Virtualmin User to only have File Manager and Upload/Download access?

So as per the previous ticket, I can't have Chroot enabled via Virtualmin. That's OK; I have now configured the Chroot Jail for 2 Unix users and they can't access anything outside their designated directory over SFTP.

But I want to give webmin access with only access to designated directories to them and they not being able to access anything outside those directories on File Manager and Upload/Download modules. Also I don't want to give them anything else than these two modules. Yesterday I tried to do so but on Virtualmin there is no way to select or deselect modules for virtualmin users. And when I go to Webmin then I can't modify those users. System says that these are Virtualmin users and you shouldn't modify them.

So I thought I will create a new Webmin user and give them only File Manager and Upload/Download functionalities. But in doing so, that user has access to everything on domain. Including .ssh folders in home directory.

I'm stuck. How can I configure Webmin or Virtualmin (it doesn't matter to me really), but I want virtualmin users to only have access to File Manager, Upload/Download modules and also they are not able to access anything outside the designated directories for which they are Chroot Jailed (I know that is SSH functionality and this is not SSH), but would be good if I can select their highest level of directory access so they are not able to access anything above that.

Appreciate your quick hand with this.

Take Care.

Status: Closed (works as designed)
Virtualmin version: 6.12
Webmin version: 1.955

Comments

Submitted by Ilia on Tue, 10/13/2020 - 06:25

Hi,

> So I thought I will create a new Webmin user and give them only File Manager and Upload/Download functionalities. But in doing so, that user has access to everything on domain. Including .ssh folders in home directory. I'm stuck. How can I configure Webmin or Virtualmin (it doesn't matter to me really), but I want Virtualmin users to only have access to File Manager, Upload/Download modules

You would need to create a new safe user under the Webmin Users module. This user will already be a restricted user. It will require creating a new Unix user first under the Users and Groups module.

Thanks. I created a user xyz through Users & Groups under Webmin -> System. (Directory = website public_html directory owned by admin user, Shell = /sbin/nologin, Primary Group = Chroot Jail users' group, Move home directory if changed? = No, Change Userid on Files = No, Change Group ID on Files = No, Modify User in Other Modules = Yes.) And saved.

Then I created user xyz through Webmin -> Users.

I then logged in with the xyz user to Webmin and went to File Manager, but it gives me the following error:

"Error creating configuration directory: Permission denied"

What could this error be and how can I fix that?

Submitted by Ilia on Thu, 10/15/2020 - 07:37

> What could this error be and how can I fix that?

Make sure that the newly created user has permissions to access whatever you're trying to make this user access.

> (Directory = website public_html directory owned by admin

You would need to add that newly created user to the admin group and make sure that permissions on the home directory for the admin user include group permissions accordingly (at least like 0740 rather than the secure default 0700).

> Primary Group = Chroot Jail users' group,

The same rule applies for any group.

> "Error creating configuration directory: Permission denied"

If you can read the files and cannot write them, then you would need to loosen permissions for the home directory down to 0770.

Thanks. Works as designed. I was with cPanel and just needed a separate user created, restricted to the home directory of the website public_html folder. They said the feature is being considered. Since I had Virtualmin for my test server (of the live website), I saw that functionality of multiple user creation and the restricted user. I switched to Virtualmin on the live server too. Sure, cPanel is easy to follow, but such a simple feature not being available is a big no-no. Now that I'm on Virtualmin/Webmin completely for both live <-> test server, and given that I could create a separate restricted Webmin login for the developer, I'm very happy. All the efforts of the migration are worth it.

Thanks Ilia, you were correct. It just works in two easy steps: 1) user creation in Users and Groups and then 2) user creation in Webmin -> Users. And voilà! That user can now only access File Manager and Upload/Download and can only access the public_html folder. Perfect. Exactly what I wanted to achieve.

Thanks again. Closing this ticket with your permission.
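
An added check for the permission change discussed in this ticket (example code, not from the thread or from Webmin/Virtualmin): it reports the group bits on a home directory and lists sensitive entries such as .ssh that carry any group or other permission once the directory has been loosened. It assumes GNU stat on Linux; the list of sensitive names and the path in the usage comment are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not from the ticket). Assumes GNU stat (coreutils) on Linux.

# Names worth keeping private inside a home directory (constructed list).
SENSITIVE=".ssh .gnupg .bash_history"

# group_bits PATH -> the group's rwx triplet from the mode string, e.g. "r-x"
group_bits() {
    stat -c '%A' "$1" | cut -c5-7
}

# group_can_enter DIR -> success if group members can open entries inside DIR.
# Read (r) only lists names; the search bit (x, or s when setgid) is what
# lets a process reach the files and subdirectories.
group_can_enter() {
    case "$(group_bits "$1")" in
        ??[xs]) return 0 ;;
        *)      return 1 ;;
    esac
}

# exposed_sensitive HOME -> prints "MODE PATH" for each sensitive entry that
# has any group or other permission bit set (mode & 077 != 0).
exposed_sensitive() {
    es_home=$1
    for es_name in $SENSITIVE; do
        es_path="$es_home/$es_name"
        [ -e "$es_path" ] || continue
        es_mode=$(stat -c '%a' "$es_path")
        # A leading 0 makes the shell read the mode as an octal number.
        if [ $(( 0$es_mode & 077 )) -ne 0 ]; then
            printf '%s %s\n' "$es_mode" "$es_path"
        fi
    done
}

# audit_home HOME -> one-line summary followed by any exposed entries.
audit_home() {
    if group_can_enter "$1"; then
        echo "group can enter $1 (group bits: $(group_bits "$1"))"
    else
        echo "group cannot enter $1 (group bits: $(group_bits "$1"))"
    fi
    exposed_sensitive "$1"
}

# Usage: audit_home /home/admin   (placeholder path)
```

An empty list from `exposed_sensitive` after the home directory is opened to the group means entries like .ssh still keep owner-only modes.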