Best practices for giving outside developer SSH access? Announcing the arrival of Valued...
Doubts about chords
How to find all the available tools in macOS terminal?
What does the "x" in "x86" represent?
Why was the term "discrete" used in discrete logarithm?
Are my PIs rude or am I just being too sensitive?
Should I discuss the type of campaign with my players?
Is high blood pressure ever a symptom attributable solely to dehydration?
Best practices for giving outside developer SSH access?
Single word antonym of "flightless"
Is there a documented rationale why the House Ways and Means chairman can demand tax info?
Is there a Spanish version of "dot your i's and cross your t's" that includes the letter 'ñ'?
Is it true that "carbohydrates are of no use for the basal metabolic need"?
What happens to sewage if there is no river near by?
Is 1 ppb equal to 1 μg/kg?
"Seemed to had" is it correct?
How can I make names more distinctive without making them longer?
Using et al. for a last / senior author rather than for a first author
List *all* the tuples!
Examples of mediopassive verb constructions
Is there a concise way to say "all of the X, one of each"?
Antler Helmet: Can it work?
How can I fade player when goes inside or outside of the area?
Disable hyphenation for an entire paragraph
Can inflation occur in a positive-sum game currency system such as the Stack Exchange reputation system?
Best practices for giving outside developer SSH access?
Announcing the arrival of Valued Associate #679: Cesar Manara
Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern)
Come Celebrate our 10 Year Anniversary!Linux: set up for remote sysadminCannot Access SSH - “Did not receive identification string from [IP]” in LogsHow to automate SSH session for a specific user from a specific IP?Best pratice for VPS setup and administration (web/ftp/ssh)What's best practice for communication between Amazon EC2 instances?Ultra Secure Linux Server SSH OnlySecurity risks of opening firewall for ssh access from internal to DMZHow to delete massive files via ftp or ssh?How do server administrators like their server logs?Folder keeps getting deleted and I can't find out whyPotential hijacked SSH session & SSH best practices
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty{ height:90px;width:728px;box-sizing:border-box;
}
N00b here - I'm upgrading my website so that it isn't using a depreciated version of MySql/ PHP. I'm not comfortable enough with the code so I'm using an outside developer.
Due to this being database related I they will need SSH access ... which scares me.
I'm mostly worried about this developer accessing or downloading files that they don't need/I don't want them to. Are there activity logs when using SSH that shows what files were accessed? Is there a way to delete the logs?
I appreciate any thoughts!
ssh logging
New contributor
add a comment |
N00b here - I'm upgrading my website so that it isn't using a depreciated version of MySql/ PHP. I'm not comfortable enough with the code so I'm using an outside developer.
Due to this being database related I they will need SSH access ... which scares me.
I'm mostly worried about this developer accessing or downloading files that they don't need/I don't want them to. Are there activity logs when using SSH that shows what files were accessed? Is there a way to delete the logs?
I appreciate any thoughts!
ssh logging
New contributor
3
Someone with root access can do basically anything, including covering virtually any tracks they might leave. If you don't have an existing reputable contact (preferably a firm, and preferably in a jurisdiction you can go after in something like small claims court), you may be better off setting up a new server, contracting them to do any development work on the codebase to bring it up to modern PHP (thus controlling what you provide them with), and installing it yourself on the new server. Even there, there's a risk of back-doors.
– ceejayoz
6 hours ago
2
Is your developer expected to do the system upgrade for you? If so they will probably need sysadmin level acces and then they can do anything and everything. But for inspiration see this Q&A of mine: serverfault.com/q/805333/37681
– HBruijn
6 hours ago
Mysql database can be configured to allow direct remote access without need to provide SSH access. Malicious developer can add backdoor while having any access level though... (Backup is your friend)
– Anubioz
6 hours ago
@Anubioz If a MySQL (and PHP) upgrade is required, as appears to be the case, mere access to run SQL queries won't be sufficient.
– ceejayoz
5 hours ago
@ceejayoz I considered the MySQL/PHP versions already to be upgraded on the host for the developer to fix compatability issues with the web app itself (since updating OS for latest software version otherwise might be non-trivial task, usually unsuited for them ))
– Anubioz
5 hours ago
add a comment |
N00b here - I'm upgrading my website so that it isn't using a depreciated version of MySql/ PHP. I'm not comfortable enough with the code so I'm using an outside developer.
Due to this being database related I they will need SSH access ... which scares me.
I'm mostly worried about this developer accessing or downloading files that they don't need/I don't want them to. Are there activity logs when using SSH that shows what files were accessed? Is there a way to delete the logs?
I appreciate any thoughts!
ssh logging
New contributor
N00b here - I'm upgrading my website so that it isn't using a depreciated version of MySql/ PHP. I'm not comfortable enough with the code so I'm using an outside developer.
Due to this being database related I they will need SSH access ... which scares me.
I'm mostly worried about this developer accessing or downloading files that they don't need/I don't want them to. Are there activity logs when using SSH that shows what files were accessed? Is there a way to delete the logs?
I appreciate any thoughts!
ssh logging
ssh logging
New contributor
New contributor
New contributor
asked 6 hours ago
Roberto FrinkRoberto Frink
111
111
New contributor
New contributor
3
Someone with root access can do basically anything, including covering virtually any tracks they might leave. If you don't have an existing reputable contact (preferably a firm, and preferably in a jurisdiction you can go after in something like small claims court), you may be better off setting up a new server, contracting them to do any development work on the codebase to bring it up to modern PHP (thus controlling what you provide them with), and installing it yourself on the new server. Even there, there's a risk of back-doors.
– ceejayoz
6 hours ago
2
Is your developer expected to do the system upgrade for you? If so they will probably need sysadmin level acces and then they can do anything and everything. But for inspiration see this Q&A of mine: serverfault.com/q/805333/37681
– HBruijn
6 hours ago
Mysql database can be configured to allow direct remote access without need to provide SSH access. Malicious developer can add backdoor while having any access level though... (Backup is your friend)
– Anubioz
6 hours ago
@Anubioz If a MySQL (and PHP) upgrade is required, as appears to be the case, mere access to run SQL queries won't be sufficient.
– ceejayoz
5 hours ago
@ceejayoz I considered the MySQL/PHP versions already to be upgraded on the host for the developer to fix compatability issues with the web app itself (since updating OS for latest software version otherwise might be non-trivial task, usually unsuited for them ))
– Anubioz
5 hours ago
add a comment |
3
Someone with root access can do basically anything, including covering virtually any tracks they might leave. If you don't have an existing reputable contact (preferably a firm, and preferably in a jurisdiction you can go after in something like small claims court), you may be better off setting up a new server, contracting them to do any development work on the codebase to bring it up to modern PHP (thus controlling what you provide them with), and installing it yourself on the new server. Even there, there's a risk of back-doors.
– ceejayoz
6 hours ago
2
Is your developer expected to do the system upgrade for you? If so they will probably need sysadmin level acces and then they can do anything and everything. But for inspiration see this Q&A of mine: serverfault.com/q/805333/37681
– HBruijn
6 hours ago
Mysql database can be configured to allow direct remote access without need to provide SSH access. Malicious developer can add backdoor while having any access level though... (Backup is your friend)
– Anubioz
6 hours ago
@Anubioz If a MySQL (and PHP) upgrade is required, as appears to be the case, mere access to run SQL queries won't be sufficient.
– ceejayoz
5 hours ago
@ceejayoz I considered the MySQL/PHP versions already to be upgraded on the host for the developer to fix compatability issues with the web app itself (since updating OS for latest software version otherwise might be non-trivial task, usually unsuited for them ))
– Anubioz
5 hours ago
3
3
Someone with root access can do basically anything, including covering virtually any tracks they might leave. If you don't have an existing reputable contact (preferably a firm, and preferably in a jurisdiction you can go after in something like small claims court), you may be better off setting up a new server, contracting them to do any development work on the codebase to bring it up to modern PHP (thus controlling what you provide them with), and installing it yourself on the new server. Even there, there's a risk of back-doors.
– ceejayoz
6 hours ago
Someone with root access can do basically anything, including covering virtually any tracks they might leave. If you don't have an existing reputable contact (preferably a firm, and preferably in a jurisdiction you can go after in something like small claims court), you may be better off setting up a new server, contracting them to do any development work on the codebase to bring it up to modern PHP (thus controlling what you provide them with), and installing it yourself on the new server. Even there, there's a risk of back-doors.
– ceejayoz
6 hours ago
2
2
Is your developer expected to do the system upgrade for you? If so they will probably need sysadmin level acces and then they can do anything and everything. But for inspiration see this Q&A of mine: serverfault.com/q/805333/37681
– HBruijn
6 hours ago
Is your developer expected to do the system upgrade for you? If so they will probably need sysadmin level acces and then they can do anything and everything. But for inspiration see this Q&A of mine: serverfault.com/q/805333/37681
– HBruijn
6 hours ago
Mysql database can be configured to allow direct remote access without need to provide SSH access. Malicious developer can add backdoor while having any access level though... (Backup is your friend)
– Anubioz
6 hours ago
Mysql database can be configured to allow direct remote access without need to provide SSH access. Malicious developer can add backdoor while having any access level though... (Backup is your friend)
– Anubioz
6 hours ago
@Anubioz If a MySQL (and PHP) upgrade is required, as appears to be the case, mere access to run SQL queries won't be sufficient.
– ceejayoz
5 hours ago
@Anubioz If a MySQL (and PHP) upgrade is required, as appears to be the case, mere access to run SQL queries won't be sufficient.
– ceejayoz
5 hours ago
@ceejayoz I considered the MySQL/PHP versions already to be upgraded on the host for the developer to fix compatability issues with the web app itself (since updating OS for latest software version otherwise might be non-trivial task, usually unsuited for them ))
– Anubioz
5 hours ago
@ceejayoz I considered the MySQL/PHP versions already to be upgraded on the host for the developer to fix compatability issues with the web app itself (since updating OS for latest software version otherwise might be non-trivial task, usually unsuited for them ))
– Anubioz
5 hours ago
add a comment |
2 Answers
2
active
oldest
votes
In a password protected area you can install for instance https://www.adminer.org/ or https://www.phpmyadmin.net/ to allow someone access to the database without giving them SSH access, but that won't allow them to upgrade the OS for you.
Almost regardless of how much you trust the developer, make a good backup beforehand of your system, settings and data.
Awesome, thanks for the tips! My biggest fear is that there are around 100GB of proprietary/ trade secret documents in one directory that I don't want the developer downloading. Is there a way to temporary move that folder to somewhere they can't access? Realistically the code changes should only take a few hours so I suppose I could just download the entire folder and delete it from the server. Then upload it again after the fact. But is there an easier way than that?
– Roberto Frink
5 hours ago
Frankly, if you've got 100 GB of trade secrets on an out-of-support PHP server, I'd worry less about a particular developer and more about the rest of the Internet. Taking them off the server ASAP would be a good step either way.
– ceejayoz
5 hours ago
Thanks! That is a very astute point @ceejayoz
– Roberto Frink
5 hours ago
add a comment |
No, you're allowing someone you don't trust to have root access to your servers. which means they can install a rat in the system or mess with it. you can log files accessed and permissions by creating an account and pass for the person but since he will need root access he can log in and then start deleting your monitoring system. which leaves you to square one. i suggest hire a firm that has reputation. hiring a single person from a craigslist ad would be asking for trouble.
Thanks! The developer would actually be from the company that made the specific platform I need updating. However, they are located in a different country where legal action would be unlikely which is what worries me most. But I think I am being overly paranoid.
– Roberto Frink
5 hours ago
my advice is just make a backup copy of the system before access. that way you can restore if there's any issues.
– user3897632
3 hours ago
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Roberto Frink is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963175%2fbest-practices-for-giving-outside-developer-ssh-access%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
In a password protected area you can install for instance https://www.adminer.org/ or https://www.phpmyadmin.net/ to allow someone access to the database without giving them SSH access, but that won't allow them to upgrade the OS for you.
Almost regardless of how much you trust the developer, make a good backup beforehand of your system, settings and data.
Awesome, thanks for the tips! My biggest fear is that there are around 100GB of proprietary/ trade secret documents in one directory that I don't want the developer downloading. Is there a way to temporary move that folder to somewhere they can't access? Realistically the code changes should only take a few hours so I suppose I could just download the entire folder and delete it from the server. Then upload it again after the fact. But is there an easier way than that?
– Roberto Frink
5 hours ago
Frankly, if you've got 100 GB of trade secrets on an out-of-support PHP server, I'd worry less about a particular developer and more about the rest of the Internet. Taking them off the server ASAP would be a good step either way.
– ceejayoz
5 hours ago
Thanks! That is a very astute point @ceejayoz
– Roberto Frink
5 hours ago
add a comment |
In a password protected area you can install for instance https://www.adminer.org/ or https://www.phpmyadmin.net/ to allow someone access to the database without giving them SSH access, but that won't allow them to upgrade the OS for you.
Almost regardless of how much you trust the developer, make a good backup beforehand of your system, settings and data.
Awesome, thanks for the tips! My biggest fear is that there are around 100GB of proprietary/ trade secret documents in one directory that I don't want the developer downloading. Is there a way to temporary move that folder to somewhere they can't access? Realistically the code changes should only take a few hours so I suppose I could just download the entire folder and delete it from the server. Then upload it again after the fact. But is there an easier way than that?
– Roberto Frink
5 hours ago
Frankly, if you've got 100 GB of trade secrets on an out-of-support PHP server, I'd worry less about a particular developer and more about the rest of the Internet. Taking them off the server ASAP would be a good step either way.
– ceejayoz
5 hours ago
Thanks! That is a very astute point @ceejayoz
– Roberto Frink
5 hours ago
add a comment |
In a password protected area you can install for instance https://www.adminer.org/ or https://www.phpmyadmin.net/ to allow someone access to the database without giving them SSH access, but that won't allow them to upgrade the OS for you.
Almost regardless of how much you trust the developer, make a good backup beforehand of your system, settings and data.
In a password protected area you can install for instance https://www.adminer.org/ or https://www.phpmyadmin.net/ to allow someone access to the database without giving them SSH access, but that won't allow them to upgrade the OS for you.
Almost regardless of how much you trust the developer, make a good backup beforehand of your system, settings and data.
answered 6 hours ago
HBruijnHBruijn
56.5k1190150
56.5k1190150
Awesome, thanks for the tips! My biggest fear is that there are around 100GB of proprietary/ trade secret documents in one directory that I don't want the developer downloading. Is there a way to temporary move that folder to somewhere they can't access? Realistically the code changes should only take a few hours so I suppose I could just download the entire folder and delete it from the server. Then upload it again after the fact. But is there an easier way than that?
– Roberto Frink
5 hours ago
Frankly, if you've got 100 GB of trade secrets on an out-of-support PHP server, I'd worry less about a particular developer and more about the rest of the Internet. Taking them off the server ASAP would be a good step either way.
– ceejayoz
5 hours ago
Thanks! That is a very astute point @ceejayoz
– Roberto Frink
5 hours ago
add a comment |
Awesome, thanks for the tips! My biggest fear is that there are around 100GB of proprietary/ trade secret documents in one directory that I don't want the developer downloading. Is there a way to temporary move that folder to somewhere they can't access? Realistically the code changes should only take a few hours so I suppose I could just download the entire folder and delete it from the server. Then upload it again after the fact. But is there an easier way than that?
– Roberto Frink
5 hours ago
Frankly, if you've got 100 GB of trade secrets on an out-of-support PHP server, I'd worry less about a particular developer and more about the rest of the Internet. Taking them off the server ASAP would be a good step either way.
– ceejayoz
5 hours ago
Thanks! That is a very astute point @ceejayoz
– Roberto Frink
5 hours ago
Awesome, thanks for the tips! My biggest fear is that there are around 100GB of proprietary/ trade secret documents in one directory that I don't want the developer downloading. Is there a way to temporary move that folder to somewhere they can't access? Realistically the code changes should only take a few hours so I suppose I could just download the entire folder and delete it from the server. Then upload it again after the fact. But is there an easier way than that?
– Roberto Frink
5 hours ago
Awesome, thanks for the tips! My biggest fear is that there are around 100GB of proprietary/ trade secret documents in one directory that I don't want the developer downloading. Is there a way to temporary move that folder to somewhere they can't access? Realistically the code changes should only take a few hours so I suppose I could just download the entire folder and delete it from the server. Then upload it again after the fact. But is there an easier way than that?
– Roberto Frink
5 hours ago
Frankly, if you've got 100 GB of trade secrets on an out-of-support PHP server, I'd worry less about a particular developer and more about the rest of the Internet. Taking them off the server ASAP would be a good step either way.
– ceejayoz
5 hours ago
Frankly, if you've got 100 GB of trade secrets on an out-of-support PHP server, I'd worry less about a particular developer and more about the rest of the Internet. Taking them off the server ASAP would be a good step either way.
– ceejayoz
5 hours ago
Thanks! That is a very astute point @ceejayoz
– Roberto Frink
5 hours ago
Thanks! That is a very astute point @ceejayoz
– Roberto Frink
5 hours ago
add a comment |
No, you're allowing someone you don't trust to have root access to your servers. which means they can install a rat in the system or mess with it. you can log files accessed and permissions by creating an account and pass for the person but since he will need root access he can log in and then start deleting your monitoring system. which leaves you to square one. i suggest hire a firm that has reputation. hiring a single person from a craigslist ad would be asking for trouble.
Thanks! The developer would actually be from the company that made the specific platform I need updating. However, they are located in a different country where legal action would be unlikely which is what worries me most. But I think I am being overly paranoid.
– Roberto Frink
5 hours ago
my advice is just make a backup copy of the system before access. that way you can restore if there's any issues.
– user3897632
3 hours ago
add a comment |
No, you're allowing someone you don't trust to have root access to your servers. which means they can install a rat in the system or mess with it. you can log files accessed and permissions by creating an account and pass for the person but since he will need root access he can log in and then start deleting your monitoring system. which leaves you to square one. i suggest hire a firm that has reputation. hiring a single person from a craigslist ad would be asking for trouble.
Thanks! The developer would actually be from the company that made the specific platform I need updating. However, they are located in a different country where legal action would be unlikely which is what worries me most. But I think I am being overly paranoid.
– Roberto Frink
5 hours ago
my advice is just make a backup copy of the system before access. that way you can restore if there's any issues.
– user3897632
3 hours ago
add a comment |
No, you're allowing someone you don't trust to have root access to your servers. which means they can install a rat in the system or mess with it. you can log files accessed and permissions by creating an account and pass for the person but since he will need root access he can log in and then start deleting your monitoring system. which leaves you to square one. i suggest hire a firm that has reputation. hiring a single person from a craigslist ad would be asking for trouble.
No, you're allowing someone you don't trust to have root access to your servers. which means they can install a rat in the system or mess with it. you can log files accessed and permissions by creating an account and pass for the person but since he will need root access he can log in and then start deleting your monitoring system. which leaves you to square one. i suggest hire a firm that has reputation. hiring a single person from a craigslist ad would be asking for trouble.
edited 5 hours ago
ceejayoz
27.1k66392
27.1k66392
answered 5 hours ago
user3897632user3897632
224
224
Thanks! The developer would actually be from the company that made the specific platform I need updating. However, they are located in a different country where legal action would be unlikely which is what worries me most. But I think I am being overly paranoid.
– Roberto Frink
5 hours ago
my advice is just make a backup copy of the system before access. that way you can restore if there's any issues.
– user3897632
3 hours ago
add a comment |
Thanks! The developer would actually be from the company that made the specific platform I need updating. However, they are located in a different country where legal action would be unlikely which is what worries me most. But I think I am being overly paranoid.
– Roberto Frink
5 hours ago
my advice is just make a backup copy of the system before access. that way you can restore if there's any issues.
– user3897632
3 hours ago
Thanks! The developer would actually be from the company that made the specific platform I need updating. However, they are located in a different country where legal action would be unlikely which is what worries me most. But I think I am being overly paranoid.
– Roberto Frink
5 hours ago
Thanks! The developer would actually be from the company that made the specific platform I need updating. However, they are located in a different country where legal action would be unlikely which is what worries me most. But I think I am being overly paranoid.
– Roberto Frink
5 hours ago
my advice is just make a backup copy of the system before access. that way you can restore if there's any issues.
– user3897632
3 hours ago
my advice is just make a backup copy of the system before access. that way you can restore if there's any issues.
– user3897632
3 hours ago
add a comment |
Roberto Frink is a new contributor. Be nice, and check out our Code of Conduct.
Roberto Frink is a new contributor. Be nice, and check out our Code of Conduct.
Roberto Frink is a new contributor. Be nice, and check out our Code of Conduct.
Roberto Frink is a new contributor. Be nice, and check out our Code of Conduct.
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f963175%2fbest-practices-for-giving-outside-developer-ssh-access%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
3
Someone with root access can do basically anything, including covering virtually any tracks they might leave. If you don't have an existing reputable contact (preferably a firm, and preferably in a jurisdiction you can go after in something like small claims court), you may be better off setting up a new server, contracting them to do any development work on the codebase to bring it up to modern PHP (thus controlling what you provide them with), and installing it yourself on the new server. Even there, there's a risk of back-doors.
– ceejayoz
6 hours ago
2
Is your developer expected to do the system upgrade for you? If so they will probably need sysadmin level acces and then they can do anything and everything. But for inspiration see this Q&A of mine: serverfault.com/q/805333/37681
– HBruijn
6 hours ago
Mysql database can be configured to allow direct remote access without need to provide SSH access. Malicious developer can add backdoor while having any access level though... (Backup is your friend)
– Anubioz
6 hours ago
@Anubioz If a MySQL (and PHP) upgrade is required, as appears to be the case, mere access to run SQL queries won't be sufficient.
– ceejayoz
5 hours ago
@ceejayoz I considered the MySQL/PHP versions already to be upgraded on the host for the developer to fix compatability issues with the web app itself (since updating OS for latest software version otherwise might be non-trivial task, usually unsuited for them ))
– Anubioz
5 hours ago