
Re: [cpx] File Manager Questions



On Wed, Dec 14, 2005 at 10:34:41AM -0700, Jonathan Duncan wrote:
>
> Subject: [cpx] File Manager Questions
>
> I am sure this is on the todo list, but the help options are lacking info 
> about the File Manager.  Also the Help list is not in Alphabetical order. 
> Also, the contextual help has a question mark icon as well as an arrow, 
> but only the arrow is clickable to open the context help.  I most often 
> click the question mark since it is on the left and I see it first.

I think these will all be backfilled with the upcoming 1.5 release, but
I'm not 100% sure.  All of the file manager man pages will be backfilled
for 1.5; I finally got around to writing them.  ;)

> 
> Anyway, onto the real point of this message.
> 
> I am wondering about the file management tool.  I noticed that I can give 
> File Management rights to users, but only if FTP is checked.  As a matter 
> of security, I am trying to phase out the use of FTP and have my users use 
> SSH/SFTP for accessing the server.  Perhaps I am overlooking something.  I 
> imagine that the File Management is set up this way because the FTP 
> protocol is supported by web browsers, but SSH is not.  What options do I 
> have for allowing file management securely?

You've actually stumbled onto a fairly high level philosophical design
decision we made in CPX.  Originally, when I wrote the file manager for
CPX, I had file manager open to anyone who had FTP privs _or_ shell
privs.  Later, an additional authorization field ("fileman") was created
and now currently controls file manager access.  

For whatever reason, at the time that the "fileman" privilege was
created it was decided that it would be exclusively predicated on whether
or not the user had FTP privs (i.e. must click on the grant-user-FTP-privs
checkbox before being allowed to grant user fileman privs).  If I recall
correctly, I pushed for ftp _or_ shell as a prerequisite for fileman
access, but my arguments must not have been that convincing.  ;) 

In any case, the new rule was only enforced at the browser level via some 
javascript-fu... you can get around the restriction if really necessary.
The VSAP server module for adding new users will allow new users to be 
created with a fileman privilege if the new user has ftp privs _or_ shell
privs.  So, you could compose a manual request to the VSAP user:add
module (see man page) and create a CPX user with shell privs, fileman
privs, and no ftp privs.   Let me know (off-list) if you need some
sample code.

(I just checked and Scott does have the "must have FTP or no fileman 
priv" check in vadduser... line 418 of vadduser, v1.50... bummer.  You
could simply just make your own copy of vadduser and remove that check,
which would probably be easier than using some of my sample code).

cheers.

--rus.


> 
> Thanks,
> Jonathan
> ======================================================================
> This is <cpx@xxxxxxxxxxxxx>      <http://www.groupmail.org/lists/cpx/>
> Before posting a question, please search the archives (see above URL).

-- 
========================================================================
Rus Berrett                                                    NTT/Verio
                 See Perl. See Perl Run. Run Perl, Run!
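
The message above describes three places where the fileman prerequisite is checked, and they do not agree. The following is an added example, not part of the original message and not CPX or VSAP code: it encodes each rule as the message states it (the function and layer names are hypothetical) and enumerates every privilege combination to find where the front ends and the server disagree, which is the kind of check that shows when a policy lives only in the client.

```python
from itertools import product

# Each rule returns True when the layer would accept the privilege set.
# The rules follow the wording of the message; the names are hypothetical.
def browser_rule(ftp, shell, fileman):
    # Browser-side JavaScript: fileman can only be ticked once FTP is ticked.
    return ftp or not fileman

def vadduser_rule(ftp, shell, fileman):
    # vadduser check as quoted: "must have FTP or no fileman priv".
    return ftp or not fileman

def server_rule(ftp, shell, fileman):
    # VSAP user:add as described: fileman is allowed with FTP or shell.
    return ftp or shell or not fileman

LAYERS = {
    "browser": browser_rule,
    "vadduser": vadduser_rule,
    "vsap_server": server_rule,
}

def divergences(layers=LAYERS, authority="vsap_server"):
    """List privilege sets where a front end and the authoritative layer disagree."""
    found = []
    for ftp, shell, fileman in product([False, True], repeat=3):
        combo = {"ftp": ftp, "shell": shell, "fileman": fileman}
        verdict = layers[authority](ftp, shell, fileman)
        # Front ends whose answer differs from the server's answer.
        differing = sorted(
            name for name, rule in layers.items()
            if name != authority and rule(ftp, shell, fileman) != verdict
        )
        if differing:
            found.append((combo, differing))
    return found

if __name__ == "__main__":
    for combo, names in divergences():
        print(combo, "server and", ", ".join(names), "disagree")
```

Whichever rule is intended, it has to be the one the server module enforces; the browser and command-line checks can then mirror it for usability.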


