Any Unbuntu Server guys here - need some basic advice

[Chester11]

Hey guys:

I have been looking at forums all day and my eyes are crossed with Linux permissions. Figured I would try here first, as the Unbuntu forum guys are generally a-holes to new users asking simple questions.

Background: I found a deal on a Virtual Private Server (VPS). So I decided to run a Minecraft server for my kids. Originally I was going to run it out of my house, but rather than deal with port forwarding, it made more sense to have someone else host it.

The setup is this:
1. Root user (password off - no way to log-in from the outside)
2. User 1 (login point)
3. Minecraft user - where the file reside (no login setup).

Everything worked fine, until I tried to add modification files to specific directories with via Filezilla, where my issues with permissions came up.

I've tried to add User 1 and Minecraft user to the same group. However, Filezilla would not allow me to move files from my PC to the VPS. Even setting the directories to wide open via chmod 777 (which is not recommended), I still had to terminal in, made the directories with sudo commands, and then move them via Filezilla.

There has to be an easier way, can someone help? Looking back - I should have just run everything as root, but everything I read said this was unsafe. So basically I outsmarted myself.

I am hesitant to to mess with chown commands, as I am afraid to break things.

 

[DemoFly]

Simple question, but did you do a recursive chmod to the directory and all it's contents? Or just the directory?

 

[ripcord]

chmod -R 0755 /path/to/directory

Owner: Read, Write, Execute
Group: Read, no-write, Execute
User: Read, no-write, Execute

 

[hemioiler]

Looking back - I should have just run everything as root, but everything I read said this was unsafe. So basically I outsmarted myself.

I am hesitant to to mess with chown commands, as I am afraid to break things.

Please don't run it as root

I'm unfamilliar with minecraft, but in addition to the chmod command above you may also need to change the owner of the files to the minecraft user account you created.

Also I'd configure a basic firewall with ufw and also install fail2ban, 2 basic things that should be done to every server. But if you setup ufw make sure you allow access to whatever port the minecraft server requires.

 

[wwillson]

I'm assuming Filezilla uses FTP, does the FTP daemon on the server grant the FTP user write perms? Many FTP servers on Linux restrict writing, unless write is explicitly granted.

An alternative is to use SFTP or SCP.

 

[Chester11]

Simple question, but did you do a recursive chmod to the directory and all it's contents? Or just the directory?

chmod -R 0755 /path/to/directory

Owner: Read, Write, Execute
Group: Read, no-write, Execute
User: Read, no-write, Execute

thanks guys....I was going directory by directory, not using -R. (I was only aware of -R in the context of chown).

for some of the files I lost view rights (directories showed up empty) using the chwon -R, so I was pretty hesitant to mess with -R, but I will give it a shot.

Please don't run it as root

I'm unfamilliar with minecraft, but in addition to the chmod command above you may also need to change the owner of the files to the minecraft user account you created.

Also I'd configure a basic firewall with ufw and also install fail2ban, 2 basic things that should be done to every server. But if you setup ufw make sure you allow access to whatever port the minecraft server requires.

yep - ufw is setup with only 22 and the minecraft port open.

that leads me to another question. most the minecraft files show up as members of root:root. and the minecraft user is a member of the root group. I really don't want anything running root, and may have done this accidentally. the minecraft user does not have a password (login is via user 1).

in one of the walkthroughs I was watching, there is a way to give individual users root access (possibly via a config file in /etc). does this ring a bell with anyone? I can't find the walkthrough again for some reason, and may have given root access by accident.


thanks for the help! I'm always impressed with the breadth of knowledge contained in this site!

 

[Chester11]

I'm assuming Filezilla uses FTP, does the FTP daemon on the server grant the FTP user write perms? Many FTP servers on Linux restrict writing, unless write is explicitly granted.

An alternative is to use SFTP or SCP.

pretty sure it is SFTP, I have port 21 blocked (which I think FTP uses). it asked me to acknowledge a certificate, so I assumed it was SFTP anyway.

 

[wwillson]

pretty sure it is SFTP, I have port 21 blocked (which I think FTP uses). it asked me to acknowledge a certificate, so I assumed it was SFTP anyway.

Yes, FTP would never use PKI.

 

[wwillson]

that leads me to another question. most the minecraft files show up as members of root:root. and the minecraft user is a member of the root group. I really don't want anything running root, and may have done this accidentally. the minecraft user does not have a password (login is via user 1).

You must have installed Mindcraft as root. If it were me, I would delete the whole Mindcraft directory and reinstall as a non-privileged user. It's a really good idea not to do anything as root, unless you really really need to.

 

[Chester11]

You must have installed Mindcraft as root. If it were me, I would delete the whole Mindcraft directory and reinstall as a non-privileged user. It's a really good idea not to do anything as root, unless you really really need to.

thanks...good idea. I'll have to dig further how to do that. my unbuntu terminal skills are basic at best.

here is what make me think the mcserver user is a member of the root group:

[User 1] is the login user I created before locking down the root login.

getent group mcserver
mcserver:x:1001:root,[User 1]

appreciate all the help.

 

[Y_K]

Filezilla does SCP and SFTP

 

[uc50ic4more]

 

[wwillson]

View attachment 166149

I didn’t even notice

 

[Chester11]

got me!

 

[Killer223]

Nothing should need root, root is for the operating system only
the server should be a user of it's own, and users are part of that group.
I would start over, delete the install and start fresh, stay away form root. even the SU shouldnt be needed.

 

[uc50ic4more]

I didn’t even notice

There was a guy about 15 years ago in the Debian support forums who constantly - and intentionally - typed "ubutnut" and I guess I've become acutely attuned to people's deliberate and accidental misspellings of it.

 

[uc50ic4more]

Nothing should need root, root is for the operating system only
the server should be a user of it's own, and users are part of that group.
I would start over, delete the install and start fresh, stay away form root. even the SU shouldnt be needed.

I try this at home a lot and it never works. Maybe I should first "sudo su" and then simply issue the "beer me" command?

 

[wwillson]

Maybe I should first "sudo su" and then simply issue the "beer me" command?

You really have to be a UNIX shell geek to understand this... I've never tried "sudo su" before now, it works. I'm surprised the argument "su" is allowed, as it gives permanent root privileges until you exit the context of su.

 

[Chester11]

thanks for the discussion guys - I think I have it figured out.

I found the setup instructions I was using, and must have missed a chown -R command to that changed ownership of the game files from root to the Minecraft user. I think this fixed the problem for now. I may delete the user and reinstall - but need to figure out how to keep from losing all the things my kids built.

one remaining issue, the game server start script doesn't seem to work right, but this is just a nice to have. scripting is a bit beyond my skills right now, so maybe down the road I will get that figured out.

appreciate it - thanks!

 

[uc50ic4more]

You really have to be a UNIX shell geek to understand this... I've never tried "sudo su" before now, it works. I'm surprised the argument "su" is allowed, as it gives permanent root privileges until you exit the context of su.

There is some granularity to what permissions can be assigned/denied to a user present in the sudoers file; but for the most part anyone who has sudo privileges has, essentially, root privileges.

That said, there are times I have to log into a machine on my very modest network and just do something as my unprivileged user; and if I then decide to do something requiring root privileges I'll just

sudo nano /etc/some/config_file

... and in most other circumstances my entire life is automated with bash scripts, even at the cloud platform level to spin up VM instances, perform updates, conduct scheduled backups, etc. I couldn't care less how many times "sudo" has to be invoked because it's just a script that I run as a cron job or by way of

sh /home/uc50ic4more/some_script_I_need_run.sh

... in which case...

sudo this_command
sudo that_command
sudo the_other_command
cat some/system/file
nerdy-looking code
EOF

... is immaterial. But in times where I have to manually do stuff, especially when I am adding a certificate, where even access to the directory requires root (i.e. the directory is 0400), I do not want to have to type "sudo" a million times; so I just "sudo su" and I have quite literally switched users to root and am at a root prompt ("cd ~/" will even land me at /root/). When I do that, I ALWAYS pause for a moment, take a deep breath and remind myself to be very, very careful!

EDIT: I am a Debian/Ubuntu guy, and this is probably way more common a thing to do in that ecosystem, where, in Ubuntu's case at least, the root user is disabled by default. In RHEL and its derivatives, not only is root enabled, and the only user present after a cloud-based installation; but is even enabled, **if** I recall correctly, for ssh logins. Admins working in RHEL-based systems are also more likely to be logging in to do super-serious stuff and might reside in a root terminal for the bulk of their work anyway and would therefore rarely ever need something like "sudo su".

EDIT #2: Yup: I just went to Google Cloud Platform and spun up a quick Debian VM. Upon login my user was [my Google account name], root ssh login is disabled and there appeared to be no root user. I did the same for a CentOS Stream VM and logged in as root (so obviously possible over ssh) and there were no other users present.