I need to give my web devs access to /home

I need to give my web devs access to /home which is where all of the users accounts are stored. However, I don't wish them to have root access. I am not sure how to get the proper permissions setup.

Previously we just allowed them to use the SSH as root ability to SFTP to the server and have the FTP client automatically set the remote folder to /home. Logins are private / public key pairs, not password. Of course this does nothing to prevent them from changing to a directory above that. Friday evening about 4:30 one of my devs broke the server, the /usr/local directory was missing. I spent three hours in a panic figuring out if the folder had been deleted, or just moved. Lucky for me I found the folder in another subfolder of /usr - obviously someone dragged and dropped it via the SFTP client.

So, what I what to be able to do is create an account for the web devs that will give them access to the /home folder and have full control of everything there, without screwing up permissions in the individual folders and files that belong to the users themselves, and without giving them root access. How might I do this? I am not sure if this is something that can be done within WHM, if it needs to be done at the server level, or what group the user should belong to.

This server is a dedicated server colocated in a datacenter, so my access level is root.

Code:

grep '' /etc/redhat-release /usr/local/cpanel/version /var/cpanel/envtype ; grep CPANEL= /etc/cpupdate.conf ; httpd -v ; php -v ; mysql -V

/etc/redhat-release:CentOS Linux release 7.3.1611 (Core)
/usr/local/cpanel/version:11.62.0.15
/var/cpanel/envtype:standard
CPANEL=release
Server version: Apache/2.4.25 (Unix)
Server built:   Jan 25 2017 17:34:23
Cpanel::Easy::Apache v3.34.11 rev9999
PHP 5.6.30 (cli) (built: Jan 25 2017 17:38:54)
Copyright © 1997-2016 The PHP Group
Zend Engine v2.6.0, Copyright © 1998-2016 Zend Technologies
    with the ionCube PHP Loader v4.7.5, Copyright © 2002-2014, by ionCube Ltd.
mysql  Ver 14.14 Distrib 5.5.54, for Linux (x86_64) using readline 5.1

 

I just want to make sure I understand you correctly. Your saying I should put every web dev's public key (5 of them) into every .ssh/authorized_users file for every domain user (over 400 of them) and maintain this every time we add or remove a new user (a dozen or so times a week?) I'm not sure that solution is going to work to well for me.

 

WHM itself has access to somehow make changes to files and folders under home. It does not run as root, and the owner user and owner group of everything under /home it set the same as the account username. Also, there does not appear to be any filesystem ACLs in use on the home directory.

So how is the WHM / cPanel software giving itself access? I can only assume that the script somehow adds some user to each group membership, or there is a group that you can belong to that is itself added to each group membership of all the accounts. If I can add my web devs to that group, it gets me exactly what I asked for.

I don't see how it is unreasonable to assume there is no way to gain the same access that the hosting platform itself affords. WHM / cPanel is not itself running as root. So I am not asking to give them root access without giving them root access as you state. I am asking to give them access to a specific folder and have that access inherit down through the folder structure from that specific top level folder. The hosting application we are running appears to have this ability already, I just don't know how it is being accomplished as I don't see it being done via ACLs when I run getfacl

I might point out that if the filesystem was NTFS, it would do this stuff in it's sleep. I know that in most places Linux/Unix is suppose to be better, but the User:Group:Other filesystem permissions paradigm is very limiting and has painted me into a corner more times than I can count. I was hoping somebody more knowledgeable than myself could shed some light on it for me, as I can't believe that if the permissions issue was half as limiting as it appears to be to me, it would not have been fixed long ago. I want to believe it is lack of education on my end.

 

Does this include file transfer access for the web developer to work on all hosted web sites?

 

Ok, so this answers a lot of questions for me and it very helpful. I think that my solution is here, I just need to so a little experimenting with the reseller and how it works. Ultimately the Web Devs don't want to track 400 +/- account logins for FTP access. Either reseller will fix that for me, or I can setup a secondary FTP daemon running as root on an alternative port and requiring explicit TLS, then in that FTP daemon create a user who's FTP root is the home folder.