sudoer scheme to allow useful access to another web developer yet retain future control of a virtual server?

linux web-server ubuntu sudo

Background: Virtual Private Server

I have a virtual private server that I'm looking to host multiple websites on, and provide access to another web developer. I don't care about putting too many constraints on him, though I wouldn't mind isolating the site that he'll be developing from other sites on the server that I will develop.

The problem: retain control

Mainly what I want is to make sure that I retain control over the server in the future. I want to reserve the ability to create/promote/demote and other administrative functions that don't deal with web software. If I make him an admin, he can sudo su - and become root and remove root control from me, for example.

I need him not to be able to:

  • take away other admin permissions
  • change the root password
  • have control over other security/administrative functions

I would like him to still be able to:

  • install software (through apt-get)
  • restart apache
  • access mysql
  • configure mysql/apache
  • reboot
  • edit web development configuration type files in /etc/

Other Standard Setups would be happily considered

I've never really set up a good sudoers file, so simple example setups would be very useful, even if they're only somewhat similar to the settings that I'm hoping for above.

Edit: I have not yet finalized permissions, so standard, useful sudo setups are certainly an option, the lists above are more what I'm hoping I can do, I don't know that that setup can be done. I'm sure that people have solved this type of problem before somehow, though, and I'd like to go with something somewhat tested as opposed to something I've homegrown.


Solution 1:

Depending on the amount of applications you want to allow him to perform, an option would be to allow him to execute commands withou even having to sudo. This could prevent you from giving him a root access, while still allowing him to perform his tasks: To do this, add in the sudoers file a line like this one for each application he should be allowed to do:

username ALL=NOPASSWD: /path/to/application

Edit: the virtual machine solution would for sure be the safest option

Solution 2:

If you're not stuck on Debian/Ubuntu (and you have the ability to change/choose your OS), FreeBSD's Jails were built with this in mind and have been in production for years:

http://www.freebsd.org/doc/handbook/jails.html

Related

How do I config postfix to use multiple google apps user accounts?
Is there any way to recover files in /usr/local directory on Ubuntu?
Internet Forwarding With Qemu?
ghettoVCB issue
IIS Strategies for Accessing Secured Network Resources
TCP Proxy with multiple clients?
Flexbox is not breaking the line [duplicate]
How can I use Google default credentials on Heroku without the JSON file?
Error in contrib.url(repos, "source") in R trying to use CRAN without setting a mirror Calls: install.packages -> contrib.url Execution halted
Mac Mountain Lion send notification from CLI app
How to check heap size for a process on Linux
Sending Meeting Invitations With Python