reseller with ssh/ftp access

[maur]

Hello.

As i saw in wishlist:
"resellers have an ftp login, where all users belonging to him are listed with their homedirs
resellers and users have ssh-shell (allow/disallow by admin for resellers, if allowed, resellers can allow/disalow for users)"

Im still getting knowing isp-cp panel, so i don't know exactly where are the limits in this case.
But Im really interested in helping or writing a modification allowing to setting ssh access.

Anyway.. i wanted to ask i someone maybe knows something more (like couple of technical issues involved in this task/wish) then these 2 lines?

[maur]

C'mon.. None of you guys has any idea about permissions of this directory structure?

[kilburn]

Quote:resellers have an ftp login, where all users belonging to him are listed with their homedirs

Unfeasible right now. Resellers do not have any system user assigned to them, neither ftp logins. This is because each main domain is treated as an individual entity (with it's own user). Nobody else can access their files. Not even the panel.

Quote:resellers and users have ssh-shell (allow/disallow by admin for resellers, if allowed, resellers can allow/disalow for users)

This is mostly a gui and trust issue. If you want a specific user to get shell access, just replace his default shell *and* change her password. Now, they will not be sandboxed/chrooted in any way, so make sure that permissions are correct elsewhere so he doesn't get access to things she shouldn't.

[maur]

(02-04-2010 07:31 AM)kilburn Wrote:  

Quote:resellers have an ftp login, where all users belonging to him are listed with their homedirs

Unfeasible right now. Resellers do not have any system user assigned to them, neither ftp logins. This is because each main domain is treated as an individual entity (with it's own user). Nobody else can access their files. Not even the panel.

Yes, i know. But you have it in wishlist.. so i thought maybe someone have an idea. Add system account to reseller isn't such a problem, but i don't know (yet) how to resolve problem with permissions..

Or wishlist is like "put there a porsche. It's a nice car. I don't know how we can put car into panel, but it's still pretty"?

[kilburn]

The wishlist is open to everyone and not moderated (except from very obviously malicious messages). You could go there and write "It would be great if the panel calls customers through VoIP when they're over quota, using a synthetized voice from festival". The stuff that we're commited to implement is on the roadmap, not in the wishlist.

What I mean is there are a lot of things in the wishlist that had not been discussed neither between devs nor in the community. As a result, we have no specific plans for these tasks, whereas we are "idle" on others because of technical blockers, etc...

In this case, I can assure you that this specific feature won't make it into the panel anytime soon, because:

1. It would force us to change the current fs layout that is hardcoded on some scripts (hard, bug-prone task).
2. There is no layout that can allow this "reseller has access to all their users' files" thingy without requiring acl support from the fs (something that is bad for performance, some distros doesn't even support and is very difficult to backup).
3. Some people (me at the very least) think that it's just stupid. Resellers can create temporary ftp accounts and access users' files, so there's no need to provide them with direct access everywhere. Additionally, anyone hacking the reseller ftp automatically would gain access to all the users' files, something that can be prevented by maintaining the current setup.

About the shell access feature, I know someone tried to implement it (without chrooting), so try searching the forum for more info / to see if he got something working. About the chrooting... it's a technical blocker: there's no "single solution fits all needs" available right now (I've invested a considerable amount of time analyzing different options) so we would have to either favor one type of users or implement multiple options, and we simply don't have the required dev workforce to do it.