06-13-2011, 10:50 AM
Lars Nielsen

separate user per website?

Hi
I am running my own server with lenny, apache and php. Now I have
several websites that only I am going to update. Is it fine to run
those under the same userlogin and use virtualhosts or should I create a
separate user for each website?
Is it possible to maintain a secure server using a single user with
several websites?

Regards Lars


--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
Archive: http://lists.debian.org/1307962207.2551.3.camel@mp.fullrate.dk
 
06-13-2011, 11:00 AM
"Cal Leeming [Simplicity Media Ltd]"

separate user per website?

Not really the place to be asking this question, you should post on the Apache / PHP forums.
Cal

On Mon, Jun 13, 2011 at 11:50 AM, Lars Nielsen <lars@lfweb.dk> wrote:

> Hi
> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?
> Is it possible to maintain a secure server using a single user with
> several websites?
>
> Regards Lars

 
06-13-2011, 01:51 PM
Camaleón

separate user per website?

On Mon, 13 Jun 2011 12:50:07 +0200, Lars Nielsen wrote:

> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?

I guess you are referring to sharing the same SFTP/FTP username/password, right?

If you are the only user that is going to manage them and you foresee no
problems with that policy, it should be fine. The number of users is
mostly a matter of management convenience (because different privileges
can apply to different users).

> Is it possible to maintain a secure server using a single user with
> several websites?

Yep, why not? A secure server is not just about how many users there are,
indeed, the fewer users -and the fewer services- the better, but choose a
very good password for it because if someone breaks it, they will have
access to all of the hosted sites ;-)

Greetings,

--
Camaleón


Archive: http://lists.debian.org/pan.2011.06.13.13.51.26@gmail.com
 
06-13-2011, 02:12 PM
Andrew McGlashan

separate user per website?

Hi,

Lars Nielsen wrote:

> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?
> Is it possible to maintain a secure server using a single user with
> several websites?


Most of that which is below is probably irrelevant if only you are going
to manage each website's files, but if you want different people to be
responsible for _their_ own website, then I suggest doing as follows:


-- create a chroot user area for each website

-- sym link the website to the chroot area

-- have the user create a private key with a good pass phrase and
provide you with the public key data [or you could create it for them].


-- if possible limit remote login of the chroot user via IP
address, insist on them having static IP access only if possible so you
can restrict this properly.


-- add user to a group that is allowed to ssh into the server and
set up ssh server appropriately ... [AllowGroup in /etc/ssh/sshd_config
file and restart ssh daemon], don't allow ANY user to ssh without them
belonging to the specially created ssh user group.


With the user having their own private key and providing you with the
public key data for the ~/.ssh/authorized_keys file, you can give the
user a very long and cryptic random password that cannot be used for
access (no-one needs this password anyway). You _may_ also want to
disallow password login via ssh as well.


Doing the above at least segregates the areas of each website and will
give more security than most setups around these days whilst still
allowing those that require access to manage their own website areas
(their own document root) as needed.


--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP

Current Land Line No: 03 9912 0504
Mobile: 04 2574 1827 Fax: 03 9012 2178

National No: 1300 85 3804

Affinity Vision Australia Pty Ltd
http://www.affinityvision.com.au
http://adsl2choice.net.au

In Case of Emergency -- http://www.affinityvision.com.au/ice.html


Archive: http://lists.debian.org/4DF61ACB.1080209@affinityvision.com.au
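
The sshd side of the steps in the post above, as an added example that is not part of the original message: a constructed sshd_config fragment and a small audit function that checks the three settings the procedure relies on (a group allow-list, key-only login, a chroot for the group). The group name `webssh`, the path `/srv/chroot/%u`, the SFTP-only `ForceCommand` and the function names are assumptions; the sshd_config keyword for the allow-list is `AllowGroups`.

```shell
#!/bin/sh
# Constructed sample config (not from the thread). Group "webssh", the
# chroot path and SFTP-only access are assumptions made for illustration.
sample_sshd_config() {
cat <<'EOF'
# only members of this group may log in over ssh
AllowGroups webssh
PasswordAuthentication no
PubkeyAuthentication yes

Match Group webssh
    ChrootDirectory /srv/chroot/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
EOF
}

# audit_sshd_config FILE: print one finding per line; return 0 if none.
# sshd keeps the first value it reads for a keyword, so only the first
# global occurrence (before any Match block) is recorded.
audit_sshd_config() {
    awk '
        /^[ \t]*(#|$)/ { next }                 # skip comments and blanks
        { key = tolower($1) }
        key == "match" { in_match = 1; next }
        in_match && key == "chrootdirectory" { chroot = 1 }
        !in_match && !(key in seen) { seen[key] = tolower($2) }
        END {
            if (!("allowgroups" in seen)) {
                print "no global AllowGroups: any account may attempt ssh login"
                bad = 1
            }
            if (seen["passwordauthentication"] != "no") {
                print "password login is not disabled (the default is yes)"
                bad = 1
            }
            if (!chroot) {
                print "no ChrootDirectory inside a Match block"
                bad = 1
            }
            exit bad
        }
    ' "$1"
}

# Demo: audit the constructed sample; prints nothing when all checks pass.
tmp=$(mktemp) && sample_sshd_config > "$tmp" && audit_sshd_config "$tmp"; rm -f "$tmp"
```

sshd refuses a `ChrootDirectory` whose path components are not root-owned or are writable by group or others, so the per-site writable directory has to sit below the chroot root rather than be the root itself.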
 
 
06-13-2011, 02:50 PM
Tom Grace

separate user per website?

Lars Nielsen wrote:
> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?
> Is it possible to maintain a secure server using a single user with
> several websites?

It is possible, though it's kinda down to how much you trust the code
for each site. Running each under its own user (using suPHP or similar)
does limit damage if one of the sites turns out to be insecure.


Archive: http://lists.debian.org/4DF623B9.1010704@deathbycomputers.co.uk
 
06-14-2011, 07:13 PM
Alan Chandler

separate user per website?

On 13/06/11 11:50, Lars Nielsen wrote:

> Hi
> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?
> Is it possible to maintain a secure server using a single user with
> several websites?


Debian arranges for Apache2 to run under the user www-data
automatically. This is normally fine and can run many web sites each in
their own virtual hosts (you can use name-based or IP-based virtual
hosting).


Since you say you are updating them all, then that is probably/possibly
sufficient - although you need to ensure that www-data can read the files.


On my home desktop, where I am developing multiple web sites for others,
but need to test locally - I run apache2-mpm-itk version of apache.
This allows you to use a directive such as this in the virtual host


AssignUserId alan alan

which makes the server act as my user. This is convenient for editing
the files etc.


NOTE: I develop using git as the version control system and when it's
time to fire it off to the production version I change to the "site"
branch and then merge from my master branch


This kicks off the post-commit/post-merge hook which does something like this

# Current branch name and the version string from the nearest tag
branch=$(git branch | sed -n 's/^\* //p')
version=$(git describe --tags)

# Run from the top of the working tree
cd "$(git rev-parse --show-cdup)"
if [ "$branch" = "site" ]; then
    git clean -f
    java -jar /home/alan/dev/yuicompressor-2.4.2.jar app/money.js -o \
        "app/money-yc-$version.js"

    ...
    echo "<?php echo '$version';?>" > app/inc/version.inc
    # Push the built tree to the production virtual hosts over ssh
    rsync -aqz docroot/ www-data@owl:https/
    rsync -aqz --delete app/ www-data@owl:money/app/
else
    echo "<?php echo '$version';?>" > app/inc/version.inc
fi


This is using rsync over ssh (logging in as www-data) to rsync stuff
from my development directory into the virtual host positions on my
production server.



--
Alan Chandler
http://www.chandlerfamily.org.uk



Archive: http://lists.debian.org/4DF7B2E2.9040104@chandlerfamily.org.uk
 
06-19-2011, 06:55 AM
Andrei POPESCU

separate user per website?

On Tue, 14 Jun 11, 00:12:27, Andrew McGlashan wrote:
>
> With the user having their own private key and providing you with
> the public key data for the ~/.ssh/authorized_keys file, you can
> give the user a very long and cryptic random password that cannot be
> used for access (no-one needs this password anyway).

# passwd -l SSHUser

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic
 
06-19-2011, 08:29 PM
Lars Nielsen

separate user per website?

Tue, 14 06 2011 at 00:12 +1000, Andrew McGlashan wrote:
> Hi,
>
> Lars Nielsen wrote:
> > I am running my own server with lenny, apache and php. Now I have
> > several websites that only I am going to update. Is it fine to run
> > those under the same userlogin and use virtualhosts or should I create a
> > separate user for each website?
> > Is it possible to maintain a secure server using a single user with
> > several websites?
>
> Most of that which is below is probably irrelevant if only you are going
> to manage each website's files, but if you want different people to be
> responsible for _their_ own website, then I suggest doing as follows:
>
> -- create a chroot user area for each website
>
> -- sym link the website to the chroot area
>
> -- have the user create a private key with a good pass phrase and
> provide you with the public key data [or you could create it for them].
>
> -- if possible limit remote login of the chroot user via IP
> address, insist on them having static IP access only if possible so you
> can restrict this properly.
>
> -- add user to a group that is allowed to ssh into the server and
> set up ssh server appropriately ... [AllowGroup in /etc/ssh/sshd_config
> file and restart ssh daemon], don't allow ANY user to ssh without them
> belonging to the specially created ssh user group.
>
> With the user having their own private key and providing you with the
> public key data for the ~/.ssh/authorized_keys file, you can give the
> user a very long and cryptic random password that cannot be used for
> access (no-one needs this password anyway). You _may_ also want to
> disallow password login via ssh as well.
>
> Doing the above at least segregates the areas of each website and will
> give more security than most setups around these days whilst still
> allowing those that require access to manage their own website areas
> (their own document root) as needed.
>
> --
> Kind Regards
> AndrewM
>
> Andrew McGlashan
> Broadband Solutions now including VoIP
>
> Current Land Line No: 03 9912 0504
> Mobile: 04 2574 1827 Fax: 03 9012 2178
>
> National No: 1300 85 3804
>
> Affinity Vision Australia Pty Ltd
> http://www.affinityvision.com.au
> http://adsl2choice.net.au
>
> In Case of Emergency -- http://www.affinityvision.com.au/ice.html
>
>
Thank you for all your comments. It is good inspiration.
I think I will work towards a solution with chroot'ed users with SCP
access and I will look closer at suPHP.

:-) Thanks


Archive: http://lists.debian.org/1308515393.2951.10.camel@mp.fullrate.dk
 
