
Using su/sudo, best practices?

Discussion in 'Security' started by zackw, Dec 23, 2016.

  1. zackw

    zackw Active Member

    Joined: Sep 30, 2010 | Messages: 30 | Likes Received: 0 | Trophy Points: 56
    I have a VPS with WHM/cPanel on InMotion Hosting.

    I set up a user account as usual and gave it access to shell.

    I can log in to shell as the user but of course some commands won't work due to permissions or whatever. Like I can't use Composer or delete some files or run other webdev tools.

    I added the user to the wheel group (which can be done via WHM) but apparently this only allows the 'su' command, when what I really want is just to occasionally sudo a command.

    Here is the problem. In this user account, even when using Composer or whatever, I want all the files in their web folder to belong to the right user. I can log in as root and do what I want but then I have the file ownership issue to deal with. I would rather just stay in my actual user so that file permissions remain correct.

    I could not find out how to enable sudo.

    I've been reading that because I use the wheel group, I should be logging in to shell as my user account, then going 'su root' and working that way, but again I don't want to deal with file ownership issues or continually work as root.

    What is the best technique here? Do I use my root account and su into my user? Or vice versa and log in as the user and add them to wheel and su into root? Do I just have to work in root only and then constantly change ownership of files all the time? Do I somehow allow my user access to the sudo command (which seems to me to be the correct method)?
    I couldn't find a tutorial for allowing a user to use sudo based on a WHM account. For example, they say to add to the sudoers file, but I don't have that; I have a sudoers.d directory with individual files, and I don't know how to edit this properly.

    I just want to do this in the most secure way, as well as the way best supported/recommended by cPanel.

    Thanks!
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Joined: Apr 11, 2011 | Messages: 36,995 | Likes Received: 1,275 | Trophy Points: 363 | cPanel Access Level: Root Administrator
    Hello,

    Could you provide an example of a specific command or action you can't complete as the account username?

    Thank you.
     
  3. zackw

    zackw Active Member

    I was working with Composer this morning.
    It's possible it could have tried to edit something outside my user folder? But when I switched to root in order to run things, it loaded up all the files as root:root.

    So naturally when I was back in my normal user and needed to delete some files in the public web folder, it couldn't delete anything previously created as root.

    Obviously these are just permission issues with various files, but my underlying concern still stands. How can I just enable using sudo for my user? And if that is an insecure thing to do, how can I use root but not mess up file ownership when using root? A lot of people disable root access anyway, so where does that leave me being able to do anything at all "fancy" on my VPS like install software or whatever?

    I want to be able to have administrative use of my VPS, but I also want to maintain decent security. I just thought having sudo ability on my user account was essentially the "normal" way to do occasional server commands.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Feel free to open a support ticket using the link in my signature if you'd like us to take a closer look. You can post the ticket number here and we will update this thread with the outcome.

    Thank you.
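
For the sudoers.d and file-ownership questions raised in this thread, here is an added example; it is not part of any post above and not cPanel's own guidance. It builds a least-privilege drop-in for one account, checks it with `visudo -cf` before installing it, and runs a command as the account from a root shell so new files keep the right owner. It assumes sudo reads `/etc/sudoers.d`; the function names are hypothetical, and `zackw` and the command paths are sample values.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; "zackw" and any command
# paths passed in are constructed sample values, not from a real server.

# Conservative account-name check so nothing else can be smuggled into a rule.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*) return 1 ;;
        [a-z_]*) return 0 ;;
        *) return 1 ;;
    esac
}

# sudo skips sudoers.d files whose names contain '.' or end in '~'.
valid_dropin_name() {
    case "$1" in
        ''|*.*|*'~'|*/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one rule: USER may run only the listed absolute commands as root.
# Wildcards and sudoers metacharacters are refused rather than escaped.
render_rule() {
    [ "$#" -ge 2 ] || return 1
    user=$1; shift
    valid_user "$user" || return 1
    list=
    for cmd in "$@"; do
        case "$cmd" in
            ''|[!/]*|*[,:=*]*) return 1 ;;
        esac
        list="${list:+$list, }$cmd"
    done
    printf '%s ALL=(root) %s\n' "$user" "$list"
}

# As root: write, syntax-check, then atomically install the drop-in.
install_dropin() {   # install_dropin NAME USER CMD...
    [ "$#" -ge 3 ] || return 1
    name=$1; shift
    valid_dropin_name "$name" || return 1
    tmp=$(mktemp /etc/sudoers.d/.tmp.XXXXXX) || return 1
    if render_rule "$@" > "$tmp" && chmod 0440 "$tmp" && visudo -cf "$tmp" >/dev/null
    then mv "$tmp" "/etc/sudoers.d/$name"
    else rm -f "$tmp"; return 1
    fi
}

# From a root shell: run one command as the account so new files are owned by it.
run_as_account() { user=$1; shift; valid_user "$user" && sudo -u "$user" -H -- "$@"; }
```

Because the temporary file name contains dots, sudo ignores it until the `mv` puts the validated rule in place, so a syntax error never locks anyone out of sudo.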
     