#1
8th August 2010, 16:27
fatbear
Member
Join Date: Jul 2010
Location: Raleigh, NC US
Posts: 41
Thanks: 4
Thanked 9 Times in 4 Posts

Client-Level Access vs Web-Level Access

FTP and Shell access seems to be defined only in terms of access to websites (e.g., /var/www/clients/client1/web5). This is a problem for the account owner who needs to access everything (e.g., /var/www/clients/client1). I am legally obligated to make all content conveniently available to account owners. All content ("everything") includes all website content, all e-mail content, all generated statistics, all databases, etc.

How can I make it so that:

1. The client can FTP and see everything in their account?
2. The client can SSH into the server and see everything in their account?

This is a very basic need, so I'm hoping there is a solution to this within the GUI.

If there is not a present GUI solution, I can deal with a short-term manual approach.
__________________
Steve Amerige, Fat Bear Incorporated
Server Leasing | Web Software Development | User Experience & Graphic Design
Managed Services, Website, Java, and Source-Code Hosting
Did my post help you? Click the Thanks button!
#2
8th August 2010, 16:50
till
Super Moderator
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,972
Thanks: 825
Thanked 5,367 Times in 4,214 Posts

Every website has its own Linux system user. The FTP user accounts and SSH accounts on Linux work on system user level. So you cannot access more than one website with a given SSH or FTP user account, as this FTP/SSH user will not have any permissions to access the content of another website.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
#3
8th August 2010, 17:21
fatbear

This is very inconvenient. Note that FTP users are not necessarily created to manage websites. They might be people who are providing data to the account owner for other reasons. For example, one customer is a certified public accountant. His clients upload their tax data to his website via FTP. He has many hundreds of clients.

So, if he has the UID:GID entries:

web1:client1 - /home/clients/client1/web1
web2:client1 - /home/clients/client1/web2
...
web999:client1 - /home/clients/client1/web999

Then, it would be unacceptably inconvenient for him to get data from his clients by needing to deal with individual user's usernames and passwords.

Why not just create an FTP account for the client? Such as:

client1:client1 - /home/clients/client1

This approach works equally well for SSH and allows the client to see everything under his/her account.

This should be simple, right?
__________________
Steve Amerige, Fat Bear Incorporated
#4
8th August 2010, 17:30
till

Quote:
This should be simple, right?

No, it's not that simple. This permission system is a very complex field that deals with script permissions etc. as well, incl. jails etc. You might want to take a look into the code of the diverse server plugins to see how it works. The system you describe is quite insecure: if the client hosts e.g. 999 websites as in your example, and e.g. one of the sites is a Joomla website and this single site has a vulnerable plugin installed (which happens quite often if you run a hosting server, as your clients will not care about updating their scripts), then in your install he will lose 999 sites or 999 sites get defaced. In the current setup, only one site gets defaced. Another example: almost all clients and agencies use software like Dreamweaver to manage the site contents. Dreamweaver always manages sites by site and not by client, so you need a dedicated FTP account per site anyway.

Quote:
Then, it would be unacceptably inconvenient for him to get data from his clients by needing to deal with individual user's usernames and passwords.

That's not the case in ISPConfig. In ISPConfig, you may have as many SSH and FTP users per website. So the webdesign agency has its own FTP account to the site and the client gets another account for the same site. They do not need to know the password of the other account.
__________________
Till Brehm
#5
8th August 2010, 17:41
fatbear

The client actually has only 1 website... they have hundreds of customers. Each customer uses FTP to upload data to the client. With the current control panel (VirtualminPro), the FTP area is outside of all website directories.

The problem is the assumption that FTP is for website use only. My customer needs FTP just as a way of allowing customers to provide data to him. So, he needs an FTP account for himself whereby he can see his entire account, and customers need FTP accounts so they can upload data. But none of these FTP accounts are being used for website management at all.

I have many customers that do business this way... mostly clients that have vendors that need to upload information to the client.

I can't ask customers to change the way they're doing business. I need the control panel to enable users to do as I'm describing above.
__________________
Steve Amerige, Fat Bear Incorporated
#6
8th August 2010, 17:53
till

Quote:
The client actually has only 1 website... they have hundreds of customers. Each customer uses FTP to upload data to the client. With the current control panel (VirtualminPro), the FTP area is outside of all website directories.

The problem is the assumption that FTP is for website use only. My customer needs FTP just as a way of allowing customers to provide data to him. So, he needs an FTP account for himself whereby he can see his entire account, and customers need FTP accounts so they can upload data. But none of these FTP accounts are being used for website management at all.

Ok, now we come to the real point. You just want to provide customers with an upload area with different usernames by FTP. That's pretty easy to do in ISPConfig as well. You mixed up the website access restrictions with the FTP restrictions and client restrictions.

Every website can have as many independent FTP accounts as well and every FTP account can have its own directory outside of the website document root which is accessible by FTP. That's why you can set the path in the FTP user settings.

So the setup you use is simply:

Create one FTP user where you don't change the path; this user will be able to access all directories of the FTP sub users. Then create as many sub users as you need and change the path to a subdirectory of the web basedir, e.g. change it from /var/www/clients/client2/web11/ to /var/www/clients/client2/web11/clientuplods/cust1. Then this FTP user can only access the /var/www/clients/client2/web11/clientuplods/cust1 directory.

But for the scenario that you describe you would normally use WebDAV these days, as it allows clients with Windows or Mac computers to access the upload directories from their file explorer. The upload functionality with WebDAV is available in the current 3.0.3 beta.
__________________
Till Brehm

Last edited by till; 8th August 2010 at 18:00. Reason: typos
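
An added example, not part of the thread and not ISPConfig code: a path-only audit of the layout described in the post above, with one FTP user on the web base directory and sub users confined to subdirectories. The account names and the functions `classify` and `audit` are hypothetical; the paths follow the post.

```python
import posixpath

# Constructed sample data. Paths follow the layout in the post above;
# the account names are hypothetical.
WEB_BASE = "/var/www/clients/client2/web11/"
ACCOUNTS = {
    "owner": "/var/www/clients/client2/web11/",
    "cust1": "/var/www/clients/client2/web11/clientuplods/cust1",
    "cust2": "/var/www/clients/client2/web11/clientuplods/cust2",
    "cust3": "/var/www/clients/client2/web11/clientuplods/cust3/../../..",
    "cust4": "/var/www/clients/client2/web11/clientuplods",
    "cust5": "/var/www/clients/client2/web110/drop",
}

def classify(web_base, ftp_dir):
    """Return 'full', 'confined' or 'escapes' for one FTP path setting."""
    base = posixpath.normpath(web_base)
    path = posixpath.normpath(ftp_dir)  # collapses '..' and trailing '/'
    if path == base:
        return "full"        # the one account that sees every upload dir
    if path.startswith(base + "/"):  # '/' stops web11 matching web110
        return "confined"
    return "escapes"         # outside the website's base directory

def audit(web_base, accounts):
    """Return (classes, overlaps) for {ftp_username: path}.

    overlaps lists (a, b) where confined account a can reach b's directory.
    String check only: symlinks are not resolved, so on a live server
    compare os.path.realpath() results instead.
    """
    classes = {u: classify(web_base, d) for u, d in accounts.items()}
    confined = {u: posixpath.normpath(d) + "/"
                for u, d in accounts.items() if classes[u] == "confined"}
    overlaps = sorted((a, b) for a, pa in confined.items()
                      for b, pb in confined.items()
                      if a != b and pb.startswith(pa))
    return classes, overlaps

if __name__ == "__main__":
    classes, overlaps = audit(WEB_BASE, ACCOUNTS)
    for user in ACCOUNTS:
        print(f"{user:6} {classes[user]}")
    for a, b in overlaps:
        print(f"{a} can reach the upload directory of {b}")
```

Accounts reported as `escapes` or listed in `overlaps` are the ones to review, since they break the one-directory-per-sub-user isolation the post relies on.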
#7
8th August 2010, 18:31
fatbear

Thanks, Till, for your replies. Your workaround does help... but, the workaround requires the end user to be educated on how to do more advanced configurations.

Keep it Simple - I think when a client is added to the system, an FTP (and/or webDAV) account might be created to enable the user to see everything that "belongs" to him/her. This should be automatic, with nothing for the user to do. (Similarly, when a website is created, DNS entries should also be created.)

Not Just for Websites - And, some of my clients don't even have websites... some are software developers that are just looking to use our servers to maintain their source code. We provide Subversion and other source-code control systems.

So, it still strikes me as odd that FTP is being attached only to websites. FTP is just about choosing a place on the fileserver that the end user will have access to. The same with SSH.

While I can manually do what you suggest, it is the case that most clients will not be able to do this. It is hard enough to teach them the basics.

For permissions, I think the client should have access to everything via group permissions. Users can own any subtree of the client space. It doesn't matter what it is going to be used for (web, code development, or just plain storage). I think the bottom line is that the GID=client's GID in all cases. The UIDs are assigned as needed for different purposes. The mode (chmod) should be u=rwX,g+rwX,o-a with a umask of 007.

I think the bottom line is that the control panel should allow Clients to assign users to any portion of the filesystem that they own. It is reasonable that the Client and Web users be created automatically. And, Clients should be able to add additional users associated with any directory under the Clients' available space.
__________________
Steve Amerige, Fat Bear Incorporated
All times are GMT +2.