Linux admin help



  • I realize this isn't coding related, but.....

    My company recently upgraded our hosting to a virtual dedicated server.  I'm using the Plesk control panel, along with SSHing into the server.  I used the Plesk control panel to add a new web user for each one of our clients so they can FTP files over to us.  This works great as they can only ftp into their folder and they're none the wiser. 

    I can go in with my admin account via ftp and see everyone's folders along with every single file and folder that has to do with our server.  This is fine for me as the admin. 

    I need an account that is for our graphic designers to use to ftp into to ONLY see the folder that contains the client's folders.  So, the way it's currently set up, all of our client's folders reside in a folder called "web_users".  I need to create a user that only has access to this "web_users" folder (and sub-folders), and can't go up any higher.

    Any help with this would be fantastic, since I've been thrown into a position I'm definitely not prepared for, and I need this to work immediately.

    Help!  Thanks in advance.
     



  • I think the best solution for you would be to set up a samba share for the client folders and let the designers mount a drive to it.  That way they can't see above the client folders. 



  • [quote user="tster"]I think the best solution for you would be to set up a samba share for the client folders and let the designers mount a drive to it.  That way they can't see above the client folders. 
    [/quote]

    If you do that, it would be adviseable to add some firewall rules (on that server!) so the samba share is not world-visible. Otherwise, every security issue that might be found in Samba in the future immediately affects you.
     



  • That is also true for FTP: It should not be used. Passwords are sent in plaintext and can be read by anyone with a packet sniffer (on the clients network, in the data center on another colocated box, anywhere inbetween.) Require SSH file transfer via scp/sftp. There are many nice graphical frontends available (i.e. WinSCP) so this shouldn't be a problem.

     As for the graphic developer, you'll have to learn the wonderful world of user and group access rights. Basically it looks like this:

    User IDs are unique, and only one user can have a given ID.
    Group IDs are shared, and many users can be in a group.
    Every file has both a UID and a GID, and then access rights for the user, the group, and the world (everyone else.)


    You want to create a group for every client and make sure all their files are group read/write/accessible.

    Now put the web developers account into all the client groups, which will give him access on the group level to all their files. You could just make a single client group, but that would also give them the right to access each others files. That may be fine as long as they can't 'see' the directories, but i wouldn't count on it.

     The biggest problem with this would be that users may not give files the proper group access rights after they upload/modify content (see: umask) When that happens the root user would have to recursively set the proper group rights on their folder (see: chmod -R g+rw)

    The files that a user sees when they FTP in some kind of 'choot (change root)' that moves the file system root to a specified place. The FTP server may get this from the users home directory or from another config file. SSH may or may not do something similar.
     


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.