documentation/docs/alpine-server-setup/post-install/users.md

# Users

To run containers securely; in an environment with fewer privileges, a user is necessary.

## Wheel

Before creating the user, install `doas`. To be able to "do as" root when it is required:

```
# apk add doas
```

Configure `doas` through `/etc/doas.d/wheel.conf`:

```
permit persist :wheel as root
```

## Adding a user

A user can be added in Alpine Linux with the `setup-user` script. Here we can specify the name, groups and more:

```
# setup-user -g wheel <username>
# passwd <username>
```

You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```

If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:

```
# passwd -l root
```

and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

## User services

The user will have its own service manager, for the management of user containers and other user services. As service manager `runsvdir` from `runit` will be used. Therefore install

```
# apk add runit
```

Create `/etc/init.d/runsvdir-user`, which will be the openrc-script for the service manager of the user. 

```
#!/sbin/openrc-run

user="${RC_SVCNAME##*.}"
svdir="/home/${user}/.local/service"
pidfile="/run/runsvdir-user.${user}.pid"

command="/usr/bin/runsvdir"
command_args="$svdir"
command_user="$user"
command_background=true

depend()
{
    after network-online
}
```

Make `/etc/init.d/runsvdir-user` an executable

```
# chmod +x /etc/init.d/runsvdir-user
```

Link the user to `/etc/init.d/runsvdir-user`

```
# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>
```

Finally, add the service to the default runlevel

```
# rc-update add runsvdir-user.<username> default
```

> This process can of course be repeated for several users.
Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00			`# Users`

			`To run containers securely; in an environment with fewer privileges, a user is necessary.`

			`## Wheel`

Updated users in post-install of alpine-server setup. 2024-08-11 22:44:17 +02:00			Before creating the user, install `doas`. To be able to "do as" root when it is required:
Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00
			```
			`# apk add doas`
			```

Some updates in alpine-server-setup. 2024-10-07 21:03:01 +02:00			Configure `doas` through `/etc/doas.d/wheel.conf`:
Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00
			```
			`permit persist :wheel as root`
			```

			`## Adding a user`

Updated users in post-install of alpine-server setup. 2024-08-11 22:44:17 +02:00			A user can be added in Alpine Linux with the `setup-user` script. Here we can specify the name, groups and more:
Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00
			```
Updated users in post-install of alpine-server setup. 2024-08-11 22:44:17 +02:00			`# setup-user -g wheel <username>`
Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00			`# passwd <username>`
			```

Added user services and mount-home to users in alpine-server setup. 2024-08-11 22:39:30 +02:00			You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

			```
			`<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>`
			```

Updated post install section of alpine-server setup. 2024-08-11 17:22:35 +02:00			If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:

			```
			`# passwd -l root`
			```

			and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

			```
			`root:x:0:0:root:/root:/sbin/nologin`
			```

			`## User services`

Changed the install to full pool encryption. 2024-08-12 14:19:14 +02:00			The user will have its own service manager, for the management of user containers and other user services. As service manager `runsvdir` from `runit` will be used. Therefore install
Added user services and mount-home to users in alpine-server setup. 2024-08-11 22:39:30 +02:00
			```
			`# apk add runit`
			```

Changed the install to full pool encryption. 2024-08-12 14:19:14 +02:00			Create `/etc/init.d/runsvdir-user`, which will be the openrc-script for the service manager of the user.
Added user services and mount-home to users in alpine-server setup. 2024-08-11 22:39:30 +02:00
			```
			`#!/sbin/openrc-run`

			`user="${RC_SVCNAME##*.}"`
			`svdir="/home/${user}/.local/service"`
			`pidfile="/run/runsvdir-user.${user}.pid"`

			`command="/usr/bin/runsvdir"`
			`command_args="$svdir"`
			`command_user="$user"`
			`command_background=true`

			`depend()`
			`{`
Changed the install to full pool encryption. 2024-08-12 14:19:14 +02:00			`after network-online`
Added user services and mount-home to users in alpine-server setup. 2024-08-11 22:39:30 +02:00			`}`
			```

			Make `/etc/init.d/runsvdir-user` an executable

			```
			`# chmod +x /etc/init.d/runsvdir-user`
			```

			Link the user to `/etc/init.d/runsvdir-user`

			```
			`# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>`
			```

Changed the install to full pool encryption. 2024-08-12 14:19:14 +02:00			`Finally, add the service to the default runlevel`
Added user services and mount-home to users in alpine-server setup. 2024-08-11 22:39:30 +02:00
			```
Changed the install to full pool encryption. 2024-08-12 14:19:14 +02:00			`# rc-update add runsvdir-user.<username> default`
Added user services and mount-home to users in alpine-server setup. 2024-08-11 22:39:30 +02:00			```

Changed the install to full pool encryption. 2024-08-12 14:19:14 +02:00			`> This process can of course be repeated for several users.`