One SSH user for all sites

Discussion in 'Tips/Tricks/Mods' started by PerudoIS, Jun 25, 2010.

  1. PerudoIS

    PerudoIS New Member

    We are using ISPConfig 3 on our servers of our webdevelopment company. We are the only user on the server, customers don't have access to their websites. Does ISPConfig 3 has an option to add a SSH user which can access all sites on the server ?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Thats not possible as every site runs under its own Linux user. The only user that has access to all files on a server is the root user.
  3. manarak

    manarak Member

    well, I guess it is possible to manually create a user that has access to everything under var/www ?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    No, at least not one that will work. You can create a user with root priveliges that has access to all files or use the root user. But as soon as you use the user to upload files, you will have to chown every file and folder to the owner of the web afterwards. If you dont do this, then suexec and suphp wil deny access to these files.
  5. BorderAmigos

    BorderAmigos New Member

    I regularly work on my sites as root simply because I work on multiple sites at the same time. Have written some small scripts that chown the appropriate files as needed.
  6. tuxfan

    tuxfan New Member

    We just
    chown -R user:www-data web12
    or whatever the directory name is. Works great.

    The problem is that updates on the site in ispconfig often results in a change back to the default directory owner. The web directory usualy stays the same and its not that big a deal to repeat the action.

    It would be nice removing that chown on site update - but I havent find that line in the code.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Thats makes the sites insecure, if a site gets hacked then the hacker can damage the whole server easily and each customer has access to all other customers sites. I wont do that on a server that is connected to the internet. For a intranet or local dev system it miht be ok.

    Regarding the permission updates, thats configurable under system > server config.
  8. tuxfan

    tuxfan New Member

    That realy depends on how you do it.

    Since youre not giving the group www-data write access, any php-injections and so on can not harm the system. Only "user"(in my example) has writing permisions.

    We usualy dont give clients shell access - but if we would they would not be a part of the www-data group, so even if they would get out of the root-jail they would not acces the sites controled by "user". A normal ipsconfig account could coexist with such webmaster-controled accounts - and in fact the ownership can be reverted even if it has never been requested.

    Of course is the webmasteraccount ("user") a weak point - I admit that. But the alternative is using the root account a lot - and that is even worse - and with proper security routines that should not be a problem.

    The permisions updates - I don't find them. I guess they are under "system > server config> my.server -> Webb" - but I dont find such variable.
    Last edited: Sep 16, 2012
  9. tuxfan

    tuxfan New Member

    Patch for no-users option

    Im waking this old thread instead of starting a new one.

    As I wrote earlier we have no need for clients accessing the server. The whole point of the suExec/user for each account model does not apply for those like us - witch clients that owns (an get billed for, owns mail addresses and so forth) is important - but when file-ownership on the server get messed up making site-management a mess there must be another way.

    Im considering making a patch for the apache2-module making it possible to have a option of a standard user+group for all virtual webservers. When turning suExec off your group have to be www-data but the user might be the website manager account for example. Browsing the code I dont think its so complicated.
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    That should be possible, but you have to be aware of the details e.g. when you use one central user, then you have to take care that it does not get deleted when a website or ssh user gets removed.
  11. tuxfan

    tuxfan New Member

    I made a patch making an option for a standard web owner. (I placed the options at web/permissions). This is a patch for the apache2 plugin - I do not have any nginx servers. Works as far as I can tell. The operations web_folder_user, web_folder_delete and web_folder_update has not been altered - perhaprs theys should but I have not been able to generate any faults jet.

    Keeping the "user" (web1) and "group" (client1) in the database seem to bee the only way to keep the client/site hierarachy working - i change the user/group in the plugin instead. This makes the Website->Options saying Linus user web1 and Linux Group client1. In this case those are more of designators.

    Any feedbacks or testing would be appreciated

    Attached Files:

    till likes this.
  12. tuxfan

    tuxfan New Member

    Made a new version. Now the user+group is in the database. That resulted in some errors that I disposed of by setting the test of the username to false in the server_config.tform.php - a test of a uneditable value didn´t seem that important. Then the Linus user and Linus Group is correct. This should also make updates more stable.

    Attached Files:

  13. tuxfan

    tuxfan New Member

    Im continue on the in database solution. Now I have added support for cron jobs (the cron jobs for sites with standar-user belongs to the standard-user) and a block for creation of ssh-users (in the interface the vhosts on servers with the fixed-owner: on are omited from the list of sites to chose from).

    Attached Files:

Share This Page