documentation/docs/alpine-desktop-setup/post-install/users.md
2023-12-28 16:05:29 +01:00


# Users
It is a good idea to add a regular user instead of working as root all the time.
## Doas
Before creating the user, install `doas` for when root is required:
```
# apk add doas
```
Also configure `doas` through `/etc/doas.d/main.conf`:
```
permit persist :wheel as root
permit nopass :_power cmd poweroff
permit nopass :_power cmd reboot
```
The keyword is `nopass`; a typo in any rule is a parse error that makes `doas` reject the whole file and deny everything, so check the file with `doas -C /etc/doas.d/main.conf` (append a command, e.g. `doas -C /etc/doas.d/main.conf poweroff`, to print the `permit`/`deny` decision for it).
Then create the `_power` group so that its members can power off the system without becoming root:
```
# addgroup -S _power
```
## Adding a user
Adding a user in Alpine can be done with the `setup-user` script, which lets you specify the name, full name, groups and more:
```
# setup-user -g wheel,plugdev,_seatd,nix,_power -f "<Full Name>" <username>
# passwd <username>
```
`setup-user` may leave the login shell as `/sbin/nologin`, in which case change it in `/etc/passwd` to a shell listed in `/etc/shells`; Alpine Linux ships `/bin/ash` by default:
```
<username>:x:1234:1234:<Full Name>:/home/<username>:/bin/<shell>
```
> It's also recommended to have a dedicated "admin" account which is the only one in the wheel group.
Don't log in as the new user yet if you want to encrypt its home directory: `fscrypt encrypt` only works on an empty directory, and anything a login session leaves behind in it would make that step fail.
Once you have checked that `doas` works for the new user (for example, `doas id` should report `uid=0`), lock the root account: with a working `doas` there is no reason to keep a second, password-protected way to root open. Be aware that after this root is reachable only through `doas` (or by booting rescue media), so do verify `doas` first. Locking is done with:
```
# passwd -l root
```
Then edit `/etc/passwd` to change root's login shell from `/bin/ash` to `/sbin/nologin`:
```
root:x:0:0:root:/root:/sbin/nologin
```
### Encrypting the home directory
If you are running a system with multiple users or if you want an extra layer of protection then it's possible to encrypt every user's home directory.
> Do note that a second layer of encryption can lead to lower disk performance so in the case where this is important it might be preferred not to encrypt.
#### Setting up fscrypt
First install the `fscrypt`, `e2fsprogs-extra` and `util-linux-login` packages (the last one provides a `login` that runs through PAM, which the `pam_fscrypt` hooks added below need):
```
# apk add fscrypt e2fsprogs-extra util-linux-login
```
Then make sure the filesystem holding `/home` has the ext4 `encrypt` feature enabled, create the global `fscrypt` configuration and set up `fscrypt` metadata on the home directory:
```
# tune2fs -O encrypt /dev/vg<m>/home<n>
# fscrypt setup
# fscrypt setup /home
```
Then edit `/etc/pam.d/login`, adding these lines to their corresponding sections (the `auth` hook captures the login password, the `session` hook uses it to unlock the home directory):
```
auth optional pam_fscrypt.so
...
session optional pam_fscrypt.so
```
fscrypt's own PAM instructions also add `password optional pam_fscrypt.so` to the `password` section so that a login protector is re-wrapped when the user changes their password with `passwd`; without it the protector still expects the old password.
#### Encrypting a user's home
Encrypt the directory with:
```
# fscrypt encrypt /home/<username> --user=<username>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```
Then reboot and log in as the user to check that it worked. `fscrypt` also generates a recovery passphrase for the login protector; store it somewhere safe (a password manager such as Bitwarden), since it is the only way to unlock the directory if the login password is lost. To check the status of the directory run:
```
$ fscrypt status /home/<username>
```
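The following added example (not from the page or the fscrypt project) checks the three prerequisites of the steps above before `fscrypt encrypt` is run: the `encrypt` feature on the filesystem (parsed from `tune2fs -l` output), the `pam_fscrypt.so` lines in `/etc/pam.d/login`, and an empty home directory, which `fscrypt encrypt` requires. The `tune2fs` output, PAM files and directories it runs against are constructed samples; the device path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the page or from the fscrypt project: pre-flight
# checks for the fscrypt steps above. Each check takes its input as an argument
# so it can be dry-run on constructed samples first and then on the live system:
#   fs_has_encrypt "$(tune2fs -l /dev/vg0/home0)"   # device path is an assumption
#   pam_has_fscrypt /etc/pam.d/login
#   home_ready_for_encrypt /home/alice

# fs_has_encrypt TUNE2FS_OUTPUT -> 0 if the "Filesystem features:" line lists
# the encrypt feature (exact word, so e.g. "encrypt_extra" would not count)
fs_has_encrypt() {
    printf '%s\n' "$1" | awk -F': *' '
        $1 == "Filesystem features" {
            n = split($2, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "encrypt") found = 1
        }
        END { exit !found }'
}

# pam_has_fscrypt PAM_FILE -> 0 if both the auth and session stacks call
# pam_fscrypt.so (comments and blank lines are skipped)
pam_has_fscrypt() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }
        $1 == "auth"    && $3 == "pam_fscrypt.so" { a = 1 }
        $1 == "session" && $3 == "pam_fscrypt.so" { s = 1 }
        END { exit !(a && s) }' "$1"
}

# home_ready_for_encrypt DIR -> 0 if DIR exists and is empty; fscrypt encrypt
# refuses a non-empty directory, which is why the user must not log in first
home_ready_for_encrypt() {
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

# preflight TUNE2FS_OUTPUT PAM_FILE DIR -> prints each failed check, returns 1 if any
preflight() {
    rc=0
    fs_has_encrypt "$1" ||
        { echo "filesystem lacks the encrypt feature (tune2fs -O encrypt <device>)"; rc=1; }
    pam_has_fscrypt "$2" ||
        { echo "$2 lacks auth/session pam_fscrypt.so lines"; rc=1; }
    home_ready_for_encrypt "$3" ||
        { echo "$3 is missing or not empty; fscrypt encrypt needs an empty directory"; rc=1; }
    return $rc
}

# Constructed samples (not from a real system) for a dry run.
SAMPLE=$(mktemp -d)
trap 'rm -rf "$SAMPLE"' EXIT
FEATURES_OK='Filesystem volume name:   <none>
Filesystem features:      has_journal ext_attr dir_index filetype extent flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum encrypt
Filesystem flags:         signed_directory_hash'
FEATURES_MISSING='Filesystem features:      has_journal ext_attr dir_index filetype extent flex_bg sparse_super large_file huge_file dir_nlink extra_isize metadata_csum'
cat > "$SAMPLE/login.ok" <<'EOF'
# /etc/pam.d/login (constructed sample)
auth       optional   pam_fscrypt.so
auth       include    base-auth
account    include    base-account
password   include    base-password
session    include    base-session
session    optional   pam_fscrypt.so
EOF
# Same file with the session hook forgotten: login succeeds, home is never unlocked.
grep -v '^session.*pam_fscrypt' "$SAMPLE/login.ok" > "$SAMPLE/login.nosession"
mkdir -p "$SAMPLE/home/alice" "$SAMPLE/home/bob"
: > "$SAMPLE/home/bob/.ash_history"   # bob already logged in once

for user in alice bob; do
    echo "== $user =="
    if preflight "$FEATURES_OK" "$SAMPLE/login.ok" "$SAMPLE/home/$user"; then
        echo "ready: fscrypt encrypt $SAMPLE/home/$user --user=$user"
    fi
done
```

In the dry run alice's empty directory passes while bob's fails on the leftover `.ash_history`, which is the situation the "don't log in yet" warning above is about.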
## TLDR
If you have already set up a system with a user but want to add another do this:
```
# setup-user -g (wheel,)plugdev,_seatd,nix,_power -f "<Full Name>" <username>
# passwd <username>
[Change shell in /etc/passwd]
# fscrypt encrypt /home/<username> --user=<username>
[Create a new login protector]
[Enter 1 so that it unlocks the directory when the user logs in]
```