<chapter xmlns="http://docbook.org/ns/docbook"
         xmlns:xlink="http://www.w3.org/1999/xlink"
         xmlns:xi="http://www.w3.org/2001/XInclude"
         version="5.0"
         xml:id="sec-user-management">
<title>User Management</title>
<para>NixOS supports both declarative and imperative styles of user
management. In the declarative style, users are specified in
<filename>configuration.nix</filename>. For instance, the following
states that a user account named <literal>alice</literal> shall exist:

<programlisting>
users.users.alice =
  { isNormalUser = true;
    home = "/home/alice";
    description = "Alice Foobar";
    extraGroups = [ "wheel" "networkmanager" ];
    openssh.authorizedKeys.keys = [ "ssh-dss AAAAB3Nza... alice@foobar" ];
  };
</programlisting>

Note that <literal>alice</literal> is a member of the
<literal>wheel</literal> and <literal>networkmanager</literal> groups,
which allows her to use <command>sudo</command> to execute commands as
<literal>root</literal> and to configure the network, respectively.
Also note the SSH public key that allows remote logins with the
corresponding private key. Users created in this way do not have a
password by default, so they cannot log in via mechanisms that require
a password. However, you can use the <command>passwd</command> program
to set a password, which is retained across invocations of
<command>nixos-rebuild</command>.</para>
<para>If you set <option>users.mutableUsers</option> to
<literal>false</literal>, then the contents of <filename>/etc/passwd</filename>
and <filename>/etc/group</filename> will be congruent to your NixOS
configuration. For instance, if you remove a user from
<option>users.users</option> and run <command>nixos-rebuild</command>, the
user account will cease to exist. Also, imperative commands for managing
users and groups, such as <command>useradd</command>, are no longer
available. Passwords may still be assigned by setting the user's
<literal>hashedPassword</literal> option. A hashed password can be
generated using <command>mkpasswd -m sha-512</command> after installing
the <literal>mkpasswd</literal> package.</para>
|
2014-08-24 10:18:18 -07:00
|
|
|
|
|
|
|
|
|
<para>A user ID (uid) is assigned automatically. You can also specify
a uid manually by adding

<programlisting>
uid = 1000;
</programlisting>

to the user specification.</para>
<para>Groups can be specified similarly. The following states that a
group named <literal>students</literal> shall exist:

<programlisting>
users.groups.students.gid = 1000;
</programlisting>

As with users, the group ID (gid) is optional and will be assigned
automatically if it’s missing.</para>
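<para>The following <filename>configuration.nix</filename> fragment is an added example, not text from the NixOS manual. It combines the options described above into one declarative setup: <option>users.mutableUsers</option> disabled so that the account database cannot drift from the configuration, a password assigned only through <literal>hashedPassword</literal>, an explicit uid and gid, and a second account that has neither a password nor an SSH key and therefore cannot log in interactively. The hash and key strings are placeholders, and the user <literal>bob</literal> is invented for illustration.</para>

```nix
{ config, pkgs, ... }:

{
  # With mutableUsers = false, /etc/passwd and /etc/group are generated
  # from this file on every nixos-rebuild: accounts not listed here are
  # removed, and useradd/passwd cannot introduce unmanaged changes.
  users.mutableUsers = false;

  # Explicit gid keeps file ownership stable across rebuilds and hosts.
  users.groups.students.gid = 1000;

  users.users.alice = {
    isNormalUser = true;
    uid = 1000;
    home = "/home/alice";
    description = "Alice Foobar";
    # wheel grants sudo; only list groups the account actually needs.
    extraGroups = [ "wheel" "networkmanager" "students" ];
    # Output of `mkpasswd -m sha-512`; the value below is a placeholder,
    # not a real hash. Never put a plaintext password here.
    hashedPassword = "$6$PLACEHOLDER_SALT$PLACEHOLDER_HASH";
    # Placeholder public key; the corresponding private key stays with the user.
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAA_PLACEHOLDER alice@foobar" ];
  };

  # bob is a constructed example: no hashedPassword and no authorized key,
  # so the account exists (for file ownership, cron, etc.) but offers no
  # password or SSH login path.
  users.users.bob = {
    isNormalUser = true;
    uid = 1001;
    extraGroups = [ "students" ];
  };
}
```

<para>Because <option>users.mutableUsers</option> is false here, removing <literal>bob</literal> from this file and running <command>nixos-rebuild</command> deletes the account, and <command>passwd</command> cannot be used to give him a password later; any credential change has to go through <literal>hashedPassword</literal> and a rebuild.</para>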
<para>In the imperative style, users and groups are managed by
commands such as <command>useradd</command>,
<command>groupmod</command> and so on. For instance, to create a user
account named <literal>alice</literal>:

<screen>
# useradd -m alice</screen>

The flag <option>-m</option> causes the creation of a home directory
for the new user, which is generally what you want. To make all Nix
tools available to this new user, use
<command>su - <replaceable>USER</replaceable></command>, which opens a
login shell (a shell that loads the profile) for the given user. This
creates the <filename>~/.nix-defexpr</filename> symlink. So run:

<screen>
# su - alice -c "true"</screen>

The user does not have an initial password and therefore cannot log in.
A password can be set using the <command>passwd</command> utility:

<screen>
# passwd alice
Enter new UNIX password: ***
Retype new UNIX password: ***
</screen>

A user can be deleted using <command>userdel</command>:

<screen>
# userdel -r alice</screen>

The flag <option>-r</option> deletes the user’s home directory.
Accounts can be modified using <command>usermod</command>. Unix
groups can be managed using <command>groupadd</command>,
<command>groupmod</command> and <command>groupdel</command>.</para>
</chapter>