Hi everyone 🙂

TLDR

How do you work with debian and su permission and what’s the best way to do it for better security?

  • Add an user in the sudoers?
  • Give special permissions to a group? User?
  • Always connect to su - (default root)?
  • Add users to groups?

The story is unrelated to the question, but is a direct cause

This is rookie question even though I use linux (ubuntu and recently debian) regularly and have alot of selfhosted docker containers on an old spare laptop.

While this is probably one of the basics you need to know right away when playing arround with sudo or su I wasn’t aware of how you can f#ck everything up with a single command

chmod -R xxx /home/$USER

chown -R …

Why would you do that? Because I’m stupid and how sometimes no idea what I’m doin? I was actually trying to change some permission to create a samba share (that’s another story xD).

Trying to revert everything, alot of my docker containers, certificates and special files were unreadable, unexecutable… That broke my nextcloud instance, synchthing functionalities, linkding http shortcut…

With that big incident, I learned how users, root, sudo/su permission work and recently found out you can add users to groups, like docker so you don’t have to ‘sudo docker’ everytime.

My question

How do you work with debian and su permission and what’s the best way to do it for better security?

  • Add an user in the sudoers?
  • Give special permissions to a group? User?
  • Always connect to su - (default root)?
  • Add users to groups?

Because this is in a homelab environment, there is a minimal risk compared to exposed instances, but I’m interested to learn the best practice right away !

Thank you 😊

  • jsveiga
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    1 year ago

    In my home pc, I don’t use sudo because my wife is the main user, and in the ultra rare occasion I need to be root in the command line (for example, if she didn’t update packages from the GUI for long, I’ll update but I like aptitude better), then I use su. It’s a LTS 18.04 Kubuntu btw. Real users don’t need root. Distro hoppers and tinkerers (nothing wrong with it) do.

    On servers, I also use su. I ssh as a normal user (root ssh is usually disabled), then often immediately su, as if I’m logging into the server, it’s for root work. I sometimes su - down to some specific “service” user to do that user’s tasks (such as git on a gitlab server, or ndbadm on a HANA DB server).

    I only tinker with sudo if I want to create users that will have one single purpose, which needs root permissions, such as restarting a service. In this case that user will be in the sudoers file, with permission for a single script or command, and often that command will be its default shell in /etc/passwd, and someone can ssh (pre shared key) to trigger it if necessary.

    PS: It happened sometimes that I was given a user with full sudo permissions to do root work in someone else’s server, but no root password. Then the first thing I do after logging in is “sudo su -” :-)