Why create separate accounts for each website?
Some guides advocate creating separate user accounts for each web site you host, and then having the docroot under the individual home directory. Others place all sites under /srv/www or /var/www.
I can understand why separate accounts are obviously necessary if you are working with clients and they need to login, but in my case, I am the only person that ever logs in. Is there any reason to consider the separate account strategy? Is there any security advantage to consider? What am I missing?
I'd love to hear from anyone! Cheers.
6 Replies
@tacitus:
If I am managing 50 web sites, then there is no way I am going to be able to remember 50 logins and passwords
Get them tattooed on your wrist? Honestly I have trouble with just two separate accounts sometimes, but that's why I maintain the highest level of security everywhere else I possibly can.
When it comes down to sites to users, I usually use a group by statement; personal sites are all under one account, my development sites under another, and anything that reaches a certain amount of exposure gets its own.
@tacitus:
Separate accounts are only practical up to a certain point. If I am managing 50 web sites, then there is no way I am going to be able to remember 50 logins and passwords, thus I will become dependent on either a password manager or a common login/password (or a scheme that could be figured out), both of which have their risks.
…Or you just copy your public ssh key to each of those accounts. That way you can use the same password for every account while maintaining proper user permissions. Not to mention the added benefit that brute force password attacks would become impossible.
@Benio - also keep in mind even if your websites are divided into separate accounts, you only get full web security if the webserver is executing those sites as that user. So research mpm_itk, apparmor, fastcgi, php-fpm, etc.
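As an added example (not code from any poster in this thread), a POSIX shell script for the scheme the two replies above describe: one Unix account per site, the same public key copied into each account, and a php-fpm pool so the web server executes each site as its own user, plus an audit that catches pools still running as the shared server user. It assumes php-fpm reads pools from /etc/php/fpm/pool.d and that the web server runs as www-data; the key string is a constructed placeholder.

```shell
# Added example, not from this thread: give each site its own Unix account
# and make php-fpm execute that site as that user (the point raised above).
# Assumes php-fpm pools live in /etc/php/fpm/pool.d and the web server runs as
# www-data. PREFIX=<dir> only writes files there (dry run, no root needed);
# PREFIX= (empty) as root also runs useradd/chown for real.
set -eu

# provision_site NAME PUBKEY: dedicated user, docroot in its home, the one
# shared public key in authorized_keys, and a php-fpm pool bound to that user.
provision_site() {
    name="$1"; pubkey="$2"; home="$PREFIX/home/$name"
    [ -n "$PREFIX" ] || useradd --create-home --shell /bin/sh "$name"
    mkdir -p "$home/public_html" "$home/.ssh" "$PREFIX/etc/php/fpm/pool.d"
    printf '%s\n' "$pubkey" > "$home/.ssh/authorized_keys"
    chmod 700 "$home/.ssh"; chmod 600 "$home/.ssh/authorized_keys"
    chmod 750 "$home"     # other site accounts cannot read this site's files
    [ -n "$PREFIX" ] || chown -R "$name:$name" "$home"
    cat > "$PREFIX/etc/php/fpm/pool.d/$name.conf" <<EOF
[$name]
user = $name
group = $name
listen = /run/php-fpm-$name.sock
listen.owner = www-data
listen.group = www-data
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = /home/$name/public_html:/tmp
EOF
}

# audit_pools: every pool must run as its own site user, never www-data or
# root; separate accounts buy no isolation otherwise. Names offenders, returns 1.
audit_pools() {
    rc=0
    for conf in "$PREFIX"/etc/php/fpm/pool.d/*.conf; do
        site=$(basename "$conf" .conf)
        user=$(sed -n 's/^user *= *//p' "$conf")
        if [ "$user" != "$site" ]; then
            echo "$site: runs as '${user:-unset}', expected '$site'" >&2
            rc=1
        fi
    done
    return $rc
}

# Dry run into a temporary tree unless PREFIX was given; key is a placeholder.
PREFIX="${PREFIX-$(mktemp -d)}"
provision_site alpha "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderNotARealKey admin@laptop"
audit_pools
```

Run as root with PREFIX= (empty) for a real install; without PREFIX it only writes the files into a temporary directory so the generated pool can be inspected first.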
Firstly it saves profiles to files which can store passwords as well as ssh keys.
It has a built in sftp program meaning you don't have to mess with different programs.
It supports ftp bridging, meaning programs that use ftp, can just upload to localhost:21 and that will be mapped to the current ssh connection.
And for minor maintenance there is also su….