ftp users and access

I've read through several posts about remapping a subdirectory, but I still can't manage to set up what I'm trying to set up. So here goes:

I have user1 set up to manage the entire domain, all access.

I set up user2 to be able to access one subdomain, and remapped that subdomain to user2's directory. that all works fine.

Then when I ftp in using SFTP and user1, I can see user2's subdirectory, as I intended. But if user2 puts a file in that subdirectory user1 can't see it.

As user1 I'm trying to have access to everything everywhere, while only allowing user2 to have access to his subdirectory. It works for the diretory, but not for a file he puts there.

What am I missing?

Set the files in user 2's directory with permissions that allow user 1 to read them. wink

While I do not think this is ideal/proper security practice, it will do what you want.

--rlparker

I don't know if DH has something similar, but on... just about any other unix system, you can put user 1 and user 2 in the same group, then the files need only be read/writeable to that group and no one else. I *think* they used to have something where you could create and assign groups to users in their control panel. Since I haven't needed to, I'm not sure if it's still there or not.

Yes, I have an opinion.

Get a minimum 50% off with the "haveadreamyday" promo code, and... have a dreamy day. Original, no?

Yep, it's still there. That is one way to "set the permissions" so that both users can read the files. wink

I just didn't go into that, as there are other ways also!

--rlparker

You know me, Rlparker. Always lookin' for the easy way out. :-)

Yes, I have an opinion.

Get a minimum 50% off with the "haveadreamyday" promo code, and... have a dreamy day. Original, no?

He he he! Indeed, and there is nothing at all wrong with that! smile

--rlparker

Thanks - how do I set the permissions to the directory so that whenever user2 uploads a file it has the right permissions for user1 to see them?

Thanks. Not as up on this as I should be...

No problem! The first two links in this list of articles from the DreamHost wiki regarding file permissions should give you everything you need. wink

--rlparker

Ok, here's where I continue to reveal my ineptitude...

I see that I can change the permissions on the directory I created for user2, but what I still can't figure out is how to prep that directory so that I, as user1, can automatically see any file user2 puts in that directory. In order to see a file now I have to login as user2. I can change permissions on that file as user2, but that defeats the purpose.

By the way, I'm using an ftp program to modify permissions.

What is this newbie still missing? Thanks much.

Well, I don't think you are really "missing" anything, as you seem to have pretty much discovered one of the frustrations involved in doing what you are trying to do.

It is a proper security function of *nix file systems to keep separate users' files under separate user controls, and you generally have to jump through some hoops to work around that if you want to work "transparently" with files belonging to another user. This is sometimes a hard concept to grasp for users more accustomed to other operating systems (especially those whose principle prior experience is in the wind*ze platform, which really has had no concept of user permissions to speak of).

These hoops can involve setting up *nix groups, and assigning files group read/write permissions and/or crontabs that periodically modify permissions of all files in a directory. Generally, I've always thought it was more trouble than it was worth, and have used a different approach altogether.

It would help if I understood why you are wanting to do this, as there might well be a "better" way to approach the problem that will meet your needs and work more easily within the *nix permission system and is appropriate for use on a shared webserver.

--rlparker

Really appreciate this help.

Ok, here's my goal, which seems to me to be a basic goal of all webmasters:

I'm user1 and I run the site. I own everything and want access to everything. I want to be able to set up user2 as an ftp user who has access to a directory I designate. He is given his own username and password, and he can login via ftp and see only his directory. He can then upload/download to/from that directory, and that's all he can do. This is being done so I can give various people their own directories for file transfer purposes, and each person can only access the directory I designate for them.

That part I have done successfully.

Then, I want to be able to login to my ftp with my own user/pass and be able to go into user2's directory and up/download as well. Since I am the admin I assumed I could see all directories and all files, while user2 can only see what is in his designated directory.

As user1 I can see his directory but cannot see any files he puts there. It seems to me that an admin should have all access privileges automatically, but that's where I'm running aground.

In order to retrieve user2's files I need to login as user2, and I'm trying to do it as user1.

There it is in a nutshell. Thoughts?

Many thanks.

I understand! For what you describe, when using FTP, I log in as user 2. While that may not seem elegant, it "just works", leaves the file permissions alone and precludes me from having to diddle around with a complicated and "messey" process of expanding file privileges beyond those of the owner.

In fact, using the "remapping a subdir" methodology for this on DH, logging in as user 2 is how DH says it should be done.

Note that, while it might not make a difference now, you cannot run CGI from a "remapped" subdir, and at some point this may create a problem for you.

That said, if you do decide to just "control" user 2's files by using user 2's credentials, then there is really no reason to "remap" the subdomain to the subdir, you can just leave it set up as a straight subdomain and use user 2's credentials when you want to manipulate user 2's files.

Another alternative, that I often use and actually like a lot better, is to not provide FTP access at all. I provide all upload and download facilities to these "sub-users", for whom I am responsible, via a "filemanager" type of script that allows me to maintain ownership of *all* files as *my* user, but allows them to upload and download within the constraints I have determined are appropriate.

This has numerous advantages from a security and control standpoint, is pretty much the same functionality for the user, and solves some of other "issues" involved with remapping sub-dirs (CGI for instance). It is just a much "cleaner" method of doing this, IMO.

There are lots of these types of scripts around, with varying features and capabilities, and that is how I *prefer* to accomplish what you are trying to do.

A couple, in particular, that I often recommend are ffileman , and EasyHost (Free version is linked). They take considerably different approaches to the problem and provide different features - both have worked very well for me depending upon what I have wanted to do. Ffileman is more of a "general file manager utility", much like the DH "webftp" application, while EasyHost gives the appearance of being almost a private hosting control panel, which is particularly nice for users enjoying a subdomain on your account.

In either case, all the files they upload end up being owned by *you* (which as you have seen, solves a lot of problems). In the case of EasyHost, your job of "monitoring" what user 2 does can be made a lot easier with the configurable limits/settings available, allowing you considerable control over what user 2 can upload (file types, disk space used, etc.).

Of course, all this is just my opinion, and YMMV. I've just found that this is what works best for me, and leaves me sleeping more comfortably at night when providing access to my account to another user.

--rlparker

Thanks for taking all that time to explain. I see what's up now. I'm going to look into EasyHost, but initially I'll just adjust to switching from user1 to user2 for the files. It works and does keep things clean, and it's really only a small thing to do each time to make it happen.

Really appreciate the lesson. I'll let you know if I move on to EasyHost.

Jeff

You are most welcome, and I hope some of that information turns out to be useful to you. smile

Good luck with your site(s)!

--rlparker

Okay, so I'm a windoze user, and I'm trying do do the same setup as the original author of this article. Me be admin, see/do everything. Individual users have access to individual folders on the domain. But I need all the CGI/PHP fun setup since we've got some snazzy webdev guys on the team.

So I am giving the groups option a try. Set up a group and added people. Cool. But how do I change the permissions on folders to only allow that group access?

Thanks for any help you can give.
~Elise

If you have shell access, which you should, from the username who happens to currently own the files/folders in question:

In reply to:

chmod 770 somefolder

Where somefolder is the particular folder name you want to grant access to. If you want the group to just have read/write access, replace the second 7 with a 5 (username with file ownership requires 7 for PHP, or anything executeable).

Yes, I have an opinion.

Get a minimum 50% off with the "haveadreamyday" promo code, and... have a dreamy day. Original, no?