FTP, PHPsuexc and Development

[nurseryboy]

Hey guys,

I work for a website development company and we're in the process of moving all our sites over to a dedicated CPanel server (running phpsuexec). The issue we're running into, though, is that for our developers to be able to manage/update/edit the websites, they have to set up the FTP clients in their editors with each account on the server, and, with a few hundred accounts, it's not really feasible.

Right now, since we're just getting started with the new server, we've given them the root password (yes.. I know..) so they have access to all of the sites through one FTP account. This is nice (security aside), but it does cause some issues with the permissions not being correct on any new files they create. (With phpsuexec, the files should be owned by the account it's under, but new files are created with the root account (which only makes sense)).

What we need is a way to give all our developers their own FTP accounts that give them access to only the /home directory, and, somehow not effect the permissions (at least to the point that allows the files to be run through the web, as right now you get error 500's.).

Does anyone have any ideas? We love CPanel and the balance of management and flexibility it gives us, but this is one thing we haven't been able to figure out how to do yet. Any suggestions would be greatly appreciated.

Thanks!

Matthew

 

[adept2003]

If they keep the root login, you could write a script that can be run periodically to set correct ownership & file permissions. Not sure if cPanel's built in script will do it, but try it at your own risk (I'm a little bit weary about the part saying files being deleted!):

/scripts/chownpublichtmls - Change ownership of all users web space to them, which is useful for converting to suexec. Files owned by nobody are deleted.

Alternatively, maybe setup the sites as addon domains under one main account (although this probably defeats the whole point of phpsuexec).

 

[brianoz]

If you're asking for a generic password so web developers can access all sites, I can't think of a way that you could do that other than root, or per-developer root logins, both of which are a very, very bad idea. Wait till a developer destroys your system by removing something accidentally and you'll see what I mean.

Your developers pretty much are going to have to use per-site logins. They could use the cpanel username and password, or you could use the FTP manager to create a per-developer login. For instance the developer jo could have a standard ftp login of [email protected] with a standard password on each domain so she wouldn't need to remember something different for each domain.

This has the advantage that you can keep track of which developer has worked on which site very easily - that is, if they have a domain FTP account they have worked on the site.

With the standard setup, you'd have to create these users manually.

At the moment you'd have to create these FTP users manually, once for each domain on the system, which is messy. I have the same problem and I've been thinking that one solution could be to have a standard webpage which exists in only one place on the system but is mapped to each domain. To activate their FTP username on a domain, the developer would visit www.domain.com/ftp-activation and enter their special username and password and a behind-the-scenes root job would create their username on the account. This does take a bit of knowledge to setup but could work a treat, as any developer can have auditable access to any domain on the server - which still leaves you with accountability and visibility, something you lose badly on with global root access.

Unfortunately once you give developers root they start to think they need it. Unless you want your system to end up unreliable, I'd take it back quickly and replace it with manually created FTP logins for now. If you explain to the developers the risk of them having root access (they could easily render the system unbootable by changing/deleteing the wrong files) they should understand!

 

[nurseryboy]

Yeah, I totally agree with you about allowing them to have root access. I don't like it at all either. It's really unfortunate there's no way to make a CPanel server more developer-friendly, though I don't think there's much CPanel could do anyhow. I guess it's just the sacrifice that needs to be made in order to keep a secure server.

I like your idea about FTP accounts. It's just going to be a pain to have a few hundred connections in the developer's IDE's. Oh well. Thanks for your comments. I'm going to see what we can get set up!

Matthew