Debian Planet











      
    Corporate Web Server
    Contributed by mandreko on Friday, November 09 @ 06:13:25 GMT

    Ask Debianplanet
    I have recently been put in charge of creating a Linux webserver (since I had always told my bosses that Linux is superior to NT4). I have set up many websites before on Linux; my personal site runs on my Debian server. However, we're speaking about a company server, and I'm not really sure how to go about it. How should users be managed? How can we facilitate adding users to those who don't know Linux (all but me here...)? Are there any guides to setting up a *nix server for multiple users in a working environment, securely?

    DanielS: I was faced with much the same situation. Your best idea is to only add accounts for those who know Linux well - get the company to buy a very good book, and get the people to come to you and somehow prove they know how to use Linux, and well, and then give them logins. Only install what you *need*, and keep up to speed with updates, but don't be too hasty - you might introduce more bugs.

     

    Re: Corporate Web Server (Score: 1)
    by purcell on Friday, November 09 @ 08:43:30 GMT
    (User Info) http://advogato.org/person/purcell

    In a corporate Windows-biased environment, there is usually a set of private 'network drives' for users' mail etc., and a further set of public network drives so that users can share information with colleagues.

    If there is one public folder on the network for each user, you can mount those folders onto the webserver using samba, and institute a convention that a 'public_html' (or similar) directory within that folder will be made visible via the web server. You can almost certainly leave CGI disabled for those folders, and the performance hit of serving pages from a network file system should be irrelevant for a typical intranet.

    Another option would be to set up web folders using WebDAV (apt-get install libapache-mod-dav) for each user, and hook the authentication into the corporate network auth (e.g. via samba with libpam-smb, or via LDAP).

    The first option is probably the better (though less exciting) one.

    [ Reply ]


    Re: Corporate Web Server (Score: 1)
    by gloryhack on Friday, November 09 @ 08:59:50 GMT
    (User Info)

    First things first: If it's a web server, it needs very few user accounts on it. The ultimate reality (though impractical in most cases) is just two users: root (you) and webmaster.

    Give the user(s) access via FTP only (something like ProFTP that can be chrooted) with no shell at all (/bin/false). This limits the harm that can be done -- if you can, you should firewall port 21 so that the wild and woolly internet cannot reach your FTP server's control port, to keep things nicely under control. Better yet, firewall all except port 80, and 443 if you need SSL. Install SSH, then yank telnetd out by its roots. Make sure that no shell account has any reason to send a password in plaintext across the network.

    If you have to allow for multiple users, so that, say, different departments get their own place in the sun, just take advantage of ProFTP's chrooting to keep them from clobbering one another's stuff. If you need to provide mail, I recommend installing qmail but only allowing for delivery by forwarding to the users' primary accounts, and not allowing for relaying.

    As for Apache, make sure you have a plan for keeping users' stuff segregated, without making them jump through hoops. Only allow overrides on a case-by-case basis -- instead of allowing every user on the box to install formmail, instead install cgiemail for them.

    If you have to provide email, use qmail. It's weird until you get used to it, but it's easy and apparently very secure. If you must provide DNS, use djbdns -- BIND has a lousy security track record, is hard to get along with, and is best left to those who enjoy that kind of pain. The best bet, though, is to avoid providing any services that can be shoved off on, I mean, provided by, someone else.

    The more services you offer, the more time you will have to spend adminning the thing. Of course, install tripwire and logcheck (or whatever other, similar things you're comfy with) so the machine can tell you if it's unhappy, and it should be a set it and forget it installation.

    Provide documentation for every service the machine provides to the clueless, er, uh, web authors. Write it yourself if it doesn't exist.

    When it comes to updates, my advice is to, whenever possible, wait a few days before implementing them, and search for references to the affected packages in the mailing list archives before installing. I use one criterion to determine if the update goes in before other users have had time to discover brokenness: Is the bug or hole this update fixes so outrageous that I'd think it wise to shut the machine down if there were no fix available? If the answer is yes (leaking company secrets, exposing the LAN to attack, those kinds of things) then cross your fingers and apt-get. If the answer is no, then let the other users out in the world find the new bugs.

    Remember to smile a lot and speak very little when listening to users... it makes ignorance look a lot like wisdom 🙂

    [ Reply ]
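
A way to check a host against the advice in the comment above (few shell accounts, FTP-only users on /bin/false, nothing reachable but the web ports and SSH). This is an added example, not part of gloryhack's comment; the allowlists, function names and sample data are assumptions constructed for it.

```shell
# Added example: audit accounts and listeners against a short allowlist.
# Allowlists are assumptions for this example, not values from the comment.
ALLOWED_SHELL_USERS="root webmaster"   # the only accounts meant to have a shell
ALLOWED_PORTS="22 80 443"              # SSH, HTTP, HTTPS

# Reads passwd(5)-format lines on stdin; prints accounts that can get a shell
# but are not allowlisted. An empty shell field means /bin/sh, so it counts.
shell_accounts() {
    awk -F: -v allow="$ALLOWED_SHELL_USERS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^#/ || NF < 7 { next }
        $7 ~ /\/(false|nologin)$/ { next }      # no interactive login
        !($1 in ok) { print $1 }'
}

# Reads `ss -ltnH` style lines on stdin (local address in field 4); prints
# listening ports that are not allowlisted. Loopback-only listeners are skipped.
unexpected_ports() {
    awk -v allow="$ALLOWED_PORTS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        NF >= 4 {
            k = split($4, part, ":"); port = part[k]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr ~ /^(127\.|\[::1\])/) next
            if (!(port in ok) && !seen[port]++) print port
        }' | sort -n
}

sample_passwd() {      # constructed sample, not from a real host
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
webmaster:x:1000:1000::/home/webmaster:/bin/bash
sales:x:1001:1001:FTP only:/srv/www/sales:/bin/false
intern:x:1002:1002::/home/intern:/bin/sh
legacy:x:1003:1003::/home/legacy:
EOF
}
sample_listeners() {   # constructed sample in `ss -ltnH` layout
cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 5 0.0.0.0:23 0.0.0.0:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
EOF
}
echo "Shell accounts outside the allowlist:"; sample_passwd | shell_accounts
echo "Listeners outside the allowlist:";      sample_listeners | unexpected_ports
```

On a live host, feed the functions `/etc/passwd` and the output of `ss -ltnH`; each port reported is a service to remove or to confirm is blocked at the firewall.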


    Re: Corporate Web Server (Score: 1)
    by owen on Friday, November 09 @ 10:29:57 GMT
    (User Info)

    You may find Zope is a useful web hosting environment. Users don't have to learn any *NIX (shame!) but it does make it easier for Windows users to learn. Almost all the admin configuration is done with a browser and ALL the user level interaction is done with a browser.

    Worth investigating!

    Alex

    apt-get install zope

    [ Reply ]


    Re: Corporate Web Server (Score: 0)
    by Anonymous on Friday, November 09 @ 15:48:02 GMT

    It all depends on how this server will actually be used. If it's purely a web server, do you really need to give many people access? Or just the (perhaps few) web developers, webmasters and the Admins. Additionally, as others have mentioned, for most there is no reason to give them system level access (ability to log in whether locally or at the console). WebDAV, Samba, FTP, SSH (Using Putty on the Windows desktops) are viable options for user access, depending on requirements. Web based content management systems are also handy, if you have the time to set one up for your needs.

    At my work place, I found the best solution was a combination of Samba and WebDAV, according to the needs of the developer. I'm progressively training my Boss how to Admin the box using Webmin. Once she's mastered that, I'll show her the command line tools.

    With a little work and RTM, you can use Samba to handle most of the access, authenticating the users with your current WinNT PDC.

    [ Reply ]



    All logos and trademarks in this site are property of their respective owner. The comments are property of their posters, all the rest © 2000 by Debian Planet
