add "client" in ISPconfig can increase security?

Discussion in 'Installation/Configuration' started by skysky, Nov 14, 2020.

  1. skysky

    skysky Member

    I am the only one using the ISPconfig to manage server and websites (many).
    I wonder if adding "client" in ISPconfig can increase security for poor written or out-dated php scripts website ? or it is same to put all websites under the default client0 ?
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I would create a client for every use that is distinct from other "clients", whether they are paying clients or just a group or project or similar. That way the separate entities are distictinct in ISPConfig, and you can for example give the client login password for someone else if they want to maintain their stuff themselves.
    ahrasis likes this.
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Each website you create will have it's own user, but they will all end up in the "client0" group as you mention. To my knowledge there is nothing special about the client0 group, but it does allow more cross-site permissions that being in different groups. I have seen different permissions at different places/times, but checking a 3.2 box here, having group membership would allow you a lot of read and some write access in directories of another website, if allowed to operate outside the website root - ie. not using jailkit chroot.

    So - use jailkit, and don't allow any non-jailkit shell users or cronjobs, and run php-fpm in chroot mode. And don't run non-php sites like python, perl, etc. ;)

    On that note, there is a security benefit in putting all your sites under a client and operate as that client rather than your admin account, which is you can configure limits on the client that your admin account won't have. Like restricting shell users to only jailkit, etc. - when you operate as admin you could unintentionally eg. create a cronjob that operates outside the site chroot, whereas a properly configured client could not.

    The other option to fix the group access is to create a separate client for every website, so each gets their own group id as well - not very friendly, though if you could automate it, it could be doable. You would probably want to use the new 3.2 feature to disable the "client protection" mode, in case you accidentally opened something as the admin user and saved it, you won't have to go dig through db settings to change the permissions back where the client can manage things.
    ahrasis likes this.

Share This Page