up vote 2 down vote favorite

If I have 10,000 webapps on my server and I'd like enhanced permissions and make a user for every app (/var/www/NAME will have a matching /tmp/www/NAME), will everything be fine or will problems occur when I have 10k users?

share|improve this question
1  
However, having 10k simultaneous users or serving 10k sub-sites concurrently off one box might yield some performance issues. – msw Feb 28 '12 at 2:59
Why do you think that you need a user per app? Could you group apps within a hierarchy of sort? – Sardathrion Feb 28 '12 at 9:56
@Sardathrion This is just an exercise and nothing real. But my question is if i was a hosting company and i have a powerful server and i have 10k websites on it. How do i completely prevent one user from accessing data belonging to another? Lets say instead of using php (which has an option to bind a file to a folder) they all use asp.net which can read/write anything. How do i prevent user A from seeing user B data? – acidzombie24 Feb 28 '12 at 10:30

3 Answers

up vote 5 down vote

There are very few things that have problems with that many users and groups. The core NSS tooling is generally pretty robust, and glibc and the Linux kernel specifically won't have substantial problems.

If you use an NSS that uses network access, you might need to use a local cache tool to give good performance - but only because many lookups will take a lot of time, not because of any fundamental problem with that count.

share|improve this answer
up vote 1 down vote

Note that this is in response to the question as rephrased in the comment.

I would group users into "meta groups" which could be commercial groups (gold, valued, free, yadda, yadda) or just a hash of the company name. Then I would have this:

/home/users/${metaGroup}/user

as their $HOME with only permission for them to read it and an ssh access by key only. The OS will guarantee that every file with no group/world read permissions will be readable by either groups or everyone.

/home/users/${metaGroup}/user/public_html

would be their public folder which has to be world readable but not world rightable.

The ${metaGroup} is there to facilitate finding a customer and not spending ages looking through complex ls commands to get what you want. Note that the number of user IDs is limited as well -- see the documentation.

However, doing hosting on this model does not scalable and allowing customers shell access on your production server a sure way to get yourself in a heap of trouble.

share|improve this answer
Good thoughts. +1. You forgot a big thing tho. I need to execute code as its a shared webserver. Their /var/www/SOME_NAME/ is read/writable and being executed by asp.net with the user www-data. With this i believe they still can read eachothers files via www-data and code (i said .NET and mentioned php but it could be anything) that snoops around – acidzombie24 Feb 28 '12 at 11:09
I am not familiar with asp.net running on *nix so cannot really comment. I know that Apache/Nginx can be set up so that what you refer to is impossible: they cannot go above their root. – Sardathrion Feb 28 '12 at 11:14
up vote 0 down vote

If you've accumulated lots of bad karma in your previous lives, you might find yourself in a position where you use NFS (Nightmare^WNetwork File System) today.

NFS traditionally has a limit on 16 groups, but this can be avoided with modern installations. This article is worth reading if this applies to you: http://nfsworld.blogspot.com/2005/03/whats-deal-on-16-group-id-limitation.html

share|improve this answer

Your Answer

 
or
required, but never shown
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.