Getting Students’ server better organised

Something I have been wanting to do for more than a year was done this week. Until now, the only usable account on the students server, which hosts http://students.iitm.ac.in and a couple of other sites, was the root account. So anyone who needed to access the students server needed the root password! Another bad practice (carried over from our predecessors) was that all the websites which needed to access a database used the root user of MySQL.

Since it was the beginning of a new (academic) year and time to welcome a new team of webops coordinators, we (Ramanthan and myself) decided to do some cleaning up and put some rules in place to ensure sustainable development. This is an account of how it was done.

The first thing to do was to make the backups readable only by the superuser. This made sure I did not have to go about securing MySQL passwords in the old code. Those of you who are familiar with web development will know that it is common practice to store the DB access details (username, password, etc.) in a PHP file, which I will from now on refer to as ‘conn.php’. For those who are only used to seeing websites in browsers, conn.php is the file that I wanted to secure. This file must be readable only by the superuser. But PHP needs this data to access the database, hence the user apache should also be able to read this file.

Step 1: Find all the places where conn.php is present on the server. The following command helped find them.
locate conn.php

Step 2: Set the owner and group as needed. In my case the owner was root and the group was the apache user.
chown root:apache conn.php

Step 3: Set the right permissions.
chmod 750 conn.php

Step 4: Steps 1-3 ensure the MySQL passwords are now secure. Now it was time to add a new user, dev, which will henceforth be used for all development purposes. This was easily done with the command:
adduser -m dev
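
A way to re-check steps 1-3 later, as an added example that is not from the original post: it walks the live filesystem with find instead of the locate database, which can be stale and also matches names such as conn.php.bak. The function names and the /var/www default web root are assumptions.

```sh
#!/bin/sh
# Added example: audit conn.php files after steps 1-3.
# Prints every conn.php under ROOT that is not owned by OWNER:GROUP
# or that grants any permission bit to "other" users.
# Defaults follow the post (root:apache); /var/www is an assumed web root.
audit_conn_files() {
    root=${1:-/var/www}
    owner=${2:-root}
    group=${3:-apache}
    # -perm -00N is true when that "other" bit is set (POSIX find syntax).
    # Mode 750 from step 3 passes; so does 640, since PHP only reads the file.
    find "$root" -type f -name conn.php \
        \( ! -user "$owner" -o ! -group "$group" \
           -o -perm -004 -o -perm -002 -o -perm -001 \) \
        -print
}

# Succeeds only when find itself ran cleanly and flagged nothing,
# so an unknown user or group name does not count as a pass.
conn_files_ok() {
    flagged=$(audit_conn_files "$@") && [ -z "$flagged" ]
}
```

Run `conn_files_ok /path/to/webroot || audit_conn_files /path/to/webroot` as root after a deployment to catch a newly added conn.php that was left world-readable.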

Finally I had set up a new account and the root password of MySQL was secure. At least that's what I thought, till I tried to ssh to the server as the new user. To my surprise it was not possible to do so. After checking a couple of times whether I had entered the password correctly, it dawned on me that a file called sshd_config exists and defines which users are allowed or denied ssh access to the server. So I added the user to the config file and the account was up and working :-)

Published on August 10, 2008 at 8:43 am