89 lines
4.2 KiB
XML
89 lines
4.2 KiB
XML
|
<chapter xmlns="http://docbook.org/ns/docbook"
|
|||
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|||
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|||
|
version="5.0"
|
|||
|
xml:id="sec-user-management">
|
|||
|
<title>User Management</title>
|
|||
|
<para>
|
|||
|
NixOS supports both declarative and imperative styles of user management. In
|
|||
|
the declarative style, users are specified in
|
|||
|
<filename>configuration.nix</filename>. For instance, the following states
|
|||
|
that a user account named <literal>alice</literal> shall exist:
|
|||
|
<programlisting>
|
|||
|
<xref linkend="opt-users.users"/>.alice = {
|
|||
|
<link linkend="opt-users.users._name__.isNormalUser">isNormalUser</link> = true;
|
|||
|
<link linkend="opt-users.users._name__.home">home</link> = "/home/alice";
|
|||
|
<link linkend="opt-users.users._name__.description">description</link> = "Alice Foobar";
|
|||
|
<link linkend="opt-users.users._name__.extraGroups">extraGroups</link> = [ "wheel" "networkmanager" ];
|
|||
|
<link linkend="opt-users.users._name__.openssh.authorizedKeys.keys">openssh.authorizedKeys.keys</link> = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
|
|||
|
};
|
|||
|
</programlisting>
|
|||
|
Note that <literal>alice</literal> is a member of the
|
|||
|
<literal>wheel</literal> and <literal>networkmanager</literal> groups, which
|
|||
|
allows her to use <command>sudo</command> to execute commands as
|
|||
|
<literal>root</literal> and to configure the network, respectively. Also note
|
|||
|
the SSH public key that allows remote logins with the corresponding private
|
|||
|
key. Users created in this way do not have a password by default, so they
|
|||
|
cannot log in via mechanisms that require a password. However, you can use
|
|||
|
the <command>passwd</command> program to set a password, which is retained
|
|||
|
across invocations of <command>nixos-rebuild</command>.
|
|||
|
</para>
|
|||
|
<para>
|
|||
|
If you set <xref linkend="opt-users.mutableUsers"/> to false, then the
|
|||
|
contents of <literal>/etc/passwd</literal> and <literal>/etc/group</literal>
|
|||
|
will be congruent to your NixOS configuration. For instance, if you remove a
|
|||
|
user from <xref linkend="opt-users.users"/> and run nixos-rebuild, the user
|
|||
|
account will cease to exist. Also, imperative commands for managing users and
|
|||
|
groups, such as useradd, are no longer available. Passwords may still be
|
|||
|
assigned by setting the user's
|
|||
|
<link linkend="opt-users.users._name__.hashedPassword">hashedPassword</link>
|
|||
|
option. A hashed password can be generated using <command>mkpasswd -m
|
|||
|
sha-512</command> after installing the <literal>mkpasswd</literal> package.
|
|||
|
</para>
|
|||
|
<para>
|
|||
|
A user ID (uid) is assigned automatically. You can also specify a uid
|
|||
|
manually by adding
|
|||
|
<programlisting>
|
|||
|
uid = 1000;
|
|||
|
</programlisting>
|
|||
|
to the user specification.
|
|||
|
</para>
|
|||
|
<para>
|
|||
|
Groups can be specified similarly. The following states that a group named
|
|||
|
<literal>students</literal> shall exist:
|
|||
|
<programlisting>
|
|||
|
<xref linkend="opt-users.groups"/>.students.gid = 1000;
|
|||
|
</programlisting>
|
|||
|
As with users, the group ID (gid) is optional and will be assigned
|
|||
|
automatically if it’s missing.
|
|||
|
</para>
|
|||
|
<para>
|
|||
|
In the imperative style, users and groups are managed by commands such as
|
|||
|
<command>useradd</command>, <command>groupmod</command> and so on. For
|
|||
|
instance, to create a user account named <literal>alice</literal>:
|
|||
|
<screen>
|
|||
|
# useradd -m alice</screen>
|
|||
|
To make all nix tools available to this new user use `su - USER` which opens
|
|||
|
a login shell (==shell that loads the profile) for given user. This will
|
|||
|
create the ~/.nix-defexpr symlink. So run:
|
|||
|
<screen>
|
|||
|
# su - alice -c "true"</screen>
|
|||
|
The flag <option>-m</option> causes the creation of a home directory for the
|
|||
|
new user, which is generally what you want. The user does not have an initial
|
|||
|
password and therefore cannot log in. A password can be set using the
|
|||
|
<command>passwd</command> utility:
|
|||
|
<screen>
|
|||
|
# passwd alice
|
|||
|
Enter new UNIX password: ***
|
|||
|
Retype new UNIX password: ***
|
|||
|
</screen>
|
|||
|
A user can be deleted using <command>userdel</command>:
|
|||
|
<screen>
|
|||
|
# userdel -r alice</screen>
|
|||
|
The flag <option>-r</option> deletes the user’s home directory. Accounts
|
|||
|
can be modified using <command>usermod</command>. Unix groups can be managed
|
|||
|
using <command>groupadd</command>, <command>groupmod</command> and
|
|||
|
<command>groupdel</command>.
|
|||
|
</para>
|
|||
|
</chapter>
|