115 lines
3 KiB
Markdown
115 lines
3 KiB
Markdown
# Users
|
|
|
|
It might be nice to add a user to your system.
|
|
|
|
## Doas
|
|
|
|
Before creating the user install `doas` for when root is requiered:
|
|
|
|
```
|
|
# apk add doas
|
|
```
|
|
|
|
Also configure `doas` through `/etc/doas.d/main.conf`:
|
|
|
|
```
|
|
permit persist :wheel as root
|
|
permit nopasss :_power cmd poweroff
|
|
permit nopasss :_power cmd reboot
|
|
```
|
|
|
|
And create a `_power` group for user's to be able to poweroff the system without root:
|
|
|
|
```
|
|
# addgroup -S _power
|
|
```
|
|
|
|
## Adding a user
|
|
|
|
Adding a user in alpine can be done using the `setup-user` script. Here we can specify the name, fullname, groups and more:
|
|
|
|
```
|
|
# setup-user -g wheel,plugdev,_seatd,nix,_power -f "<Full Name>" <username>
|
|
# passwd <username>
|
|
```
|
|
|
|
And you (might) have to change the shell of the user in `/etc/passwd` from `/sbin/nologin` to a shell from `/etc/shells`. Alpine Linux comes with `/bin/ash` by default:
|
|
|
|
```
|
|
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
|
|
```
|
|
|
|
> It's also recommended to have an "admin" account which is the only one in the wheel group.
|
|
|
|
Don't login yet if you want to encrypt the directory.
|
|
|
|
If you have checked that `doas` works with the user then you can lock the root account because it's insecure to keep open. This can be done with:
|
|
|
|
```
|
|
# passwd -l root
|
|
```
|
|
|
|
And editing `/etc/passwd` to change the login shell from `/bin/ash` to `/sbin/nologin`:
|
|
|
|
```
|
|
root:x:0:0:root:/root:/sbin/nologin
|
|
```
|
|
|
|
### Encrypting the home directory
|
|
|
|
If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory.
|
|
|
|
> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.
|
|
|
|
#### Setting up fscrypt
|
|
|
|
First install the `fscrypt`, `e2fsprogs-extra` and `util-linux-login` packages:
|
|
|
|
```
|
|
# apk add fscrypt e2fsprogs-extra util-linux-login
|
|
```
|
|
|
|
Then make sure our filesystem has the `encrypt` feature enabled and setup `fscrypt` on the home directory:
|
|
|
|
```
|
|
# tune2fs -O encrypt /dev/vg<m>/home<n>
|
|
# fscrypt setup
|
|
# fscrypt setup /home
|
|
```
|
|
|
|
And edit `/etc/pam.d/login` and adding these lines to their corresponding sections:
|
|
|
|
```
|
|
auth optional pam_fscrypt.so
|
|
...
|
|
session optional pam_fscrypt.so
|
|
```
|
|
|
|
#### Encrypting a user's home
|
|
|
|
Encrypt the directory with:
|
|
|
|
```
|
|
# fscrypt encrypt /home/<username> --user=<username>
|
|
[Create a new login protector]
|
|
[Enter 1 so that it unlocks the directory when the user logs in]
|
|
```
|
|
|
|
Then reboot and login with the user to check if it worked. It should also have given you a recovery password which should be stored somewhere safely (like Bitwarden). To check the status of the directory run:
|
|
|
|
```
|
|
$ fscrypt status /home/<username>
|
|
```
|
|
|
|
## TLDR
|
|
|
|
If you have already set up a system with a user but want to add another do this:
|
|
|
|
```
|
|
# setup-user -g (wheel,)plugdev,_seatd,nix,_power -f "<Full Name>" <username>
|
|
# passwd <username>
|
|
[Change shell in /etc/passwd]
|
|
# fscrypt encrypt /home/<username> --user=<username>
|
|
[Create a new login protector]
|
|
[Enter 1 so that it unlocks the directory when the user logs in]
|
|
```
|