Diffstat (limited to 'nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml')
-rw-r--r-- | nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml | 88 |
1 files changed, 88 insertions, 0 deletions
diff --git a/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml b/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml new file mode 100644 index 000000000000..4b1710f3a2b1 --- /dev/null +++ b/nixpkgs/nixos/doc/manual/configuration/user-mgmt.xml 
@@ -0,0 +1,88 @@ +<chapter xmlns="http://docbook.org/ns/docbook" + xmlns:xlink="http://www.w3.org/1999/xlink" + xmlns:xi="http://www.w3.org/2001/XInclude" + version="5.0" + xml:id="sec-user-management"> + <title>User Management</title> + <para> + NixOS supports both declarative and imperative styles of user management. In + the declarative style, users are specified in + <filename>configuration.nix</filename>. For instance, the following states + that a user account named <literal>alice</literal> shall exist: +<programlisting> +<xref linkend="opt-users.users"/>.alice = { + <link linkend="opt-users.users._name__.isNormalUser">isNormalUser</link> = true; + <link linkend="opt-users.users._name__.home">home</link> = "/home/alice"; + <link linkend="opt-users.users._name__.description">description</link> = "Alice Foobar"; + <link linkend="opt-users.users._name__.extraGroups">extraGroups</link> = [ "wheel" "networkmanager" ]; + <link linkend="opt-users.users._name__.openssh.authorizedKeys.keys">openssh.authorizedKeys.keys</link> = [ "ssh-dss AAAAB3Nza... alice@foobar" ]; +}; +</programlisting> + Note that <literal>alice</literal> is a member of the + <literal>wheel</literal> and <literal>networkmanager</literal> groups, which + allows her to use <command>sudo</command> to execute commands as + <literal>root</literal> and to configure the network, respectively. Also note + the SSH public key that allows remote logins with the corresponding private + key. Users created in this way do not have a password by default, so they + cannot log in via mechanisms that require a password. However, you can use + the <command>passwd</command> program to set a password, which is retained + across invocations of <command>nixos-rebuild</command>. + </para> + <para> + If you set <xref linkend="opt-users.mutableUsers"/> to false, then the + contents of <literal>/etc/passwd</literal> and <literal>/etc/group</literal> + will be congruent to your NixOS configuration. 
For instance, if you remove a + user from <xref linkend="opt-users.users"/> and run nixos-rebuild, the user + account will cease to exist. Also, imperative commands for managing users and + groups, such as useradd, are no longer available. Passwords may still be + assigned by setting the user's + <link linkend="opt-users.users._name__.hashedPassword">hashedPassword</link> + option. A hashed password can be generated using <command>mkpasswd -m + sha-512</command> after installing the <literal>mkpasswd</literal> package. + </para> + <para> + A user ID (uid) is assigned automatically. You can also specify a uid + manually by adding +<programlisting> +uid = 1000; +</programlisting> + to the user specification. + </para> + <para> + Groups can be specified similarly. The following states that a group named + <literal>students</literal> shall exist: +<programlisting> +<xref linkend="opt-users.groups"/>.students.gid = 1000; +</programlisting> + As with users, the group ID (gid) is optional and will be assigned + automatically if it’s missing. + </para> + <para> + In the imperative style, users and groups are managed by commands such as + <command>useradd</command>, <command>groupmod</command> and so on. For + instance, to create a user account named <literal>alice</literal>: +<screen> +# useradd -m alice</screen> + To make all nix tools available to this new user use `su - USER` which opens + a login shell (==shell that loads the profile) for given user. This will + create the ~/.nix-defexpr symlink. So run: +<screen> +# su - alice -c "true"</screen> + The flag <option>-m</option> causes the creation of a home directory for the + new user, which is generally what you want. The user does not have an initial + password and therefore cannot log in. 
A password can be set using the + <command>passwd</command> utility: +<screen> +# passwd alice +Enter new UNIX password: *** +Retype new UNIX password: *** +</screen> + A user can be deleted using <command>userdel</command>: +<screen> +# userdel -r alice</screen> + The flag <option>-r</option> deletes the user’s home directory. Accounts + can be modified using <command>usermod</command>. Unix groups can be managed + using <command>groupadd</command>, <command>groupmod</command> and + <command>groupdel</command>. + </para> +</chapter> |
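Review bot: the openssh.authorizedKeys.keys example in the declarative snippet uses an `ssh-dss` (DSA) key; OpenSSH has disabled DSA keys by default since 7.0, so a reader who copies this pattern ends up with a key type a stock sshd refuses. Suggest showing a currently supported type instead, e.g. `openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3Nza... alice@foobar" ];`. Separately, in the imperative section the sentence explaining the `-m` flag should sit directly after the `# useradd -m alice` screen rather than after the `su` aside, and that aside mixes Markdown backticks (`su - USER`) into DocBook; use `<command>su - <replaceable>USER</replaceable></command>` markup and drop the informal "(==shell that loads the profile)" wording.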