Admin user management best practices

Hello everyone,

I’m currently facing some problems regarding the administration of my Yunohost instance and its applications.

I’m using a Yunohost server that I installed 7 years ago on a fresh standard Debian, with the “postinstall” procedure. That is, I have a sudoer account that is distinct from my Yunohost users. I use it for system administration, connecting through SSH, becoming root, using administration utilities such as apt or yunohost.

When I connect to the webadmin, I use my main user, which has administrative rights (being a member of the “admins” system group).
That main user usually also has administrative rights on installed apps when needed (Nextcloud, etc.).

It seems a security issue that my main user has system or apps administration rights, since it could be subject to identity theft (its user/password is used in many e-mail/xmpp/nextcloud apps, or in several browsers, and I didn’t see any 2FA settings anywhere).

On the admin page of the documentation, it says that my system should have an “admin” user, which it doesn’t have (no mention in /etc/passwd, nor in /home/).

This morning, my original sudoer account once again lost its ability to connect through SSH after a system upgrade (I suppose the “yunohost” package has reset SSH’s settings).

I would like to understand how I could fit as much as possible with what the Yunohost project developers expect.

I can’t find any specific documentation, so what would be your advice for me to have more robust security regarding system/applications administration?

Thanks in advance.

Hi vetetix,

I have no definitive answer, only “my own practice”.

The page in the documents is outdated since Yunohost 11 :frowning:

My Yunohost is also installed via the Debian + Yunohost route. It did have admin as a user, maybe because on install I agreed to have Yunohost manage SSH. Nevertheless, I removed the admin user a while back (that is mentioned as a best practice, for the same reason as you mention: this single user was available on almost all Yunohosts).

My own server does have the “my user = first user = main user = has all rights” problem, but for other servers I make sure to have a separate other-user account that does not participate in public conversation and also does not have a name with an easily recognizable ‘admin’ ring to it.

Apart from having more rights, it is a regular Yunohost-user.

When your Yunohost was first installed, it was not easy to give regular users access to SSH; enabling that is part of the management functions for users now (via group permissions).
I don’t know how you can convert a regular Linux user to a user with an LDAP account. Maybe the LDAP-management app in the catalog allows importing users? That way your original sudoer account could become a Yunohost user, while keeping your SSH keys and things in order.

Thanks @wbk for your comment. It seems we indeed have the same “problem” with our “first user”.

It probably is possible to create a new user with admin rights to the system and specific apps, and remove those rights from the first user, but I wouldn’t want to break my system when poking around to find how to do that without having asked for advice.

I’m not going to try to restore my original sudoer user’s access to SSH. For now, I can achieve the same result with my “first user”, which has the required rights. I’d rather stay within the boundaries the Yunohost project leaders have set than to try to bend those limits to fit my own practices, which would eventually lead to another breakage some day.

1 Like

One possible risk mitigation solution would be:

  • Disable admin outside of local network (or via VPN only if not home hosted).
  • Add some strength to the SSH config, by disabling the login/password connection and forcing a key.

I think it can limit the risks, and with this, you can use the YunoHost’s user, without risk of the password already used on other services (which is a bad practice, but… users…)

3 Likes
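
The key-only SSH mitigation suggested above only helps while it stays in place, and the thread mentions SSH settings changing after an upgrade. As an added example (not part of the original posts, and not YunoHost's own tooling), the check below audits the effective OpenSSH settings printed by `sshd -T`; the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit "sshd -T" output (the effective sshd settings)
# for key-only login. Usage on the server, as root, e.g. after an upgrade:
#   sshd -T | audit_sshd_keyonly

audit_sshd_keyonly() {
    # Reads "keyword value" lines on stdin, prints findings,
    # returns 0 when key-only login is enforced and 1 otherwise.
    awk '
        { key = tolower($1); val = tolower($2) }
        key == "passwordauthentication" { seen_pw = 1 }
        key == "pubkeyauthentication"   { seen_pk = 1 }
        # Any password-style method left enabled defeats key-only login.
        (key == "passwordauthentication" ||
         key == "kbdinteractiveauthentication" ||
         key == "challengeresponseauthentication") && val != "no" {
            printf "FAIL %s is %s (want no)\n", key, val; bad = 1
        }
        key == "pubkeyauthentication" && val != "yes" {
            printf "FAIL %s is %s (want yes)\n", key, val; bad = 1
        }
        END {
            if (!seen_pw || !seen_pk) {
                print "FAIL expected keywords missing (not sshd -T output?)"
                bad = 1
            }
            if (!bad) print "OK key-only SSH login is enforced"
            exit bad + 0
        }
    '
}

# Constructed sample: excerpt with password login switched on.
sample_password_on() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication yes' 'kbdinteractiveauthentication no'
}

# Constructed sample: the same excerpt with key-only login.
sample_key_only() {
    printf '%s\n' 'port 22' 'pubkeyauthentication yes' \
        'passwordauthentication no' 'kbdinteractiveauthentication no'
}

# Demo on the constructed samples (no live sshd needed).
sample_password_on | audit_sshd_keyonly || echo "-> re-apply key-only settings"
sample_key_only | audit_sshd_keyonly
```

Keep an already authenticated SSH session open while changing and re-checking these settings, so a mistake does not lock you out.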