Hi,

Lars Nielsen wrote:
I am running my own server with lenny, apache and php. Now I have
several websites that only I am going to update. Is it fine to run
those under the same userlogin and use virtualhosts or should I create a
separate user for each website?
Is it possible to maintain a secure server using a single user with
several websites?

Most of that which is below is probably irrelevant if only you are going to manage each website's files, but if you want different people to be responsible for _their_ own website, then I suggest doing as follows:

-- create a chroot user area for each website

-- symlink the website to the chroot area

-- have the user create a private key with a good pass phrase and provide you with the public key data [or you could create it for them].

-- if possible limit remote login of the chroot user via IP address, insist on them having static IP access only if possible so you can restrict this properly.

-- add user to a group that is allowed to ssh into the server and setup ssh server appropriately ... [AllowGroup in /etc/ssh/sshd_config file and restart ssh daemon], don't allow ANY user to ssh without them belonging to the specially created ssh user group.

With the user having their own private key and providing you with the public key data for the ~/.ssh/authorized_keys file, you can give the user a very long and cryptic random password that cannot be used for access (no-one needs this password anyway). You _may_ also want to disallow password login via ssh as well.

Doing the above at least segregates the areas of each website and will give more security than most setups around these days whilst still allowing those that require access to manage their own website areas (their own document root) as needed.

--
Kind Regards
AndrewM

Andrew McGlashan
Broadband Solutions now including VoIP

Current Land Line No: 03 9912 0504
Mobile: 04 2574 1827 Fax: 03 9012 2178

National No: 1300 85 3804

Affinity Vision Australia Pty Ltd
http://www.affinityvision.com.au
http://adsl2choice.net.au

In Case of Emergency --  http://www.affinityvision.com.au/ice.html
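
An added example, not part of the message above: a small Python audit that checks an sshd_config and an authorized_keys file against the steps listed in the reply. The sshd_config directive is spelled AllowGroups; the group names, the chroot path, the key material and the use of sshd's ChrootDirectory for the chroot area are assumptions.

```python
import re

# Constructed sshd_config; group names and chroot path are assumptions.
SSHD_CONFIG = """\
AllowGroups sshusers
PasswordAuthentication no
Match Group webchroot
    ChrootDirectory /srv/chroot/%u
"""
# Constructed authorized_keys: first key pinned to a static IP, second is not.
AUTHORIZED_KEYS = """\
from="203.0.113.10" ssh-ed25519 AAAAC3Nza...constructed alice@example
ssh-ed25519 AAAAC3Nza...constructed bob@example
"""

def parse_sshd_config(text):
    """Return (global_opts, match_blocks); sshd keeps the first value per keyword."""
    global_opts, blocks, current = {}, [], None
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":  # every later keyword is conditional on this block
            current = {"match": value}
            blocks.append(current)
        else:
            (global_opts if current is None else current).setdefault(key, value)
    return global_opts, blocks

def audit_sshd(text):
    """List the ssh-related steps from the post that this config does not implement."""
    opts, blocks = parse_sshd_config(text)
    findings = []
    if "allowgroups" not in opts:
        findings.append("no global AllowGroups: ssh is not limited to one group")
    if opts.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password login over ssh is still enabled")
    if not any("chrootdirectory" in scope for scope in [opts, *blocks]):
        findings.append("no ChrootDirectory: website users are not confined")
    return findings

def unpinned_keys(text):
    """Return the last field (the comment) of each key with no from="..." option."""
    result = []
    for line in text.splitlines():
        first_field = re.match(r'(?:[^\s"]|"[^"]*")*', line.strip()).group(0)
        if first_field and not first_field.startswith("#") and not re.search(r'(?:^|,)from="', first_field):
            result.append(line.split()[-1])
    return result
```

With this layout the website accounts have to belong to both groups, and sshd requires the ChrootDirectory path to be owned by root and not writable by the user.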

