[ec2] ubuntu user and Apache setup

Thu Jun 11 04:32:21 BST 2009

Micah:

The "ubuntu" user is primarily there just to give you a clean, secure
entry point into the new instance.  There is (almost) no particular
reason you should continue using it once you gain access and start
setting up the server.

For example, it would be fine to create individual user accounts for the
folks you need to give access to the system and install their public ssh
keys in .ssh/authorized_keys for each account.  You could then delete
the "ubuntu" user and let folks connect with their own accounts.

The one exception I can think of as a good reason for keeping the
"ubuntu" account is if you need to rebundle new images and those images
need to set up ssh access based on ssh keypairs specified at instance
startup.  In that case, you might want to let the ec2-init startup code
do its job in setting up authorized_keys for the default "ubuntu" user.

On another note, Apache generally does not need to run as the same user
that owns the files it is serving.  It often only needs read access to
those files that define the web site.   Setting it up this way can also
have security benefits by preventing the malicious overwriting of files
if an exploit is discovered in the Apache software or your web application.

You could keep the web content files owned by a completely different
account to which your staff has ssh access or keep the files owned by a
shared group with umask set to allow group write, directories with "set
group id", etc.

We're straying a bit away from EC2-specific land now, but an even better
and common way to manage files for a web application is to give your
staff access to a revision control repository where all changes are
written, and create a mechanism which updates the web server from the
central repository.

--
Eric Hammond
ehammond at thinksome.com

Micah Walter wrote:
> Thanks for the links, I figured it out... seems to work just fine...
> 
> On related note. I am planning to set up a single instance to serve as  
> an apache web-server... for this server I was thinking to just leave  
> the single Ubuntu user installed... however other people will probably  
> need access ( like one or two other people) and so to make things easy  
> my idea was to move the website files to the Ubuntu home folder, and  
> use apache2-mpm-itk to so that I can set apache to run as the ubuntu  
> user ( as I'm typing this I am thinking I may not even need to do this  
> as ubuntu will be the ONLY user for apache )
> 
> anyway, the thinking here is that I can just give a few select people  
> the key-pair so they can log in as ubuntu via transmit and upload any  
> files without having to worry about SSHing and setting permissions...
> 
> is there any obvious security issue doing this, other than the obvious  
> one where I am handing out a key to someone other than myself?
> 
> 
> thanks for your help so far -- looking forward to the 9.04 RC1!!!