Working with the default admin sudo user
Last updated: March 19th 2021
The default admin sudo user on Webdock stacks
When you provision a Webdock server with one of our standard LEMP or LAMP stacks we will create a default sudo shell user for you with the username "admin". You may want to SSH in with this user and work in your web root, but you may be encountering problems with permissions. This article outlines the typical workflow for successfully working in your Web Root using the admin sudo shell user and doing things like git pull and using Composer.
What you would typically do is:
1. Provision a server :)
2. Add one or more public keys to your admin shell user, or enable password based authentication, so you can log in
For more information on how to gain access to your server, please see our guide on Shell Users
3. Enable Passwordless Sudo! This will save you some headache. Find it on the Shell Users screen for your Server.
4. Connect to the server via SSH
5. Change your directory to /var/www/html (or whatever your web root is, if you have changed it)
$ cd /var/www/html
6. Add www-data to the admin user groups:
$ sudo usermod -a -G www-data,sudo admin
7. Make www-data the primary group for the admin user:
$ sudo usermod -g www-data admin
Now if you try executing id admin, you will see everything correct and accounted for:
$ id admin
uid=1001(admin) gid=33(www-data) groups=33(www-data),27(sudo)
However! This does not kick in until you log out and log in again, or do:
$ su admin
Now you are safe to work as the admin user in /var/www/html and you can do things like
$ git pull
DO NOT run this command with sudo - we are now working as the admin user with correct group assignment in the web root :) Git will now download your repo to a subfolder of /var/www/html, and you might want to change the web root in the Webdock web interface, or just move all your files one level up so they are in /var/www/html
But! You are getting permission errors when loading up your site... Why? Because group users are not allowed to read/write yet to files and folders in /var/www/html, so simply execute (still as admin user):
$ sudo chmod -R g+rw /var/www/html
Or simply run the Allows Group Read/Write in /var/www/html script from the Script Library against your server.
Set up your database and config if need be or whatever else you need to do normally to get your app working... And now your stuff will work.
You may want to make a shell script for when you pull from git that issues the sudo chmod -R g+rw /var/www/html command after a pull, but in most cases this should not be needed ...
For working with Composer, just run Composer as the admin user (do not use sudo) and everything should be fine :)
Changing Passwordless Sudo behavior
If you turn on Passwordless Sudo in the Webdock dashboard, this takes effect for all users that are part of the sudo user group. While convenient, you will potentially be decreasing the security of your server by doing this, since anything running as a member of that group can then become root without a password. Webdock achieves the Passwordless Sudo behavior by adding some configuration to /etc/sudoers, namely this line:
%sudo ALL=(ALL) NOPASSWD: ALL
If you want to limit passwordless sudo to just a single user, you should change this to become something like:
admin ALL=(ALL) NOPASSWD: ALL
In this example we are granting Passwordless Sudo to the admin user and to no other users on the system.
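As an added example (not Webdock's own tooling), the script below lists which users or groups hold a NOPASSWD rule in a copy of sudoers, and rewrites the %sudo rule to the admin user as described above. The function names and the sample file contents are constructed for illustration.

```sh
#!/bin/sh
# Added example (not Webdock's code). It only reads and writes COPIES of a
# sudoers file; rules keyed by "#uid" and included files are not handled.

# Constructed sample: a stock-style sudoers plus the line quoted in the article.
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
%sudo ALL=(ALL) NOPASSWD: ALL
EOF
}

# Print "group NAME" or "user NAME" for every active rule tagged NOPASSWD.
nopasswd_grants() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*(Defaults|(User|Runas|Host|Cmnd)_Alias)/ { next }
        /NOPASSWD[ \t]*:/ {
            if (substr($1, 1, 1) == "%") print "group " substr($1, 2)
            else print "user " $1
        }
    ' "$1"
}

# Print FILE ($1) with each NOPASSWD rule for group $2 re-keyed to user $3,
# the same change the article makes from "%sudo" to "admin".
narrow_nopasswd() {
    awk -v grp="%$2" -v usr="$3" '
        $1 == grp && /NOPASSWD[ \t]*:/ { sub(/^[ \t]*[^ \t]+/, usr) }
        { print }
    ' "$1"
}

demo() {
    tmp=$(mktemp) || return 1
    sample_sudoers > "$tmp"
    echo "before: $(nopasswd_grants "$tmp")"
    narrow_nopasswd "$tmp" sudo admin > "$tmp.new"
    echo "after:  $(nopasswd_grants "$tmp.new")"
    rm -f "$tmp" "$tmp.new"
}
demo
```

Run it against a copy of /etc/sudoers, check the narrowed copy with visudo -cf, and make the real change through visudo so a syntax error cannot lock you out of sudo.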