Safe automated FTP


#1

Sorry for this long post, I feel like such a newb about now…

I use a single user ID to update a website via shell and FTP. All files on the site show this user as Owner, and that’s fine for our purposes. I’ve written some code that will generate web pages which will replace some on our site. The idea is to create the pages in one step and then cURL them up to the server in a second step. All of this is working.

My question is about doing an FTP safely. The goal is to securely push files from a remote PC up to a path in our DH domain space, without exposing the user:pass to the cloud and without creating permissions issues on the server. I can manipulate the tools to do whatever I need to do, I’m just not sure what the right process should be.

I don’t use SFTP for site updates but I suppose that means our user:password data floats on the wire every time I connect to the server. (BTW, I use FileZilla which is the most stable FTP utility I’ve ever used.) When using cURL, I’m putting “-u user:password” in the command string. Since this is on a local PC I don’t have an issue with that (wouldn’t do that in FTP from a DH server) but I’m still wondering how secure it is when it gets into the cloud.

So to avoid exposing my primary user mentioned above, I have a restricted purpose SFTP user which I can use to post files on the site, but then the owner of these files will be different from the rest of the site and I’m concerned there will be permissions issues when other updates are done later. To fix this I’m thinking I’d need to chown via FTP?

Assuming I do use this SFTP user, to get files from the /home/user path into our website I’m thinking about setting up a symbolic link (ln -s) that points to specific directories that need to be updated. I don’t like SFTP users on DH because it looks like every user can see every other user’s space (the irony of secure FTP) and I’m concerned about creating a link in /home/user that goes to our web space because that might just give everyone on the server a view into our web space.

Am I really blowing this out of proportion? I can experiment with the connectivity but there are so many permutations on which user/protocol/commands to use. I could experiment all day and still create a security hole for myself or a permissions hassle that may not be necessary.

TIA!


#2

The proportion bit :wink:

What I’d suggest is editing your user via the Panel, select SFTP access and check the Enhanced Security option.

Maximum Cash Discount on any plan with MAXCASH


#3

I’ll be happy to accept a simple answer, and I appreciate your response, but the wiki link you provided says:

Specifically, “Enhanced Security” means your user’s home directory has its permissions set to 750 and its group is changed to adm. This option is much more secure, but is not for people that share data between their users.

That does keep out prying eyes but it also precludes my ability to push files into that user’s space and then move them to my domain, no? The site owner and group will be different from the SFTP user.


#4

I’m also looking at this other post of yours. Maybe I can use a cron job in the domain to reach out to the FTP user’s space and pull in files - but I think this is just adding complexity.

The best solution seems to be to SFTP with cURL using the site owner ID, make sure the data in the cloud is encrypted, and just put the files where I want them. I’m checking the cURL/SSL option until someone else here has a better idea.

Thanks!


#5

That other post concerns sharing files between user accounts at Dreamhost itself, which is something I thought you were actually trying to avoid. I was under the impression you were enquiring about a secure way to upload local files from, for example, a development computer at your workplace via the Internet and into your Dreamhost account.

Sorry for my previous confused response, I must need sleep.



#6

You are correct that the goal is to securely FTP to DH from outside. I was thinking that this could be done indirectly by posting to another account and then reaching over from the web space to get the file. I think there would still be permissions issues.

I need to back up and take another shot at this with a more focused thread. Please forgive me as I abandon this thread and start a new one that might make more sense. See the one titled cURL to DH with SFTP. If the solution is not with cURL and SFTP then I hope someone posts here.

Thanks again.
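
Added example, not part of any post in this thread: a shell wrapper for the approach the thread settles on (cURL over an encrypted transport as the site owner), with the password read from an owner-only netrc file instead of `-u user:password`. The host `example.com`, the login `siteowner`, the remote path and the `DRY_RUN` switch are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Host, login, paths and DRY_RUN are placeholders/assumptions.
# Assumed netrc file contents (one line, mode 600):
#   machine example.com login siteowner password <secret>

# Accept only transports that encrypt the login; plain ftp:// sends the
# user name and password over the wire in cleartext.
require_encrypted_url() {
    case "$1" in
        sftp://*|ftps://*) return 0 ;;
        *) echo "refusing unencrypted URL: $1" >&2; return 1 ;;
    esac
}

# The credentials file must be readable by its owner only.
require_private_file() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        -rw-------|-r--------) return 0 ;;
        *) echo "$1 must be mode 600 (found: ${perms:-missing})" >&2; return 1 ;;
    esac
}

# Usage: upload <local-file> <remote-url> <netrc-file>
# With DRY_RUN=1 the curl command is printed instead of executed.
upload() {
    file=$1; url=$2; netrc=$3
    require_encrypted_url "$url" || return 1
    require_private_file "$netrc" || return 1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    # --netrc-file keeps the password out of the command line, the
    # process list and the shell history; -T uploads the local file.
    set -- curl --fail --silent --show-error \
        --netrc-file "$netrc" -T "$file" "$url"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}
```

Because the upload logs in as the site owner, the uploaded files keep the same owner as the rest of the site, so no chown step is involved.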