Manage Team User secretly linked to User Manager - unexpected FTP permission pitfall

Comments

15 comments

  • cPRex Jurassic Moderator

    Hey there!  I'll go through these in order to make sure I don't miss anything.

    1 - Yes, this is expected behavior.  Ultimately I would expect the User Manager tool to eventually go away as Manage Team allows much more control over the additional accounts on the server.

    2 - This also seems correct to me as the accounts are really the same and just show up in different places.  cPanel will not let you create a Manage Team user if the username is already in use by User Manager, as you'll get a duplicate username error in the interface.  I did create improvement case CPANEL-48118 to provide a better error message regarding the duplicate username error, as the current one is not very user-friendly.

    3 - On my end, after enabling the FTP feature I'm able to edit the path for the FTP user to be the public_html directory, so I can remove the username portion that is autofilled there.  Are you not able to do that?

    4 - I think my answer to #3 also helps to clarify #4, but let me know if that isn't the case.

    0
  • markus909

    I am kind of new to cPanel - I have known it for maybe 2 to 3 years as a user, and I remember that the Manage Team feature is newish. What I was not aware of initially is how those things are all interrelated under the hood. Technical documentation is kind of lacking, though, so the only option is learning by doing, sharing information and results.

    I ran detailed tests again and documented everything here. In the end it is the same topic I initially started here, but showing the result directly at first.

    ⚠️ ⚠️ The core issue is that Manage Team handles empty home directory fields inconsistently (creation vs. modification) and can display a wrong home directory path, which may overwrite the actual setting if saved again.

    at 1: When I looked at a situation I was facing, I did not know anymore whether I had manually created users on both ends (Manage Team and User Manager) for some reason or if the system did. There is no indication that the User Manager user exists only because it was automatically created by adding the Manage Team member. Perhaps even an indication that those two are linked in some way would have helped a lot. Of course in the long run it's good to see one of those features go away, as it is just very confusing UI/UX as is. Keeping only Manage Team and sunsetting User Manager is for sure a good development.

    at 2: I am honestly not sure if User Manager + Manage Team are the same account or two separate accounts with the same username which are linked in some way. Difficult to say from outside. I didn't test the duplicate user thing, but I know that "both users" (User Manager + Manage Team) had the same username.

    at 3 + 4: Yes, I agree, after enabling FTP in Manage Team I can modify the Home Directory to change it from `public_html/andreas` to `public_html`. However, there is more to that.

    I tested it again from scratch so that I don't have to rely on results of previous tests from last year.

    a) Add a new Manage Team member `test`, immediately enable FTP and immediately delete the default `public_html/test` from the home directory to keep it empty (before saving for the first time).

    → creates a user in User Manager with access to root `/` — tested via FTP client, access to root possible as expected (I tested this with 4 new users in total; 1 single time I only got access to `public_html` doing the exact same thing, maybe I am getting crazy).

    b) Check (read-only): Have a look at User Manager and see the home directory showing `🏠/` followed by an empty field, as expected. Have a look at Manage Team and see the home directory showing `public_html/test`, which is not expected.

    c) Go to Manage Team and simply re-save the user → because the home directory in Manage Team wrongly shows `public_html/test`, this is what is going to be written as the new permissions.

    Check User Manager home directory shows now `public_html/test`.

    Check FTP client access lists an empty folder in `public_html/test`.

    Result: unexpected that it wrongly showed `public_html/test` when we opened Manage Team; expected that in the end it set the home directory everywhere to the same path. It looks like changing the home directory in Manage Team does overwrite/sync/show the same home directory for the user in User Manager, but later tests do not fully confirm this - it depends on what path you try to set to receive a sync.

    d) Go to Manage Team and delete the home directory again (similar to what we did when creating the new team member in (a)), that means keeping the field empty.

    Check User Manager home directory shows surprisingly `public_html`.

    Check FTP access gives an empty folder, I assume `public_html/test` (very unexpected and complete chaos at that moment).

    Check FTP access a few minutes later again gives `public_html`.

    Result: At creation time of the Manage Team member I am able to set the home directory to root `/` by keeping the field empty. Later on I am not able to do that anymore, as it automatically always points at least to `public_html`. Keeping the home directory field in Manage Team empty leads to different results during first-time creation and later alteration. I also learned that testing with an FTP client perhaps requires some wait time, and be sure that the connection got closed, otherwise test results get messed up.

    I repeated the entire step (d) again to double check – same result.

    e) This time go to User Manager first and change the home directory there from `public_html` to root `/` by keeping the field empty.

    Check Manage Team home directory now surprisingly shows `public_html/test`.

    FTP access shows at first `public_html`; after waiting a few more minutes it gives me access to root `/`.

    Review User Manager still shows an empty field, which I still interpret as access to root `/`.

    Result: I think this is exactly the same result I got 10 months ago, just this time I did more structured testing. This also shows that my first post in this thread is fully correct.

    f) Now let's see one more time how changes "sync" between User Manager and Manage Team by testing without root `/` and empty fields, as those might be special situations. It's unclear if "sync" is the correct term, as a sync can only happen when there are two different entities or artefacts under the hood. Go to the User Manager and set the home directory to another folder, e.g. I have one folder for all add-on domains, `public_html_addon`, so I add that as home directory in User Manager.

    Check Manage Team home directory shows now `public_html_addon`.

    FTP access gives me access to `public_html_addon`.

    Result: as expected

    Now the other way round: go to Manage Team and set the home directory back to `public_html`.

    Check User Manager home directory shows now `public_html`.

    FTP access after some waiting time gives me access to `public_html`.

    Result: as expected

    g) Similar to (d): Go to Manage Team and set the home directory to `/` instead of keeping it empty. For this one I added a screenshot to avoid miscommunication, because this one is interesting.

    Check User Manager home directory shows now an empty field, meaning root `/`.

    FTP gives me root access.

    Going back to Manage Team again, however, shows me `public_html/test`.

    h) Creating a member in Manage Team without enabling any services (FTP not enabled) also creates a user in User Manager. This should only show that a user in User Manager is always created, even for the most simple variation in Manage Team.

    I hope this helps to get a better picture of all this. All those tests were run on cPanel 128.0.15. I am just on reseller hosting, which means I do have access to WHM but I am only a user on that level.

    0
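A defender-side check for the pitfall described in the post above, added here as an example (it is neither cPanel's code nor the poster's): it normalises the home-directory value as typed into the UI (empty, `/`, `public_html/test`, a path containing `..`) to the directory the FTP login will effectively be confined to, relative to the cPanel account home, and flags accounts that land outside the intended web roots. The account list is a constructed JSON sample; its field names (`user`, `homedir`) are assumptions, not cPanel's real API or file format.

```python
import json
import posixpath

# Constructed sample shaped like an exported FTP account list.
# Field names are assumptions, not cPanel's real format.
SAMPLE_FTP_ACCOUNTS = json.dumps([
    {"user": "test@example.com", "homedir": ""},                 # step (a): field left empty
    {"user": "andreas@example.com", "homedir": "public_html/andreas"},
    {"user": "addon@example.com", "homedir": "public_html_addon"},
    {"user": "root_ish@example.com", "homedir": "/"},            # step (g): explicit slash
    {"user": "sneaky@example.com", "homedir": "public_html/../.ssh"},
])


def effective_root(homedir: str) -> str:
    """Return the directory an FTP login is confined to, relative to the
    account home ('/' means the whole account home, as in steps a, e and g).
    Empty strings, extra slashes and '..' segments are all normalised, so
    '', '/', '//' and 'public_html/..' every one collapse to '/'."""
    relative = homedir.strip().lstrip("/")
    # posixpath keeps a leading '//' as-is, so anchor exactly one slash.
    return posixpath.normpath("/" + relative)


def is_confined(homedir: str, allowed=("/public_html",)) -> bool:
    """True if the effective root is one of the allowed web roots or below it.
    The check requires a '/' boundary so 'public_html_addon' does not pass
    as a child of 'public_html' by plain string prefix."""
    root = effective_root(homedir)
    return any(root == a or root.startswith(a + "/") for a in allowed)


def audit(accounts_json: str, allowed=("/public_html",)) -> list:
    """Return (user, effective_root) for every account that escapes the
    allowed roots, i.e. the accounts a reviewer would want to look at."""
    findings = []
    for acct in json.loads(accounts_json):
        if not is_confined(acct["homedir"], allowed):
            findings.append((acct["user"], effective_root(acct["homedir"])))
    return findings


if __name__ == "__main__":
    # Treat both web roots used in the thread as legitimate.
    for user, root in audit(SAMPLE_FTP_ACCOUNTS, ("/public_html", "/public_html_addon")):
        print(f"{user}: FTP root is {root}")
```

Run this against a real export after every change made in either Manage Team or User Manager, since the thread shows the value displayed in one interface is not a reliable indicator of what the FTP server actually enforces.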
  • cPRex Jurassic Moderator

    Thanks for that excellent description.  Step b is where I'm no longer able to reproduce - once I create the Manage Team user and remove "test" from public_html/test, I confirmed in User Manager the user shows public_html, and then going back to Manage Team I still see just public_html with no "test" directory.

    If you have a server you can reproduce this behavior on, could you create a ticket so we can see this in action?

    0
  • markus909

    I am only on a reseller plan from a hosting company.

    But I am not sure if you did the same as I did:

    Add a new Manage Team member `test`, immediately enable FTP and immediately delete the default `public_html/test` from the home directory to keep it empty (before saving for the first time).

    I think you only removed "test" and left "public_html" as the home directory. But to reproduce you need to try removing everything and keeping the home directory field completely empty.

    Also, this only works the first time during the creation process of the Manage Team member. So if you try again, you need to add a new Manage Team member/user. Editing the Manage Team member/user now will not do it.

    0
  • cPRex Jurassic Moderator

    I don't think it will like it being completely empty as an option - if I do that it defaults back to public_html/username, as expected.

    0
  • markus909

    What else can I do? I tested this for hours and multiple times today.

    If you do it like I said, the result will be like I have presented it. User Manager will show root (it shows 🏠/ [empty field], which is root to be precise). The FTP client will access root. Manage Team (if looked at again) will show not root but `public_html/test`.

    0
  • cPRex Jurassic Moderator

    Are you able to create a ticket with our team?

    0
  • markus909

    I can't, sorry. I did everything that was in my power. I don't own the licence, the hosting company owns the licenses. Reporting it to the hosting company is 99% useless, as they do not see such things as their task (which I can understand, even in such a particular case).

    0
  • cPRex Jurassic Moderator

    I'll work through this again and let you know what I find out!

    0
  • markus909

    Great, thanks. I reproduced it many times, over many months, and it became more and more clear over time. I hope this all helps to eventually get it fixed.

    0
  • cPRex Jurassic Moderator

    If I completely remove the FTP user path, and then go back to cPanel >> Manage Team >> Edit User, I can see that it restores the default of /public_html/username as the home directory.

    While that is likely the intended behavior, I do believe that should be more clear in the interface, so I've created case CPANEL-48172 to see if we can make this behavior better, possibly by providing a warning or intuitive error message about the Home Directory text field not being allowed to be blank.

    I think this would ultimately resolve the issues that led to the confusion between the two pages, but let me know if you were looking for any additional changes there.

    0
  • markus909

    I don't think that's just it.

    You basically say now that it should not be allowed to keep the home directory field empty. If I am not mistaken, it's not only about the "home directory" but also about the actual permission when accessing via FTP client.

    If you say it should give a warning instead of allowing the field to be kept empty or set to "/", then this would mean at the same time that it is not allowed to give root access.

    That would mean that with Manage Team (the one that should stay, as it is the more advanced and newer interface) I could not do that (once it's fixed), but with User Manager I could (but that might go away in the future and be replaced by Manage Team to have one clear location to manage users and their permissions).

    There is also a difference whether I leave the field (for the home directory in Manage Team) empty during first-time member/user setup vs. later editing of that same member/user.

    0
  • cPRex Jurassic Moderator

    When the issue I reported is resolved it would also fix the permissions for the FTP user itself, since we'd be limiting them there.

    0
  • markus909

    I gave it some more thought — I think cPanel really needs to decide:

    Is root access via FTP for users created through Manage Team allowed - or not?

    Whatever the answer, it must be consistent across all interfaces (currently there are User Manager and Manage Team).

    Also, setting the home directory during creation and later editing should not behave differently - the logic must be consistent to avoid confusion and accidental permission changes. This isn’t just confusing but can lead to real security issues in practice.

    ---

    One more thing: it would help if it were clearer whether these are technically "team members" or "users." Right now, every new entry in Manage Team also appears in User Manager, so I assume they're the same entity under the hood → but that's not obvious in the UI. I do understand that the terminology isn't always simple, especially since the original cPanel account owner is likely yet another layer (a real UNIX user under the hood).

    I started out just as a normal cPanel user (I don’t even run my own server, just a reseller account), but I am slowly starting to see through these layers - and it’s a bit scary what I’m discovering here.

    0
  • markus909

    When the issue I reported is resolved it would also fix the permissions for the FTP user itself, since we'd be limiting them there.

    Didn't see your response while I was working on mine.

    0