User Management (Bullseye)
Jump to navigation
Jump to search
At best, there's me, and one or two people I'm training, who actually have shell access.
So I make my user settings pretty global.
Users and Groups
Some of this stuff is discussed in various relevant sections as well.
addgroup --gid 70 wheel addgroup --gid 72 hugepager addgroup --gid 99 websites addgroup --gid 900 vmail useradd -d /var/vmail -s /usr/sbin/nologin -g 900 -r -u 900 vmail usermod -a -G adm,cdrom,audio,src,staff,games,users,wheel adminusernamehere usermod -a -G wheel root
Adding wheel to root for stuff like ninja.
/etc/bash.bashrc
# Enable completion shopt -s histappend HISTCONTROL=ignoreboth HISTFILESIZE=65536 HISTSIZE=256 # There is a point at which either just typing it # again or looking through the file is more productive...
/etc/profile.d/ls.sh
# Colors and aliasing
# Prefer to set this up as an 'include' instead. Easier to make
# alias changes that I may be using across a large number of accounts.
# Check for interactive bash
[ -z "$BASH_VERSION" -o -z "$PS1" ] && return
if [ -x /usr/bin/dircolors ]; then
test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
alias ls='ls --color=auto -A'
alias l='ls --color=auto -la'
else
alias ls='ls -A'
alias l='ls -la'
fi
Default /etc/skel
mkdir /etc/skel/.ssh touch /etc/skel/.ssh/authorized_keys touch /ect/skel/.viminfo touch /ect/skel/.toprc chmod 640 /etc/skel/.bash_logout /etc/skel/.bashrc /etc/skel/.profile /etc/skel/.toprc /etc/skel/.ssh/authorized_keys /etc/skel/.viminfo chmod 750 /etc/skel/.ssh/ /etc/skel/
I also add my own public key to authorized_keys here.
/etc/skel/.toprc
RCfile for "top with windows" # shameless braggin'
Id:a, Mode_altscr=0, Mode_irixps=1, Delay_time=0.500, Curwin=2
Def fieldscur=ABEGHIOPSQTNWKMcdfJLrUVYZX
winflags=64808, sortindx=0, maxtasks=0
summclr=1, msgsclr=1, headclr=3, taskclr=1
Job fieldscur=ABcefgjlrstuvyzMKNHIWOPQDX
winflags=64825, sortindx=0, maxtasks=0
summclr=6, msgsclr=6, headclr=7, taskclr=1
Mem fieldscur=ABGCNOPQRSTUVdefJlMyzWHIKX
winflags=64808, sortindx=2, maxtasks=0
summclr=2, msgsclr=1, headclr=6, taskclr=1
Usr fieldscur=ABDECGfhijlopqrstuvyzMKNWX
winflags=62777, sortindx=4, maxtasks=0
summclr=3, msgsclr=3, headclr=2, taskclr=3
I am addicted to my personal top settings.
/etc/skel/.bashrc
# ~/.bashrc: executed by bash(1) for non-login shells.
# see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
# for examples
# If not running interactively, don't do anything
case $- in
*i*) ;;
*) return;;
esac
# Alias definitions.
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
# Get your fortune cookie!
# Place here so user can nuke/edit as desired.
# Probably should fix cowsay to handle line breaks better.
if [ -f /usr/games/fortune ]; then
if [ -f /usr/games/cowsay ]; then
/usr/games/fortune -a | /usr/games/cowsay -W 75 -p
else
/usr/games/fortune -a
fi
fi
/root/.bashrc
While I copy other skeleton files to root/admin users, a separate .bashrc file is nice even if some of the reason for it is legacy. The talking cow does get a bit annoying bouncing in and out of root all the time.
# ~/.bashrc: executed by bash(1) for non-login shells.
#When restarting mysql, the memlock value gets taken from root's limits, so if we
#are more restrictive, hugepage allocation will fail.
ulimit -l 33554432
ulimit -n 65536
# If not running interactively, don't do anything further
case $- in
*i*) ;;
*) return;;
esac
# Alias definitions.
# I like using nologin for most users, but this can make maintenance difficult, so...
alias sub="su -s /bin/bash"
# You may want to put all your additions into a separate file like
# ~/.bash_aliases, instead of adding them here directly.
# See /usr/share/doc/bash-doc/examples in the bash-doc package.
if [ -f ~/.bash_aliases ]; then
. ~/.bash_aliases
fi
/etc/webskel
A web skeleton file to help simplify site deployment.
cp -R /etc/skel /etc/webskel mkdir /etc/webskel/logs mkdir /etc/webskel/docs mkdir /etc/webskel/priv chmod 750 /etc/webskel/logs /etc/webskel/docs /etc/webskel/priv
- /etc/webskel/.ssh/authorized_keys
- add no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding before ssh-rsa for each key, as well as when you add user keys.
cp /etc/adduser.conf /etc/webuser.conf
- /etc/webuser.conf:
- DSHELL=/usr/sbin/nologin
- SKEL=/etc/webskel
User adding scripts
Because it's all about typing fewer characters.
/root/secadd.sh
#!/bin/sh # This is for adding other administrative users, special # accounts (e.g. for minecraft or git) and so on. if [ $1 ] ; then /usr/sbin/adduser --gecos "" $1 /bin/chmod 0750 /home/$1 else echo "Usage: secadd.sh username" fi
/root/webadd.sh
#!/bin/sh # This still doesn't do everything it should. Need to flesh it out more. if [ $1 ] ; then /usr/sbin/adduser --shell /usr/sbin/nologin --disabled-password --gecos "" --conf /etc/webuser.conf $1 /bin/sed "s/USERNAME/$1/g" /root/fpmnginx.conf > /etc/nginx/sites/$1.conf /bin/sed "s/USERNAME/$1/" /root/fpmpool.conf > /etc/php5/fpm/pool.d/$1.conf /bin/chmod 0751 /home/$1 /bin/chown root /home/$1 /bin/chown root /home/$1/.ssh /bin/chown root /home/$1/.ssh/authorized_keys /bin/chgrp www-data /home/$1/docs /usr/sbin/usermod -a -G websites $1 /usr/bin/systemctl restart php-fpm else echo "Usage: webadd.sh username" fi
This makes use of the templates we make in other parts of the guide, applying them accordingly. It also sets up a locked down sftp access, from our /etc/ssh/sshd_config
While the nginx config is connected to fpm properly, you still need to assign an IP address and call it.