I need to create a (sub-)server for making a new website. I can’t seem to create a user or extra admin for copying in the files with SCP or SFTP. Also, this user needs to view and modify site specifics, but not e.g. e-mail.
Creating an FTP-only user does not provide this, or I cannot seem to find the proper credentials to access the server.
Adding Terminal to the user gives it access to root and does not provide for SCP/SFTP access.
How can I achieve this from within the Virtualmin environment?
That’s tricky, actually. Ownership of files (website data) is defined by system users, and a Virtualmin extra admin is not a system user, it’s just a Webmin user.
You have a couple of options; the one I think is probably best is to just create both an FTP user and an extra admin user. The extra admin is the Webmin login, and the FTP user is the SSH/SFTP login. Yes, it’s two users, but there’s not a lot of overlap in functionality, so you’re not missing much (terminal and file manager, mostly).
Another option is maybe a little hacky, and I’m not sure it actually works (and there may be some implications I’m not aware of…please test this on a dev server, if trying this): Create a system user that has the same group as the domain (so they have file access, at least for files that are group read/write), and then create a matching Webmin user that has access to the modules you want them to have, including Virtualmin. You must edit the ACLs for all those modules, though. A standard Webmin user is a root user; as you found out, granting a user Terminal without editing their ACL for that Terminal to make it work as their user gives them root (and an Extra Admin doesn’t have a system user to make the Terminal run as anyway). This is potentially a minefield if the user is untrusted. Most Webmin modules have quite fine-grained ACLs, including Virtualmin, and delegation has always been a focus of the project, but…still, it’s risky territory for untrusted users.
The core part of the second option is that you need to edit the Virtualmin Virtual Servers ACL for that user to allow them the ability to edit the domain(s) you want them to be able to manage.
We should probably formalize this second option, assuming it’s possible and safe, but we’re rethinking the user model in dramatic ways in Virtualmin 8, so it might be wasted effort.
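For the second option above, the same-group system user only reaches files that are group read/write. The following is an added example, not part of the original posts and not Virtualmin code: a check that lists what such a user could not modify. The function names are hypothetical, and the directory and group passed in are whatever the domain actually uses.

```shell
#!/bin/sh
# Added example: list entries under a domain's directory that a second system
# user in the domain's group could NOT modify. Only mode bits and group
# ownership are examined; POSIX ACLs and parent-directory traversal are not.

# group_blocked DIR GROUP
# Prints each regular file lacking group read+write (octal 060), each
# directory lacking group read+write+search (octal 070), and any entry
# that belongs to a different group than GROUP (name or numeric GID).
group_blocked() {
    dir=$1
    grp=$2
    find "$dir" \( \
        \( -type f ! -perm -060 \) -o \
        \( -type d ! -perm -070 \) -o \
        \( ! -group "$grp" \) \
    \) -print
}

# count_group_blocked DIR GROUP
# Prints the number of entries group_blocked would report.
count_group_blocked() {
    group_blocked "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone use: sh script.sh <domain-dir> <domain-group>
if [ "$#" -eq 2 ]; then
    group_blocked "$1" "$2"
fi
```

An empty result means the mode bits and group ownership alone would let the second user edit everything under that directory; any path printed is one they would be locked out of, or one owned by an unexpected group.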
I wanted a second non-privileged account to do file transfers from another server with ssh, so I think I just edited the /etc/passwd file directly. But this was months ago, so I’m not positive.