LinuxQuestions.org
Latest LQ Deal: Complete CCNA, CCNP & Red Hat Certification Training Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 03-30-2005, 11:35 PM   #1
veeruk101
Member
 
Registered: Mar 2005
Distribution: Ubuntu 12.04 LTS
Posts: 249

Rep: Reputation: 16
Why can't a Linux web server have only one user?


Hello,

Let's say I'm learning Linux to try to administer a web server for a website...why can my Linux system not have just one user (me) in addition to the root superuser, which would solve so many security problems, wouldn't it?

Members of the website would not have actual accounts on the Linux server and their own directories under /home, but instead their 'accounts' would just be managed through PHP and they would have directories under htdocs/ in Apache.

Perhaps as a newbie I am highly uninformed and naive, but why don't other small-to-medium scale websites use a similar approach? Wouldn't this save so much security hassle, and keep things like permissions and everything so neat, tidy, simple, and secure?

I'm very eager to know! Thanks!
 
Old 03-30-2005, 11:48 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370Reputation: 370Reputation: 370Reputation: 370
Think about it a minute ... suppose there are only two users on the system. Therefore, when anything at all runs, it runs with either your privileges or root's. What I'm getting at is that user accounts are a way to partition people/services off from one another. It doesn't always work so great, which is why there are enhanced security products like SELinux or GRSecurity. But the principle is sound, partition off priviliges. Think of it another way: Suppose many processes are running as user "tim" (hey, that's me). Suppose one of them has a hole in it.. Well then all of them can be easily compromised, since "tim" controls them all. This becomes the case when you are a web host with many customers. All of them can write PHP scripts. All those scripts run as apache ... see the problem? This is why I run PHP as a CGI with suexec so that PHP scripts run as the individual user, not the Web server.

However, you're not totally on the wrong track, though. Many Web content management systems do allow you to create users within their system and edit various parts of your Web site maintained by the CMS. But this is not terribly flexible if you want/need to give everyone complete control over their own little chunk of the server.
 
Old 03-31-2005, 12:12 AM   #3
veeruk101
Member
 
Registered: Mar 2005
Distribution: Ubuntu 12.04 LTS
Posts: 249

Original Poster
Rep: Reputation: 16
Thanks for the response.

So what about creating a user for each process that you know you will be running as a Linux web server. You, the web admin, would still be the only one who can log into each one, and each user is really just a different 'you' on the system to prevent the vulnerability you described above.

I guess my question from before could be better stated as the following: Can you run a fully-functional, effective Linux web server with every user on the system being only root or you?

Thanks.
 
Old 03-31-2005, 03:39 AM   #4
selfxplanatory
LQ Newbie
 
Registered: Mar 2005
Posts: 7

Rep: Reputation: 0
No, you can not.

Certain services and applications that are installed on your computer, by architecture of the code, are associated with a certain user account. Most of the time these user accounts have little to no rights at all over anything except the folders and files that are needed for that program to run. Since everything has an owner, it seems right to create a user that has the rights over the files it uses. So, for one program, I can create user1... he has control over all the files needed for this service and possibly NO rights for anything else. That's good enough security for most. If you, root, have control over all of these things solo, that is a receipe for disaster. The great thing about rights of these "built-in" user accounts is the limitation of scope and so they can NEVER screw up something else that they're not supposed to. With all the processes running, there is no way that you could ever see and control them all at the same time incase anything were to go wrong.

"everything has its owner, and they all own something" is a nice quote someone gave me once, even if something is "nothing" lol

try this...

cat /etc/passwd

this might give you an understanding on how all of these services need their own account.

Analogy:

a butcher prepares raw food.
a cook prepares the meal.
a baker prepares the dessert.

they all have their own function, and their own workspace, the shop, the stove, and the oven.
they know their areas and limitations very well and do their job very well.
but if you fired them all and tried to do all of it yourself before your banquet... you'd be S.O.L. my friend while you burn one hand, some farm animal is bitin off the other... ok, so that's a little off topic but you get the point

(why do I feel hungry now.... ^_^ )

Last edited by selfxplanatory; 03-31-2005 at 03:42 AM.
 
Old 03-31-2005, 04:03 AM   #5
bulliver
Senior Member
 
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
Thanks for that selfxplanatory,
very well put.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Multi-user web server problem frgtn Linux - Security 15 04-13-2005 10:58 AM
can we configure a Linux server with mail server,file server and web server kumarx Linux - Newbie 5 09-09-2004 07:21 AM
Web Server to able to Access by Authorise User. Kitara Red Hat 0 06-04-2004 02:52 PM
Setup a linux server, DNS, WEB, FTP, and Mail Server Help watermelon_lee Linux - Networking 1 08-26-2003 04:09 AM
Can't access Linux web server web pages from LAN client jaydave Linux - Networking 4 03-16-2003 03:38 AM


All times are GMT -5. The time now is 11:09 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration