4
Farshad
3y

I need to install a web hosting control panel with limited access for a web developer, but most panels mess up other server configuration (e.g. mail server and ...).
What do you suggest? Is there any panel that doesn't break other configurations?

Comments
  • 7
    Out of curiosity: What do the web developers need to configure?
  • 2
    I wouldn't dare install one of these. The way they work, you are pretty much rekt if one serious security problem arises, as most of them either do exec() here and there and, to make matters worse, run as root.
    Doesn't happen? Just some weeks ago a bug in Webmin allowed running commands as root without logging in, and a day later it was being exploited already.
    Web devs shouldn't need access to the server directly. Maybe set up sftp for them, locking them into the web root, or implement a clean CI/CD pipeline.
  • 2
    (Also why is your mail server running in the same context as your web stuff? Cue: LXC containers)
  • 1
    @sbiewald I don't know, he is using Laravel and says that he needs a panel
  • 3
    @Farshad Simple: No
    You can run migrations, install packages, but never give devs potential root access.
  • 2
    @Farshad I'm sorry, but that does not make much sense to me.
  • 4
    A dev *shouldn't* need direct access to production servers; everything in a production server(s) should be replicable in another environment.
    Your dev should change the way he works, not the other way around.

    Even direct DB access I would question, hell I deleted a backdoor a dev wrote once to give him direct DB access - its security was a fucking email address. *mini rant - I'm good now*

    There should be a process in place for migrations and CI/CD to some extent, if not automated completely.
    Database updates should be rolled out in advance if required, or at least not render the site useless during a migration period - again, you don't need direct access to do this.

    *shouldn't: unless under a major failure or investigating an issue that can't be reproduced, a dev has no reason to access production.

    Source: I'm a dev, I have root access to all my environments, I never let myself or other devs log in directly without proving it's needed.
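
The SFTP-only access suggested in the comments above (developers locked into the web root, no shell), sketched as an OpenSSH `sshd_config` fragment. This is an added example and not part of the thread; the group name `webdev` and the layout under `/srv/www` are assumptions.

```conf
# /etc/ssh/sshd_config (fragment) - added example; group name and paths are assumed

# Use the in-process SFTP server so the chroot needs no binaries or libraries.
# This replaces any existing "Subsystem sftp ..." line.
Subsystem sftp internal-sftp

# Applies only to members of the (hypothetical) webdev group.
Match Group webdev
    # %u expands to the login name. sshd refuses the session unless every
    # component of this path is owned by root and is not group- or
    # world-writable, so developers upload into a subdirectory they own,
    # e.g. /srv/www/<user>/public (assumed layout).
    ChrootDirectory /srv/www/%u

    # File transfer only: no shell, no remote commands, start in /public.
    ForceCommand internal-sftp -d /public
    PermitTTY no

    # Close the side channels that could reach other services on the host
    # (mail server, database, panel-less admin ports).
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no

    # Key-based logins only for these accounts.
    PasswordAuthentication no
```

Running `sshd -t` checks the file for syntax errors before the daemon is reloaded.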