HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (http://www.howtoforge.com/forums/index.php)
-   Tips/Tricks/Mods (http://www.howtoforge.com/forums/forumdisplay.php?f=29)
-   -   One SSH user for all sites (http://www.howtoforge.com/forums/showthread.php?t=46765)

PerudoIS 25th June 2010 13:59

One SSH user for all sites
 
We are using ISPConfig 3 on our servers of our webdevelopment company. We are the only user on the server, customers don't have access to their websites. Does ISPConfig 3 has an option to add a SSH user which can access all sites on the server ?

till 25th June 2010 14:05

Thats not possible as every site runs under its own Linux user. The only user that has access to all files on a server is the root user.

manarak 11th July 2010 16:34

well, I guess it is possible to manually create a user that has access to everything under var/www ?

till 11th July 2010 16:54

Quote:

well, I guess it is possible to manually create a user that has access to everything under var/www ?
No, at least not one that will work. You can create a user with root priveliges that has access to all files or use the root user. But as soon as you use the user to upload files, you will have to chown every file and folder to the owner of the web afterwards. If you dont do this, then suexec and suphp wil deny access to these files.

BorderAmigos 12th July 2010 17:37

I regularly work on my sites as root simply because I work on multiple sites at the same time. Have written some small scripts that chown the appropriate files as needed.

tuxfan 14th September 2012 20:48

We just
chown -R user:www-data web12
or whatever the directory name is. Works great.

The problem is that updates on the site in ispconfig often results in a change back to the default directory owner. The web directory usualy stays the same and its not that big a deal to repeat the action.

It would be nice removing that chown on site update - but I havent find that line in the code.

till 14th September 2012 21:33

Thats makes the sites insecure, if a site gets hacked then the hacker can damage the whole server easily and each customer has access to all other customers sites. I wont do that on a server that is connected to the internet. For a intranet or local dev system it miht be ok.

Regarding the permission updates, thats configurable under system > server config.

tuxfan 16th September 2012 12:18

That realy depends on how you do it.

Since youre not giving the group www-data write access, any php-injections and so on can not harm the system. Only "user"(in my example) has writing permisions.

We usualy dont give clients shell access - but if we would they would not be a part of the www-data group, so even if they would get out of the root-jail they would not acces the sites controled by "user". A normal ipsconfig account could coexist with such webmaster-controled accounts - and in fact the ownership can be reverted even if it has never been requested.

Of course is the webmasteraccount ("user") a weak point - I admit that. But the alternative is using the root account a lot - and that is even worse - and with proper security routines that should not be a problem.

The permisions updates - I don't find them. I guess they are under "system > server config> my.server -> Webb" - but I dont find such variable.


All times are GMT +2. The time now is 00:36.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.