Easy administration via FTP/SCP?

Discussion in 'Installation/Configuration' started by Nebhead, Nov 22, 2011.

  1. Nebhead

    Nebhead New Member

    Hi all,

    I'm a little frustrated with how difficult it is to centrally manage a large number of websites through ISPConfig, as I am required to have a separate FTP account for each website. This means I need to constantly switch between accounts.

    Is there any way I can set up an "admin" ftp account (or, preferably, an admin shell account so I can use SCP instead of FTP) which has read/write access to all clients/sites? This would make my life so much easier!

    Thanks,
    Ben
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Thais is not possible as websites in ispconfig run under different Linux system users for security reasons. A FTP user is assigned to one system user, so it can only access one website.
     
  3. Nebhead

    Nebhead New Member

    But this makes administration a nightmare. If I set up a client's website, gave them FTP access, and allowed them to run their own site, the only way I could see what they're uploading and/or help them with their problems is by logging in with the same account they use!

    Surely its more secure to have an admin account rather than requiring usernames/passwords to be shared between users?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Such administration tasks are normally done with the root login which can access all sites. You can do this as shell access (e.g. putty) or scp access (with e.g. winscp). If you use the root account, then dont forget to change the owner of uploaded files to the user and group of the website.

    Why should you share passwords? A website can have as many FTP users and SSH user as you need which run all under the same system user internally. So you have multiple username / password combinations for the same website and dont share any login information with others.

    Running all websites under just one user is not a option for a hosting system. If you would do that and one website of a client gets hacked, then you will loose all wesbites to the hacker.
     
  5. Nebhead

    Nebhead New Member

    I really don't like the idea of using the server's root account for every-day admin tasks.


    Good point, didn't think about setting up multiple users for the same website. Still, it adds administrative overhead.

    I agree that normal user accounts should be restricted to only view their own sites. But why not make all site folders read/writeable by an "admin" group (or something similar)? Only I would be able to add accounts to that group, so it's only my account that is the point of weakness (rather than every user's account).



    As an aside, how does apache write files to the disk (e.g. folders uploaded through a web interface) if all sites are locked down to specific users?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Apache switches the user under which scripts are run. See suexec in apache docs.

    This wont work as the group of a file is already required to allow the apache user to get read access to html files.

    One thing that you can do is that you add your own system user and then add this system user to all client groups on the server. The drawback is that uploaded files then are owned by the wrong user (your admin user) so that e.g. suphp will use your system user then to execute these scripts and not the web user as suphp gets the user to run a script from the script owner. Only system administrators like root are excluded from that.
     
  7. Nebhead

    Nebhead New Member

    Hi Till,

    Thanks very much for your help here. Looks like I'll just need to continue using multiple accounts to maintain all the different sites.

    Thanks,
    Ben
     

Share This Page