Majic Projects ~ [CLOSED] MAR-59 - Use dedicated administrator account wsgi_website and php

Majic Projects

Majic Ansible Roles

Projects
Wiki
- Quick links
- Wiki
- Project wikis
- Conntrackt
- Django Pydenticon
- Gimmecert
- Majic Ansible Roles
- Pydenticon
- Scripts
- Global content

Majic Ansible Roles / Closed Feature request MAR-59 Use dedicated administrator account wsgi_website and php_website roles

Votes

This issue has been closed with status "Closed" and resolution "RESOLVED".

- No additional actions available

Issue basics

Type of issue

Feature request Unknown issue type
Issue label

No label set
Category

Security Not determined
Targetted for

1.0.0 Not determined
Status

Closed

Status not determined
Progress
Priority

Must fix before next release Not determined

Affected by this issue (0)

There are no items

People involved

Posted by
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 23, 2024 - 13:56

Show user details
Owned by

Not owned by anyone
Assigned to
branko (@branko)

Branko Majic
@branko

Last seen online at Apr 23, 2024 - 13:56

Show user details
Not assigned to anyone
Subscribers

0 subscriber(s)

Click here to show the list of subscribers

Times and dates

Posted at

Jun 14, 2016
Last updated

Jun 16, 2016
Estimated time

2 hours Not estimated
Time spent

No time spent

Click here to see time logged against this issue

Issue details

Resolution

RESOLVED Not determined
Reproducability

Not determined
Severity

Not determined

Attachments (0)

There is nothing attached to this issue

Child issues (0)

This issue does not have any child issues

Duplicate issues (0)

This issue does not have any duplicates

Show / hide more details »

Description

Currently the '''php_website''' and '''wsgi_website''' roles allow the user to specify website administrator that will be granted write permissions on website files.

This can have possible security repercussions in cases where the specified administrator is used also for administering other websites or even worse has sudo privileges. For example, with '''wsgi_website''' role the administrator would be activating the virtual environment with a lot of different packages, and some of those might be malicious.

It would be better to instead have dedicated administrator users for each website.

For example, if the website user/group is '''web-test_example_com''', the role could create an administrator user that belongs to group '''web-test_example_com''' with username '''admin-test_example_com'''. The admin should only be created if user has not explicitly specified an administrator.

A tiny enhancement for the wsgi_website role would be to auto-activate the virtual environment when switching to the administrator user as well.

Todos (0 / 0)

Options

Issue created

Welcome to The Bug Genie

Log in with your username and password