9

I have an apache2 server running on ubuntu 16.04, for now everytime i access my project files inside a specific folder i use root user for running php function and edit some files, after i finish i need to run chown -R www-data:www-data . inside a terminal, because after i run my php function the file owner will become user:user (root:root). what i need is:

  1. Create new user for my server
  2. When access my server using ssh this user will be inside a specific folder automatically
  3. Grant this user a permission to do anything inside this specific folder

For example, Create a user named tonya, when someone access server using user tonya ssh sonya@server.com, he will be redirected to /var/www/specific_folder, user tonya can do anything inside this folder and when tonya set the php file owner or folder to tonya:www-data it will work like when i set the file owner to www-data:www-data

simple guy
  • 201

1 Answers1

9

You should be able to accomplish this with

adduser --home /var/www/specific_folder --shell /bin/bash --no-create-home --ingroup www-data --ingroup ssh tonya

  • adduser is used to add a user

  • --home specifies home directory which is where the user will be when they log in

  • --shell is to specify the shell, by default it is usually just /bin/sh which is not as user friendly as /bin/bash

  • --no-create-home will not create the home directory so you must use one that already exists

  • --ingroup adds the user to specified group

  • the last argument is the username

You could make the user jailed using this guide:

Please remember that even if you jail a user, it is very possible to escape a jail. If you're giving a user access to your system, you may as well be giving them root access because once they have shell access, it's almost always possible to gain root. Setting up a jail will most likely keep a basic user from doing anything too harmful but will do little to nothing to stop a malicious user from doing harmful stuff.

pa4080
  • 29,831
Desultory
  • 281
  • why there's 2 ingroup? how can this user get my root access? – simple guy Mar 09 '18 at 04:17
  • one ingroup for ssh and one for www-data, and I'm not saying that they will be able to get root access but you should never allow a user on your system if you don't trust them because once they have shell access on your system, they're 50% the way to root basically. New exploits are discovered daily and because of that, you can never consider a system to be secure. – Desultory Mar 09 '18 at 15:48
  • @Desultroy when i change my php file owner from www-data:www-data to tonya:www-data it gives me a file permission error , when i try to access the php from browser – simple guy Mar 14 '18 at 06:41
  • You should probably change the permissions of the file so that it is group based and not owner based. I don't know if php requires the execute permission but it definitely needs the read permission. Permissions can be explained here: https://help.ubuntu.com/community/FilePermissions – Desultory Mar 15 '18 at 00:41