Hi everyone 🙂
TLDR
How do you work with debian and su permission and what’s the best way to do it for better security?
- Add an user in the sudoers?
- Give special permissions to a group? User?
- Always connect to su - (default root)?
- Add users to groups?
The story is unrelated to the question, but is a direct cause
This is rookie question even though I use linux (ubuntu and recently debian) regularly and have alot of selfhosted docker containers on an old spare laptop.
While this is probably one of the basics you need to know right away when playing arround with sudo or su I wasn’t aware of how you can f#ck everything up with a single command
chmod -R xxx /home/$USER
chown -R …
Why would you do that? Because I’m stupid and how sometimes no idea what I’m doin? I was actually trying to change some permission to create a samba share (that’s another story xD).
Trying to revert everything, alot of my docker containers, certificates and special files were unreadable, unexecutable… That broke my nextcloud instance, synchthing functionalities, linkding http shortcut…
With that big incident, I learned how users, root, sudo/su permission work and recently found out you can add users to groups, like docker so you don’t have to ‘sudo docker’ everytime.
My question
How do you work with debian and su permission and what’s the best way to do it for better security?
- Add an user in the sudoers?
- Give special permissions to a group? User?
- Always connect to su - (default root)?
- Add users to groups?
Because this is in a homelab environment, there is a minimal risk compared to exposed instances, but I’m interested to learn the best practice right away !
Thank you 😊
Being bad at a thing is the first step to being kinda good at a thing.
First, many distros ship with sudo so its pretty ubiquitous, anything you learn about managing sudo will apply to most if not all distros, not just debian. (Great choice though ❤️)
The correct answer is “it depends”.
In a production environment you’ll typically have some external authentication source like IdM, FreeIPA or active directory set up. In this case its common to just give full sudo access to the group that comprise your admin team, as in most cases you have to trust that they know what they’re doing.
Ideally you want to follow the priciple of least access and avoid privilege escalation as much as possible. For example, there may be specific instances where a non-priv user needs to run $x as a super user, in which case, you should only grant the ability to ‘sudo’ for that executable as opposed to ‘ALL’.
As you’ve already discovered, with great power comes great responsibility. 😉
Thank you for your great insight !!!