Setting up a new user: Difference between revisions

From Alpine Linux
mNo edit summary
No edit summary
(38 intermediate revisions by 7 users not shown)
Line 1: Line 1:


The <code>root</code> account should only be used for administrative purposes that require its elevated access permissions.
The <code>root</code> account should be used only for local administrative purposes that require elevated access permissions.


This page shows the creation of separate user accounts, e.g. for remote connections or desktop usage.
This page shows how to create non-privileged user accounts. i.e. those used for daily work, including desktop use and remote logins.


= Overview =
= Overview =


Creating user accounts provides the users their own $HOME directory and allows you (the root administrator) to limit the access that these user accounts have to the operating system's configuration.
Creating user accounts provides users with their own $HOME directory and allows you (the root user) to limit the access those user accounts have to the operating system configuration files.


Using them increases the security, because they limit possible actions and thus the possible damage (even from accidental errors).
Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).


= Creating a new user =
= Creating a new user =


To create a regular user account execute:
 
{{Cmd|# adduser <username>}}
{{Warning|If using a '''"diskless" or "data" disk mode''' installation, it's important to make the <code>/home</code> directory persistent.
<br>
* Either the <code>/home</code> filesystem needs to be mounted from a writable partition, or
* the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:
{{Cmd| # lbu include /home
# lbu commit
}} (Not recommended, as reverting to an older .apkovl will also revert the files in /home).
}}
 
 
Regular user accounts can be created with:
{{Cmd|# adduser [-g "<Full Name>"] <username>}}


By default, adduser will:
By default, adduser will:
* prompt to set a password for the new user.
* prompt you to set a password for the new user
* create a home directory in {{Path|/home/<username>}}
* create a home directory in {{Path|/home/<username>}}
* set the shell to the one used by the <code>root</code> account (ash by default)
* set the shell to the one used by the <code>root</code> account (ash by default)
* assign user ID and group ID at 1000+
* assign user ID and group ID starting at 1000
* set GECOS field to "Linux User,,,".
* set the GECOS (full name) field to "Linux User,,,"


{{Tip|The optional <code>-g "<Full Name>"</code> above sets the GECOS field.
This can be very useful to specify. Setting this string - at least equal to the username - makes the user distinguishable, e.g. when they are listed at the login screen of a display manager.
}}




'''If using a "diskless" or "data" disk mode installation''', the home directories should probably be added to the lbu captures:
'''Only''' if <code>elogind</code> is not being used and running, then X users would need to be added to the video and input groups to be able to work with a graphical display.
{{Cmd|# lbu include /home}}
adduser 'UserName' video
adduser 'UserName' input




'''If a user ''really must'' be allowed to have access to the root account''', add the <username> to the wheel group, install doas ("do as"), and allow group "wheel" to become root:
'''If a user ''really must'' be allowed to have access to the root account''', the <username> can be added to the wheel group, <code>doas</code> ("do as") may be installed, and the group "wheel" can be allowed to become root:
adduser -g "<username>" <username>
  adduser <username> wheel
  adduser <username> wheel
  apk add doas
  apk add doas
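Review bot: The two added video/input commands use a quoted 'UserName' placeholder and no {{Cmd|...}} wrapper, while every other command in this hunk uses <username>; write them as {{Cmd|# adduser <username> video}} and {{Cmd|# adduser <username> input}}. In the new intro, "accounts. i.e. those" should read "accounts, i.e. those". In the lbu warning, the "(Not recommended ...)" remark sits after the closing braces of the inner Cmd, so it is not obvious that it applies only to the second bullet; moving it into that bullet would make the scope explicit.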
Line 34: Line 50:
  nano /etc/doas.conf
  nano /etc/doas.conf


 
{{Warning|It's recommended to '''not''' run complete applications, like editors, as root just to modify administrative files.
 
<br>
 
* Many desktop environments and file browsers support using <code>admin:///</code> in their address bars, to access files through a local gvfs-admin mount
* [https://github.com/AN3223/scripts/blob/master/doasedit <code>doasedit</code>] or <code>sudoedit</code> enables starting an editor with a temporary copy of a file, which overwrites the original file after the user modifies and saves it. For example, <code>sudoedit /etc/apk/lbu.conf</code>
}}
The <code>sudo</code> package is an alternative to using the BSD-like <code>doas</code>, but is a much larger package.
It may be used as follows: adding a custom user configuration file to avoid having to deal with manually changing configuration files later during package upgrades.
apk add sudo
NEWUSER='yourUserName'
adduser -d "${NEWUSER}" $NEWUSER
echo "$NEWUSER ALL=(ALL) ALL" > /etc/sudoers.d/$NEWUSER && chmod 0440 /etc/sudoers.d/$NEWUSER




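Review bot: In the added sudo example, adduser -d "${NEWUSER}" $NEWUSER uses -d, which is not among the adduser options this page lists (-h, -g, -s, -G, -S, -D, -H, -u, -k); the doas example sets the GECOS field with -g, so -g is probably what was meant. $NEWUSER is also left unquoted in the /etc/sudoers.d/ paths, and the file is written before chmod 0440 is applied. The new warning advises against running editors as root, yet the unchanged line just above it still tells the reader to run nano /etc/doas.conf; pointing that step at doasedit would keep the section consistent.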
Line 47: Line 71:
<username>:x:1000:1000:Linux User,,,:/home/<username>:/bin/ash}}
<username>:x:1000:1000:Linux User,,,:/home/<username>:/bin/ash}}


And it's now possible to <code>exit</code> and login to the new account.
Now you should be able to issue the command <code>exit</code> and login to the new account.
 
 
 
 
 


= Options =
= Options =
Line 58: Line 77:
=== adduser ===
=== adduser ===


Usage:
Usage (from "man busybox"):


<pre><nowiki>adduser [OPTIONS] USER [GROUP]</nowiki></pre>
<pre><nowiki>adduser [OPTIONS] USER [GROUP]


Create new user, or add USER to GROUP
Create new user, or add USER to GROUP


*    --home DIR Home directory
    -h --home DIR           Home directory
*    --gecos GECOS GECOS field
    -g --gecos GECOS       GECOS field
*    --shell SHELL Login shell named SHELL by example /bin/bash
    -s --shell SHELL       Login shell named SHELL by example /bin/bash
*    --ingroup GRP Group (by name)
    -G --ingroup GRP       Group (by name)
*    --system Create a system user
    -S --system             Create a system user
*    --disabled-password Don't assign a password so cannot login in
    -D --disabled-password Don't assign a password, so cannot login
*    --no-create-home Don't create home directory
    -H --no-create-home     Don't create home directory
*    --uid UID User id
    -u --uid UID           User id
-k SKEL Skeleton directory (/etc/skel)
    -k SKEL                 Skeleton directory (/etc/skel)
 
</nowiki></pre>


{{Tip|Multi-user collaboration
{{Tip|Multi-user collaboration
If <nowiki>--ingroup</nowiki> isn't set (default) the new user is assigned a new GID that matches the UID. And if the GID corresponding to a provided UID already exists, adduser will fail.
If <nowiki>--ingroup</nowiki> isn't set, (default) the new user is assigned a new GID that matches the UID. If the GID corresponding to a provided UID already exists, adduser will fail.


This ensures new users default to having a "user's private group" (UPG) as primary group. These allow the system to use a permissive umask (002), with which new files are automatically created group-writable but to just the user's private group. And which allows that in special set-group-id group (collaboration) directories, new files can automatically be created writable by the directory's group.
This ensures new users default to having a "user's private group" (UPG) as primary group. These allow the system to use a permission umask (002), which creates new files automatically as group-writable, but only by the user's private group. In special set-group-id (collaboration) directories, new files can be automatically created writable by the directory's group.
}}
}}


=== addgroup ===
=== addgroup ===


Usage:  
Usage (from "man busybox"):  


<pre><nowiki>addgroup [-g GID] [-S] [USER] GROUP</nowiki></pre>
<pre><nowiki>addgroup [-g GID] [-S] [USER] GROUP


Create a group or add a user to a group
Create a group or add a user to a group


* --gid GID Group id
    -g --gid GID   Group id
--system   Create a system group
    -s --system     Create a system group
 
</nowiki></pre>
 


= Legacy =
= Legacy =
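Review bot: The new addgroup option list gives "-s --system" while the synopsis directly above it says [-S]; the letter case should match the synopsis. In the multi-user tip, "permissive umask (002)" became "permission umask (002)", which changes the meaning; keep "permissive". "isn't set, (default)" reads better as "isn't set (the default),".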
Line 100: Line 118:
(Taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)
(Taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)


* '''disk''':x:6:root,adm  Only if need usage vith virtual machines and access to other partitions over new disks for
* '''disk''':x:6:root,adm  needed only for use vith virtual machines and access to other partitions.
* '''lp''':x:7:lp  IF will need to use printing services and printers management
* '''lp''':x:7:lp  needed for printing services and printers management.
* '''wheel''':x:10:root  Administrators group, members can use <code>sudo</code> to run commands as root if enabled in sudo configuration.
* '''wheel''':x:10:root  Administrator group, members can use <code>sudo</code> to run commands as root if enabled in the sudo configuration.
* '''floppy''':x:11:root  Backguard compatible group, use only if need access to external special devices
* '''floppy''':x:11:root  Backward compatible group. Use only if access to special external devices is needed.
* '''audio''':x:18:  Need for audio listening and management of sound volumes as normal user
* '''audio''':x:18:  Needed for audio listening and management of sound volume as normal user.
* '''cdrom''':x:19:  For access to disck writers and mounting DVD, BR or CD rom disk as normal user
* '''cdrom''':x:19:  For access to CD/DVD/BR writers and mounting DVD, BR or CD rom disk as normal user.
* '''dialout''':x:20:root  Need for dial private connections and use of modems as normal users
* '''dialout''':x:20:root  Needed for dialing private connections and use of modems as normal user.
* '''tape''':x:26:root  Need have into this if plan to use special devices for backup.. rarelly in no servers
* '''tape''':x:26:root  Needed if you're planning to use special devices for backup. Rare. Ususally used only on servers.
* '''video''':x:27:root  For usage of cameras, mor thant one GPU special features, as normal user
* '''video''':x:27:root  For usage of cameras, more than one GPU special features, as normal user.
* '''netdev''':x:28:  For network connections management as normal user
* '''netdev''':x:28:  For network connections management as normal user.
* '''kvm''':x:34:kvm Only if as normal user will manage graphically virtual machines.. rarelly on no servers
* '''kvm''':x:34:kvm Only if a normal user will manage virtual machines via a GUI. Rare. Ususally used only on servers.
* '''games''':x:35:  Need if you want to play games also specially need if will share score between users
* '''games''':x:35:  Needed if you want to play games. Especially if sharing scores between users.
* '''cdrw''':x:80:  To write RW-DVD, RW-BR or RW-CD disk on a disk writing device
* '''cdrw''':x:80:  Needed to write RW-DVD, RW-BR or RW-CD disk on a disk writing device.
* '''apache''':x:81: Need if you will perfom development as normal user and want to publish locally on web server
* '''apache''':x:81: Needed if you do development as normal user and want to publish locally on web server.
* '''usb''':x:85: Need to access to special usb devices, deprecated group
* '''usb''':x:85: Needed to access to special usb devices. Deprecated group.
* '''users''':x:100:games If you plan to used common files for all users, mandatory as desktop usage
* '''users''':x:100:games Needed if you plan to use common files for all users. Mandatory for desktop usage.




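Review bot: The rewritten group list still carries typos: "vith" in the disk entry and "Ususally" in the tape and kvm entries. The old wording of those two entries ("rarelly in no servers", "rarelly on no servers") was ambiguous, and the new text reads it as "usually used only on servers"; worth confirming that this is the intended meaning. The wheel entry mentions only sudo, although the page now presents doas first.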
Line 122: Line 140:
= Old newbie notes =
= Old newbie notes =


=== Users creation and defaults ===
=== User creation and defaults ===


So the following commands will first setup root environment login and then assing a new password:
The following commands will set up root environment login, then assign a new password:


<pre><nowiki>
<pre><nowiki>
Line 137: Line 155:
</nowiki></pre>
</nowiki></pre>


The remote management cannot be done with root directly by default, due ssh security, so we need to setup an remote connection account to made "su" once connected.  
By default, remote management cannot be done directly with the root account. Because of SSH security we need to set up a remote connection account that will be used to switch to the root user via the su command, once connected.


The most recommended it's having a access user here named "remote" and normal general usage user here named "general" for convenience, in the next commands we will setup a very hardened limited environment for any new user and created those two users:
Here's an example: create user named "remote" and a user named "general". We will set up a hardened, limited, user environment and create those two users:


<pre><nowiki>
<pre><nowiki>
Line 169: Line 187:
</nowiki></pre>
</nowiki></pre>


{{Tip|"'''general'''" are the name of the user, that name MUST be only lowercase letters and no spaces with no symbols}}
{{Tip|"'''general'''" is the name of the user. That name MUST contain ONLY lowercase letters, NO spaces and NO symbols}}


Note that those users are created with minimal settings.
Note that those users are created with minimal privilege settings.


== Users management and system access ==
== User management and system access ==


But this user will not have enough privileges for a desktop made purposes, Alpine comes with high security so administrator (the ''root'' account owner) must perform the management of that user. Take care, for a server made there's no similar procedure!
By default, a newly created user will not have enough privileges for most desktop purposes.


Now we can changes some defaults and added to proper groups to access devices or perform connections so, those are the recommended groups where the user must have in:
To add newly created users to groups that may come in handy for desktop useage, you run this command as root:


<pre><nowiki>
<pre><nowiki>
for u in $(ls /home); do for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup $u $g; done;done
for u in $(ls /home); do for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup $u $g; done;done
</nowiki></pre>
</nowiki></pre>
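Review bot: The new lead-in sentence has a typo ("useage"), and the unchanged loop beneath it adds every name under /home to disk, which the group list on this page describes as needed only for virtual machines and access to other partitions; drop disk from the loop or state why a desktop user needs it. The rewrite also removes the remark that the administrator must manage these memberships, so the text no longer says that group assignment is a deliberate decision.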

Revision as of 20:04, 28 July 2021

The root account should be used only for local administrative purposes that require elevated access permissions.

This page shows how to create non-privileged user accounts, i.e. those used for daily work, including desktop use and remote logins.

Overview

Creating user accounts provides users with their own $HOME directory and allows you (the root user) to limit the access those user accounts have to the operating system configuration files.

Using them increases security, because they limit possible actions and thus possible damage (even from accidental errors).

Creating a new user

Warning: If using a "diskless" or "data" disk mode installation, it's important to make the /home directory persistent.


  • Either the /home filesystem needs to be mounted from a writable partition, or
  • the /home directories have to be added to the lbu backup, and a new local backup needs to be committed after creating the user:

# lbu include /home
# lbu commit

(Not recommended, as reverting to an older .apkovl will also revert the files in /home).



Regular user accounts can be created with:

# adduser [-g "<Full Name>"] <username>

By default, adduser will:

  • prompt you to set a password for the new user
  • create a home directory in /home/<username>
  • set the shell to the one used by the root account (ash by default)
  • assign user ID and group ID starting at 1000
  • set the GECOS (full name) field to "Linux User,,,"
Tip: The optional -g "<Full Name>" above sets the GECOS field.

This can be very useful to specify. Setting this string - at least equal to the username - makes the user distinguishable, e.g. when they are listed at the login screen of a display manager.


Only if elogind is not installed and running do X users need to be added to the video and input groups to be able to work with a graphical display.

adduser 'UserName' video
adduser 'UserName' input


If a user really must be allowed to have access to the root account, the <username> can be added to the wheel group, doas ("do as") may be installed, and the group "wheel" can be allowed to become root:

adduser -g "<username>" <username>
adduser <username> wheel
apk add doas
apk add nano
nano /etc/doas.conf
Warning: It's recommended to not run complete applications, like editors, as root just to modify administrative files.


  • Many desktop environments and file browsers support using admin:/// in their address bars, to access files through a local gvfs-admin mount
  • doasedit or sudoedit enables starting an editor with a temporary copy of a file, which overwrites the original file after the user modifies and saves it. For example, sudoedit /etc/apk/lbu.conf


The sudo package is an alternative to the BSD-like doas, but is a much larger package. It may be used as follows, adding a custom per-user configuration file so that configuration files do not have to be changed manually during later package upgrades.

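apk add sudo
NEWUSER='yourUserName'
# -g sets the GECOS (full name) field, here to the user name itself
adduser -g "${NEWUSER}" "$NEWUSER"
# per-user drop-in file, so the packaged /etc/sudoers stays untouched on upgrades
echo "$NEWUSER ALL=(ALL) ALL" > "/etc/sudoers.d/$NEWUSER" && chmod 0440 "/etc/sudoers.d/$NEWUSER"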


The new user gets listed in

Contents of /etc/passwd

root:x:0:0:root:/root:/bin/ash
. . .
<username>:x:1000:1000:Linux User,,,:/home/<username>:/bin/ash

Now you should be able to issue the command exit and log in to the new account.

Options

adduser

Usage (from "man busybox"):

adduser [OPTIONS] USER [GROUP]

Create new user, or add USER to GROUP

     -h --home DIR           Home directory
     -g --gecos GECOS        GECOS field
     -s --shell SHELL        Login shell named SHELL by example /bin/bash
     -G --ingroup GRP        Group (by name)
     -S --system             Create a system user
     -D --disabled-password  Don't assign a password, so cannot login
     -H --no-create-home     Don't create home directory
     -u --uid UID            User id
     -k SKEL                 Skeleton directory (/etc/skel)
Tip: Multi-user collaboration

If --ingroup isn't set (the default), the new user is assigned a new GID that matches the UID. If the GID corresponding to a provided UID already exists, adduser will fail.

This ensures new users default to having a "user's private group" (UPG) as primary group. This allows the system to use a permissive umask (002), under which new files are automatically created group-writable, but writable only by the user's private group. In special set-group-id (collaboration) directories, new files can then be automatically created writable by the directory's group.
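The effect of umask 002 and of a set-group-id directory on newly created files can be checked without root. The following script is an added example, not part of the wiki page; the directory and file names are made up, and everything happens in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Works in a throwaway directory;
# the names "collab" and "notes.txt" are made up for the demonstration.

# mode_of PATH: the ten-character mode string from ls, e.g. -rw-rw-r--
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# group_of PATH: name (or numeric GID) of the group owning PATH
group_of() {
    ls -ld "$1" | awk '{ print $4 }'
}

# new_file_mode UMASK: mode of a file created while UMASK is in effect
new_file_mode() {
    work=$(mktemp -d) || return 1
    ( umask "$1"; : > "$work/file" )
    mode_of "$work/file"
    rm -rf "$work"
}

# collab_dir_demo: create a set-group-id directory, create a file in it under
# umask 002, and print "<dir mode> <file mode> <file group equals dir group>"
collab_dir_demo() {
    work=$(mktemp -d) || return 1
    mkdir "$work/collab"
    chmod 2775 "$work/collab"   # set-group-id: new entries take the directory's group
    ( umask 002; : > "$work/collab/notes.txt" )
    same=no
    [ "$(group_of "$work/collab")" = "$(group_of "$work/collab/notes.txt")" ] && same=yes
    echo "$(mode_of "$work/collab") $(mode_of "$work/collab/notes.txt") $same"
    rm -rf "$work"
}

# Stand-alone run: compare the restrictive and the permissive umask.
echo "umask 022   -> $(new_file_mode 022)"
echo "umask 002   -> $(new_file_mode 002)"
echo "setgid dir  -> $(collab_dir_demo)"
```

Run unprivileged, the directory's group is the caller's own group, so only the modes differ; on a directory whose group was set to a shared group created with addgroup, the new file would carry that shared group and be writable by its members.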

addgroup

Usage (from "man busybox"):

addgroup [-g GID] [-S] [USER] GROUP

Create a group or add a user to a group

    -g --gid GID    Group id
    -S --system     Create a system group

Legacy

Common permission groups

(Taken from https://git.alpinelinux.org/alpine-baselayout/tree/group)

  • disk:x:6:root,adm Needed only for use with virtual machines and access to other partitions.
  • lp:x:7:lp Needed for printing services and printer management.
  • wheel:x:10:root Administrator group, members can use sudo to run commands as root if enabled in the sudo configuration.
  • floppy:x:11:root Backward compatible group. Use only if access to special external devices is needed.
  • audio:x:18: Needed for audio listening and management of sound volume as normal user.
  • cdrom:x:19: For access to CD/DVD/BR writers and mounting DVD, BR or CD-ROM disks as normal user.
  • dialout:x:20:root Needed for dialing private connections and use of modems as normal user.
  • tape:x:26:root Needed if you're planning to use special devices for backup. Rare. Usually used only on servers.
  • video:x:27:root For usage of cameras and special features of more than one GPU, as normal user.
  • netdev:x:28: For network connection management as normal user.
  • kvm:x:34:kvm Only if a normal user will manage virtual machines via a GUI. Rare. Usually used only on servers.
  • games:x:35: Needed if you want to play games, especially if sharing scores between users.
  • cdrw:x:80: Needed to write RW-DVD, RW-BR or RW-CD disks on a disk writing device.
  • apache:x:81: Needed if you do development as normal user and want to publish locally on a web server.
  • usb:x:85: Needed to access special USB devices. Deprecated group.
  • users:x:100:games Needed if you plan to use common files for all users. Mandatory for desktop usage.



Old newbie notes

User creation and defaults

The following commands will set up root environment login, then assign a new password:

cat > /root/.cshrc << EOF
unsetenv DISPLAY || true
HISTCONTROL=ignoreboth
EOF

cp /root/.cshrc /root/.profile

# chpasswd reads user:password pairs on standard input
echo "root:secret_new_root_password" | chpasswd

By default, remote management cannot be done directly with the root account. Because of SSH security, we need to set up a remote connection account that is used to switch to the root user via the su command once connected.

Here's an example: create a user named "remote" and a user named "general". We will set up a hardened, limited user environment and create those two users:

mkdir -p /etc/skel/

cat > /etc/skel/.logout << EOF
history -c
/bin/rm -f /opt/remote/.mysql_history
/bin/rm -f /opt/remote/.history
/bin/rm -f /opt/remote/.bash_history
EOF

cat > /etc/skel/.cshrc << EOF
set autologout = 30
set prompt = "$ "
set history = 0
set ignoreeof
EOF

cp /etc/skel/.cshrc /etc/skel/.profile

adduser -D --home /opt/remote --shell /bin/ash remote

echo "remote:secret_new_remote_user_password" | chpasswd

adduser -D --shell /bin/bash general

echo "general:secret_new_general_user_password" | chpasswd
Tip: "general" is the name of the user. That name MUST contain ONLY lowercase letters, NO spaces and NO symbols

Note that those users are created with minimal privilege settings.

User management and system access

By default, a newly created user will not have enough privileges for most desktop purposes.

To add newly created users to groups that may come in handy for desktop usage, run this command as root:

for u in $(ls /home); do for g in disk lp floppy audio cdrom dialout video netdev games users; do addgroup $u $g; done;done
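
The loop above puts every account under /home into disk and other device groups, so it is worth reviewing afterwards who ended up where. The following script is an added example, not part of the wiki page: it reads files in the /etc/passwd and /etc/group formats shown on this page and lists UID 0 accounts, users without a private group, and members of the groups it treats as sensitive (wheel, disk and kvm; that selection is this example's assumption). Run without arguments, it uses constructed sample files.

```shell
#!/bin/sh
# Added example, not part of the wiki page. Reads files in the /etc/passwd and
# /etc/group formats; SENSITIVE_GROUPS is this example's own selection.
SENSITIVE_GROUPS="${SENSITIVE_GROUPS:-wheel disk kvm}"

# uid0_accounts PASSWD: every account name with UID 0 (normally only root).
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# non_upg_users PASSWD: regular users (UID 1000 and up, excluding 65534)
# whose primary GID does not match their UID, i.e. no user's private group.
non_upg_users() {
    awk -F: '$3 >= 1000 && $3 != 65534 && $3 != $4 { print $1 }' "$1"
}

# sensitive_members PASSWD GROUP: sorted "user group" pairs for each member of a
# sensitive group, by member list (group field 4) or primary GID (passwd field 4).
sensitive_members() {
    awk -F: -v want="$SENSITIVE_GROUPS" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) flag[w[i]] = 1 }
        !in_passwd && ($1 in flag) {
            name_of[$3] = $1
            m = split($4, u, ",")
            for (i = 1; i <= m; i++) if (u[i] != "") print u[i], $1
        }
        in_passwd && ($4 in name_of) { print $1, name_of[$4] }
    ' "$2" in_passwd=1 "$1" | LC_ALL=C sort -u
}

# write_sample DIR: constructed passwd and group files (not real accounts).
write_sample() {
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/ash
alice:x:1000:1000:Alice Example:/home/alice:/bin/ash
bob:x:1001:1001:Linux User,,,:/home/bob:/bin/ash
carol:x:1002:6:Linux User,,,:/home/carol:/bin/ash
toor:x:0:0:second root:/root:/bin/ash
EOF
    cat > "$1/group" <<'EOF'
disk:x:6:root,adm,bob
wheel:x:10:root,alice
audio:x:18:alice,bob
kvm:x:34:kvm
alice:x:1000:
bob:x:1001:
EOF
}

# audit_report PASSWD GROUP: print the three checks as one report.
audit_report() {
    echo "UID 0 accounts:   $(uid0_accounts "$1" | tr '\n' ' ')"
    echo "No private group: $(non_upg_users "$1" | tr '\n' ' ')"
    echo "Sensitive group memberships:"
    sensitive_members "$1" "$2" | sed 's/^/  /'
}

if [ $# -eq 2 ]; then
    audit_report "$1" "$2"
else
    demo=$(mktemp -d) && write_sample "$demo" && audit_report "$demo/passwd" "$demo/group"
    rm -rf "$demo"
fi
```

On a live system the script is called with /etc/passwd and /etc/group as its two arguments; setting SENSITIVE_GROUPS in the environment changes which groups are reported.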