#1  
Old 10th July 2013, 08:48
harkman harkman is offline
Junior Member
 
Join Date: Aug 2012
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default Security level for websites

Hello.

I have an issue with the security levels for the websites, configurable under System->Server Config->Web.

The manual tells me:
Quote:
Security level: This defines how permissions and ownerships are set for the Website path directory.
• Medium: The directory is owned by root and readable for all users.
• High: The directory is owned by the web site user and cannot be read by other users. It is recommended to choose High.
I need a third type of folder access rights.
I have resellers on my server that maintain a couple of sites they own. Most of the domains/pages are created under the reseller account, sharing the same group (clientXY) but with different user.
I need a security level that looks like this:
Directory owned by web site user and readable and writable by the same group, but not accessible for others.

Is it possible to add this to ISPConfig myself? Maybe you (Till) want this to be part of the next update for ISPConfig.

The reason why I ask for this is the need of my reseller to access and maintain all the sites under his clientId with one FTP account. Currently he can only see and edit files in one site and needs to create an FTP user for every site he creates. This is a little bit annoying.

Regards, Jürgen
  #2  
Old 10th July 2013, 17:56
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,483
Thanks: 835
Thanked 5,524 Times in 4,345 Posts
Default

The permission schemes are finely balanced permissions to meet the requirements of all subsystems like webserver, ftp, ssh, jails, cronjobs etc. It might be that some subsystems will fail with a security error if you change the permissions like you described above.

E.g. if the directory /var/www/clients/client1/web1/ would be owned by the web user and not root, then security features like ssh jails or jailed cronjobs will fail.

You may change the security scheme for your servers of course if you don't need a secure system, all you have to do is to write your own apache / nginx ispconfig plugins based on the plugins that we deliver. Also the cron* plugins and the ssh user plugins will have to be altered.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 11th July 2013, 08:55
harkman harkman is offline
Junior Member
 
Join Date: Aug 2012
Posts: 9
Thanks: 0
Thanked 0 Times in 0 Posts
Default

Quote:
Originally Posted by till View Post
E.g. if the directory /var/www/clients/client1/web1/ would be owned by the web user and not root, then security features like ssh jails or jailed cronjobs will fail.
Sorry, but this can't be true as the standard security options "High" already set all web* directories to 0710 and owner is already the web user. This is documented in the current manual too:
Quote:
• Security level: This defines how permissions and ownerships are set for the Website path directory.
• Medium: The directory is owned by root and readable for all users.
• High: The directory is owned by the web site user and cannot be read by other users. It is recommended to choose High.
The High level now disables FTP users to see all the webs they own (Group). I'd prefer to have an additional Security level that will add read/write access to Group for all webs that belong to the same client.

Regards, Jürgen
  #4  
Old 11th July 2013, 11:24
till till is online now
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 36,483
Thanks: 835
Thanked 5,524 Times in 4,345 Posts
 
Default

Quote:
Sorry, but this can't be true as the standard security options "High" already set all web* directories to 0710 and owner is already the web user. This is documented in the current manual too:
I am talking about the web root directory (see my example above /var/www/clients/client1/web1/), the documentation refers to the "web" directory that holds the html and php files /var/www/clients/client1/web1/web/

Quote:
The High level now disables FTP users to see all the webs they own (Group). I'd prefer to have an additional Security level that will add read/write access to Group for all webs that belong to the same client.
OK. I thought you meant the web root. If you refer only to the "web" html file directory, then this can be changed most likely.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
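
The permission bits discussed in this thread, worked through as an added example (not part of any post and not ISPConfig code). It compares the 0710 mode cited above for the High level with 0770, an assumed mode for the requested owner-plus-group level; the uids, gids and function names are constructed for illustration.

```python
import stat

# Constructed sample identities (assumptions, not values from the thread).
WEB1, WEB2, OUTSIDER = 5001, 5002, 6001   # uids: site owner, sibling site, unrelated
CLIENT_GID, OTHER_GID = 5000, 6000        # gids: shared client group, unrelated

def dir_access(mode, owner_uid, owner_gid, uid, gids):
    """Return the subset of 'rwx' a non-root process gets on a directory.

    POSIX selects exactly one class (owner, else group, else other);
    there is no fall-through to a more permissive class.
    """
    if uid == owner_uid:
        r, w, x = stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR
    elif owner_gid in gids:
        r, w, x = stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP
    else:
        r, w, x = stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH
    return "".join(c for c, bit in (("r", r), ("w", w), ("x", x)) if mode & bit)

def capabilities(access):
    """Translate directory bits into what a session can do in that directory."""
    return {
        "enter": "x" in access,   # chdir into it / reach known paths below it
        "list": "r" in access,    # read the directory's entry names
        # w+x allows creating, renaming and deleting entries, including
        # files owned by another user, unless the sticky bit is set.
        "modify_entries": "w" in access and "x" in access,
    }

def compare(modes=(0o710, 0o770)):
    """Evaluate a sibling-site user and an outsider against web1's web/ dir."""
    result = {}
    for mode in modes:
        result[oct(mode)] = {
            "sibling": capabilities(
                dir_access(mode, WEB1, CLIENT_GID, WEB2, {CLIENT_GID})),
            "outsider": capabilities(
                dir_access(mode, WEB1, CLIENT_GID, OUTSIDER, {OTHER_GID})),
        }
    return result

if __name__ == "__main__":
    for mode, who in compare().items():
        print(mode, who)
```

With 0710 a member of the client group can enter the directory but not list it, which matches the FTP behaviour reported in the thread. With 0770 every account in that group can also delete or replace entries in a sibling site's directory, so a compromise of one site reaches all sites of the same client.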
All times are GMT +2.