
I have a LAMP stack running on Ubuntu. I want to grant access to some colleagues and friends so they can use my machine to upload their websites and do whatever they want in their home directories, for which I have added virtual hosts. However, almost everything in the system can be read by anyone (apparently that is the default for Ubuntu). This means that they can also read my projects, where I have put all of my MySQL passwords and whatnot, which means that they can easily log into my server, since they already have SSH access. I know I can make my files with passwords readable only by me, but that is not an absolute fix to the problem; perhaps in the future I can forget to do that, or I can somehow change the permissions unknowingly, and this will still be a problem.

Perhaps not allowing users to use mysql unless they are using sudo would be sufficient, IMO, but is that possible?

php_nub_qq
  • Short answer: **if you do not trust people, you shouldn't share access** to your server with them. **Setting proper filesystem permissions is the answer.** Or at least a main part of it. You can also set up chroots and other things, but the specific requirements of your environment will dictate what you should do. – Zoredache Dec 20 '16 at 20:04
  • It is maybe time to fragment your PC with VMs. Your users are in one VM, your MySQL in another one. You can access MySQL only by SSH, if you have the credentials, and your users don't have them. Personally, I prefer not to provide SSH access to anyone, as the user can install a rootkit and be root in my place. – Dom Dec 20 '16 at 20:16

1 Answer


Ubuntu makes things a bit easy for the desktop user by applying "easy" permissions for files, directories, groups and umasks. To provision your environment as a multi-user server, here are some suggestions:

  • change the default umask for all the user accounts on the system. This allows for permissions such as -rw------- when new files/directories are created instead of something like the default -rw-r--r-- where everyone can read everything.
  • remove all the supplementary groups Ubuntu adds to every new user account (e.g. pulse, plugdev, cdrom, etc.)
  • when creating a new user account, create a default group matching their user name, e.g.: # useradd --uid 51000 --create-home --user-group user133. By default, Ubuntu will start creating users using a uid of 1000. This can be problematic when copying files to a new system where this user id is set for someone else. Using a non-default uid to start creating your users at can save you some hassle later down the road. Creating matching user group names allows the permissions on the user home directory to be set exclusively for the user.

  • create a supplementary group to allow for sharing of files, which all users will belong to, e.g.: # groupadd --gid 60001 webfiles. This will allow you to assign permissions for shared files and directories for anyone in the webfiles group. Users who need elevated access to restart the webserver or something can be placed in /etc/sudoers.

  • lastly, for MySQL, the security partitioning you apply will kind of depend on how hammer-fisted you need to get. If you just want to keep accidents from happening, simply giving each user a password-protected database to work in would be enough.

Server Fault
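As an added example (my own script, not part of the question or the answer above), a small bash audit for the leak the question describes: it lists what other shell users can read under a directory, strips the "other" bits while leaving group access for a shared group like webfiles intact, and shows what a stricter umask gives new files. It assumes GNU find and stat as shipped on Ubuntu; the function names are mine.

```shell
#!/usr/bin/env bash
# Added example, not from the original answer. Assumes GNU find/stat (Ubuntu).
set -u

# List every path under $1 whose "other" read bit (octal 0004) is set:
# exactly the files any shell user on the box can read, e.g. a project
# config holding MySQL credentials.
audit_world_readable() {
    find "$1" -perm -004 2>/dev/null | sort
}

# Number of world-readable entries, handy for a cron check or login hook.
count_world_readable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}

# Remediation: remove read/write/execute for "other" under $1. Group bits
# are untouched, so a shared group such as webfiles (and the web server,
# if it is a member) keeps access to what must be served.
harden_tree() {
    chmod -R o-rwx "$1"
}

# Show the modes a new file and a new directory receive under umask $1,
# printed as "<file> <dir>": "600 700" for 077 versus "644 755" for
# Ubuntu's default 022, which is the first bullet's point.
modes_under_umask() {
    local tmp
    tmp=$(mktemp -d)
    ( umask "$1" && : > "$tmp/f" && mkdir "$tmp/d" )
    printf '%s %s\n' "$(stat -c %a "$tmp/f")" "$(stat -c %a "$tmp/d")"
    rm -rf "$tmp"
}

# Stand-alone usage: bash audit.sh /home/user133
if [ $# -gt 0 ]; then
    audit_world_readable "$1"
    echo "world-readable entries: $(count_world_readable "$1")"
fi
```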