Owner should be who uploads. Apache can receive read permissions from world-readable bit. BUT, sometimes it needs also write permissions…
This is exactly a “Shared folders” feature I don’t want to duplicate!
The new User & Groups model in NS7 allows simplifying the underlying implementation of ACLs for Apache. We could add apache group as “Owner” and also apache user under ACLs tab.
This would remove the need of that exoteric checkbox “Allow .htaccess and write permissions overrides”…
A virtual host could require more than one directory with different filesystem permissions.
…or no filesystem at all: think about proxypass setup
I vote for two simpler implementations even if we need to duplicate a little code!
I had a little time to think about this feature and I would like to present my proposal.
Let’s start from a strong assumption: FTP is an insecure protocol, passwords of system users must not be sent over the FTP protocol.
Given a virtual host named goofy, the virtual host should have:
- DNS name automatically associated as server alias
- HTTPS access with custom certificate (auto-signed or Let’s Encrypt or purchased)
- Text area for advanced options (like PHP options or rewrite rules)
- FTP access using the virtual host name as user and a strong generated random password.
  - User: goofy
  - Password: GBq6Hdvn
- WebDav access (thanks to @stephdl for the implementation already done for NS 6)
This implementation could be very simple to maintain and extend.
Yes, we lose access using system users but this will save us from many problems and hacky code.
It’s not a big loss, virtual users are commonly used to access ftp, since those who upload files aren’t system users but external webmasters.
Like it, we may start with this, see how it goes and improve along the way.
It can be overcome in two ways.
- First create a file upload management from inside web NS interface (for specific users).
- Use SFTP.
Also having an FTP upload group that will restrict/permit some users to access NS via FTP can be a plus.
My two cents:
- I think it is important to make the use of a ‘proper’ (i.e. not self-signed) SSL certificate achievable for every Nethserver user! Basically to make it a standard setting for every web host/-site using a FQDN (using LE! or a purchased cert).
- FTP? No! SFTP, yes. For those vhost users that need it, throw in restricted secure shell access as well.
What people are used to is one thing, what we would like them to use can be something different. If we would like to stop them using ftp and we can make configuring and using sftp just as easy . . . why not.
Making it easy to use SSH keys instead of passwords might also be a good idea.
- SSL configuration per Virtual Host (a must have option)
- Ability to configure alias
- Access through SCP, SFTP
- For novice users to advanced users it would be great to have a webui (or file manager) to manage virtual hosts files:
I like the ability of extplorer to manage files via webdav or ftp, chmod, unzip, edit text files, etc.
and the simplicity of Ajenti file manager
Having read through the comments above, and currently testing N7 A3. Firstly, great job on the new install UI. As a webmaster I always use FTP to upload sites and pages, so please do not make this more difficult when upgrading the security side of things. As a sys admin I need a UI that makes it easy to install sites on a server with the individual SSL certs. Also we need to think about the newbie sys admin, these are people who need a system that, from their point of view, is simple and easy to set up.
I like the letsencrypt integration into Nethserver idea, and as a db programmer I know it’s not easy to code something simple to use.
Once you know you’ve to use SFTP instead of FTP, there’s no added difficulty to do things…
@davidep has some good news on this argument, I don’t want to spoil the surprise.
New module ready, please follow the discussion here NS7 Virtualhost page proposal going on