A File Manager that works!

Discussion in 'Tips/Tricks/Mods' started by JohnK42, Mar 2, 2020.

Tags:
  1. Jesse Norell

    Jesse Norell Well-Known Member

    I mean the FTP username/password doesn't change, it's always generated using the same parameters. By change I mean periodically (once an hour? every time the user logs into ispconfig? every time the file manage button is clicked?) a new password would be generated and set for the FTP account, such that the previous credentials (which are embedded in the HTML and quite likely found in your browser's cache) don't work any more.

    So if the user enters 'https://my_ispconfig_site:8080/mftp/' in their browser (or the browser auto-fills it from history), mftp will check that the ISPConfig session is no longer active and not allow the user to access the utility? That is possible (in fact I do a similar thing in my example monit proxy config posted here in the forums), but I'm guessing that probably hasn't been done, and you mean that the site_webftp.php script itself doesn't function if the user is not logged in? That is one piece of it, but directly accessing /mftp/ with the same username/password sent previously is more the scenario I was thinking about.
     
  2. webguyz

    webguyz Active Member HowtoForge Supporter

    What I meant was that each website has a unique username/password for their filemanager and customers do not need to know what it is. Just like cPanels filemanager works. The browser info is not cached and I have gone and used the link to update 10 websites with filemanger script one after the other and never had anything get confused. Nobody but me sees the code and knows what the secret is or that the pw is actually crc32 of the website name plus secret. Works great for me and I thought I would share. Have been using this since MonstaFTP came out a few years ago.
     
  3. nhybgtvfr

    nhybgtvfr Active Member

    ok, instead of applying the fixed secret 'xyz', could you not use secret=$(od -A n -t d -N 1 /dev/urandom)

    that way the suffix is a different random number every time the script is run, ie every time the ftp link button is pressed.

    although that still leaves the issue of how long the ftp account should be valid/exist for.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    Yes, something like that, though there is still the need to set the password for the ftp account. Normally that is done via sys_datalog entries, but that wouldn't be timely enough to work for this use case, the password needs to be set before the user hits /mftp. In the example script it appears the ispconfig master already has mysql (root) access to the slave server, which would facilitate setting the new password. That is not a normal setup though, the individual servers in the cluster are kept as isolated from each other as possible, so probably not a viable 'official' solution, but could work for folks wanting to do something now, until an official solution would exist.
     
  5. nhybgtvfr

    nhybgtvfr Active Member

    ok. a bit off the wall here, but maybe there's a completely different way of going about this...

    tinyfilemanager doesn't have any ftp login code anyway, but looks easy to embed into other stuff, net2ftp has all the ftp code required and if people aren't going through the panel, they should have to provide login details anyway....

    so net2ftp installed on each webserver, configured in /etc/apache2/conf-enabled, using eg /webftp as the alias, so anyone can just go to domainname.tld/webftp, get asked for the ftp login, and have access. allows full access to anyone completely outside of ispconfig, even if they can't/dont' know how to use/install their own ftp client.

    in the control panel, use tinyfilemanager, exposed in an iframe like monit is currently, it's loaded when they click on the ftp link button, a randomfilename gets generated, and the tinyfilemanager.php file gets put on their site with that filename, the iframe connecting as http://clientdomain.tld/.randomfilename.php, (i'm assuming any file changes/uploads would be done using that domains uid/gid, rather than get overridden by the panels uid/gid, never tried anything like this before :eek:). I guess it would also need to check if ssl/letenscrypt is enabled and change to http/https as appropriate. (it'll be so much easier when everythings https only)
    if they change tabs/pages in ispconfig, the file gets removed from their site.
    the random name and removing the file when they change pages in ispconfig would reduce the security risk. need to work out how to deal with the user just closing the browser or browser tab.
    or keep the filename standard, but still a hidden file, with basic auth just on the file. in each website. if whatever workaround used for monit in the iframe can be done with tinyfilemanager now that browsers won't pass on the auth details?
    admittedly needs more thought. but could be a way forward...
     
    Last edited: Apr 17, 2020
  6. webguyz

    webguyz Active Member HowtoForge Supporter

    Convert the URL GET string to a POST, or at least the password entry. These programs are all open source so you can easily do it. Not sure I see why you have to keep changing the pw. Every time you do you have to update the dbispconfig entry and every time there can be up to a 1 minute delay while ISPConfig updates the correct server if you have a multiserver setup.

    My script creates a login/pw and if it does not exist it adds it so the first time you click the ftp link there can be up to a minute delay but after that it logs in immediately.
     
  7. gOOvER

    gOOvER Member

  8. JohnK42

    JohnK42 New Member

    I'm now using Tinyfilemanager exclusively and despite my previous concerns, the latest version works perfectly. It's a single PHP and such a small file which can be installed in the site's root. I created a directory called manager and changed the filename to index.php.
    Now I simply run http://mysite.com/manager and bingo, I have access to all sub directories.
    Someone mentioned that it doesn't have online editing, well it does and line numbers are provided.
    There's no need to integrate it with ISPconfig because it works perfectly as a standalone script that works side-by-side.
    I love it!
     

Share This Page