A Hacker's Journey: from Cook to Chef

12 How to set up application deployment environment on Linux (part III)

Now we've pretty much decided to deploy the application on the CentOS platform, either in a VMware virtual machine environment or on a dedicated hosting service, which gives us the highest flexibility and the best security control.

But before we can start to deploy our application, we need to go over some basic system settings: create the necessary users and groups, grant privileges, perhaps install the vsftpd server, and turn on the firewall.

Linux, like any Unix system, has a robust security mechanism built into the Linux kernel. SELinux provides another layer of security enhancement on top of it. We'll discuss advanced security issues at both the system level and the application level, including SELinux and SSL, later. For now, let's focus on the minimum requirements for running our application in a secure hosting environment.

Note that FTP, telnet and rlogin (rsh) are insecure. Use SSH, SCP or SFTP instead. It is highly recommended not to install any FTP or Telnet server, with the exception of vsftpd (Very Secure FTP Daemon).

Below are some instructive examples showing that you must be very careful with Linux administration commands, especially when you are not familiar with them.

1) When you add a user to a particular group, first check whether the user already belongs to other groups besides their primary group. If the user is currently a member of a supplementary group that is not listed in the command below, the user will be removed from that group:

# usermod -G group1 user1

So if 'user1' belonged to the root group, running the above command adds user1 to group1 but removes him from the root group. He will then lose the root privilege, which is probably not what was intended.

This behaviour can be changed with the -a option, which appends the user to the current supplementary group list instead of replacing it.

# usermod -a -G group1 user1
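To make the pre-check in point 1 concrete, here is an added example (not from the original post) that parses an /etc/group-style file, lists a user's current supplementary groups, and reports which of them a plain "usermod -G" would silently drop. The group file contents are constructed for the example, and the function names are my own; on a real host you would point supplementary_groups at /etc/group (or simply run "id -nG user1") before touching the account.

```shell
#!/bin/sh
# Pre-flight check before 'usermod -G': list a user's existing supplementary
# groups so none are silently dropped by a replace-style group assignment.

# Constructed sample group file (stands in for /etc/group; not a real system's).
SAMPLE_GROUP_FILE="$(mktemp)"
trap 'rm -f "$SAMPLE_GROUP_FILE"' EXIT
cat > "$SAMPLE_GROUP_FILE" <<'EOF'
root:x:0:user1
wheel:x:10:user1,admin
group1:x:1001:
developers:x:1002:user1,user2
user1:x:1000:
user2:x:1003:
EOF

# supplementary_groups FILE USER
#   Prints, one per line and sorted, the names of groups in FILE whose
#   member list (4th colon-separated field) contains USER.
supplementary_groups() {
    awk -F: -v u="$2" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $1
        }' "$1" | sort
}

# dropped_by_usermod_G FILE USER NEWGROUP
#   Groups USER would lose if an admin ran "usermod -G NEWGROUP USER"
#   without -a: every current supplementary group except NEWGROUP itself.
dropped_by_usermod_G() {
    supplementary_groups "$1" "$2" | grep -vx "$3" || :
}

# safe_usermod_cmd USER NEWGROUP
#   The command that appends to the supplementary list instead of replacing it.
safe_usermod_cmd() {
    printf 'usermod -a -G %s %s\n' "$2" "$1"
}

# Stand-alone demonstration against the constructed file.
echo "user1 is currently in: $(supplementary_groups "$SAMPLE_GROUP_FILE" user1 | tr '\n' ' ')"
echo "'usermod -G group1 user1' would drop: $(dropped_by_usermod_G "$SAMPLE_GROUP_FILE" user1 group1 | tr '\n' ' ')"
echo "Use instead: $(safe_usermod_cmd user1 group1)"
```

The check only reads the group file, so it can be run as an unprivileged user before the real usermod; the point is to see the list of groups that would be dropped and to decide whether that is intended.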

2) Suppose 'user2' was not in the root group and you have just added him to it so that 'user2' can access the resources available to the root group. If you have disabled root SSH login for security reasons and forgot to create another normal user, you may no longer be able to log in to the system remotely. So be careful when adding users to the root group; prefer adding them to the sudoers list if necessary. With the following command, you can easily track which tasks are executed by which user. If a normal user who is not in the sudoers list tries to run a program as the superuser, the request will be rejected and the incident will be reported.

$ sudo <command>

When you are a normal user, the correct way to execute a command with root privileges is:

$ su -c "<command>"

Below are some handy notes on how to do the basic system settings on CentOS 6.