename "$d")
    for g in disk lp floppy audio cdrom dialout video netdev games users; do
        addgroup "$u" "$g"
    done
done