Ubuntu_Server_User_Management.txt

Created: Sunday 18th March 2012, 10:24 PT, AD
Last updated: Saturday 24th March 2012 PT, 8:11 PT, AD

Reference:
https://help.ubuntu.com/11.10/serverguide/C/user-management.html
https://help.ubuntu.com/11.10/index.html

This document is an aide-memoire for the author to explain how to set up new student users on the Ubuntu 11.10 Server and set permissions so that the students have write access only to their own directories.

SEE SUMMARY AT BOTTOM OF THIS PAGE

If you're doing the administration from a remote SSH login via putty, you might want to increase the default connection times as the default cuts you off after a few minutes:

Open /etc/ssh/ssh_config (as root) on your (***client***) computer.
Add the following line:

ServerAliveInterval 5

See "Keep Alive" at the bottom of this page:
https://help.ubuntu.com/community/SSHFS
(Done on Dell Inspiron 1420 laptop)

How to list all your users:
http://www.linuxquestions.org/linux/answers/Networking/How_to_list_all_your_USERs

# cat /etc/passwd |grep "/home" |cut -d: -f1

The above worked and returned:
syslog
anne
usbmux
saned

Check uptime of server:
# uptime
http://www.shanghaiwebhosting.com/choosing-a-web-host/check-for-hosting-server-load-with-linux-ssh-command-uptime

Check which users are currently on the server:
# w

Follow the instructions in here:
https://help.ubuntu.com/11.10/serverguide/C/user-management.html
to set up the new users and new groups, and see the bottom of the same page for how to give ssh access to certain groups.
(see also this page on SSH if you need more info: https://help.ubuntu.com/community/SSHFS )

To create a new group:
# groupadd student

To set up a new user:
# adduser student1
you will be prompted for a password for student1
for now, I used "student1password"

Check that user student1 is now on the list of all users:
(http://www.linuxquestions.org/linux/answers/Networking/How_to_list_all_your_USERs)

# cat /etc/passwd |grep "/home" |cut -d: -f1

The above worked and returned:
syslog
anne
usbmux
saned
student1

When creating a new user, their home directory is /home/username, so for student1, the home directory on the server is /home/student1

# cd /home/student1
# pwd (print working directory)
# ls -al (do a long directory list)

I now need to change the home login directory for student1 from /home/student1 to /var/www/student1

To modify a student:
To modify a student, see:
http://manpages.ubuntu.com/manpages/oneiric/man8/usermod.8.html

# usermod -d /var/www/student1 student1

(this did not create the student1 directory in /var/www, so I did this:)
# cd /var/www
# mkdir student1
# ls -al

Change the owner of /var/www/student1 directory to student1:
# cd /var/www
# chown student1 student1

To add user student1 to group student:
# adduser student1 student

To allow any users in group "student" SSH access:
Restrict SSH access to only user accounts that should have it:
See "Restrict SSH access to only user accounts that should have it." in:
https://help.ubuntu.com/11.10/serverguide/C/user-management.html

# vi /etc/ssh/sshd_config
add the line:
AllowGroups student

******* Actually, when I did this, ssh was permitted for student1, but no longer for myself (user anne), presumably because anne is not a member of student group. So I went back to the actual server machine and had to edit the file again to remove the line AllowGroups student and had to restart the ssh server.
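
The lockout described above can be caught before sshd is restarted. The following is an added example, not part of the original notes: it checks a list of group names against every AllowGroups line in a config file. The function names and the group lists shown for anne and student1 are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: does a user survive the AllowGroups lines in an sshd_config?

# allowed_by_allowgroups CONFIG "group1 group2 ..."
# Exit status 0: no AllowGroups restriction, or one of the groups is listed.
# Exit status 1: AllowGroups is set and none of the groups is listed (lockout).
# Limits (assumptions): exact names only, no wildcard patterns; Match blocks
# and the "keyword=value" form are not interpreted.
allowed_by_allowgroups() {
    awk -v glist="$2" '
        BEGIN { n = split(glist, g, " "); for (i = 1; i <= n; i++) member[g[i]] = 1 }
        # Keywords are case-insensitive; commented-out lines never match.
        tolower($1) == "allowgroups" {
            restricted = 1
            for (i = 2; i <= NF; i++) if ($i in member) ok = 1
        }
        END { if (restricted && !ok) exit 1 }
    ' "$1"
}

# user_survives CONFIG USER: the same check for a real account on this machine.
user_survives() {
    # id -Gn prints the primary and supplementary group names of USER
    allowed_by_allowgroups "$1" "$(id -Gn "$2")"
}

# Constructed sample input: the edit described above, written to a scratch file.
sample=$(mktemp)
printf '%s\n' 'Port 22' 'AllowGroups student' > "$sample"

# Constructed group lists for the two accounts in these notes.
for entry in 'student1:student1 student' 'anne:anne adm'; do
    user=${entry%%:*}
    glist=${entry#*:}
    if allowed_by_allowgroups "$sample" "$glist"; then
        echo "$user: still allowed to log in over SSH"
    else
        echo "$user: would be LOCKED OUT by AllowGroups"
    fi
done
rm -f "$sample"
```

On the server, run user_survives /etc/ssh/sshd_config anne for your own account before restarting sshd, and keep the current session open until a second login succeeds.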

On the Ubuntu documentation, I read that, by default, all users can SSH in to the server:
http://knowledgelayer.softlayer.com/questions/295/How+do+I+permit+specific+users+SSH+access%3F

Now both anne and student1 can login remotely using putty (ssh) from remote laptop.
Now anne can putty and FileZilla into the server.
Now student1 can putty and FileZilla into the server.

# cd /var/www
# ls -al
# chgrp student student1
# ls -al
see screenshot in email 18 March 2012

Need to change the /var/www directory so that "others" cannot read it, cannot write to it, but CAN execute it
Try:
# cd /var
# chmod o-rw www

That seemed to work, when student1 logs in via FileZilla, it is not possible to list the directory www but it is possible to list directory /var

Now, I need to change the /var directory so that "others" cannot read it, cannot write to it, but CAN execute it
Try:
# cd /
# chmod o-rw var

Seemed to work - access is denied on FileZilla

Now need to block access to the root / directory:
Try:
# cd /
# chmod o-rw . (the dot meaning current directory)

Seems to have worked OK.

If I log into the AD4 server as student1 using FileZilla, I can only list the /var/www/student1 directory.
The same applies if I log into AD4 server via putty. I can only list the /var/www/student1 directory.

I copied the file 01-01.php to the /var/www/student1 directory.
01-01.php contains this:

and since the AD4 server has PHP server running, in a browser, this address:
http://50.64.42.85/student1/01-01.php
shows the output "Hello World".
(If you try to View the Source from a browser, you will only see the ***output*** of the PHP code, not the PHP code itself.)

IN SUMMARY - Ubuntu Server User Management
******************************************

Note, my users are going to write to the Internet directory on the server: /var/www
Each student has their own directory in /var/www, e.g.
student1, student2 etc

To set up new users with write permission to only their own directory:

# cd /var/www
# groupadd student
# mkdir student1
# mkdir student2 (etc for as many student users needed)
# adduser student1 (you will be prompted for a password for student1, all other questions, accept default)
# usermod -d /var/www/student1 student1 (changes the home directory from default /home/student1)
# usermod -d /var/www/student2 student2 (etc for each student user)
# chown student1 student1
# chown student2 student2 (etc for each student user)
# adduser student1 student (puts each student into the group student)
# adduser student2 student (etc for each student user)
# chgrp student student1 (changes group permissions of ***directory***)
# chgrp student student2 (etc for each student user)
# cd /var (to get ready to set file permissions on directory www)
# chmod o-rw www (removes read and write access to www for others)
# cd / (to get ready to set file permissions on directory var)
# chmod o-rw var (removes read and write access to var for others)
# cd / (to get ready to set file permissions on root directory /)
# chmod o-rw . (the dot meaning current directory)

By default, all users have SSH access, but see the main notes above to change that.

************************************************************************************************
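
An added example, not part of the original notes, that checks the result of the summary above: every student is in the shared group student and each directory is chgrp'd to that group, so a group write bit on any directory would let every student write there. The function names are assumptions, and the sample tree is constructed in a scratch directory.

```shell
#!/bin/sh
# Added example: audit the per-student directories under the web root.

# shared_write_bits DIR
# Prints "group" and/or "other" when those classes have the write bit on DIR.
# Uses GNU stat (the coreutils version shipped with Ubuntu).
shared_write_bits() {
    mode=$(stat -c %a "$1")            # e.g. 755, or 1777 with the sticky bit
    other=${mode#"${mode%?}"}          # last octal digit
    rest=${mode%?}
    group=${rest#"${rest%?}"}          # second-to-last octal digit
    found=
    case $group in 2|3|6|7) found="group" ;; esac
    case $other in 2|3|6|7) found="${found:+$found }other" ;; esac
    printf '%s' "$found"
}

# audit_student_dirs WEBROOT
# One finding per line; exit status 1 if anything was reported.
audit_student_dirs() {
    status=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        owner=$(stat -c %U "$d")
        bits=$(shared_write_bits "$d")
        if [ "$owner" != "$name" ]; then
            echo "$name: owned by $owner, expected $name"; status=1
        fi
        if [ -n "$bits" ]; then
            echo "$name: writable by $bits"; status=1
        fi
    done
    return $status
}

# Constructed sample tree in a scratch directory (not the real /var/www).
demo=$(mktemp -d)
mkdir "$demo/student1" "$demo/student2"
chmod 755 "$demo/student1"     # what mkdir gives under the usual umask 022
chmod 775 "$demo/student2"     # every member of group student could write here
for d in "$demo"/*/; do
    echo "$(basename "$d"): shared write bits: [$(shared_write_bits "$d")]"
done
rm -rf "$demo"
```

On the server, audit_student_dirs /var/www reports any directory whose owner does not match its name or that the group or others can write to.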