sudoer scheme to allow useful access to another web developer yet retain future control of a virtual server?
Background: Virtual Private Server
I have a virtual private server that I'm looking to host multiple websites on, and provide access to another web developer. I don't care about putting too many constraints on him, though I wouldn't mind isolating the site that he'll be developing from other sites on the server that I will develop.
The problem: retain control
Mainly what I want is to make sure that I retain control over the server in the future. I want to reserve the ability to create/promote/demote and other administrative functions that don't deal with web software. If I make him an admin, he can sudo su - and become root and remove root control from me, for example.
I need him not to be able to:
- take away other admin permissions
- change the root password
- have control over other security/administrative functions
I would like him to still be able to:
- install software (through apt-get)
- restart apache
- access mysql
- configure mysql/apache
- reboot
- edit web development configuration type files in
/etc/
Other Standard Setups would be happily considered
I've never really set up a good sudoers file, so simple example setups would be very useful, even if they're only somewhat similar to the settings that I'm hoping for above.
Edit: I have not yet finalized permissions, so standard, useful sudo setups are certainly an option, the lists above are more what I'm hoping I can do, I don't know that that setup can be done. I'm sure that people have solved this type of problem before somehow, though, and I'd like to go with something somewhat tested as opposed to something I've homegrown.
Solution 1:
Depending on the amount of applications you want to allow him to perform, an option would be to allow him to execute commands withou even having to sudo. This could prevent you from giving him a root access, while still allowing him to perform his tasks: To do this, add in the sudoers file a line like this one for each application he should be allowed to do:
username ALL=NOPASSWD: /path/to/application
Edit: the virtual machine solution would for sure be the safest option
Solution 2:
If you're not stuck on Debian/Ubuntu (and you have the ability to change/choose your OS), FreeBSD's Jails were built with this in mind and have been in production for years:
http://www.freebsd.org/doc/handbook/jails.html