i need create ftp accounts for users with access only to their app directory, can i do that?
thanks!
Hello,
> i need create ftp accounts for users with access only to their app directory, can i do that?
Yes, you can do this. Here's one way:
You can create an FTP user via the WebFaction control panel ("Account" --> "ssh/sftp users"). When you create the user, select "/bin/bash" as the shell.
Each user you create gets their own home directory. You can use this home directory to store their webapp.
After you create the FTP user, you must then grant access to apache. You will probably also want to be able to control all of the FTP user's files from your main user. Also, to keep your sanity, you should preserve full control for the FTP user for all files that are created in their home directory. You can do these things by logging into SSH as the FTP user and running the following commands:
# This grants access to Apache:
setfacl -R -m default:u:apache:rx /home/$USER
setfacl -R -m u:apache:rx /home/$USER
# This grants full control to the main user:
setfacl -R -m default:u:YourMainUsername:rwx /home/$USER
setfacl -R -m u:YourMainUsername:rwx /home/$USER
# This preserves full control for the FTP user, no matter who creates files:
setfacl -R -m default:u:$USER:rwx /home/$USER
setfacl -R -m u:$USER:rwx /home/$USER
After you have done the steps above, you then need to register the FTP user's home directory as a web app. You do this by creating a Symbolic Link application in the WebFaction control panel. In the "Extra Info" box of the Symbolic Link app, put the full path to the FTP user's home directory (for example, /home/TheFtpUser). Finally, attach the newly created Symbolic Link app to a Site.
The user is then able to upload their webapp to their home directory using FTP.
Tip: If you have to transfer some files from your main account to the FTP user's home directory, COPY the files (with the 'cp' command) -- don't move them over (with the 'mv' command). This will keep the file permissions correct.
~Chris Sebastian
Last edited by likebike (2008-06-24 10:07:23)
Update: WebApps are no longer allowed to be served outside of the main user's home directory, so you can't use a Symbolic Link to point out to an FTP user's home directory. Instead, you need to do something like this:
/home/$FTPUSER/theapp --> /home/$MAINUSER/$FTPUSER
In other words, you must create a symbolic link from the FTP user's home directory to the main user's home directory. This will appear to the FTP user that the app resides in the 'theapp' folder in their home directory, when in reality, the app will reside in the main user's "$FTPUSER" directory.
See this 'setfacl' article for more info:
https://help.webfaction.com/index.php?_ … &nav=0
~Christopher Sebastian
Last edited by likebike (2009-01-28 07:41:58)
Here are some more detailed instructions about how to accomplish this, using the "new" approach (keeping the files in the main user's home directory):
I have created an SSH/FTP user called 'flowers'. I want to allow the 'flowers' user to manage their own webapp in their 'www' subdirectory (/home/flowers/www).
I have also created a 'flowers' app of type "Static/CGI/PHP" from the WebFaction Control Panel.
Here is what I need to do to link /home/flowers/www to the 'flowers' app that I created:
# RUN THESE IN SSH AS YOUR MAIN USER:
[chris@web123 ~]$ setfacl -m u:flowers:x ~
[chris@web123 ~]$ setfacl -R -m u:flowers:rwx ~/webapps/flowers
[chris@web123 ~]$ setfacl -R -m d:u:flowers:rwx ~/webapps/flowers
[chris@web123 ~]$ setfacl -R -m d:u:chris:rwx ~/webapps/flowers
# RUN THESE IN SSH AS YOUR FTP USER:
[flowers@web123 ~]$ ln -s /home/chris/webapps/flowers www
Finally, hook your 'flowers' app up to a WebSite by using the WebFaction Control Panel.
Now, your 'flowers' user will be able to control the contents of the website from their 'www' symlink.
~Christopher S.
WebFaction Support
Thanks for this info - however, it would be extremely useful if you could set this up when creating a new SSH/SFTP user. Perhaps a dropdown to select an existing webapp to give access to. I don't think all of these steps should be required for setting up an additional FTP user.
Or, you could use the virtual FTP accounts with 'user@domain.com' usernames - then an SSH account would not be required.
Thanks Christopher, that helps me a lot.
Excellent! This is exactly what I needed. Ideally, this should be in the kb (if it isn't already).
Thanks very much for this handy guide!
This doesn't seem to be quarantining them to certain directories. They still have read access from the main users ~ directory. They can see and read the other apps there
All good, I followed the links you mentioned and worked it out. RTFM! Cheers again!
likebike,
Thanks a lot for your post about how to deal with adding access for new ftp users.
By any chance is there a way to totally quarantine those additional ftp users so that they can't even read my other webapps?
This line just concerns me a bit:
setfacl -m u:flowers:x ~
Ravivmg,
If you want to keep your FTP users isolated, and unable to see your home directory contents, then you will need to use the "old" procedure, which is the post #2 in this thread (posted by me on 2008-06-18 12:42:08). Basically, you'll need to keep the FTP users in their own home directories, and not share yours.
The reason the procedure is known as the "old" procedure is because it works on some of our web servers, but not on others. I believe it should work on your server. (Specifically, I think the 'old' procedure works on Apache servers, but not Nginx servers.)
Any questions?
Regards,
Christopher S.
WebFaction Support
First, I am very happy with WebFaction, however, I think this is a very weak area in their service. I have my RHCT and am no bash newbie but setfacl has always been a mysterious and laborious command to me. I feel that it is unreasonable for this not to be automated somehow using the control panel. I have used other web panels that allow you to give isolated ftp access to individual users with ease. It seems uncharacteristic of WebFaction to not have this accomplished.
Last edited by jn325 (2009-06-01 09:03:23)
This is actually on our (quite long) todo list.
All I can say is that we're working on it, but there is no set date for deploying this feature yet.
Couldn't this be accomplished a bit easier if we could somehow set/change the home dirs of the users, for example to the one where the webapp is?
In linux you can do this, at least in some distros.
Me again...
I think that you should change the way the extra users are added/configured on the servers. One thing is, as I said before, to set the home dir to one inside the master home dir. The other thing that I'm seeing right now is that you should jail all the users to their home dirs, including ssh. I'm connected via ssh, and I could go to the /etc dir and see all the config files of the server, including the passwd file, where all the users' data is configured on the server. So, a person who has bad intentions could try to steal accounts on the server, etc., etc. Or not?
Besides that, this is my first day being a WebFaction client, and I'm pretty happy with the services.
Thanks
Yes I was going to come here and say thank you for the wonderful information, I was able to setup a FTP/Sym link for a user to access a joomla site.
My concerns are similar to above, though, in that when I logged in as the new user via SFTP, I noticed I was able to peruse all the webapp directories, which made me wonder about security issues. Far from an expert on file permission levels, I want to avoid any potential problems with users accessing off-limits files.
Is there a blanket CHMOD I can set all the files and sub directories to that will protect me from this without affecting the execution of PHP scripts, or does the USER/GROUP listing (which still shows as main User) protect me from this without changing the individual permissions??
Thanks a ton for the thread-- worked great so far!
----------------------------------------------------------
Hmmm... just noticed I didn't follow directions 100% accurately, I just gave access for the new user to a STATIC/CGI/PHP app that I already had setup, not a Sym Link (ooops!). Is this the reason I could access the other directories?? I will delete the user and create a new app and repeat the process to see, but either way, would appreciate any feedback you might have to offer-- thanks again!
Last edited by ericdeaver (2009-07-20 00:09:05)
You could peruse the other webapps directories because you had not denied the extra user access to those directories.
If you want to grant access to only a single webapp directory, and keep the extra user out of all of the other webapp directories:
setfacl -m u:flowers:--x ~
setfacl -R -m u:flowers:--- ~/webapps/*
setfacl -R -m d:u:flowers:--- ~/webapps/*
setfacl -R -m u:flowers:rwx ~/webapps/flowers
setfacl -R -m d:u:flowers:rwx ~/webapps/flowers
When that's done, 'flowers' will be able to see all of the directories in ~/webapps but the only one he'll be able to peruse is ~/webapps/flowers.
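An added way to verify the isolation above (and the earlier reports of extra users browsing other webapps): the script below is example code written for this thread, not WebFaction tooling. It parses `getfacl` output and resolves the POSIX ACL rules (owner, named user, group entries, mask, other) to show what a given user can really list; the `SAMPLE` dump is constructed to mirror the ACLs this post sets for 'flowers'.

```python
# Added example (not WebFaction's tooling): audit what an extra SSH/FTP user can
# reach from getfacl output. SAMPLE is constructed to mirror this thread's ACLs.

def parse_getfacl(text):
    """{path: {"owner", "group", "entries": {(tag, qualifier): perms}}};
    'default:' entries are skipped (they shape new files, not this one)."""
    acls, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()   # drop getfacl annotations
        if line.startswith("# file:"):
            cur = {"owner": "", "group": "", "entries": {}}
            acls[line.split(":", 1)[1].strip()] = cur
        elif line.startswith(("# owner:", "# group:")):
            cur[line[2:7]] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")
            cur["entries"][(tag, qual)] = perms
    return acls

def effective_perms(acl, user, groups=()):
    """Owner (unmasked) -> named user -> matching group entries -> other. Named-user
    and group rights are ANDed with the mask, which a plain chmod silently rewrites."""
    e = acl["entries"]
    mask = e.get(("mask", ""), "rwx")
    masked = lambda p: "".join(a if a == b != "-" else "-" for a, b in zip(p, mask))
    if user == acl["owner"]:
        return e[("user", "")]
    if ("user", user) in e:
        return masked(e[("user", user)])
    keys = [("group", g) for g in groups if ("group", g) in e]
    if acl["group"] in groups:
        keys.append(("group", ""))
    if keys:  # a matching group entry decides; 'other' is not consulted
        got = set().union(*(masked(e[k]).replace("-", "") for k in keys))
        return "".join(c if c in got else "-" for c in "rwx")
    return e[("other", "")]

def listable_dirs(text, user, groups=()):
    """Directories the user can list and enter (needs both r and x)."""
    return sorted(p for p, a in parse_getfacl(text).items()
                  if set("rx") <= set(effective_perms(a, user, groups)))

SAMPLE = "\n".join([  # constructed getfacl -p output after the commands above
    "# file: /home/chris", "# owner: chris", "# group: chris",
    "user::rwx", "user:flowers:--x", "group::---", "mask::--x", "other::---", "",
    "# file: /home/chris/webapps/flowers", "# owner: chris", "# group: chris",
    "user::rwx", "user:flowers:rwx", "group::r-x", "mask::rwx", "other::---", "",
    "# file: /home/chris/webapps/other", "# owner: chris", "# group: chris",
    "user::rwx", "user:flowers:---", "group::r-x", "mask::r-x", "other::r-x"])
```

On a real server, feed it `getfacl -p ~ ~/webapps/*` run as the main user; a directory showing up for the extra user that you did not intend to share is the gap to close.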
Awesome! Thanks.
Just throwing in that I too would love if this was easier to accomplish.
I love webfaction, and would love to recommend it to clients, but general usability issues with the panel and the difficulty in creating users and granting them access to specific section of the site prevent me from doing this.
I may create a new topic for this, but this was the closest match I found to my question, so I thought I should start here...
I'm not looking to do this for FTP, but for multiple users to have full read/write/execute permissions on the main account's webapp directories and home directory. I thought I knew how to do this, as the new users (jim and brian) are both members of the main account's group, and I gave the group level read/write access to everything in home. They can execute files there, and if they do an ls on an EXACT file name, it will confirm that file is present, but they can't run ls on the directory, permission is denied. First I thought, oh, they just need to make the main account's group active with newgrp. No luck. I'm pretty puzzled. What I want isn't really that hard, is it? We have a few people who will work on the site, and they shouldn't all have to share a password to have access to the main account, yet it seems like they have to right now. Help is much appreciated!
OK, apologies, addressed problem with setfacl article here: https://help.webfaction.com/index.php?_ … p;nav=0,15
Think I must have been missing some executable permissions, but weird as that was the one thing they all seemed to have... it seems to have added a lot of +'s when I did setfacl for the group, forget what they mean.
Also, as long as I'm bothering admins (sort of), is Python2.6/Django1.1 auto install coming soon? How hard would it be for me to modify existing 2.5 script to work on 2.6, to learn WebFaction APIs? Also, is there any plans/interest in a script for pinax? I'm not sure how to get an existing script to try modifying it, but I'd like to. Thanks!
Last edited by bglusman (2009-08-22 07:39:16)
Hi,
> Also, as long as I'm bothering admins (sort of), is Python2.6/Django1.1 auto install coming soon?
As far as I am aware we don't have a set date for Python 2.6 version of our applications yet.
You can do it yourself for now with instructions from here: http://forum.webfaction.com/viewtopic.p … 9341#p9341
> Also, is there any plans/interest in a script for pinax?
We have had requests for a Pinax installer. Again, it's on our todo list but isn't the highest priority right now.
Regards,
David L.
WebFaction Support
--
WebFaction - Smarter web hosting
http://webfaction.com - http://twitter.com/webfaction
FYI we now have docs for this at http://docs.webfaction.com/software/gen … ific-users