lnorg/documentation
1
2
Fork 0
Code Issues 30 Pull requests Projects 6 Activity
documentation/docs/alpine-desktop-setup/post-install/users.md

113 lines
3 KiB
Markdown
Raw Permalink Blame History

# Users
It might be nice to add a user to your system.
## Wheel
Before creating the user, install `doas`. To be able to "do as" root when it is required:
```
# apk add doas
```
Configure `doas` through `/etc/doas.d/main.conf`:
```
permit persist :wheel as root
permit nopasss :_power cmd /sbin/poweroff
permit nopasss :_power cmd /sbin/reboot
```
and create a `_power` group for users to be able to power off the system without root:
```
# addgroup -S _power
```
## Adding a user
Adding a user in Alpine Linux can be done using the `setup-user` script. Here we can specify the name, groups and more:
```
# setup-user -g wheel,_power <username>
# passwd <username>
```
> It is recommended to have an "admin" account which is the sole account in the wheel group.
You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:
```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```
> Do not log in yet if you want to encrypt the user's home directory.
If you have checked that `doas` works with the user then you can lock the root account because it imposes security risks if it is kept open. This can be done with:
```
# passwd -l root
```
and editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:
```
root:x:0:0:root:/root:/sbin/nologin
```
## Encrypting the home directory
> Not yet working, DO NOT FOLLOW.
If you are running a system with multiple users or if you want an extra layer of protection then it is possible to encrypt every user's home directory.
> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.
First install the `fscrypt` and `e2fsprogs-extra` packages:
```
# apk add fscrypt e2fsprogs-extra
```
Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory:
```
# tune2fs -O encrypt /dev/vg<n>/alp_home
# fscrypt setup
# fscrypt setup /home
```
And in `/etc/pam.d/login` add these lines to their corresponding sections:
```
auth optional pam_fscrypt.so
...
session optional pam_fscrypt.so
```
Then encrypt the home directory with:
```
# fscrypt encrypt /home/<username> --user=<username>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```
Then reboot and login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:
```
$ fscrypt status /home/<username>
```
## TLDR
If you have already set up a system with a user but want to add another do this:
```
# setup-user -g (wheel,)nix,_power -f "<Full Name>" <username>
# passwd <username>
[Change shell in /etc/passwd]
# fscrypt encrypt /home/<username> --user=<username> # Doesn't work yet
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```
Reference in a new issue View git blame Copy permalink