I need to give my web devs access to /home

[John C. Reid]

I need to give my web devs access to /home which is where all of the users accounts are stored. However, I don't wish them to have root access. I am not sure how to get the proper permissions setup.

Previously we just allowed them to use the SSH as root ability to SFTP to the server and have the FTP client automatically set the remote folder to /home. Logins are private / public key pairs, not password. Of course this does nothing to prevent them from changing to a directory above that. Friday evening about 4:30 one of my devs broke the server, the /usr/local directory was missing. I spent three hours in a panic figuring out if the folder had been deleted, or just moved. Lucky for me I found the folder in another subfolder of /usr - obviously someone dragged and dropped it via the SFTP client.

So, what I what to be able to do is create an account for the web devs that will give them access to the /home folder and have full control of everything there, without screwing up permissions in the individual folders and files that belong to the users themselves, and without giving them root access. How might I do this? I am not sure if this is something that can be done within WHM, if it needs to be done at the server level, or what group the user should belong to.

This server is a dedicated server colocated in a datacenter, so my access level is root.

grep '' /etc/redhat-release /usr/local/cpanel/version /var/cpanel/envtype ; grep CPANEL= /etc/cpupdate.conf ; httpd -v ; php -v ; mysql -V

/etc/redhat-release:CentOS Linux release 7.3.1611 (Core)
/usr/local/cpanel/version:11.62.0.15
/var/cpanel/envtype:standard
CPANEL=release
Server version: Apache/2.4.25 (Unix)
Server built:   Jan 25 2017 17:34:23
Cpanel::Easy::Apache v3.34.11 rev9999
PHP 5.6.30 (cli) (built: Jan 25 2017 17:38:54)
Copyright © 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright © 1998-2016 Zend Technologies
    with the ionCube PHP Loader v4.7.5, Copyright © 2002-2014, by ionCube Ltd.
mysql  Ver 14.14 Distrib 5.5.54, for Linux (x86_64) using readline 5.1

 

[quizknows]

Honestly in this case I would try to use key based access. No matter what you're going to face some risk but not as bad as someone else having root.

Anyway, if you could get them to use SSH keys for each account, you could drop authorized_keys files into ~/.ssh/ for each user. Then each dev could have their own key that you allow access to several or all accounts if you wish.

It would be a bit tricky if you've never done it before but likely easier than trying to work out permissions / user groups etc to just let them access /home/

It wouldn't be hard to script out to add a (new) key to every cpanel user's authorized keys file.

 

[John C. Reid]

Honestly in this case I would try to use key based access. No matter what you're going to face some risk but not as bad as someone else having root.

Anyway, if you could get them to use SSH keys for each account, you could drop authorized_keys files into ~/.ssh/ for each user. Then each dev could have their own key that you allow access to several or all accounts if you wish.

It would be a bit tricky if you've never done it before but likely easier than trying to work out permissions / user groups etc to just let them access /home/

It wouldn't be hard to script out to add a (new) key to every cpanel user's authorized keys file.

I just want to make sure I understand you correctly. Your saying I should put every web dev's public key (5 of them) into every .ssh/authorized_users file for every domain user (over 400 of them) and maintain this every time we add or remove a new user (a dozen or so times a week?) I'm not sure that solution is going to work to well for me.

 

[quizknows]

I mean, you're basically asking to give devs root access without giving them root access. I don't say this to be mean; it's just that your needs present a very difficult situation, and not one with an accepted solution that I know of.

Perhaps someone who has worked more with reseller accounts could offer a solution that involves owning all of your domains with a reseller account instead of root, and using that login for devs rather than root. That's the only other thing I can think of off the top of my head, and that might be easier for you.

 

[John C. Reid]

I mean, you're basically asking to give devs root access without giving them root access. I don't say this to be mean; it's just that your needs present a very difficult situation, and not one with an accepted solution that I know of.

Perhaps someone who has worked more with reseller accounts could offer a solution that involves owning all of your domains with a reseller account instead of root, and using that login for devs rather than root. That's the only other thing I can think of off the top of my head, and that might be easier for you.

WHM itself has access to somehow make changes to files and folders under home. It does not run as root, and the owner user and owner group of everything under /home it set the same as the account username. Also, there does not appear to be any filesystem ACLs in use on the home directory.

So how is the WHM / cPanel software giving itself access? I can only assume that the script somehow adds some user to each group membership, or there is a group that you can belong to that is itself added to each group membership of all the accounts. If I can add my web devs to that group, it gets me exactly what I asked for.

I don't see how it is unreasonable to assume there is no way to gain the same access that the hosting platform itself affords. WHM / cPanel is not itself running as root. So I am not asking to give them root access without giving them root access as you state. I am asking to give them access to a specific folder and have that access inherit down through the folder structure from that specific top level folder. The hosting application we are running appears to have this ability already, I just don't know how it is being accomplished as I don't see it being done via ACLs when I run getfacl

I might point out that if the filesystem was NTFS, it would do this stuff in it's sleep. I know that in most places Linux/Unix is suppose to be better, but the User:Group:Other filesystem permissions paradigm is very limiting and has painted me into a corner more times than I can count. I was hoping somebody more knowledgeable than myself could shed some light on it for me, as I can't believe that if the permissions issue was half as limiting as it appears to be to me, it would not have been fixed long ago. I want to believe it is lack of education on my end.

 

[Infopro]

I can't imagine any reason to give a group of people access to home, for anything.

Perhaps someone who has worked more with reseller accounts could offer a solution that involves owning all of your domains with a reseller account instead of root, and using that login for devs rather than root. That's the only other thing I can think of off the top of my head, and that might be easier for you.

Agreed. If you created a Reseller, and made that Reseller owner of all accounts, he could log into his own cPanel and have access to the other accounts he owns via the Current User menu.

 

[John C. Reid]

I can't imagine any reason to give a group of people access to home, for anything.



Agreed. If you created a Reseller, and made that Reseller owner of all accounts, he could log into his own cPanel and have access to the other accounts he owns via the Current User menu.

Does this include file transfer access for the web developer to work on all hosted web sites?

 

[quizknows]

If you go the reseller route then they would have total control over the cpanel accounts, but not root on the server. For example the reseller login could be used to change the cPanel account password (and subsequently, the SFTP password) for any account owned by that reseller. In short yes they could upload files, but they would also have access to email etc (but, realistically, that is hosted in home anyway.)

Also, there is a reason you use a root password to log into WHM. While it leaves the accounts owned by their own usernames/groups, and many tasks in WHM run with restricted privileges, it does actually use root permissions for things. I'm not sure where you got the idea that WHM doesn't run as root.

root     29169  0.0  3.2 103740 28016 ?        S    Feb28   0:07 cpsrvd (SSL) - waiting f --llu=1488428286 --listen=10,11,3,4,5,6,7,
root     18167  0.2  2.7 109820 24060 ?        S    16:38   0:00  \_ whostmgrd - serving 10.3 --llu=1488428286 --listen=10,11,3,4,5,
root     18168  0.3  2.8 117472 24868 ?        S    16:38   0:00  \_ whostmgrd - serving 10.3 --llu=1488428286 --listen=10,11,3,4,5,

 

[John C. Reid]

If you go the reseller route then they would have total control over the cpanel accounts, but not root on the server. For example the reseller login could be used to change the cPanel account password (and subsequently, the SFTP password) for any account owned by that reseller. In short yes they could upload files, but they would also have access to email etc (but, realistically, that is hosted in home anyway.)

Also, there is a reason you use a root password to log into WHM. While it leaves the accounts owned by their own usernames/groups, and many tasks in WHM run with restricted privileges, it does actually use root permissions for things. I'm not sure where you got the idea that WHM doesn't run as root.

root     29169  0.0  3.2 103740 28016 ?        S    Feb28   0:07 cpsrvd (SSL) - waiting f --llu=1488428286 --listen=10,11,3,4,5,6,7,
root     18167  0.2  2.7 109820 24060 ?        S    16:38   0:00  \_ whostmgrd - serving 10.3 --llu=1488428286 --listen=10,11,3,4,5,
root     18168  0.3  2.8 117472 24868 ?        S    16:38   0:00  \_ whostmgrd - serving 10.3 --llu=1488428286 --listen=10,11,3,4,5,

Ok, so this answers a lot of questions for me and it very helpful. I think that my solution is here, I just need to so a little experimenting with the reseller and how it works. Ultimately the Web Devs don't want to track 400 +/- account logins for FTP access. Either reseller will fix that for me, or I can setup a secondary FTP daemon running as root on an alternative port and requiring explicit TLS, then in that FTP daemon create a user who's FTP root is the home folder.

 

[quizknows]

Glad it helps. If I remember right, as long as "tweak settings" allows it, you can use the reseller account password to access a cPanel for any account owned by the reseller; I just don't know if that password can be used for other daemons. If nothing else though, the devs could log into each cPanel account using the appropriate accounts username and the reseller password.