142 lines | 2.9 KiB | Markdown

# Users

To run containers securely, in an environment with fewer privileges, an unprivileged user is necessary.

## Wheel

Before creating the user, install `doas`, so that you can "do as" root when it is required:

```
# apk add doas
```

Configure `doas` through `/etc/doas.d/main.conf`:

```
permit persist :wheel as root
```

## Adding a user

A user can be added in Alpine Linux with the `setup-user` script, which lets you specify the name, groups and more:

```
# setup-user -g wheel <username>
# passwd <username>
```

> Make sure that the home dataset is decrypted and mounted before creating a user.

You may have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell listed in `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:

```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```

Once you have checked that `doas` works for the user, you can lock the root account, since leaving it open is a security risk. This is done with:

```
# passwd -l root
```

and by editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

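As an added check that is not part of the original page, the POSIX shell functions below audit the account state this section ends in: `account_state` confirms that root is locked in both the shadow hash and the login shell (a fresh `setup-user` account that is still on `/sbin/nologin` shows up as `partial`), and `wheel_escalation` confirms that a user can actually reach root through the wheel rule. The function names are hypothetical, and the sample `passwd`, `shadow`, `group` and `doas.conf` files are constructed inline.

```shell
# Added audit helper (not from the original page); file paths are parameters.
# Print "locked" (hash starts with "!" or "*" AND shell is /sbin/nologin),
# "active" (neither), "partial" (only one of the two) or "missing" for NAME.
account_state() {
    passwd_file=$1; shadow_file=$2; name=$3
    pw_line=$(grep "^${name}:" "$passwd_file" 2>/dev/null) || { echo missing; return 0; }
    shell=$(printf '%s\n' "$pw_line" | cut -d: -f7)
    hash=$(grep "^${name}:" "$shadow_file" 2>/dev/null | cut -d: -f2)
    case "$hash" in
        '!'*|'*'*) hash_locked=1 ;;   # "!" is what `passwd -l` prepends
        *)         hash_locked=0 ;;
    esac
    if [ "$shell" = /sbin/nologin ]; then shell_locked=1; else shell_locked=0; fi
    case "${hash_locked}${shell_locked}" in
        11) echo locked ;;
        00) echo active ;;
        *)  echo partial ;;   # e.g. root shell changed but passwd -l not yet run
    esac
}
# Print "yes" if NAME is in wheel AND doas has a "permit ... :wheel as root" rule.
wheel_escalation() {
    group_file=$1; doas_conf=$2; name=$3
    members=$(grep '^wheel:' "$group_file" 2>/dev/null | cut -d: -f4)
    case ",${members}," in
        *",${name},"*) in_wheel=1 ;;
        *)             in_wheel=0 ;;
    esac
    if grep -Eq '^[[:space:]]*permit([[:space:]]+[a-z]+)*[[:space:]]+:wheel[[:space:]]+as[[:space:]]+root' "$doas_conf" 2>/dev/null
    then rule=1; else rule=0; fi
    if [ "$in_wheel$rule" = 11 ]; then echo yes; else echo no; fi
}
# Constructed sample files (not real system data): root locked as this page
# describes, alice given /bin/ash and wheel, bob left on setup-user's default shell.
make_sample() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/ash
bob:x:1001:1001:Bob:/home/bob:/sbin/nologin
EOF
    cat > "$d/shadow" <<'EOF'
root:!:19000:0:99999:7:::
alice:$6$constructed$notarealhash:19000:0:99999:7:::
bob:$6$constructed$notarealhash:19000:0:99999:7:::
EOF
    printf 'wheel:x:10:root,alice\n' > "$d/group"
    printf 'permit persist :wheel as root\n' > "$d/doas.conf"
    echo "$d"
}
```

Run against the real files as `account_state /etc/passwd /etc/shadow root` and `wheel_escalation /etc/group /etc/doas.d/main.conf <username>` before locking root, so that you never lock yourself out of a box whose only wheel user still has `/sbin/nologin` as its shell.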
## User services

The user will have its own init system for managing user containers and other user services. The `runsvdir` command of the `runit` init system will be used to create a local init system for the user.

```
# apk add runit
```

Create `/etc/init.d/runsvdir-user`, which will be the init script for the local init system of the user:

```
#!/sbin/openrc-run

user="${RC_SVCNAME##*.}"
svdir="/home/${user}/.local/service"
pidfile="/run/runsvdir-user.${user}.pid"

command="/usr/bin/runsvdir"
command_args="$svdir"
command_user="$user"
command_background=true

depend()
{
	after mount-home
}
```

Make `/etc/init.d/runsvdir-user` executable:

```
# chmod +x /etc/init.d/runsvdir-user
```

Link the user to `/etc/init.d/runsvdir-user`:

```
# ln -s /etc/init.d/runsvdir-user /etc/init.d/runsvdir-user.<username>
```

Finally, add the service to the manual runlevel:

```
# rc-update add runsvdir-user.<username> manual
```

> This process can of course be repeated for several users.

### Mounting home

Before the user init system can be started, the home dataset should be decrypted and mounted. This process will be partially automated by adding it to the manual runlevel.

Create `/etc/init.d/mount-home`:

```
#!/sbin/openrc-run

depend()
{
	need localmount
}

start()
{
	zfs load-key -L prompt tank/home
	zfs mount tank/home
}

stop()
{
	zfs unmount tank/home
	zfs unload-key tank/home
}
```

Make `/etc/init.d/mount-home` executable:

```
# chmod +x /etc/init.d/mount-home
```

Add the service to the manual runlevel:

```
# rc-update add mount-home manual
```

Now the scripts can be started in the right order with:

```
# openrc -n manual
```

> Note that after a reboot this command has to be run again to decrypt the home partition and to start the user services.