Restrict Folders for FTP users

Discussion in 'Installation/Configuration' started by Markus Wienhöfer, Jan 21, 2022.

  1. Markus Wienhöfer

    Markus Wienhöfer New Member

    Hi,
    I am currently trying (and failing) to implement the following behaviour using ISPConfig:
    In order to fulfil client-specific criteria we need multiple FTP users (ftp-1, ftp-2, ...) that all have the "/web" directory as root. In this web directory they should only be able to write to (and ideally also only see) a specific sub-directory:
    ftp-1 -> /web/ftp-1/
    ftp-2 -> /web/ftp-2/
    The files in these directories should then be hosted at
    domain.xyz/ftp-1/
    domain.xyz/ftp-2/
    I already tried different approaches (creating shell users, mapping the web users to shell users, reading up on site aliases, ...) but am stuck.
    Is this possible to implement using ISPConfig (or by adding manual steps outside ISPConfig)?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's really easy to do in ISPConfig with FTP users. Shell users are not used for FTP, so take care to delete them and to undo any custom config changes you made. Then create an FTP user in ISPConfig by clicking on new FTP user, selecting the website it belongs to and entering its username and password, then go to the Options tab of the FTP user, and there you set its directory to:

    /var/www/clients/clientX/webY/web/ftp-1

    where the X and Y must match the IDs of the existing path you see there, so basically all you do is append /web/ftp-1 to the path that's already there.
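    A small sanity check for the value that goes into that directory field, added here as an example and not part of ISPConfig's own validation: it takes the website path that is already shown (the /var/www/clients/clientX/webY layout is assumed from this thread) and confirms that the entered directory is the site's web folder or something beneath it, with no relative components that could point outside the site.

```shell
#!/bin/sh
# Added example (not ISPConfig code): check an FTP user's directory before
# applying it. Rule from the thread: take the existing website path and
# append /web/<subdir>; the FTP root must stay inside the site's web folder.

# ftp_dir_ok SITE_ROOT REQUESTED_DIR
#   SITE_ROOT      the path ISPConfig already shows, e.g. /var/www/clients/client1/web1
#   REQUESTED_DIR  the value typed into the FTP user's directory field
# Returns 0 when REQUESTED_DIR is SITE_ROOT/web or a directory below it,
# is absolute, and contains no '.' or '..' path components.
ftp_dir_ok() {
    site_root="$1"
    dir="$2"
    webroot="${site_root%/}/web"

    # must be an absolute path
    case "$dir" in
        /*) ;;
        *) return 1 ;;
    esac

    # reject '.' and '..' components, which could resolve outside the web folder
    case "/$dir/" in
        */../*|*/./*) return 1 ;;
    esac

    # ignore a trailing slash for the comparison
    dir="${dir%/}"

    # must be the web folder itself or something underneath it
    case "$dir" in
        "$webroot"|"$webroot"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration with the layout from the thread (client1/web1 assumed)
for candidate in \
    /var/www/clients/client1/web1/web/ftp-1 \
    /var/www/clients/client1/web1/web/../../web2/web \
    /var/www/clients/client1/web1/private \
    web/ftp-1
do
    if ftp_dir_ok /var/www/clients/client1/web1 "$candidate"; then
        printf 'ok        %s\n' "$candidate"
    else
        printf 'rejected  %s\n' "$candidate"
    fi
done
```

    Note that the check only looks at the string; it does not confirm the directory exists or who owns it, which is the subject of the later posts in this thread.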
     
  3. Markus Wienhöfer

    Markus Wienhöfer New Member

    Hi Till,
    thanks for your reply. I have set specific starting directories for FTP users in the past. In this case it is important, though, that the FTP user starts in the "/web" directory. The reason for this is that the client application has to realize that the path to the files is a subdirectory.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The start folder and restricted folder in FTP is always the same, so you can either set it to the web folder and have it not restricted to ftp-1 or you set it to /web/ftp-1 and the start folder is also /web/ftp-1. This is relevant for the FTP client only btw, the web application and also HTTP clients see the sub folder as domain.xyz/ftp-1/
     
  5. Markus Wienhöfer

    Markus Wienhöfer New Member

    Ok, so there is no way to connect the virtual FTP user to a specific existing shell user and restrict folder access by changing the permissions on the folder itself?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    That's something that you can do, the shell user that is connected to the FTP user is configured on the options tab as well. But the web application might refuse access to files then when they are not owned by the website user anymore.
     
  7. Markus Wienhöfer

    Markus Wienhöfer New Member

    I tried to set the shell user that is connected to the virtual FTP user (which was a bit difficult, because the form validation would not let me set some users, even though they existed). I wasn't able to change the directory to a different owner though (chmod to the shell user as root resulted in no error, but the folder still belonged to web1 afterwards). Is there a mechanism that prevents setting a different owner?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    You might have to change the folder owner after changing the FTP user, it might be that the FTP user change triggers the folder to be changed to the website owner. And the 'web' folder ownership should not be changed, change only the ftp-1 folder ownership.
     
  9. Markus Wienhöfer

    Markus Wienhöfer New Member

    That's the thing that puzzles me:
    If I try to change the owner of /web/ftp-1 to an existing user (let's say "ftp-1") as root, it stays (or reverts to) "web1"
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    And this existing user is really in the /etc/passwd file? What you can try to do is to remove the immutable bit of the client folder as a test, but this should not have any influence on that as ftp-1 is in the web folder which is not set to be immutable.

    chattr -i /var/www/clients/clientX/webY
     
  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    When you add a "ftp-1" shell user to the web1 site, it will be added to the system /etc/passwd with the same uid as the existing "web1" user, so whether you "chown ftp-1 some-file" or "chown web1 some-file" they will both have the same owner, and both show in ls as user "web1" because that's the first match in /etc/passwd for that uid.
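    The uid sharing Jesse describes, shown with a constructed /etc/passwd excerpt so it runs offline; this is an added example, not ISPConfig's own code, and the uid 5004 and the paths in it are invented. The first two functions mimic what chown (name to uid) and ls (uid to the first matching name) do, which is why a chown to ftp-1 is a no-op and still lists as web1.

```shell
#!/bin/sh
# Added example (not ISPConfig code): why "chown ftp-1 dir" still shows
# "web1" in ls. Runs on a constructed /etc/passwd excerpt; uids and paths
# below are invented for the demonstration.
PASSWD_DEMO='root:x:0:0:root:/root:/bin/bash
web1:x:5004:5005:Website user:/var/www/clients/client1/web1:/bin/false
ftp-1:x:5004:5005:Shell user for web1:/var/www/clients/client1/web1/web/ftp-1:/bin/bash'

# name_to_uid NAME -> what chown does with a user name: resolve it to a uid
name_to_uid() {
    printf '%s\n' "$PASSWD_DEMO" | awk -F: -v n="$1" '$1 == n { print $3; exit }'
}

# uid_to_name UID -> what ls -l does with a file's uid: print the FIRST
# passwd entry with that uid, so a file "owned by ftp-1" lists as web1
uid_to_name() {
    printf '%s\n' "$PASSWD_DEMO" | awk -F: -v u="$1" '$3 == u { print $1; exit }'
}

# displayed_owner NAME -> the name ls would print after "chown NAME file"
displayed_owner() {
    uid_to_name "$(name_to_uid "$1")"
}

# same_account A B -> succeeds when both names resolve to one uid, i.e. a
# chown from one to the other changes nothing on disk
same_account() {
    [ -n "$(name_to_uid "$1")" ] && [ "$(name_to_uid "$1")" = "$(name_to_uid "$2")" ]
}

# Demonstration
printf 'after "chown ftp-1 ...", ls -l shows owner: %s\n' "$(displayed_owner ftp-1)"
if same_account ftp-1 web1; then
    echo 'ftp-1 and web1 share uid 5004: the chown did nothing'
fi

# On a real ISPConfig host the same check is (not run here):
#   getent passwd ftp-1 web1    # compare the third field of both lines
#   id -u ftp-1; id -u web1     # equal numbers mean one account on disk
```

    Because the kernel only stores the uid, filesystem permissions cannot separate ftp-1 from web1 while they share it; restricting each FTP user to its own folder is done by the FTP user's directory setting, as Till described earlier in the thread.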
     