4

I'm trying to make a web interface for a game server.

I have a user/group "gameserver" that has game files and configurations (not a sudoer). And a user/group "www-data" that you all know is for web application.

Now I've unfortunately seen posts of people asking or suggesting adding www-data to "sudo" group, to allow it to modify files elsewhere. A very bad practice for security reasons.

I want to enable www-data to modify files inside files/folders of user "gameserver" without "root" privileges.

There are several ways of doing it as far as I know:

  1. Change file/folder permissions to be read/write globally.
  2. Change file/folder group ownership to "www-data".
  3. Add user "www-data" to group "gameserver".

The first two would require changing permissions or ownership for every new file or folder being newly created. Therefore, the last way seems the most plausible. However, after executing:

usermod -a -G gameserver www-data

to add user "www-data" to group "gameserver", I can no longer SSH to user "gameserver". And get an error:

Permission denied (publickey).

This post seem to have a similar issue: SSH broken pipe error after adding user to group

But does not really solve the issue.

Why does adding another user to my user group prevents me from accessing my user via SSH? And how can I solve this issue?

Note that "www-data" was indeed able to write to files belonging to user "gameserver".

To reverse the effect, I SSH to "root" and execute:

gpasswd -d www-data gameserver

To remove user "www-data" from group "gameserver"

Edit 01:

As Ryan Babchishin indicated in the 1st comment, it is working for him. I tried on another server and it works. This problem is specific to OVH servers at the moment. They indicated that they are using a custom kernel in response to an earlier issue where I was unable to use SystemV commands to start, stop or restart a service. I filed another ticket now. But still don't understand what does this has to do with Linux permissions.

Community
  • 1
0x00FE
  • 61
  • 1
  • 4
  • 2
    I tested this on my Ubuntu system with no problems. Funny issue. Check sshd logs. – Ryan Babchishin Jul 10 '16 at 02:34
  • That is very interesting indeed. I tried on my home server and it works. As for the sshd logs it says "Authentication refused: bad ownership or modes for directory /home/gameserver/.ssh" ... This is the not the first time OVH servers give me strange behavior. – 0x00FE Jul 10 '16 at 17:14

1 Answers1

2

What are the permissions on ~gameserver/.ssh/authorized_keys? If they are group-writable, an SSH server will refuse to use them, because someone other than the target user could add arbitrary keys. I can make my home computer refuse to accept my keypair with chmod g+w .ssh/authorized_keys.

Now, in your case you haven't changed the permission bits (presumably), but perhaps your custom kernel, or just a different sshd implementation than my computer uses, will accept group-writable keys as long as there are no other users in the group? Then if you do have weird permissions like 664, sshd would accept logins until you change the group memberships. A bit of a stab in the dark here, but sounds halfway plausible.

amalloy
  • 121
  • 3