Re: separate user per website?
Tue, 14 06 2011 at 00:12 +1000, Andrew McGlashan wrote:
> Hi,
>
> Lars Nielsen wrote:
> > I am running my own server with lenny, apache and php. Now I have
> > several websites that only I am going to update. Is it fine to run
> > those under the same userlogin and use virtualhosts or should I create a
> > separate user for each website?
> > Is it possible to maintain a secure server using a single user with
> > several websites?
>
> Most of that which is below is probably irrelevant if only you are going
> to manage each website's files, but if you want different people to be
> responsible for _their_ own website, then I suggest doing as follows:
>
>   -- create a chroot user area for each website
>
>   -- sym link the website to the chroot area
>
>   -- have the user create a private key with a good pass phrase and
> provide you with the public key data [or you could create it for them].
>
>   -- if possible limit remote login of the chroot user via IP
> address, insist on them having static IP access only if possible so you
> can restrict this properly.
>
>   -- add user to a group that is allowed to ssh into the server and
> setup ssh server appropriately ... [AllowGroup in /etc/ssh/sshd_config
> file and restart ssh daemon], don't allow ANY user to ssh without them
> belonging to the specially created ssh user group.
>
> With the user having their own private key and providing you with the
> public key data for the ~/.ssh/authorized_keys file, you can give the
> user a very long and cryptic random password that cannot be used for
> access (no-one needs this password anyway). You _may_ also want to
> disallow password login via ssh as well.
>
> Doing the above at least segregates the areas of each website and will
> give more security than most setups around these days whilst still
> allowing those that require access to manage their own website areas
> (their own document root) as needed.
>
> --
> Kind Regards
> AndrewM
>
> Andrew McGlashan
> Broadband Solutions now including VoIP
>
> Current Land Line No: 03 9912 0504
> Mobile: 04 2574 1827 Fax: 03 9012 2178
>
> National No: 1300 85 3804
>
> Affinity Vision Australia Pty Ltd
> http://www.affinityvision.com.au
> http://adsl2choice.net.au
>
> In Case of Emergency -- http://www.affinityvision.com.au/ice.html

Thank you for all your comments. It is good inspiration.
I think I will work towards a solution with chroot'ed users with SCP
access and I will look closer at suPHP. :-)

Thanks

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/1308515393.2951.10.ca...@mp.fullrate.dk

Re: separate user per website?
On Tue, 14 Jun 11, 00:12:27, Andrew McGlashan wrote:
>
> With the user having their own private key and providing you with
> the public key data for the ~/.ssh/authorized_keys file, you can
> give the user a very long and cryptic random password that cannot be
> used for access (no-one needs this password anyway).

    # passwd -l SSHUser

Regards,
Andrei
--
Offtopic discussions among Debian users and developers:
http://lists.alioth.debian.org/mailman/listinfo/d-community-offtopic

Re: separate user per website?
On 13/06/11 11:50, Lars Nielsen wrote:
> Hi
> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?
> Is it possible to maintain a secure server using a single user with
> several websites?

Debian arranges for Apache2 to run under the user www-data
automatically. This is normally fine and can run many web sites each in
their own virtual hosts (you can use name-based or IP-based virtual
hosting). Since you say you are updating them all, then that is
probably/possibly sufficient - although you need to ensure that www-data
can read the files.

On my home desktop, where I am developing multiple web sites for others,
but need to test locally - I run apache2-mpm-itk version of apache. This
allows you to use a directive such as this in the virtual host

    AssignUserId alan alan

which makes the server act as my user. This is convenient for editing
the files etc.

NOTE: I develop using git as the version control system and when it's
time to fire it off to the production version I change to the "site"
branch and then merge from my master branch.

This kicks off the post-commit/post-merge hook which does something like
this

    # current branch name and a version string derived from the latest tag
    branch=$(git branch | sed -n 's/^\* //p')
    version=$(git describe --tags)
    # move to the top of the working tree
    cd "$(git rev-parse --show-cdup)"
    if [ "$branch" = "site" ]; then
        git clean -f
        # minify the script into a versioned file name
        java -jar /home/alan/dev/yuicompressor-2.4.2.jar app/money.js -o "app/money-yc-$version.js"
        # ...
        echo "" > app/inc/version.inc
        # push document root and application to the production virtual hosts
        rsync -aqz docroot/ www-data@owl:https/
        rsync -aqz --delete app/ www-data@owl:money/app/
    else
        echo "" > app/inc/version.inc
    fi

This is using rsync over ssh (logging in as www-data) to rsync stuff
from my development directory into the virtual host positions on my
production server.

--
Alan Chandler
http://www.chandlerfamily.org.uk

Archive: http://lists.debian.org/4df7b2e2.9040...@chandlerfamily.org.uk

Re: separate user per website?
Lars Nielsen wrote:
> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?
> Is it possible to maintain a secure server using a single user with
> several websites?

It is possible, though it's kinda down to how much you trust the code
for each site. Running each under its own user (using suPHP or similar)
does limit damage if one of the sites turns out to be insecure.

Archive: http://lists.debian.org/4df623b9.1010...@deathbycomputers.co.uk

Re: separate user per website?
Hi,

Lars Nielsen wrote:
> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?
> Is it possible to maintain a secure server using a single user with
> several websites?

Most of that which is below is probably irrelevant if only you are going
to manage each website's files, but if you want different people to be
responsible for _their_ own website, then I suggest doing as follows:

  -- create a chroot user area for each website

  -- sym link the website to the chroot area

  -- have the user create a private key with a good pass phrase and
provide you with the public key data [or you could create it for them].

  -- if possible limit remote login of the chroot user via IP
address, insist on them having static IP access only if possible so you
can restrict this properly.

  -- add user to a group that is allowed to ssh into the server and
setup ssh server appropriately ... [AllowGroup in /etc/ssh/sshd_config
file and restart ssh daemon], don't allow ANY user to ssh without them
belonging to the specially created ssh user group.

With the user having their own private key and providing you with the
public key data for the ~/.ssh/authorized_keys file, you can give the
user a very long and cryptic random password that cannot be used for
access (no-one needs this password anyway). You _may_ also want to
disallow password login via ssh as well.

Doing the above at least segregates the areas of each website and will
give more security than most setups around these days whilst still
allowing those that require access to manage their own website areas
(their own document root) as needed.

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP

Current Land Line No: 03 9912 0504
Mobile: 04 2574 1827 Fax: 03 9012 2178

National No: 1300 85 3804

Affinity Vision Australia Pty Ltd
http://www.affinityvision.com.au
http://adsl2choice.net.au

In Case of Emergency -- http://www.affinityvision.com.au/ice.html

Archive: http://lists.debian.org/4df61acb.1080...@affinityvision.com.au

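A way to check an sshd_config against the controls listed in the message above (group-restricted login, key-only authentication, chroot), as an added example that is not part of the thread. The sample configs are constructed, and the group name "sshusers" and the path /srv/chroot/%u are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed sample configs; the group
# name "sshusers" and the chroot path /srv/chroot/%u are assumptions.

# audit_sshd [FILE]: print one finding per line for the controls suggested in
# the message (group-restricted login, key-only auth, chroot). Reads stdin if
# no FILE is given. Assumes "Keyword value" syntax, not "Keyword=value".
audit_sshd() {
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        { key = tolower($1) }
        key == "match" { in_match = 1; next }    # Match blocks run to end of file
        # Global section: sshd uses the first value it sees for each keyword.
        !in_match && !(key in seen) { seen[key] = 1; val[key] = tolower($2) }
        in_match && key == "chrootdirectory" { chroot_in_match = 1 }
        END {
            if (!("allowgroups" in seen))
                print "AllowGroups missing: login is not limited to a dedicated ssh group"
            if (val["passwordauthentication"] != "no")   # unset means default "yes"
                print "PasswordAuthentication is not \"no\": passwords are still accepted"
            if (val["pubkeyauthentication"] == "no")
                print "PubkeyAuthentication is \"no\": key-based login is disabled"
            if (!chroot_in_match && !("chrootdirectory" in seen))
                print "ChrootDirectory missing: site users are not confined"
        }
    ' "${1:--}"
}

# Constructed sample: password logins on, no group limit, no chroot.
sample_weak() {
    printf '%s\n' '# constructed sample' 'PermitRootLogin no' \
        'PasswordAuthentication yes'
}

# Constructed sample: the setup described in the message.
sample_hardened() {
    printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
        'AllowGroups sshusers' 'Match Group sshusers' \
        '    ChrootDirectory /srv/chroot/%u'
}

echo "weak config:";     sample_weak | audit_sshd
echo "hardened config:"; sample_hardened | audit_sshd
```
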
Re: separate user per website?
On Mon, 13 Jun 2011 12:50:07 +0200, Lars Nielsen wrote:

> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?

I guess you refer to sharing the same SFTP/FTP username/password, right?

If you are the only user that is going to manage them and you foresee no
problems with that policy, it should be fine. The number of users is
mostly a matter of management convenience (because different privileges
can apply to different users).

> Is it possible to maintain a secure server using a single user with
> several websites?

Yep, why not? A secure server is not just about how many users there
are, indeed, the less users -and the less services- the better, but
choose a very good password for it because if someone breaks it, it will
have access to all of the hosted sites ;-)

Greetings,

--
Camaleón

Archive: http://lists.debian.org/pan.2011.06.13.13.51...@gmail.com

Re: separate user per website?
Not really the place to be asking this question, you should post on the
Apache / PHP forums.

Cal

On Mon, Jun 13, 2011 at 11:50 AM, Lars Nielsen wrote:
> Hi
> I am running my own server with lenny, apache and php. Now I have
> several websites that only I am going to update. Is it fine to run
> those under the same userlogin and use virtualhosts or should I create a
> separate user for each website?
> Is it possible to maintain a secure server using a single user with
> several websites?
>
> Regards Lars
>
> Archive: http://lists.debian.org/1307962207.2551.3.ca...@mp.fullrate.dk

separate user per website?
Hi
I am running my own server with lenny, apache and php. Now I have
several websites that only I am going to update. Is it fine to run
those under the same userlogin and use virtualhosts or should I create a
separate user for each website?
Is it possible to maintain a secure server using a single user with
several websites?

Regards Lars

Archive: http://lists.debian.org/1307962207.2551.3.ca...@mp.fullrate.dk