  #1  
Old 22nd November 2011, 12:16
Nebhead
Easy administration via FTP/SCP?

Hi all,

I'm a little frustrated with how difficult it is to centrally manage a large number of websites through ISPConfig, as I am required to have a separate FTP account for each website. This means I need to constantly switch between accounts.

Is there any way I can set up an "admin" ftp account (or, preferably, an admin shell account so I can use SCP instead of FTP) which has read/write access to all clients/sites? This would make my life so much easier!

Thanks,
Ben
  #2  
Old 22nd November 2011, 12:32
till

Quote:
Is there any way I can set up an "admin" ftp account (or, preferably, an admin shell account so I can use SCP instead of FTP) which has read/write access to all clients/sites? This would make my life so much easier!
This is not possible as websites in ISPConfig run under different Linux system users for security reasons. An FTP user is assigned to one system user, so it can only access one website.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #3  
Old 22nd November 2011, 13:08
Nebhead

Quote:
Originally Posted by till
This is not possible as websites in ISPConfig run under different Linux system users for security reasons. An FTP user is assigned to one system user, so it can only access one website.
But this makes administration a nightmare. If I set up a client's website, gave them FTP access, and allowed them to run their own site, the only way I could see what they're uploading and/or help them with their problems is by logging in with the same account they use!

Surely it's more secure to have an admin account rather than requiring usernames/passwords to be shared between users?
  #4  
Old 22nd November 2011, 13:58
till

Quote:
But this makes administration a nightmare. If I set up a client's website, gave them FTP access, and allowed them to run their own site, the only way I could see what they're uploading and/or help them with their problems is by logging in with the same account they use!
Such administration tasks are normally done with the root login, which can access all sites. You can do this as shell access (e.g. PuTTY) or SCP access (with e.g. WinSCP). If you use the root account, then don't forget to change the owner of uploaded files to the user and group of the website.

Quote:
Surely it's more secure to have an admin account rather than requiring usernames/passwords to be shared between users?
Why should you share passwords? A website can have as many FTP users and SSH users as you need, which all run under the same system user internally. So you have multiple username / password combinations for the same website and don't share any login information with others.

Running all websites under just one user is not an option for a hosting system. If you would do that and one website of a client gets hacked, then you will lose all websites to the hacker.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #5  
Old 22nd November 2011, 14:11
Nebhead

Quote:
Originally Posted by till
Such administration tasks are normally done with the root login, which can access all sites. You can do this as shell access (e.g. PuTTY) or SCP access (with e.g. WinSCP). If you use the root account, then don't forget to change the owner of uploaded files to the user and group of the website.
I really don't like the idea of using the server's root account for every-day admin tasks.


Quote:
Originally Posted by till
Why should you share passwords? A website can have as many FTP users and SSH users as you need, which all run under the same system user internally. So you have multiple username / password combinations for the same website and don't share any login information with others.
Good point, didn't think about setting up multiple users for the same website. Still, it adds administrative overhead.

Quote:
Originally Posted by till
Running all websites under just one user is not an option for a hosting system. If you would do that and one website of a client gets hacked, then you will lose all websites to the hacker.
I agree that normal user accounts should be restricted to only view their own sites. But why not make all site folders read/writeable by an "admin" group (or something similar)? Only I would be able to add accounts to that group, so it's only my account that is the point of weakness (rather than every user's account).



As an aside, how does apache write files to the disk (e.g. folders uploaded through a web interface) if all sites are locked down to specific users?
  #6  
Old 22nd November 2011, 14:24
till

Quote:
As an aside, how does apache write files to the disk (e.g. folders uploaded through a web interface) if all sites are locked down to specific users?
Apache switches the user under which scripts are run. See suexec in apache docs.

Quote:
I agree that normal user accounts should be restricted to only view their own sites. But why not make all site folders read/writeable by an "admin" group (or something similar)? Only I would be able to add accounts to that group, so it's only my account that is the point of weakness (rather than every user's account).
This won't work as the group of a file is already required to allow the apache user to get read access to html files.

One thing that you can do is that you add your own system user and then add this system user to all client groups on the server. The drawback is that uploaded files then are owned by the wrong user (your admin user) so that e.g. suphp will use your system user then to execute these scripts and not the web user as suphp gets the user to run a script from the script owner. Only system administrators like root are excluded from that.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
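
Added example (not part of the thread and not ISPConfig code): a POSIX shell check for the ownership drift described in posts #4 and #6, where files uploaded as root or as a separate admin user end up owned by the wrong account. The document root, user and group are supplied by the caller, and the function names are illustrative.

```shell
#!/bin/sh
# Audit a website's document root for files whose owner or group is not the
# site's own system user and group, and optionally reset them.
# Usage (script name is a placeholder): sh audit.sh DOCROOT USER GROUP [--fix]

# Print every path under DOCROOT ($1) not owned by USER ($2) and GROUP ($3).
# find does not follow symlinks by default, and -xdev keeps it on one filesystem.
ownership_drift() {
    find "$1" -xdev \( ! -user "$2" -o ! -group "$3" \) -print
}

# Number of drifted paths (assumes no newlines in file names).
drift_count() {
    ownership_drift "$1" "$2" "$3" | wc -l | tr -d ' '
}

# Reset ownership of the drifted paths only. Needs root.
# chown -h changes a symlink itself rather than its target, so a link planted
# inside a customer-writable directory cannot redirect the chown elsewhere.
fix_drift() {
    find "$1" -xdev \( ! -user "$2" -o ! -group "$3" \) \
        -exec chown -h "$2:$3" {} +
}

# Command-line entry point: list drift, after fixing it when --fix is given.
if [ "$#" -ge 3 ]; then
    if [ "${4:-}" = "--fix" ]; then
        fix_drift "$1" "$2" "$3"
    fi
    ownership_drift "$1" "$2" "$3"
fi
```

Running the audit after each root or admin upload shows which scripts suPHP would execute under the uploader's account instead of the site's user.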
  #7  
Old 22nd November 2011, 15:13
Nebhead

Hi Till,

Thanks very much for your help here. Looks like I'll just need to continue using multiple accounts to maintain all the different sites.

Thanks,
Ben