Ubuntu for clients

by Gisle Hannemyr

Notes for preparing an Ubuntu web server for use by a client.

Introduction

First set up a DO droplet as I would for one of my own projects.

The following names will be used in examples. Replace with actual values for the client:

Example input is used where appropriate.

Install HNM custom utilities

Install purge and fixperms.

Edit fixperms.c and set STAFF and PHPMA to suitable values:

#define STAFF "clientuser"
#define PHPMA "clientadmin"

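Compile and install fixperms. The setuid step leaves the binary owned by root with the setuid and setgid bits set (chmod +s), so it runs with root privileges regardless of who invokes it: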

$ make
gcc -o fixperms fixperms.c
$ make setuid
sudo chown root fixperms; sudo chmod +s fixperms
$ make install
sudo chown root fixperms; sudo chmod +s fixperms
sudo mv fixperms /usr/local/bin/fixperms
$ fixperms -h
fixperms version 2.0.0
   Will traverse the file tree below siteroot and set group to "clientuser" for
   each file and directory except subdirectory "clientadmin". Will make sure all
   has read access to everything, and will make the public file directory and
   subdirectories writeable.
   If siteroot is not given on the command line, current directory will be
   used.
   Will not fix SELinux permissions.
   Will abort (-1) on first failure.
usage: fixperms [-hv -s siteroot]
   -h=help, -v=verbose, -w=siteroot
example:
   fixperms -s /var/www/example.org/html

Set up and delete user account

Create a user account for the client user. Only the password is required, but it is nice to have the full name and work phone as part of the user profile. Avoid non-ASCII characters in any field.

$ sudo adduser clientuser
Enter new UNIX password: password
Retype new UNIX password: password
passwd: password updated successfully
Changing the user information for username
Enter the new value, or press ENTER for the default
	Full Name []: Bob Doe
	Room Number []: 
	Work Phone []: 12345678
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n]  Y

This will add the user, set up the user's home directory and also create a group with the same name.

Then add the clientuser's public key to .ssh/authorized_keys in the clientuser's home directory. The procedure is described in another chapter about the Unix shell.

Next, configure group membership. Two groups matter:

Either of the following commands, run in the directory /etc, will show current membership of both groups:

$ grep -e sudo -e staffgroup group
$ egrep "sudo|staffgroup" group

To see the groups a particular user is a member of, use:

$ groups clientuser
clientuser : staffgroup sudo

Users who shall have sudo rights must be placed in the group sudo. The first of the following commands makes the user “bob” a member of the group sudo. The second adds the user to two groups: sudo and geeks. The option -a appends these to any groups the user is already a member of.

$ sudo usermod -a -G sudo bob
$ sudo usermod -a -G sudo,geeks bob

Source: howtogeek.com.

The following will make the user “bob” a member of no group.

$ sudo usermod -G "" bob

To delete a user account and related files for user “bob”, use:

$ sudo deluser -r bob

Source: websiteforstudents.com.

After deleting the user account, you should check that the user's directory under /home is gone.

The following files should not be edited directly:

File names ending with a dash (-) or tilde (~) are just automatic backups created when the original files are altered.

Configure vhost for the client

Allow the user to edit the Apache configuration for the client's vhost.

$ cd /etc/apache2/sites-available
$ sudo chgrp clientuser client.org.conf
$ sudo chmod g+w client.org.conf

Set up the Drupal site for the client, and fix permissions.

$ cd /var/www/client.org/web
$ fixperms
fixperms version 2.0.0
fixperms: Fixing file permissions for file tree in and below '/var/www/client.org/web'.
fixperms: Fixing file permissions for file tree in and below '/var/…/default/files'.
Done!

Set up private file system path

This is a local file system path for storing private files. It must be writable by the web server group and not accessible over the web. It is used for backup and migration. To set the path, first create its directory, and adjust group permissions:

$ cd /var
$ sudo mkdir private
$ sudo chgrp www-data private
$ sudo chmod g+w private

You should now be able to configure the “Private file system path” on a Drupal 7 site (e.g. “/var/private/client”) and let the web server create the directory.

On Drupal 8, to set the private file system path, edit the following entry in settings.php:

$settings['file_private_path'] = '/var/private/client';
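
One way to verify the steps above before pointing Drupal at the directory, as an added example that is not part of the original notes. The function name check_private_path is hypothetical, “not accessible over the web” is approximated as “not located below the site's web root” (an assumption), and the world-writable test is an extra check the notes do not state.

```shell
#!/bin/sh
# Added example, not part of the original notes.
# check_private_path DIR DOCROOT GROUP
#   DIR     private file directory (the notes use /var/private)
#   DOCROOT web root of the site (the notes use /var/www/client.org/web)
#   GROUP   web server group name or numeric gid (www-data in the notes)
# Returns 0 when every check passes, 1 otherwise. Requires GNU stat.
check_private_path() {
    dir=$1 docroot=$2 grp=$3 bad=0

    [ -d "$dir" ] || { echo "FAIL: $dir is not a directory"; return 1; }

    # Resolve the expected group to a gid (a numeric argument is used as is).
    case $grp in
        *[!0-9]*) want=$(getent group "$grp" | cut -d: -f3) ;;
        *)        want=$grp ;;
    esac
    have=$(stat -c %g "$dir")
    if [ "$have" != "$want" ]; then
        echo "FAIL: group of $dir is gid $have, expected $grp"; bad=1
    fi

    # stat prints the mode in octal; the leading 0 makes the shell read it so.
    mode=$(stat -c %a "$dir")
    if [ $(( 0$mode & 0020 )) -eq 0 ]; then
        echo "FAIL: $dir (mode $mode) is not group-writable"; bad=1
    fi
    # Extra check beyond the notes: nobody outside owner and group may write.
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "FAIL: $dir (mode $mode) is world-writable"; bad=1
    fi

    # Symlinks are resolved first, so a path that is only a link to a
    # directory below the web root is still caught.
    real=$(readlink -f "$dir")
    root=$(readlink -f "$docroot")
    case "$real/" in
        "$root"/*) echo "FAIL: $real is inside the web root $root"; bad=1 ;;
    esac

    [ "$bad" -eq 0 ] && echo "OK: $dir"
    return "$bad"
}

# Run the check when called with arguments, e.g.:
#   sh check_private.sh /var/private /var/www/client.org/web www-data
if [ "$#" -ge 3 ]; then check_private_path "$@"; fi
```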

Repos

To see which external repos are subscribed to:

$ grep '^[^#]' /etc/apt/sources.list /etc/apt/sources.list.d/*

[Should be aliased to "repolist" to emulate RHEL7.]

Source: AskUbuntu.com.

Final word

[TBA]


Last update: 2020-10-06 [gh].