WebFaction

Hi, I'm wondering if it is possible to create, on WebFaction, multiple websites under the same account, while keeping the maximum security against hacking.

For example, I just created 2 different websites, and I noticed that the SSH file owner is the same for both of them. In this way, if I grant someone access to a single website (e.g. admin privileges of a WordPress installation), he could possibly harm my server by executing a PHP script that deletes all my other websites' files.

Are there any best practices with WebFaction to avoid this kind of situation, and make each website separated from the others, so that, if one is attacked, the hacker cannot harm all the other websites on the server?

Thank you,

Gabriele

asked 14 Dec '13, 06:00

gabriele


I normally run my applications under a different user on a custom port, e.g. Python with uWSGI and PHP with its own Apache.

Apache with fastcgi for php

http://community.webfaction.com/questions/14339/installing-a-private-instance-of-the-shared-apache

uWSGI for Python

http://moinmo.in/MarcelH%C3%A4fner/Work#Hosting

Bye Marcel


answered 15 Dec '13, 04:51

marcel

Hi Marcel,

thank you very much for your answer.

Actually, before posting my question, I saw the first link you posted, but that solution seemed quite complicated to me and I was afraid of losing control of what I was doing. However, if it is the only viable solution, I will try to implement it.

Thank you again and cheers,

Gabriele

(23 Dec '13, 01:54) gabriele

Hi gabriele,

You can create additional SSH/SFTP users and then choose how much access they have. Any additional user will have their own username and password, as well as their own home directory on your server. You can grant them access to specific files, directories, and applications. These articles in our documentation have more information:

  • http://docs.webfaction.com/user-guide/access.html#additional-users
  • http://docs.webfaction.com/software/general.html#granting-access-to-specific-users

Please let us know if you have any more questions. If you run into an issue, file a support ticket via your Control Panel and we will be happy to assist you.


answered 14 Dec '13, 08:29

yulian

Hi Yulian,

thank you for your answer. I'm afraid that this solution would not fully solve my problem, since it would still be possible to harm all the websites on my server by exploiting the fact that the file owner is the same for all of them, regardless of the fact that I create different users on the webserver.

For example, I tried to upload through the WordPress theme editor a PHP file with shell commands, like "shell_exec('rm ../../other-website/other-file.php')", and unfortunately it worked perfectly!

So, as far as I understand, if a WordPress user with admin privileges is hacked, the hacker will be able to do whatever he wants to all the websites on the server.

However, I'm not an expert in web server administration, so if I said something incorrect, please tell me.

(23 Dec '13, 02:06) gabriele
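
The shared-owner problem discussed in this thread, as an added example that is not part of any post and is not WebFaction code: a small audit that reports which sites can modify each other's files, given the user each site's process runs as. The `Site` record, the UIDs 1001/1002 and the paths are constructed for illustration, and the check models only classic Unix owner/group/other bits (no ACLs).

```python
import os
import stat
from collections import namedtuple
from types import SimpleNamespace

# name: label; run_uid/run_gids: identity the site's PHP/Python process runs as;
# path: the site's document root (all hypothetical values in the samples below)
Site = namedtuple("Site", "name run_uid run_gids path")

def can_modify(uid, gids, st):
    """Can a process with this uid/gids change a directory whose stat result is st?"""
    if uid == 0 or uid == st.st_uid:
        return True  # the owner can always chmod the write bit back on
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def cross_site_writes(sites, stat_fn=os.stat):
    """Return (source, target) name pairs where code in `source` can modify `target`."""
    findings = []
    for src in sites:
        for dst in sites:
            if src is not dst and can_modify(src.run_uid, src.run_gids, stat_fn(dst.path)):
                findings.append((src.name, dst.name))
    return findings

# Constructed sample data: the same two sites under two layouts.
FAKE_FS = {
    "/shared/blog": SimpleNamespace(st_uid=1001, st_gid=1001, st_mode=0o40755),
    "/shared/shop": SimpleNamespace(st_uid=1001, st_gid=1001, st_mode=0o40755),
    "/split/blog": SimpleNamespace(st_uid=1001, st_gid=1001, st_mode=0o40750),
    "/split/shop": SimpleNamespace(st_uid=1002, st_gid=1002, st_mode=0o40750),
}
# Layout from the question: both sites run as, and are owned by, one user.
SHARED = [Site("blog", 1001, {1001}, "/shared/blog"),
          Site("shop", 1001, {1001}, "/shared/shop")]
# Layout with one user per site, each process running as its own user.
SPLIT = [Site("blog", 1001, {1001}, "/split/blog"),
         Site("shop", 1002, {1002}, "/split/shop")]

if __name__ == "__main__":
    print("same owner:", cross_site_writes(SHARED, FAKE_FS.__getitem__))
    print("separate users:", cross_site_writes(SPLIT, FAKE_FS.__getitem__))
```

Called without `stat_fn`, `cross_site_writes` uses `os.stat` on the real paths, so it can be run against actual application directories.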
question asked: 14 Dec '13, 06:00

question was seen: 3,622 times

last updated: 23 Dec '13, 02:12

                              