HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials (
-   Tips/Tricks/Mods (
-   -   One SSH user for all sites (

PerudoIS 25th June 2010 14:59

One SSH user for all sites
We are using ISPConfig 3 on our servers of our webdevelopment company. We are the only user on the server, customers don't have access to their websites. Does ISPConfig 3 has an option to add a SSH user which can access all sites on the server ?

till 25th June 2010 15:05

Thats not possible as every site runs under its own Linux user. The only user that has access to all files on a server is the root user.

manarak 11th July 2010 17:34

well, I guess it is possible to manually create a user that has access to everything under var/www ?

till 11th July 2010 17:54


well, I guess it is possible to manually create a user that has access to everything under var/www ?
No, at least not one that will work. You can create a user with root priveliges that has access to all files or use the root user. But as soon as you use the user to upload files, you will have to chown every file and folder to the owner of the web afterwards. If you dont do this, then suexec and suphp wil deny access to these files.

BorderAmigos 12th July 2010 18:37

I regularly work on my sites as root simply because I work on multiple sites at the same time. Have written some small scripts that chown the appropriate files as needed.

tuxfan 14th September 2012 21:48

We just
chown -R user:www-data web12
or whatever the directory name is. Works great.

The problem is that updates on the site in ispconfig often results in a change back to the default directory owner. The web directory usualy stays the same and its not that big a deal to repeat the action.

It would be nice removing that chown on site update - but I havent find that line in the code.

till 14th September 2012 22:33

Thats makes the sites insecure, if a site gets hacked then the hacker can damage the whole server easily and each customer has access to all other customers sites. I wont do that on a server that is connected to the internet. For a intranet or local dev system it miht be ok.

Regarding the permission updates, thats configurable under system > server config.

tuxfan 16th September 2012 13:18

That realy depends on how you do it.

Since youre not giving the group www-data write access, any php-injections and so on can not harm the system. Only "user"(in my example) has writing permisions.

We usualy dont give clients shell access - but if we would they would not be a part of the www-data group, so even if they would get out of the root-jail they would not acces the sites controled by "user". A normal ipsconfig account could coexist with such webmaster-controled accounts - and in fact the ownership can be reverted even if it has never been requested.

Of course is the webmasteraccount ("user") a weak point - I admit that. But the alternative is using the root account a lot - and that is even worse - and with proper security routines that should not be a problem.

The permisions updates - I don't find them. I guess they are under "system > server config> my.server -> Webb" - but I dont find such variable.

tuxfan 11th December 2014 12:06

Patch for no-users option
Im waking this old thread instead of starting a new one.

As I wrote earlier we have no need for clients accessing the server. The whole point of the suExec/user for each account model does not apply for those like us - witch clients that owns (an get billed for, owns mail addresses and so forth) is important - but when file-ownership on the server get messed up making site-management a mess there must be another way.

Im considering making a patch for the apache2-module making it possible to have a option of a standard user+group for all virtual webservers. When turning suExec off your group have to be www-data but the user might be the website manager account for example. Browsing the code I dont think its so complicated.

till 11th December 2014 12:29

That should be possible, but you have to be aware of the details e.g. when you use one central user, then you have to take care that it does not get deleted when a website or ssh user gets removed.

All times are GMT +2. The time now is 15:08.

Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2014, vBulletin Solutions, Inc.