Use only admin account

Hello everyone, I’m new here. I hope I can contribute to the forum.

Is there any problem with using only the admin user (instead of creating another), and to have more flexibility with the admin, modify the admin package from system to default? My ADHD has been confusing me a lot, having to switch between these two accounts all the time.

Thank you.

Hi,

Creating services under the admin account could be a security risk, and that is the reason it is not recommended to use it for non-administrative tasks.

Just create a new user, add your web/mail domains, etc. to that user, and always log in with that user to operate your site, so you should only log in with the admin user to perform administrative tasks (add, edit or remove users, firewall rules, etc.).

2 Likes

Hi @sahsanu

The problem is that I was unable to perform some settings that I needed with my new user (even though it has the administrator role), such as viewing the Task Manager.

Now I noticed that when I change user via admin (Log in as ___), it doesn’t show the “server settings” menu for my new logged-in user. I don’t know if it’s a bug or on purpose. If I log in directly as my new user (entering login and password) then the server settings menu appears. This ended up confusing me.

Now I have a doubt: does leaving my new user with the administrator role cause the same security risk as if I used the default admin to modify things?

It seems that only the administrator role allows me to see the Task Manager, and it is essential for me.

Thank you.

Me neither; I don’t know whether it’s a bug or a feature, but since it works correctly when logging in directly with the user, I would say it is a feature :wink:

A user with the administrator role (different from the user admin) doesn’t have the same privileges as the user admin; for example, those users can’t use sudo to run v-* scripts in /usr/local/hestia/bin/, so there should be no more security issues than using a regular user.

1 Like

Thanks for the clarification.

In the case of the example you used (using sudo), wouldn’t this only be a problem in the panel if HestiaCP had a terminal? I didn’t quite understand. Because access to the panel is different from my SSH root access.

Thank you.

No. If, for example, you add a web domain to the admin user and for some reason you upload a PHP file like this:

<?php exec('sudo /usr/local/hestia/bin/v-change-user-password admin "newpassword"');

And anyone visiting that PHP file on your site will change your admin password.

Take a look here to get more info.

1 Like
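The risk described in the reply above exists when one account both owns a web domain and holds a sudo rule covering /usr/local/hestia/bin/. The following audit is an added example, not code from the thread or from HestiaCP: the sudoers lines and the user-to-domain map are constructed sample data, the function names are hypothetical, and the parser is deliberately simplified.

```python
import re

HESTIA_BIN = "/usr/local/hestia/bin/"  # path named in the thread

# Constructed sample data, not copied from a real server.
SAMPLE_SUDOERS = """\
Defaults:admin !requiretty
admin   ALL=NOPASSWD:/usr/local/hestia/bin/*
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""
SAMPLE_DOMAINS = {  # panel user -> web domains it owns
    "admin": ["example.com"],
    "webuser": ["shop.example.com", "blog.example.com"],
    "backup": [],
}

def sudo_users_for(sudoers_text, prefix=HESTIA_BIN):
    """Map user -> True if passwordless, for rules that cover commands under prefix.

    Simplified parser: plain "user host=(runas) TAG: cmd, cmd" lines only,
    no aliases or includes.
    """
    found = {}
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        left, right = line.split("=", 1)
        fields = left.split()
        if len(fields) != 2:          # expect exactly "user host"
            continue
        right = re.sub(r"^\s*\([^)]*\)", "", right)    # drop the runas spec
        cmds = re.sub(r"\b[A-Z_]+:\s*", "", right)     # drop tags like NOPASSWD:
        if any(c.strip() == "ALL" or c.strip().startswith(prefix)
               for c in cmds.split(",")):
            found[fields[0]] = "NOPASSWD:" in right
    return found

def audit(sudoers_text, domains_by_user):
    """Return (user, passwordless, domains) for sudo-capable users that host sites."""
    privileged = sudo_users_for(sudoers_text)
    return [(user, privileged[user], sorted(domains))
            for user, domains in sorted(domains_by_user.items())
            if user in privileged and domains]

if __name__ == "__main__":
    for user, passwordless, domains in audit(SAMPLE_SUDOERS, SAMPLE_DOMAINS):
        print(f"{user}: web code can reach {HESTIA_BIN} via sudo "
              f"(passwordless={passwordless}); move {', '.join(domains)}")
```

An empty result means no account that hosts web content can reach the panel scripts through sudo, which is the state the advice in this thread aims for.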

Ah, got it!
Thanks for the clarification!

2 Likes
