The Community Forums


FTP accounts is useless.

Discussion in 'General Discussion' started by mchan004, Jul 11, 2012.

  1. mchan004

    mchan004 Member

    Joined:
    Jul 11, 2012
    Messages:
    6
    Likes Received:
    0
    Trophy Points:
    1
    cPanel Access Level:
    Website Owner
    I feel that if you want to share space in your hosting with another person, an FTP account is useless.
    Because after creating an FTP account with a limit (50 MB), users can upload a website that has a "File Management" function to access or modify ALL files in your hosting :eek::mad:
    For example, http://extensions.joomla.org/extensions/core-enhancements/file-management/2630 for Joomla.

    Lastly, how do I fix this? :D I use JustHost cPanel.
     
    #1 mchan004, Jul 11, 2012
    Last edited: Jul 11, 2012
  2. NetMantis

    NetMantis BANNED

    Joined:
    Apr 22, 2012
    Messages:
    117
    Likes Received:
    0
    Trophy Points:
    0
    Location:
    Utah
    cPanel Access Level:
    DataCenter Provider
    I don't quite understand what it is that you are saying.

    Your primary FTP login on Cpanel accounts takes you to the folder just above public_html.

    However when you create additional FTP logins, they are locked specifically to the folder you specify and any folder beneath that location and mainly useful for creating separate FTP logins to manage either subdomains or addon domains on your account.

    Anyone using those FTP logins cannot access other parts of your web account --- just the folders where the FTP is set up. They also do not have any need to change to "public_html" once connecting because they are already at the correct location needed for uploading files upon connecting.

    If you have additional added FTP accounts that access the whole account, you didn't set it up correctly! ;)
     
  3. mchan004

    mchan004 Member

    Thanks for the help :eek:
    My problem is that when I create an additional FTP account (example: an additional FTP login for public_html/thanhtu),
    the user of this account can access, modify, edit, ... other parts, including public_html, by uploading a website capable of "File Management".
    I tried creating a Joomla site in thanhtu and installing the "File Management" component, and this component can modify other parts of public_html :eek:
    My English is too bad :D
     
    #3 mchan004, Jul 11, 2012
    Last edited: Jul 11, 2012
  4. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Joined:
    Oct 2, 2010
    Messages:
    7,623
    Likes Received:
    21
    Trophy Points:
    38
    Location:
    somewhere over the rainbow
    cPanel Access Level:
    Root Administrator
    You didn't happen to give that user the same password as your main account for their FTP account login, right?
     
  5. mchan004

    mchan004 Member

    Yes. The user is only an FTP account.
     
  6. cPanelTristan

    cPanelTristan Quality Assurance Analyst
    Staff Member

    Not talking about the username itself. Is the password an entirely different password than your main account?
     
  7. mchan004

    mchan004 Member

    Yes :eek:
    The problem here is that with an FTP account, the user can upload a website to manage ALL my files.
     
  8. mchan004

    mchan004 Member

    You can try it.

    In the image, I share an FTP account for the directory public_html/dichvuweb/kythuat/.
    With this directory I can upload a website to manage my files in public_html.
     
    #8 mchan004, Jul 11, 2012
    Last edited by a moderator: Apr 13, 2013
  9. Chris.Bshm

    Chris.Bshm Member

    Joined:
    Oct 20, 2011
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
  10. mchan004

    mchan004 Member

    Thank you! You know what I mean :p
    But I think there is other source code that can do this.
    How to prevent it radically?

    How to do that :D
     
  11. NetMantis

    NetMantis BANNED

    That sort of says it all! That's not FTP --- that's PHP scripting!

    If your server is using DSO (Mod_PHP) then all scripts on your account (and the rest of the server for that matter) will execute from the user named "nobody" and have the common permissions under that owner. This is actually an extremely dangerous security flaw in its design and one of the larger (one of many) reasons not to use DSO based PHP on any hosting server. Not only can all the users under your cPanel account access all your files but also any other hosting user anywhere else on that same web hosting server too!

    Ideally you would want to be using either SuPHP or FCGI (Not to be confused with FastCGI though commonly used interchangeably by a lot of people). With these types of PHP installations, all your scripts execute under the owner of the file (IE: the name of the FTP login you used to upload the files originally) instead of the common user 'nobody' so permissions can be restricted to the owner access alone and you don't have the same security complications.

    Since you are trying to set up a second user as an addon FTP account on your cPanel account versus just simply giving them their own cPanel account separate from yours, I would presume that you must be a shared hosting user without any access to the actual server itself or to the WHM console. If that is the case, there may not be much you could do other than change hosting providers to somewhere that isn't using insecure Mod_PHP for their PHP installation. Shared hosting account users typically do not have access to 'root' or WHM and would not normally be able to change the type of PHP that is installed or make any other security enhancement type of modifications to the server.

    If you are a shared hosting account user, you can skip most of the rest of this message ....

    If you do have your own server (fully dedicated or VPS) and you do in fact have "root" access to the server then you would be able to go ahead and change the PHP type to a more secure form using "EasyApache" either from WHM or from the Linux command shell (/scripts/easyapache).

    Having root access to the server means you could also just give the other user their own separate Cpanel account apart from yours instead of as an addon user to your own cpanel account. However, as I pointed out above, as long as the server is running DSO (Mod_PHP) based PHP, the user even on their own separate cpanel account would still have the ability and access to be able to look at and change the files on your account so you would still want to change the PHP type to either SuPHP or FCGI even if you did give the user their own separate account!

    Once you have changed over to either SuPHP or FCGI, you would also want to modify the permissions of the files in your web hosting account to be more secure to properly make use of the security improvements that those types of PHP installations actually will bring you.

    The following is the most ideal list of permissions for files in your web hosting account:

    600 Use this permission for all your PHP scripts including also those that ask you to set 777 as the permission
    400 If any PHP script complains about being "WRITABLE" or thinks it's 777 when it's not, use this instead.
    755 This should be the permission of all CGI scripts (*.pl and *.cgi) and also all folders beneath public_html
    644 This should be the permission of all your NON-SCRIPT files (IE: *.html, *.css, *.txt, *.gif, *.jpg, etc)

    NOTE: Under no circumstances set any file or folder to permission 666 or 777. In fact under either SuPHP or FCGI it will actually break your scripts to have permissions set to 777 because it's roughly equivalent to '000' on those systems. 600 for PHP Scripts and 755 for folders under SuPHP/FCGI is roughly the same as 777 from DSO (Mod_PHP) for those same files and folders respectively.
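
The permission list in the post above, turned into an audit, as an added example that is not part of the original thread. The function name `audit_webroot` and the finding labels are hypothetical, and the checks assume suPHP or FCGI, so that scripts run as the file owner; anything world-writable is flagged too, which covers the 666 and 777 cases in the NOTE.

```sh
#!/bin/sh
# Audit a web root against the modes listed in the post:
#   PHP scripts 600 or 400, CGI scripts (*.pl, *.cgi) and folders 755,
#   all other (non-script) files 644, nothing 666 or 777.
# Prints one "LABEL<TAB>path" line per deviation and nothing for a clean tree.
# Assumption: paths contain no newlines.

# Prefix every path read from stdin with a finding label.
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

audit_webroot() {
    root=$1

    # Writable by "other": any local account, including a shared PHP
    # user such as "nobody", could modify these entries.
    find "$root" -mindepth 1 ! -type l -perm -0002 -print | tag WORLD_WRITABLE

    # PHP sources should be readable by the owner only.
    find "$root" -type f -name '*.php' ! -perm 600 ! -perm 400 -print \
        | tag PHP_NOT_600_OR_400

    # Folders beneath the web root should be exactly 755.
    find "$root" -mindepth 1 -type d ! -perm 755 -print | tag DIR_NOT_755

    # CGI scripts need the execute bits, so they should be 755.
    find "$root" -type f \( -name '*.pl' -o -name '*.cgi' \) ! -perm 755 -print \
        | tag CGI_NOT_755

    # Everything else is static content and should be 644.
    find "$root" -type f ! -name '*.php' ! -name '*.pl' ! -name '*.cgi' \
        ! -perm 644 -print | tag STATIC_NOT_644
}

# Stand-alone use: sh audit.sh /home/USER/public_html  (placeholder path)
if [ "$#" -gt 0 ]; then
    audit_webroot "$1"
fi
```

An entry can appear under two labels: a 666 text file is both world-writable and not 644.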
     