New on LowEndTalk? Please Register and read our Community Rules.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.
Is giving permission for all website's folder to one user vulnerable
Hi,
I'm running PHP-FPM and almost managed to seperate directory on each website's user account which is /home/[user]/[domain]/
Now, I've chown all these directory to a sudo user for access to these application from one user instead root. Will this neutral the benefits of seperating jail accounts for each website?
Comments
yes, also with separate user, you could jail ftp login to their home directory/website
I actually mean which having a user having access to all these directories vanish benefit of seperating users per website?
If that single user is you, that might not be too bad, but it's not how I'd run it (as I'll comment later on). If this single user is going to be some client logging in, then this is a horrible idea.
If you are the only user, it's still a security issue because a compromise of one site leads to a compromise of all sites that the user owns. If you use separate users (pretty easy to do in PHP-FPM) then even without a chroot/jail, the compromise is limited to the files owned by that user.
I typically have files owned by a user that is not running the web server (e.g. not www-data) and then I grant read access to the files necessary for the user running the web server. Multiple sites are run separately and chroot'ed. This way the web server user cannot write or read any files outside their scope.
Thanks for the detailed info. The user is me of course! I cannot utilize root user for all purpose and other users will have access to their home directory. So made a sudo user and gave it access to all the user's home directory.
>
Once you have sudo access, you can run
sudo -u targetusername -ito login as the user.You don't need to give your user access to the user's home directories.
Yes , It could cause security issue. Sometimes hacker upload script using your own script and they try to change the permission of the files for further attacks.
Seems like you could use a control panel.
learning is always better, I'm using control panel on many of them but this one is experimental.
I create a new user/group for each website (login set to /bin/false) and chown the web folder to that user/group and then have a separate php-fpm pool that runs under that user/group and set openbase directories and all that. You can also lock down things further with systemd service settings.
That's exactly my configuration but I just want to create a sudo user with chown to all these directory.