Sunday, January 23, 2011

Setting up linux server with multiple access rights

I am a graduate student and want to set up a linux server (preferably Ubuntu) in my office. I also want to give my friends SSH access to that box.

My question is: can I set up my server such that I can give one of my friends rights to install software on my machine, but he cannot browse around outside the directory he is allowed to?

Can I set up multiple apache instances (on different ports) for different people, so each has access to their own apache instance?

  • you can do this with finely controlled access in the /etc/sudoers file. as root, you will want to run the command visudo and add something along the lines of:

    username         ALL =  (root) /usr/bin/apt-get update,        \
                                   /usr/bin/apt-get install
    

    or:

    username         ALL =  (root) /path/to/yum install
    

    depending on if you're using centos or some other distribution that uses yum or debian/ubuntu, which uses apt and apt-get

    those lines, in the /etc/sudoers file would allow username to run the commands /usr/sbin/apt-get update and /usr/sbin/apt-get install [packagenamex] or /path/to/yum install [packagenamex] as the root user, and they will be prompted for /their/ password, not root's. they will have no other privileged access to the machine.

    beyond that, most packages can be compiled from source with commands like:

    ./configure --prefix=/home/username
    make
    make install
    

    which will install the package to their home directory, usually creating a ~/bin ~/lib and ~/usr, etc directories.

    so maybe ./configure --prefix=/home/username/local or something would be more appropriate.

    for setting up apache httpd, to allow each user their own control over their own virtualhost, etc, without running multiple instances, you can add an option to the apache configuration, something like /etc/apache2/apache2.conf, a line that says:

    Include /home/*/httpd/user.conf
    

    the configuration file can be named whatever you want, whatever might be more appropriate, but what this tells apache is to look in /home/*/httpd/ (where * is translated as a glob to whatever subdirectories are under /home) for a file called user.conf where you can permit your users to add information about VirtualHosts

    a normal user could install or configure apache to run out of their home directory on a non-privileged port, if you wanted to grant them access in that way. a non-priv port being anything over 1024, they would have to add a directive to their personal apache configuration saying something like Listen ip.add.re.ss:8888, starting an apache httpd server running on port 8888.

    to be sure they cannot browse into your, or anyone else's, home directories, make sure they are set chmod 700 or chmod 711 (to allow apache httpd access to execute their directory, to get through to /home/username/public_html if you want to have user dirs in apache). you can test this by doing ls -ld /home/username; it should show:

    drwx------ 185 username users 36864 May 18 17:05 /home/username/
    

    for permissions 700, and drwx--x--x for 711. if it shows up drwxr-xr-x then you will need to run chmod 700 /home/username or chmod 711 /home/username

    cpbills : added information about apache and allowing multiple users personalized access.
    From cpbills
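
The `ls -ld` check from the end of the answer above, applied to every directory under /home at once. This is an added example, not part of cpbills' answer; the function name `audit_homes` is hypothetical, and it only defines the function, so nothing runs until you call it.

```shell
#!/bin/sh
# Added example (not from the original answer): audit home directory modes.
# Reports every directory under a base path whose mode is not 700 or 711,
# the two settings the answer recommends.

# audit_homes [base_dir]   (base_dir defaults to /home)
# Prints "<mode> <path>" for each directory that is looser than (or simply
# different from) drwx------ / drwx--x--x.
# Returns 0 when every directory passes, 1 when at least one is reported.
audit_homes() {
    base=${1:-/home}
    rc=0
    for dir in "$base"/*/; do
        [ -d "$dir" ] || continue      # glob matched nothing
        dir=${dir%/}                   # drop the trailing slash from the glob
        [ -L "$dir" ] && continue      # skip symlinks, audit real directories only
        # First 10 characters of ls -ld: file type plus the three rwx triplets.
        # Cutting at 10 drops a trailing "+" or "." (ACL / SELinux markers).
        mode=$(ls -ld "$dir" | cut -c1-10)
        case $mode in
            drwx------|drwx--x--x)
                ;;                     # 700 or 711: matches the answer's advice
            *)
                printf '%s %s\n' "$mode" "$dir"
                rc=1
                ;;
        esac
    done
    return $rc
}
```

Source the file and run `audit_homes /home`; each reported path can then be fixed with `chmod 700` or `chmod 711` as described above.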
