
I have a VPS and I'm trying to gather the best practices in terms of user setup for web services.

I have different services in my server (a cloud app, a streaming app, etc).

What I do know is that I create a user for each service, each one having its own home directory, but it is not possible to log in with it.

That allows me to set up cron command per user, instead of running them as root. It also allows me to do backup per service and have it stored in its own home directory (I know... I should not have my backups on the same disk, even on the same server, but I don't have the resources to buy another server to put my backups on).

Minus the backup thing, is it a good idea to create a new user for each service? Or should I put everything under www-data and that's it?

  • It is a good thing and if it is that easy, go for it. The reason why it is seldom used for bare servers is because it depends on the Runtime User of the Webserver process (like `www`), so not all technologies allow it (requires fcgi-per-app or sudoexec-per-vhost modules) – eckes Mar 18 '18 at 17:10

1 Answer


The main advantage in using separate accounts is the ability to limit access to the data of other services. That may mean read access on sensitive data, or write access in order to limit the consequences if one app gets compromised.

Separating the user accounts alone may not be enough if you are running all PHP scripts with the privileges of user www-data. You can avoid this by creating a separate PHP-FPM pool for each user, having the privileges of that user alone.

  • Thanks for the answer, that's what I thought too. I have created pools but not systematically. I'm wondering if the number of pools has an impact on performance. – Creak Mar 18 '18 at 16:59
  • Compared to the former solution of using suphp and running every script as a new process the PHP-FPM pools are very efficient. By adjusting the pool parameters you also have ultimate power in prioritizing apps over one another. – Esa Jokinen Mar 18 '18 at 17:04
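As an added illustration of the per-user pool the answer recommends (not part of the original thread), here is a PHP-FPM pool file for one of the services from the question. The service name `cloudapp`, the PHP version in the path, the `/home/cloudapp/...` layout and nginx running as `www-data` are all assumptions for the example.

```ini
; /etc/php/8.2/fpm/pool.d/cloudapp.conf   (path and PHP version assumed)
;
; The stock pool that every app shares looks like this, which is exactly
; the situation the answer warns about (one compromised app can read and
; write every other app's files):
;   [www]
;   user = www-data
;   group = www-data
;
; Per-service pool: workers run as the service's own nologin account, so
; they can only touch what that account owns.
[cloudapp]
user = cloudapp
group = cloudapp

; One Unix socket per pool. Only the web server (assumed: nginx as
; www-data) may connect to it; other local users cannot reach the socket.
listen = /run/php/php-fpm-cloudapp.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660

; Keep the pool small so one service cannot starve the others; these are
; the knobs the second comment refers to when prioritizing apps.
pm = dynamic
pm.max_children = 8
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 4

; Confine PHP itself to the service's own tree (assumed layout under
; /home/cloudapp); php_admin_value cannot be overridden by the app.
php_admin_value[open_basedir] = /home/cloudapp/www:/tmp
php_admin_value[upload_tmp_dir] = /home/cloudapp/tmp
php_admin_value[session.save_path] = /home/cloudapp/sessions
php_admin_flag[log_errors] = on
php_admin_value[error_log] = /home/cloudapp/log/php-error.log
```

The matching nginx vhost points its `fastcgi_pass` at `unix:/run/php/php-fpm-cloudapp.sock` and nothing else; after reloading php-fpm, `ps -o user,cmd -C php-fpm8.2` should show the pool's worker processes running as `cloudapp` rather than `www-data`.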