Creating Contractor SFTP Users?
This article just scratches the surface of this problem. Since FTP is becoming old news, there is no other way on cPanel to give a contractor (dev, designer, marketer) SFTP access without sharing your entire cPanel root.
Sure, you can create a separate SSH key for them, but they still have to use your username, and as I said, they gain access to your entire root.
One way is to create a bare Linux user for the sole purpose of giving him access to a specific folder by chrooting him via SSH, then mounting your website's root to the user's root, and making sure he is in the group so he can have ownership of the files. Permissions should be flawless throughout all the paths. And even then, ownership can break some PHP and CGI setups - such a raw and wild procedure for a standard that has to become the cornerstone of safety.
I can't believe this isn't a feature in cPanel yet. In my experience, collaboration is a far more likely scenario than just one admin doing all the work. There should be a one-click option to create users who can have SFTP access. We can then filter them through SSH settings and decide whether they'll have access to SFTP or the entire shell. Even this can be an option in cPanel.
-
This is a very important issue and is the single most important issue that causes cPanel users to switch to Google Workspace, Outlook, etc.
All SFTP users also have 100% access to the domains' emails if the emails are hosted on the cPanel server. Imagine the level of compromise here: snooping possibilities and even blackmail.
-
All SFTP users
Can you elaborate? All emails on the server, or to their own domains' emails?
-
With CageFS, SFTP has access to the users' domains' mail.
Even one's own domains' email data being available to a contractor is not acceptable!
-
I'm on AlmaLinux, so I don't have CageFS. I still fail to understand what CageFS has to do with SSH.
The point is, it's easy to chroot Linux users (the ones created outside cPanel) in SSH using ChrootDirectory and thus protect your files, like mail or similar, but it's not easy to create a future-proof shared ownership environment in your website's folder for your cPanel user and a user created in Linux for the contractor.
If you try to chroot cPanel users in SSH, it will break the VirtFS JailedShell environment, which is a superior setup to simple chrooting in SSH, so we wouldn't want that.
Am I missing something?
In the meantime, I will stay away from custom Linux users for contractors and settle for FTPS with strong passwords. :(
-
cP has:
- Choose the type of shell - normal or jailed.
cP needs:
- Select whether the standard cPanel user is SFTP-only or SFTP + shell. This can be added as a toggle in the existing WHM > Manage Shell Access UI, alongside the normal or jailed shell toggle.
- Create custom Linux-only SFTP-only users, for example, contractors. These users won't be recognized by cPanel, like any other regular users created in Linux outside of cPanel.
- During their creation, we can select options like: don't create home dir in /home/~, password, choose their chroot directory in SSH. This is paramount because we need to mount our website root to the contractor's chroot in SSH.
I know that this means cPanel taking heavy control over the sshd_config file. Currently, the only thing it does to it is add/remove two directives regarding the Password Authorization tweak.
-
Hey hey - I don't have any good news on this one. We don't have any plans to expand SFTP to individual sub-users. It's been requested many times over the years, and we've consistently said "no".
-
I figured. I can see why. It's a deep dive into external software management, probably not worth it financially. The only thing that can drive this forward is an utter FTP deprecation.