Get rid of one user per domain policy


#1

Honestly, I don’t know why this is a thing in the first place.

It makes delegation really difficult and being able to assign an FTP user to a specific folder on a domain is commonplace and simple on literally every other host I’ve been with.

I need subdomains to directly correspond to folders on the main domain in order to use relative paths in the subdomain to access other folders on the main domain. This is impossible with subdirectory remapping and there’s no other solution for what should be a very common structure scenario.


#2

Thanks for reaching out… I’m not sure I understand what you mean exactly… what exactly is the ‘one user per domain policy’ that you mention? It would also help if you described in more detail (maybe a picture?) the workflow you’re trying to map to domains, subdomains, users’ permissions and directories on disk. Maybe we can suggest other approaches if we get a clear idea of what your needs are.


#3

Your policy is outlined here. I confirmed with support (Andrew P) earlier today that the following scenario is impossible and without a workaround with your current policy and setup:

I need domain.com/folder/example to be synonymous with example.domain.com in order to allow example.domain.com to use relative paths to access folders outside of domain.com/folder/example. Specifically, I need example.domain.com to be able to reference domain.com/resources/twitter via relative path. Because I also need a separate FTP user login for example.domain.com, I can’t simply connect example.domain.com to domain.com/folder/example, and remapping domain.com/folder/example to example.domain.com would not allow me to use relative paths either.

Instead, I’m forced to recreate the contents of domain.com/resources/twitter in every subdomain that requires it, leading to far more insecure practices than if I could just create FTP users limited to a specific folder of a domain owned by another user.


#4

Thanks for the extra details… I have been trying to understand what you’re trying to do and imagine what software solution you could use that allowed similar separation. I am a bit confused by your use of the word “example” for both domain and subdomain and directories… let me see if I got this right:

1- you want to have example.com/folder/subdir1 to be served at the URL subdir1.example.com.
2- As FTP user John you want to access via ftp example.com/folder/subdir1
3- As FTP user Jane you want to access example.com/folder/subdir1
4- You want to have Jane’s URL jane.example.com to be serving the same content of example.com/folder/subdir1

Basically you need to have a template shared across multiple domains? Do I get it right? If not, try to explain exactly what you’re trying to achieve. Try to use the ‘user story’ template (As a [user|administrator|etc] I want to [achieve something] so that [something else happens]). Try to describe also who your users are, what level of expertise they may have, what their relationship is to you. Now, who needs to write in these subfolders? Have you considered using a CMS with a complete role management and .htaccess redirects? Basically, you could avoid using FTP altogether and let the CMS manage access and content.


#5

Basically you need to move beyond shared hosting. Take a look at DreamCompute, you can do whatever you want there.

On a shared hosting server there are security issues that mandate that one user per domain policy.


#6

Some corrections below:

[quote]

1- As FTP user Admin you want access to all of example.com/
2- As FTP user Jane you want to access example.com/folder/subdir1 via FTP
3- You want to have Jane’s URL jane.example.com to be serving the same content of example.com/folder/subdir1

[/quote]

As an administrator, I want access to the entirety of the domain via one administrative (SFTP) login.

As a client user, I want access to only the contents of a subdirectory, which serves all the content for a subdomain.

The subdomain must be able to use relative paths to access files on the domain for authentication reasons. Specifically, for a script which displays a Twitter feed.

All of the above is currently not possible with your one user per domain policy.

The client users in this scenario have a basic to intermediate level of expertise for the most part, but have enjoyed FTP access to their specific subdirectories/subdomains for years without problems at our various previous hosts. Each is running a solo CMS from their subdir/subdom, and it would be inefficient to replace these multiple installations over multiple subdomains just for role management solutions.

As it is, my only solution seems to be placing the Twitter authentication files on each of their subdomains, giving them direct access to it, whereas if their subdomains could simply reference the domain for this, they wouldn’t need access to it – which is obviously much more secure. (And more efficient. If the auth data ever needs updating, I now need to update it on 9 subdomains in addition to the domain.)

I’m on VPS hosting, actually – having upgraded from shared hosting with another company which allowed this without issue – which is why this policy is even more ridiculous.

Every hosting company which supports a cPanel management interface allows this, and plenty of other proprietary backend hosting companies also allow this. This is the first time I’ve encountered such a policy.


#7

There was an era when you could turn off DreamHost management on a VPS. To be honest, I don’t know if that option still exists, but I doubt that it does, since the ability to create admin users on a VPS no longer exists. Most managed servers and VPSes have shortcomings created by the fact they must be managed identically and alike; there are always tradeoffs, and no product offering is perfect.

As things go, though, it’s highly unlikely this will change anytime soon. I’ve been linking that one user per domain page in this forum for many years (originally a wiki.dreamhost link that was identical to the current help.dreamhost page). Once people understand how it works, relatively very few complain about it.

You can move to a DreamCompute unmanaged cloud server instead and save money on your hosting. Unfortunately, the drawback is you may then have to pay someone else and/or subscribe to an IT service for management. It’s difficult for most web designers to also be security and server admin; there are a lot of issues to follow and much to keep up to date.


#8

This absolutely shocks me to be honest. At the risk of sounding repetitive, I’ve never encountered this policy before and it seems so very standard-issue to be able to create FTP users that are only allowed to access a specific folder.

And yeah, I really don’t want to move to an unmanaged server/deal with managing a server/paying someone else to manage the server. For this particular website, the security risk of duplicating the authentication data is relatively small – I mostly trust my client users not to be malicious or stupid. However, I’ll definitely be keeping this crazy restriction in mind when considering hosts for other projects.


#9

As @lakerat said, I doubt that the logic of the approach picked by DreamHost can be changed. I still think that you can achieve something similar by dropping the logic of “FTP” and thinking at a higher level.

For example, WordPress can be set up to serve multiple sites from one user. One could delegate to the app (WordPress, Drupal, something else) the management of files and subdomains instead of the low-level approach of FTP/filesystem. Of course, this would require you to change your applications, though, which may not be cheap/possible. Sorry, I don’t have better news for you.