Adding new users to Ubuntu with reduced permissions

Greetings, it’s been a while!
I’m trying to work out a system of adding new users to the Ubuntu Linux server. Currently I’m creating a new Modpack in collaboration with a small group of individuals. I’m trying to work out a system of adding new users or a group of users to the Ubuntu Linux server.

My goals are for the new users:
Web UI: Access only Test_Live map (which should be able to be selected through the UI but I don’t see the new user I added)
SFTP access: read write access only to the config folder ‘/var/games/minecraft/servers/Test_Live/config’
SSH: restrict users from SSH. I believe I found adequate documentation for this already.

I created a new user but it has equal privileges to the MC user. Thus it can read and write files owned by MC. I want to make the new user or group of users have fewer privileges than the MC user. Basically I don’t want them to have read access to any part of the server except for what is necessary for the goals outlined above. In the meantime I will continue to search for how to properly manage permissions on Linux.

I could be very wrong, (still learning how Linux works) but I believe that you could make a group, add those users to that group, and assign it to that server, then remove those users from the other servers. This is only a guess at what to do, so if I am wrong, feel free to respond to me in all caps saying that I’m doing it wrong. :stuck_out_tongue:

1 Like

You shouldn’t look at this task as creating a new user with reduced permissions–because you’re actually just aiming to have a normal user with similar, but separate permissions.

Upon installing Ubuntu, you have your first non-root user, such as will. If you create an additional user, bob–you’re not likely wanting to create him with reduced permissions, but instead just non-overlapping permissions with will.

The same applies to your goals. Let’s say I just newly installed Ubuntu:

will@willonubuntu:~$ groups will
will : will adm cdrom sudo dip plugdev lpadmin sambashare

Now I add an additional user bob:

will@willonubuntu:~$ sudo adduser bob
[sudo] password for will:
Adding user `bob' ...
Adding new group `bob' (1001) ...
Adding new user `bob' (1001) with group `bob' ...
...
Is the information correct? [Y/n] 
will@willonubuntu:~$ groups bob
bob : bob

Since MineOS uses the group permission system in managing servers, I could create a server in the webui as bob and that would be the end of it. Bob should in fact only have access to his own self-created servers (as defined by “owned by bob, or owned by a group bob is part of”)

If you wanted other people to have access to this server Test_Live, either you could add user steve to group bob…or you could be a little bit more precise by making another, third group champs.

Add steve and bob to group champs, have bob–the owner of Test_Live–change the group ownership in the webui to champs and now both should have access.

will@willonubuntu:~$ sudo addgroup champs
Adding group `champs' (GID 1003) ...
Done.
will@willonubuntu:~$ sudo usermod -a -G champs bob
will@willonubuntu:~$ groups bob
bob : bob champs
will@willonubuntu:~$ sudo usermod -a -G champs steve
will@willonubuntu:~$ groups steve
steve : steve champs

As you’ll see, Bob still remains the owner of the server–somebody does have to be the owner–but Bob and Steve will have otherwise equal access to managing the server from the web-ui through the use of a third group.

1 Like

Thank you for the detailed explanation. First off, since `bob' (1001) has a lower number than `Steve' (1002), does Bob have access to Steve’s content? I assume this works the same way with groups. Users are assigned to a group, then the permissions are not separate, therefore they can access the same content? Do users in a group that has a lower number have access to the content of a group that has a higher number, similar to what I explained with users at the beginning of the paragraph?

Last but not least I’ve added the group ‘mineos_admins’ which contains one user. Unfortunately “mineos_admins” does not show up in the drop-down list in the web UI.

Yeah it’s been a while I haven’t had time to do much with MineOS until recently.

Unless the number is 0, the numbers have no relevance. 0 refers to root, and everything else is non-root. So user 1001 has no permissions over 1002 or vice versa.

Can you relay to me the commands you did to create and add mineos_admins? Also, can you let me know which webui (python or node) you’re using and what commit you’re on?

sudo addgroup mineos_admins

sudo usermod -a -G champs user

node
commit a1f30d476b7f85b405833203d0d1f4c2b96ed41e

You created a user called mineos_admins but then added user to group champs.

Whoops let me clarify.

sudo addgroup mineos_admins
sudo usermod -a -G mineos_admins Ben

Don’t mean to pester you but do you have any ideas?

Can you confirm the user is part of the group?

At the command-line, type groups

node
commit b19f851e5aa94eb53234ccd99e3509ea5c0441a2

ben@MineOS:~$ groups
ben mineos_admins

I really don’t have any idea. I can’t reproduce the issue at all. I’ve tried under 14.04, 15.04, and even FreeBSD. My test suites pass and the webui works as I expect it to. I need to be able to see/experience the broken issue.

If you’re comfortable I don’t mind giving you the credentials to SSH and to the web UI. There’s absolutely nothing important on the server and I can always re-image the machine with new credentials.

I’m fine with this; go ahead and email me at my wdchromium@gmail.com email.

You’ll be receiving an email shortly with an encrypted 7zip file attachment.
The password

X0Aywn1qVbEH0U4rzIN6S46Jy5Pt3GBBW6RPj9zuZPJmYxoHYAQImiGeUf0tXY7S1F3Y97vN5hlBTeCnjHhab2OBjfbCIXIervX4

Post or email when you get a chance to verify that you received what you needed.

Alright, so I found out the issue with this. Here is what mc looked like to start with:

Then I did the following command sudo usermod -a -G mineos_admins mc

However, the group doesn’t even show up! Apparently there is a functional difference between groups and groups mc, most of which is one is “groups you were part of at login” and “groups you are part of according to the files right now”. So after simply adding the user to the group, mineos_admin still does not appear. But it does appear after the webui is restarted, because apparently the node.js module that reads group memberships works on the former method–or “groups the user was part of at time of webui startup”

Excellent, so technically after performing sudo addgroup <Group> and a restart of the server box or webui, it should appear.

I could’ve sworn I rebooted the server box at least once, which should’ve done the trick. When I reimage I’ll report back with the results.

A reboot is overkill. Restarting the web-ui should be more than enough since it will refresh all users and groups. And as far as finding out what groups you’re part of, just never use “groups” and replace it with “groups <user>”.
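
The difference between `groups` and `groups <user>` discussed in this thread, as an added shell example (not code from MineOS or from any poster). The function names are hypothetical, and group names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: compare the groups a running session holds with the
# groups the account database lists for the same user.

# Print every name in list $2 that is absent from list $1, one per line.
# Matching is on whole names, so "mineos" does not match "mineos_admins".
missing_from() {
    local have g
    have=" $1 "
    for g in $2; do
        case "$have" in
            *" $g "*) ;;
            *) printf '%s\n' "$g" ;;
        esac
    done
}

# Groups in the current process credentials (what bare `groups` reports).
session_groups() { id -Gn; }

# Groups the database lists for a user (what `groups <user>` reports).
database_groups() { id -Gn "$1"; }

# Exit status 1 when the database grants groups this session does not
# hold yet, i.e. the membership was added after login or daemon start.
stale_membership_report() {
    local user pending
    user="${1:-$(id -un)}"
    pending=$(missing_from "$(session_groups)" "$(database_groups "$user")")
    if [ -n "$pending" ]; then
        printf 'not yet active for %s: %s\n' "$user" "$(echo $pending)"
        return 1
    fi
    printf 'session and database agree for %s\n' "$user"
}

# Constructed sample mirroring the thread: the session predates the
# usermod that added mineos_admins.
missing_from "ben" "ben mineos_admins"

# Live check for the invoking user; never aborts the script.
stale_membership_report || true
```

A non-zero status from `stale_membership_report` means the session, or a service started from it, has to be restarted before the new group takes effect.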