Create `gmn` Account and Configure Permissions¶

Run the following commands to:

Create the gmn user account (with password login disabled)
Add or update permissions allowing the gmn user to
- Create and edit Apache configuration files
- Restart the Apache and Postgres services
- Read Apache and Postgres logs
Prepare the DataONE root directory
Create Postgres role and database

Note

These commands can safely be run multiple times. Any missing permissions will be restored. Existing permissions will not be duplicated.

sudo -H bash -c '
  # Create the gmn user account with password login disabled
  id -u gmn 1>/dev/null 2>&1 || adduser --ingroup www-data \
    --gecos "DataONE Generic Member Node" --disabled-password gmn

  ERR=$(sudo -u postgres createuser gmn 2>&1)
  [[ ${ERR} =~ "already exists" ]] || echo ${ERR}
  ERR=$(sudo -u postgres createdb -E UTF8 gmn3 2>&1)
  [[ ${ERR} =~ "already exists" ]] || echo ${ERR}

  mkdir -p /var/local/dataone
  chown -R gmn:www-data /var/local/dataone
  chmod -R 00755 /var/local/dataone

  # Allow the gmn user to create and edit Apache configuration files
  setfacl -Rm gmn:rwx /etc/apache2 /var/lib/apache2/site/enabled_by_admin/

  # Allow the gmn user to start and stop the Apache and Postgres services
  for s in postgresql apache2; do
    grep -q $s /etc/sudoers \
      || echo "gmn ALL=NOPASSWD:/etc/init.d/$s" >> /etc/sudoers
  done

  # Allow the gmn user to read existing Postgres and Apache logs
  setfacl -Rm gmn:rx /var/log/postgresql /var/log/apache2

  # Allow the gmn user to read future Postgres and Apache logs
  P="/etc/logrotate.d/gmn"
  echo  >$P "postrotate"
  echo >>$P "  setfacl -Rm gmn:rx /var/log/postgresql /var/log/apache2"
  echo >>$P "endscript"
'

Create `gmn` Account and Configure Permissions¶

Previous topic

Next topic

This Page

Create gmn Account and Configure Permissions¶

Create `gmn` Account and Configure Permissions¶