It would seem that it could be easier than adding a user to the server? I typed the adduser
command in the console, answered a couple of questions about the password and other information, and here, you can log in with the received login and password, place files, etc.
Then, manually, you have to create folders. For example, one for the site. The other is for temporary files, so as not to drop them into general / tmp for protection purposes. One more - for sessions if the caching in Redis is not configured. You also need to copy the necessary configuration files, such as the public ssh key for authentication .
All this becomes not too convenient process when users have to create often, if not constantly. Fortunately, we can customize a lot, including the primary parameters during creation (the location of the home folder, a group), and the secondary ones - the necessary folders, settings files.
The initial settings that are determined using the adduser
command are taken from the /etc/adduser.conf file.
Change home folder
Initially, the home folders of all users are located in the / home section. But we can override the location in advance using any other folder, for example / var / www. To do this, edit the parameter DHOME
.
DHOME = / var / www
Pay attention to the parameter SKEL=/etc/skel
. It determines where the settings files and folders for each user will be copied from. Surely you saw .profile , .bashrc files in the folders of your server users. They are just copied from this source. :)
Add users to a single group
With the default parameters, a separate group of the same name is created for each user. But for a web server, you can add different users to the same group in order to better manage your security policy.
When a user is created to host sites, the right to edit / delete files should belong only to him. The web server, be it nginx or apache, should be launched on behalf of another user who can only read files. Other users should not have any rights.
Adding all users in one group, we, then, can set permissions for this group only for reading. And run the web server on behalf of this group. It’s better than adding a web server user to the user groups where the sites are located.
The general group will be the user group www-data . It is specially created for launching web servers, has the most limited rights and cannot use the shell.
In the adduser.conf file, we first need to disable the creation of the group of the same name when creating a user.
USERGROUPS = no
And then indicate the ID of the www-data group.
USERS_GID = 33
As a rule, the identifier is 33. But you should double-check with a command run as root: id www-data
.
And the last parameter to change in this configuration file:
DIR_MODE = 0710
It defines the rights to the home directory of the user / var / www / username . Here we allow all actions to the owner of the files, only execution for the group and do not give any rights to everyone else.
Rights for a specific user and additional files
Now we need to continue to issue the correct rights, but within one user. So that when creating files and folders, they were immediately assigned the necessary rights, edit the umask
parameter in the .bashrc and .profile files accordingly.
umask 027
For folders, these rights will be interpreted as 0750, which allows any actions with files for the owner, reading and execution for the group.
And for files 0640: read / modify for the owner and only read for the group. I recommend to study independently article about access rights in Linux.
Also, do not forget in the / etc / skel directory to update the rights to existing files and folders with the chmod command.
Finally, we create additional folders: for websites, temporary files, sessions, etc. The authorized_keys file with your public key for ssh needs to be located in the user's .ssh folder. As a result, the structure will look something like this:
/ etc / skel -.ssh / --authorized_keys -sessions / -tmp / -www / -.bashrc -.profile
All this will be copied to the user's home directory when it is created.