documentation/docs/alpine-desktop-setup/post-install/users.md
2023-12-28 15:09:21 +01:00


# Users

It might be nice to add a regular user to your system instead of working as root.

## Doas

Before creating the user, install doas for the cases where root is required:

```
# apk add doas
```

Also configure doas through `/etc/doas.d/main.conf` (the option keyword is `nopass`; a misspelled option is read as a user name and makes the rule fail to parse):

```
permit persist :wheel as root
permit nopass :wheel cmd poweroff
permit nopass :wheel cmd reboot
```

## Adding a user

Adding a user in Alpine can be done using the `setup-user` script. Here we can specify the name, full name, groups and more:

```
# setup-user -g wheel,plugdev,_seatd,nix -f "<Full Name>" <username>
# passwd <username>
```

It's also recommended to have only a single "admin" account in the `wheel` group; other users should not be members of it.

Don't log in as the new user yet if you want to encrypt the home directory (see "Encrypting the home directory" below).

Once you have checked that doas works for the user, lock the root account, since a root account that can still be logged into is an unnecessary exposure. This can be done with:

```
# passwd -l root
```

And edit `/etc/passwd` to change root's login shell from `/bin/ash` to `/sbin/nologin`:

```
root:x:0:0:root:/root:/sbin/nologin
```

## Encrypting the home directory

If you are running a system with multiple users, or if you want an extra layer of protection, it's possible to encrypt every user's home directory.

Do note that a second layer of encryption (on top of the LVM/LUKS setup) can lower disk performance, so where performance matters it might be preferable not to encrypt.

### Setup

First install the `fscrypt`, `e2fsprogs-extra` and `util-linux-login` packages:

```
# apk add fscrypt e2fsprogs-extra util-linux-login
```

Then make sure the filesystem has the `encrypt` feature enabled and set up fscrypt on the home directory:

```
# tune2fs -O encrypt /dev/vg<m>/home<n>
# fscrypt setup
# fscrypt setup /home
```

Then edit `/etc/pam.d/login`, adding these lines to their corresponding sections:

```
auth     optional    pam_fscrypt.so
...
session  optional    pam_fscrypt.so
```

### Encrypting a user's home

Encrypt the directory with:

```
# fscrypt encrypt /home/<username> --user=<username>
[Enter 1 so that it unlocks when the user logs in]
```

Then log in as the user to check that it worked. The command should also have given you a recovery password, which should be stored somewhere safe (like Bitwarden). To check the status of the directory run:

```
$ fscrypt status /home/<username>
```
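As an added example (not part of the original page or of Alpine's tooling), the script below checks the state this page leaves the system in: root locked and shell-less, the doas rules parseable, and `pam_fscrypt.so` hooked into `/etc/pam.d/login`. The function names, the `run` argument and the rule parser are this example's own; the paths in `check_all` are the ones used on this page.

```shell
#!/bin/sh
# Added example: post-setup checks for the steps on this page.
# Each function takes the file to inspect as an argument so it can be run
# against copies; check_all uses the live Alpine paths (run it as root).

# 0 if root's password field in the shadow file is locked ("!" or "*"),
# which is what `passwd -l root` produces.
root_locked() {
    awk -F: '$1 == "root" && $2 ~ /^[!*]/ { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# 0 if root's login shell in the passwd file is /sbin/nologin.
root_nologin() {
    awk -F: '$1 == "root" && $7 == "/sbin/nologin" { ok = 1 } END { exit ok ? 0 : 1 }' "$1"
}

# 0 if the pam.d file loads pam_fscrypt.so in the given section (auth/session).
pam_fscrypt_present() {
    grep -Eq "^$1[[:space:]]+optional[[:space:]]+pam_fscrypt\.so" "$2"
}

# 0 if every rule has the shape: permit|deny [options] identity [as target] [cmd ...].
# doas takes the first word that is not an option as the identity, so a
# misspelled option such as "nopasss" leaves ":wheel" as a stray token.
doas_conf_ok() {
    awk '
    /^[[:space:]]*(#|$)/ { next }
    {
        if ($1 != "permit" && $1 != "deny") { bad = 1; next }
        i = 2
        while (i <= NF && ($i == "nopass" || $i == "persist" || $i == "keepenv" ||
                           $i == "nolog" || $i == "setenv")) {
            if ($i == "setenv") while (i <= NF && $i != "}") i++
            i++
        }
        if (i > NF) { bad = 1; next }
        i++
        if (i <= NF && $i != "as" && $i != "cmd") bad = 1
    }
    END { exit bad ? 1 : 0 }' "$1"
}

check_all() {
    root_locked /etc/shadow || echo "FAIL: root password is not locked"
    root_nologin /etc/passwd || echo "FAIL: root shell is not /sbin/nologin"
    doas_conf_ok /etc/doas.d/main.conf || echo "FAIL: a doas rule does not parse"
    pam_fscrypt_present auth /etc/pam.d/login || echo "FAIL: auth pam_fscrypt line missing"
    pam_fscrypt_present session /etc/pam.d/login || echo "FAIL: session pam_fscrypt line missing"
}
if [ "${1:-}" = "run" ]; then check_all; fi
```

The rule check only validates the shape of each line; with doas installed, `doas -C /etc/doas.d/main.conf` is the authoritative syntax check.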