I saw a recommendation in an article on website security that separate websites running on a web server should be running under separate users for containment, and to limit a breach on one site leading to infection of the other sites.
I am running an Ubuntu 20.04 LAMP server with public internet exposed personal websites. They are set up as virtual hosts in Apache under /var/www/, but all are running using the standard www-data:www-data user and group. How would it work to run them under different user accounts?
Do I simply create a new user & group, then chown the /var/www/directory to be owned by that user? How would that work with allowing Apache permissions to write to the sub-dirs then for patches, uploads, etc?
Apache has it's own user and group (www-data or others according to the distribution it's runnin on). To achieve what you want, you need to create a user for each virtualhost and make sure apache can read/write file/folders owned by this new user for example putting apache group into the new user's group (or the other way around, according to how you want to handle permissions).
The logic "behind" is exactly the same you use to handle linux users and group permissions.
Related
I run in to this block many times to figure out a way to share cpanel access with another user without having to give them my cpanel admin username/password. Is there a way to create an additional cpanel users. In this case its godaddy.com but I am wondering in general as well.
That way I do not have to share my own access.
Thanks.
As far as I know there is no other way (at least at this moment). This is a cpanel feature that would be available in WHM version 64.x
You can read more details here:
https://features.cpanel.net/topic/multiple-cpanel-logins-cpanel-subusers
For every account in cpanel environment it creates just a single user to access the cpanel administration portal , you can allocate multiple user for it.
However with FTP you can grant the access to the data if needed by creating multiple FTP user account.
As you said you are using shared hosting and in shared hosting you can not create another cpanel username/password.
But, my friend you can do one thing to (that is allow some limited access) you can create ftp account as number of ftp account allowed by hosting provider.
Your user can add/update/delete file for particular assigned directory.
Thanks
Hope! this will help you
On a fresh CentOS application;
How can I create a separate user other than root, to store the
website hosting files?
How can I lock this user down to prevent malicious or bad things from happening?
How can I further protect the php file containing the DB connection strings?
What other security measures shall I take to protect a such server which is only used to server a web-app? (or two)
What other ways shall I employ for sand-boxing the web-app?
I am running Centos on a VPS and want to use Apache or Lighttpd as the web server.
Thank you.
One best practice is always to only run services you actually need on a box facing the internet. So if you only need apache and a database, run only apache and the database on that machine. Long, random passwords for maintenance user, do not allow direct root login.
Regarding the user: add a user with useradd and block shell access for that user (usermod -s, set login shell to /sbin/nologin). Usually a service account for running the web server is created after installing the web server. If you restrict permissions for that account to the web server home and logging directories, you should be fine.
Regarding protecting the database: you can create a db user account that doesn't have drop or create privileges, but as your application needs access to the database, someone acting with the privileges of your web server or application will have access to the data in the database as well.
Is there a way to set up a user group that has permissions to administrate IIS services (use the IIS plugin in MMC) without being a 'Administrator' on the box?
Unfortunately, if it's IIS6, then you need to be local admin. If it's IIS7 then things are significantly more granular. If you're planning to move to IIS7 (or currently use it) then there's a good blog post here that takes you through it.
We are using a dedicated hosting provider to host several of our public websites. There are two development teams/divisions within our company who each maintain public websites on these same servers. Is there a way through ACLs or some sort of rights management (e.g. individual logins) that I would only be able to see and maintain only my public sites and the other development team could only see and maintain their sites?
Thanks!
Chris
Sure - File ACLS is probably the way to go, if you've got access to the server.
You can set up a directory called Site1 and ACL Change rights to a local Group "LG-Site1" with the appropriate users, and directory Site2 with change rights for group "LG-Site2".
You do state that you want to only see your site, not the other site - the challenge with this is that if you are logging in to the server, you probably have admin rights, or at least rights up to the point where anything you do to lock yourself out of the Site2 directory can be reversed - either by temporarily granting your self rights or adding your self to LG-Site2. Not necessarily a show stopper, but certainly a consideration.
You can also set up FTP so that each dev team can publish to their directory, but not get in to the other.
I have a SharePoint virtual machine in one active directory domain (for example domain1) and I want to transfer all the sites it has to another active directory domain (domain2).
I don’t know which could be the best procedure to do this, if I detach and attach my virtual machine from domain1 to domain2 it probably didn’t work since all the accounts used by SharePoint are no longer valid. (Both domain are not in the same network and didn’t trust each other).
Additionally I could export the sites in domain1 and import them on domain2 using stsadm, but if I use this technique I have to manually install all the features, solutions and personalization I made on my original server.
Does anybody know the best approach to “move” the sites from one domain to another?
There is a STSADM Custom Extension: move web that should be what you are looking for:
C:>stsadm -help gl-moveweb
stsadm -o gl-moveweb
Moves a web.
Parameters:
-url
-parenturl
[-haltonwarning (only considered if moving to a new site collection)]
[-haltonfatalerror (only considered if moving to a new site collection)]
[-includeusersecurity (only considered if moving to a new site collection)]
[-retainobjectidentity (only considered if moving to a new site collection)]
You may have some sucess by adding a local account to the administrators group and joining the server to the new domain. Then manualy updateing all of the AD accounts that are used in the server. I sould note that all of your users will then have new accounts that are not related to the old ones.
You sould ask your domain admins about an SID update to the new accounts so they also have the SID's from the old domain.