Home / server / Questions / 93457
Accepted
meder omuraliev
Asked: 2009-12-12 08:41:43 +0800 CST

Best practices for users/groups in Debian servers

  • 772

On my server/vps after I initially get the credentials I:

adduser meder
visudo

in visudo, at the far bottom:

meder    ALL=(ALL) ALL

And from then on I use meder, along with the sudo command. Is this pretty much how I should be doing it?

And on the topic of creating a user group such that www-data and meder can access the same files, what specific privileges should I give, how should I set it up so both can touch the same files ( would be great if sample code was provided as I'm not that fluent yet ).

debian

3 Answers

  1. Best Answer

    Yes, adding a new non-root user, then sudoing from it is the "best-practice". If you have a lot of commands to run at once many people say to run sudo su -. However, sudo has a -i option that is used to give you a root shell.

    Also, if you want to disable interactive logins for root, you can change the password in /etc/shadow to '!'.

    To have two users access the same files, you would create a new group (lets call it 'shared'):

    $ sudo groupadd shared

    Then you would add your users to it:

    $ sudo usermod -a -G shared meder
$ sudo usermod -a -G shared www-data

    Then on any file or directory you want both to access, you would change the group ownership of the file/directory:

    $ sudo chgrp share [path-to-file]

    If you want user's in the group to have full permissions to the files you may have to change the file permissions as well:

    $ sudo chmod g+w [path-to-file]

    or

    $ sudo chmod 775 [path-to-dir]

    Read man chmod for a description of the various permission syntaxes.

    Finally, you will often want to set the group bit so that new files created are created with the group owning the directory instead of your default group. For example, when you create the user 'meder' useradd will create a "user private group" that will be called 'meder' and user 'meder' will be the only member. This means when you create new files they will be owned by meder:meder (user meder and group meder). If you want them to be owned by the group shared, you must set the group id bit on the directory. To do that, you need:

    $ sudo chown g+s [path-to-dir]

    A full example would be:

    $ sudo -i
# mkdir /opt/shared
# groupadd shared
# usermod -a -G shared meder
# usermod -a -G shared www-data
# chgrp shared /opt/shared
# chmod 775 /opt/shared
# chmod g+s /opt/shared
# exit

    The only issue I've come across with this is that most files are created with 755 or 644 permissions, which means you always have to manually add group write permissions to files in the shared folder. There's probably a way around this, I just don't know it.

    Lastly, you don't have to create the shared group. You could just add 'meder' to the www-data group and do the rest with that group.

    • 8

  2. If www-data is an account (probably the one that apache runs as?), then you need to either add meder into the appropriate group in /etc/group or you can create a new group with both meder and www-data (by using groupadd).

    Once you do that, when you login, you can run "newgrp " to make that your "current" group, and then all the files you create will have a group ownership of the shared group.

    • 2

  3. In Debian, usually you don't need to worry about creating www-data, since in most cases, Debian packager will provide maintainer scripts to automate setup when installing deb packages.

    • 0