In general, when should one create a new user account to run a piece of internet-facing software on a server?

For instance, suppose I'm using a shared Debian server (e.g. via Dreamhost) and I want to run some websites using WordPress, some using Redmine, some using Ruby on Rails, maybe some using Django, and I'd like to serve Mercurial repositories too.

On Dreamhost servers and many other similarly set-up servers, this could all be done under a single user account, but I can see some drawbacks to that approach:

If that one account becomes compromised, so do all the sites running under it.

On the other hand, having lots of user accounts could become a bit of a pain to keep track of, especially if some of them have identical requirements in terms of installed software. For instance, having one account for each website running WordPress might be overkill.

What's the best practice? Is it simply a question of reducing the number of hosted sites (or hosted repositories, etc) per user account proportionately to one's level of paranoia?

Please post your opinions on this, giving your reasons for them.

Also, if you have any reasons for thinking that the approach taken on a private server or VPS should differ from the approach taken on a shared server, please outline what they are and, again, your reasons for them.

I am generally a fan of "One user for anything that opens listening socket on the network" - One for Apache, one for Mail, one for DNS, etc.

This is (as last I heard) still Best Current Practice, and the reason behind this is plain and simple paranoia: These services are exposed to the Big Bad Internet, if someone finds a vulnerability and exploits it before I have a chance to patch the software at least I'm confining them to one user account, with only the privileges required to run the single service it's responsible for.

Generally speaking I consider this level of isolation to be sufficient to protect the system, though each application is an island of vulnerability (for example if someone installs a vulnerable WordPress plugin all the things Apache has access to (i.e.
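
The "one user per listening socket" rule from the answer can be checked on a Linux host. The following is an added example, not part of the original thread: it parses text in `/proc/net/tcp` format, groups listening ports by owning UID, and flags accounts that own several services or listen as root. The sample rows and the `same_service` grouping of ports 80 and 443 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in /proc/net/tcp format (not data from the thread).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1001 1
   1: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1002 1
   2: 00000000:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 1003 1
   3: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 1004 1
   4: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1005 1
   5: 0A000002:0050 0A000063:C350 01 00000000:00000000 00:00000000 00000000    33        0 1006 1
"""

TCP_LISTEN = "0A"  # value of the "st" column for a socket in LISTEN state


def listeners_by_uid(proc_net_tcp):
    """Map each UID to the set of TCP ports it is listening on."""
    owners = defaultdict(set)
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue  # malformed row, or a socket that is not listening
        port = int(fields[1].rsplit(":", 1)[1], 16)  # address is HEXIP:HEXPORT
        owners[int(fields[7])].add(port)  # column 8 is the owning UID
    return dict(owners)


def review(owners, same_service=({80, 443},)):
    """Return (uid, ports, reason) for accounts that break the isolation rule.

    same_service is an assumption: port sets that belong to one service
    (HTTP and HTTPS on one web server) and so may share an account.
    """
    findings = []
    for uid, ports in sorted(owners.items()):
        if uid == 0:
            findings.append((uid, sorted(ports), "listening as root"))
        elif len(ports) > 1 and not any(ports <= g for g in same_service):
            findings.append((uid, sorted(ports), "one account owns several services"))
    return findings


if __name__ == "__main__":
    for finding in review(listeners_by_uid(SAMPLE_PROC_NET_TCP)):
        print(finding)
```

On a real host, pass the contents of `/proc/net/tcp` instead of the sample and extend `same_service` to match the services actually deployed.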