Categories

JavaScriptPHPHTMLCssPythonWordPressWeb developmentLinuxMySQLAndroidWindowsJavaC++ / C#LayoutReactUbuntuYiiDjangoProgramming1C-BitrixLaravelSystem administrationTelegramJSONDebianPostgreSQLIOSGoogleHtaccessWindows ServerGitMacOSGoogle ChromeCMSWooСommerceBootstrapNginxSQLUnityAPI
Make a leaderReport
O
O
Omnorot2016-02-04 14:55:34
linux
Omnorot, 2016-02-04 14:55:34

How to set up sudo for programmer users?

Virtual machines with Ubuntu 14.04.3 LTS Server.
Task: to give them access to third-party contractors (freelancers, studio employees), so that they can:
— install software, configure the environment, run the software being developed, read the necessary logs;
- but at the same time , if possible, limit them as much as possible in installing malware and misusing machines (sending spam, for example).
It is also desirable to restrict user access to other user directories.
What groups need to be created, how to set up sudoers?
It is clear that if we give the opportunity to install software and run it, then this is a direct way to install shells and other trash. And yes, of course, people must be trusted, especially those with whom you cooperate (why otherwise cooperate).
Risks need to be reduced , not eliminated entirely.

Reply
Answer the question

Answer the question

In order to leave comments, you need to log in

6 answer(s)
Report
A
Alexey Yamschikov, 2016-02-04
@mobilesfinks

It seems to me that you have a contradiction: "give them the opportunity to install software" and "restrict them in installing malware."
Setting up the VPS and the basic environment is up to you. There are many tools for this - Ansible, Puppet, etc.
And in sudoers you give the user the right to manage certain services only (nginx, mysql, php-fpm). Let all other actions be done under the local user. For nginx, for example, you define include files that are placed in user folders. Well, with many services, this is also possible.
Well, let the addition of non-core software be on request.

Report
E
Ergil Osin, 2016-02-04
@Ernillew

Why would third-party contractors install software?
To read the logs, it is completely controlled by the group that the user is a member of, and they will not fall into other people's hamsters either.
If you decide why all of a sudden third-party people install software, then we will offer something else, for example, lock them in their own lxc-basins.

Report
B
borodka_lenina, 2016-02-04
@borodka_lenina

I advise each group to allocate an LXC container and let them tinker inside, if some common resources are needed - forward ports to the necessary containers.

Report
I
Ilya, 2016-02-04
@mirspo

I think to issue rights only on demand. I think you just need to set the rights correctly. Create a group and change the group for the necessary directories and files. Read logs - read access. I don't know about installing programs - in theory, you can install locally from sources or give the group write permissions to /var/lib/dpkg/ :): In lunux, everything is a file!

Report
M
Mikhail Konyukhov, 2016-02-06
@piromanlynx

Put them in a chroot. We have such comrades and live.

Report
A
alexander sm1ly, 2016-02-11
@sm1ly

and look towards lshell

Similar questions
D
Danil2020-03-14 19:16:34
How to create custom macros for text in PHP? 7Reply
S
sasvak2017-08-02 20:52:05
How to create and mount a swap file in /swap/9p? 1Reply
A
AlexStolman2015-08-28 01:05:10
What does it mean to switch a repository with a key? 1Reply
A
Alexander Belikov2015-08-28 13:02:02
How to make a file rename loop in bash? 4Reply
A
alexey_efimov2015-08-28 22:22:46
Why is the webserver on port 8080 not visible from the outside? 1Reply

Didn't find what you were looking for?

Ask your question

Ask a Question

731 491 924 answers to any question