How to set up sudo for programmer users?
Virtual machines with Ubuntu 14.04.3 LTS Server.
Task: to give third-party contractors (freelancers, studio employees) access to them, so that they can:
- install software, configure the environment, run the software being developed, read the necessary logs;
- but at the same time, if possible, limit them as much as possible in installing malware and misusing machines (sending spam, for example).
It is also desirable to restrict user access to other user directories.
What groups need to be created, how to set up sudoers?
It is clear that if we give the opportunity to install software and run it, then this is a direct way to install shells and other trash. And yes, of course, people must be trusted, especially those with whom you cooperate (why otherwise cooperate).
Risks need to be reduced, not eliminated entirely.
It seems to me that you have a contradiction: "give them the opportunity to install software" and "restrict them in installing malware."
Setting up the VPS and the basic environment is up to you. There are many tools for this - Ansible, Puppet, etc.
And in sudoers you give the user the right to manage certain services only (nginx, mysql, php-fpm). Let all other actions be done under the local user. For nginx, for example, you define include files that are placed in user folders. Well, with many services, this is also possible.
Well, let the addition of non-core software be on request.
Why would third-party contractors install software?
Reading the logs is controlled entirely by the group that the user is a member of, and they will not get into other people's home directories either.
If you work out why third-party people suddenly need to install software, then we can suggest something else, for example, locking them in their own LXC containers.
I advise allocating an LXC container to each group and letting them tinker inside; if some common resources are needed, forward ports to the necessary containers.
I think rights should be issued only on demand. I think you just need to set the rights correctly. Create a group and change the group for the necessary directories and files. Reading logs means read access. I don't know about installing programs; in theory, you can install locally from sources or give the group write permissions to /var/lib/dpkg/ :) In Linux, everything is a file!
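The suggestion above to give contractors sudo rights only for managing certain services (nginx, mysql, php-fpm) could look like the following drop-in. This is an added example, not part of any answer in the thread; the group name `contractors`, the file name and the exact service names are assumptions.

```sudoers
# /etc/sudoers.d/contractors   (hypothetical file name)
# Edit only through: visudo -f /etc/sudoers.d/contractors
# Files in /etc/sudoers.d should be owned by root, mode 0440, and the
# file name must not contain a '.' or end in '~', or sudo skips it.

# Service names are assumptions. On Ubuntu 14.04 the PHP-FPM service
# is normally called php5-fpm; adjust to what is actually installed.
Cmnd_Alias NGINX_SVC = /usr/sbin/service nginx status, \
                       /usr/sbin/service nginx reload, \
                       /usr/sbin/service nginx restart

Cmnd_Alias MYSQL_SVC = /usr/sbin/service mysql status, \
                       /usr/sbin/service mysql restart

Cmnd_Alias PHP_SVC   = /usr/sbin/service php5-fpm status, \
                       /usr/sbin/service php5-fpm reload, \
                       /usr/sbin/service php5-fpm restart

# Each entry is a full path with a full argument list and no wildcards,
# so sudo allows exactly these invocations and nothing else.
# Do not add editors, pagers, interpreters or package managers here:
# any of them can start a root shell, which defeats the restriction.
# No NOPASSWD tag: the contractor's own password is still required,
# and every call is recorded in /var/log/auth.log.
%contractors ALL = (root) NGINX_SVC, MYSQL_SVC, PHP_SVC

# Log reading is not granted through sudo. It is handled by group
# membership and file permissions, for example the 'adm' group that
# can read most files under /var/log on Ubuntu.
```

Check the syntax with `visudo -cf /etc/sudoers.d/contractors` before relying on it, and confirm what a given account ends up with by running `sudo -l -U <user>` as root.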