
Question Should Web Files be assigned the 'Root' User or should the Domain's Subscriber be assigned the role?

Craig1986

Basic Pleskian
I run a VPS that hosts a variety of Domains, owned by different people. Though they have their own Plesk and FTP Login credentials, I am the one who takes responsibility for the web files. Backups, SFTP Uploads etc.

In the interest of ease, I have been accessing Plesk via my Root credentials as well as using my Root credentials to upload content to the VPS via SFTP.

As such, all of the Web Files have been assigned the 'Root' User when viewing the files within Plesk's File Manager. I have not experienced any major issues with this, to date, but I am wondering if this is the standard way of dealing with Web Files.

Upon thinking about the topic, my inclination is that Web Files should be assigned the User of the individual Subscriber and not that of Root. Is my thinking correct or should I leave the User roles as 'Root'?

I have had a look around but would appreciate further clarification on any issues that could arise (mainly security), in using Root over the individual Subscriber as the User Role for Web Files.
 
The apparent downside of the current situation is that your customers aren't able to use their FTP or their Plesk's File Manager to manage these files, apart from reading them.

The web server itself also isn't able to modify the files - which can be a plus as far as security is concerned, but it might also hinder certain functions of the web pages.

For the customers to have full access, the owner of the files should be their system user and the group should be psacln. I suppose that would be considered to be the norm on Plesk servers.

As for the security considerations, the web pages might actually be more secure as they are now (assuming the file permissions are correct)... but it's entirely up to you to judge which approach better suits your needs and those of your customers, as it largely depends on the web pages themselves.
 
Have I understood it right that when a Website is assigned the User Role of 'Root', the improved security comes from the fact that the Web Files are better protected in the event that a Subscriber's Account becomes compromised?
 
Yes, e.g. if the code of a web site were vulnerable in a way that would allow an attacker to modify an existing file and add some malicious code of his own to it, having files owned by user/group root makes such an attack impossible. On the other hand, a possible SQL injection would not be prevented...

Basically, what I'm saying is that instead of having all customer files set to <customer user>:<group psacln> and permission 644, subtle changes to permissions and even ownership can prevent certain common attacks.
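
An added example, not part of the thread and not Plesk's own tooling: a small shell audit for either ownership model discussed above (root-owned, or subscriber user with group psacln). It lists entries under a document root whose owner or group differs from the expected one, plus anything writable by group or other; the path and `<sysuser>` in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: audit a site's document root against an expected owner:group.
# Findings are printed one per line, prefixed with:
#   OWNER  entry is not owned by the expected user
#   GROUP  entry's group is not the expected group
#   WRITE  entry is writable by group or other (symlinks skipped: always 777)
# Returns 0 if clean, 1 if there are findings, 2 on a bad argument.
# Assumes file names without embedded newlines.
audit_docroot() {
    docroot=$1; owner=$2; group=$3
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 2; }
    findings=$(
        find "$docroot" ! -user "$owner" -print | sed 's/^/OWNER /'
        find "$docroot" ! -group "$group" -print | sed 's/^/GROUP /'
        find "$docroot" ! -type l \( -perm -020 -o -perm -002 \) -print |
            sed 's/^/WRITE /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Usage (placeholder path and user):
#   sh audit_docroot.sh /var/www/vhosts/example.com/httpdocs <sysuser> psacln
#   sh audit_docroot.sh /var/www/vhosts/example.com/httpdocs root root
if [ "$#" -eq 3 ]; then audit_docroot "$@"; fi
```

A non-zero exit status makes it usable from cron or a post-upload hook to catch uploads made as the wrong user.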
 