Re: separate user per website?
Tue, 14 06 2011 at 00:12 +1000, Andrew McGlashan wrote:
> Hi,
>
> Lars Nielsen wrote:
> > I am running my own server with lenny, apache and php. Now I have
> > several websites that only I am going to update. Is it fine to run
> > those under the same userlogin and use virtualhosts or should I create a
> > separate user for each website?
> > Is it possible to maintain a secure server using a single user with
> > several websites?
>
> Most of that which is below is probably irrelevant if only you are going
> to manage each website's files, but if you want different people to be
> responsible for _their_ own website, then I suggest doing as follows:
>
> -- create a chroot user area for each website
>
> -- sym link the website to the chroot area
>
> -- have the user create a private key with a good pass phrase and
> provide you with the public key data [or you could create it for them].
>
> -- if possible limit remote login of the chroot user via IP
> address, insist on them having static IP access only if possible so you
> can restrict this properly.
>
> -- add user to a group that is allowed to ssh into the server and
> set up ssh server appropriately ... [AllowGroups in /etc/ssh/sshd_config
> file and restart ssh daemon], don't allow ANY user to ssh without them
> belonging to the specially created ssh user group.
>
> With the user having their own private key and providing you with the
> public key data for the ~/.ssh/authorized_keys file, you can give the
> user a very long and cryptic random password that cannot be used for
> access (no-one needs this password anyway). You _may_ also want to
> disallow password login via ssh as well.
>
> Doing the above at least segregates the areas of each website and will
> give more security than most setups around these days whilst still
> allowing those that require access to manage their own website areas
> (their own document root) as needed.
>
> --
> Kind Regards
> AndrewM
>
> Andrew McGlashan
> Broadband Solutions now including VoIP
>
> Current Land Line No: 03 9912 0504
> Mobile: 04 2574 1827 Fax: 03 9012 2178
>
> National No: 1300 85 3804
>
> Affinity Vision Australia Pty Ltd
> http://www.affinityvision.com.au
> http://adsl2choice.net.au
>
> In Case of Emergency -- http://www.affinityvision.com.au/ice.html
>
>
Thank you for all your comments. It is good inspiration.
I think I will work towards a solution with chroot'ed users with SCP
access and I will look closer at suPHP.
:-) Thanks
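The per-site chroot procedure quoted above, written out as an added example (this is not code from either poster): it generates the sshd_config fragments, the `from=`-restricted authorized_keys line, and the commands an admin would review and then run as root, and it checks the one permission rule that makes or breaks `ChrootDirectory`. The group name `sftpsites`, the base directory `/srv/sites`, the `www-data` web server group and the `restrict` key option (OpenSSH 7.2 or newer) are assumptions, not anything the thread specifies.

```sh
#!/bin/sh
# Added example, not the list posters' own setup. Every function only emits
# text or inspects a directory, so the output can be reviewed before it is
# applied on the real server as root.
set -eu

SFTP_GROUP="sftpsites"    # assumed group name; AllowGroups admits only its members
CHROOT_BASE="/srv/sites"  # assumed base directory; each site gets $CHROOT_BASE/<name>
WEB_GROUP="www-data"      # assumed Apache group so it can read the docroot

# Global sshd_config lines: SFTP via the in-process server, no passwords,
# and only members of the dedicated group may log in at all.
sshd_global_fragment() {
    cat <<EOF
Subsystem sftp internal-sftp
PasswordAuthentication no
AllowGroups $SFTP_GROUP
EOF
}

# One Match block per site user: jailed to its own directory, SFTP only,
# no forwarding so the jail cannot be used as a relay.
sshd_match_block() {   # $1 = site/user name
    cat <<EOF
Match User $1
    ChrootDirectory $CHROOT_BASE/$1
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# authorized_keys line pinned to the user's static address, as the post
# suggests. "restrict" needs OpenSSH 7.2+; on older servers spell out
# no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding instead.
authorized_key_line() {   # $1 = allowed source IP or CIDR, $2 = public key line
    printf 'from="%s",restrict %s\n' "$1" "$2"
}

# Commands to create the site user. Emitted as text, not executed, so they
# can be diffed against policy first. The chroot root stays root-owned and
# 0755 (sshd refuses the login otherwise); only htdocs and .ssh belong to
# the site user. The password is locked: key access only.
site_setup_commands() {   # $1 = site name
    cat <<EOF
groupadd -f $SFTP_GROUP
useradd -d $CHROOT_BASE/$1 -s /usr/sbin/nologin -G $SFTP_GROUP $1
passwd -l $1
mkdir -p $CHROOT_BASE/$1/htdocs $CHROOT_BASE/$1/.ssh
chown root:root $CHROOT_BASE/$1 && chmod 0755 $CHROOT_BASE/$1
chown $1:$WEB_GROUP $CHROOT_BASE/$1/htdocs && chmod 0750 $CHROOT_BASE/$1/htdocs
chown $1:$1 $CHROOT_BASE/$1/.ssh && chmod 0700 $CHROOT_BASE/$1/.ssh
EOF
}

# Returns 0 if the directory is neither group- nor world-writable, i.e. it
# satisfies sshd's ChrootDirectory rule (ownership by root is checked
# separately on the live host). Uses the ls mode string so it runs on any
# POSIX system without GNU stat.
chroot_dir_is_safe() {   # $1 = directory
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        d????w????|d???????w?) return 1 ;;
    esac
    [ "${perms#d}" != "$perms" ]
}

# When run with a site name, print the full review bundle for that site.
if [ $# -gt 0 ]; then
    sshd_global_fragment
    sshd_match_block "$1"
    site_setup_commands "$1"
fi
```

Two caveats the thread glosses over: a symlink from the chroot to a document root elsewhere will not resolve once the SFTP session is jailed, because the link target is looked up relative to the chroot, so keep the real docroot inside the chroot (here `htdocs`) and point Apache's `DocumentRoot` at it or bind-mount it; and the `from=` restriction on the key is what makes the "static IP only" rule enforceable per user without touching the firewall.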