Linux Server Setup: Part 8 - Users, Websites, and Accounts

Updated: September 20, 2010

Users and Accounts

By default, most Linux distributions will come with several user accounts. Your user account, created during installation, will have its own home directory and permissions limited to that directory. There will also be an administrative account, called "root", which has complete access to the server and can add or delete anything. Normally, the root password will be different from your user password, and you will need to become root to perform administrative tasks. You can become root using the "su" command.

Linux also has a number of other user accounts that run system services. The "nobody" account, for example, may run Apache processes and other services that require certain permissions but not the full access available to root. Another example is the "mysql" user, which runs the mysqld process. Because these accounts run important processes, it is important that you do not modify them in any way, and that you do not assign them passwords or the other features of a normal login account.

When a new user is created, it will receive its own directory under the /home path and will also have its own user group. A group determines the access a user has to certain programs and files. A typical user may belong to several groups, but some groups consist of only a single user, such as the "root" group.

If you have elected to use a web-based control panel, you will usually create and delete users from within the panel, but it is still a good idea to know how to manually create a user, in the event that you need one that is not tied to a hosting account.

To create a user:

1. Log in as root:

$ su

2. Enter the adduser command, followed by the username you want to create:

# adduser tester

3. It will prompt you for a password. Enter it.

4. It will ask for the user's full name, room number, etc. All of this is optional.

5. It will then ask if all the information is correct. Press "y" for yes.

Websites

Depending on the operating system and control panel, your server may handle user/website interaction in a number of ways. A common method is to store the website information within the user's /home directory. For example, the path to their web pages may be: /home/username/www/html. Files in the "www" directory may be used by the web server, but only files in the "html" directory will be live and viewable by outsiders.

The number of websites a server can hold is not determined by operating system or by the number of users, but by the hardware. As long as there is still enough space for more, you can continue adding websites.

The files within a website are typically owned by the user, although the root user always has the ability to access, change, or even delete them. That is why it is critical that no other user can even attempt to log in as root, that the root password is secure, and that attackers cannot use exploits in web applications to gain root access. Although root can have its own website, this is generally not desirable or necessary.

Ownership and Permissions

In Linux, you can manipulate file permissions with the "chmod" command. For example, a script that requires write access to a temporary directory may instruct you to chmod the directory to 777. What this means is that anyone on the system can read, write to, and enter the directory, including complete strangers. While such permissions might be necessary for a public repository, they are not for most web-based scenarios.

If the server or a particular authenticated user needs write access for a directory, chmod it 664. This means that the owner and the user group will be able to write to that directory, but others will only be able to read its contents. If you ever need something to be completely locked down and not readable by the outside world, make the last digit a "0".

Here are some common settings for file permissions.

(r = read, w = write, x = execute; the three digits are Owner, Group, Other)

1. Executables - CGI files - Perl scripts, for example, often need to be executable. 755 (rwx r-x r-x)

2. Regular HTML and PHP files - These only need to be read by the outside world. 644 (rw- r-- r--)

3. Private files - Sometimes text data files are stored on the server but do not need to be seen. 600 (rw- --- ---)

4. World writable - use these only if absolutely required by the application. 666 (rw- rw- rw-)

5. Full permissions - almost never necessary and could cause security problems. 777 (rwx rwx rwx)

There are other combinations, but these are the commonly used permissions for files on most Linux dedicated servers.

Files also have ownership settings. A file with permissions for its owner only (i.e. 600) can be used only by the user who owns it. Ownership is manipulated with a command called "chown". For example, to change the ownership of a file to the user "bob" and his group "bob", type the command:

# chown bob:bob filename
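The modes in the list above and the chown step can be checked from the shell. The functions below are a constructed example added here, not part of the original article: they audit a site directory such as /home/username/www/html for world-writable entries, executables, and files not owned by the expected account, and tighten modes to the values the list recommends without touching private 600 files. The file-name patterns for scripts (*.cgi, *.pl) and the directory layout are assumptions.

```shell
# Constructed example: audit and tighten a web root against the modes listed above.
# Usage: audit_webroot /home/username/www/html username
#        tighten_webroot /home/username/www/html [username]

# Entries that "other" can write to: the 666 and 777 cases, which let any
# local account (including a compromised web process) alter the site.
world_writable() {
    find "$1" -perm -o+w
}

# Regular files with any execute bit set. Only CGI/Perl scripts (755) should
# appear here; an executable .html or .php file is a sign something is wrong.
executable_files() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \)
}

# Entries not owned by the expected account ($2), e.g. files left behind by root.
not_owned_by() {
    find "$1" ! -user "$2"
}

# Print a report; return 0 if the tree is clean, 1 if anything was flagged.
# Executables are listed for review only, since scripts legitimately need 755.
audit_webroot() {
    root="$1"; owner="$2"
    world_writable "$root" | sed 's/^/world-writable: /'
    not_owned_by "$root" "$owner" | sed "s/^/not owned by $owner: /"
    executable_files "$root" | sed 's/^/executable (check): /'
    n=$(world_writable "$root" | wc -l)
    m=$(not_owned_by "$root" "$owner" | wc -l)
    [ $((n + m)) -eq 0 ]
}

# Conservative fix: regular files lose group/other write (666 -> 644,
# 777 -> 755), directories lose other-write, and anything that is not a
# .cgi/.pl script loses its execute bits. A 600 private file stays 600.
# If an owner is given, ownership is reset with chown as in the article.
tighten_webroot() {
    root="$1"; owner="$2"
    find "$root" -type f -exec chmod go-w {} +
    find "$root" -type d -exec chmod o-w {} +
    find "$root" -type f ! -name '*.cgi' ! -name '*.pl' -exec chmod a-x {} +
    [ -n "$owner" ] && chown -R "$owner:$owner" "$root"
    return 0
}
```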
