Results 1 to 7 of 7

Thread: Howto define "super users"

  1. #1

    Default Howto define "super users"

    As a business consultant, I've set up my own business and hired 2 java developers who will be developing internal applications.

    Can you advise me how I should give access to the developers to our server?

    We are in the process of buying a small server that will be used for serving MySQL, Apache, Tomcat, subversion, ... Those apps will be for internal use only. The developers would like to have root access to the server to start up and shutdown those services, to change the settings (mostly in /etc) and to look at the logs.

    I'm planning to install opensuse 11.3 on this hardware, XEN and a virtual machine based on opensuse 11.3 (but without any GUI) that will host those apps.

    Should I define 3 users with root access (me + 2 developers) or 1 root (me) and 2 users that will have be part of the mysql, apache, ... group or 1 root for all?

    Do you have any other suggestions to set up my server?

    Ivan

  2. #2

    Default Re: Howto define "super users"

    On 11/15/2010 11:36 AM, eulaersivan wrote:

    > Should I define 3 users with root access (me + 2 developers) or 1 root
    > (me) and 2 users that will have be part of the mysql, apache, ... group
    > or 1 root for all?


    You should set up a normal user account for yourself and the developers
    and one root account.
    When you go through the installation process it will prompt you to
    create a user account. This will be a normal user. Make that your
    account. It should also prompt your for a root password, and should
    make the root account automatically.

    After all's installed, you can add the other two accounts. Do not make
    them part of the root group, however they should probably have sudo
    access. Learn about that in 'man sudoers'. When they need root level
    access to run a command they can just enter 'sudo <COMMAND>' and it will
    execute with root permissions.

    I believe by default openSUSE sets the sudoers to use the administrator
    password. It's probably better to change that so they have to enter
    their own passwords, which is more the norm in other distributions.

    HTH...

    ....Kevin
    --
    Kevin Miller
    Juneau, Alaska
    http://www.alaska.net/~atftb
    In a recent poll, seven out of ten hard drives preferred Linux.

  3. #3
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Howto define "super users"

    OP, being in group mysql, etc, gives nothing. To start and stop services, root equivalent privilege is required. So pay attention to what Kevin wrote about using sudo. You can also restrict them to specific commands in sudoers.

    Generally they will not need to restart things like mysql, Apache, etc. Just leave those running. However they may need to restart the tomcat server, and that only if the WAR deployment method is insufficient.

  4. #4

    Default Re: Howto define "super users"

    Tx, I'll take a look at sudo.

    Can I limit sudo access so that certain directories are not visible or accessible for the 2 developers but only for me (as business owner)?

  5. #5
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,686
    Blog Entries
    4

    Default Re: Howto define "super users"

    You'll want to limit the commands they can do in sudo then. If sudo allows a user to run any command as root, then for all purposes they can become root. For example they can just do

    sudo bash

    and they have a root shell and they can do anything.

  6. #6
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

    Default Re: Howto define "super users"

    On 2010-11-15 22:36, eulaersivan wrote:
    >
    > Tx, I'll take a look at sudo.
    >
    > Can I limit sudo access so that certain directories are not visible or
    > accessible for the 2 developers but only for me (as business owner)?


    In that case, you need two machines: one for them, one for you. Don't give
    them access to your machine. Which is god for other reason: while
    developing, you can make a bad mistake and destroy data... better if that's
    not the real data.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.2 x86_64 "Emerald" at Telcontar)

  7. #7
    Join Date
    Jun 2008
    Location
    Earth - Denmark
    Posts
    10,730

    Default Re: Howto define "super users"

    Carlos E. R. wrote:
    > In that case, you need two machines: one for them, one for you. Don't give
    > them access to your machine. Which is god for other reason: while
    > developing, you can make a bad mistake and destroy data... better if that's
    > not the real data.


    +1
    never let anyone develop software on the machine with the only copy of
    real data..

    (unless you _want_ to hear: We had a little hiccup, and . . .")

    --
    DenverD
    CAVEAT: http://is.gd/bpoMD [posted via NNTP w/openSUSE 10.3]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •