How do you share a website amongst multiple users now?


#1

Hi all,

In order to allow a few people to work on my site, I have created separate accounts for them and put them all in the same group. I then changed group ownership and permissions of the areas I want them to access. This has been working fine, up until recently.

Unfortunately I have now discovered that “Enhanced User Security” is becoming the default option for all users, and even if I disable it, it will be turned back on at random.

This option prevents my users from accessing the shared paths in accounts other than their own. The wiki suggests this is possible, however it is not - the home directory has permissions 710 which means only members of the same group can access it, but the group is set to “adm” which none of my users are members of. Thus regardless of the permissions I set within the folder, no user, not even those on my DH account, can get through any home directory.

Since being able to have other users access my account is a big selling point with DH as it avoids the need to share passwords, how do you share a website amongst multiple users now that “Enhanced User Security” is being forced on?
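The traversal problem described in this post, as an added example that is not part of the original thread: a path walk that reports the first component a given user cannot pass. The uids, gids, group names and paths are constructed for illustration; pass the default `os.stat` instead of the sample tree to check a real path.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result so the check runs on constructed data.
Meta = namedtuple("Meta", "st_mode st_uid st_gid")

def class_bits(meta, uid, gids):
    """rwx triplet the kernel applies: owner class, else group, else other."""
    mode = stat.S_IMODE(meta.st_mode)
    if uid == meta.st_uid:
        return (mode >> 6) & 7
    if meta.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def first_block(path, uid, gids, want=4, stat_fn=os.stat):
    """Return (component, mode, gid) of the first denial, or None.
    Every ancestor directory needs search (x); the target needs `want`
    (4=read, 2=write). Ignores root's bypass and POSIX ACLs."""
    parts = [p for p in path.split("/") if p]
    current = "/"
    for i in range(len(parts) + 1):
        if i:
            current = os.path.join(current, parts[i - 1])
        meta = stat_fn(current)
        need = want if i == len(parts) else 1
        if (class_bits(meta, uid, gids) & need) != need:
            return current, stat.S_IMODE(meta.st_mode), meta.st_gid
    return None

# Constructed layout: all uids, gids and paths are made up for illustration.
ADM, WEBTEAM, OWNER, HELPER = 4, 2000, 1001, 1002

def sample_tree(home_gid):
    return {
        "/": Meta(0o755, 0, 0),
        "/home": Meta(0o755, 0, 0),
        "/home/owner": Meta(0o710, OWNER, home_gid),
        "/home/owner/example.com": Meta(0o2775, OWNER, WEBTEAM),
        "/home/owner/example.com/index.html": Meta(0o664, OWNER, WEBTEAM),
    }

if __name__ == "__main__":
    target = "/home/owner/example.com/index.html"
    for gid in (ADM, WEBTEAM):
        tree = sample_tree(gid)
        print(gid, first_block(target, HELPER, {WEBTEAM}, stat_fn=tree.__getitem__))
```

With the home directory at 710 and group `adm`, the helper account is stopped at the home directory no matter how permissive the site folder is; with the home directory's group set to the shared group, the same walk succeeds.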


#2

Well, I contacted DH support and the answer is unfortunately that this feature is being removed :frowning: The “Enhanced User Security” option will be available for a little while, before being taken out entirely. At that time only one user will be able to access the files on a given domain, and it will no longer be possible to delegate out areas of your web space to others to help you maintain your site. The VPS option will continue to have this option enabled, at least for the time being.

Does anyone have any suggestions about how to handle this, apart from switching to another web host? I have experimented with installing a web-based file manager (eXtplorer in my case) which works quite well, but it only accesses files as the web server user (the same as the domain’s user) which means in order to work across multiple domains I would have to install it separately on every single domain.

Are there any other options that don’t involve sharing the password of the domain’s account?


#3

The key here is that you are discussing an option that deals with low cost shared hosting and management of the server through the DreamHost panel.

If in fact you have a VPS or dedicated server it’s possible to turn off DreamHost management (panel functions) and set things up more precisely to your likes or needs. If you wish to stay with shared hosting, you could come up with some custom scripts that run on a periodic basis through cron to ‘publish’ new files submitted by a different user (basically one user “logging in” to another on the same machine, and pulling files over). This would be a server side solution.

For a local based solution, there are also options available to you. For example: I have WinSCP set up on a local machine in a mode that “watches” for changes to local files in a certain directory structure; when a file changes it is automatically SFTP’d to the server immediately. I could expand this on my local network by giving access to different users on the local network to various “folders” or directories within that structure being “watched” by WinSCP; when a user moved a new or changed file within the “folder”, WinSCP would then immediately upload the file. The key here being that WinSCP knows the credentials to the website, other users don’t need them, they just need access to the folder or directory that WinSCP is watching. If this was the only method any user could use to publish a change to a file on the server, then you would also have the added benefit of always having an accurate local backup of the entire website at any given time.

The change DreamHost made (or is making) is in fact a necessary one for a shared hosting environment. It helps not only to prevent one shared account that has been compromised from the outside from potentially being used to compromise other accounts on the same server, but it also helps protect your site from other DreamHost users on the same machine. While we would like to think that other DreamHost customers sharing our shared servers would all respect our privacy and stay out of our stuff, they might just be there to do exactly that… find out what information they can gather about other sites sharing the same machine to hack or compromise the site either from inside or from outside using information gained by being able to access other users’ stuff.


#4

Unfortunately I’m not really keen on the idea of publishing files at regular intervals. The way my sites work is that nothing will happen for many weeks (so checking for changed files is a waste of resources) but then a sudden burst of activity will happen and creating links to files is a pain if you have to wait even five minutes before you can check if your link works.

Your local solution is interesting, but unfortunately my users are spread out over the world so I need something that runs entirely off DH infrastructure.

I disagree that this change is necessary in a shared hosting environment. If we were allowed to change the group of our home directories, then we could use UNIX groups the way they were originally designed - to allow shared access to only those people we want. Other DreamHost users wouldn’t be able to access our files because they don’t belong to the group. This is how all shared UNIX systems I have used work (mostly those at universities.)

I also think the change will lead people to a false sense of security. The web server user still needs to be able to access everyone’s files in order to serve them up to web site visitors, so a malicious user only has to write a PHP script accessed from the web in order to read files from another user’s home directory, instead of using the shell.