On my server/vps after I initially get the credentials I:
adduser meder
visudo
in visudo, at the far bottom:
meder ALL=(ALL) ALL
And from then on I use meder, along with the sudo command. Is this pretty much how I should be doing it?
And on the topic of creating a user group such that www-data and meder can access the same files, what specific privileges should I give, how should I set it up so both can touch the same files (would be great if sample code was provided as I'm not that fluent yet).
Best Answer
Yes, adding a new non-root user, then sudoing from it is the "best-practice". If you have a lot of commands to run at once many people say to run sudo su -. However, sudo has a -i option that is used to give you a root shell.
Also, if you want to disable interactive logins for root, you can change the password in /etc/shadow to '!'.
To have two users access the same files, you would create a new group (let's call it 'shared'):
Then you would add your users to it:
Then on any file or directory you want both to access, you would change the group ownership of the file/directory:
If you want users in the group to have full permissions to the files you may have to change the file permissions as well:
or
Read man chmod for a description of the various permission syntaxes.
Finally, you will often want to set the group bit so that new files created are created with the group owning the directory instead of your default group. For example, when you create the user 'meder' useradd will create a "user private group" that will be called 'meder' and user 'meder' will be the only member. This means when you create new files they will be owned by meder:meder (user meder and group meder). If you want them to be owned by the group shared, you must set the group id bit on the directory. To do that, you need:
A full example would be:
The only issue I've come across with this is that most files are created with 755 or 644 permissions, which means you always have to manually add group write permissions to files in the shared folder. There's probably a way around this, I just don't know it.
Lastly, you don't have to create the shared group. You could just add 'meder' to the www-data group and do the rest with that group.
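The steps described in the answer above, written out as an added shell example (not part of the original answer). The names 'shared', 'meder' and 'www-data' come from the page; /srv/shared is an assumed path, and the umask 002 step is an addition that keeps group write on newly created files.

```shell
#!/bin/sh
# Added example, not the answer author's code.
# 'shared', 'meder', 'www-data' are from the page; /srv/shared is assumed.

# Root-only: create the group if missing and add each user to it.
# -a appends, so the users keep their existing supplementary groups.
# Members must log in again before the new membership takes effect.
create_shared_group() {
    group=$1; shift
    getent group "$group" >/dev/null || groupadd "$group"
    for user in "$@"; do
        usermod -aG "$group" "$user"
    done
}

# Hand DIR to GROUP, grant group read/write, and set the setgid bit on every
# directory so new files inherit GROUP instead of the creator's private group.
# Capital X adds execute only to directories and already-executable files,
# so plain data files do not become executable.
share_dir() {
    dir=$1; group=$2
    chgrp -R "$group" "$dir"
    chmod -R g+rwX "$dir"
    find "$dir" -type d -exec chmod g+s {} +
}

# Create an empty file the way a group member should: umask 002 keeps the
# group write bit (the common default 022 yields 644). The subshell keeps
# the umask change from leaking into the caller.
create_group_writable() {
    ( umask 002 && : > "$1" )
}

# Helpers to inspect the result: permission string and numeric group id.
perms_of() { ls -ld "$1" | cut -c1-10; }
gid_of()   { ls -ldn "$1" | awk '{print $4}'; }

# Typical use as root (left commented so loading this file changes nothing):
#   create_shared_group shared meder www-data
#   mkdir -p /srv/shared && share_dir /srv/shared shared
```

To make the umask permanent for a service such as the web server, set it in that service's own configuration rather than per command.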