
Re: separate user per website?



Tue, 14 06 2011 at 00:12 +1000, Andrew McGlashan wrote:
> Hi,
> 
> Lars Nielsen wrote:
> > I am running my own server with lenny, apache and php. Now I have
> > several websites that only I are going to update. Is it fine to run
> > those under the same userlogin and use virtualhosts or should I create a
> > separate user for each website?
> > Is it posible to maintain a secure server using a single user with
> > several websites?
> 
> Most of that which is below is probably irrelevant if only you are going 
> to manage each website's files, but if you want different people to be 
> responsible for _their_ own website, then I suggest doing as follows:
> 
>       -- create a chroot user area for each website
> 
>       -- sym link the website to the chroot area
> 
>       -- have the user create a private key with a good pass phrase and 
> provide you with the public key data [or you could create it for them].
> 
>       -- if possible limit remote login of the chroot user via IP 
> address, insist on them having static IP access only if possible so you 
> can restrict this properly.
> 
>       -- add user to a group that is allowed to ssh into the server and 
> set up the ssh server appropriately ... [AllowGroup in /etc/ssh/sshd_config 
> file and restart ssh daemon], don't allow ANY user to ssh without them 
> belonging to the specially created ssh user group.
> 
> With the user having their own private key and providing you with the 
> public key data for the ~/.ssh/authorized_keys file, you can give the 
> user a very long and cryptic random password that cannot be used for 
> access (no-one needs this password anyway).  You _may_ also want to 
> disallow password login via ssh as well.
> 
> Doing the above at least segregates the areas of each website and will 
> give more security than most setups around these days whilst still 
> allowing those that require access to manage their own website areas 
> (their own document root) as needed.
> 
> -- 
> Kind Regards
> AndrewM
> 
> Andrew McGlashan
> Broadband Solutions now including VoIP
> 
> Current Land Line No: 03 9912 0504
> Mobile: 04 2574 1827 Fax: 03 9012 2178
> 
> National No: 1300 85 3804
> 
> Affinity Vision Australia Pty Ltd
> http://www.affinityvision.com.au
> http://adsl2choice.net.au
> 
> In Case of Emergency --  http://www.affinityvision.com.au/ice.html
> 
> 
Thank you for all your comments. It is good inspiration.
I think I will work towards a solution with chroot'ed users with SCP
access and I will look closer at suPHP.

:-) Thanks
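The recipe quoted above (per-site chroot user, an ssh-allowed group gating logins, key-only access, per-key source-IP restriction), as an added shell example that is not code from either poster. The group name sshusers, the user www-example, the chroot path and the 203.0.113.0/24 address are constructed placeholders; create_site_user needs root, while the other two functions only generate or audit text.

```sh
#!/bin/sh
# Added example, not code from the thread. It implements the quoted recipe:
# one ssh-allowed group, one chrooted SFTP-only user per website, key-only
# login, and a per-key source-IP restriction. Names below are assumptions.
# sshd_config fragment: gate logins on the group, disable passwords, and
# chroot group members into their home with the in-process sftp server.
sshd_fragment() {                   # $1 = ssh-allowed group
  cat <<EOF
AllowGroups $1
PasswordAuthentication no
PubkeyAuthentication yes
Subsystem sftp internal-sftp
Match Group $1
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no
EOF
}

# authorized_keys entry pinned to one source address/pattern and stripped of
# pty and forwarding, so the key is only good for file transfer from there.
authorized_key_line() {             # $1 = from-pattern  $2 = public key
  printf 'from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' "$1" "$2"
}

# Audit: succeed only if the global section of an sshd_config (before any
# Match block) gates logins on a group and disables password authentication.
check_sshd_config() {               # $1 = path to sshd_config
  g=$(awk '/^[[:space:]]*Match([[:space:]]|$)/ {exit} {print}' "$1")
  printf '%s\n' "$g" | grep -Eq '^[[:space:]]*AllowGroups[[:space:]]+[^[:space:]]' || return 1
  printf '%s\n' "$g" | grep -Eq '^[[:space:]]*PasswordAuthentication[[:space:]]+no([[:space:]]|$)' || return 1
}

# Root only. sshd requires every component of ChrootDirectory to be root-owned
# and not group/world writable, so the user owns only the docroot below it.
# A symlink from inside the chroot to a path outside it does not resolve once
# chrooted, so keep (or bind-mount) the document root inside the chroot.
create_site_user() {                # $1 = group  $2 = user  $3 = chroot dir
  groupadd -f "$1"
  mkdir -p "$3" && chown root:root "$3" && chmod 755 "$3"
  useradd -M -d "$3" -s /usr/sbin/nologin -G "$1" "$2"
  mkdir -p "$3/htdocs" "$3/.ssh"
  chown "$2" "$3/htdocs" "$3/.ssh" && chmod 700 "$3/.ssh"
  passwd -l "$2"                    # locked password: key-only login
}

# e.g. (as root): create_site_user sshusers www-example /srv/chroot/www-example
#                 sshd_fragment sshusers >> /etc/ssh/sshd_config
```

Append the key with `authorized_key_line "203.0.113.0/24" "$pubkey" >> /srv/chroot/www-example/.ssh/authorized_keys`, then restart sshd after running `sshd -t` on the resulting config.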

