documentation/docs/alpine-desktop-setup/post-install/users.md


Users

It might be nice to add a user to your system.

Wheel

Before creating the user, install doas so it can be used whenever root privileges are required:

# apk add doas

Configure doas through /etc/doas.d/main.conf:

permit persist :wheel as root
permit nopass :_power cmd /sbin/poweroff
permit nopass :_power cmd /sbin/reboot

and create a _power group so that its members can power off the system without becoming root:

# addgroup -S _power

Adding a user

Adding a user in Alpine Linux can be done with the setup-user script, which lets you specify the username, the full name (-f), the groups (-g) and more:

# setup-user -g wheel,_power -f "<Full Name>" <username>
# passwd <username>

It is recommended to have an "admin" account which is the sole member of the wheel group.

You may have to change the user's shell in /etc/passwd from /sbin/nologin to a shell listed in /etc/shells. Alpine Linux comes with /bin/ash by default:

<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>

Do not log in yet if you want to encrypt the user's home directory.

Once you have checked that doas works for the user, you can lock the root account, since leaving it open poses a security risk. This can be done with:

# passwd -l root

and by editing /etc/passwd to change root's login shell from /bin/ash to /sbin/nologin:

root:x:0:0:root:/root:/sbin/nologin
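A post-install check for the points above (exactly one admin in wheel, root locked, and every doas nopass rule limited to a cmd), added here as an example and not part of the original guide. File paths are passed as arguments, so it can be run against copies of the real files or against constructed samples; the function names are the example's own.

```sh
#!/bin/sh
# Audit the user setup described above: exactly one wheel admin, root locked,
# and every doas "nopass" rule restricted to a specific cmd.
# Paths are arguments so the checks can run on constructed samples as well as on
# the live /etc/passwd, /etc/shadow, /etc/group and /etc/doas.d/main.conf.

# Print the member list (fourth field of /etc/group) of a group.
group_members() {   # group_members GROUPFILE GROUP
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# Succeed only if wheel lists exactly one member (the recommended sole admin).
# Note: an account whose primary gid is wheel would not appear in this field.
single_wheel_admin() {   # single_wheel_admin GROUPFILE
    members=$(group_members "$1" wheel)
    [ -n "$members" ] || return 1
    case "$members" in *,*) return 1 ;; esac
}

# Succeed if root is locked: shadow hash prefixed with '!' (what `passwd -l` writes)
# and the login shell in passwd set to /sbin/nologin.
root_locked() {   # root_locked PASSWDFILE SHADOWFILE
    pwhash=$(awk -F: '$1 == "root" { print $2 }' "$2")
    shell=$(awk -F: '$1 == "root" { print $7 }' "$1")
    case "$pwhash" in '!'*) ;; *) return 1 ;; esac
    [ "$shell" = "/sbin/nologin" ]
}

# Succeed if every "permit ... nopass" rule names a cmd; a nopass rule without
# one would grant that identity passwordless root for any command.
# Only the simple option keywords (persist, nopass, keepenv, ...) are recognised.
nopass_rules_restricted() {   # nopass_rules_restricted DOASCONF
    ! grep -E '^[[:space:]]*permit([[:space:]]+[a-z]+)*[[:space:]]+nopass([[:space:]]|$)' "$1" \
        | grep -vqE '[[:space:]]cmd[[:space:]]'
}

# Run all checks, print each finding, and return non-zero if any failed.
audit_users() {   # audit_users PASSWDFILE SHADOWFILE GROUPFILE DOASCONF
    rc=0
    single_wheel_admin "$3"      || { echo "wheel should hold exactly one admin, has: '$(group_members "$3" wheel)'"; rc=1; }
    root_locked "$1" "$2"        || { echo "root is not locked (passwd -l root and /sbin/nologin shell)"; rc=1; }
    nopass_rules_restricted "$4" || { echo "a nopass rule in $4 is not limited to a cmd"; rc=1; }
    return $rc
}

# Uncomment to audit the live system (reading /etc/shadow needs root):
# audit_users /etc/passwd /etc/shadow /etc/group /etc/doas.d/main.conf
```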

Encrypting the home directory

Not yet working, DO NOT FOLLOW.

If you are running a system with multiple users, or if you want an extra layer of protection, it is possible to encrypt every user's home directory.

Do note that a second layer of encryption can lower disk performance, so where performance matters it may be preferable not to encrypt.

First install the fscrypt and e2fsprogs-extra packages:

# apk add fscrypt e2fsprogs-extra

Then make sure the filesystem has the encrypt feature enabled and set up fscrypt on the home directory:

# tune2fs -O encrypt /dev/vg<n>/alp_home
# fscrypt setup
# fscrypt setup /home

And in /etc/pam.d/login add these lines to their corresponding sections:

auth     optional    pam_fscrypt.so
...
session  optional    pam_fscrypt.so

Then encrypt the home directory with:

# fscrypt encrypt /home/<username> --user=<username>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]

Then reboot and log in with the user to check whether it worked. It should also have given you a recovery password, which should be stored somewhere safe (like Bitwarden). To check the status of the directory run:

$ fscrypt status /home/<username>

TLDR

If you have already set up a system with a user but want to add another do this:

# setup-user -g (wheel,)nix,_power -f "<Full Name>" <username>
# passwd <username>
[Change shell in /etc/passwd]
# fscrypt encrypt /home/<username> --user=<username> # Doesn't work yet
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]