Client-Level Acess vs Web-Level Access

Discussion in 'Installation/Configuration' started by fatbear, Aug 8, 2010.

  1. fatbear

    fatbear Member HowtoForge Supporter

    FTP and Shell access seems to be defined only in terms of access to websites (e.g., /var/www/clients/client1/web5). This is a problem for the account owner who needs to access everything (e.g., /var/www/clients/client1). I am legally obligated to make all content conveniently available to account owners. All content ("everything") includes all website content, all e-mail content, all generated statistics, all databases, etc.

    How can I make it so that:

    1. The client can FTP and see everything in their account?
    2. The client can SSH into the server and see everything in their account?

    This is a very basic need, so I'm hoping there is a solution to this within the GUI.

    If there is not a present GUI solution, I can deal with a short-term manual approach.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Every website has its own Linux system user. The FTP user accounts and SSH accounts on Linux work on sytm user level. So you can not access more then one website with a given SSH or FTP user accounts, as this FTP /SSH user will not have any permissions to access the content of another website.
  3. fatbear

    fatbear Member HowtoForge Supporter

    This is very inconvenient. Note that FTP users are not necessarily created to manage websites. They might be people who are providing data to the account owner for other reasons. For example, one customer is a certified public accountant. His clients upload their tax data to his website via FTP. He has many hundreds of clients.

    So, if he has the UID:GID entries:

    web1:client1 - /home/clients/client1/web1
    web2:client1 - /home/clients/client1/web2
    web999:client1 - /home/clients/client1/web999

    Then, it would be unacceptably inconvenient for him to get data from his clients by needing to deal with individual user's usernames and passwords.

    Why not just create an FTP account for the client? Such as:

    client1:client1 - /home/clients/client1

    This approach works equally well for SSH and allows the client to see everything under his/her account.

    This should be simple, right?
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    No, its not that simple. This permission system is a very complex field that deals with script permissions etc as well incl. jails tec. You might want to take a look into the code of the diverse server plugins to see how it works. The system you describe is quite insecure, if the client hosts e.g. 999 websites as in your example and e.g. one of the sites is a joomla website and this single site has a vulnerable plugin installed (which happens quite often if you run a hosting server as your clients will not caer about updating their scripts), then in your install he will loose 999 sites or 999 sites get defaced. In the current setup, only one site gets defaced. Another example, almost all clients and agencys use software like dreamweaver to manage the site contants, dreamwaver manages sites always by site and not client, so you need a dedicated FTP account per site anyway.

    Thats not the case in ispconfig. In ISPConfig, you may have as many SSH and FTP users per website. So the webdesign agency has its own FTP account to the site and the client gets another account for the same site. They do not need to know the password of the other account.
  5. fatbear

    fatbear Member HowtoForge Supporter

    The client actually has only 1 website... they have hundreds of customers. Each customer uses FTP to upload data to the client. With the current control panel (VirtualminPro), the FTP area is outside of all website directories.

    The problem is the assumption that FTP is for website use only. My customer needs FTP just as a way of allowing customers to provide data to him. So, he needs an FTP account for himself whereby he can see his entire account, and customers needs FTP accounts so they can upload data. But none of these FTP accounts are being used for website management at all.

    I have many customers that do business this way... mostly clients that have vendors that need to upload information to the client.

    I can't ask customers to change the way they're doing business. I need the control panel to enable users to do as I'm describing above.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, now we come to the real point. You just want to provide customers with a upload area with different usernames by FTP. Thats pretty easy to do in ispconfig as well . You mixed up the website access restrictions with the FTP restrictions and client restrictions.

    Every website can have as many idependant FTP accounts as well and every FTP account can have its own directory outside of the website document root which is accessible by FTP. Thats why you can set the path in the ftp user settings.

    So the setup you use is simply:

    create one FTP user where you dont change the path, this user will be able to access all directories of the FTP sub users. Then create as many sub users that you need and change the path to a subdirectory of the web basedir e.g. chnage it from /var/www/clients/client2/web11/ to /var/www/clients/client2/web11/clientuplods/cust1. Then this FTP user can only access the /var/www/clients/client2/web11/clientuplods/cust1 directory.

    But for the scenario that you describe you would normally use webdav these days as it allows clients with windows or mac computers to access the upload directories from their file explorer. The upload functionality with webdav is available in the current 3.0.3 beta.
    Last edited: Aug 8, 2010
  7. fatbear

    fatbear Member HowtoForge Supporter

    Thanks, Till, for your replies. Your workaround does help... but, the workaround requires the end user to be educated on how to do more advanced configurations.

    Keep it Simple - I think when a client is added to the system, an FTP (and/or webDAV) account might be created to enable the user to see everything that "belongs" to him/her. This should be automatic, with nothing for the user to do. (Similarly, when a website is created, DNS entries should also be created.)

    Not Just for Websites - And, some of my clients don't even have websites... some are software developers that are just looking to use our servers to maintain their source code. We provide Subversion and other source-code control systems.

    So, it still strikes me as odd that FTP is being attached only to websites. FTP is just about choosing a place on the fileserver that the end user will have access to. The same with SSH.

    While I can manually do what you suggest, it is the case that most clients will not be able to do this. It is hard enough to teach them the basics. :(

    For permissions, I think the client should have access to everything via group permissions. Users can own any subtree of the client space. It doesn't matter what it is going to be used for (web, code development, or just plain storage). I think the bottom line is that the GID=client's GID in all cases. The UIDs are assigned as needed for different purposes. The mode (chmod) should be u=rwX,g+rwX,o-a with a umask of 007.

    I think the bottom line is that the control panel should allow Clients to assign users to any portion of the filesystem that they own. It is reasonable that the Client and Web users be created automatically. And, Clients should be able to add additional users associated with any directory under the Clients' available space.

Share This Page