Best practices for giving outside developer SSH access?
N00b here - I'm upgrading my website so that it isn't using a deprecated version of MySQL/PHP. I'm not comfortable enough with the code so I'm using an outside developer.
Due to this being database related they will need SSH access ... which scares me.
I'm mostly worried about this developer accessing or downloading files that they don't need/I don't want them to.
Are there activity logs when using SSH that show what files were accessed?
Is there a way to delete the logs?
ssh logging
edited Apr 16 at 2:53 by Aaron Hall
asked Apr 15 at 19:23 by Roberto Frink (new contributor)
3
Someone with root access can do basically anything, including covering virtually any tracks they might leave. If you don't have an existing reputable contact (preferably a firm, and preferably in a jurisdiction you can go after in something like small claims court), you may be better off setting up a new server, contracting them to do any development work on the codebase to bring it up to modern PHP (thus controlling what you provide them with), and installing it yourself on the new server. Even there, there's a risk of back-doors.
– ceejayoz
Apr 15 at 19:33
2
Is your developer expected to do the system upgrade for you? If so they will probably need sysadmin level access and then they can do anything and everything. But for inspiration see this Q&A of mine: serverfault.com/q/805333/37681
– HBruijn
Apr 15 at 19:34
MySQL database can be configured to allow direct remote access without need to provide SSH access. Malicious developer can add backdoor while having any access level though... (Backup is your friend)
– Anubioz
Apr 15 at 19:34
@Anubioz If a MySQL (and PHP) upgrade is required, as appears to be the case, mere access to run SQL queries won't be sufficient.
– ceejayoz
Apr 15 at 20:14
2
There are not technical solutions to every problem. The solution to this problem is the NDA.
– Michael Hampton♦
Apr 16 at 1:54
2 Answers
In a password protected area you can install for instance https://www.adminer.org/ or https://www.phpmyadmin.net/ to allow someone access to the database without giving them SSH access, but that won't allow them to upgrade the OS for you.
Almost regardless of how much you trust the developer, make a good backup beforehand of your system, settings and data.
answered Apr 15 at 19:30 by HBruijn
Awesome, thanks for the tips! My biggest fear is that there are around 100GB of proprietary/trade secret documents in one directory that I don't want the developer downloading. Is there a way to temporarily move that folder to somewhere they can't access? Realistically the code changes should only take a few hours so I suppose I could just download the entire folder and delete it from the server. Then upload it again after the fact. But is there an easier way than that?
– Roberto Frink
Apr 15 at 19:49
Frankly, if you've got 100 GB of trade secrets on an out-of-support PHP server, I'd worry less about a particular developer and more about the rest of the Internet. Taking them off the server ASAP would be a good step either way.
– ceejayoz
Apr 15 at 19:59
Thanks! That is a very astute point @ceejayoz
– Roberto Frink
Apr 15 at 20:12
No, you're allowing someone you don't trust to have root access to your servers, which means they can install a RAT in the system or mess with it. You can log files accessed and permissions by creating an account and pass for the person, but since he will need root access he can log in and then start deleting your monitoring system, which leaves you at square one. I suggest hiring a firm that has a reputation. Hiring a single person from a Craigslist ad would be asking for trouble.
edited Apr 15 at 20:13 by ceejayoz
answered Apr 15 at 20:08 by user3897632
Thanks! The developer would actually be from the company that made the specific platform I need updating. However, they are located in a different country where legal action would be unlikely which is what worries me most. But I think I am being overly paranoid.
– Roberto Frink
Apr 15 at 20:18
My advice is to just make a backup copy of the system before access. That way you can restore if there are any issues.
– user3897632
Apr 15 at 21:50
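The backup advice in both answers, and the comments' warning about back-doors, can be paired with a file-hash manifest taken before the work and compared afterwards. This is an added example, not part of the original thread; the function names and the sample site tree are constructed for illustration, and it assumes `sha256sum` (or `shasum`), `awk` and `mktemp` are available.

```shell
#!/bin/sh
# Added example (not from the thread): record a SHA-256 manifest of a web root
# before an outside developer gets access, then list what was added, changed
# or removed afterwards. Function names and sample files are hypothetical.
# Keep the "before" manifest OFF the server: anyone with root on the server
# can rewrite a manifest that is stored there.

# make_manifest DIR OUT
# Writes one "<sha256>  ./relative/path" line per regular file, sorted by path.
make_manifest() {
    [ -d "$1" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        hasher="sha256sum"
    else
        hasher="shasum -a 256"
    fi
    # $hasher is deliberately unquoted so "shasum -a 256" splits into words.
    ( cd "$1" && find . -type f -exec $hasher {} + ) | sort -k 2 > "$2"
}

# compare_manifests BEFORE AFTER
# Prints "ADDED", "CHANGED" or "REMOVED" followed by the path, sorted.
# Each manifest line is a 64-character hash, two separator characters,
# then the path starting at column 67.
compare_manifests() {
    awk '
        BEGIN {
            # Load the "before" manifest, then let awk read only the "after" one.
            before_file = ARGV[1]; ARGV[1] = ""
            while ((getline line < before_file) > 0)
                before[substr(line, 67)] = substr(line, 1, 64)
        }
        {
            hash = substr($0, 1, 64); path = substr($0, 67)
            seen[path] = 1
            if (!(path in before))          print "ADDED    " path
            else if (before[path] != hash)  print "CHANGED  " path
        }
        END {
            for (p in before) if (!(p in seen)) print "REMOVED  " p
        }
    ' "$1" "$2" | sort
}

# run_demo: builds a small constructed site tree, simulates a work session
# (one edit, one new file, one deletion) and prints the comparison.
run_demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/site/inc"
    printf '<?php echo "home";\n'   > "$work/site/index.php"
    printf '<?php // db settings\n' > "$work/site/inc/config.php"
    printf 'old notes\n'            > "$work/site/notes.txt"
    make_manifest "$work/site" "$work/before.sha256"

    printf '<?php echo "home v2";\n' > "$work/site/index.php"
    printf '<?php // new file\n'     > "$work/site/inc/extra.php"
    rm "$work/site/notes.txt"
    make_manifest "$work/site" "$work/after.sha256"

    compare_manifests "$work/before.sha256" "$work/after.sha256"
    rm -rf "$work"
}

run_demo
```

A manifest only shows what was added, changed or removed; it cannot show which files were read or copied, so taking the sensitive directory off the server beforehand still applies.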