Ubuntu for clients
Notes for preparing an Ubuntu web server for use by a client.
Table of contents
- Introduction
- Install HNM custom utilities
- Set up and delete user account
- Configure vhost for the client
- Set up private file system path
- Repos
- Final word
Introduction
First set up a DigitalOcean (DO) droplet as I would for one of my own projects.
The following names are used in the examples. Replace them with the actual values for the client:
- clientuser – user name of the first client superuser. Will also be the name of the client group.
- clientadmin – alias set up to make the phpMyAdmin directory harder for threat agents to find. This is obscurity only, not access control: phpMyAdmin must still sit behind its own login and, preferably, an IP restriction or HTTP authentication.
- client.org – Client vhost domain name.
Example input is used where appropriate.
Install HNM custom utilities
Install purge and fixperms. purge is installed as /usr/local/bin/purge.
Edit fixperms.c and set STAFF and PHPMA to suitable values:
#define STAFF "clientuser"
#define PHPMA "clientadmin"
Compile and install fixperms:
$ make
gcc -o fixperms fixperms.c
$ make setuid
sudo chown root fixperms; sudo chmod +s fixperms
$ make install
sudo chown root fixperms; sudo chmod +s fixperms
sudo mv fixperms /usr/local/bin/fixperms
$ fixperms -h
fixperms version 2.0.0
Will traverse the file tree below siteroot and set group to "clientuser" for each file and directory except subdirectory "clientadmin". Will make sure all has read access to everything, and will make the public file directory and subdirectories writeable. If siteroot is not given on the command line, current directory will be used. Will not fix SELinux permissions. Will abort (-1) on first failure.
usage: fixperms [-hv -s siteroot]
-h=help, -v=verbose, -w=siteroot
example: fixperms -s /var/www/example.org/html
(The help text says -w=siteroot, but the usage line and the example use -s.)
Note that the installed binary is setuid root, accepts any siteroot, and makes every file below it readable by all. Keep it executable only by trusted staff (for example chown root:clientuser and chmod 4750), or drop the setuid bit and let staff run it through sudo, so that a local user cannot point it at a directory that must not be world-readable.
Set up and delete user account
Create a user account for the client user. Only the password is required, but it is nice to have the full name and work phone as part of the user profile. Avoid non-ASCII characters in any field.
$ sudo adduser clientuser
Enter new UNIX password: password
Retype new UNIX password: password
passwd: password updated successfully
Changing the user information for clientuser
Enter the new value, or press ENTER for the default
Full Name []: Bob Doe
Room Number []:
Work Phone []: 12345678
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
This will add the user, set up the user's home directory and also create a group with the same name.
Then add the client user's public key to .ssh/authorized_keys in the clientuser's home directory. The procedure is described in another chapter about the Unix shell.
Next, configure group membership. Two groups matter:
- sudo – users with sudo privileges. Not all clients have staff suitable for this.
- staffgroup – the group all client staff should belong to. Shared files are writeable by this group.
Either of the following commands, run in the directory /etc, will show the current membership of both groups:
$ grep -e sudo -e staffgroup group
$ grep -E "sudo|staffgroup" group
To see the groups a particular user is a member of (the primary group is listed first), use:
$ groups clientuser
clientuser : clientuser staffgroup sudo
Users that shall have sudo must be placed in the sudo group. The first of the following commands makes the user “bob” a member of the group sudo. The second adds the user to two groups, sudo and geeks. The option -a appends to the groups the user is already a member of; without it, -G replaces the whole supplementary group list.
$ sudo usermod -a -G sudo bob
$ sudo usermod -a -G sudo,geeks bob
Source: howtogeek.com.
The following removes the user “bob” from every supplementary group, including sudo if he was in it (the primary group is kept):
$ sudo usermod -G "" bob
To delete a user account and the home directory of user “bob”, use (deluser has no -r short option; that belongs to userdel):
$ sudo deluser --remove-home bob
Source: websiteforstudents.com.
After removing the user from the login, you should check that the user's directory under /home is gone.
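The account steps above, from installing the key to checking group membership and confirming removal, as an added shell example that is not part of the original notes. Every function takes explicit paths and the group file as parameters, so it can be exercised against a scratch tree without root; the commented lines at the end show the real invocation. STAFF_GROUP=staffgroup, the users bob, alice and mallory and the sample group file are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original notes). POSIX sh; all paths are
# parameters so the functions run unprivileged against a scratch directory.
set -eu

STAFF_GROUP="${STAFF_GROUP:-staffgroup}"   # assumed name of the staff group

# Add the first line of a public key file to authorized_keys exactly once,
# with the permissions sshd insists on (dir 700, file 600).
# Prints the number of keys in the file afterwards.
install_key() {
    local pubkey="$1" authfile="$2"
    local sshdir keyline
    sshdir="$(dirname "$authfile")"
    keyline="$(head -n 1 "$pubkey")"
    # Accept only something that looks like an OpenSSH public key of a common type.
    printf '%s\n' "$keyline" | grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' || {
        echo "install_key: $pubkey does not start with an OpenSSH public key" >&2
        return 1
    }
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"
    grep -qxF "$keyline" "$authfile" || printf '%s\n' "$keyline" >> "$authfile"
    grep -c . "$authfile"
}

# Members of a group, one per line, read from an /etc/group-style file.
group_members() {
    local group="$1" file="${2:-/etc/group}"
    awk -F: -v g="$group" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$file"
}

# Supplementary groups a user is listed in (the primary group lives in
# /etc/passwd and is not shown here).
user_groups() {
    local user="$1" file="${2:-/etc/group}"
    awk -F: -v u="$user" '{ n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }' "$file"
}

# Handover check: everyone with sudo must also be client staff.
# Prints the offenders; exit status 1 if there are any.
check_sudo_is_staff() {
    local file="${1:-/etc/group}" bad=0 u
    for u in $(group_members sudo "$file"); do
        if ! user_groups "$u" "$file" | grep -qx "$STAFF_GROUP"; then
            echo "$u"
            bad=1
        fi
    done
    return $bad
}

# After "deluser --remove-home", confirm nothing is left behind.
verify_removed() {
    local user="$1" home="${2:-/home/$1}" left=0
    if [ -e "$home" ]; then echo "home $home still exists"; left=1; fi
    if getent passwd "$user" >/dev/null 2>&1; then echo "passwd entry for $user still exists"; left=1; fi
    return $left
}

# Real use, as root, after "sudo adduser clientuser":
#   install_key /tmp/clientuser.pub /home/clientuser/.ssh/authorized_keys
#   chown -R clientuser:clientuser /home/clientuser/.ssh
#   usermod -a -G staffgroup,sudo clientuser
#   check_sudo_is_staff
```

getent group sudo staffgroup gives the same answer as the grep in the notes and also consults LDAP or SSSD where the host uses them; the functions above read a file instead so they can be tested offline.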
The following files should not be edited directly (if manual editing is unavoidable, use vipw and vigr, which lock them while you edit):
- /etc/passwd – user login names and profile
- /etc/group – groups and membership
- /etc/shadow – hashed login passwords
- /etc/gshadow – hashed group passwords
File names ending with a dash (-) or tilde (~) are just automatic backups created when the original files are altered.
Configure vhost for the client
Allow the user to edit the apache configuration for the vhost. Reloading apache after an edit still requires sudo.
$ cd /etc/apache2/sites-available
$ sudo chgrp clientuser client.org.conf
$ sudo chmod g+w client.org.conf
Set up the Drupal site for the client, and fix permissions.
$ cd /var/www/client.org/web
$ fixperms
fixperms version 2.0.0
fixperms: Fixing file permissions for file tree in and below '/var/www/client.org/web'.
fixperms: Fixing file permissions for file tree in and below '/var/…/default/files'.
Done!
Set up private file system path
This is a local file system path for storing private files. It must be writable by the web server group and not accessible over the web. It is used for backup and migration. To set the path, first create its directory, and adjust group permissions:
$ cd /var
$ sudo mkdir private
$ sudo chgrp www-data private
$ sudo chmod g+w private
You should now be able to configure the “Private file system path” on a Drupal 7 site (e.g. “/var/private/client”) and let the web server create the directory.
On Drupal 8, to set the private file system path, edit the following entry in settings.php:
$settings['file_private_path'] = '/var/private/client';
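The private-path steps above, as an added shell example that is not part of the original notes. It creates the directory group-owned by the web server with no access for others, and refuses or reports a path that resolves to inside the document root, which turns the “not accessible over the web” requirement into something that can be checked. The document root, the web group and the scratch paths are parameters (www-data and /var/www/client.org/web on a real host); chmod 2770 is a deliberate tightening of the g+w in the notes, which leaves the directory world-readable.

```shell
#!/bin/sh
# Added example (not from the original notes). POSIX sh; paths and the web
# group are parameters so the checks can run unprivileged on a scratch tree.
set -eu

# Absolute, symlink-resolved form of a path that may not exist yet: walk up
# to the nearest existing ancestor, resolve it, and re-append the missing tail.
canon() {
    local p="$1" tail="" base
    while [ ! -d "$p" ]; do
        tail="/$(basename "$p")$tail"
        p="$(dirname "$p")"
    done
    base="$(cd "$p" && pwd -P)"
    if [ "$base" = "/" ]; then base=""; fi
    printf '%s%s\n' "$base" "$tail"
}

# Exit 0 if $1 lies inside (or is) $2 after resolving symlinks, else 1.
is_under() {
    local p root
    p="$(canon "$1")"
    root="$(canon "$2")"
    case "$p/" in
        "$root/"*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Create the private directory: group = web server, group-writable, setgid so
# files the web server creates inherit the group, nothing for "other".
# Refuses a path inside the document root. Prints "ok <resolved path>".
setup_private_dir() {
    local dir="$1" docroot="$2" webgroup="$3"
    if is_under "$dir" "$docroot"; then
        echo "refusing: $dir is inside the document root $docroot" >&2
        return 1
    fi
    mkdir -p "$dir"
    chgrp "$webgroup" "$dir"
    chmod 2770 "$dir"
    printf 'ok %s\n' "$(canon "$dir")"
}

# Audit an existing private directory: prints "ok" or the first problem found.
check_private_dir() {
    local dir="$1" docroot="$2"
    if [ ! -d "$dir" ]; then echo "missing"; return 1; fi
    if is_under "$dir" "$docroot"; then echo "inside-docroot"; return 1; fi
    case "$(ls -ld "$dir" | cut -c8-10)" in
        ---) echo "ok" ;;
        *)   echo "world-accessible"; return 1 ;;
    esac
}

# Real use, as root:
#   setup_private_dir /var/private/client /var/www/client.org/web www-data
#   check_private_dir /var/private/client /var/www/client.org/web
```

The Drupal setting itself is unchanged: point file_private_path (or the Drupal 7 admin field) at the directory the script created. The check only proves the directory is outside the document root and not readable by other local accounts; an Alias or a second vhost can still expose any directory, so keep it out of every Apache DocumentRoot and Alias.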
Repos
To see which external repos are subscribed (pattern quoted so the shell does not treat [^#] as a glob):
$ grep '^[^#]' /etc/apt/sources.list /etc/apt/sources.list.d/*
[Should be aliased to "repolist" to emulate RHEL7.]
Source: AskUbuntu.com.
Final word
[TBA]
Last update: 2020-10-06 [gh].