Create a new user
sudo adduser --disabled-password newuser
Most users do not have passwords and instead use SSH keys for authentication. If you need to add or change a password, try
sudo passwd newuser
To revoke a user's access to the server, simply revoke their SSH access (see below). If for some reason you need to delete a user account and delete that user's home directory, use
sudo userdel -r olduser
We assign all new users membership to the group epi:
sudo usermod -a -G epi newuser
If the epi group does not already exist, you can create it with sudo addgroup epi.
All users have a projects/ folder in their home directory where they should store their work, which is backed up nightly (see backups, below).
To create a group-writable folder,
- create a folder in new user's home directory
- assign it to epi
- add group-writable permissions
- set the setgid bit so that new files will have group epi
- set default ACL so that new files created in this directory are group-writable
- confirm that a new file you create in directory has group epi.
sudo su - newuser
cd ~
mkdir projects
chgrp epi projects
chmod g+w projects
chmod g+s projects
setfacl -d -m u::rwx,g::rwx,o::r-x projects
touch projects/test
ls -l projects
rm projects/test
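The checks below verify each step of the shared-folder setup above in one pass. This is an added example, not part of the original notes; check_shared_dir is a hypothetical helper name and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Assumes GNU stat (Ubuntu).
# Usage: check_shared_dir /home/newuser/projects epi
# Prints one FAIL line per problem; returns 0 only if every check passes.

check_shared_dir() {
    local dir grp actual probe rc
    dir=$1; grp=$2; rc=0

    # chgrp epi projects
    actual=$(stat -c '%G' "$dir")
    if [ "$actual" != "$grp" ]; then
        echo "FAIL group: $dir has group $actual, expected $grp"; rc=1
    fi
    # chmod g+w projects (6th character of a mode string such as drwxrwsr-x)
    case "$(stat -c '%A' "$dir")" in
        d????w*) ;;
        *) echo "FAIL g+w: $dir is not group-writable"; rc=1 ;;
    esac
    # chmod g+s projects
    if [ ! -g "$dir" ]; then
        echo "FAIL setgid: new files in $dir will not inherit the group"; rc=1
    fi
    # setfacl -d -m ...,g::rwx,... (check skipped when getfacl is not installed)
    if command -v getfacl >/dev/null 2>&1 &&
       ! getfacl -p "$dir" 2>/dev/null | grep -q '^default:group::rwx'; then
        echo "FAIL acl: $dir has no default ACL entry group::rwx"; rc=1
    fi
    # touch projects/test; ls -l projects; rm projects/test
    if probe=$(mktemp "$dir/.check.XXXXXX" 2>/dev/null); then
        actual=$(stat -c '%G' "$probe")
        rm -f "$probe"
        if [ "$actual" != "$grp" ]; then
            echo "FAIL inherit: new file got group $actual, expected $grp"; rc=1
        fi
    else
        echo "FAIL write: cannot create a file in $dir"; rc=1
    fi
    return "$rc"
}

# Check every directory given on the command line against group epi.
for d in "$@"; do check_shared_dir "$d" epi; done
```

Run it as the user who owns the folder, or as root, so the probe file can be created.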
Sometimes an uploaded file will not have the best permissions for team use. We run the script /root/bin/fix_perms.sh as a cron job to ensure that files in team folders always have kosher permissions. Edit the script to include the new team folder, and then run the script to ensure it works. After editing, the contents of the script should look like:
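## ensure correct group permissions for user-specific projects directories
## note: -L makes find follow symlinks, so as root this also changes the
## targets of any links inside these folders; drop -L if that is not wanted
dirlist="/home/user1/projects/
/home/user2/projects/"
groupname="epi"
for dir in $dirlist
do
    # files: group-readable, group-writable, owned by the team group
    find -L "$dir" -type f ! -perm -g=w -print0 | xargs -0 -I {} chmod g+w {}
    find -L "$dir" -type f ! -perm -g=r -print0 | xargs -0 -I {} chmod g+r {}
    find -L "$dir" -type f ! -group "$groupname" -print0 | xargs -0 -I {} chgrp "$groupname" {}
    # directories: mode 775, owned by the team group
    find -L "$dir" -type d ! -perm 775 -print0 | xargs -0 -I {} chmod 775 {}
    find -L "$dir" -type d ! -group "$groupname" -print0 | xargs -0 -I {} chgrp "$groupname" {}
done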
Add Stata to newuser's path by adding the following to /home/newuser/.profile:
## Stata
alias xstata='xstata-mp'
alias stata='stata-mp'
export PATH=/usr/local/stata14:$PATH
Create ssh private and public keys. When prompted, save the file as myserver-newuser and leave passphrase empty. Then rename the public key as authorized_keys, rename the private key with a .pem extension, and assign appropriate permissions. The private key doesn't need to remain on the server, but the following leaves it there.
sudo su - newuser
mkdir .ssh
chmod 700 .ssh
cd .ssh
ssh-keygen -t rsa -b 4096 -v
mv myserver-newuser.pub authorized_keys
mv myserver-newuser myserver-newuser.pem
chmod 600 authorized_keys
chmod 400 myserver-newuser.pem
exit
From a machine other than myserver, use the private key and test that you can ssh into myserver as newuser (copy the key and make sure you own it with the correct permission). Remember to delete the key after this works successfully. Also confirm that stata works.
sudo chown $USER:$USER myserver-newuser.pem
chmod 400 myserver-newuser.pem
ssh -i myserver-newuser.pem newuser@myserver
stata
exit
To revoke ssh access to myserver for a user, all you need to do is remove authorized_keys from that user's .ssh directory.
To allow nomachine access for a user, copy that user's public key to /home/newuser/.nx/config/authorized.crt:
sudo su - newuser
mkdir -p ~/.nx/config
cp ~/.ssh/authorized_keys ~/.nx/config/authorized.crt
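Removing authorized_keys does not touch the NoMachine copy of the public key or a private key left in .ssh, so a per-account audit of the paths used on this page is useful after revoking access. This is an added example, not part of the original notes; audit_access is a hypothetical helper name and GNU stat is assumed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original notes. Assumes GNU stat (Ubuntu).
# Usage: audit_access /home/newuser
# Prints one finding per line for the key material set up on this page.

audit_access() {
    local home f mode
    home=$1

    # SSH logins are possible while this file exists.
    if [ -e "$home/.ssh/authorized_keys" ]; then
        echo "ssh-enabled: $home/.ssh/authorized_keys"
        mode=$(stat -c '%a' "$home/.ssh/authorized_keys")
        if [ "$mode" != 600 ]; then
            echo "bad-mode: $home/.ssh/authorized_keys is $mode, expected 600"
        fi
    fi
    # The NoMachine copy of the public key is a separate file.
    if [ -e "$home/.nx/config/authorized.crt" ]; then
        echo "nx-enabled: $home/.nx/config/authorized.crt"
    fi
    # The key-creation steps leave the private key (*.pem) on the server;
    # list any that remain.
    for f in "$home"/.ssh/*.pem; do
        if [ -e "$f" ]; then echo "private-key-left: $f"; fi
    done
    # .ssh itself was created with mode 700.
    if [ -d "$home/.ssh" ]; then
        mode=$(stat -c '%a' "$home/.ssh")
        if [ "$mode" != 700 ]; then
            echo "bad-mode: $home/.ssh is $mode, expected 700"
        fi
    fi
    return 0
}

# Audit every home directory given on the command line.
for h in "$@"; do audit_access "$h"; done
```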
To update nomachine with a new subscription replace the files
/usr/NX/etc/server.lic
/usr/NX/etc/node.lic
Use XFCE. Disable screensaver. Add icons for Rstudio, Stata, Atom; mark executable and confirm they work.
Set preferred applications
- Browser -> chromium
- Terminal -> gnome-terminal
- File Browser -> nautilus
Load chromium and set blank passphrase.
Install the atom packages:
apm install stata-exec@1.5.2
apm install language-stata
apm install platformio-ide-terminal
Run Auto-key, close Auto-key, then follow instructions here for stata-exec (ln -s ~/.atom/packages/stata-exec/linux/stata-exec.py ~/.config/autokey/data/My\ Phrases/). Then set up Autokey to start at login (Session and Startup -> use command autokey-gtk) and confirm stata-exec works.
Install platformio-ide-terminal and add the following settings to the ~/.atom/config.cson file:
"platformio-ide-terminal":
  ansiColors:
    normal:
      black: "#282c34"
      blue: "#61afef"
      cyan: "#56b6c2"
      green: "#98c379"
      magenta: "#c678dd"
      red: "#e06c75"
      white: "#abb2bf"
      yellow: "#e5c07b"
    zBright:
      brightBlack: "#454c59"
      brightBlue: "#69bbff"
      brightCyan: "#66d9e8"
      brightGreen: "#b5e890"
      brightMagenta: "#e48aff"
      brightRed: "#ff7a85"
      brightWhite: "#cfd7e6"
      brightYellow: "#ffd68a"
  core: {}
  iconColors:
    blue: "#61afef"
    cyan: "#56b6c2"
    green: "#98c379"
    magenta: "#c678dd"
    orange: "#d19965"
    pink: "#c578dd"
    purple: "#d682f0"
    red: "#df6b75"
    yellow: "#e2c08d"
  style:
    fontFamily: "DejaVu Sans Mono"
    theme: "one-dark"
  toggles:
    selectToCopy: false
The /usr/local/stataXX/stata_pdf script that loads Stata manuals within xstata needs modification in order to use evince instead of acroread. Change the pdf viewer cmd to evince and modify the page and section options:
case "$PDFVIEWER" in
    "") cmd="evince"
        ;;
    *)  cmd="$PDFVIEWER"
        ;;
esac
case "$1" in
    "-page") pagenum=$2
        fname=$3
        wharg="--page-label=$pagenum"
        ;;
    "-section") section=$2
        fname=$3
        wharg="--named-dest=$section"
        ;;
    *)  fname="$1"
        wharg=""
        ;;
esac
exec $cmd $wharg "$fname"
We use two backup systems: crashplan (off-site) and borg (local).
Make sure that Crashplan is backing up /home/newuser/teamdir. The easiest way to do this is to run CrashPlanDesktop from the user account that is managing Crashplan.
Had segfaults with GTK apps (gnome-terminal, evince, firefox, nautilus) only through x2go. Fixed the problem with this solution. In the folder /usr/lib/x86_64-linux-gnu used the command
sudo ln -s /usr/lib/nvidia-375/libGLX_indirect.so.0
Crashplan takes up a lot of memory, so only run it at specified times (only do this after your initial seed of the disks being backed up, since that may take a while). Use CrashPlanDesktop to specify run and verification times (say, verify at 1am, run from 1am-6am). Then stop CrashPlan with /usr/local/crashplan/bin/./CrashPlanEngine stop, disable the service from starting at boot using sudo systemctl disable crashplan.service, and add the following to the root crontab with sudo crontab -e:
# CrashPlan stop and start
# (no user field here: entries in a crontab edited with crontab -e run as its owner)
45 0 * * * /usr/local/crashplan/bin/./CrashPlanEngine start
15 6 * * * /usr/local/crashplan/bin/./CrashPlanEngine stop
To assign a static IP address, edit the appropriate network interface info in /etc/network/interfaces, then reboot. Source: https://michael.mckinnon.id.au/2016/05/05/configuring-ubuntu-16-04-static-ip-address/
It is easy to install Dropbox headless using the instructions here: https://github.com/joeroback/dropbox
Just download the client according to Dropbox's instructions and make sure it works for a user. It is probably best to set up selective sync for that user, which can be done via the dropbox.py utility available from Dropbox, but it is frankly easiest to use x2go: add a notification panel, run .dropbox-dist/dropboxd, select the system tray element, pause syncing, enable selective sync, and stop the service.
Then download from https://github.com/joeroback/dropbox and enable and start dropbox@.service:
sudo systemctl enable dropbox@newuser
sudo systemctl start dropbox@newuser
http://brunogirin.blogspot.com/2010/03/shared-folders-in-ubuntu-with-setgid.html
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/managing-users.html