Debian – Best practices for users/groups in Debian servers

debiandebian-lennysudouser-permissions

On my server/vps after I initially get the credentials I:

adduser meder
visudo

in visudo, at the far bottom:

meder    ALL=(ALL) ALL

And from then on I use meder, along with the sudo command. Is this pretty much how I should be doing it?

And on the topic of creating a user group such that www-data and meder can access the same files, what specific privileges should I give, how should I set it up so both can touch the same files ( would be great if sample code was provided as I'm not that fluent yet ).

Best Answer

Yes, adding a new non-root user, then sudoing from it is the "best-practice". If you have a lot of commands to run at once many people say to run sudo su -. However, sudo has a -i option that is used to give you a root shell.

Also, if you want to disable interactive logins for root, you can change the password in /etc/shadow to '!'.

To have two users access the same files, you would create a new group (lets call it 'shared'):

$ sudo groupadd shared

Then you would add your users to it:

$ sudo usermod -a -G shared meder
$ sudo usermod -a -G shared www-data

Then on any file or directory you want both to access, you would change the group ownership of the file/directory:

$ sudo chgrp share [path-to-file]

If you want user's in the group to have full permissions to the files you may have to change the file permissions as well:

$ sudo chmod g+w [path-to-file]

$ sudo chmod 775 [path-to-dir]

Read man chmod for a description of the various permission syntaxes.

Finally, you will often want to set the group bit so that new files created are created with the group owning the directory instead of your default group. For example, when you create the user 'meder' useradd will create a "user private group" that will be called 'meder' and user 'meder' will be the only member. This means when you create new files they will be owned by meder:meder (user meder and group meder). If you want them to be owned by the group shared, you must set the group id bit on the directory. To do that, you need:

$ sudo chown g+s [path-to-dir]

A full example would be:

$ sudo -i
# mkdir /opt/shared
# groupadd shared
# usermod -a -G shared meder
# usermod -a -G shared www-data
# chgrp shared /opt/shared
# chmod 775 /opt/shared
# chmod g+s /opt/shared
# exit

The only issue I've come across with this is that most files are created with 755 or 644 permissions, which means you always have to manually add group write permissions to files in the shared folder. There's probably a way around this, I just don't know it.

Lastly, you don't have to create the shared group. You could just add 'meder' to the www-data group and do the rest with that group.

Related Solutions

Security – creating security groups from scratch – best practices

The way I have implemented it, based on Microsoft's recommendations for Windows Server 2003 (found in the MCSE Self-Paced Training Kit for exam 70-294: Planning, Implementing and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure) is:

Create a global security group for each position within the organisation (eg, CEO, Sales Director etc)
Create a domain local security group for each resource (or two groups if you are giving some people read-only premission and others modify permission) (eg, Sales File Modifiers, Marketing Data Readers)
Assign permissions to your resources, using the domain local security groups (eg, Give Modify permissions on the Sales Files to the Sales Files Modifiers groups)
Assign users to the relevant global security groups (eg, make your CEO a member of the CEO security group)
Add the global security groups to the relevant domain local security groups (eg Add the Sales Director group to the Sales Files Modifiers group)

So you have: User Account -> Job Role security group -> Resource Permission security group -> Resource Permissions

Doing it this way, you can end up with a lot of groups, particularly domain local groups, if you have a lot of resources, but it keeps it relatively simple and maintainable. Trying to get clever and having multiple levels of nested groups is a recipe for complexity and disaster, trust me!

It would also be a good idea to ensure that no-one other than Administrators has Full Control of any files. This prevent s users trying to be too clever and configuring their own permissions.

How does Amazon ec2-user get its sudo rights

It's in /etc/sudoers.d/cloud-init. I, too, delete it from my production systems as soon as I can.

It is included by virtue of the line

#includedir /etc/sudoers.d

in the /etc/sudoers file. Note that, as it says, that leading # isn't treated as a comment sign. On some of my servers, it's also in /etc/sudoers.d/90-cloud-init-users; it may be safest to userdel the ec2-user user.

Best Answer

Related Solutions

Security – creating security groups from scratch – best practices

How does Amazon ec2-user get its sudo rights

Related Topic