FAQ: How can a create another OnionOS user instead of root
-
While OpenWrt is a single user system, you can create additional users so you don't have to disclose the root user password. You can add the user by editing /etc/passwd and /etc/shadow or you can install the useradd package:
opkg install shadow-useradd
Now add a new user named "admin", but we don't want them to have shell access:
useradd admin -d /var -M -s /bin/false -p mytemporarypassword
The password is added in cleartext so you need to change it using the command:
passwd admin
Follow the prompts to set your password then you can confirm the new user has been added as required:
cat /etc/passwd cat /etc/shadow
Since OnionOS uses ubus via rpc we need to add the user to the rpc user list. The configuration file is /etc/config/rcpd, but you can use uci commands to add the user:
uci add rpcd login uci set rpcd.@login[-1].username='admin' uci set rpcd.@login[-1].password='$p$admin' uci add_list rpcd.@login[-1].read='*' uci add_list rpcd.@login[-1].write='*' uci commit rpcd
The username must match the username we just created and the structure of the password field causes the rpc daemon to use the system password we just created.
The "read" and "write" fields is set to an asterisk indicating that the user will have unrestricted access, the same as the root user.
You can confirm the new user had been added using a uci command:
uci show rpcd rpcd.@login[0]=login rpcd.@login[0].username='root' rpcd.@login[0].password='$p$root' rpcd.@login[0].read='*' rpcd.@login[0].write='*' rpcd.@login[1]=login rpcd.@login[1].username='admin' rpcd.@login[1].password='$p$admin' rpcd.@login[1].read='*' rpcd.@login[1].write='*'
Now restart the rpc daemon:
service rpcd restart
You can now login to OnionOS with the same functionality as the root user has, but the user has no console access.