Separate Users Are Good

When you create a new domain on DreamHost, you can choose to make a ‘new’ user to ‘own’ the site, or use an existing one. There are pros and cons to both, but for anyone who comes from the cPanel world (where separate accounts are de rigueur), it’s pretty normal to expect your separate site to have a separate login name and password.

Explaining how all this works on DreamHost is a little different, because we have users and then we have users and … well let me explain.

There’s more than one kind of user

The first type of ‘user’ you have at DreamHost is your panel user. This user is the one you make when you sign up, and it’s usually your email. Don’t share this password with anyone, okay?

Next we have your ‘users’ which you can find in your panel. Those users are the ones who have access to things like ‘shell’ and ‘sftp’ and so on.

Then there are also those ‘other’ users you think of, like the login accounts on your blog, or your email, or maybe even the billing account for DreamHost.

When I talk about separate users, I’m only talking about the ones who have access to shell and stuff.

Users own sites

Those user accounts own sites. That means I have a specific user who ‘owns’ the folder on the server where all my web code lives. And you can see it’s that user because there it is, in the path: /home/USERID/domain.com/

Only one user can own, and access, a domain. However a user can own multiple domains.

So here’s what this looks like. One user owning multiple domains:

(Image: one user, multiple domains)

And only one user can access the domain, user two cannot:

(Image: User 2 has no access)

This is cool because if there’s a domain under User 2, and it gets hacked, there’s no way for User 1 to get hacked, even if both users are you! 1

Logical User/Domain Groups

If you own 50 domains (and I’ve seen users with 200!), having them all owned by one user sure seems easier, but it means if that user gets hacked, they’re all vulnerable, and you’ll probably end up having to de-hack 50 domains at the same time. Instead, it’s wiser to group your domains ‘logically.’ For example, my elftest.net domains have subdomains, all of which are owned by the same user. However my other top-level domains are each owned by their own user. But that doesn’t work for everyone.
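As an added example (not part of the original post, and not DreamHost tooling), here is a POSIX shell script that audits one domain directory in the /home/USERID/domain.com/ layout described above. It flags anything under the domain that is not owned by the user the domain runs under, and anything writable by users other than the owner, since a group- or world-writable directory is the easy way for a hack under User 2 to reach User 1 even when the domains are split up correctly. The user names, the constructed uid 4242424, and the temp-directory tree it builds are all demo assumptions; on a real host you would point it at the real directory.

```shell
#!/bin/sh
# Added example; not code from the original post or from DreamHost.
# Audits one domain directory in the /home/USERID/domain.com/ layout for:
#   1. files not owned by the user the domain runs under
#   2. files or directories writable by users other than the owner
#      (group-writable or world-writable permission bits)
# USER may be a login name or a numeric uid. The demo below uses numeric uids
# and a temp directory so it runs without root and without real accounts.

# audit_domain USER DIR: print one finding per line; prints nothing if clean.
audit_domain() {
    user=$1
    dir=$2
    if [ ! -d "$dir" ]; then
        printf 'missing: %s\n' "$dir"
        return 0
    fi
    # Anything under the domain not owned by its user.
    find "$dir" ! -user "$user" -print | sed 's/^/wrong-owner: /'
    # -perm -020 = group-writable bit set, -perm -002 = world-writable bit set.
    find "$dir" \( -perm -020 -o -perm -002 \) -print | sed 's/^/loose-perms: /'
}

# finding_count USER DIR: number of findings as a plain integer (0 = clean).
finding_count() {
    audit_domain "$1" "$2" | grep -c . || true
}

# make_demo_home: build a constructed /home-like tree in a temp dir and print
# its path. "user1" owns two domains; one has a world-writable uploads
# directory, the classic mistake that lets other users write into a site.
make_demo_home() {
    root=$(mktemp -d)
    mkdir -p "$root/user1/example.com/wp-content/uploads" \
             "$root/user1/blog.example.com"
    printf '<?php // constructed placeholder\n' > "$root/user1/example.com/index.php"
    # Normalise to safe defaults regardless of the caller's umask.
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    chmod 777 "$root/user1/example.com/wp-content/uploads"
    printf '%s\n' "$root"
}

# Demo run: audit both domains as the current uid, then audit example.com as
# if it were supposed to run under a different (constructed) uid.
root=$(make_demo_home)
me=$(id -u)
for d in blog.example.com example.com; do
    printf '== %s as uid %s: %s finding(s)\n' "$d" "$me" \
        "$(finding_count "$me" "$root/user1/$d")"
    audit_domain "$me" "$root/user1/$d"
done
printf '== example.com as uid 4242424 (constructed): %s finding(s)\n' \
    "$(finding_count 4242424 "$root/user1/example.com")"
rm -rf "$root"
```

In real use, call `audit_domain USERID /home/USERID/domain.com` with the user shown in the panel for that domain. A “wrong-owner” line after a domain move means files were left behind under the previous owner; a “loose-perms” line means something (often an installer or plugin) has opened the directory to other users on the server and it should be tightened back to 755/644.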

Recently I was helping a customer with a hacked site, and he complained that the sites he hosted for his clients were being hacked, and his clients were pissed off. I took a look and saw that all his client sites were under one user ID. I asked him if the clients had more than one domain, or if they all had their own, and he replied that each client had 4 or 5 of the domains. After cleaning up the hack, together we made new user accounts, one for each client, and moved the domains to those accounts. If possible, I always clean before moving, but in one case the customer had 75+ hacked sites, so we moved and then cleaned each one, prioritizing the accounts on the way. It took a very long time.

The extra benefit to this is the clients can now have FTP access to their domains and do wild and crazy stuff! But we don’t want them to have FTP.

Moving The Domain

Obviously first you need to set up users. When I set up a new user, the first thing I do is make it secure. That means I turn off FTP, forcing SFTP only, and if needed, give them Shell access. Personally? I love shell access, so I always leave it available. If you’re using DreamPress, we have Shell turned off by default, but you can activate it.

(Image: Secure User Settings)

There is a downside, which is that the WebFTP app won’t work. Personally? I find 99.999% of WebFTP apps to be total drek. They’re messy, kludgy, and there are some great free apps like Cyberduck which even let you connect with DreamObjects!

Now that you have the user, we want to move the domain. This is so easy, anyone can do it. Go into Panel, click on domains, click on edit for the domain. Go to “Users, Files, and Paths” and change the user in “Run this domain under the user:”

(Image: Changing Users)

Really, it is that simple.

Notes:

  1. Unless there’s a server wide security flaw, which yes, can happen, but we spend a lot of time trying to prevent that.

Comments

  1. Note #2 – make sure you don’t leave any directories under these users writable by users other than the user that owns them.

    and a p.s. = more on “DreamHost users” at http://wiki.dreamhost.com/Users

  2. Great article Mika. It can never be explained enough about the way “users” work, and how DreamHost offer unlimited users on every account, enabling us to lock-down and customise each an every domain environment (and even sub-domains, too if we want!). The images are fantastic, too — they really help in visualising how accounts are made more secure at the user level, which is something that is often hard to get across in text-only explanations.

    p.s. Is that an old photo of Robert? Must have been back in the J! v1.0 days mate ;-)

    • I am not responsible for RL’s gravatars ;)

      I’ll probably port a lot of this over to the wiki sooner or later, but sometimes it’s nice to write it as Me.

  3. Just came across this, Mika, from going down the rabbithole of clicking your name on the DreamObjects Connection plugin page. Great stuff you share, and that plugin has been working great for me.

    But have a big question here about not the technical or security-by-organization of this article, but the concept of multiple clients on one account. Clients, not “users”, as in your mention of helping a DH customer with “the sites he hosted for his clients”.

    Recently DreamHost support, management, forum or wiki posts (I don’t recall the specific links but it was within the past month or two on one or more of DH communication channels) have been saying that if a DH customer hosts her clients in her DH account, it is against the AUP, and always has been! It was somewhere on a question to DH about whether they would offer reseller hosting. The DH Employee responding made it clear, no, not ever, and if you are doing it on your own you are in violation of DH TOS.

    Yeah, right. People have been doing that all along. The multiple-domains-unlimited account, back a decade ago when you offered less than that as an option, used to be called the “pro” or similar verbiage and pretty much encouraged that usage. I have some support tickets going back to 2004 or so where I was clearly talking about a site for a client, used the term, and never heard a thing that it was against TOS/AUP.

    Now your colleagues, on official channels, are starting to tell people they can lose their accounts if they do. Based on the old language of the AUP about forbidden to “share with the general public”. In the followup there were some weasel-word clarifications that “if they are a close business relationship” or “you have personal knowledge of them…” (paraphrased from porous memory) it would probably be ok.

    “Probably” is not good enough to make me or others continue entrusting doing reasonable-volume small biz client sites via an informal reseller arrangement – which works great for technophobic clients who would not know a cPanel nor a DH custom Panel if it crawled up their leg, so just want “the web guy to take care of it all.”

    Yet you here, in more or less the same cusp-of-2013-14 timeframe, are helping folks out with examples on

    I had a 2-day outage just last week after DH support botched a server move that I requested and they agreed to do because of a 3-month history of that particular server “twiddle” on botetourt slowing the site badly at least when CloudFlare via DH Panel via RailGun (the dedicated DH-to-CF) connection was in use. It was for a client. I was terrified to mention it was for a client after having read that. I ended up expanding one of my Gandi Simple Hosting instances (simple compared to what, heh-heh), spun up a vhost and manual WordPress install, did a db dump and ftp of the wp-* and root collateral while Apache for my new DH location was still messed up, and swapped DNS to make Gandi primary, before DH had it together.

    I would have made a bigger deal about “hey, this is a client site” – but now it seems like that is against the Law of DreamHost. Yet you are giving tips on the right way to handle client sites in a DH account. I realize you are writing here in a non-DH-official capacity but still, kinda owning being a Happy DreamHost Half-Elf, right?

    Could you please give me, and by extension other readers, any perspective on what is and isn’t ok at DH these days? I get that the company is getting bigger, I get very much that it has new products to monetize (hey did I mention I use your DO plugin and also just started using DO for a boatload more with a 2 orders of magnitude increase in my bucket size billing?) I definitely want DH to remain strong and independent from the Orc hordes of EIG that are taking over many once-good hosting companies and dumbing them down. So sure, I get the increased concern and nastygrams about excess disk usage that never used to go out for a GB or so. Buy DO. OK, I did.

    But what about hosting a bunch, for small values of bunch, of sites for small-biz non-heavy-vol clients who otherwise would never be at DH at all (they would be sucked into GoDaddy’s all-seeing eye, because, hype)? Yes, each on separate Linux users, not all under one, but all in my Panel account and my one hosting account?

    Is that still ok? Or do I and many others need to find a new company?

    In any event many thanks for the great info and the great DO plugin. Which I can report is working fine in Gandi Simple Hosting to back up to my DH buckets.

    Cheers,
    Mark

    • Ipstenu says:

      Someone steered ya wrong and I’d love to know who/where!

      http://wiki.dreamhost.com/Reselling is pretty clear. Yes, you can resell, but on your head be it. So if you sell space to Bob and Bob hosts child porn, you and ALL YOUR CLIENTS can lose their sites too. Yaaaaay.

      Now I know we also say this: http://www.dreamhost.com/unlimited-policy/

      Here are some specific examples of things not allowed:
      Copyrighted content to which you do not hold usage or distribution rights.
      File upload / sharing / archive / backup / mirroring / distribution sites.
      A site created primarily to drive traffic to another site.
      Making your account resources available (whether for free or pay) to the general public.

      It was explained to me this way:

      The prohibition in our Terms of Service against “making your account resources available (whether for free or pay) to the general public” applies to all features that we make available as part of your hosting account, not just to disk space and bandwidth. We specifically mention those two because they’re the ones that come up as an issue most frequently, but other features such as email are included in that statement too.

      [...]

      The term “general public” does not exclude users who have registered an account on your web site, either. The intent here is to allow customers to provide their account resources, on a limited scale, to individuals with whom they have a significant personal or business relationship. A user who just found your web site and registered an account is not included.

      We realize that this policy is a little bit vague, and we do intend to clarify it in the future.

  4. Great post! Question: If I want to do this, and the site under the domain is a WordPress site, does it work all easy-breezy, or am I going to screw the pooch? I have three 4 domains under a user that I want to spread out and give their own user, but don’t want to make a mess. This seems too good to be true and so easy that I figured I’d better ask the expert.

    Thanks!
    Jebb
