Restrict FTP user access to a directory owned by another user


#1

Hi everybody,
In my situation I have configured 2 users:
“webmaster” with 2 websites: “public.it” and “private.it” in “/home/webmaster/public.it” and “/home/webmaster/private.it”.
“contributor” without websites.

I need to configure Unix Groups/Permissions/Remaps/etc. in this way:
“webmaster”: full access to " /home/webmaster/* ".
“contributor”: full access to “/home/webmaster/public.it” and NO access to other webmaster’s stuff, for example “/home/webmaster/private.it”

I’ve tried what is described in the chapter "UNIX Groups & FTP users" of http://wiki.dreamhost.com/Unix_Groups
In this case, using SFTP, the user “contributor” can change current dir to “/home/webmaster/” and read other webmaster’s stuff. If I remove the read permission of the contributor’s group, Apache is not able anymore to serve the webpages.

How can I configure this to get it working?

Thank you!
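
As an added example (not code from this thread, and not anything DreamHost provides), here is the Unix-permission layout post #1 is trying to build, set up under a temporary directory with constructed names (“webmaster”, “public.it”, “private.it”), plus a small audit that lists every directory other accounts could read. It only sets mode bits: chown/chgrp to a real shared group would need the accounts to exist, so that step is left as a comment. The caveat raised later in the thread still applies: mode bits on private.it do not protect it from a PHP script the contributor uploads to public.it if that script executes as webmaster.

```shell
#!/bin/sh
# Added example, not from the thread: builds the permission scheme from
# post #1 in a temp dir and audits it. Usernames, group names and paths
# are constructed for illustration; no real accounts are created, so only
# mode bits are set (on a real host the next step would be
# "chgrp publicit /home/webmaster/public.it" with a shared group).
set -eu

ROOT=$(mktemp -d)
trap 'rm -rf "$ROOT"' EXIT
HOME_WM="$ROOT/home/webmaster"          # hypothetical webmaster home

# Layout used throughout the thread, built here as sample data.
mkdir -p "$HOME_WM/public.it" "$HOME_WM/private.it" "$HOME_WM/.ssh"

# Permission scheme:
#  - home dir 0711: other accounts may traverse it to reach public.it by
#    full path, but cannot list it ("cd /home/webmaster; ls" shows nothing).
#  - public.it 2770: owner and shared group read/write; setgid so files
#    the contributor creates inherit the shared group rather than the
#    contributor's primary group.
#  - private.it and .ssh 0700: nobody but webmaster gets in.
chmod 0711 "$HOME_WM"
chmod 2770 "$HOME_WM/public.it"
chmod 0700 "$HOME_WM/private.it" "$HOME_WM/.ssh"

# mode_of PATH -> prints the symbolic mode string, e.g. drwx--x--x
# (ls -ld is POSIX; the first 10 characters are the same on Linux and BSD).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# others_can_read PATH -> exit 0 if the "other" read bit is set.
others_can_read() {
    case "$(mode_of "$1")" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# audit_world_readable ROOT -> prints every directory under ROOT whose
# "other" read bit is set, i.e. directories any account on the host
# could list. Run this after changing permissions to confirm nothing
# private is exposed.
audit_world_readable() {
    find "$1" -type d | while read -r d; do
        if others_can_read "$d"; then
            echo "$d"
        fi
    done
}

# count_world_readable ROOT -> number of world-readable directories.
count_world_readable() {
    audit_world_readable "$1" | wc -l | tr -d ' '
}

echo "home:       $(mode_of "$HOME_WM")"
echo "public.it:  $(mode_of "$HOME_WM/public.it")"
echo "private.it: $(mode_of "$HOME_WM/private.it")"
echo "world-readable dirs under $HOME_WM: $(count_world_readable "$HOME_WM")"
```

The 0711 home directory is the piece the group approach in post #1 is missing: it lets the contributor reach /home/webmaster/public.it by full path while “ls /home/webmaster” returns nothing, and private.it at 0700 refuses entry. Whether the web server can still read public.it with group-only permissions depends on which account it runs as, which the thread does not settle.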


#2

turn on enhanced security for public.it

but let me know how you get on. i’ve never been able to set up the system you mention because when contributor uploads a file, I can’t read it


#3

If I turn on “enhanced security” for public.it, anyone except the “webmaster” and the Apache user has access (read+write+execute) to " /home/webmaster/* " http://wiki.dreamhost.com/Enhanced_User_Security

The symbolic link to “/home/webmaster/public.it” in “/home/contributor” will not work: “access denied”…


#4

right, but it solves the problem of ‘anyone’ seeing the files that are NOT in public.it

that’s half of the problem.

i’ve worked on it before and never found a satisfactory answer. there are a few ideas documented on these boards if you want to have a go. one involved a cronjob to update permissions, IIRC


#5

yes, you’re right…
What do you think about setting up public.it as a WebDAV directory??
In this way, the webmaster and the contributor must use a WebDAV client to access that directory… and the contributor can’t “cd ..” and see other webmaster’s stuff. Am I right?

But the contributor can create a php script that reads content in the private.it directory…for example, file “test.php” uploaded via WebDAV in /home/webmaster/public.it/:

In this way, if there is something important in private.it, the contributor can still read it!


#6

the only way i can think to do it since the groups/permissions route probably won’t work is to set it up in
/home/contributor/public.it/
and both webmaster and contributor share a username/password


#7

I’ve come up with a solution: via WebDAV.

I’ve moved the site into a subfolder called “site” and then I’ve redirected all requests for public.it to public.it/site, via .htaccess.
I’ve read this guide about how to set up WebDAV for an entire account.
http://wiki.dreamhost.com/WebDAV

Then, I’ve set up WebDAV into public.it/site and contacted DH as described there http://discussion.dreamhost.com/thread-10321.html in order to be able to edit .php files.

Hope this can help!


#8

let us know how you get on. i’ve tried webdav before and it seems that the files won’t be visible to apache if you upload them via webdav and try to use them as a regular website. but maybe i did something wrong.


#9

I wouldn’t recommend relying on WebDAV for this functionality. It’s kind of a pain to work with, and we may at some point end up making changes to the way WebDAV is implemented that will make this particular approach stop working.

If you need to allow multiple users to edit and manage your site, our current best recommendations are that you either:

1. Move the site to its own FTP user and share the password with the users who will be managing the site. (If you are comfortable with SSH authorized keys, you can use those with SFTP instead of sharing the password.)
2. Use a content management system to collaboratively edit the site rather than editing site files directly.


#10

if your users are comfortable with SVN, you could set up a repository… that’s what I use although I seem to be the only contributor lately…


#11

Setting up your site with SVN takes some extra gunk to get your site to deploy automatically when you check in a revision, though. Between that and needing an SVN client to edit, it’s enough extra complication that I wouldn’t recommend it to anyone who didn’t specifically want SVN.


#12

WebDAV worked well for my (temporary) problem…
- I can’t share the ftp password with contributor(s) because there is other private stuff that I want to remain private.
- To use SVN you have to teach contributor(s) how to COMMIT/UPDATE/etc. and this will cost you MUCH time! Also, on every repository change, you have to update the public web “working copy”, maybe with a cronjob every 10 minutes.

Briefly, this is the procedure…
1. Move your website to /home/webmaster/example.com/site
2. Insert in /home/webmaster/example.com a .htaccess file with

       RewriteEngine on
       RewriteCond %{REQUEST_URI} !site/
       RewriteRule ^(.*)$ /site/$1

   according to http://wiki.dreamhost.com/WebDAV, paragraph "applying WebDAV to an entire domain, not just to one of its folders". In this way, all requests to example.com will be redirected to example.com/site.
3. Set up WebDAV on example.com/site. Apache will serve the files normally, but now you can view the files via WebDAV (for example with BitKinex). But there’s a problem: php files will also be interpreted if you retrieve them via WebDAV. DH will kindly solve this problem for you in the next step.
4. Kindly ask DH to create an alias dir “php-source” and tell Apache not to parse php files. I’ve read this http://discussion.dreamhost.com/thread-10321.html.
5. Then, you have full WebDAV read/write access to example.com/php-source.


#13

wow, interesting! I’ll have to give it a try…

don’t forget to add this to the wiki. I think it gets much more traffic than this board.

cheers!