When a new pool is set up based on the Guild Operators documentation, or by following Alexd's forum article "How to set up a POOL in a few minutes - and register using CNTOOLS", the user who installed CNODE also runs it as a service by default.
This is not optimal from a security perspective because the same user is typically used to SSH into the machine. To reduce attack vectors such as privilege escalation, the following steps show how to demote the original installation user to a non-sudoer and create a new user that will be used for SSH from now on.
Please note that after these steps you will always need to SSH in as the new user and then switch to the service user (OLDUSER). Any later updates or scripts that require sudo will also require temporarily re-granting sudo permissions to OLDUSER.
Further comment: I know that it would be more convenient to just have 2 users. But this leads to issues regarding availability of environment variables and port access of Prometheus. This does not mean it is not possible - let me know if you found a better way
OLDUSER = User which was used during the installation.
maint-user = New User which will be used for future SSH connectivity.
```bash
# Create another login user which you will use in future for maintenance SSH connections
sudo adduser maint-user
# Make the new user a sudoer
sudo usermod -aG sudo maint-user
# Switch to the new user
sudo su - maint-user
# Configure the appropriate login mechanism (redo what you did for your original user,
# e.g. authorized_keys for public key auth); in my case, copy the old authorized_keys
mkdir -p ~/.ssh
sudo cp /home/OLDUSER/.ssh/authorized_keys ~/.ssh/
sudo chown -R maint-user /home/maint-user/.ssh
# Allow the new user to log in over SSH: edit sshd_config so that it contains the line
#   AllowUsers OLDUSER maint-user
sudo nano /etc/ssh/sshd_config
# Restart SSHD
sudo systemctl restart sshd
# Log in with the new user through SSH directly
# The new user is now able to log in and also run commands in the context of the original install user
# Please note that the new user cannot run any script in its own context, since the Cardano
# binaries and environment variables are only available to the original install user
sudo su - OLDUSER
# Run gLiveView to verify that everything is fine
/opt/cardano/cnode/scripts/gLiveView.sh
# Exit to get back to maint-user
exit
# Reduce the permissions of the user which was initially used to install Cardano
# and will still run the service in future
# Remove sudo
sudo deluser OLDUSER sudo
# Delete authorized_keys
sudo shred -uvz /home/OLDUSER/.ssh/authorized_keys
# Lock the password (passwd --delete would leave an empty password rather than disable it)
sudo passwd --lock OLDUSER
# Remove the old user from sshd_config so that only maint-user remains:
#   AllowUsers maint-user
sudo nano /etc/ssh/sshd_config
# Restart SSHD
sudo systemctl restart sshd
```
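To confirm the end state these steps aim for, the following added example (not part of the original post or of the Guild Operators scripts) audits the service user against copies of the relevant files. The function names are hypothetical, OLDUSER and maint-user are the placeholders used above, and an empty password field is reported as a finding because an empty password is not a locked one.

```bash
# Added example: read-only audit of the service user's end state.
# Function names are hypothetical; nothing here modifies the system.

# True if user $1 is named on an AllowUsers line in file $2
# (an sshd_config file or saved `sshd -T` output; wildcard patterns are not expanded).
ssh_allows() {
    awk -v u="$1" 'tolower($1) == "allowusers" {
        for (i = 2; i <= NF; i++) { split($i, p, "@"); if (p[1] == u) found = 1 }
    } END { exit !found }' "$2"
}

# True if user $1 is a supplementary member of group $2 in group-format file $3.
in_group() {
    awk -F: -v u="$1" -v g="$2" '$1 == g {
        n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1
    } END { exit !found }' "$3"
}

# Prints locked | empty | set for user $1 in shadow-format file $2.
# "empty" means no password is required at all, which is different from locked.
password_state() {
    awk -F: -v u="$1" '$1 == u {
        if ($2 == "") print "empty"
        else if ($2 ~ /^[!*]/) print "locked"
        else print "set"
    }' "$2"
}

# audit_service_user USER SSHD_FILE SHADOW_FILE GROUP_FILE AUTHORIZED_KEYS
# Prints one line per finding; the return status is the number of findings.
audit_service_user() {
    local user="$1" sshd="$2" shadow="$3" group="$4" keys="$5" n=0 state
    if ! grep -qiE '^[[:space:]]*allowusers[[:space:]]' "$sshd"; then
        echo "FAIL: no AllowUsers directive, so every account may use SSH"; n=$((n + 1)); fi
    if ssh_allows "$user" "$sshd"; then
        echo "FAIL: $user is still listed in AllowUsers"; n=$((n + 1)); fi
    if in_group "$user" sudo "$group"; then
        echo "FAIL: $user is still in the sudo group"; n=$((n + 1)); fi
    state=$(password_state "$user" "$shadow")
    if [ "$state" != locked ]; then
        echo "FAIL: password state of $user is '${state:-unknown}', expected locked"
        n=$((n + 1)); fi
    if [ -e "$keys" ]; then
        echo "FAIL: $keys still exists"; n=$((n + 1)); fi
    echo "$n finding(s) for $user"
    return "$n"
}
```

On a live host, pass it the output of `sudo sshd -T` saved to a file, a file holding the output of `sudo getent shadow OLDUSER`, `/etc/group`, and `/home/OLDUSER/.ssh/authorized_keys`.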