User Management (Wheezy)

At best, there's me, and one or two people I'm training, who actually have shell access.

So I make my user settings pretty global.

Users and Groups
Some of this stuff is discussed in various relevant sections as well.

    addgroup --gid 70 wheel
    addgroup --gid 72 hugepager
    addgroup --gid 999 vmail
    # useradd leaves the password locked by default; --disabled-password and
    # --gecos are adduser options, so -c "" is used for the empty GECOS field here.
    useradd -d /var/vmail -s /usr/sbin/nologin -g 999 -r -u 999 -c "" vmail
    usermod -a -G adm,cdrom,audio,src,staff,games,users,wheel adminusernamehere
    # Adding wheel to root for stuff like ninja.
    usermod -a -G wheel root

/etc/bash.bashrc
    # Enable completion
    shopt -s histappend
    HISTCONTROL=ignoreboth
    # There is a point at which either just typing it
    # again or looking through the file is more productive...
    HISTFILESIZE=65536
    HISTSIZE=256

/etc/profile.d/ls.sh
    # Colors and aliasing
    # Prefer to set this up as an 'include' instead. Easier to make
    # alias changes that I may be using across a large number of accounts.

    # Check for interactive bash
    [ -z "$BASH_VERSION" -o -z "$PS1" ] && return

    if [ -x /usr/bin/dircolors ]; then
        test -r ~/.dircolors && eval "$(dircolors -b ~/.dircolors)" || eval "$(dircolors -b)"
        alias ls='ls --color=auto -A'
        alias l='ls --color=auto -la'
    else
        alias ls='ls -A'
        alias l='ls -la'
    fi

Default /etc/skel
    mkdir /etc/skel/.ssh
    # the key file lives inside .ssh, which is also where the chmod below expects it
    touch /etc/skel/.ssh/authorized_keys
    chmod 640 /etc/skel/.bash_logout /etc/skel/.bashrc /etc/skel/.profile /etc/skel/.toprc /etc/skel/.ssh/authorized_keys
    chmod 750 /etc/skel/.ssh/ /etc/skel/

I also add my own public key to authorized_keys here.

/etc/skel/.toprc
    RCfile for "top with windows"          # shameless braggin'
    Id:a, Mode_altscr=0, Mode_irixps=1, Delay_time=0.500, Curwin=2
    Def    fieldscur=ABEGHIOPSQTNWKMcdfJLrUVYZX
           winflags=64808, sortindx=0, maxtasks=0
           summclr=1, msgsclr=1, headclr=3, taskclr=1
    Job    fieldscur=ABcefgjlrstuvyzMKNHIWOPQDX
           winflags=64825, sortindx=0, maxtasks=0
           summclr=6, msgsclr=6, headclr=7, taskclr=1
    Mem    fieldscur=ABGCNOPQRSTUVdefJlMyzWHIKX
           winflags=64808, sortindx=2, maxtasks=0
           summclr=2, msgsclr=1, headclr=6, taskclr=1
    Usr    fieldscur=ABDECGfhijlopqrstuvyzMKNWX
           winflags=62777, sortindx=4, maxtasks=0
           summclr=3, msgsclr=3, headclr=2, taskclr=3

I am addicted to my personal top settings. Maybe should see a therapist.

/etc/skel/.bashrc
    # ~/.bashrc: executed by bash(1) for non-login shells.
    # see /usr/share/doc/bash/examples/startup-files (in the package bash-doc)
    # for examples

    # If not running interactively, don't do anything
    case $- in
        *i*) ;;
          *) return;;
    esac

    # Alias definitions.
    # You may want to put all your additions into a separate file like
    # ~/.bash_aliases, instead of adding them here directly.
    # See /usr/share/doc/bash-doc/examples in the bash-doc package.
    if [ -f ~/.bash_aliases ]; then
        . ~/.bash_aliases
    fi

    # Get your fortune cookie!
    # Place here so user can nuke/edit as desired.
    # Probably should fix cowsay to handle line breaks better.
    if [ -f /usr/games/fortune ]; then
        if [ -f /usr/games/cowsay ]; then
            /usr/games/fortune -a | /usr/games/cowsay -W 75 -p
        else
            /usr/games/fortune -a
        fi
    fi

/root/.bashrc
While I copy other skeleton files to root/admin users, a separate .bashrc file is nice even if some of the reason for it is legacy. The talking cow does get a bit annoying bouncing in and out of root all the time.

    # ~/.bashrc: executed by bash(1) for non-login shells.

    # When restarting mysql, the memlock value gets taken from root's limits, so if we
    # are more restrictive, hugepage allocation will fail.
    ulimit -l 33554432
    ulimit -n 65536

    # If not running interactively, don't do anything further
    case $- in
        *i*) ;;
          *) return;;
    esac

    # Alias definitions.
    # I like using nologin for most users, but this can make maintenance difficult, so...
    alias sub="su -s /bin/bash"

    # You may want to put all your additions into a separate file like
    # ~/.bash_aliases, instead of adding them here directly.
    # See /usr/share/doc/bash-doc/examples in the bash-doc package.
    if [ -f ~/.bash_aliases ]; then
        . ~/.bash_aliases
    fi

/etc/webskel
A web skeleton file to help simplify site deployment.

    cp -R /etc/skel /etc/webskel
    mkdir /etc/webskel/logs
    mkdir /etc/webskel/docs
    mkdir /etc/webskel/priv
    touch /etc/webskel/.viminfo
    chmod 640 /etc/webskel/.viminfo
    chmod 750 /etc/webskel/logs /etc/webskel/docs /etc/webskel/priv


 * /etc/webskel/.ssh/authorized_keys
 * add no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding before ssh-rsa for each key, as well as when you add user keys.
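Adding those options by hand to every key is error-prone, and a key that slips through without them gets a full shell-capable session. The script below is an added example (not part of the original page) that prepends exactly the option list above to every key line in an authorized_keys file that does not already carry options, and can also report how many unrestricted keys a file still contains. It assumes GNU/POSIX awk and the OpenSSH key type names; the sample keys in the usage are constructed, not real key material.

```shell
#!/bin/sh
# Added example, not from the page: apply the key restrictions listed above to an
# authorized_keys file in one pass instead of editing each key by hand.
# OPTS is the option list given on the page; key type names are OpenSSH's.

OPTS='no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding'

# A line whose first field is a bare key type carries no options yet.
KEYTYPE='^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521))$'

# unrestricted_keys FILE: print how many key lines in FILE have no options.
unrestricted_keys() {
    awk -v re="$KEYTYPE" '$1 ~ re { n++ } END { print n + 0 }' "$1"
}

# restrict_keys FILE: write FILE to stdout with OPTS prepended to every
# unrestricted key line; blank lines, comments and keys that already have
# options pass through unchanged.
restrict_keys() {
    awk -v re="$KEYTYPE" -v opts="$OPTS" '
        /^[[:space:]]*$/ || /^#/ { print; next }
        $1 ~ re                  { print opts " " $0; next }
                                 { print }
    ' "$1"
}

# Usage (as root, on the real file):
#   sh restrict_keys.sh /home/USERNAME/.ssh/authorized_keys > /tmp/ak.new
#   mv /tmp/ak.new /home/USERNAME/.ssh/authorized_keys
if [ "$#" -gt 0 ]; then
    restrict_keys "$1"
fi
```

Run `unrestricted_keys` over each account's file after deployment as a quick audit; a non-zero count means a key was added without the restrictions.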

cp /etc/adduser.conf /etc/webuser.conf


 * /etc/webuser.conf:
 * DSHELL=/usr/sbin/nologin
 * SKEL=/etc/webskel

User adding scripts
Because it's all about typing fewer characters.

/root/secadd.sh
    #!/bin/sh
    # This is for adding other administrative users, special
    # accounts (e.g. for minecraft or git) and so on.
    if [ -n "$1" ] ; then
        /usr/sbin/adduser --gecos "" "$1"
        /bin/chmod 0750 "/home/$1"
    else
        echo "Usage: secadd.sh username"
    fi

/root/webadd.sh
    #!/bin/sh
    # This still doesn't do everything it should. Need to flesh it out more.
    if [ -n "$1" ] ; then
        /usr/sbin/adduser --shell /usr/sbin/nologin --disabled-password --gecos "" --conf /etc/webuser.conf "$1"
        # fill in the nginx and php-fpm templates for this account
        /bin/sed "s/USERNAME/$1/g" /root/fpmnginx.conf > "/etc/nginx/sites/$1.conf"
        /bin/sed "s/USERNAME/$1/g" /root/fpmpool.conf > "/etc/php5/fpm/pool.d/$1.conf"
        # root-owned home and key file: needed for ChrootDirectory, and keeps the
        # user from editing their own key restrictions
        /bin/chmod 0751 "/home/$1"
        /bin/chown root "/home/$1"
        /bin/chown root "/home/$1/.ssh"
        /bin/chown root "/home/$1/.ssh/authorized_keys"
        /bin/chgrp www-data "/home/$1/docs"
        /etc/init.d/php5-fpm reload
    else
        echo "Usage: webadd.sh username"
    fi
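Both scripts hand `$1` straight to adduser, sed and chmod, so a typo or a stray character in the name produces a half-created account (a home directory, an nginx config and a pool file that do not match). The functions below are an added example, not part of the page's scripts: a username check using the `NAME_REGEX` default from Debian's /etc/adduser.conf (`^[a-z][-a-z0-9_]*$`) plus useradd's 32-character limit, and a pre-check that refuses to run when the home already exists or a template is missing. The `HOME_BASE` and `TEMPLATE_DIR` parameters are my addition so the check can be exercised on a scratch tree; in webadd.sh you would call `webadd_precheck "$1" || exit 1` before adduser with the defaults.

```shell
#!/bin/sh
# Added example (not from the page): the checks secadd.sh and webadd.sh skip
# before they hand $1 to adduser, sed and chmod. HOME_BASE and TEMPLATE_DIR
# default to the page's /home and /root; they are parameters only so the
# functions can be run against a scratch tree.

# valid_username NAME: 0 if NAME matches adduser's default NAME_REGEX
# (^[a-z][-a-z0-9_]*$) and is at most 32 characters (useradd's limit).
valid_username() {
    case $1 in
        ''|*[!a-z0-9_-]*) return 1 ;;   # empty, or a character outside the set
        [!a-z]*)          return 1 ;;   # must start with a lowercase letter
    esac
    [ "${#1}" -le 32 ]
}

# webadd_precheck NAME [HOME_BASE] [TEMPLATE_DIR]
# Refuse names that are invalid, already have a home directory, or whose
# nginx/fpm templates are missing, so nothing is created for a bad name.
webadd_precheck() {
    name=$1; base=${2:-/home}; tpl=${3:-/root}
    if ! valid_username "$name"; then
        echo "webadd: invalid username '$name'" >&2
        return 1
    fi
    if [ -e "$base/$name" ]; then
        echo "webadd: $base/$name already exists" >&2
        return 1
    fi
    for f in fpmnginx.conf fpmpool.conf; do
        if [ ! -r "$tpl/$f" ]; then
            echo "webadd: template $tpl/$f missing" >&2
            return 1
        fi
    done
    return 0
}

# Usage: sh webadd_precheck.sh USERNAME   (exit status 0 means safe to proceed)
if [ "$#" -gt 0 ]; then
    webadd_precheck "$1"
fi
```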

This makes use of the templates we make in other parts of the guide, applying them accordingly. It prepares the account for chrooted sftp access, but you still need to add

    Match User accountname
        ChrootDirectory /home/accountname
        AllowTCPForwarding no
        X11Forwarding no
        ForceCommand internal-sftp

to /etc/ssh/sshd_config accordingly. Have not gotten around to properly automating this.
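sshd will refuse the chroot (and the user simply cannot log in) unless /home/accountname and every directory above it are owned by root and not writable by group or other, which is why webadd.sh chowns the home to root and uses mode 0751. Note also that a Match block applies to every directive that follows it until the next Match, so it has to go at the end of sshd_config. The script below is an added example, not the page's own code, that audits a home directory before the Match block is enabled: it walks the chroot path checking ownership and write bits, and confirms the layout webadd.sh establishes (root-owned home at 0751, root-owned .ssh and authorized_keys, docs in group www-data). It assumes GNU stat as shipped with Debian coreutils. The TOP and OWNER parameters are my addition so the checks can be exercised on a scratch tree without root; on the real system leave them at the defaults (/ and root).

```shell
#!/bin/sh
# Added example (not from the page): audit a home directory produced by
# webadd.sh before enabling its sshd Match block.
#
# sshd requires ChrootDirectory and every ancestor to be root-owned and not
# writable by group or other. TOP/OWNER/GROUP exist so the functions can be
# run on a scratch tree; in production use the defaults (/, root, www-data).

# path_info PATH: print "owner group symbolic-mode" (GNU stat, as on Debian).
path_info() { stat -c '%U %G %A' "$1"; }

# check_chroot_dir DIR [TOP] [OWNER]
# Walk from DIR up to TOP (default /) and fail on the first component that is
# not owned by OWNER (default root) or is writable by group or other.
check_chroot_dir() {
    dir=$1; top=${2:-/}; want=${3:-root}
    while :; do
        info=$(path_info "$dir") || return 1
        set -- $info
        owner=$1; mode=$3
        gw=$(printf '%s' "$mode" | cut -c6)   # group write bit of drwxrwxrwx
        ow=$(printf '%s' "$mode" | cut -c9)   # other write bit
        if [ "$owner" != "$want" ] || [ "$gw" = w ] || [ "$ow" = w ]; then
            echo "chroot path component unsafe: $dir ($owner $mode)" >&2
            return 1
        fi
        [ "$dir" = "$top" ] && return 0
        [ "$dir" = / ] && return 0
        dir=$(dirname "$dir")
    done
}

# check_web_home DIR [OWNER] [GROUP]
# Verify the layout webadd.sh establishes: DIR is OWNER-owned with mode 0751,
# .ssh and .ssh/authorized_keys are OWNER-owned (so the user cannot loosen the
# key restrictions), and docs belongs to GROUP (default www-data).
check_web_home() {
    dir=$1; want=${2:-root}; grp=${3:-www-data}; fail=0
    set -- $(path_info "$dir")
    if [ "$1" != "$want" ] || [ "$3" != drwxr-x--x ]; then
        echo "$dir: want $want drwxr-x--x, got $1 $3" >&2; fail=1
    fi
    for f in .ssh .ssh/authorized_keys; do
        set -- $(path_info "$dir/$f")
        if [ "$1" != "$want" ]; then
            echo "$dir/$f: owner is '$1', want $want" >&2; fail=1
        fi
    done
    set -- $(path_info "$dir/docs")
    if [ "$2" != "$grp" ]; then
        echo "$dir/docs: group is '$2', want $grp" >&2; fail=1
    fi
    return $fail
}

# Usage (as root): sh check_webhome.sh /home/USERNAME
if [ "$#" -gt 0 ]; then
    check_chroot_dir "$1" && check_web_home "$1" && echo "$1: ok"
fi
```

Run it after webadd.sh and again whenever a deployment tool has touched the account; a group-writable /home or a chown of authorized_keys back to the user is exactly the kind of drift that silently breaks the chroot or hands the user control over their own key restrictions.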

While the nginx config is connected to fpm properly, you still need to assign an IP address and call it.