I'm not sure how best to ask this question. Over several years I've developed my way into a corner and need to figure some things out. I almost certainly haven't been following best practices up until now but there you go.
I make and host Django websites on my own Linux (Ubuntu) server. I manage their version control with Bazaar and upload over SSH+BZR. They all go into a parent directory imaginatively called /websites/. The production copies are just master BZR branches (not exports). I don't run any sort of FTP server, just SSH.
My workflow is that I edit a local copy of a website and commit the change. Because they're all bound branches, the commit is pushed to the server automatically, and that has a hook which then runs an update, which in turn decides whether or not the Django site needs to be reloaded. I've just scripted things so they work for me.
All the websites' files are owned by my user account oli. The websites currently all run under that account too.
Occasionally a client wants access to their sites; that's fair enough, but I'm not sure if I can do that under the current structure. I think things need to change in order to let me achieve the following things:
I can create a new user account for a client so that they can log in and play with their sites (and only their sites). I do trust my clients, but my other clients shouldn't be put in a position where I force them to trust each other.
I can still work on all the sites just as I would with my own account, ideally in one place, but I'd survive if on the server they were split up based on users.
If possible, force the users to go through BZR so they don't mess up the production branch with silly faff that can't easily be rolled back. You know how this works: if I give a client access and something "mysteriously" stops working, it's my fault regardless of what's happened. I need to be able to track what's happening but similarly clients do need to be able to make changes without my interaction (the gatekeeper VCS model wouldn't work for me).
So assuming I can do anything to change my current setup, what's the best way of doing this?
My current thoughts are:
1. Installing a simple FTP (et al) server that runs as oli to preserve any permissions and try to coerce them into using BZR but otherwise needing to sync updates. If you think this is viable, is there a secure equivalent to FTP that the system sees as one user but similarly something that I can arbitrarily limit to certain directories (eg user client-a can only view a subset of the website directories)?
2. Shake it up completely, use distinct SSH logins, keep websites in clients' $HOME dirs. If that gets your vote, what's my best tactic for stopping them doing anything but accessing their files? Is there a nice combination to limit ForceCommand internal-sftp with a chroot mechanism?
But I've learnt bad habits from hacking things around. How would you do this?
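The chrooted-SFTP combination the question sketches in its second option, written out as an added example (this is editorial, not part of the original post). The group name sftponly and the per-user layout /websites/<user> are assumptions; the sshd_config keywords are standard OpenSSH ones.

```text
# /etc/ssh/sshd_config (assumed example layout, not from the original post)
Subsystem sftp internal-sftp

# Everyone in the sftponly group is confined to their own directory and
# gets the in-process SFTP server instead of a shell. -u 002 sets the
# umask so files they upload stay group-writable for the admin's group.
Match Group sftponly
    ChrootDirectory /websites/%u
    ForceCommand internal-sftp -u 002
    AllowTcpForwarding no
    X11Forwarding no
    PermitTunnel no
```

Two caveats before relying on this. First, sshd refuses the login unless the ChrootDirectory and every component of its path are owned by root and not writable by group or others, so /websites/client-a itself must be root:root 0755 and the client's writable tree has to be a subdirectory (say /websites/client-a/site) owned by the client. Second, this gives the client direct file access to whatever is under the chroot; it does nothing to force them through BZR, which is the third requirement in the question. If the checked-out production branch lives inside the chroot they can edit the working tree behind bzr's back, exactly the "silly faff" the question wants to avoid.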
I would change the group owner of each directory to a group for each respective client (and set the sticky bit on the dir so new files inherit that gid), and give them an account with bzr+ssh access only, then have them use bzr to check out their site and work on it just like you do. Obviously add yourself to all of the client groups.