LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (https://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Why can't a Linux web server have only one user? (https://www.linuxquestions.org/questions/linux-newbie-8/why-can%27t-a-linux-web-server-have-only-one-user-308048/)

veeruk101 03-30-2005 10:35 PM
Why can't a Linux web server have only one user?
 
Hello,

Let's say I'm learning Linux to try to administer a web server for a website...why can my Linux system not have just one user (me) in addition to the root superuser, which would solve so many security problems, wouldn't it?

Members of the website would not have actual accounts on the Linux server and their own directories under /home, but instead their 'accounts' would just be managed through PHP and they would have directories under htdocs/ in Apache.

Perhaps as a newbie I am highly uninformed and naive, but why don't other small-to-medium scale websites use a similar approach? Wouldn't this save so much security hassle, and keep things like permissions and everything so neat, tidy, simple, and secure?

I'm very eager to know! Thanks!

btmiller 03-30-2005 10:48 PM
Think about it a minute ... suppose there are only two users on the system. Therefore, when anything at all runs, it runs with either your privileges or root's. What I'm getting at is that user accounts are a way to partition people/services off from one another. It doesn't always work so great, which is why there are enhanced security products like SELinux or GRSecurity. But the principle is sound, partition off priviliges. Think of it another way: Suppose many processes are running as user "tim" (hey, that's me). Suppose one of them has a hole in it.. Well then all of them can be easily compromised, since "tim" controls them all. This becomes the case when you are a web host with many customers. All of them can write PHP scripts. All those scripts run as apache ... see the problem? This is why I run PHP as a CGI with suexec so that PHP scripts run as the individual user, not the Web server.

However, you're not totally on the wrong track, though. Many Web content management systems do allow you to create users within their system and edit various parts of your Web site maintained by the CMS. But this is not terribly flexible if you want/need to give everyone complete control over their own little chunk of the server.

veeruk101 03-30-2005 11:12 PM
Thanks for the response.

So what about creating a user for each process that you know you will be running as a Linux web server. You, the web admin, would still be the only one who can log into each one, and each user is really just a different 'you' on the system to prevent the vulnerability you described above.

I guess my question from before could be better stated as the following: Can you run a fully-functional, effective Linux web server with every user on the system being only root or you?

Thanks.

selfxplanatory 03-31-2005 02:39 AM
No, you can not.

Certain services and applications that are installed on your computer, by architecture of the code, are associated with a certain user account. Most of the time these user accounts have little to no rights at all over anything except the folders and files that are needed for that program to run. Since everything has an owner, it seems right to create a user that has the rights over the files it uses. So, for one program, I can create user1... he has control over all the files needed for this service and possibly NO rights for anything else. That's good enough security for most. If you, root, have control over all of these things solo, that is a receipe for disaster. The great thing about rights of these "built-in" user accounts is the limitation of scope and so they can NEVER screw up something else that they're not supposed to. With all the processes running, there is no way that you could ever see and control them all at the same time incase anything were to go wrong.

"everything has its owner, and they all own something" is a nice quote someone gave me once, even if something is "nothing" lol

try this...

cat /etc/passwd

this might give you an understanding on how all of these services need their own account.

Analogy:

a butcher prepares raw food.
a cook prepares the meal.
a baker prepares the dessert.

they all have their own function, and their own workspace, the shop, the stove, and the oven.
they know their areas and limitations very well and do their job very well.
but if you fired them all and tried to do all of it yourself before your banquet... you'd be S.O.L. my friend while you burn one hand, some farm animal is bitin off the other... ok, so that's a little off topic but you get the point

(why do I feel hungry now.... ^_^ )

bulliver 03-31-2005 03:03 AM
Thanks for that selfxplanatory,
very well put.


All times are GMT -5. The time now is 06:01 AM.