Tuesday, April 30, 2024
Homepage · ssh
 Popular · Latest · Hot · Upcoming
1
rated 0 times [  1] [ 0]  / answers: 1 / hits: 857  / 3 Years ago, sat, august 7, 2021, 12:37:56

I've set up Ubuntu 20.xx as a web server in the cloud provided by Digital Ocean and wish to install Node, Express, Mongo and possibly NginX.
In several articles there is mention of disabling root user to improve security and create a new user with administration access.
In order, I created a new user and then used this to set-up all applications but ran into issue with nginx.


Should I instead use root user to set-up all applicatons first, and allow applications to run under root ?
Then create a second admin user with ssh access and then disable ssh for root?


UPDATE1: Thanks for your assistance all, I've updated the question and added its a cloud install.


UPDATE2:


Thanks for the detailed explanation. As I understand it :



  1. A Sudo user has the same privileges as root

  2. A Sudo user can be tracked who performed actions (of relevance when multiple users are concerned)

  3. Web applications (node, pm2, mongo) can be installed EITHER with
    root account and/or sudo user accounts, because these applications should run with their own default user accounts.

  4. Disable root ssh in due course to protect against brute force attacks


More From » ssh
 Answers
4

The reason for "disabling root" and using sudo with a regular account instead has multiple purposes, none of which affect the answer to your question.


System software is always installed as root. Sometimes application software is installed as an application specific user, but typically not. Disabling login for the root account doesn't change this, and it doesn't change how applications are started at boot.


The point of disabling the root account is so that you log in as a normal user and do user session like things as a normal user and not root. Then you use sudo to elevate to root to install software and do other dangerous things. This also has the side effect that when you use sudo, the user account that did this is also logged, which is not that interesting unless there are multiple user accounts that can use sudo, in which case, it is easier to assign blame when a mistake is made. So installing software is still done as root -- just via sudo instead of direct login.


When an application (like NginX, mysql, mogodb, etc.) is configured to start at boot, typically the systemd (or initd) boot scripts start the application as a special application user. This user is created when the application is installed. You should not be starting the application by hand, but allowing the installed system scripts to start it (for instance with systemctl start ...) so that it runs with the correct permissions in the correct environment. The design philosophy behind this is that the application is isolated within its own user, and security issues with the application will (hopefully) be trapped in that user id. Most applications should not be run as root directly.


Having said all this, on a system with a single administrator, logging who uses sudo is less interesting, and if you have cloud images that you can just zap and reload from a fresh copy, what user you run things as inside the container is also less important. This is probably why your cloud image comes with root enabled and no separate administrative user.


[#905] Saturday, August 7, 2021, 3 Years  [reply] [flag answer]
Only authorized users can answer the question. Please sign in first, or register a free account.
ongdiligenc
Add To Favorites
Follow
Total Points: 452
Total Questions: 111
Total Answers: 107
Location: Ukraine
Member since Sun, Dec 13, 2020
3 Years ago
ongdiligenc questions
Wed, Apr 13, 22, 10:34, 2 Years ago
Tue, Jun 7, 22, 00:54, 2 Years ago
Sat, May 22, 21, 03:06, 3 Years ago
Tue, Mar 1, 22, 10:05, 2 Years ago
Sun, May 16, 21, 18:09, 3 Years ago
View All
;