Do I do everything as root or create a User su and give permissions to it?

August 17, 2015 3.3k views
Linux Commands Configuration Management Linux Basics

I have a doubt that I have carried with me for some time. I get my root login via email and access my server via SSH, already logged in as root. Do I create a user and give privileges to it, or continue as root to install LAMP, WordPress, etc.? Since I already have all privileges, why the need to create another user and privileges? Will I have problems with permissions if I do everything as root? I ask because I have this habit: even on my personal Linux machine I already do a sudo su every time I run a terminal.

3 Answers

It could be a matter of personal preference, so that is also what this answer will be.

The following is considered being done with the root user till it's stated otherwise.

I for one always secure my setup - to me this means that you authenticate with SSH keys to your server and not with password authentication.

Please read this great tutorial from the DigitalOcean tutorial archive on how to set it up correctly.

One thing not mentioned in that tutorial is how to disable root login via SSH. This is done to additionally secure your server setup.
To do so, edit your /etc/ssh/sshd_config config file:

  • nano /etc/ssh/sshd_config

... and change the PermitRootLogin setting to no:

PermitRootLogin no

When you're done editing, press CTRL+X and Y to save your changes.

Remember to restart the SSH daemon after you made the changes.

  • service ssh restart

When I have a secure setup, I always add a new user and give this user sudo rights.

For starters, you issue the command (remember to replace username with whatever username you'd like):

  • adduser username

This will create a user with the username you provided as the second argument.
Secondly, you need to give the user some sudo rights. I do this by adding the user to a sudoers.d file:

  • nano /etc/sudoers.d/username

Put in the following into that file:

username ALL=(ALL) NOPASSWD: ALL

When you're done editing, press CTRL+X and Y to save your changes.

Now, notice that the user has a NOPASSWD setting which allows the user to use sudo privileges without providing a password. This can be considered unsafe, but with the new secure SSH settings I believe that will suffice.

Now, the sudoers file needs the right permissions:

  • chmod 0440 /etc/sudoers.d/username

Now you should switch to your new user and add your public SSH key to the user's authorized_keys file. To switch to that user, use the su command:

  • su username

Now you're working as the new user. The new user doesn't have any local SSH settings, which means we need to create the ~/.ssh/authorized_keys file manually.
Create the directory first:

  • mkdir ~/.ssh

Now, create and edit the authorized_keys file and paste in your public key:

  • nano ~/.ssh/authorized_keys

When you're done editing, press CTRL+X and Y to save your changes.

Now you should be able to connect from your local machine with your private key to the new user.

  • ssh username@remote-host

From here you can do sudo installs from your new user.

This is my preferred method of doing it.

SSH, or secure shell, is the most common way of administering remote Linux servers. Although the daemon allows password-based authentication, exposing a password-protected account to the network can open up your server to brute-force attacks. In this guide, we demonstrate how to configure your server with SSH keys, which is the recommended authentication method. These are much more difficult for attackers to work around, giving you a more secure login mechanism.
  • Yes, thanks for the reply, Repox. I already habitually access via SSH, and I have already disabled root access and also access with passwords, and already locked my user in a jail with jailkit. What I want to know about my installations: is it bad that I do everything as the root user (that is how I created my VPS installation and set up everything, with sudo su applied), since it will be the owner of the directories created? Will that not cause issues in the future, such as permission problems installing, configuring, and editing files that only work when logged in as root?

  • Whether you do it as a sudo user or root, it makes no difference. Sudo elevates the current user's actions to root level.
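
The answer above disables root SSH login and moves administration to a sudo user; if that user's sudoers drop-in or authorized_keys file is not actually usable, the change locks you out of the server. The following is an added example, not part of the original answer: POSIX shell checks to run before restarting SSH. Function names are hypothetical, paths are passed as arguments, and `sshd_setting` does not follow `Include` or `Match` blocks.

```shell
#!/bin/sh
# Added example (not from the original answer). Paths are arguments so the
# checks can be run against copies; all function names are hypothetical.

# First occurrence of a keyword wins in sshd_config; keywords are case-insensitive.
# On a live host, `sshd -T` prints the effective value including Include/Match.
sshd_setting() {  # sshd_setting <config-file> <keyword>
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# True if the path is writable by group or others.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# sudo skips files in sudoers.d whose name contains "." or ends in "~",
# so a drop-in named after a user like "john.doe" is silently ignored.
sudoers_dropin_ok() {  # sudoers_dropin_ok <file>
    case "$(basename "$1")" in *.*|*~) echo "ignored by sudo: $1"; return 1 ;; esac
    [ -f "$1" ] || { echo "missing: $1"; return 1; }
    [ -n "$(find "$1" -prune -perm 0440 -print)" ] || { echo "mode is not 0440: $1"; return 1; }
}

# Key login needs a non-empty authorized_keys and, with sshd's default
# StrictModes, neither it nor ~/.ssh may be group- or world-writable.
user_keys_ok() {  # user_keys_ok <home-dir>
    [ -s "$1/.ssh/authorized_keys" ] || { echo "no keys in $1/.ssh/authorized_keys"; return 1; }
    for p in "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if loosely_writable "$p"; then echo "group/world-writable: $p"; return 1; fi
    done
}

# Gate for the lockout risk: report the root login setting, and succeed only
# when the replacement account can both log in with a key and use sudo.
preflight() {  # preflight <sshd_config> <sudoers-dropin> <home-dir>
    echo "PermitRootLogin: $(sshd_setting "$1" PermitRootLogin)"
    sudoers_dropin_ok "$2" && user_keys_ok "$3"
}
```

Run it as root with the real paths, for example `preflight /etc/ssh/sshd_config /etc/sudoers.d/username /home/username`, and keep the existing root session open until a second login as the new user succeeds.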
