New user creation for SFTP

Debian 10 Virtualmin 6.16

I read a lot of threads regarding user creation and was able to add a user with SFTP access (ProFTPd being removed from my servers) after some tweaking in the System Customization → Custom shells screen. User is able to login, he is logged directly into its own directory and he can navigate up and down into the virtualhost directory of the main user for that virtualhost. So far so good.

But I just discovered that although he is able to get into that directory, he cannot create folders (same for files) … the whole purpose of creating that user (and if I may the whole purpose of creating a SFTP user) is to upload files and folders … in fact my main goal is to have a second user (that I can revoke anytime) being allowed to upload files in the public_html folder of the concerned virtualhost … Is this possible at all ? did I take the wrong path ?

Thanks. Pierre.

Files and that subdirectory would need to be writable by the domain group (which the user should automatically be a part of). e.g. my joe account in the virtualmin domain is a member of the virtualmin group, so if files are writable by virtualmin group, my joe account can also write to those files.

Edit: I think this would be complicated in a suexec environment. I think it’ll require things to be not writable by the group…so, that’d make this not work. I’m not sure if PHP-FPM has that same restriction. You’d need to test it.

Though if the purpose of the user is to edit the website, you should use the “Add a website FTP access user” (regardless of whether you’re using FTP). We should probably update that labeling to not make it seem like it’s just FTP, because I believe it creates a user that can be used with SSH, as well (might require tweaking the shell settings, though). That creates a user with the same UID as the domain owner and sets their home directory to the public_html. No permissions questions there, since they are the domain owner.

Actually, looking into this, I’m not sure even I know how to make this kind of user work with SSH. I’m not sure the shell for this is editable in Custom Shells. Weird. I’ll have to ask Jamie.

You may need to configure what kinds of shells are available to FTP-access users are System Customization → Custom Shells.

Hello,

Yes I already did that to allow that user to sftp and the newuser is able to sftp into its own directory but not the main directory of the virtualhost. The user home directory is within /home/mainuser/homes/newuser.

As for using “Add a website FTP access user” I tried before, because it was not working I erased the user and it did erase my public_html directory (not stupid, I had a complete backup before so i was able to restore everything in a few minutes) so I’m not sure I want to try again. I had a warning but I didn’t realize it was telling that it was in the process of erasing the folder I had mentionned as the newuser root folder … so I’m not really sure I understand that process of “Add a website FTP access user” and how it is different from having a SFTP/SSH access …

Also newuser has the same group as mainuser … it’s weird I thought this was a very common process (at the same time I have been managing Virtualmin server for the last 15 years and it’s the first time I need this …).

P.

I explained that above. A “website FTP access user” has the same UID/GID as the domain owner account, and so operates exactly as that user. It will have all the same file permissions as the domain owner and file the user creates will be owned by the domain owner.

I don’t think I see a way for deleting that kind of user to delete the home directory of the domain, though.

And, to make it work with ssh, you have to do what Jamie said, which is the edit the shell for FTP users in Custom Shells to be something normal like bash (it is false by default, which makes ssh logins exit immediately).

For the last point, as I said I already went to that screen, and the only way to have the “Email, FTP and SSH” choice when creating the user was to check “default” in front of the line with /bin/bash and the newuser does have the capability to upload a file in its own directory but nowhere else.

For the “Add a website FTP access user” the only special thing I did was to check “website subdirectory” and to enter “public_html” in there because I wanted that newuser to access only the “public_html” folder, and when I decided to suppress I got a warning that I did misread, I understood that the newuser would loose acces to “public_html” not that the folder would be suppressed …

Yeah, I can see how that’s confusing. The language around user types is confusing as hell here. We need to work on that.

I don’t know which type of user in Custom Shells would apply to the website FTP access user. It just isn’t clear. Maybe Mailbox?? It probably ought to have its own shell type, as it is quite different than either admins or mailbox users.

That’s unnecessary for a “Website FTP access user” (and would be the wrong directory, since it’d be /home/domain/public_html/public_html). The default of Main website directory is public_html.

I still don’t know why it’d delete the directory, though. I can’t think of how/why it would.

But, to get you past this (and Jamie and Ilia and I can try to make this not so damned confusing going forward):

  1. Create a Website FTP access user. Do not change the default home directory.
  2. Edit the shell for the user in /etc/passwd to be whatever your preferred shell is (probably /bin/bash).

You’re done.

Hello,

Just did that (before even seeing your message) without changing the default directory (and after doing a full backup) and it did work :slight_smile: I even tried to delete that user and nothing was deleted so I guess it is that “changing home directory” that does something …

Thanks to you all !
Pierre

2 Likes