Download your favorite Linux distribution at LQ ISO.
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 03-30-2005, 10:35 PM   #1
Registered: Mar 2005
Distribution: Ubuntu 12.04 LTS
Posts: 249

Rep: Reputation: 16
Why can't a Linux web server have only one user?


Let's say I'm learning Linux to try to administer a web server for a website...why can my Linux system not have just one user (me) in addition to the root superuser, which would solve so many security problems, wouldn't it?

Members of the website would not have actual accounts on the Linux server and their own directories under /home, but instead their 'accounts' would just be managed through PHP and they would have directories under htdocs/ in Apache.

Perhaps as a newbie I am highly uninformed and naive, but why don't other small-to-medium scale websites use a similar approach? Wouldn't this save so much security hassle, and keep things like permissions and everything so neat, tidy, simple, and secure?

I'm very eager to know! Thanks!
Old 03-30-2005, 10:48 PM   #2
Senior Member
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,284

Rep: Reputation: 371Reputation: 371Reputation: 371Reputation: 371
Think about it a minute ... suppose there are only two users on the system. Therefore, when anything at all runs, it runs with either your privileges or root's. What I'm getting at is that user accounts are a way to partition people/services off from one another. It doesn't always work so great, which is why there are enhanced security products like SELinux or GRSecurity. But the principle is sound, partition off priviliges. Think of it another way: Suppose many processes are running as user "tim" (hey, that's me). Suppose one of them has a hole in it.. Well then all of them can be easily compromised, since "tim" controls them all. This becomes the case when you are a web host with many customers. All of them can write PHP scripts. All those scripts run as apache ... see the problem? This is why I run PHP as a CGI with suexec so that PHP scripts run as the individual user, not the Web server.

However, you're not totally on the wrong track, though. Many Web content management systems do allow you to create users within their system and edit various parts of your Web site maintained by the CMS. But this is not terribly flexible if you want/need to give everyone complete control over their own little chunk of the server.
Old 03-30-2005, 11:12 PM   #3
Registered: Mar 2005
Distribution: Ubuntu 12.04 LTS
Posts: 249

Original Poster
Rep: Reputation: 16
Thanks for the response.

So what about creating a user for each process that you know you will be running as a Linux web server. You, the web admin, would still be the only one who can log into each one, and each user is really just a different 'you' on the system to prevent the vulnerability you described above.

I guess my question from before could be better stated as the following: Can you run a fully-functional, effective Linux web server with every user on the system being only root or you?

Old 03-31-2005, 02:39 AM   #4
LQ Newbie
Registered: Mar 2005
Posts: 7

Rep: Reputation: 0
No, you can not.

Certain services and applications that are installed on your computer, by architecture of the code, are associated with a certain user account. Most of the time these user accounts have little to no rights at all over anything except the folders and files that are needed for that program to run. Since everything has an owner, it seems right to create a user that has the rights over the files it uses. So, for one program, I can create user1... he has control over all the files needed for this service and possibly NO rights for anything else. That's good enough security for most. If you, root, have control over all of these things solo, that is a receipe for disaster. The great thing about rights of these "built-in" user accounts is the limitation of scope and so they can NEVER screw up something else that they're not supposed to. With all the processes running, there is no way that you could ever see and control them all at the same time incase anything were to go wrong.

"everything has its owner, and they all own something" is a nice quote someone gave me once, even if something is "nothing" lol

try this...

cat /etc/passwd

this might give you an understanding on how all of these services need their own account.


a butcher prepares raw food.
a cook prepares the meal.
a baker prepares the dessert.

they all have their own function, and their own workspace, the shop, the stove, and the oven.
they know their areas and limitations very well and do their job very well.
but if you fired them all and tried to do all of it yourself before your banquet... you'd be S.O.L. my friend while you burn one hand, some farm animal is bitin off the other... ok, so that's a little off topic but you get the point

(why do I feel hungry now.... ^_^ )

Last edited by selfxplanatory; 03-31-2005 at 02:42 AM.
Old 03-31-2005, 03:03 AM   #5
Senior Member
Registered: Nov 2002
Location: Edmonton AB, Canada
Distribution: Gentoo x86_64; Gentoo PPC; FreeBSD; OS X 10.9.4
Posts: 3,760
Blog Entries: 4

Rep: Reputation: 78
Thanks for that selfxplanatory,
very well put.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Multi-user web server problem frgtn Linux - Security 15 04-13-2005 09:58 AM
can we configure a Linux server with mail server,file server and web server kumarx Linux - Newbie 5 09-09-2004 06:21 AM
Web Server to able to Access by Authorise User. Kitara Red Hat 0 06-04-2004 01:52 PM
Setup a linux server, DNS, WEB, FTP, and Mail Server Help watermelon_lee Linux - Networking 1 08-26-2003 03:09 AM
Can't access Linux web server web pages from LAN client jaydave Linux - Networking 4 03-16-2003 02:38 AM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 07:01 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration