New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
What is your SOP for installing services?
What is your typical setup for installing daemons that you want to autostart with reboot, but don't want to run as root?
For example, I am planning to install several apps on a VPS (including aria with webui and sandstorm with packages), but am not sure of the best way to do this. Do you install as root, then somehow set the daemons to run at startup as another (non-privileged) user? Do you create one user for different categories of daemons and then install using su? Do you give the daemon accounts sudo permission? Do you create a non-privileged account for each major daemon?
As you can tell, I'm still quite the novice...but I'm trying to get better.
Comments
SOP should be to set ssh rootlogin without-password and install rsa keys for your user account, everything else it up to you
The normal process for linux daemons that need a privileged port below 1024 or to read root owned config files is to start as root then drop down to an unprivileged user, but if you don't need any of those you can run everything in it's own user. If you want to go all the way, set selinux to enforcing and create a security context for each service and it's config files...
@miTgiB @linuxthefish Thanks, guys! So, it would be "acceptable" to do the following: make root login allowed only via authorized key (no password), install everything while logged in as root, then create a sudoer account and only use that sudoer account for everything I do? Or, should I just install everything while logged in as my sudoer login, and then just keep using the sudoer account? Or something else?
@user123 Make a user. Give that user sudoer permissions, then you can install/update/upgrade your box as well as edit sensitive files, but only with sudo command. This user will be fine for executing regular non-sudo commands also. Think of this user as your everyday worker with super privileges for those extra special tasks.
Is it recommended that I create different (non-privileged) users for different daemons (for example - sabnzbd, sandstorm, etc) or don't bother?
No need. The user you made and granted sudo permissions will do fine for all other uses. If an app you install needs special permissions it will add those users with appropriate permissions automagically.
In short, 1 user with sudo privileges will be all you need to do all your tasks. If you need to do something with root privilege the system will tell you, and then just use sudo before bash commands.