Hey @PawelP, thanks.
Fantastic question. Great to know you’re thinking about security. I also use temporary accounts for 3rd party users. In some cases I give them their own VPS.
I’m slowly working on a CLI video that will help everyone here improve their skill levels by teaching day-to-day tasks you might need to perform. I’ve copied and pasted some of those here…
Method 1 (The secure way)
adduser
In order to create a new user on the web server, we’d use the adduser command. This is a command that requires “superuser” privileges. Therefore, we prefix it with sudo. And at the end we add the username we wish to add.
So, if I wanted to add a user called “bob” then I’d run:
sudo adduser bob
You’ll then be prompted to add a password for that user. And then add additional details of that user - Which you can skip by hitting Enter. Then confirm everything at the end when prompted by pressing Y.
group
You’ll also need to add your new user to the www-group, to help control their level of access to the Magento files. You can do this by entering:
sudo usermod -g www-data bob
chmod
Now that “bob” is part of the www-data group, you will need to decide what Folders/Files you want them to be able to Write to. The most common places where code gets created or modified are both app/design/ and app/code. So, to allow any user in the www-group to edit those files and folders, you would want to apply Permission 775. You can apply this rule to those locations by running the following as the “magento” user within the Magento root directory:
Apply 775 Permissions to all Files within app/design/ and app/code:
find app/code app/design -type f -exec chmod 775 {} +
Apply 775 Permissions to all Directories within app/design/ and app/code:
find app/code app/design -type d -exec chmod 775 {} +
There will be some complications with this method. For example, if “bob” were to upload any files via FTP then the Owner of that file would default to “bob” instead of “magento”. So, you’d regularly have to reset the ownership of your Files/Folders. But that’s like a 20 second task.
Method 2 (The half-arsed way)
Naturally, you could also just give them the password for the “magento” user - Who will have all of the Read+Write Permissions without having to do anything else. Obviously, you would need to change the password for this user regularly.
There may be more methods, but these are the only 2 that come to mind for me - that I use.
Misc
passwd
Sometimes you’ll need to change the password of a user. This can be achieved with passwd. To change my own password, I would simply type:
passwd
And confirm the new password twice.
But if I wanted to change the password of another user, I could use the superuser command. So, to change the password of the “magento” user I would type:
sudo passwd magento
And again, I’d confirm the password twice.
IP Restriction
If you’re using a good host, then you could use their Dashboard to control the Firewall. If not, then you can use the following ufw commands.
To whitelist an IP address on any/all ports:
sudo ufw allow from 123.123.123.123
To remove the whitelisted IP address that you’ve added:
sudo ufw delete allow from 123.123.123.123
You can verify your changes using:
sudo ufw status
Obviously, you can temporarily disable any user by either changing their password or removing their IP address from the Whitelist (or both). I’ll check back in tonight if you have any further questions.
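As an added example (not from the post above), here is a small shell script that wraps the two find/chmod commands from Method 1 and adds the check a practitioner would want afterwards: an audit of app/code and app/design for entries whose owner or mode has drifted, which is exactly the “bob uploaded via FTP” situation the post describes. It assumes it is run from the Magento root and that the expected owner name (“magento” in the post) is passed in as a parameter.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumed: run from the
# Magento root; OWNER is the account that should own the code (the post
# uses "magento"); the target paths are the post's app/code and app/design.

# apply_perms ROOT: the post's two commands, 775 on files and directories
apply_perms() {
  root="$1"
  find "$root/app/code" "$root/app/design" -type f -exec chmod 775 {} +
  find "$root/app/code" "$root/app/design" -type d -exec chmod 775 {} +
}

# audit_perms ROOT OWNER: list (on stderr) every file or directory under the
# two paths whose mode is not 775 or whose owner is not OWNER, and print
# the number of such entries on stdout (0 means nothing has drifted).
audit_perms() {
  root="$1"; owner="$2"; total=0
  for dir in "$root/app/code" "$root/app/design"; do
    [ -d "$dir" ] || continue
    n=$(find "$dir" \( -type f -o -type d \) \
             \( ! -perm 775 -o ! -user "$owner" \) -print \
          | tee /dev/stderr | wc -l)
    total=$((total + n))
  done
  echo "$total"
}

# Typical use after a third-party session: report drift, then re-apply the
# mode. Ownership drift still needs the chown the post mentions (needs sudo).
# audit_perms . magento; apply_perms .
```

Running the audit before handing an account to a third party and again after their session gives you a before/after diff of exactly which paths they changed.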