+42

Per site user

JONIK NSK 5 years ago • updated by Vishal Kute 1 year ago 17
When creating a new website with the Ajenti-V panel, for example, create a new OS user as the owner of the site files and grant him privileges to configure the site settings with Ajenti-V.
Example:
1. When creating the site, ask for the user to create: username [thesiteuser], password [default is empty] and shell [drop-down: sh/bash/ftp]
2. Create the system user thesiteuser with main group www-data and homedir /srv/website, with the corresponding shell from the list.
3. Change the owner recursively to thesiteuser:www-data for /srv/website
4. php-fpm workers run as thesiteuser:www-data
5. The webserver user (apache or nginx) has the additional group www-data for serving the user's content.
6. Ajenti-V uses for administration of the website:
- the internally created user thesiteuser with the specified password
- the system user thesiteuser (if "sync panel users with system users" is checked)
7. Additionally, Apache mod_ruid2 or mpm-itk user permissions for vhosts may be implemented.
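
Steps 1 to 5 of the post above, sketched as a dry-run shell planner. This is an added example, not part of the original post and not Ajenti code. Assumptions: the "ftp" shell choice maps to `/usr/sbin/nologin`, the socket path and `pm` values are constructed, and the `open_basedir` line is extra hardening the post does not mention.

```shell
#!/bin/sh
# Dry run: prints the commands and pool file for review, executes nothing.
LC_ALL=C

valid_name() {   # plain lowercase account name, at most 32 characters
    case "$1" in ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;; esac
    [ "${#1}" -le 32 ]
}

valid_root() {   # path under /srv without traversal or shell metacharacters
    case "$1" in *[!A-Za-z0-9/_.-]*|*..*) return 1 ;; /srv/?*) return 0 ;; esac
    return 1
}

shell_path() {   # drop-down from step 1; "ftp" = no interactive login (assumption)
    case "$1" in
        sh)   echo /bin/sh ;;
        bash) echo /bin/bash ;;
        ftp)  echo /usr/sbin/nologin ;;
        *)    return 1 ;;
    esac
}

# Steps 2, 3 and 5. Args: user, site root, shell choice, web server account.
plan_commands() {
    valid_name "$1" && valid_root "$2" && valid_name "$4" || return 1
    login_shell=$(shell_path "$3") || return 1
    echo "useradd -M -d $2 -g www-data -s $login_shell $1"
    echo "chown -R $1:www-data $2"
    echo "usermod -aG www-data $4"
}

# Step 4: php-fpm pool running as the site user. Args: user, site root.
fpm_pool() {
    valid_name "$1" && valid_root "$2" || return 1
    cat <<EOF
[$1]
user = $1
group = www-data
listen = /run/php-fpm-$1.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
pm = ondemand
pm.max_children = 5
php_admin_value[open_basedir] = $2
EOF
}

plan_commands thesiteuser /srv/website bash nginx
fpm_pool thesiteuser /srv/website
```

Because every site user and every pool shares the group www-data, separation between sites rests on the owner permission bits and `open_basedir`; group-writable files would be writable by other sites' workers.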
This provides account isolation/security? 
Preventing infected websites/accounts from affecting others?
Both! :) This case allows creating an isolated environment per user (e.g. a chrooted shell), and also setting up filesystem quotas per user/site.
https://en.wikipedia.org/wiki/Cgroups

This enables resource limitation by user (used on CoreOS, gaining popularity among hosts) and security (Namespace section)
Know of anyone working on this concept here or elsewhere? It's a great idea.
I'm also very interested in this. What is the status for this enhancement? Is there a way to get this into Ajenti-V soon? Cheers!
Hi! What is the status for this feature?
+1
I would like to know if the approach for this would be to create a plugin that gives the user access to that plugin, which in and of itself would be a restricted panel, and that plugin would be like "websites" but isolated to /srv/http/thisusersite (controlled by a higher power) somehow. If anyone thinks this is a valid scheme I will pursue it, but if it's not I would like input on alternative approaches.
+2
excellent idea!
but the way I read the original post there would be a single user for each and every website.
It would be far more useful if we were able to simply create "restricted" control panel users,
that can only create websites, DBs, ftp accounts, and the like, within their assigned homedir.
+1

It would be far more useful if we were able to create per site users and "restricted" control panel users.

Does this solution still work on the latest Ajenti version?

Someone is going to have to pick this one up and develop it separately. It's outside the developers' interest, as it's been discussed here and on other threads for over a year. I believed first that Docker containers might be the answer, but that's only one person's assessment.

I've been looking at this for a while now in consideration of transitioning my current hosting cluster over to Ajenti V.


I would be willing to develop a plugin for this, assuming the community has enough interest for it. It can be achieved fairly easily with jailkit and I'm honestly surprised it hasn't been implemented into Ajenti yet.


The dev team should take note though: this is a necessary feature. When hosting webspace, your more advanced clients will need to be able to work in the terminal, especially when working with Laravel projects and other currently unsupported frameworks. As the sysadmin, you'll find you don't have time to go in and run a bunch of symlink and templating scripts to fit each use case. It's easy to let the user do it themselves.

@keyton_stanier - That's a very generous proposition. We have developed a python plugin that integrates Cloudflare into the panel (limited for A/CNAME/TXT records, client onboarding etc) instead of using BIND, and are pursuing a more robust version as we have now integrated their railgun product in a test Data Center (VM). I always thought that either ACL or Jailkit would be worth looking into but found that time and a few barriers to becoming expert at.


Moving forward, I would like to know if you want a beta tester; I would put up a server to evaluate for 6 months or whatever it takes.

@Wrrr I'd be more than happy to take whatever help I can get with beta testing. After playing around with Ajenti some and going through all the docs, I've decided that I'm going to develop and test the plugin against 2.x and maybe port back to 1.x once I know it's working.


What version have you been using for your set-up? If you have any basic requirements for a Jailkit implementation (in-browser kit config, integrated file explorer, etc.) I'd be happy to try and work on them.

What version have you been using for your set-up?

Sounds great. We're on Ajenti v1.2.23.3 as of the last update. We're not using jailkit, if that's the question. We're building VPSs (tuned for WP delivery) in our own leased space (data center), Ubuntu 14.04.4. So, we would have to meet (virtually/hangout) and then get on with making you an SSH/user into a test VM and move forward.

Can anyone please tell me how to create per site users and "restricted" control panel users in Ajenti 1.x with Ajenti V? Please provide the docs, if you have them, or the steps.

I've added the website and created the system user, but I am unable to log in with the Ajenti control panel.